Interesting Privilege Escalation Vulnerability

If you plug a Razer peripheral (mouse or keyboard, I think) into a Windows 10 or 11 machine, you can use a vulnerability in the Razer Synapse software — which automatically downloads — to gain SYSTEM privileges.

It should be noted that this is a local privilege escalation (LPE) vulnerability, which means that you need to have a Razer devices and physical access to a computer. With that said, the bug is so easy to exploit as you just need to spend $20 on Amazon for Razer mouse and plug it into Windows 10 to become an admin.

Posted on August 26, 2021 at 6:28 AM12 Comments

Comments

Hedo August 26, 2021 9:57 AM

No need for a mouse. You can stop right there at “physical access”.
A lot of free tools floating around (various “Commanders”, etc.).

Chelloveck August 26, 2021 10:52 AM

@Fazal Majid – In this case, such a seal wouldn’t help. It’s not like people are buying these unwittingly and would choose differently if they knew a specialized driver was required. Razer makes expensive gaming-oriented products. People buy them specifically because they have non-standard features which require specialized drivers.

TimH August 26, 2021 11:55 AM

Doesn’t seem like there’s much to stop getting a custom USB memory stick’s driver approved by MSFT with a an escalation feature like that, so plugging the stick in a running machine installs something in a few seconds, and off you go. 10 second attack window…

lurker August 26, 2021 1:43 PM

This Bear of Very Little Brain wonders what was the purpose of the Universal Serial Bus? On the few unfortunate occasions when using s Windows device it has always been a source of wonder and amazement: plug in a USB device be it ever so humble, and a message appears on screen that
“Windows is [searching for | installing] drivers for the device.” Perhaps there wasn’t any USB code in that dumpster…

Fay August 26, 2021 1:44 PM

@Chelloveck

In this case, such a seal wouldn’t help. It’s not like people are buying these unwittingly and would choose differently if they knew a specialized driver was required. Razer makes expensive gaming-oriented products. People buy them specifically because they have non-standard features which require specialized drivers.

Not really. They buy them for features, and maybe grudgingly accept that they’ll need drivers. It’s unlikely that the features would, in principle, “require” drivers. The manufacturers might require them due to poor design, or might (with Microsoft’s help) push drivers that aren’t actually required. I’ve seen lots of devices that work just fine with no special drivers on Linux, but trigger all kinds of crapware when plugged into a Windows machine.

As others have pointed out, the point is somewhat moot, because there’s no reason to think that it will be the willing buyers of these devices being attacked.

@Fazal, does Logitech put decent microswitches in those mice? I doubt it, as the ones in the much more expensive Marble Mouse trackball rarely last a year. (It takes all of 10 minutes to fix—much easier than repeated warranty claims, while avoiding the interdiction risks—though obviously I can’t recommend Logitech products to people that don’t solder. They use Chinese Omron switches, which for 10-15 years have been total garbage. I don’t know if that relates to manufacturing era or location, but the Japanese Omron switches in the old Microsoft Intellimice are usually good for 5-10 years of heavy use.)

Peter Galbavy August 27, 2021 8:39 AM

I have not tested it, but I suspect the Kiyo Pro camera I just bought will also present the same hole as it similarly installs the same software. Must try it on a “friends” PC soon.

SpaceLifeForm August 27, 2021 5:25 PM

@ Winter, ALL

Do you really trust USB driver software?

The LPE problem is in the USB Host software, not the device. Well, mostly.

Note that a USB flash drive is a computer, and therefore can pretend to be any possible device that can exploit a backdoor. Possibly silently with an Evil Maid. Possibly even if the computer is ‘logged off’.

Clogging up USB ports with glue may not just be a defense against exfiltration.

hxtps://www.twitter.com/MG/status/1431059999866843137

The Razer & SteelSeries Windows PrivEsc vulns are fun, but there are tons of devices that may be vulnerable.

We have a list of ~2500 possible devices! The easiest way to test is to use something like an OMG Cable or BashBunny to spoof the VID/PID.

Clive Robinson August 27, 2021 8:12 PM

@ SpaceLifeForm, ALL,

Do you really trust USB driver software?

I used to design hardware devices and write device driver software, so to me that is a silly question, of course I would not trust it, even if I wrote it…

As for the actual hardware device the driver is for the same reasoning applies…

With modern “System on a Chip”(SoC) and earlier Microcontrolers that contain Flash ROM etc, or anything that could give external communications, you would be daft to “trust” them.

Thus the question should be,

“How do you mitigate necessarily untrusted USB devices and drivers?”

To which part of the answer is “with a lot of care and caution”.

SpaceLifeForm August 28, 2021 7:06 PM

Looks like the approximately 3500 devices has been reduced to 332 driver packages.

If you are interested, grab now. The names will not surprise.

hxxps://pastebin.com/raw/7AEWBgcq

Andrew August 29, 2021 9:32 AM

Is the installer used by Razor custom developed by Razer or are they using a third-party tool that may point to an even larger issue?

SpaceLifeForm September 1, 2021 4:05 PM

Highly probable reduction of the attack surface

Set HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Installer\DisableCoInstallers = 1

hxtps://www.twitter.com/wdormann/status/1432703702079508480

hxtps://threadreaderapp.com/thread/1432703702079508480.html

[threadreader has some issues for me showing parts of the thread. YMMV]

[Note: Had to escape the backslashes with backslashes to get it thru the markup and markdown filters]

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.