Famously, Pinky and the Brain were a pair of animated mice that wanted to take over the world. Of course they never succeed, but maybe they just set their sights too high. Because while mice may not be taking over the world yet, they are taking over computers.
In the last week, security researchers have reported not one, but two different mice (of the non-furry, non-animated variety) being used to seize control of Windows machines.
Which had us asking ourselves: How is it that something as simple as a mouse can cause security issues? Well, it’s all about ease of use. Things that are intended to make your life easier have a way of making life easier for those with mal-intent too. We’ll explain.
“Let’s take over the world!” Brain said to Pinky, and off they went…
Yesterday it was Razer
A few days ago, a security researcher discovered and disclosed a local privilege escalation (LPE) vulnerability that allows any user to walk up to an unlocked Windows machine and gain SYSTEM privileges, simply by plugging in a Razer Synapse mouse or keyboard. SYSTEM privileges allow them to install and run anything on the device, putting them in total control.
It needs to be said that this scenario is only something you need to start worrying about after an attacker has already gained physical access to your computer, be it stolen or otherwise. (But it’s also worth saying that getting physical access to computers is the sort of thing that attackers like to do.)
The problem stems from the fact that when you plug a Razer device into Windows 10 or Windows 11 computer, the operating system tries to be helpful by automatically downloading and installing the Razer software that allows you to alter the settings for that mouse.
It’s called “Plug and Play”, but you could this a case of “Plug and Privilege Escalation”.
Not just Razer as it turns out
Inspired by the story about Razer, another researcher conducted a test against a gaming keyboard from SteelSeries. It took him some trial and error, but the end result was the same: SYSTEM privileges for a process of your choice, allowing for a complete takeover.
The researcher also warned there are probably more out there too. He concluded that vendors aren’t forcing proper access control against their downloadable firmware, so we should look forward to hearing similar stories about multiple hardware products.
And he was soon proven right by yet another researcher, who used an Android phone (that was pretending to be a SteelSeries USB keyboard), to pull of the same attack.
The mice are not the problem
As you might have guessed, it’s not the mice that are the problem, it’s actually the Windows Desktop application that causes the trouble. That’s because it gets SYSTEM privileges during installation, without first asking for a system administrator’s permission.
When the Razer software is installed, the setup wizard allows you to choose the folder where you want to install it. This ability to select an installation folder is where an attacker can cut in.
When you change the location of the folder, a ‘Choose a Folder’ dialog will appear. If you press Shift and right-click on the dialog, you will be prompted to open ‘Open PowerShell window here,’ which will open a PowerShell terminal in the folder shown in the dialog. Since this PowerShell prompt is being launched by a process with SYSTEM privileges, the PowerShell prompt will also inherit those same privileges. In the elevated PowerShell prompt you can run any command (and you have effectively taken over).
The SteelSeries installer proved a bit harder to abuse, but the researcher discovered that opening the “Learn More” link in the license Agreement opened the default browser with SYSTEM privileges, allowing the user to save the agreement. And from that dialog it is possible to spawn a terminal with god-like powers.
Patches are in the works
Razer has awarded the researcher a bug bounty and is working on a patch. SteelSeries has announced it will disable the automatic start of the installation software when a new device is connected.
Which leaves two questions: What other mice are lurking, undiscovered, with ambitions unknown, and since this seems to be an issue with how installation works, shouldn’t Microsoft also be working on these problems?
To be continued.