A recently discovered vulnerability in Razer’s Synapse allows any user to become administrator of a Windows 10 PC by simply connecting a mouse or keyboard.
When you connect your Razer device to a computer running Windows 10 or Windows 11, the operating system automatically downloads and installs the Razer Synapse software, which configures and controls your Razer hardware. According to Razer, this software is used by more than 100 million people around the world.
The vulnerability in Razer Synapse was discovered by a computer security expert, who posted the issue on the social network Twitter, after notifying Razer without receiving any response from the company. This issue allows the user to easily obtain administration privileges on a Windows machine.
Administration privileges are the highest you can get on a Windows PC and allow any command within the operating system to be executed. This means that whoever is in charge of the computer has complete control over it and can install anything they want, including malware.
Although considered a serious security issue, as it is very easy to exploit, it is still local. This means that in order to work, it is necessary to have physical access to the computer.
Do you need a local admin and have physical access?
Connect a Razer mouse (or dongle)
– Windows Update will download and run RazerInstaller as system
– Abuse Elevated Explorer to open Powershell with Shift + Right Click
– Jonhat (@j0nh4t) August 21, 2021
When you connect your Razer device to a Windows 10 PC, the operating system downloads and installs the software. The installation executable is run by the operating system with “SYSTEM” privileges, such as system administrator.
During the installation process, the program gives you the option to choose the folder in which it will be saved to the disk. This is where things start to get bad. When you choose to change the installation location, the usual dialog for choosing a folder appears, if you hold Shift and right-click on the dialog a menu appears that gives you the option to open a window. If you choose, a PowerShell window opens in the folder.
The problem is that this PowerShell window was also created with “SYSTEM” privileges inherited from the Razer Synapse installer. This allows you to run any command within a PowerShell window.
According to Will Dorman, a security analyst at CERT / CCHowever, it is possible that other software of this type, provided by other brands of hardware, may encounter similar problems.
After announcing this vulnerability on Twitter, Razer contacted the security professionals who discovered it to let them know that they are working on a fix.
“Friendly zombie fanatic. Analyst. Coffee buff. Professional music specialist. Communicator.”