Simply plugging a USB mouse, keyboard, or other computer peripheral into a Windows 10 PC or laptop can grant Administrator rights. The scarily simple-to-execute ‘Razer Bug’ security vulnerability currently exists in the Razer Synapse software, which helps customize the components.
A Twitter user discovered and alerted Razer about a security loophole that allowed anyone to merely plug in a Razer mouse, keyboard, or a dongle, to gain SYSTEM privileges. After Razer allegedly ignored the findings, the security researcher published the findings.
1. What's even more gobsmacking is that Group Policy Settings regarding downloading drivers from Windows Update are ignored.
2. It's been going on for more than 6 years according to this post. pic.twitter.com/pn8tXCk1Yg
— Kimberly (@StopMalvertisin) August 22, 2021
Razer Synapse Software can make anyone Windows 10 Administrator with SYSTEM privileges due to Razer Bug:
Razer is one of the most popular computer peripherals manufacturers. In fact, the company claims more than 100 million users worldwide use its Razer Synapse software.
The software allows users to configure their hardware devices, set up macros, or map buttons. Essentially, the Razer Synapse software is a customization tool for Razer-branded USB peripherals.
Need local admin and have physical access?
– Plug a Razer mouse (or the dongle)
– Windows Update will download and execute RazerInstaller as SYSTEM
– Abuse elevated Explorer to open Powershell with Shift+Right click
— jonhat (@j0nh4t) August 21, 2021
Security researcher ‘jonhat’ recently discovered a zero-day vulnerability in the plug-and-play Razer Synapse installation that allows users to gain SYSTEM privileges on a Windows device quickly.
As a good Samaritan, the researcher claims he quickly alerted Razer, but the company apparently ignored him. After not receiving any response, jonhat disclosed the zero-day vulnerability on Twitter.
It is important to note that any threat actor looking to gain elevated privileges will need physical access to the target machine and its USB ports. Additionally, the target machine should have the Razer Synapse software already installed. It is not clear if the software running in the background could disable the Razer bug.
How does a piece of software for USB peripherals grant Admin rights to anyone on a Windows 10 PC?
As the short video and accompanying explanation reveal, it is ridiculously easy to gain Admin rights by merely plugging in a Razer-branded computer peripheral.
Windows escalation with an OMG cable: from Guest account to System user!
— _MG_ (@_MG_) August 22, 2021
The researcher has discovered a Local Privilege Escalation (LPE) vulnerability. At present, there is no way to achieve Administrator privileges remotely with the Razer bug.
That being said, the “hack” works by associating a Windows Terminal Window with the installation of the Razer Synapse Software that begins automatically when anyone plugs in a Razer-branded computer peripheral.
— Justin Shepherd (@justinshepherd) August 22, 2021
When Windows 10 OS detects a newly plugged-in Razer device, it automatically downloads and installs the driver and the Razer Synapse software. As the RazerInstaller.exe executable runs with SYSTEM privileges, the Razer installation program also gains the same privileges.
If you plug in a Razer device in Windows 10, plug-and-play will install the driver, as well as the Razer Synapse software.
As the plug-and-play process runs with SYSTEM privileges, the Razer Synapse installer is also launched with SYSTEM privileges. pic.twitter.com/dGevP8bYxL
— BleepingComputer (@BleepinComputer) August 22, 2021
While the Razer Synapse software is installing, it asks the user to keep the default installation folder or change the location. At this window, anyone with a lower access level can simply press Shift, right-click on the dialog, and select ‘Open PowerShell window here.’
This PowerShell window is launched by the software installer executable, so it also gains SYSTEM privileges. It truly is that easy.
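For defenders, the chain described above leaves a recognizable trace in process-creation logs: a command shell running as SYSTEM on a user's desktop session rather than in session 0, where services live. The sketch below is an added example, not code from Razer, Microsoft, or the researchers quoted here; it uses Sysmon Event ID 1 field names, and every event, path, GUID, and account in it is constructed sample data.

```python
import ntpath

SYSTEM = r"NT AUTHORITY\SYSTEM"
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

def ev(guid, parent, image, user, session):
    """Build one record using Sysmon Event ID 1 field names."""
    return {"ProcessGuid": guid, "ParentProcessGuid": parent, "Image": image,
            "User": user, "TerminalSessionId": session}

# Constructed sample events: GUIDs, paths, accounts and session ids are made up.
EVENTS = [
    ev("A1", "A0", r"C:\Windows\System32\svchost.exe", SYSTEM, 0),
    ev("A2", "A1", r"C:\Sample\RazerInstaller.exe", SYSTEM, 1),
    ev("A3", "A2", PS, SYSTEM, 1),             # shell opened from the installer dialog
    ev("B1", "A1", PS, SYSTEM, 0),             # service-context script, session 0
    ev("C1", "C0", r"C:\Windows\explorer.exe", r"DESKTOP\guest", 1),
    ev("C2", "C1", PS, r"DESKTOP\guest", 1),   # ordinary user shell
]

def ancestry(event, by_guid):
    """Image names from the process up to its oldest logged ancestor."""
    chain, seen = [], set()
    while event and event["ProcessGuid"] not in seen:  # guard against loops
        seen.add(event["ProcessGuid"])
        chain.append(ntpath.basename(event["Image"]).lower())
        event = by_guid.get(event["ParentProcessGuid"])
    return chain

def system_shells_on_desktop(events):
    """Flag shells running as SYSTEM in an interactive session (id != 0)."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    hits = []
    for e in events:
        name = ntpath.basename(e["Image"]).lower()
        if (name in SHELLS and e["User"].upper() == SYSTEM
                and e["TerminalSessionId"] != 0):
            hits.append({"guid": e["ProcessGuid"], "chain": ancestry(e, by_guid)})
    return hits

if __name__ == "__main__":
    for hit in system_shells_on_desktop(EVENTS):
        print(hit["guid"], " <- ".join(hit["chain"]))
```

The rule keys on the account and session rather than on the installer's name, so it also covers the other auto-installed packages the article speculates about; the ancestry chain tells the analyst which installer the shell came from.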
I would like to update that I have been reached out by @Razer and ensured that their security team is working on a fix ASAP.
Their manner of communication has been professional and I have even been offered a bounty even though publicly disclosing this issue.
— jonhat (@j0nh4t) August 22, 2021
Incidentally, sometime after the Tweet went out, Razer contacted the security researcher and is collaborating with him to fix the Razer bug.
Many vulnerabilities fall into the class of "How has nobody realized this before now?"
If you combine the facts of "connecting USB automatically loads software" and "software installation happens with privileges", I'll wager that there are other exploitable packages out there…
— Will Dormann (@wdormann) August 22, 2021
While Razer is fixing the bug, it is quite likely that such loopholes exist in other software. After all, there are thousands of USB peripherals, and there could be dozens of executables that a Windows PC automatically downloads and installs.