Threat actors could gain Windows admin privileges simply by plugging in a Razer mouse or keyboard, because of a zero-day vulnerability in Razer Synapse.
Razer is a well-known computer accessory company that designs, develops, and sells consumer electronics, financial services, and gaming hardware such as gaming mice and keyboards. Razer says its Razer Synapse software is used by more than 100 million people around the world.
By plugging in a Razer mouse or keyboard, attackers can gain SYSTEM privileges on Windows PCs via a local privilege escalation (LPE) zero-day exploit in Razer Synapse. When a Razer device is connected to a computer running Windows 10 or Windows 11, the operating system will immediately download and install the Razer Synapse driver and software, which allows the devices to be configured.
As BleepingComputer reports, the vulnerability was found by security researcher jonhat, who disclosed it on Twitter. Once an attacker holds SYSTEM privileges in Windows, they can take over the machine completely.
SYSTEM is the highest privilege level in Windows; a process running as SYSTEM can run any command on the machine. Gaining SYSTEM privileges therefore gives a user complete control over the system, including the ability to install anything they want, even malware.
After receiving no response from the company, the researcher decided to go public with his findings and released a video proof-of-concept of the attack. The Razer Synapse setup process lets the user choose where the software is installed, and that folder-selection step is where the attack takes place.
Need local admin and have physical access?
– Plug a Razer mouse (or the dongle)
– Windows Update will download and execute RazerInstaller as SYSTEM
– Abuse elevated Explorer to open Powershell with Shift+Right click
Tried contacting @Razer, but no answers. So here's a freebie pic.twitter.com/xDkl87RCmz
— jonhat (@j0nh4t) August 21, 2021
If the attacker holds Shift while right-clicking inside the ‘Choose a Folder’ dialogue, the context menu offers ‘Open PowerShell window here,’ which opens a PowerShell prompt in the folder shown in the dialogue.
Because that PowerShell prompt is launched by a process running with SYSTEM privileges, it inherits those privileges, and so does the attacker.
After the zero-day received widespread attention on Twitter, Razer contacted the researcher to say that it would release a patch. The company also agreed to pay the researcher a bug bounty.
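The chain described above leaves a distinctive trace in Windows process-creation telemetry: an interactive shell running as SYSTEM whose parent is an installer or Explorer window rather than a service host. The following PowerShell script is an added example written for this article, not code from BleepingComputer, jonhat or Razer. It assumes "Audit Process Creation" (Security event 4688) is enabled, and the allow-list of expected SYSTEM parents and the sample records are constructed for illustration and should be tuned to your environment.

```powershell
# Added example: flag interactive shells running as SYSTEM that were spawned by
# something other than the usual service-control parents. This is the pattern
# produced when a SYSTEM-level installer's folder dialog is used to open PowerShell.

# Security event 4688 (process creation) carries SubjectUserSid, NewProcessName
# and ParentProcessName once "Audit Process Creation" is enabled.
$SystemSid = 'S-1-5-18'   # well-known SID for NT AUTHORITY\SYSTEM

# Parents that legitimately start shells as SYSTEM (services, scheduled tasks,
# WMI). Assumption: this allow-list must be tuned per environment.
$ExpectedSystemParents = @(
    'services.exe', 'svchost.exe', 'wininit.exe', 'taskeng.exe', 'wmiprvse.exe'
)
$InteractiveShells = @('powershell.exe', 'pwsh.exe', 'cmd.exe')

function Test-SuspiciousSystemShell {
    # $Record: object with SubjectUserSid, NewProcessName, ParentProcessName
    param([Parameter(Mandatory)] $Record)
    if ($Record.SubjectUserSid -ne $SystemSid) { return $false }
    $child  = [IO.Path]::GetFileName($Record.NewProcessName).ToLowerInvariant()
    $parent = [IO.Path]::GetFileName($Record.ParentProcessName).ToLowerInvariant()
    if ($InteractiveShells -notcontains $child) { return $false }
    # A SYSTEM shell started by a service host is routine; one started by an
    # installer, explorer.exe or anything else unexpected is what we want to see.
    return ($ExpectedSystemParents -notcontains $parent)
}

function ConvertFrom-ProcessCreationEvent {
    # Pull the named EventData fields out of a live 4688 record.
    param([System.Diagnostics.Eventing.Reader.EventRecord] $Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        TimeCreated       = $Event.TimeCreated
        SubjectUserSid    = $data['SubjectUserSid']
        NewProcessName    = $data['NewProcessName']
        ParentProcessName = $data['ParentProcessName']
        CommandLine       = $data['CommandLine']
    }
}

function Find-SuspiciousSystemShell {
    # Live mode: scan recent Security log 4688 events (run from an elevated prompt).
    param([int] $MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } `
        -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object { ConvertFrom-ProcessCreationEvent $_ } |
        Where-Object { Test-SuspiciousSystemShell $_ }
}

# Constructed sample records (not real telemetry) to exercise the rule offline.
$psExe = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
$samples = @(
    # A scheduled task starting PowerShell as SYSTEM: expected, not flagged.
    [pscustomobject]@{ SubjectUserSid = 'S-1-5-18'; NewProcessName = $psExe
                       ParentProcessName = 'C:\Windows\System32\svchost.exe' }
    # The chain from the article: a vendor installer running as SYSTEM spawns a
    # shell. The directory is a placeholder, not Razer's real install path.
    [pscustomobject]@{ SubjectUserSid = 'S-1-5-18'; NewProcessName = $psExe
                       ParentProcessName = 'C:\PLACEHOLDER_INSTALL_DIR\RazerInstaller.exe' }
    # An ordinary user opening PowerShell from Explorer: not SYSTEM, not flagged.
    [pscustomobject]@{ SubjectUserSid = 'S-1-5-21-1111-2222-3333-1001'; NewProcessName = $psExe
                       ParentProcessName = 'C:\Windows\explorer.exe' }
)

# Only the installer-spawned SYSTEM shell should be reported.
$samples | Where-Object { Test-SuspiciousSystemShell $_ } |
    ForEach-Object { "ALERT: SYSTEM shell $($_.NewProcessName) spawned by $($_.ParentProcessName)" }
```

Run the script as-is to see the rule fire on the constructed sample; call `Find-SuspiciousSystemShell` from an elevated prompt to apply it to the live Security log. On the prevention side, the Group Policy "Specify search order for device driver source locations" (Computer Configuration > Administrative Templates > System > Device Installation) lets an administrator stop Windows from pulling vendor driver packages from Windows Update on plug-in, which removes the automatic SYSTEM-level installer launch this chain depends on.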
I would like to update that I have been reached out to by @Razer and assured that their security team is working on a fix ASAP.
Their manner of communication has been professional and I have even been offered a bounty even though I publicly disclosed this issue.
— jonhat (@j0nh4t) August 22, 2021