Need local admin and have physical access?
- Plug a Razer mouse (or the dongle)
- Windows Update will download and execute RazerInstaller as SYSTEM
- Abuse elevated Explorer to open Powershell with Shift+Right click
Tried contacting @Razer, but no answers. So here's a freebie pic.twitter.com/xDkl87RCmz
— ҉j҉o҉n҉h҉a҉t҉ (@j0nh4t) August 21, 2021
A Razer mouse security flaw can give admin access to non-admin PC users
Anyone with a Razer mouse can theoretically install malware or access
A huge security flaw has been discovered in some Razer mice that allows users to gain admin-level access to a PC.
Twitter user jonhat discovered that the installation software that launches when a Razer mouse is being installed accidentally gives the user access to Windows’ File Explorer at the SYSTEM account level, even if they’re only logged in with a standard, non-admin user account.
When any new USB device is plugged into a Windows PC, the driver installation for that device temporarily runs with SYSTEM-level access (the highest privilege level in the Windows user hierarchy) so the drivers can be installed in the Windows folder. This is usually a background process that doesn’t involve the user.
However, plugging in a Razer mouse for the first time opens up an installer for Razer’s Synapse software, which gives users the option to choose where the software is installed.
If a user chooses to change the default install location, the software will bring up a File Explorer window to let them pick a new install folder. However, because this window is opened during the install process, the software still has SYSTEM-level rights, which means the user technically has administrator access.
Jonhat discovered that by Shift-right-clicking in this window, users can open a Windows PowerShell window, which gives them a command-line prompt with full admin rights.
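One way to spot the chain described above in process-creation logs, as an added example that is not part of the original article: it flags a command shell running as SYSTEM inside an interactive session and reports its parent chain. The field names follow Sysmon Event ID 1; the events, the file name VendorInstaller.exe, the user name and the GUID values are constructed.

```python
from ntpath import basename  # parses Windows paths on any OS

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
SYSTEM = "NT AUTHORITY\\SYSTEM"

# Constructed events using Sysmon Event ID 1 field names; all values are invented.
EVENTS = [
    {"ProcessGuid": "A1", "ParentProcessGuid": "S0", "User": SYSTEM,
     "TerminalSessionId": 1, "Image": r"C:\Windows\Temp\VendorInstaller.exe"},
    {"ProcessGuid": "A2", "ParentProcessGuid": "A1", "User": SYSTEM,
     "TerminalSessionId": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ProcessGuid": "B1", "ParentProcessGuid": "E0", "User": r"DESKTOP\alice",
     "TerminalSessionId": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ProcessGuid": "C1", "ParentProcessGuid": "S1", "User": SYSTEM,
     "TerminalSessionId": 0, "Image": r"C:\Windows\System32\cmd.exe"},
]

def ancestry(ev, by_guid):
    """Return image names from the oldest logged ancestor down to ev."""
    chain, seen = [], set()
    while ev and ev["ProcessGuid"] not in seen:  # 'seen' guards against loops
        seen.add(ev["ProcessGuid"])
        chain.append(basename(ev["Image"]))
        ev = by_guid.get(ev["ParentProcessGuid"])
    return chain[::-1]

def find_system_shells(events):
    """Flag shells running as SYSTEM in an interactive session (ID != 0).

    Session 0 hosts services, so a SYSTEM shell there is expected; one on a
    user's desktop session is what the installer dialog trick produces.
    """
    by_guid = {e["ProcessGuid"]: e for e in events}
    hits = []
    for e in events:
        if (basename(e["Image"]).lower() in SHELLS
                and e["User"].upper() == SYSTEM
                and int(e["TerminalSessionId"]) != 0):
            hits.append({"guid": e["ProcessGuid"], "chain": ancestry(e, by_guid)})
    return hits

if __name__ == "__main__":
    for hit in find_system_shells(EVENTS):
        print(hit["guid"], " -> ".join(hit["chain"]))
```

Remote-management tools that deliberately start SYSTEM processes on the desktop will also match, so review the reported parent chain before treating a hit as an incident.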
Users with admin access on a PC have full control over the PC’s software and settings. They can access all files on the PC, change security settings and install software and hardware.
Theoretically, in a worst-case scenario, someone with a Razer mouse could use this workaround to install malware or spyware (such as keylogging software) on a PC that isn’t properly protected (such as a friend or partner’s computer, or a work PC).
A few days after jonhat’s discovery, he posted on Twitter that Razer had contacted him and told him its security team was “working on a fix ASAP”.
However, other users have since discovered similar problems in other USB hardware with installation software, such as gaming hardware company SteelSeries’ GG software, so it would appear that this is a security flaw that may need to be addressed by Microsoft itself.