Disable Plug-N-Play USB Auto-Installers to prevent anyone getting SYSTEM Administrator privileges: Razer Bug highlights serious security loophole

Block all auto-installers in Windows 10. Pic credit: Alejandro Mallea/Flickr

The Razer Bug brought into the spotlight the ridiculously easy way to secure Admin-level rights on any Windows 10 PC. There has been a desperate search for a way to block the Local Privilege Escalation (LPE) security vulnerability, and it just ended.

Security researchers recently discovered how easily anyone could gain access to Administrator or SYSTEM privileges on a Windows 10 computer by merely plugging in a Razer-branded USB peripheral. Now, a Registry hack is available to block such potential threats.

Razer Bug highlights serious security vulnerabilities that can be easily exploited to gain Administrator rights:

A Twitter user recently discovered and alerted Razer about a security loophole that allowed anyone to merely plug in a Razer mouse, keyboard, or a dongle, to gain SYSTEM privileges. The security researcher published the findings on Twitter, allegedly to gain the company’s attention.

The trick to gain SYSTEM privileges is surprisingly easy. A threat actor merely needs to insert a Razer-branded USB peripheral, and wait for the Razer Synapse software to start installing.

At the point where the software asks for an installation location, merely press Shift and right-click on the dialog, and select ‘Open PowerShell window here.’ Because the RazerInstaller.exe executable runs with SYSTEM privileges, the PowerShell window opened from its dialog inherits the same SYSTEM privileges.

The security researcher has confirmed that Razer approached him and is now working to fix the security loophole. Needless to mention, even Microsoft needs to address the vulnerability. However, until the Windows OS maker blocks the Razer Bug for all other installations and USB peripherals, here is a simple registry hack.

Immediately block all Windows co-driver auto-installations of “support applications”:

It is amply clear that it is the computer peripheral supplier’s application that is the conduit to gain SYSTEM privileges in Windows 10. Simply put, PC users must block any and all co-driver support package installations until Microsoft patches the security vulnerability.

Incidentally, reports indicate researchers have found more devices that may allow local privilege elevation, including SteelSeries devices. In other words, there could be more such notorious installations that could grant Admin rights.

The temporary workaround to block all co-driver support applications from installing requires an edit in the Registry Editor. Do note that careless changes made with the Registry Editor can render the Windows OS unusable. Hence proceed with extreme caution.

To block all auto-installers:

  • Open the Registry Editor and navigate to the following Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Installer
  • Under that key, add a DWORD (32-bit) value named DisableCoInstallers and set it to 1.

Reboot the PC for the registry edit to take effect. From then on, Windows will block co-installers that are associated with any USB peripheral.

The only drawback to the security measure is that it will block a device’s configuration software from auto-installing. Users will have to manually download any support packages.
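
The same registry change can be audited and applied from PowerShell, which is easier to repeat across several machines than a manual edit. The script below is an added example, not code from the article or from Microsoft; the -Enforce switch and the function names are assumptions made for illustration.

```powershell
# Added example: report, and optionally set, the DisableCoInstallers value.
# The -Enforce switch and the function names are illustrative assumptions.
[CmdletBinding()]
param([switch]$Enforce)   # without -Enforce the script only reports

$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Installer'
$ValueName = 'DisableCoInstallers'

function Get-CoInstallerBlockState {
    # Returns the current DWORD, or $null when the key or the value is absent.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$ValueName
}

function Test-IsElevated {
    # Writing under HKLM needs an elevated (Run as administrator) session.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

$current = Get-CoInstallerBlockState
if ($current -eq 1) {
    Write-Output ('{0} is already 1: co-installers are blocked.' -f $ValueName)
    return
}

$shown = if ($null -eq $current) { 'not set' } else { $current }
Write-Output ('{0} is {1}: co-installers are allowed.' -f $ValueName, $shown)

if (-not $Enforce) {
    Write-Output 'Audit only. Re-run with -Enforce from an elevated session to apply.'
    return
}
if (-not (Test-IsElevated)) {
    throw 'Writing under HKLM requires an elevated PowerShell session.'
}

# Create the key if it is missing, then write the 32-bit DWORD.
if (-not (Test-Path -Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null

# Read the value back instead of trusting the write.
if ((Get-CoInstallerBlockState) -ne 1) {
    throw ('{0} could not be verified after writing.' -f $ValueName)
}
Write-Output ('{0} set to 1. Reboot for the change to take effect.' -f $ValueName)
```

Run without arguments, the script only reports the current state, which makes it usable as a periodic compliance check.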
