Razer mouse software bug easily grants Windows admin privileges

By JC Torres/Aug. 22, 2021 11:07 pm EST

Although Microsoft has been working tirelessly to remove that stigma, Windows still retains the image of an operating system that is almost too easy to compromise. Many such exploits occur on the remote end when people click on suspicious links or download software from unofficial sources. There comes a time, however, that an exploit happens almost too easily, like when you plug in a Razer mouse that, in turn, starts a process that will let almost anyone with physical access to the computer get system-level administrator control.

Windows users are pretty much used to the concept of "Plug and Play" (a.k.a. "Plug and Pray"), where new peripherals "just work" when plugged in. That usually involves a program that automatically runs in order to download and install device drivers and set up the PC to recognize the external device. This system is used by almost all reputable Windows accessories, which suggests that this particular zero-day vulnerability isn't exclusive to Razer alone.

What makes the matter a bit more serious is that Razer's Synapse software installer makes it almost too easy to exploit that process. Synapse is the application that allows users to configure their Razer hardware with advanced features, like remapping keys and buttons. The installer for Synapse automatically runs when you plug in a Razer mouse, and that's where things go south.

RazerInstaller.exe is naturally run with system-level privileges to make any changes to the Windows PC. It does, however, also allow the user to open a File Explorer instance with the same powers, and users can launch PowerShell that will let them do anything with the system, including installing malware. After failing to get a response from Razer, security researcher @jonhat decided to publicly disclose the vulnerability.

Need local admin and have physical access?
- Plug a Razer mouse (or the dongle)
- Windows Update will download and execute RazerInstaller as SYSTEM
- Abuse elevated Explorer to open Powershell with Shift+Right click

Tried contacting @Razer, but no answers. So here's a freebie pic.twitter.com/xDkl87RCmz

— ҉j҉o҉n҉h҉a҉t҉ (@j0nh4t) August 21, 2021

The slightly good news is that this exploit requires that the attacker has physical access to the target Windows computer and a Razer mouse. The latter is, of course, a dime a dozen, and it's trivial to buy one on the cheap. Breaking its silence, Razer acknowledged the bug and promised to roll out a fix as soon as they can, though it still raises the question of how many installers have similar security holes waiting to be exploited.