It seems that the rather simplistic Razer zero-day vulnerability has opened a can of worms that may force accessory makers to rethink and reprogram their accompanying software. As one security researcher predicted, the vulnerability can be found in other peripherals that also install their own helper apps, including those from popular brand SteelSeries. While the same physical access to the Windows computer is still required, SteelSeries’ vulnerability is potentially worse since it doesn’t even require a SteelSeries device to trigger it.
At the heart of the vulnerability is the way accessory makers like Razer and SteelSeries install utility software after plugging in a mouse, keyboard, or some other peripheral. The software installer itself runs with system privileges, but it also has detours that would eventually allow an attacker to open a Command Prompt or PowerShell instance with the same system access. That, in turn, would allow the attacker to do almost anything with the computer, including install malware.
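The defender's view of the pattern just described is an interactive shell running as SYSTEM inside a logged-on user's desktop session. The Python heuristic below, an added example that is not code from the article or from either vendor, flags that pattern in process-creation records; the simplified log format, the `VendorInstaller.exe` placeholder and the parent allowlist are constructed assumptions.

```python
import re

# Interactive shells that should not appear as SYSTEM on a user's desktop.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Parents that legitimately start SYSTEM shells (services, scheduled tasks);
# tune this for remote-admin tooling used in your environment.
BENIGN_PARENTS = {"services.exe", "svchost.exe", "taskeng.exe"}

# Constructed, simplified process-creation records (not real product output).
# "VendorInstaller.exe" is a placeholder for an accessory maker's installer.
SAMPLE_LOG = [
    r'Image=C:\Windows\System32\cmd.exe User="NT AUTHORITY\SYSTEM" SessionId=1 ParentImage=C:\Temp\VendorInstaller.exe',
    r'Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe User="NT AUTHORITY\SYSTEM" SessionId=0 ParentImage=C:\Windows\System32\svchost.exe',
    r'Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe User="DESKTOP\alice" SessionId=1 ParentImage=C:\Windows\explorer.exe',
]

LINE_RE = re.compile(
    r'Image=(?P<image>\S+) User="(?P<user>[^"]+)" '
    r'SessionId=(?P<sid>\d+) ParentImage=(?P<parent>\S+)'
)

def parse(line):
    """Return a dict with image, user, sid (int) and parent, or None if malformed."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["sid"] = int(ev["sid"])
    return ev

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def is_suspicious(ev):
    """SYSTEM shell in a non-zero (interactive) session from an unexpected parent."""
    return (
        basename(ev["image"]) in SHELLS
        and ev["user"].upper() == "NT AUTHORITY\\SYSTEM"
        and ev["sid"] != 0  # session 0 is the non-interactive services session
        and basename(ev["parent"]) not in BENIGN_PARENTS
    )

def flag_events(lines):
    """Return the parent image of every suspicious record in `lines`."""
    events = (parse(line) for line in lines)
    return [ev["parent"] for ev in events if ev and is_suspicious(ev)]

if __name__ == "__main__":
    for parent in flag_events(SAMPLE_LOG):
        print("SYSTEM shell spawned on a user desktop by:", parent)
```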
Lawrence Amer of 0xsp discovered that the SteelSeries software installer was subject to the same vulnerability. The process is slightly different and longer because an attacker would have to first view the license agreement in a browser, try to save the web page, and then launch PowerShell from the file dialog that appears. Another security researcher, however, discovered that it is possible to fake a SteelSeries product, so you don’t even need to plug in anything.
An Android script can actually be used to mimic a new SteelSeries device that will trigger the entire process. While the script can be used to also disguise the phone as a Razer peripheral, Bleeping Computer said that the process didn’t trigger Razer’s vulnerability since it didn’t require user interaction at all.
Again, physical access to a Windows computer with an unlocked desktop is necessary for this vulnerability to be exploited, so it isn’t exactly a horrifying scenario on the scale of the recent PrintNightmare bug. That said, it does reveal the assumptions developers have made in writing app installers, and, hopefully, they’re already preparing fixes before someone comes up with a way to exploit it remotely.