Razer bug lets you become a Windows 10 admin by plugging in a mouse

Gandalf_The_Grey

Level 51
Verified
Trusted
Content Creator
Apr 24, 2016
4,012
A Razer Synapse zero-day vulnerability has been disclosed on Twitter, allowing you to gain Windows admin privileges simply by plugging in a Razer mouse or keyboard.

Razer is a very popular computer peripherals manufacturer known for its gaming mouses and keyboards.

When plugging in a Razer device into Windows 10 or Windows 11, the operating system will automatically download and begin installing the Razer Synapse software on the computer. Razer Synapse is software that allows users to configure their hardware devices, set up macros, or map buttons.

Razer claims that that their Razer Synapse software is used by over 100 million users worldwide.

Security researcher jonhat discovered a zero-day vulnerability in the plug-and-play Razer Synapse installation that allows users to gain SYSTEM privileges on a Windows device quickly.

SYSTEM privileges are the highest user rights available in Windows and allow someone to perform any command on the operating system. Essentially, if a user gains SYSTEM privileges in Windows, they attain complete control over the system.

After not receiving a response from Razer, jonhat disclosed the zero-day vulnerability on Twitter yesterday and explained how the bug works with a short video.

After this zero-day vulnerability gained wide attention on Twitter, Razer has contacted the security researcher to let them know that they will be issuing a fix.

Razer also told the researcher that he would be receiving a bug bounty reward even though the vulnerability was publicly disclosed.
EDIT:
Some more info from mspoweruser:

Microsoft’s PrintNightmare fiasco has turned the eyes of the hacker community to the vulnerabilities exposed by installing 3rd party drivers and today hacker jonhat discovered that you can open a wide-open door in Windows 10 by simply plugging in a Razer wireless dongle.

The issue is that Windows Update downloads and executes RazerInstaller as system, and that the Installer offers users the opportunity to open an Explorer window to choose where to install the drivers.

From there it only takes a shift-right-click to open a Powershell terminal with system privileges, and the hacker can basically do whatever they want.

Additionally, if the user goes through the installation process and defines the save directory to a user-controllable path like Desktop, the Installer saves a service binary there which can be hijacked for persistence and which is executed before user login on boot.

Attackers do not even need a real Razer mouse, as the USB ID can be easily spoofed.

jonhat says he attempted to contact Razer but was unsuccessful, and has therefore released the vulnerability. We assume Microsoft will move somewhat faster and remove the driver from Windows Update soon, though there is no guarantee as it would leave Razer hardware users without an easy way to access the driver.
 
Last edited:

wat0114

Level 3
Apr 5, 2021
144
Most of the time any facts that would allay user fears are never mentioned. What the security news industry accomplishes is to create needless user fear and wide spread security hysteria. Those authors want it that way because more dramas means more clicks.

This exactly has been my complaint about most of these types of security articles for years now.
 

show-Zi

Level 31
Verified
Jan 28, 2018
1,993
Does anyone honestly think or believe that users will take heed and act en masse in response to reports? We all know the answer to that question and it is "No. No they do not." So if users cannot understand such articles, or they are not given all the facts, or even if they are given all the facts in an easy to understand way, and yet still, they do nothing,... it means that the societal approach to security is broken on so many levels that go far beyond merely security software.
This is not limited to PC security. Similar cases can be seen in the real world. I presume that this is exactly why Japan's vaccination is so late.

My concern is that Razer is used a lot by game players. It's a feeling similar to the fact that the taste and quality of food are not emphasized in the fast-eating competition.
 

wat0114

Level 3
Apr 5, 2021
144
Honestly I hate trying to decipher twitter posts as a source on the latest security threats. Yes I'm getting old. Rarely do I see well-written articles such as the one below that explain things sensibly with step-by-step detail and pictures:

https://www.cybereason.com/blog/the-sodinokibi-ransomware-attack
 

wat0114

Level 3
Apr 5, 2021
144
Your age has nothing to do with it.
Thanks, I tend to be self deprecating though and it doesn't help I'm not a social media kind of guy ;)

Seriously, I get the gist of what's going on with this exploit, although I failed to find anywhere either in the twitter posts or elsewhere where it clearly states whether or not the user needs to be logged in.
 
  • Like
Reactions: Nevi and CyberTech

wat0114

Level 3
Apr 5, 2021
144
Because nobody mentioned it.

The user does not need to be logged-in.
Okay thanks for clarifying. So I guess it's just another case of ignoring small but important details.

Edit

Wait not so fast. The demo videos I see are starting with the user already logged in, or am I missing something??
 
  • Like
Reactions: Nevi

wat0114

Level 3
Apr 5, 2021
144
Try it for yourself. Log out of your system and then plug a keyboard and mouse into the system while logged out. The system detects the devices and you can use them to log into the system. Device detection is not dependent upon user login.
Nothing surprising here, but doesn't the adversary have to know the user's account credentials to log in?
 
  • Like
Reactions: Nevi

wat0114

Level 3
Apr 5, 2021
144
Actually, they do not need to know the login credentials. They can plug in a USB drive that has software on it to crack the login credentials. Some of this will be dependent upon the way authentication is configured, security patches applied, edition of Windows and others.

But to answer your question, barring the credential cracking, the yes... the system assailant does need to log into the system and then run the Razer software. This is based upon the totality of the information supplied in the sources linked here.
Thank you again for explaining. You have gone way above and beyond helping answer my queries than I could possibly have hoped for (y):)

They can plug in a USB drive that has software on it to crack the login credentials.

Sorry but I have to ask: so this is a trivial task?
 
Last edited:
  • Like
Reactions: Nevi

plat1098

Level 25
Verified
Sep 13, 2018
1,461
One reason why I'm interested in this topic: I have a Razer keyboard (which I luv btw). When I installed Windows 11, the Razer Synapse software was offered and I declined. It installed the Synapse driver and software anyway and its startup was Automatice (starting with Windows). Just goes to show you: if you can manage any updates to your hardware yourself, skip the proprietary software if you can. Fortunately, I got the basics off YouTube and don't need Synapse. Pfft, gone. Just a potential headache waiting to happen. 😬

If the superintendant of my slummy apt. building wants to bust in here and backdoor my pute-pute, well Go Right Ahead, sir! Fix my stove while you're at it, will ya? 🙏
 

upnorth

Moderator
Verified
Staff member
Malware Hunter
Jul 27, 2015
4,451
Once Razer itself has patched the vulnerability, the next step will be pushing it to Microsoft for inclusion in Windows Catalog—where it will need to replace the current and vulnerable Razer HIDClass driver that Windows Update automatically downloads and runs whenever a Razer mouse is plugged into the system. (The vulnerable version in the Windows Catalog as of publishing time is 6.2.9200.16495, dated January 2017.)
 
Top