Due to Razer Synapse vulnerability, connecting a mouse to a Windows machine gives system privileges

Razer Synapse vulnerability

A security researcher known as jonhat discovered a 0-day vulnerability in Razer Synapse, thanks to which user can gain Windows administrator rights by simply connecting a Razer mouse or keyboard to your computer.

On Twitter, the expert writes that he tried to contact the manufacturer, but did not receive an answer and therefore decided to talk about the problem publicly. It is worth noting that the exploitation of the vulnerability requires physical access to the target machine, that is, the problem is of the type of local privilege escalation.

The fact is that when you connect the gadget to Windows 10 or Windows 11, the OS will automatically download and start installing the driver and Razer Synapse software, which allows user to customize Razer gadgets. Since the RazerInstaller.exe executable is run by a process with SYSTEM privileges, the Razer installer also gets SYSTEM privileges.

The installation wizard allows user to specify the folder where he want to install the software, and at this stage everything goes wrong. On Twitter, jonhat shows that when the user wants to change the installation folder, the Select Folder dialog box appears. If you press Shift and right-click on a dialog box, among other things, the user will be prompted to open a PowerShell window.

Since PowerShell is started by a process with SYSTEM privileges, the PowerShell application itself will inherit these privileges as well. As a result, a potential attacker is able to open the console with SYSTEM privileges.

After the publication of jonhat attracted the attention of the cybersecurity community, representatives of Razer contacted the researcher and said that they would prepare a patch in the near future. The specialist was also offered a bug bounty reward.

Additionally, if you go through the installation process and define the save dir to user controllable path like Desktop. A service binary is saved there which can be hijacked for persistance and is executed before user logon on boot. I would like to update that I have been reached out by @Razer and ensured that their security team is working on a fix ASAP. Their manner of communication has been professional and I have even been offered a bounty even though publicly disclosing this issue.jonhat said.

Let me remind you about the fact that Vulnerability in Windows 10 could allow gaining administrator privileges.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advices and tips on GridinSoft's products. He's available 24/7 to assist you in any question regarding internet security.

Leave a comment

Your email address will not be published. Required fields are marked *