Razer bug lets you become a Windows 10 admin by plugging in a mouse:
A Razer Synapse zero-day vulnerability has been disclosed on Twitter, allowing you to gain Windows admin privileges on a local computer simply by plugging in a mouse.
[...] When plugging in a Razer device into Windows 10 or Windows 11, the operating system will automatically download and begin installing the Razer Synapse software on the computer. Razer Synapse is software that allows users to configure their hardware devices, set up macros, or map buttons.
Security researcher jonhat discovered a zero-day vulnerability in the plug-and-play Razer Synapse installation that allows users to gain SYSTEM privileges on a Windows device quickly.
[...] When we plugged the Razer device into Windows 10, the operating system automatically downloaded and installed the driver and the Razer Synapse software.
Since the RazerInstaller.exe executable was launched via a Windows process running with SYSTEM privileges, the Razer installation program also gained SYSTEM privileges
[...] When the Razer Synapse software is installed, the setup wizard allows you to specify the folder where you wish to install it. The ability to select your installation folder is where everything goes wrong.
When you change the location of your folder, a 'Choose a Folder' dialog will appear. If you press Shift and right-click on the dialog, you will be prompted to open 'Open PowerShell window here,' which will open a PowerShell prompt in the folder
]...] As this PowerShell prompt is being launched by a process with SYSTEM privileges, the PowerShell prompt will also inherit those same privileges.
(Score: 3, Informative) by EvilSS on Monday August 23 2021, @06:20PM
Windows file dialogs have been a security hole for a while now. So much so there are 3rd party products to lock them down. I do a lot of Citrix/VDI work and using a file dialog to break out to a command prompt, run a executable on the system, or even make your own script/batch file and run it all from a file dialog has been problem (or useful tool, depending on your point of view that particular day) for a long time now.
There is no reason that Windows should be running this in an interactive manner (ignoring going way beyond just installing a basic driver and installing full blown software in the first place) with no as admin UAC prompt. I think the reason no one noticed this before is that Razor and Enterprise don't have a lot of overlap in their user base Venn diagrams, and I don't know of a lot of other products that do this like Razer does so it's not something you see everyday.