While Microsoft works tirelessly to remove this stigma, Windows still retains an operating system image that is often too easily compromised. Many of these exploits take place on the remote side when people click on suspicious links or download software from unofficial sources.
However, there comes a point where it becomes almost too easy to hack into a system, such as when you plug in a Razer mouse, which in turn starts a process that allows virtually anyone with physical access to a computer to gain system-level administrator rights.
Windows users are accustomed to the concept of “Plug and Play”, where new peripherals “just work” when plugged in. This is usually done by using a program that automatically launches to download and install device drivers and configure the PC to recognize an external device. This system is used by almost every known Windows accessory, suggesting that this particular zero-day vulnerability is not exclusive to Razer.
Need local admin and have physical access?
– Plug a Razer mouse (or the dongle)
– Windows Update will download and execute RazerInstaller as SYSTEM
– Abuse elevated Explorer to open Powershell with Shift+Right click
— jonhat (@j0nh4t) August 21, 2021
What makes the matter more serious is that Razer’s Synapse software installer makes the process too easy. Synapse is an application that allows users to customize their Razer hardware with advanced features such as key and button remapping. The Synapse installer automatically launches when you plug in your Razer mouse, and that’s where the error crept in.
RazerInstaller.exe naturally runs with system-level privileges to make any changes to a Windows PC. However, it also allows the user to open an instance of File Explorer with the same permissions and launch PowerShell, which will allow them to do whatever they want with the system, including installing malware. Having received no response from Razer, security researcher @ j0nh4t decided to publicly disclose the vulnerability.
The good news is that this exploit requires an attacker to physically access the target Windows computer and Razer mouse. The latter, of course, is sold at every turn, and it is not difficult to buy it. Breaking the silence, Razer acknowledged the bug and promised to release a fix as soon as it can, although this still raises the question of how many installers have similar security holes.