Simply plugging in a Razer keyboard or mouse could give an attacker administrator privileges on Windows 10 machines by automatically installing device software, a security researcher has discovered.
Twitter user jonhat shared the vulnerability publicly on Saturday, saying that getting local admin privileges was as easy as plugging in a Razer peripheral and opening PowerShell.
In a video accompanying his tweet, jonhat showed the full attack.
Once he connects the Razer device to the Windows 10 virtual machine, it automatically downloads and installs the device drivers.
This is normal for plug-and-play devices, which automatically tell the system which drivers to install so users can start using their new peripherals right away.
But the problem comes with the Razer Synapse software bundled with the company’s driver.
Razer Synapse lets users personalise their keyboards and mice with custom configurations like key macros and ambient lighting. When the installer loads, it lets the user choose the install location, which opens a File Explorer window.
Inside File Explorer, jonhat holds down Shift and right-clicks to bring up a context menu that includes ‘Open PowerShell window here’ as one option.
Because the installer was running with SYSTEM privileges, the PowerShell window it spawned also ran as SYSTEM, which jonhat confirms by typing the ‘whoami’ command.
Need local admin and have physical access?
- Plug a Razer mouse (or the dongle)
- Windows Update will download and execute RazerInstaller as SYSTEM
- Abuse elevated Explorer to open Powershell with Shift+Right click
Tried contacting @Razer, but no answers. So here's a freebie pic.twitter.com/xDkl87RCmz
— jonhat (@j0nh4t) August 21, 2021
Jonhat reported the issue to Razer, which, after some delay, did reach out to the researcher.
According to jonhat, the issue is being fixed and he will receive a bug bounty for his efforts.
The revelation that Razer’s software opened the door to Windows 10 SYSTEM privileges caused a stir among security researchers, who wondered whether a similar issue affects other plug-and-play devices that automatically launch installers for GUI software like Razer Synapse.
Despite being a local attack – meaning it requires physical access to the machine – this type of vulnerability could cause headaches for system administrators at workplaces and schools who try to limit privileges for normal users.
“There’s no reason to believe that Razer is the only automatically-installed-via-Windows-Update software for USB devices that can be abused for privilege escalation,” said Will Dormann, an analyst at the US Computer Emergency Response Team Coordination Centre (CERT/CC).
“Think of the attack surface of every single device driver on Windows Update that is triggerable via a USB connection.
“All you need is a single one with a vulnerability. Physical access (or RemoteFX via RDP) is a dangerous thing indeed.”
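The detection angle for administrators, as an added example that is not from the article, from jonhat or from Razer: a small Python check over process-creation telemetry (constructed records in the shape of Sysmon Event ID 1 fields) that flags an interactive shell running as SYSTEM whose parent is an Explorer window also running as SYSTEM, and reports the parent chain so the installer that spawned the elevated Explorer is visible. It is written for the general case Dormann describes (any USB-triggered installer), not just the Razer one; the RazerInstaller path and PIDs in the sample are constructed.

```python
# Added example (not the article's or Razer's code): flag a shell running as SYSTEM
# whose parent explorer.exe also runs as SYSTEM, and report the parent chain so the
# installer that spawned the elevated Explorer window is visible to the analyst.
from dataclasses import dataclass
SYSTEM = "NT AUTHORITY\\SYSTEM"
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

@dataclass
class ProcEvent:
    """Subset of a Sysmon Event ID 1 (process creation) record."""
    pid: int
    ppid: int
    image: str  # full path of the new process
    user: str   # account the new process runs as

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def ancestry(event, by_pid, max_depth=8):
    """Image names from the oldest known ancestor down to `event`."""
    chain, cur = [event], by_pid.get(event.ppid)
    while cur is not None and len(chain) < max_depth:
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return [basename(e.image) for e in reversed(chain)]

def find_system_shells_from_explorer(events):
    """Ancestry chain of every SYSTEM shell whose parent is a SYSTEM Explorer."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if basename(e.image) not in SHELLS or e.user.upper() != SYSTEM:
            continue
        parent = by_pid.get(e.ppid)
        if parent and basename(parent.image) == "explorer.exe" and parent.user.upper() == SYSTEM:
            hits.append(ancestry(e, by_pid))
    return hits

# Constructed telemetry: a normal user session, a SYSTEM cmd.exe from a service (benign), and the chain
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE = [
    ProcEvent(1200, 700, r"C:\Windows\System32\svchost.exe", SYSTEM),
    ProcEvent(3100, 1200, r"C:\Windows\Temp\RazerInstaller.exe", SYSTEM),  # constructed path
    ProcEvent(3300, 3100, r"C:\Windows\explorer.exe", SYSTEM),
    ProcEvent(3400, 3300, PS, SYSTEM),
    ProcEvent(2000, 1900, r"C:\Windows\explorer.exe", "DESKTOP\\alice"),
    ProcEvent(2100, 2000, PS, "DESKTOP\\alice"),
    ProcEvent(2200, 1200, r"C:\Windows\System32\cmd.exe", SYSTEM),
]
print(find_system_shells_from_explorer(SAMPLE))  # -> [['svchost.exe', 'razerinstaller.exe', 'explorer.exe', 'powershell.exe']]
```

The same parent-and-user test can be expressed as a Sysmon or SIEM rule; a SYSTEM shell started directly by a service (the cmd.exe record above) is deliberately not flagged, since that is routine for scheduled tasks.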