Embarrassing Razer Software Exploit Gives Full Windows 10 Admin Access
In this case, the problem stems from Razer's Synapse software, which configures its peripherals like gaming mice and keyboards. This software can adjust macros, program mouse buttons, and control your RGB lighting. However, security researcher jonhat revealed via Twitter that an unscrupulous person with a Razer mouse or keyboard could gain SYSTEM access to a Windows 10 (or Windows 11) PC simply by plugging the device into the target PC.
Need local admin and have physical access?— jonhat (@j0nh4t) August 21, 2021
- Plug a Razer mouse (or the dongle)
- Windows Update will download and execute RazerInstaller as SYSTEM
- Abuse elevated Explorer to open Powershell with Shift+Right click
Tried contacting @Razer, but no answers. So here's a freebie pic.twitter.com/xDkl87RCmz
When a Razer peripheral (or dongle) is first plugged into a Windows 10 (or Windows 11) PC, the operating system will automatically attempt to download the requisite Synapse software to enable full functionality. The operating system then runs RazerInstaller.exe with SYSTEM privileges, prompting you to select a folder for the installation. However, while within File Explorer, you can press Shift + right click with your mouse to reveal "Open PowerShell Windows" in the resulting dropdown menu.
Within PowerShell, you can type "whoami' which then presents "nt authority\system", confirming full SYSTEM privileges to execute commands.
While this exploit is bad enough given its simplicity, the problem is made worse by Razer's initial response; or rather lack of response. According to jonhat, he reached out to Razer privately to disclose the security issue, but they didn't bother acknowledging his discovery.
Given the non-response, jonhat decided to go public with his findings, which seems to have awakened the security team within Razer. He posted an update saying that not only did the security team reach out to him, but they are working on a fix that will be incorporated into a future software update. Perhaps even better for jonhat, Razer is offering him a bounty for the bug discovery even though he already spilled the beans to the public.