So this is a bit disturbing: a white-hat hacker has discovered a bug in Razer's device installation software that could give an attacker full administrator rights in Windows 10 simply by plugging in a compatible peripheral and downloading the accompanying Synapse utility. It can be a Razer mouse, a keyboard, or any other device that uses the Synapse software.
A user who goes by "jonhat" on Twitter publicly disclosed the security flaw after contacting Razer and initially not receiving a response from the company. The tweet also contains a video that highlights the incredible ease of exploiting the newly discovered attack vector as a user with limited, standard system privileges.
Do you need a local administrator and have physical access?
- Connect a Razer mouse (or dongle)
- Windows Update will download and run RazerInstaller as SYSTEM
- Abuse the elevated browser to open Powershell with Shift + Right-click
Tried to contact @Razer, but there are no answers. So here is a gift. pic.twitter.com/xDkl87RCmz
August 21, 2021
What's happening here is that when you connect a Razer device (or a dongle, if it's a wireless peripheral), Windows fetches a Razer installer that contains the driver software and the Synapse utility. As part of the setup routine, it opens an Explorer window that asks the user to select where the driver should be installed.
This setup routine runs with elevated SYSTEM-level privileges, the highest available in Windows 10. What was found is that if a user chooses to change the default location of the installation folder, a "Choose a folder" dialog opens. In that dialog, the user can hold the Shift key and right-click to open a PowerShell terminal with the same elevated privileges. This is not good. From there, an attacker could wreak havoc.
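For defenders, the behaviour described above leaves a recognisable trace: a shell running as SYSTEM in a user's desktop session with an installer as its parent. The following added example (not from the original article or from Razer) checks process-creation records for that pattern; the field names follow Sysmon Event ID 1, while the sample events, the parent allowlist and the installer path and file extension are constructed assumptions.

```python
import ntpath

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Assumed allowlist of parents that may start SYSTEM shells; tune per environment.
SERVICE_PARENTS = {"services.exe", "svchost.exe"}
SYSTEM_USER = "NT AUTHORITY\\SYSTEM"


def is_suspicious(event):
    """True when a shell runs as SYSTEM in a user session under an unexpected parent."""
    image = ntpath.basename(event["Image"]).lower()
    parent = ntpath.basename(event["ParentImage"]).lower()
    if image not in SHELLS or event["User"].upper() != SYSTEM_USER:
        return False
    # Session 0 hosts services and has no user desktop. A SYSTEM shell in any
    # other session means a privileged process exposed UI to the logged-on user.
    if int(event["TerminalSessionId"]) == 0:
        return False
    return parent not in SERVICE_PARENTS


def triage(events):
    """Return (parent, shell, session) for every event that needs review."""
    return [(ntpath.basename(e["ParentImage"]), ntpath.basename(e["Image"]),
             int(e["TerminalSessionId"])) for e in events if is_suspicious(e)]


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
# Constructed events. The installer directory is a placeholder, not a real path,
# and the ".exe" suffix on the installer name is an assumption.
SAMPLE_EVENTS = [
    {"Image": PS, "ParentImage": "C:\\Windows\\explorer.exe",
     "User": "LAB-PC\\alice", "TerminalSessionId": "1"},
    {"Image": PS, "ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "User": "NT AUTHORITY\\SYSTEM", "TerminalSessionId": "0"},
    {"Image": "C:\\Windows\\System32\\msiexec.exe",
     "ParentImage": "C:\\Windows\\System32\\services.exe",
     "User": "NT AUTHORITY\\SYSTEM", "TerminalSessionId": "0"},
    {"Image": PS, "ParentImage": "C:\\PLACEHOLDER\\RazerInstaller.exe",
     "User": "NT AUTHORITY\\SYSTEM", "TerminalSessionId": "1"},
]

if __name__ == "__main__":
    for parent, shell, session in triage(SAMPLE_EVENTS):
        print(f"review: {shell} as SYSTEM in session {session}, parent {parent}")
```

Because the rule keys on the session and account rather than on one vendor's installer name, it also covers the other installers mentioned in the replies to the tweet.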
The video from the Twitter post demonstrates this process, and the folks at BleepingComputer also confirmed it, noting that "the bug is so easy to exploit, as you only have to spend $20 on Amazon" for a Razer peripheral.
In one response, a user said it also "works great" to spoof the vendor ID of an existing non-Razer peripheral, so an attacker wouldn't even need to buy anything. And yet another user stated that this attack vector "also works with any Asus ROG mouse. You will be prompted to install Armory Crate" and it runs with the same elevated system privileges.
For its part, Razer acknowledged the problem in a statement provided to ComputerBase, saying there is a solution on the way.
"We were informed of a situation where our software, in a very specific use case, provides the user with wider access to their machine during the installation process," Razer said. "We have investigated the problem, we are currently making changes to the installation application to limit this use case and will post an updated version shortly. Use of our software (including the installation application) does not provide unauthorized access to third-party machines."
"We are committed to ensuring the digital security of all our systems and services and, in the event of possible defects, we encourage you to report them through our error reward service, Inspectiv: https://app.inspectiv.com/#/sign-up," Razer added.
Similarly, Jonhat said Razer has since been in contact and has offered a reward despite the problem having been disclosed publicly.
Should you worry about that? Not really, for the most part. Razer points out that this bug only applies to a "very specific use case," and this is because an attacker would need physical access to a machine to exploit the vulnerability; it cannot be exploited remotely.
That said, this is another reason why you should never leave your laptop unattended in places where other users can access it. The risk of theft, of course, is the other good reason not to do such a thing.
While Razer is working on a fix, it will be interesting to see if Microsoft offers any safeguards that would eliminate this method of circumventing limited account privileges. Presumably, this would also work on Windows 11, though at this point it doesn't look like anyone has tried it yet.