Bug in Razer Software Enables Admin Privileges in Windows 10 (Update)
Admin rights in just a few steps
Gaining admin privileges in Windows 10 usually requires authentication. However, sometimes exploits bypass these measures and give users direct access to admin privileges. According to a story on Bleeping Computer, Razer has a bug in its software that lets you gain admin access to Windows 10 operating system in a few simple steps.
When using Windows 10 a typical user, will be limited in making changes to the system without all the needed privileges. To perform these tasks you need system privileges, which is the star of today's show. Thanks to security researcher jonhat, who found a hole in Razer's Synapse software, there is a way to gain system privileges.
When you plug any Razer device into Windows 10 or Windows 11 PC, the OS downloads Razer's Synapse software to accommodate the device and set up a range of available functions on Razer devices, like adjustable lighting, hot-keys, and plenty of others. According to Razer over 100 million PCs use Synapse software worldwide.
Update: August 23, 4:28 p.m. ET:
"We were made aware of a situation in which our software, in a very specific use case, provides a user with broader access to their machine during the installation process," a Razer spokesperson told Tom's Hardware in a prepared statement. "We have investigated the issue, are currently making changes to the installation application to limit this use case, and will release an updated version shortly. The use of our software (including the installation application) does not provide unauthorized third-party access to the machine."
The company also said that anyone who finds an issue with Razer's security should report them through Inspectiv, it's bug bounty service.
The original story continues below:
As Windows OS itself calls and executes the RazerInstaller.exe file, it already does it with system privileges. Once you start the installation process, choosing where to install the software you just choose the option to select a folder, and once you are in the file explorer just press Shift on your keyboard with right-click. There is an option in the dropdown menu to "Open PowerShell Window Here", which you select to open Windows PowerShell. If you type the "whoami" command that lists your user privilege, it outputs "nt authority\system", which means you are accessing the console as an admin, allowing you to execute any command you wish to do.
Need local admin and have physical access?- Plug a Razer mouse (or the dongle)- Windows Update will download and execute RazerInstaller as SYSTEM- Abuse elevated Explorer to open Powershell with Shift+Right clickTried contacting @Razer, but no answers. So here's a freebie pic.twitter.com/xDkl87RCmzAugust 21, 2021
In the Tweet above, you can see the process of how it is done. If any software that automatically installs like this and has the option for opening the Windows PowerShell in the file explorer exists, it could be that it is also vulnerable to the exploit. The researcher later Tweeted that Razer has contacted him and is working on a fix as soon as possible, so be sure to update your Razer Synapse software every time there is an update.
Stay On the Cutting Edge: Get the Tom's Hardware Newsletter
Get Tom's Hardware's best news and in-depth reviews, straight to your inbox.
-
Synapse is the worst!!! I have always detested their software and now I have another reason to do soReply
-
BillyBuerger This seems to be Razer's stupid push that their users have to install their bloated crap just to use even the minimum function of their hardware. Most hardware when attached installs a default driver that at least gives the minimal functions of the device. A keyboard or mouse should be able to just work like that. But they want their full software which includes logging into an account with them even to get anything working with the hardware. So it seems as though this basic driver that Windows installs pushes this whole thing on the user. And since running any driver install requires admin access, they are kicking off this big install from the local system account. So yeah, makes sense that you could easily take advantage of that. Nice work Razer.Reply
But at the same time, don't these drivers that get installed automatically by windows have to be approved for WHQL or something? Sounds like maybe a flaw in Microsofts system if a bad driver like this can be allowed. -
BillyBuerger Actually, while Razer definitely deserves blame for this, it reminds me of another similar "bug" that I noticed years ago related to the Windows default file open/save dialog. For instance, if you're using a remote system like Citrix where a single application is exposed to a user and that application has any option that would open the Windows open/save dialog, you can right click on a folder and pick "open in a new window" and you now have a Windows Explorer window even though that application wasn't specifically exposed by the Citrix application. Could probably do that to open other software on the remote system. Now this won't give admin access like with the Razer driver bug. But the point was to only expose a single application and doing this gives you access to other applications. Part of the issue is that the Windows open/save dialog itself uses Windows Explorer and lets you do pretty much anything you can do in explorer with it. Really, this should be locked down to only let you open/save files and not do things like open applications. If that were the case, the Razer bug would still be a problem but it could at least limit the effect of it by not letting the admin account actually execute anything. They could maybe create folders where they shouldn't and see file lists. But not open a command prompt. So bad on Microsoft here as well. I mean sure, it's convenient to be able to sometime do some things like this sometimes. But it also is a potential security issue. Or at the very least makes taking advantage of an unrelated security issue that much easier.Reply -
Giroro I still can't figure out why Razer needs a permanent 100MB of system memory just to change 2 registers in my mouse's firmwareReply -
bigdragon This problem isn't limited to Razer. A lot of gamer peripherals have add-on crap with zero security precautions. Asus ROG USB devices have the same problem as Razer. Microsoft really needs to clamp down on this behavior and stop allowing gaming-focused industries to break computer security. It's bad enough that we already have ineffective, security-breaking anti-cheat garbage forced on the market.Reply -
waltc3 It seems sort of obvious that this hack requires physical access to a machine, so that really diminishes the importance of the find, imo. It's not something that can be administered remotely, apparently. If you have physical access...well...there isn't much you cannot get to...;)Reply -
USAFRet
Yes, but simply plugging in a random mouse should not result in this escalation.waltc3 said:It seems sort of obvious that this hack requires physical access to a machine, so that really diminishes the importance of the find, imo. It's not something that can be administered remotely, apparently. If you have physical access...well...there isn't much you cannot get to...;)
Major fail on Razer, physical access or no. -
Findecanor The response was the usual doublespeak from Razer avoiding the actual issue ...Reply
The issue is not that an authorised user gets administrator privileges.
The issue is when a user that is authorised to use the machine gets administrator privileges he/she was not authorised to get. -
PiranhaTech I bought a Razer arcade stick. It's absolutely wonderful. The responsiveness is amazing, and the button action just feels nice, but...Reply
... its Windows 10 drivers are horrible. You are lucky to get 6 out of 8 buttons working. It only works on the Xbox One by default. Luckily the community out there will get you the 8 buttons.