Razer mouse gives system privileges on Windows 10 | Information age
Razer automatically installs software that can be abused to gain access to the system.
Simply plugging in a Razer keyboard or mouse could give an attacker administrator privileges on Windows 10 machines by automatically installing the device’s software, a security researcher has found.
Twitter user jonhat shared the vulnerability publicly on Saturday, claiming that gaining local administrator privileges was as easy as plugging in a Razer device and opening PowerShell.
In a video accompanying his tweet, Jonhat showed the full attack.
Once he connects the Razer device to the Windows 10 virtual machine, Windows automatically downloads and installs the device drivers.
This is normal for plug and play devices which automatically tell the system which drivers to install so that users can start using their new devices immediately.
But the problem is with the Razer Synapse software that comes with the company’s driver.
Razer Synapse allows users to customize their keyboards and mice with custom configurations such as key macros and ambient lighting. When the installer loads, it lets the user choose the installation location, which opens a File Explorer window.
In File Explorer, Jonhat holds down the Shift key and right-clicks to bring up a menu with “Open PowerShell window here” as an option.
Since the installer had SYSTEM privileges, it could open PowerShell as SYSTEM, which Jonhat confirms by typing the ‘whoami’ command.
Need a local administrator and physical access?
– Connect a Razer mouse (or dongle)
– Windows Update will download and run RazerInstaller as SYSTEM
– Abuse elevated explorer to open Powershell with Shift + right click
– jonhat (@j0nh4t) August 21, 2021
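A detection heuristic for the chain described above, as an added example that is not from the article or the researcher: it flags a shell running as SYSTEM on a logged-on desktop session whose parent is not an expected service process. The field names follow Sysmon's process-creation event (Event ID 1); the sample events, the installer name and path, and the parent allow-list are constructed assumptions.

```python
import ntpath

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Assumption: parents expected to start SYSTEM shells in this estate; tune locally.
EXPECTED_PARENTS = {"services.exe", "svchost.exe"}
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

def base(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path or "").lower()

def is_suspicious(ev):
    """SYSTEM-owned shell on a user's desktop session, started by an unexpected parent."""
    return (
        base(ev.get("Image")) in SHELLS
        and ev.get("User", "").upper() == r"NT AUTHORITY\SYSTEM"
        # Session 0 hosts services; a higher id is a logged-on desktop.
        and int(ev.get("TerminalSessionId", 0)) > 0
        and base(ev.get("ParentImage")) not in EXPECTED_PARENTS
    )

def find_system_shells(events):
    """Return (time, parent, child) for every event matching the heuristic."""
    return [(e["UtcTime"], e["ParentImage"], e["Image"])
            for e in events if is_suspicious(e)]

# Constructed sample events; the installer name and path are hypothetical.
SAMPLE_EVENTS = [
    {"UtcTime": "2024-01-01 10:02:11", "User": r"NT AUTHORITY\SYSTEM",
     "TerminalSessionId": "1", "Image": PS,
     "ParentImage": r"C:\Windows\Installer\ExampleDeviceInstaller.exe"},
    {"UtcTime": "2024-01-01 10:05:40", "User": r"LAB-PC\student",
     "TerminalSessionId": "1", "Image": PS,
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"UtcTime": "2024-01-01 10:07:03", "User": r"NT AUTHORITY\SYSTEM",
     "TerminalSessionId": "0", "Image": PS,
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
]

if __name__ == "__main__":
    for hit in find_system_shells(SAMPLE_EVENTS):
        print("SYSTEM shell on interactive session:", *hit)
```

Only the first sample event matches: the ordinary user shell and the session 0 service shell are both ignored.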
Jonhat reported the issue to Razer, which, after a while, reached out to the researcher.
According to Jonhat, the issue is resolved and he will receive a bug bounty for his efforts.
The revelation that Razer’s software opened the door to Windows 10 system privileges caused a stir among security researchers who wondered if a similar issue was affecting other plug and play devices that automatically launch installers for GUI software like Razer Synapse.
Although this is a local attack – meaning it requires physical access to the machine – this type of vulnerability could cause headaches for system administrators in workplaces and schools attempting to limit the privileges of normal users.
“There is no reason to believe that Razer is the only automatic update software via Windows for USB devices that can be abused for elevation of privilege,” said Will Dormann, an analyst at the United States Computer Emergency Response Team Coordination Center (CERT/CC).
“Think about the attack surface of each device driver on Windows Update that can be triggered over a USB connection.
“All you need is one with a vulnerability. Physical access (or RemoteFX via RDP) is indeed a dangerous thing.”