SoylentNews is people

posted by Fnord666 on Monday August 23 2021, @04:46AM
from the Razer-should've-read-the-email dept.

Razer bug lets you become a Windows 10 admin by plugging in a mouse:

A Razer Synapse zero-day vulnerability has been disclosed on Twitter, allowing you to gain Windows admin privileges on a local computer simply by plugging in a mouse.

[...] When plugging in a Razer device into Windows 10 or Windows 11, the operating system will automatically download and begin installing the Razer Synapse software on the computer. Razer Synapse is software that allows users to configure their hardware devices, set up macros, or map buttons.

Security researcher jonhat discovered a zero-day vulnerability in the plug-and-play Razer Synapse installation that allows users to gain SYSTEM privileges on a Windows device quickly.

[...] When we plugged the Razer device into Windows 10, the operating system automatically downloaded and installed the driver and the Razer Synapse software.

Since the RazerInstaller.exe executable was launched via a Windows process running with SYSTEM privileges, the Razer installation program also gained SYSTEM privileges.

[...] When the Razer Synapse software is installed, the setup wizard allows you to specify the folder where you wish to install it. The ability to select your installation folder is where everything goes wrong.

When you change the location of your folder, a 'Choose a Folder' dialog will appear. If you press Shift and right-click on the dialog, you will be prompted to open 'Open PowerShell window here,' which will open a PowerShell prompt in the folder.

[...] As this PowerShell prompt is being launched by a process with SYSTEM privileges, the PowerShell prompt will also inherit those same privileges.


Original Submission
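
A detection-side illustration of the chain described in the story above, added here and not part of the original article or the discussion: it flags a command shell running as SYSTEM inside an interactive desktop session, using field names from Sysmon Event ID 1 (process creation). The events, the directory paths, the user and agent names, and the function names are constructed assumptions; only the file name RazerInstaller.exe comes from the story.

```python
# Added example: field names follow Sysmon Event ID 1 (process creation);
# every event below is constructed for illustration, including the paths.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
SYSTEM_USER = "NT AUTHORITY\\SYSTEM"

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_system_shell_on_desktop(event):
    """True when a command shell runs as SYSTEM inside a user's desktop session.

    Session 0 is reserved for services, so a SYSTEM shell there is routine;
    in any other session it means a SYSTEM process showed UI to the user and
    a shell was started from it, which is the chain the article describes.
    """
    return (
        basename(event["Image"]) in SHELLS
        and event["User"].upper() == SYSTEM_USER
        and int(event["TerminalSessionId"]) != 0
    )

def triage(events):
    """Return (parent, child, session) for each event worth an alert."""
    return [
        (basename(e["ParentImage"]), basename(e["Image"]), int(e["TerminalSessionId"]))
        for e in events
        if is_system_shell_on_desktop(e)
    ]

SAMPLE_EVENTS = [  # constructed
    # Shell opened from the installer's folder dialog (the case in the story).
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\ExamplePath\RazerInstaller.exe",
     "User": "NT AUTHORITY\\SYSTEM", "TerminalSessionId": "1"},
    # Ordinary user shell started from Explorer.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "User": "DESKTOP-EXAMPLE\\alice", "TerminalSessionId": "1"},
    # SYSTEM shell in session 0, e.g. a management agent running a script.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\ExamplePath\agent.exe",
     "User": "NT AUTHORITY\\SYSTEM", "TerminalSessionId": "0"},
]

if __name__ == "__main__":
    for parent, child, session in triage(SAMPLE_EVENTS):
        print(f"ALERT: {child} as SYSTEM in session {session}, parent {parent}")
```

The rule keys on the session rather than on the vendor's file name, so it also covers other installers that show a file dialog while running as SYSTEM.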

 
  • (Score: 2) by ElizabethGreene on Monday August 23 2021, @02:22PM (6 children)

    by ElizabethGreene (6748) on Monday August 23 2021, @02:22PM (#1169873)

    Is this not the desired behavior? If you plug in another component like a GPU or somesuch do you not want the machine to identify the device, grab that driver, install, and enable it? That's the default behavior in Windows.

    Clarification: The driver download is done by Windows Update and the lookup is based on the hardware ID. If Razer pulls this download from Windows Update then the vulnerability will be instantly closed.

    That Razer makes crap software should be no huge shock. I cannot fathom why they'd ask you to install a constantly-running cloud agent package just to turn the blinky lights off on a keyboard.

  • (Score: 4, Insightful) by Thexalon on Monday August 23 2021, @03:48PM (1 child)

    by Thexalon (636) on Monday August 23 2021, @03:48PM (#1169893)

    Is this not the desired behavior? If you plug in another component like a GPU or somesuch do you not want the machine to identify the device, grab that driver, install, and enable it? That's the default behavior in Windows.

    No, really what the desired behavior should be is that said component adheres to standards which means that the machine doesn't need to download and install special anything to run it, just a standards-compliant driver.

    One reason we don't have that is that hardware manufacturers want to differentiate themselves in the marketplace on (often useless) features rather than on price, speed, and durability, and also love being able to install spyware as part of having their stuff installed and running.

    --
    "Think of how stupid the average person is. Then realize half of 'em are stupider than that." - George Carlin
    • (Score: 2) by ElizabethGreene on Monday August 23 2021, @07:05PM

      by ElizabethGreene (6748) on Monday August 23 2021, @07:05PM (#1169974)

      No, really what the desired behavior should be is that said component adheres to standards which means that the machine doesn't need to download and install special anything to run it, just a standards-compliant driver.

      I couldn't agree more on that. If you're picking hardware please do this. Since printers are what I'm heads-down on right now then a big plug for Type 4 printer drivers that do this.

      To your second point, one person's useless feature is another's killer app. On the opposite side of the coin one OS manufacturer's attempt to standardize drivers is another's "parasite monopoly closed ecosystem". Are there any win-win solutions in that kind of problem? I don't know.

  • (Score: 2) by Fnord666 on Monday August 23 2021, @05:25PM (1 child)

    by Fnord666 (652) on Monday August 23 2021, @05:25PM (#1169922)

    Is this not the desired behavior? If you plug in another component like a GPU or somesuch do you not want the machine to identify the device, grab that driver, install, and enable it? That's the default behavior in Windows.

    Clarification: The driver download is done by Windows Update and the lookup is based on the hardware ID. If Razer pulls this download from Windows Update then the vulnerability will be instantly closed.

    That Razer makes crap software should be no huge shock. I cannot fathom why they'd ask you to install a constantly-running cloud agent package just to turn the blinky lights off on a keyboard.

    I think the real questions are
    1. what controls whether you get a File dialog and
    2. why does this File dialog allow you to open a PowerShell prompt?

    • (Score: 3, Informative) by EvilSS on Monday August 23 2021, @06:20PM

      by EvilSS (1456) on Monday August 23 2021, @06:20PM (#1169946)

      2. why does this File dialog allow you to open a PowerShell prompt?

      Windows file dialogs have been a security hole for a while now. So much so there are 3rd party products to lock them down. I do a lot of Citrix/VDI work and using a file dialog to break out to a command prompt, run an executable on the system, or even make your own script/batch file and run it all from a file dialog has been a problem (or useful tool, depending on your point of view that particular day) for a long time now.

      There is no reason that Windows should be running this in an interactive manner (ignoring going way beyond just installing a basic driver and installing full-blown software in the first place) with no "as admin" UAC prompt. I think the reason no one noticed this before is that Razer and Enterprise don't have a lot of overlap in their user base Venn diagrams, and I don't know of a lot of other products that do this like Razer does so it's not something you see every day.

  • (Score: 2) by maxwell demon on Monday August 23 2021, @05:42PM

    by maxwell demon (1608) on Monday August 23 2021, @05:42PM (#1169925)

    No, if you are a non-administrator, by default you shouldn't be able to install any software. Including drivers for random hardware that you plug into the computer.

    --
    The Tao of math: The numbers you can count are not the real numbers.
  • (Score: 0) by Anonymous Coward on Tuesday August 24 2021, @03:52PM

    by Anonymous Coward on Tuesday August 24 2021, @03:52PM (#1170361)

    EG posts almost always help to reinforce the perception that MS just has no clue about security.