So, this is a bit unsettling—a white hat hacker has discovered a bug in Razer's device installer software that could give a hacker full admin rights in Windows 10, simply by plugging in a compatible peripheral and downloading the accompanying Synapse utility. This could be a Razer mouse or keyboard, or any device that taps into the Synapse software.
A user who goes by "jonhat" on Twitter publicly disclosed the security flaw after contacting Razer and initially not getting a response from the company. The post also contains a video highlighting how incredibly simple it is to exploit the newly discovered attack vector, as a user with only limited standard system privileges.
Need local admin and have physical access?
- Plug a Razer mouse (or the dongle)
- Windows Update will download and execute RazerInstaller as SYSTEM
- Abuse elevated Explorer to open Powershell with Shift+Right click

Tried contacting @Razer, but no answers. So here's a freebie pic.twitter.com/xDkl87RCmz

August 21, 2021
What's at issue here is that when plugging in a Razer device (or dongle, if it's a wireless peripheral), Windows fetches a Razer installer containing driver software and the Synapse utility. As part of the setup routine, it opens up an Explorer window prompting the user to select where the driver should be installed.
This setup routine is run with elevated Admin privileges, the highest available in Windows 10. What jonhat found is that if a user opts to change the default location of the installation folder, which brings up a 'Choose a folder' dialog, a user can right-click the installation window and press the Shift key to open a PowerShell terminal with those same Admin privileges. That's not good. From there, an attacker could wreak all kinds of havoc.
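For defenders, the telltale result of this flaw is a shell running as SYSTEM inside a user's interactive session, with an installer among its ancestors. The following detection sketch is an added example, not code from the article, Razer or Microsoft; it assumes process-creation logs with Sysmon Event ID 1 field names, and every event in it is constructed.

```python
import ntpath

# Constructed sample events using Sysmon Event ID 1 (process creation) field
# names. Every path, PID, account and session id below is invented.
SYSTEM = "NT AUTHORITY\\SYSTEM"
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
EVENTS = [
    {"ProcessId": 900, "ParentProcessId": 4, "TerminalSessionId": 0,
     "User": SYSTEM, "Image": r"C:\Windows\System32\svchost.exe"},
    {"ProcessId": 2100, "ParentProcessId": 900, "TerminalSessionId": 1,
     "User": SYSTEM, "Image": r"C:\Windows\Temp\RazerInstaller.exe"},
    {"ProcessId": 3300, "ParentProcessId": 2100, "TerminalSessionId": 1,
     "User": SYSTEM, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ProcessId": 4000, "ParentProcessId": 1, "TerminalSessionId": 1,
     "User": r"DESKTOP\alice", "Image": r"C:\Windows\explorer.exe"},
    {"ProcessId": 4100, "ParentProcessId": 4000, "TerminalSessionId": 1,
     "User": r"DESKTOP\alice", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ProcessId": 5000, "ParentProcessId": 900, "TerminalSessionId": 0,
     "User": SYSTEM, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]


def name(image):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(image).lower()


def ancestry(event, by_pid):
    """Parent chain of an event, nearest first; stops on unknown or looping PIDs."""
    chain, seen, pid = [], set(), event["ParentProcessId"]
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(name(by_pid[pid]["Image"]))
        pid = by_pid[pid]["ParentProcessId"]
    return chain


def find_system_shells(events):
    """Flag shells running as SYSTEM inside an interactive (non-zero) session."""
    by_pid = {e["ProcessId"]: e for e in events}  # real pipelines key on ProcessGuid
    return [
        (e["ProcessId"], ancestry(e, by_pid))
        for e in events
        if name(e["Image"]) in SHELLS
        and e["User"].upper() == SYSTEM
        and e["TerminalSessionId"] != 0
    ]


if __name__ == "__main__":
    for pid, chain in find_system_shells(EVENTS):
        print(f"SYSTEM shell pid={pid} in user session, ancestors: {' <- '.join(chain)}")
```

The rule deliberately ignores SYSTEM shells in session 0, where services legitimately run scripts, and reports the ancestor chain so an analyst can see which installer spawned the shell.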
The video in the Twitter post demonstrates this process, and the folks at BleepingComputer confirmed it as well, noting "the bug is so easy to exploit as you just need to spend $20 on Amazon" for a Razer peripheral.
In one of the responses, a user said it also "works great" to spoof the vendor ID of an existing, non-Razer peripheral, so an attacker wouldn't even need to purchase anything. And yet another user claimed this attack vector "works also with any Asus ROG mouse. It will prompt to install Armory Crate" and execute it with the same elevated system privileges.
For its part, Razer acknowledged the issue in a statement provided to ComputerBase, saying a fix is on the way.
"We were made aware of a situation in which our software, in a very specific use case, provides a user with broader access to their machine during the installation process," Razer said. "We have investigated the issue, are currently making changes to the installation application to limit this use case, and will release an updated version shortly. The use of our software (including the installation application) does not provide unauthorized third-party access to the machine."
"We are committed to ensuring the digital safety and security of all our systems and services, and should you come across any potential lapses, we encourage you to report them through our bug bounty service, Inspectiv: https://app.inspectiv.com/#/sign-up," Razer added.
Likewise, jonhat said Razer has subsequently been in touch and offered up a bounty despite the issue having been publicly disclosed.
Should you be worried about this? Not really, for the most part. Razer notes this bug only applies to a "very specific use case," and that's because an attacker would need physical access to a machine in order to exploit the vulnerability—this is not something that can be accomplished remotely.
That said, this is another reason why you should never leave your laptop unattended in places where others might have access to it. The risk of theft, of course, is the other good reason not to do such a thing.
While Razer is working on a fix, it will be interesting to see if Microsoft comes up with any safeguards that would do away with this method of bypassing limited account privileges. This presumably would work in Windows 11 as well, though at this point, it does not seem as though anyone has tested it yet.