Razer bug lets you become a Windows 10 admin by plugging in a mouse

Gandalf_The_Grey

A Razer Synapse zero-day vulnerability has been disclosed on Twitter, allowing you to gain Windows admin privileges simply by plugging in a Razer mouse or keyboard.

Razer is a very popular computer peripherals manufacturer known for its gaming mice and keyboards.

When plugging a Razer device into Windows 10 or Windows 11, the operating system will automatically download and begin installing the Razer Synapse software on the computer. Razer Synapse is software that allows users to configure their hardware devices, set up macros, or map buttons.

Razer claims that their Razer Synapse software is used by over 100 million users worldwide.

Security researcher jonhat discovered a zero-day vulnerability in the plug-and-play Razer Synapse installation that allows users to gain SYSTEM privileges on a Windows device quickly.

SYSTEM privileges are the highest user rights available in Windows and allow someone to perform any command on the operating system. Essentially, if a user gains SYSTEM privileges in Windows, they attain complete control over the system.

After not receiving a response from Razer, jonhat disclosed the zero-day vulnerability on Twitter yesterday and explained how the bug works with a short video.

After this zero-day vulnerability gained wide attention on Twitter, Razer has contacted the security researcher to let them know that they will be issuing a fix.

Razer also told the researcher that he would be receiving a bug bounty reward even though the vulnerability was publicly disclosed.
EDIT:
Some more info from mspoweruser:

Microsoft’s PrintNightmare fiasco has turned the eyes of the hacker community to the vulnerabilities exposed by installing 3rd party drivers and today hacker jonhat discovered that you can open a wide-open door in Windows 10 by simply plugging in a Razer wireless dongle.

The issue is that Windows Update downloads and executes RazerInstaller as system, and that the Installer offers users the opportunity to open an Explorer window to choose where to install the drivers.

From there it only takes a shift-right-click to open a PowerShell terminal with system privileges, and the hacker can basically do whatever they want.

Additionally, if the user goes through the installation process and defines the save directory to a user-controllable path like Desktop, the Installer saves a service binary there which can be hijacked for persistence and which is executed before user login on boot.

Attackers do not even need a real Razer mouse, as the USB ID can be easily spoofed.

jonhat says he attempted to contact Razer but was unsuccessful, and has therefore released the vulnerability. We assume Microsoft will move somewhat faster and remove the driver from Windows Update soon, though there is no guarantee as it would leave Razer hardware users without an easy way to access the driver.
 
Last edited:
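
The service-binary point in the mspoweruser excerpt above (an installer running as SYSTEM drops a service executable into a user-controllable folder) can be checked for on a host. The PowerShell audit below is an added example, not code from the quoted articles or from Razer or Microsoft; the function names and the trusted-SID list are assumptions chosen for illustration.

```powershell
# Added example: audits auto-start services whose executable, or the folder
# holding it, is writable by anyone outside the trusted set below (assumed list).
$trusted = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464' # TrustedInstaller
)
# WriteData/AddFile, AppendData/AddSubdirectory, GENERIC_WRITE, GENERIC_ALL
$writeMask = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000

function Get-ServiceBinaryPath([string]$PathName) {
    # Win32_Service.PathName may be quoted and may carry arguments.
    $p = [Environment]::ExpandEnvironmentVariables($PathName)
    if ($p -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($p -match '^\s*(.+?\.exe)(\s|$)') { return $Matches[1] }
    return $p.Trim()
}

function Get-UntrustedWriters([string]$Path) {
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    # Ask for SIDs directly so the check does not depend on localized names.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        if ($r.AccessControlType -ne 'Allow') { continue }
        if ($r.PropagationFlags.HasFlag($inheritOnly)) { continue }  # children only
        if (([int]$r.FileSystemRights -band $writeMask) -eq 0) { continue }
        if ($trusted -notcontains $r.IdentityReference.Value) { $r.IdentityReference.Value }
    }
}

function Find-WritableServiceBinary {
    Get-CimInstance Win32_Service -Filter "StartMode='Auto'" | ForEach-Object {
        $svc = $_
        $exe = Get-ServiceBinaryPath $svc.PathName
        if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { return }
        foreach ($target in @($exe, (Split-Path -Parent $exe))) {
            try { $sids = @(Get-UntrustedWriters $target | Sort-Object -Unique) }
            catch { continue }   # ACL not readable from this context
            if ($sids.Count -gt 0) {
                [pscustomobject]@{ Service = $svc.Name; RunsAs = $svc.StartName
                                   Target = $target; Writers = $sids -join ', ' }
            }
        }
    }
}

Find-WritableServiceBinary | Format-List
```

Run it from an elevated prompt so every ACL is readable. Per-service SIDs that a vendor granted on its own folder will also be listed and need a manual look; a hit under a user profile such as Desktop is the case the excerpt describes.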

wat0114

Most of the time any facts that would allay user fears are never mentioned. What the security news industry accomplishes is to create needless user fear and widespread security hysteria. Those authors want it that way because more drama means more clicks.

This exactly has been my complaint about most of these types of security articles for years now.
 

show-Zi

Does anyone honestly think or believe that users will take heed and act en masse in response to reports? We all know the answer to that question and it is "No. No they do not." So if users cannot understand such articles, or they are not given all the facts, or even if they are given all the facts in an easy to understand way, and yet still, they do nothing,... it means that the societal approach to security is broken on so many levels that go far beyond merely security software.
This is not limited to PC security. Similar cases can be seen in the real world. I presume that this is exactly why Japan's vaccination is so late.

My concern is that Razer is used a lot by game players. It's a feeling similar to the fact that the taste and quality of food are not emphasized in the fast-eating competition.
 

wat0114

Honestly I hate trying to decipher Twitter posts as a source on the latest security threats. Yes I'm getting old. Rarely do I see well-written articles such as the one below that explain things sensibly with step-by-step detail and pictures:

https://www.cybereason.com/blog/the-sodinokibi-ransomware-attack
 

wat0114

Your age has nothing to do with it.
Thanks, I tend to be self-deprecating though, and it doesn't help I'm not a social media kind of guy ;)

Seriously, I get the gist of what's going on with this exploit, although I failed to find anywhere either in the Twitter posts or elsewhere where it clearly states whether or not the user needs to be logged in.
 

wat0114

Because nobody mentioned it.

The user does not need to be logged-in.
Okay thanks for clarifying. So I guess it's just another case of ignoring small but important details.

Edit

Wait not so fast. The demo videos I see are starting with the user already logged in, or am I missing something??
 

wat0114

Try it for yourself. Log out of your system and then plug a keyboard and mouse into the system while logged out. The system detects the devices and you can use them to log into the system. Device detection is not dependent upon user login.
Nothing surprising here, but doesn't the adversary have to know the user's account credentials to log in?
 

wat0114

Actually, they do not need to know the login credentials. They can plug in a USB drive that has software on it to crack the login credentials. Some of this will be dependent upon the way authentication is configured, security patches applied, edition of Windows and others.

But to answer your question, barring the credential cracking, then yes... the system assailant does need to log into the system and then run the Razer software. This is based upon the totality of the information supplied in the sources linked here.
Thank you again for explaining. You have gone way above and beyond helping answer my queries than I could possibly have hoped for (y):)

They can plug in a USB drive that has software on it to crack the login credentials.

Sorry but I have to ask: so this is a trivial task?
 

plat

One reason why I'm interested in this topic: I have a Razer keyboard (which I luv btw). When I installed Windows 11, the Razer Synapse software was offered and I declined. It installed the Synapse driver and software anyway and its startup was Automatic (starting with Windows). Just goes to show you: if you can manage any updates to your hardware yourself, skip the proprietary software if you can. Fortunately, I got the basics off YouTube and don't need Synapse. Pfft, gone. Just a potential headache waiting to happen. 😬

If the superintendent of my slummy apt. building wants to bust in here and backdoor my pute-pute, well Go Right Ahead, sir! Fix my stove while you're at it, will ya? 🙏
 

upnorth

Once Razer itself has patched the vulnerability, the next step will be pushing it to Microsoft for inclusion in Windows Catalog—where it will need to replace the current and vulnerable Razer HIDClass driver that Windows Update automatically downloads and runs whenever a Razer mouse is plugged into the system. (The vulnerable version in the Windows Catalog as of publishing time is 6.2.9200.16495, dated January 2017.)
 
