Razer vulnerability lets anyone gain admin rights on a Windows PC
There’s no shortage of Windows vulnerabilities being discovered recently, even in the newly-launched Windows 365 service. Now, a security researcher has discovered a vulnerability that lets anyone with Razer peripherals gain admin rights on a Windows PC. The researcher, known as jonhat on Twitter, discovered that plugging in a Razer USB peripheral lets users easily get administrator permissions on the computer.
The way the vulnerability works is that once you plug in a Razer device, Windows Update will download and install Razer Synapse. This is Razer’s software for controlling things like macros and Chroma lighting effects. However, because the installer is being downloaded by Windows Update, it’s being run as a SYSTEM user – a highly trusted user group with administrator rights.
At one point during the installation, the installer asks users to choose a directory to install Synapse, and a File Explorer window opens. Because the installer is being run by the SYSTEM user, the user can press the Shift key and right-click an empty area to open a PowerShell window with administrator privileges. From there, it’s possible to do pretty much anything PowerShell allows you to do with administrator rights.
Need local admin and have physical access?
– Plug a Razer mouse (or the dongle)
– Windows Update will download and execute RazerInstaller as SYSTEM
– Abuse elevated Explorer to open Powershell with Shift+Right click
— jonhat (@j0nh4t) August 21, 2021
The problem gets even worse. If you save the Razer Synapse files to a user-controllable folder – such as Desktop, Documents, and others – one of the files saved there can be hijacked. This allows a potential attacker to persistently gain admin rights later. On top of that, you don’t even need a real Razer device. Device IDs can be spoofed to trick Windows Update into downloading Razer Synapse even if a different device is plugged in. Twitter user an0n shared a video with the same exploit being carried out using an Android phone instead of a Razer device.
The Windows vulnerability was initially reported to Razer, but without a response, the researcher made the issue public with the video above. Following its public visibility, though, Razer has reached out and confirmed that it will indeed fix the issue. As a bonus for the researcher, even though the vulnerability was disclosed publicly, the company will still offer a bounty reward for discovering the problem.