Razer bug lets you become a Windows 10 admin by plugging in a mouse:
A Razer Synapse zero-day vulnerability has been disclosed on Twitter, allowing you to gain Windows admin privileges on a local computer simply by plugging in a mouse.
[...] When plugging in a Razer device into Windows 10 or Windows 11, the operating system will automatically download and begin installing the Razer Synapse software on the computer. Razer Synapse is software that allows users to configure their hardware devices, set up macros, or map buttons.
Security researcher jonhat discovered a zero-day vulnerability in the plug-and-play Razer Synapse installation that allows users to gain SYSTEM privileges on a Windows device quickly.
[...] When we plugged the Razer device into Windows 10, the operating system automatically downloaded and installed the driver and the Razer Synapse software.
Since the RazerInstaller.exe executable was launched via a Windows process running with SYSTEM privileges, the Razer installation program also gained SYSTEM privileges.
[...] When the Razer Synapse software is installed, the setup wizard allows you to specify the folder where you wish to install it. The ability to select your installation folder is where everything goes wrong.
When you change the location of your folder, a 'Choose a Folder' dialog will appear. If you press Shift and right-click on the dialog, you will be prompted to open 'Open PowerShell window here,' which will open a PowerShell prompt in the folder.
[...] As this PowerShell prompt is being launched by a process with SYSTEM privileges, the PowerShell prompt will also inherit those same privileges.
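A detection sketch for the behaviour described in the summary above, added here as an example and not taken from the article or from any commenter: it flags a shell running as SYSTEM inside an interactive session and reconstructs its parent chain. The events are constructed, use Sysmon Event ID 1 field names, and assume the installer's UI runs in the logged-on user's session (session ID other than 0); the installer path is a placeholder.

```python
import ntpath

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
SYSTEM = "NT AUTHORITY\\SYSTEM"

# Constructed sample events (not real telemetry); the installer path is a placeholder.
EVENTS = [
    {"ProcessGuid": "p1", "ParentProcessGuid": "p0", "TerminalSessionId": 1,
     "User": SYSTEM, "Image": r"C:\PLACEHOLDER\RazerInstaller.exe"},
    {"ProcessGuid": "p2", "ParentProcessGuid": "p1", "TerminalSessionId": 1,
     "User": SYSTEM,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # An ordinary user's own shell: same binary, not SYSTEM, must not alert.
    {"ProcessGuid": "p3", "ParentProcessGuid": "p9", "TerminalSessionId": 1,
     "User": r"DESKTOP\alice",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # A SYSTEM shell in session 0 (services, no desktop): out of scope here.
    {"ProcessGuid": "p4", "ParentProcessGuid": "p8", "TerminalSessionId": 0,
     "User": SYSTEM, "Image": r"C:\Windows\System32\cmd.exe"},
]


def find_system_shells(events):
    """Return SYSTEM shells started in an interactive session, with ancestry."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    findings = []
    for e in events:
        name = ntpath.basename(e["Image"]).lower()
        is_system = e["User"].upper() == SYSTEM.upper()
        if name not in SHELLS or not is_system or e["TerminalSessionId"] == 0:
            continue
        # Walk parent links as far as the log allows; guard against loops.
        chain, cur, seen = [], e, set()
        while cur and cur["ProcessGuid"] not in seen:
            seen.add(cur["ProcessGuid"])
            chain.append(ntpath.basename(cur["Image"]))
            cur = by_guid.get(cur["ParentProcessGuid"])
        findings.append({"shell": e["ProcessGuid"], "chain": chain[::-1]})
    return findings


if __name__ == "__main__":
    for f in find_system_shells(EVENTS):
        print(f["shell"], " -> ".join(f["chain"]))
```
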
(Score: 5, Insightful) by maxwell demon on Monday August 23 2021, @05:21AM (25 children)
Wait, Windows automatically downloads and installs software as soon as you plug in a device? Without even asking for an admin password? Who on earth thought this to be a good idea?
The Tao of math: The numbers you can count are not the real numbers.
(Score: 5, Insightful) by Fluffeh on Monday August 23 2021, @06:24AM (4 children)
This is exactly what I was thinking.
Plug in a device, enable pre-installed generic windows software for that type of device. If it wants to install new software, it should ask permission.
Even if you put security to the side for a moment (just for a moment), what's to stop shitware/bloatware/crapware being installed on my damned system as a user? Sometimes I prefer my mouse to be treated just as a basic mouse - and not install its own super duper mouse software with it. If I want the fancy stuff, I can either install it myself, or ALLOW the software to be installed. What's to stop the "mouse software" also installing something to constantly drop ads into my system?
Now, back to the security. What the hell... This sounds like a security nightmare that's about to be revisited by the folks in Microsoft in some hurriedly organised meetings.
(Score: 4, Touché) by Opportunist on Monday August 23 2021, @07:22AM
Why do you think that's a bug and not a feature? At least according to your corporate overlords.
(Score: 5, Interesting) by looorg on Monday August 23 2021, @09:11AM (1 child)
Isn't, or wasn't, this the standard previous to Win10/11? It would look at what is already on the system and run some default generic stuff and if you wanted to get all the bells and whistles you would have to run that separately afterwards. I recall mice previously just working but if I wanted to turn on/off the lights, reconfigure all the buttons and add various other things I had to install some manufacturer software specific to the mouse. It was not automagically installed.
(Score: 1, Interesting) by Anonymous Coward on Monday August 23 2021, @11:00AM
It did a sort of hybrid. It would install the generic driver that fits the class of device and then look for a more specific driver from their online update system to install if enabled. If that driver had other support software listed or certain other criteria were hit, it would prompt you to install it. If you didn't or if the online search was disabled, then it would pop up a notification about installing the correct driver every time the hardware was redetected.
(Score: 2) by edIII on Tuesday August 24 2021, @07:41PM
We're talking about one of the holes on the pasta strainer that is Microsoft Security. I have a thumbdrive that will give me admin on any Windows machine from a simple reboot. Easiest money I ever made was rescuing some business owner from a disgruntled employee that locked up their MS Server. I was done in literally 5 minutes and out the door for lunch.
They must be smoking good shit at those meetings and laughing their asses off. It's not like I've seen Microsoft actually secure anything in the last 10 years since those meetings should've started in earnest.
Technically, lunchtime is at any moment. It's just a wave function.
(Score: 3, Insightful) by Opportunist on Monday August 23 2021, @07:20AM (12 children)
The same people who thought that automatically running an app from an unknown CD-ROM would be a good idea.
(Score: 0) by Anonymous Coward on Monday August 23 2021, @07:28AM (1 child)
even that didn't run them as system or administrator though
(Score: 4, Informative) by vux984 on Monday August 23 2021, @04:26PM
It didn't have to, as at that time, pretty much everyone ran as an administrator all the time anyway.
(Score: 3, Interesting) by FatPhil on Monday August 23 2021, @08:32AM (7 children)
This particular exploit, however, does remind me of another one from about the mid to late 90s - not sure if NT- or 95-family, not that it matters. I think the login dialog box had a help button. Click on help, and the help popup had a system menu that had a "print" option. Select print, and a printer selection dialog pops up that included something like a "find other printer" option - which was basically just "explorer", and gave you full access (as user, so not as serious as this) to the system before you were logged in.
Ahhhh, Microsoft, the pioneers of BaaF - Bugs-as-a-Feature. There's a reason I abandoned you over 2 decades ago. More like a million reasons.
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 3, Insightful) by maxwell demon on Monday August 23 2021, @08:43AM (5 children)
Must be NT-family, because 95-family had no concept of admin or login. It had the same security properties as DOS.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 3, Interesting) by kazzie on Monday August 23 2021, @10:03AM (4 children)
Well there was an option of enabling user logons in Windows 95, but it could be bypassed by pressing Escape at the login dialog.
(Score: 2) by Freeman on Monday August 23 2021, @01:30PM (1 child)
That's a helpful feature . . .
Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
(Score: 2) by kazzie on Monday August 23 2021, @04:05PM
Yeah, all it really enabled was per-user configuration of desktop wallpaper, start menu, and My Documents path. Nothing security-related whatsoever.
(Score: 0) by Anonymous Coward on Tuesday August 24 2021, @01:07AM (1 child)
I remember the login prompt that you speak of but I'm certain that was a login window for 'Client for Microsoft Networks', not a computer login. Win95 is a single user OS so no login was ever needed.
(Score: 0) by Anonymous Coward on Wednesday August 25 2021, @01:54AM
Windows 95/98 are single-user OSes. By default, the login window was for the network client services and affected the selection of your roaming profile and that is it. In certain circumstances, you could set 95/98 to use user profiles, but that was relatively rare. In Windows 98 SE, they changed the default so that way logging in would change your profile and roaming profile. However, there was not the concept of separate users and the different settings between user profiles were limited beyond Microsoft customizing things like the wallpaper and a few other things because of that. It wasn't until XP, which had separate users in addition to the separate profiles, that dividing things up properly was more important.
(Score: 0) by Anonymous Coward on Tuesday August 24 2021, @01:12AM
25-year-old bug, eh?
Hmmm....maybe someone could fire up Windows 95, point winNuke.exe at a Win10 machine, and see what happens. (Does the BSOD still exist in Win10?)
(Score: 0) by Anonymous Coward on Monday August 23 2021, @03:33PM (1 child)
Sony. The backdooring crony. Did they even cop a fine for that rootkit fiasco?
(Score: 2) by Opportunist on Monday August 23 2021, @04:32PM
Oh c'mon, Most people, I think, don't even know what a rootkit is, so why should they care about it? [afterdawn.com].
(Score: 2) by ElizabethGreene on Monday August 23 2021, @02:22PM (6 children)
Is this not the desired behavior? If you plug in another component like a GPU or somesuch do you not want the machine to identify the device, grab that driver, install, and enable it? That's the default behavior in Windows.
Clarification: The driver download is done by Windows update and the lookup is based on the hardware ID. If Razer pulls this download from windows update then the vulnerability will be instantly closed.
That Razer makes crap software should be no huge shock. I cannot fathom why they'd ask you to install a constantly-running cloud agent package just to turn the blinky lights off on a keyboard.
(Score: 4, Insightful) by Thexalon on Monday August 23 2021, @03:48PM (1 child)
No, really what the desired behavior should be is that said component adheres to standards which means that the machine doesn't need to download and install special anything to run it, just a standards-compliant driver.
One reason we don't have that is that hardware manufacturers want to differentiate themselves in the marketplace on (often useless) features rather than on price, speed, and durability, and also love being able to install spyware as part of having their stuff installed and running.
The only thing that stops a bad guy with a compiler is a good guy with a compiler.
(Score: 2) by ElizabethGreene on Monday August 23 2021, @07:05PM
I couldn't agree more on that. If you're picking hardware please do this. Since printers are what I'm heads-down on right now then a big plug for Type 4 printer drivers that do this.
To your second point, one person's useless feature is another's killer app. On the opposite side of the coin one OS manufacturer's attempt to standardize drivers is another's "parasite monopoly closed ecosystem". Are there any win-win solutions in that kind of problem? I don't know.
(Score: 2) by Fnord666 on Monday August 23 2021, @05:25PM (1 child)
I think the real questions are
1. what controls whether you get a File dialog and
2. why does this File dialog allow you to open a powershell prompt?
(Score: 3, Informative) by EvilSS on Monday August 23 2021, @06:20PM
Windows file dialogs have been a security hole for a while now. So much so there are 3rd party products to lock them down. I do a lot of Citrix/VDI work and using a file dialog to break out to a command prompt, run an executable on the system, or even make your own script/batch file and run it all from a file dialog has been a problem (or useful tool, depending on your point of view that particular day) for a long time now.
There is no reason that Windows should be running this in an interactive manner (ignoring going way beyond just installing a basic driver and installing full blown software in the first place) with no as admin UAC prompt. I think the reason no one noticed this before is that Razer and Enterprise don't have a lot of overlap in their user base Venn diagrams, and I don't know of a lot of other products that do this like Razer does so it's not something you see every day.
(Score: 2) by maxwell demon on Monday August 23 2021, @05:42PM
No, if you are a non-administrator, by default you shouldn't be able to install any software. Including drivers for random hardware that you plug into the computer.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 0) by Anonymous Coward on Tuesday August 24 2021, @03:52PM
EG posts almost always help to reinforce the perception that MS just has no clue about security.
(Score: 0) by Anonymous Coward on Monday August 23 2021, @02:13PM (1 child)
Someone didn't tell the razer interns not to do UI stuff in services.
(Score: 0) by Anonymous Coward on Monday August 23 2021, @04:54PM
This "UI Stuff" is part of the installer - not the service it installs.
(Score: 2) by mobydisk on Monday August 23 2021, @05:46PM
It makes sense if this is a simple, silent, Microsoft-curated driver. When installing a printer driver, I often try to install the minimal driver possible by finding the .inf file. Because if you launch the "HP Installer" it installs stuff that displays a GUI with ink levels, ads that offer you paper and ink, or even third-party printing-related services. I would not mind it auto-downloading a driver, but not if it displays a GUI and installs something that makes a desktop icon or a start menu folder or an always-running service of some kind. That's not a driver.