When a Razer mouse is plugged in, Windows automatically installs the brand's software, Synapse. A researcher managed to hijack this seemingly harmless process to gain administrator rights on the computer, which would allow him to install malware, among other things.
An amusing demonstration of the vulnerability was widely shared on Twitter on August 21, and then tested by Bleeping Computer. A researcher using the nickname "jonhat" explained that simply by plugging a Razer mouse into a computer, he managed to gain administrator rights on the system. Such rights allow the user to make any modification to the device, in other words to take control of it. For example, they can be used to install malware, which is why privilege-escalation methods are among the most sought after by cybercriminals.
Need local admin and have physical access?
– Plug a Razer mouse (or the dongle)
– Windows Update will download and execute RazerInstaller as SYSTEM
– Abuse elevated Explorer to open Powershell with Shift + Right click
– jonhat (@j0nh4t) August 21, 2021
The researcher explained that since Razer did not respond to his messages about the bug, he had decided to publish his findings, whereas the normal disclosure procedure should allow the manufacturer time to fix the flaw. But the next day, jonhat added that the hardware manufacturer had finally contacted him, and had even rewarded him with a bonus (a "bug bounty" in the jargon), despite the public disclosure of the flaw.
An unforeseen domino effect
The bug discovered by jonhat lies in the interaction between the Razer Synapse software and the Windows operating system. As soon as a user plugs a Razer device into their computer, Synapse downloads automatically. The program is used to configure the brand's devices: in the case of mice, for example, it lets the user assign a command to each of the additional buttons.
The researcher knew that it is not the user but a Windows program intended for this purpose that starts the automatic download of Synapse. The problem: this program, unlike the user in our scenario, has administrator rights on the computer. Worse, it passes that same level of privilege to the Razer installer it downloaded.
Once the software is installed, the Windows wizard lets the user choose the folder in which it will be placed. This is where jonhat turns the procedure to his advantage. He uses "Shift + right click" on the dialog window, and the computer offers to "open a PowerShell window" [PowerShell is native Windows software that lets you enter command lines to execute, editor's note]. In doing so, he opens the window with administrator privileges, when in theory he should have less access. All he then has to do is enter commands into the tool to make changes on the computer.
Microsoft may also have changes to make
As several researchers explained in reaction to the demonstration, this bug is very likely to also be present in other software that benefits from automatic installation by Windows. In other words, even if Razer can prevent the exploitation of the vulnerability on its own, Microsoft may also have changes to make on its side.
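From the defender's side, the sequence described above (an installer started with elevated rights whose dialog is then used to open PowerShell) leaves a recognizable process tree. The following Python sketch is an added example, not code from the researcher, Razer or Microsoft; the event fields, the installer-name heuristics and the placeholder path are assumptions, and it deliberately matches any installer-like parent rather than only Razer's.

```python
import ntpath

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
INSTALLER_HINTS = ("installer", "setup", "msiexec")  # assumed name heuristics
SYSTEM_USER = "NT AUTHORITY\\SYSTEM"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed process-creation events; every pid, path and user is made up.
EVENTS = [
    {"pid": 700, "ppid": 4, "image": r"C:\Windows\System32\services.exe", "user": SYSTEM_USER, "session": 0},
    {"pid": 1200, "ppid": 700, "image": r"C:\Windows\System32\svchost.exe", "user": SYSTEM_USER, "session": 0},
    # Installer started as SYSTEM but showing its dialog on the user's desktop (placeholder path).
    {"pid": 3100, "ppid": 1200, "image": r"C:\PLACEHOLDER\RazerInstaller.exe", "user": SYSTEM_USER, "session": 1},
    {"pid": 3188, "ppid": 3100, "image": PS, "user": SYSTEM_USER, "session": 1},
    # Benign: SYSTEM PowerShell in the non-interactive session 0.
    {"pid": 4000, "ppid": 1200, "image": PS, "user": SYSTEM_USER, "session": 0},
    # Benign: a standard user's own shell.
    {"pid": 5000, "ppid": 4900, "image": PS, "user": "DESKTOP\\alice", "session": 1},
]

def basename(path):
    return ntpath.basename(path).lower()

def ancestors(event, by_pid):
    """Yield parent, grandparent, ... and stop on unknown pids or loops."""
    seen, cur = set(), by_pid.get(event["ppid"])
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        yield cur
        cur = by_pid.get(cur["ppid"])

def find_elevated_shells(events):
    """Return (shell pid, installer name) for SYSTEM shells on a user desktop
    that descend from an installer-like process."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if basename(e["image"]) not in SHELLS:
            continue
        if e["user"].upper() != SYSTEM_USER or e["session"] == 0:
            continue
        for a in ancestors(e, by_pid):
            if any(h in basename(a["image"]) for h in INSTALLER_HINTS):
                alerts.append((e["pid"], basename(a["image"])))
                break
    return alerts

if __name__ == "__main__":
    print(find_elevated_shells(EVENTS))
```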
The fact remains that for a hacker to take advantage of the flaw, he will have to obtain physical access to the computer. This constraint greatly limits how dangerous the flaw is, since it considerably reduces the number of attack scenarios and makes them harder to set up. For example, to attack a business, the hacker would have to go to its premises, plug a Razer mouse (which hardly goes unnoticed with its green backlight) into a computer, and then enter command lines. Or he would have to bribe an employee already there to do it. Not easy.