Razer Synapse Bug Gives Windows Admin Access to Anyone Who Can Plug in a Mouse

Razer Synapse Bug Gives Windows Admin Access to Anyone Who Can Plug in a Mouse

You might want to keep an eye on your USB ports for the next few days. A security researcher has disclosed a disturbingly easy way to gain admin privileges in Windows 10 without a password, and for once, it’s not Microsoft’s fault. This time, it’s all thanks to Razer and its Synapse software. A fix is in the works, but Razer missed the opportunity to head this one off before it was a problem.

The story starts with security researcher Jonhat (@j0nh4t on Twitter), who noticed that Razer’s Synapse software would deploy automatically whenever a Razer mouse or wireless receiver was plugged in. Like many feature-rich gaming peripherals, Razer requires the use of its desktop software to control lights, button mapping, and other features.

This part isn’t unusual — Windows Update automatically loads plenty of software for you based on attached hardware. It does this as System, but the current Razer Synapse installer retains System permissions, which turns out to be an issue.

According to Jonhat, it is possible to hijack the elevated Explorer process from the installation to open Powershell. From there, you can install anything you want because the System has the highest user rights available in Windows. In addition, as if that wasn’t bad enough, you can manually select a controllable installation path like Desktop. The installer creates a binary file that can be further leveraged to make any system changes persistent (the binary is executed even before login).

Need local admin and have physical access?– Plug a Razer mouse (or the dongle)– Windows Update will download and execute RazerInstaller as SYSTEM– Abuse elevated Explorer to open Powershell with Shift+Right click

Tried contacting @Razer, but no answers. So here's a freebie pic.twitter.com/xDkl87RCmz

— jonhat (@j0nh4t) August 21, 2021

With vulnerabilities of this severity, it’s expected that the discoverer will responsibly disclose by going through the company. However, Jonhat says Razer ignored his correspondence. So, he’s disclosed the zero-day bug publicly. Several others have since confirmed that a Razer mouse can help take over a Windows 10 PC in as little as a few minutes. Using this method, the attacker can install anything they want without logging in as an administrator.

So, that’s not a great situation, and the only saving grace is that someone needs physical access to your computer (and a Razer peripheral). Following the disclosure, Razer confirmed that it was working on a patch to be delivered soon. In the meantime, keep an eye out for lurkers with glowing mice.

Continue reading

Razer’s Tomahawk Ultra-Compact Desktop PC Goes on Sale This Month
Razer’s Tomahawk Ultra-Compact Desktop PC Goes on Sale This Month

The ultra-compact PC will be available for pre-order this very month with specs including a Core i7 CPU and up to an Nvidia RTX 3080 graphics card. Razer's new PC won't come cheap, though.

Razer Updates Raptor 27 Gaming Monitor: Higher Refresh Rate, Price
Razer Updates Raptor 27 Gaming Monitor: Higher Refresh Rate, Price

The company has just announced a new version of its premium gaming monitor with faster refresh and the option to ditch some of those LEDs with a custom stand. However, the Raptor 27 doesn't come cheap.

Qualcomm-Powered Razer Handheld Game Console Leaks
Qualcomm-Powered Razer Handheld Game Console Leaks

Razer is prepping the release of a Qualcomm-powered gaming handheld known as the Snapdragon G3X Handheld Developer Kit. As the name implies, this device will be aimed at developers, but it could lead to a new generation of Android-powered game machines.

LG Announces Monitor with Crazy 16:18 Aspect Ratio
LG Announces Monitor with Crazy 16:18 Aspect Ratio

LG's new panel eschews the ultrawide Zeitgeist for a monitor that's basically a really big square.