Windows 10 Admin Rights Gobbled by Razer Devices


So much for Windows 10’s security: A zero-day in the device installer software grants admin rights just by plugging in a mouse or other compatible device. UPDATE: Microsoft is investigating.

A zero-day bug in the device installer software for Razer peripherals – be they a Razer mouse, keyboard or any device that uses the Synapse utility – gives the plugger-inner full admin rights on Windows 10, just by inserting a compatible peripheral and downloading Synapse.

There’s apparently nothing keeping the vulnerability from allowing the same privilege escalation on Windows 11, although, if that operating system has in fact been tested, its vulnerability hasn’t yet been reported.

Razer manufactures popular, high-end hardware for gamers, including mice, keyboards and gaming chairs. Its Razer Synapse software enables users to configure hardware devices, set up macros or map buttons.

The bug was reported by security researcher jonhat (@j0nh4t), who tweeted about it on Saturday after initially not hearing back from Razer. As of Sunday, the tweet had caught Razer’s attention, and the manufacturer told jonhat that its security team was working on getting out a fix ASAP. It also awarded jonhat a bug bounty, in spite of the fact that the bug was disclosed.

As the researcher tells it, and as BleepingComputer has confirmed in its own tests, the problem is that when a user plugs in a Razer device (or dongle, if it’s a wireless peripheral), Windows automatically fetches an installer containing driver software and the Synapse utility. The plug-and-play Razer Synapse installation then allows users to gain SYSTEM privileges on the Windows device lickety-split, since, as part of the setup routine, it opens an Explorer window that prompts the user to specify where the driver should be installed.

SYSTEM privileges are the highest user privilege level in Windows: With a SYSTEM account, someone can get full control over the system, meaning that they can view, change or delete data; can create new accounts with full user rights; and can install whatever they want – including malware.

In other words, the setup routine for Synapse runs with the highest available privileges in Windows 10. Since the RazerInstaller.exe executable was launched via a Windows process running with SYSTEM privileges, the Razer installation program inherited those same Admin privileges. jonhat found that if a user opts to change the default location of the installation folder, it triggers a “Choose a folder” dialog. At that point, you can right-click the installation window and press the Shift key, which opens a PowerShell terminal with those same elevated privileges.
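One way to detect the behavior described above from process-creation telemetry, added here as an example and not code from the article, the researcher or Razer: it flags any command shell running as SYSTEM that has the installer somewhere in its process ancestry. It assumes events carry the Sysmon Event ID 1 fields `Image`, `User`, `ProcessGuid` and `ParentProcessGuid`; the shell watch list, the helper names and all sample events (paths, GUIDs, user name) are constructed for illustration.

```python
import ntpath

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}   # assumed watch set
INSTALLERS = {"razerinstaller.exe"}                  # file name from the article
SYSTEM_USER = "nt authority\\system"

def base(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path or "").lower()

def find_system_shells(events):
    """Return (shell, installer) event pairs where a shell running as
    SYSTEM has a watched installer anywhere in its ancestry."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    hits = []
    for e in events:
        if base(e["Image"]) not in SHELLS:
            continue
        if e.get("User", "").lower() != SYSTEM_USER:
            continue
        seen = set()  # guards against loops in malformed telemetry
        parent = by_guid.get(e.get("ParentProcessGuid"))
        while parent and parent["ProcessGuid"] not in seen:
            seen.add(parent["ProcessGuid"])
            if base(parent["Image"]) in INSTALLERS:
                hits.append((e, parent))
                break
            parent = by_guid.get(parent.get("ParentProcessGuid"))
    return hits

def ev(guid, parent, image, user):
    """Build one constructed process-creation event."""
    return {"ProcessGuid": guid, "ParentProcessGuid": parent,
            "Image": image, "User": user}

# Constructed sample events; paths and GUIDs are placeholders.
SYS, USER = "NT AUTHORITY\\SYSTEM", "DESKTOP-EXAMPLE\\alice"
SAMPLE = [
    ev("A1", "A0", r"C:\Example\RazerInstaller.exe", SYS),
    ev("A2", "A1", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", SYS),
    ev("A3", "A2", r"C:\Windows\System32\cmd.exe", SYS),   # grandchild of installer
    ev("B1", "B0", r"C:\Windows\explorer.exe", USER),
    ev("B2", "B1", r"C:\Windows\System32\cmd.exe", USER),  # ordinary user shell
    ev("C1", "C0", r"C:\Windows\System32\services.exe", SYS),
    ev("C2", "C1", r"C:\Windows\System32\cmd.exe", SYS),   # SYSTEM, no installer
]

if __name__ == "__main__":
    for shell, inst in find_system_shells(SAMPLE):
        print(shell["ProcessGuid"], base(shell["Image"]), "<-", base(inst["Image"]))
```

Walking the full ancestry rather than only the direct parent also catches shells started from the first elevated shell.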

Read more here: threatpost.com