Hole in Razer lets you become a Windows 10 admin just by sticking in your mouse

Hole Razer lets become Windows 10 admin just sticking mouse

A vulnerability in the Razer Synapse middleware allows any command to be run with the highest privilege level. The main thing is to seize the moment.

The dangers of connecting mice

A vulnerability in Razer Synapse-branded peripheral software allows users to become an admin in Windows 10 simply by connecting a Razer mouse or other device from the same manufacturer to the computer.

Razer Synapse is a provider of highly popular gaming controllers, mice and other peripherals; according to the company itself, its products are used by 100 million people around the world.

Information security expert under the nickname johnat discovered and published on his Twitter information that the installer of drivers and software for Razer Synapse peripherals can be used to get the highest privileges in the system to which these peripherals are connected.

The fact is that the Razer Synapse installer runs with SYSTEM privileges, and therefore all child processes will also run with the same privileges.

Trivial exploitation

Exploiting the vulnerability is extremely trivial.

The procedure is as follows. When a peripheral device (such as a mouse) is connected, the installation procedure for the driver and Razer software will automatically start.

RazerInstaller.exe is launched with SYSTEM privileges, while the installation wizard prompts you to select a directory where all software “stuffing” will be installed. When the directory selection dialogue appears, you can press SHIFT + right mouse button and thereby open a PowerShell window. The utility will also be launched with SYSTEM privileges, which means that no matter what rights the user who installs the peripherals for a new mouse has initially, he can now run any commands with the highest privileges in the system.

Vulnerability in Razer driver allows any command with the highest privilege level to run on Windows 10

“This means taking full control of the system,” says Anastasia Melnikova, an information security expert at SEC Consult Services. – Running any commands with maximum privileges means being able to do whatever you want on the local system. Naturally, we are talking only about local attacks, but in this way, you can simply install a backdoor to remotely control the system in the future. Not the most elegant, but quite effective way. By the way, the question arises whether it is possible to use Middleware and other peripheral suppliers in this way. “

The existence of similar “bugs” in other peripheral vendors’ middleware is far from zero, says Will Dormann, an analyst at CERT / CC.

“Many vulnerabilities fall into the ‘Like no one thought of this before,'” Dormann wrote on Twitter. “Putting together the fact that” the USB connection automatically loads the software “and the fact that” the software is installed with certain privileges, “I would bet that other installers can be exploited in this way.”

According to the publication Bleeping Computer, jonhat tried to inform Razer about the discovered vulnerability. Having received no response, he posted information about his discovery on Twitter.

Later, Razer said they plan to make the necessary fix to their software.

Catch up on more stories here

Follow us on Facebook here

Leave a Reply