A security researcher known as jonhat discovered a 0-day vulnerability in Razer Synapse, thanks to which user can gain Windows administrator rights by simply connecting a Razer mouse or keyboard to your computer.
On Twitter, the expert writes that he tried to contact the manufacturer, but did not receive an answer and therefore decided to talk about the problem publicly. It is worth noting that the exploitation of the vulnerability requires physical access to the target machine, that is, the problem is of the type of local privilege escalation.
Need local admin and have physical access?
– Plug a Razer mouse (or the dongle)
– Windows Update will download and execute RazerInstaller as SYSTEM
– Abuse elevated Explorer to open Powershell with Shift+Right click
— jonhat (@j0nh4t) August 21, 2021
The fact is that when you connect the gadget to Windows 10 or Windows 11, the OS will automatically download and start installing the driver and Razer Synapse software, which allows user to customize Razer gadgets. Since the RazerInstaller.exe executable is run by a process with SYSTEM privileges, the Razer installer also gets SYSTEM privileges.
The installation wizard allows user to specify the folder where he want to install the software, and at this stage everything goes wrong. On Twitter, jonhat shows that when the user wants to change the installation folder, the Select Folder dialog box appears. If you press Shift and right-click on a dialog box, among other things, the user will be prompted to open a PowerShell window.
Since PowerShell is started by a process with SYSTEM privileges, the PowerShell application itself will inherit these privileges as well. As a result, a potential attacker is able to open the console with SYSTEM privileges.
After the publication of jonhat attracted the attention of the cybersecurity community, representatives of Razer contacted the researcher and said that they would prepare a patch in the near future. The specialist was also offered a bug bounty reward.
Let me remind you about the fact that Vulnerability in Windows 10 could allow gaining administrator privileges.