In brief: It seems that gaining administrator-level Windows privileges on a PC doesn't require much work; all you need is physical access and a Razer mouse or keyboard. It's the result of a zero-day vulnerability in the company's popular Synapse software that can be exploited through the plug-and-play installation process.
Security researcher jonhat revealed the bug on Twitter (via BleepingComputer). He explains how anyone can get system privileges on Windows devices simply by plugging in a Razer mouse, keyboard, or dongle, giving them complete control of the system and allowing the installation of unauthorized software, including malware.
Need local admin and have physical access?
- Plug a Razer mouse (or the dongle)
- Windows Update will download and execute RazerInstaller as SYSTEM
- Abuse elevated Explorer to open Powershell with Shift+Right click
Tried contacting @Razer, but no answers. So here's a freebie pic.twitter.com/xDkl87RCmz
— jonhat (@j0nh4t) August 21, 2021
The process works by first connecting one of Razer's peripherals. This will result in Windows automatically downloading and installing the driver and Razer Synapse software. The problem stems from the RazerInstaller.exe executable being launched with system-level privileges so it can make changes to the PC.
During the setup process, the setup wizard allows users to specify where they want to install the Razer Synapse software. When changing the destination folder, a "Choose a Folder" dialog will appear. Shift and right-click here and select "Open PowerShell window here." This will open the PowerShell prompt with the same system privileges as the process that launched it.
Many vulnerabilities fall into the class of "How has nobody realized this before now?"
If you combine the facts of "connecting USB automatically loads software" and "software installation happens with privileges", I'll wager that there are other exploitable packages out there...
— Will Dormann (@wdormann) August 22, 2021
Researchers say that similar bugs will likely be present in other companies' installers for their plug-and-play peripherals.
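For defenders, the behavior described above leaves a recognizable trace in process-creation logs: an interactive shell running as SYSTEM inside a user's desktop session. The following is an added example, not code from the researcher or from Razer. It assumes records shaped like Sysmon Event ID 1 exported as JSON lines, and the sample events, paths and user names are constructed. Because it keys on the shell's context rather than on the Razer installer's name, it also covers other vendors' installers.

```python
import json
from pathlib import PureWindowsPath

# Constructed sample records shaped like Sysmon Event ID 1 (process creation),
# one JSON object per line. Paths, user names and session ids are illustrative.
SAMPLE_EVENTS = r'''
{"Image": "C:\\Example\\RazerInstaller.exe", "ParentImage": "C:\\Windows\\System32\\svchost.exe", "User": "NT AUTHORITY\\SYSTEM", "TerminalSessionId": 1}
{"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Example\\RazerInstaller.exe", "User": "NT AUTHORITY\\SYSTEM", "TerminalSessionId": 1}
{"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "User": "DESKTOP-01\\alice", "TerminalSessionId": 1}
{"Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\System32\\svchost.exe", "User": "NT AUTHORITY\\SYSTEM", "TerminalSessionId": 0}
'''

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
SYSTEM_USER = "nt authority\\system"


def basename(path):
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def is_system_shell_on_desktop(event):
    """True for a shell running as SYSTEM outside session 0.

    Session 0 hosts services; a SYSTEM shell in any other session is attached
    to a user's desktop, which is the situation the article describes.
    This session check is a heuristic chosen for this example.
    """
    return (
        basename(event["Image"]) in SHELLS
        and event["User"].lower() == SYSTEM_USER
        and int(event["TerminalSessionId"]) != 0
    )


def find_system_shells(jsonl_text):
    """Return (parent, shell) name pairs for every suspicious event."""
    hits = []
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if is_system_shell_on_desktop(event):
            hits.append((basename(event["ParentImage"]), basename(event["Image"])))
    return hits


if __name__ == "__main__":
    for parent, shell in find_system_shells(SAMPLE_EVENTS):
        print(f"ALERT: {shell} running as SYSTEM, spawned by {parent}")
```
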
The biggest caveat here is that anyone intending to use the exploit for nefarious reasons needs physical access to the device in question—in addition to a Razer product—but it still has potentially serious implications.
Jonhat added that he reached out to Razer's security team and it is working on a fix. The researcher added that he had been offered a bounty despite publicly disclosing the bug. Expect to see Razer roll out an update that addresses the issue very soon.