PSA: Razer Synapse zero-day grants admin rights to anyone plugging in a Razer mouse

The flaw could allow someone to take over your PC.

According to online reports, security researcher jonhat said on his Twitter feed that he had discovered a zero-day vulnerability that occurs during the installation of the Razer Synapse configuration software and allows potential hackers to gain admin privileges on a Windows-based device.

In his tweet, which included a video, jonhat said:

  • Need local admin and have physical access?
  • Plug a Razer mouse (or the dongle)
  • Windows Update will download and execute Razer Installer as SYSTEM
  • Abuse elevated Explorer to open Powershell with Shift+Right click
  • Tried contacting @Razer, but no answers. So here's a freebie

When a Razer mouse is connected to a Windows laptop, Windows fetches a Razer installer containing the driver software and the Razer Synapse utility. The installer then opens an Explorer window asking for the installation destination.

The problem is that this is done with Admin privileges. If a user opts to change the default installation location, a 'Choose a folder' dialog is shown, and the user can press the Shift key and right-click in that window to open a PowerShell terminal with those same Admin privileges.


With these privileges, anyone can get full control over the system, meaning that they can view, change or delete data, they can create new accounts with full user rights, and can install anything malicious they want.
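From the defender's side, the behaviour described above leaves a recognisable trace: a command shell running as SYSTEM inside a user's logon session rather than in session 0. The following is an added example, not part of the original article, that checks process-creation records for that pattern. It assumes Sysmon Event ID 1 field names exported as JSON lines; the records, paths and installer name are constructed placeholders.

```python
import json
import ntpath

# Constructed Sysmon Event ID 1 (process creation) records. The paths, user
# names and installer name are placeholders, not values from the article.
SAMPLE_LOG = r"""
{"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\Temp\\vendor-installer.exe", "User": "NT AUTHORITY\\SYSTEM", "TerminalSessionId": 1}
{"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "User": "DESKTOP-EXAMPLE\\alice", "TerminalSessionId": 1}
{"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Program Files\\ExampleAgent\\agent.exe", "User": "NT AUTHORITY\\SYSTEM", "TerminalSessionId": 0}
{"Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\explorer.exe", "User": "DESKTOP-EXAMPLE\\alice", "TerminalSessionId": 1}
"""

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
SYSTEM_USER = "NT AUTHORITY\\SYSTEM"


def is_interactive_system_shell(event):
    """True for a command shell running as SYSTEM outside session 0."""
    image = ntpath.basename(event.get("Image", "")).lower()
    user = event.get("User", "").upper()
    # Services run in session 0. A SYSTEM shell in a logon session (1 or
    # higher) is rare in normal use and worth triage. A record without a
    # session id is treated as session 0 and not flagged.
    session = str(event.get("TerminalSessionId", "0"))
    return image in SHELLS and user == SYSTEM_USER and session != "0"


def find_system_shells(log_text):
    """Return (shell, parent) pairs for every matching process creation."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or malformed records
        if isinstance(event, dict) and is_interactive_system_shell(event):
            hits.append((event["Image"], event.get("ParentImage", "unknown")))
    return hits


if __name__ == "__main__":
    for shell, parent in find_system_shells(SAMPLE_LOG):
        print(f"SYSTEM shell in user session: {shell} (parent: {parent})")
```

The parent image in each hit points at the elevated process that exposed the dialog, which is the component to report to the vendor or block until it is fixed.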

Overall, executing it wouldn’t be easy, as an attacker would need actual physical access to a laptop and time to plug in a peripheral, download the software and run things from there. However, it is the ease of the attack that makes it scary, at least until a patch is released.

When we reached out to Razer, they said that they were aware of the situation and are currently making changes to the installation application to limit this use case and will release an updated version shortly. They also encourage any further discoveries to be submitted through their bug bounty service, Inspectiv.

This article was first published in Hardware Zone.
