Due to Razer Synapse vulnerability, connecting a mouse to a Windows machine gives system privileges

Vladimir Krasnogolovy
Vladimir Krasnogolovy
3 Min Read
Razer Synapse vulnerability

A security researcher known as jonhat discovered a 0-day vulnerability in Razer Synapse, thanks to which user can gain Windows administrator rights by simply connecting a Razer mouse or keyboard to your computer.

On Twitter, the expert writes that he tried to contact the manufacturer, but did not receive an answer and therefore decided to talk about the problem publicly. It is worth noting that the exploitation of the vulnerability requires physical access to the target machine, that is, the problem is of the type of local privilege escalation.

The fact is that when you connect the gadget to Windows 10 or Windows 11, the OS will automatically download and start installing the driver and Razer Synapse software, which allows user to customize Razer gadgets. Since the RazerInstaller.exe executable is run by a process with SYSTEM privileges, the Razer installer also gets SYSTEM privileges.

The installation wizard allows user to specify the folder where he want to install the software, and at this stage everything goes wrong. On Twitter, jonhat shows that when the user wants to change the installation folder, the Select Folder dialog box appears. If you press Shift and right-click on a dialog box, among other things, the user will be prompted to open a PowerShell window.

Since PowerShell is started by a process with SYSTEM privileges, the PowerShell application itself will inherit these privileges as well. As a result, a potential attacker is able to open the console with SYSTEM privileges.

After the publication of jonhat attracted the attention of the cybersecurity community, representatives of Razer contacted the researcher and said that they would prepare a patch in the near future. The specialist was also offered a bug bounty reward.

Additionally, if you go through the installation process and define the save dir to user controllable path like Desktop. A service binary is saved there which can be hijacked for persistance and is executed before user logon on boot. I would like to update that I have been reached out by @Razer and ensured that their security team is working on a fix ASAP. Their manner of communication has been professional and I have even been offered a bounty even though publicly disclosing this issue.jonhat said.

Let me remind you about the fact that Vulnerability in Windows 10 could allow gaining administrator privileges.

You Might Also Like

Malicious Loan Apps in Play Store Decieved 12M Users

Dharma Ransomware Criminals Captured in Ukraine, Europol Reports

Researcher Published PoC Exploit for ProxyLogon Vulnerabilities in Microsoft Exchange

NASA has faced 6000 cyberattacks in the past four years

Binance Smart Contracts Blockchain Abused in Malware Spreading

Share This Article
By Vladimir Krasnogolovy
Follow:
Vladimir is a technical specialist who loves giving qualified advices and tips on GridinSoft's products. He's available 24/7 to assist you in any question regarding internet security.
Previous Article Hacked the US Census Bureau Attackers hacked the US Census Bureau using Citrix exploit
Next Article most attacked Linux vulnerabilities Experts list 15 most attacked Linux vulnerabilities
Leave a comment

Stay Connected

Latest News

What is email phishing scams from Meta Security?
Meta Security Email Phishing Scams Explained
Security News
GitLab Releases Security Update, Patches Authentication Bypass Flaw
GitLab Fixes Critical Kubernetes Agent Takeover Vulnerability
Security News
FakeBat Malware Exploits Google Search Ads, Again
FakeBat Loader is Back With New Tactics and Payload
Security News
Ivanti EPM RCE vulnerability fixed, patch now
RCE Vulnerability in Ivanti Endpoint Manager Uncovered, Patch Now
Security News