A cybersecurity researcher has discovered a vulnerability in Razer Synapse software that lets anyone possessing Razer peripherals obtain administration rights on a Windows PC.
Razer Synapse is a software that allows users to configure Windows hardware devices, set up macros and Chrome lighting effects, and map buttons. The company is a leader development of gaming accessories including laptops, keyboards, mouse, therefore, it is surprising that a vulnerability allowing admin rights by plugging in a keyboard, dongle, or mouse still exists.
The researcher who goes by the Twitter handle of @j0nh4t disclosed the vulnerability and reported it to the software vendor. When the company didn’t give a favorable response, @j0nh4t decided to disclose its details on Twitter.
Bug Can Be Exploited with a $20 Mouse
For your information, in Windows 10, RazerInstaller is downloaded and executed as SYSTEM that grants full privileges. Anyone can open PowerShell with a keyboard shortcut and do just about anything on the computer using the elevated Explorer.
But, the catch is that you must have physical access to the computer to plug in a Razer peripheral since the bug cannot be remotely exploited. It is an LPE (local privilege escalation) vulnerability. This means you must have a Razer device and access to the targeted computer. This can be done with a $20 Razer mouse.
How does It work?
When a Razer device is plugged in, Windows Update will download/install Razer Synapse. Since Windows Update installs it, it will be run as a SYSTEM user, a highly trusted user group with admin rights. The installer will ask the user to select a director where Synapse will be stored and open a File Explorer window during the installation process.
Since a SYSTEM user is running it, they can press the Shift key and right-click on an empty space to open a PowerShell window with administrator privileges. SYSTEM privileges are the highest level of user rights in Windows and let users perform any OS command.
If a user gains Windows’ SYSTEM privileges, they will get complete control over the machine and install any software, including malware. If you chose to save the Razer Synapse file on a user-controlled folder like Documents or Desktop, any of the files stored on the folder can be hijacked and let an attacker gain persistence as device admin.
Watch the demo
Need local admin and have physical access?
– Plug a Razer mouse (or the dongle)
– Windows Update will download and execute RazerInstaller as SYSTEM
– Abuse elevated Explorer to open Powershell with Shift+Right click
— jonhat (@j0nh4t) August 21, 2021