It appears that Razer's rather simplistic zero-day vulnerability has opened up a can of worms that may force accessory makers to rethink and reprogram their accompanying software. As one security researcher predicted, the same vulnerability can be found in other peripherals that install their own helper applications, including those from the popular SteelSeries brand. While the same physical access to the Windows computer is still required, the SteelSeries vulnerability is potentially worse because it doesn't even require a SteelSeries device to trigger it.
At the heart of the vulnerability is the way accessory manufacturers such as Razer and SteelSeries install utility software after a mouse, keyboard, or some other peripheral is connected. The software installer itself runs with SYSTEM privileges, but it also exposes side paths that eventually allow an attacker to open a Command Prompt or PowerShell instance with that same SYSTEM access. That, in turn, would allow the attacker to do almost anything with the computer, including installing malware.
0xsp's Lawrence Amer discovered that the SteelSeries software installer is subject to the same vulnerability. The process is slightly different and longer because an attacker would first have to open the license agreement in a browser, try to save the web page, and then start PowerShell from the file dialog that appears. However, another security researcher found that it is possible to spoof a SteelSeries product, so you don't even need to connect a real device.
In fact, an Android script can be used to make a phone present itself as a new SteelSeries device, which triggers the whole installation process. While the script can also be used to disguise the phone as a Razer peripheral, Bleeping Computer said that this did not trigger Razer's vulnerability, as the process did not require any user interaction at all.
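What the chain above leaves behind on an endpoint is an interactive shell running as NT AUTHORITY\SYSTEM whose parent is a device-setup installer's UI rather than a service-control process. The following detection logic is an added example (not code from the article, Razer or SteelSeries): it runs over constructed Sysmon-style process-creation records (Event ID 1, which really carries the `Image`, `ParentImage` and `User` fields) and flags a SYSTEM shell launched by any parent outside a small allow list. The installer name `PeripheralSetup.exe` and the sample records are placeholders, and the allow list is an assumption to be tuned per fleet.

```python
import json

# Shell images that, when running as SYSTEM under an odd parent, are worth an alert.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Parents that legitimately launch SYSTEM-level shells (assumption: tune per environment).
EXPECTED_SYSTEM_PARENTS = {"services.exe", "wininit.exe", "winlogon.exe", "svchost.exe"}
SYSTEM_USER = "NT AUTHORITY\\SYSTEM"

# Constructed Sysmon-style process-creation records (JSON lines), not real captures.
# "PeripheralSetup.exe" is a hypothetical stand-in for a vendor's device installer.
SAMPLE_LOG = r'''
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\Installer\\PeripheralSetup.exe", "User": "NT AUTHORITY\\SYSTEM", "CommandLine": "powershell.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\System32\\services.exe", "User": "NT AUTHORITY\\SYSTEM", "CommandLine": "cmd.exe /c gpupdate"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "User": "DESKTOP-01\\alice", "CommandLine": "powershell.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\Installer\\PeripheralSetup.exe", "User": "NT AUTHORITY\\SYSTEM", "CommandLine": "notepad.exe eula.txt"}
{"EventID": 3, "Image": "C:\\Windows\\System32\\svchost.exe", "User": "NT AUTHORITY\\SYSTEM", "DestinationIp": "10.0.0.5"}
'''


def parse_events(text):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def image_name(path):
    """Return the lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_suspicious_shell(evt):
    """True for a process-creation event where an interactive shell runs as SYSTEM
    and its parent is not a process expected to spawn SYSTEM shells."""
    if evt.get("EventID") != 1:
        return False
    if image_name(evt.get("Image", "")) not in SHELLS:
        return False
    if evt.get("User", "").upper() != SYSTEM_USER.upper():
        return False
    return image_name(evt.get("ParentImage", "")) not in EXPECTED_SYSTEM_PARENTS


def find_suspicious_shells(events):
    """Filter a list of events down to the ones that match the pattern."""
    return [evt for evt in events if is_suspicious_shell(evt)]


def summarize(evt):
    """One-line description suitable for an alert message."""
    return (f"{image_name(evt['Image'])} as {evt['User']} "
            f"spawned by {image_name(evt['ParentImage'])}")


if __name__ == "__main__":
    for hit in find_suspicious_shells(parse_events(SAMPLE_LOG)):
        print("ALERT:", summarize(hit))
```

Run against the sample, only the first record fires: a SYSTEM PowerShell whose parent is the installer. The SYSTEM `cmd.exe` under `services.exe`, the user-level PowerShell under `explorer.exe`, and the non-shell child of the installer are all ignored, which keeps the rule narrow enough to be useful on a real fleet. The rule is a detective control only; the fix the article calls for is in the installers themselves, which should not present interactive UI from a SYSTEM context.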
Again, physical access to an unlocked Windows computer is necessary to exploit this vulnerability, so it's not as dire a scenario as the recent PrintNightmare bug. That said, it reveals the assumptions developers have made when writing app installers, and hopefully they are already preparing a fix for these before someone finds a way to exploit them remotely.