You may want to keep an eye on your USB ports for the next few days. A security researcher has revealed an eerily simple way to get admin privileges in Windows 10 without password, and for once, it’s not Microsoft’s fault. This time around, it’s all thanks to Razer and its Synapse software. A fix is underway, but Razer missed the opportunity to eliminate it before it became an issue.
The story begins with security researcher Jonhat (@ j0nh4t on Twitter), who noted that Razer’s Synapse software automatically implemented itself whenever a Razer wireless mouse or receiver was connected. Like many feature-rich gaming peripherals, Razer requires the use of its desktop software to control lights, button mapping, and other functions.
This part is not unusual: Windows Update automatically loads a lot of software based on the connected hardware. It does this as a system, but the current Razer Synapse installer retains system permissions, which turns out to be a problem.
According to Jonhat, it is possible to hijack the Explorer process with elevated privileges from the installation to open Powershell. From there, you can install anything you want because the system has the highest user rights available in Windows. Plus, as if that weren’t enough, you can manually select a controllable installation path such as Desktop. The installer creates a binary file that can be further exploited to persist any changes to the system (the binary runs even before login).
Do you need a local administrator and do you have physical access?
– Plug in a Razer mouse (or dongle)
– Windows Update will download and run RazerInstaller as SYSTEM
– Explorer abuse high to open Powershell with Shift + right clickI tried to contact @Razer, but no answer. So here’s a giveaway pic.twitter.com/xDkl87RCmz
– jonhat (@ j0nh4t) August 21, 2021
With vulnerabilities of this severity, the discoverer is expected to reveal himself responsibly by passing through the company. However, Jonhat claims that Razer ignored his correspondence. Hence, he publicly revealed the zero day bug. Many others have since confirmed that a Razer mouse can help take control of a Windows 10 PC in minutes. Using this method, the attacker can install anything he wants without logging in as an administrator.
So, that’s not a big deal, and the only saving grace is that someone needs physical access to your computer (and a Razer peripheral). Following the disclosure, Razer confirmed it was working on a patch to be delivered soon. In the meantime, keep an eye out for the lurkers with the glowing mice.
Now read: