This Mouse Gives you Admin on Windows

Razer gaming mice come with a buggy installer. It starts automatically when you plug in one of Razer’s devices.

The installer runs as SYSTEM. And it lets you start a shell—which also runs as SYSTEM. A classic elevation-of-privilege bug. And one that’s incredibly simple to exploit.

AWS Builder Community Hub

Déjà vu? It’s like PrintNightmare all over again. In today’s SB Blogwatch, we point the fingers of blame.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: A VHS player with a window.

Not This One, That One

What’s the craic? Lawrence Abrams reports—“Become a Windows 10 admin by plugging in a mouse”:

It took us about two minutes
Razer is a very popular computer peripherals manufacturer known for its gaming mouses and keyboards. When plugging in a Razer device into Windows 10 or Windows 11, the operating system will automatically download and begin installing the Razer Synapse software.

A zero-day vulnerability in the plug-and-play Razer Synapse installation … allows users to gain SYSTEM privileges [which is] the highest user rights available in Windows. … It took us about two minutes to gain SYSTEM privileges in Windows 10 after plugging in our mouse.

Razer has contacted the security researcher to let them know that they will be issuing a fix. … Razer also told the researcher that he would be receiving a bug bounty reward.

O RLY? Surur Davids adds—“All you need to gain admin privileges on Windows 10 is to plug in a Razer mouse”:

It only takes a shift-right-click
Microsoft’s PrintNightmare fiasco has turned the eyes of the hacker community to the vulnerabilities exposed by installing 3rd party drivers. … Attackers do not even need a real Razer mouse, as the USB ID can be easily spoofed.

The issue is that Windows Update downloads and executes RazerInstaller as SYSTEM, and that the installer offers users the opportunity to open an Explorer window. … From there it only takes a shift-right-click to open a Powershell terminal with system privileges.

Horse’s mouth? Here’s @j0nh4t:

Hijacked for persistence
Tried contacting Razer, but no answers.

[Update:] I have been reached out to by Razer and assured that their security team is working on a fix ASAP. Their manner of communication has been professional and I have even been offered a bounty even though publicly disclosing this issue.

Additionally if you go through the installation process and define the save dir to user controllable path like Desktop. A service binary is saved there which can be hijacked for persistence and is executed before user logon on boot.

Who’s really to blame? hhsbz fingers the culprit:

Microsoft should only accept kernel mode drivers
The actual problem here is that Microsoft allows OEMs to install user space programs via their drivers, which are installed automatically without user intervention using Windows Update. This is unacceptable. Microsoft should only accept kernel mode drivers. If users want user space tools they can find them in the OEM website.

And fromFirefoxToVivaldi piles on:

Credentials and permission
Easy solution for this and all future issues like this: Windows should stop installing/upgrading drivers without prompting the user for credentials and permission first.

How has nobody realized this before? Will Dormann—@wdormann—patiently explains:

All you need is a single one
Many vulnerabilities fall into the class of “How has nobody realized this before?” … There’s no reason to believe that Razer is the only automatically-installed-via-Windows-Update software for USB devices that can be abused for privilege escalation.

Think of the attack surface of every single device driver on Windows Update that is triggerable via a USB connection. All you need is a single one with a vulnerability.

And Tomas goes further:

Suite of spyware
This isn’t a new class of exploit, though articles like this one are important for bringing the USB vector to more people’s attention.

One of the IT teachers at the tech school I work at showed me how to install a suite of spyware using a USB drive and keyboard driver. That one installed silently, and it’s why I don’t let students or faculty just plug their personal USB devices into my computer anymore.

So why did Razer ignore the researcher? cube00 boggles thuswise:

Read by a human
How do companies still think it’s acceptable to ignore responsible disclosure in the hopes the problem just goes away?

Even companies with the most automated non-existent customer service know they need to provide separate channels for legal and security that actually get read by a human.

It gets worse. Admins can’t block bad installers via Windows policies, as u/andcoffeforall discovered:

razerinstaller.exe … runs as SYSTEM, bypassing any User Group Policy. … Doesn’t work.

Meanwhile, here’s azalemeth:

Wow. That’s a Windows 98 level of … privilege escalation bug.

And Finally:

VHS? Ask your parents.

Previously in And Finally

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Sandy Millar (via Unsplash)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.

richi has 516 posts and counting.See all posts by richi