Gaining SYSTEM rights on a Windows 10 computer is as simple as plugging in a Razer mouse or keyboard, due to a zero-day flaw in the Synapse device installer software.
Razer is a manufacturer of high-end peripherals that target gamers, with the company’s product portfolio including mice, keyboards, and gaming chairs. Razer provides software that can be downloaded to allow users to configure their peripherals and map buttons or set up macros.
A flaw was identified in the software by a security researcher with the moniker jonhat, who sent a Tweet about the flaw after claiming not to have heard back from Razer. After seeing the Tweet, Razer investigated and says it is working on a patch to correct the vulnerability.
When a Razer device is plugged in, Windows automatically searches for the installer, which includes driver software and the Synapse utility. The installer, razerInstaller.exe, is executed via a Windows process that runs with SYSTEM privileges. The user is given the option of choosing where the driver is installed during the software installation. If the default location is changed, a “Choose a folder” dialog box is opened. Right clicking on the installation window and pressing the shift key will open a PowerShell terminal with SYSTEM privileges.
“Need local admin and have physical access? – Plug a Razer mouse (or the dongle) – Windows Update will download and execute RazerInstaller as SYSTEM – Abuse elevated Explorer to open PowerShell with Shift+Right click,” explained jonhat.
The vulnerability was tested by Bleeping Computer with a Razer device and it was confirmed that the zero-day vulnerability existed and allowed them to gain SYSTEM privileges in about 2 minutes. SYSTEM privileges are the highest user rights in Windows and will allow a user to perform any command on the operating system, which would give the user full control of the device. Simply plugging in a mouse or keyboard could be all that is required to install malware or ransomware. Naturally, any attacker would need local access to a Windows 10 computer and a Razer device in order to exploit the local privilege escalation flaw.
While this flaw can be exploited with a Razer device, that may not be the only type of peripheral that allows the flaw to be exploited. It is the ability to change the installation folder that is the issue, and other devices that require software downloads via the Windows Plug and Play process may also be affected. Microsoft is currently investigating.