Windows 10’s security issue: A zero-day in the device installer software grants admin rights just by plugging in a mouse or other compatible device. UPDATE: Microsoft is investigating.
A zero-day bug in the device installer software for Razer peripherals – be they a Razer mouse, keyboard or any device that uses the Synapse utility – gives the plugger-inner full admin rights on Windows 10, just by inserting a compatible peripheral & downloading Synapse.
Windows 11
There’s seemingly nothing keeping the vulnerability from allowing the same privilege escalation on Windows 11, although, if that operating system has in fact been tested, its vulnerability hasn’t yet been reported.
Razer manufactures popular, high-end hardware for gamers, including mice, keyboards & gaming chairs. Its Razer Synapse software enables users to configure hardware devices, set up macros or map buttons.
The bug was reported by security researcher jonhat (@j0nh4t), who tweeted about it on Sat. after initially not hearing back from Razer.
As of Sun., the tweet had caught Razer’s attention, & the manufacturer told jonhat that its security team was working on getting out a fix ASAP. It also awarded jonhat a bug bounty, in spite of the fact that the bug was disclosed.
Physical Access
Need local admin & have physical access?
– Plug a Razer mouse (or the dongle)
– Windows Update will download & execute RazerInstaller as SYSTEM
– Abuse elevated Explorer to open Powershell with Shift+Right click
Tried contacting @Razer, but no answers. So, here’s a freebie pic.twitter.com/xDkl87RCmz
— jonhat (@j0nh4t) August 21, 2021
Installer
As the researcher tells it, & as Bleeping Computer confirmed in its own tests, the problem is that when a user plugs in a Razer device (or dongle, if it’s a wireless peripheral), Windows automatically fetches an installer containing driver software & the Synapse utility.
The plug-&-play Razer Synapse installation then allows users to gain SYSTEM privileges on the Windows device lickety-split, since, as part of the setup routine, it opens an Explorer window that prompts the user to specify where the driver should be installed.
SYSTEM Privileges
SYSTEM privileges are the highest user privilege level in Windows: With a SYSTEM account, someone can get full control over the system, meaning that they can view, change, or delete data; can create new accounts with full user rights; & can install whatever they want – including malware.
In other words, the setup routine for Synapse runs with the highest available privileges in Windows 10. Since the RazerInstaller.exe executable was launched via a Windows process running with SYSTEM privileges, the Razer installation program inherited those same privileges. jonhat found that if a user opts to change the default location of the installation folder, it triggers a “Choose a folder” dialog.
At that point, you can right-click the installation window & press the Shift key, which opens a PowerShell terminal with those same elevated privileges.
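A detection rule that follows from the chain described above (an added example, not from the article or the researcher): flag any interactive shell running as SYSTEM whose parent process is not a known SYSTEM launcher, which is what a shell opened from a SYSTEM-level installer's folder dialog looks like in process-creation telemetry. The records below are constructed, Sysmon-style samples; the installer path is a placeholder and the parent/child lineage is an assumption for illustration.

```python
import ntpath

# Interactive shells that should not appear as children of a SYSTEM-run device installer.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Parents from which a SYSTEM shell is routine (service host, scheduler). Tune per estate.
EXPECTED_PARENTS = {"services.exe", "svchost.exe", "taskeng.exe"}
SYSTEM_USER = "nt authority\\system"


def _base(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path or "").lower()


def is_suspicious(ev):
    """True for a SYSTEM shell whose parent is not an expected SYSTEM launcher."""
    if _base(ev.get("Image")) not in SHELLS:
        return False
    if (ev.get("User") or "").lower() != SYSTEM_USER:
        return False
    return _base(ev.get("ParentImage")) not in EXPECTED_PARENTS


def find_suspicious(events):
    """Return the subset of process-creation records that should raise an alert."""
    return [ev for ev in events if is_suspicious(ev)]


# Constructed sample records (not real telemetry), shaped like Sysmon Event ID 1 fields.
# The installer path is a placeholder, not the product's real install location.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\PLACEHOLDER\RazerInstaller.exe",
     "User": r"NT AUTHORITY\SYSTEM"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "User": r"NT AUTHORITY\SYSTEM"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "User": r"DESKTOP\alice"},
]

if __name__ == "__main__":
    for ev in find_suspicious(SAMPLE_EVENTS):
        print("ALERT: SYSTEM", _base(ev["Image"]), "spawned by", ev["ParentImage"])
```

Only the first record trips the rule: a SYSTEM shell under an installer; the service-spawned cmd.exe and the user's own PowerShell session do not.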
Proof-of-Concept Video
When j0nh4t initially didn’t hear back from Razer, the researcher posted a video that shows how the bug works.
Bleeping Computer had a Razer mouse around, so the outlet tested out the vulnerability & quickly confirmed the zero day, managing to gain SYSTEM privileges in Windows 10 within about 2 minutes of plugging it in.
Local Privilege Escalation (LPE)
Granted, anybody who wants to exploit this local privilege escalation (LPE) vulnerability needs 2 things: a Razer device & the ability to get at a targeted computer. As Bleeping Computer pointed out, it can be as easy as spending ~$24 on a Razer mouse & plugging it into Windows 10 to become an admin.
It doesn’t necessarily stop here.
Will Dormann (@wdormann), a vulnerability analyst with the CERT Coordination Center (CERT/CC), suggested that this vulnerability could in fact be universal.
Many Vulnerabilities
Many vulnerabilities fall into the class of “How has nobody realised this before now?”
If you combine the facts of “connecting USB automatically loads software” & “software installation happens with privileges”, I’ll wager that there are other exploitable packages out there… —Will Dormann
The privilege escalation might be possible in all sorts of peripherals due to the lack of safeguards in Windows that might prevent it.
UPDATE: From Microsoft
13:33 UPDATE: Microsoft was asked for comment on the broader safety issue of USB devices that automatically trigger software installation, where that installation runs with SYSTEM privileges.
Microsoft said that it’s aware of recent reports & is investigating the issue. “While this issue requires physical access to a targeted device, we will take any necessary steps to help protect customers,” a Microsoft spokesperson explained.
The vulnerability isn’t necessarily confined to just Razer peripherals. Another commenter, @Lechatquirit, claimed that the attack also works “with any asus ROG mouse. It will prompt to install armory [sic] crate & execute it as Sys,” the user tweeted in response to jonhat. Armoury Crate is a software portal that displays real-time performance & settings information for connected devices & which works with ROG, TUF Gaming & ASUS products.
Razer Calls It a ‘Very Specific’ Use Case
A Razer spokesperson revealed on Mon. that a fix should be out soon for what it called this “very specific use case.” Here’s the full statement:
We were made aware of a situation in which our software, in a very specific use case, provides a user with broader access to their machine during the installation process.
We have investigated the issue, are currently making changes to the installation application to limit this use case & will release an updated version shortly. The use of our software (including the installation application) does not provide unauthorised 3rd-party access to the machine.
Digital Safety & Security
We are committed to ensuring the digital safety & security of all our systems & services, & should you come across any potential lapses, we encourage you to report them through our bug bounty service, Inspectiv: https://app.inspectiv.com/#/sign-up.