Gain Admin Privileges To a Windows Machine By Plugging In a Razer Mouse (bleepingcomputer.com)
An anonymous reader writes: A Razer Synapse zero-day vulnerability has been disclosed that allows you to gain Windows admin privileges simply by plugging in a Razer mouse or keyboard.
Re: (Score:3)
Eh, I used to get system access by selecting accessibility options at locked login screen, opening 'Help', choosing to print the help topic to a file, and once in the file selector, opening Explorer.
It's been a long standing issue of developers, inside and outside of MS, misusing the common dialogs.
Re: Don't worry, Razor is working on a fix for thi (Score:3)
obviously (Score:5, Insightful)
Not surprising (Score:1)
From a company that expects people to create an account just to use a mouse. The basic operating principle is that the user is the product. They should fully expect to be disrespected and disregarded. After all, products have no rights.
Re: (Score:2)
You are still the primary customer. They just wanna get a few extra pennies or dollars from you selling your name to advertisers for mice, accessories, computers, video games, and suckers of overpriced hype.
Re: (Score:3)
Used to be a die-hard Razer fan, stopped using their products a few years ago because of the stupid Synapse software and account requirement. Most of their newer products feel cheap and chintzy anyway.
Re: (Score:2)
They are in fact pretty low quality and rarely make it a year with light use. I like that I have 12 buttons on the side of the mouse, but I don't want to pay all that money for low quality shit, with spyware to boot.
Strictly speaking you don't *have* to use their spyware, but it's more functional if you do, so fuck them with a stick.
Re: Not surprising (Score:3)
I can't remember past three buttons. I'm always in awe of people who can use those multibutton devices.
Re: (Score:3)
I'm in that club, too, for the same reason. I switched over to Corsair.
According to an acquaintance of mine who used to work for Razer, they added the forced cloud account thing to placate potential investors who were vacuously demanding that they needed to improve "engagement" with their Web site.
Re: (Score:2)
you need an online account to use added features, or even for basic mouse stuff?
I just bought a Razer bundle on sale, but haven't opened it yet.
Re: (Score:3)
The extra buttons, resolution settings, and various other config (e.g. button macros, illumination) need an account. Not only that, but even if you do have an account, the software spams you with pop ups, needs regular updates, etc.
The release of the synapse basically ruined their products for me. I didn't have a super fancy mouse, so didn't use the advanced features, so synapse got promptly uninstalled and blocked. However, I won't be buying any more Razer p
A little light on the summary (Score:3)
I'm all for making things concise, but this isn't HN - I like the fact that most (all?) stories have a useful summary that provides a general overview of that subject matter, and then decide if I want to click the link(s) to get more info.
Still better than HN, but find this a little light.
Here's a useful summary (Score:5, Interesting)
Plugging in one of these mice gives you admin access with a couple clicks. Here's how:
When a mouse from this company is plugged in, Windows automatically runs an installer for the software. That installer runs as "System", which is kinda like "Administrator".
Within that installer, the user is prompted to choose a directory where it should be installed. This is the regular "file open" dialog.
The standard file open dialog is actually a copy of File Explorer. So now the user has a copy of File Explorer running at high privilege. They can do what they want from there. One option is to do shift-right-click to open a PowerShell command line. They could do other things too, like probably navigate to c:\windows\system, right-click, and give their user account write access to system\. With that write access, they could overwrite parts of the OS with programs of their choosing.
That's it.
For a bonus chuckle, Windows *automatically downloads the software from the internet*, then runs it as System. So physical access really isn't needed. One could instead mess with the network connection or the source file and Windows will run it as System whenever someone plugs in a mouse from this company.
Re: (Score:2)
Sounds like an easy way to disable Cortana.
Re: (Score:2)
"The standard file open dialog is actually a copy of File Explorer. So now the user has a copy of File Explorer running at high privilege."
Geez. So now people shouldn't use the standard file open dialog?
Re: (Score:3)
Well, not automatically as a privileged user without asking for a password or other identity confirmation and authorization, no.
Since when is blind privilege escalation something that software should be doing?
Re: (Score:3)
Since when is blind privilege escalation something that software should be doing?
Chrome does this. You don't need admin rights to install it. All you have to do is click through the prompts.
To answer your question, since at least Chrome was created, though I'm certain others who are more knowledgable will point out something from an earlier time.
Re: (Score:1)
Chrome does this. You don't need admin rights to install it. All you have to do is click through the prompts.
Chrome only installs for all users (i.e. in a system folder, and with Start menu shortcuts for all) if you're running the installer as admin (or Power User or whatever role allows you to install programs). If you run it as a normal user it will install to your own profile, and you cannot e.g. set it as default browser.
Re: (Score:2)
So, no it doesn't. You don't need admin rights to install it into your own user profile. You need admin rights to install it in Program Files (x86) where anyone could use it from.
Second, even if it did, that doesn't mean that blind privilege escalation is ok. It hasn't been ok in 20 years.
Re: (Score:2)
That was windows update that did that not the installer itself. In fact you run the installer manually, and UAC popup is the very first thing.
Re: Here's a useful summary (Score:5, Informative)
One minor quibble: System is more like Linux "root" than Administrator. Administrator is still essentially a regular user that may or may not have rights to things. System is more like "root" in that it bypasses permissions entirely in most cases.
(at least that's how it worked in 2003, the last time I administered Windows)
Re: (Score:2)
I'm not sure there is a great mapping between the two systems.
For at least the last 10 years (on default Red Hat for example), running as root hasn't meant automatic access to everything, ignoring all access controls. 'Cause SELinux.
On the other hand, Administrator can generally run things as System easily - such as by creating a scheduled task or service. Because Administrator can run things as System, they can do whatever System can do.
Similarly, SELinux will sometimes say no to root, but an interactive ro
Re: Here's a useful summary (Score:4, Informative)
The mapping is:
System is root
Administrator is a regular user who has sudo privileges and as such can become root.
If SELinux blocks you then you can (as root) do "setenforce 0", then it won't block you anymore. There is nothing you can't do as root.
Re: (Score:2)
One option is to do shift-right-click
I hate you! Why didn't you tell me this 15 years ago! :(
Re: (Score:2)
Okay you got me - what's the story?
Re: (Score:1)
The story is me not knowing about shift-right-click for probably decades.
Awesome I (Score:3)
It's pretty awesome that you are one of today's 10,000.
https://xkcd.com/1053/ [xkcd.com]
Re: (Score:2)
Yes and no, one can do it via network via RDP USB forwarding to forward an emulated device with the right product and vendor IDs.
One can not mess with the actual installer so much as I'm sure windows update checks the signatures of that package.
Re: (Score:2)
> I'm sure windows update checks the signatures of that package
On average, seventy new vulnerabilities are found in Windows each month. That's more than twice a day.
Don't be so sure that Windows is secure if you haven't actually checked. :)
Re: (Score:2)
I'm not, I specifically pointed at one feature, which is when windows update downloads a package from the windows update catalogue.
Don't be so sure I don't know what I'm talking about when I'm referring to a specific thing where I do know there is a check happening:
https://superuser.com/question... [superuser.com]
Re: (Score:2)
You're suggesting that this vendor's utility is installed via Windows Update?
Re: (Score:2)
Yes, that is the part of the issue.
A lot of windows drivers have configuration tools to be installed with the driver. Windows update is downloading and installing a driver automatically from Microsoft Update Catalogue. Windows Update runs these as SYSTEM (to specifically ignore UAC prompts).
In this specific case, it is launching an interactive installer with a file location picker for install location. Said file location picker is the standard Windows API provided picker of an explorer.exe instance, all Razer cod
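The chain described in the "Here's a useful summary" post above and restated here (Windows Update launches the vendor installer as SYSTEM in the logged-on user's session, the installer shows an Explorer-backed folder picker, and the user breaks out to a shell from it) leaves a simple observable: a GUI window, or a shell such as powershell.exe, owned by NT AUTHORITY\SYSTEM inside a non-zero (interactive) session. The following PowerShell script is an added detection example written for this page; it is not code from the thread, from Razer, or from Microsoft. It assumes an elevated Windows PowerShell 4+ or PowerShell 7 session (Get-Process -IncludeUserName needs administrator rights), and the list of shell names is my choice.

```powershell
# Added example (not from the thread or any vendor): report processes that run
# as SYSTEM inside an interactive user session, which is the condition the
# Razer/Windows Update installer chain creates. Run from an elevated prompt.

# Shell binaries an attacker would typically spawn from an elevated file dialog
# (assumed list; extend to taste).
$shellNames = @('powershell', 'pwsh', 'cmd', 'explorer')

# Build a PID -> Win32_Process map so each finding can show its parent
# (for the case on this page, the parent of the shell is the vendor installer).
$byPid = @{}
Get-CimInstance -ClassName Win32_Process | ForEach-Object { $byPid[[int]$_.ProcessId] = $_ }

function Get-ParentInfo([int]$ProcessId) {
    $self = $byPid[$ProcessId]
    if (-not $self) { return @{ Pid = $null; Name = '<unknown>'; Cmd = '<unknown>' } }
    $parent = $byPid[[int]$self.ParentProcessId]
    @{
        Pid  = $self.ParentProcessId
        Name = if ($parent) { $parent.Name } else { '<exited>' }
        Cmd  = if ($parent) { $parent.CommandLine } else { '<exited>' }
    }
}

$findings = Get-Process -IncludeUserName |
    Where-Object {
        $_.SessionId -ne 0 -and                          # session 0 is where services belong
        $_.UserName -eq 'NT AUTHORITY\SYSTEM' -and       # token is SYSTEM
        ($_.MainWindowHandle -ne 0 -or                   # it is showing a window to the user ...
         $shellNames -contains $_.ProcessName)           # ... or it is a shell
    } |
    ForEach-Object {
        $p = Get-ParentInfo -ProcessId $_.Id
        [pscustomobject]@{
            Pid        = $_.Id
            Name       = $_.ProcessName
            Session    = $_.SessionId
            HasWindow  = ($_.MainWindowHandle -ne 0)
            ParentPid  = $p.Pid
            ParentName = $p.Name
            ParentCmd  = $p.Cmd
        }
    }

if ($findings) {
    $findings | Format-Table -AutoSize -Wrap
    Write-Warning "SYSTEM-owned window or shell found in an interactive session; review the parent process."
} else {
    Write-Host "No SYSTEM-owned windows or shells in interactive sessions."
}
```

Two caveats when reading the output. First, the folder picker itself is hosted inside the installer process (the common dialog loads the Explorer shell in-process), so the installer shows up under the "has a window as SYSTEM" rule while the PowerShell spawned from it shows up under the shell rule with the installer as parent. Second, some management and EDR agents legitimately run short-lived SYSTEM shells in user sessions, so treat a hit as something to triage by parent command line rather than as proof of compromise.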
Re: (Score:2)
It would appear that's correct, it is being handled by Windows Update.
https://amp.reddit.com/r/pcgam... [reddit.com]
Re: (Score:2)
Yeah, though the issue here is not really how good/bad synapse is itself (everything from printers to webcams can have control software with their drivers). The issue here is the interactive installer for it.
Re: (Score:2)
Yeah the combination of the interactive installer plus the fact it runs as System *without requiring the user to be admin*.
If the interactive installer ran only when the user has permission, or ran as the interactive user, that would be okay.
Occam's Razer (Score:5, Funny)
Occam's Razer - The simplest way to log in is to use a Razer.
The issue seems to be the Select Folder dialog (Score:2)
This dialog allows right-click context menu. If you have powershell or command prompt here installed you can escape out to a command prompt. This can occur with any installer which has a folder selector.
Re: (Score:2)
maybe that's why most installers use a restricted form of folder selector, not a full blown explorer.
i do agree the responsibility is a bit fuzzy here (are third party providers conveniently informed of these nuances?) but anyway ... i have used razer products and ... never again. it's expensive utter crap for clueless teens with too much money. e.g. it is true that they ask you to make an account in the cloud to store your mouse configuration. i nearly fell off my chair :-D welcome to the machine!!!! ofc i
Re: The issue seems to be the Select Folder dialog (Score:2)
Re: (Score:2)
Obviously you aren't familiar with the PrintNightmare problem then.
Re: (Score:2)
Even Razer's installer does this... Go download it from Razer's website and run it. Boom, UAC prompt. Windows Update is running it as SYSTEM, so it asks "do I need to elevate?" No, continue. If Windows Update ran the Windows 10 Media Creation Tool as SYSTEM, the same issue would apply with the save ISO file location.
Re: (Score:2)
So does the ISO file save box in Windows 10 Media Creation Tool. The issue here is any interactive installer or tool run as SYSTEM by windows update. Not really Razer's fault.
Second Life for Razer Mice? (Score:5, Interesting)
In my experience, a Razer mouse only works properly for about six months before at least one of the buttons (usually the middle button) craps out. I suppose this gives the non-functional units a second chance as hacking tools. That still doesn't explain how they can cost more than Logitech while being demonstrably inferior most of the time.
Re:Second Life for Razer Mice? (Score:5, Informative)
You can actually use a cheap USB microcontroller, or even something like an FTDI cable with the VID/PID changed to one Razer uses. That is enough to trigger the Razer software to install.
Re: (Score:2)
A semi-broken mouse that can be had for the cost of a dumpster dive is even cheaper. :)
Old problem (Score:5, Insightful)
Re: (Score:3)
funny how you got to the gist of it without even understanding what actually happens here:
you are correct in that this is just a "break out of shell" problem.
yet you are mistaken about everything else:
- razer never "let a user execute powershell". they just opened a file dialog (the wrong one)
- "powershell" isn't the problem either, process root access level is. your words: "breaking out of a program ran with administrative privileges"
- microsoft simply has to "allow a file open" lest their os become unusa
Re: (Score:2)
Re: (Score:3)
this is obviously not the case. windows has modal dialogs for folder selection that don't have any fancy context menu commands to break out, and actually most installers use those instead of a full blown FileDialog.
this is just razer's installer being naive, and microsoft not warning them about it and running it right away with admin privilege. result: on millions of machines you can now do with a mouse what you could already do for a decade with a regular usb stick ;-)
Re:Old problem (Score:4, Insightful)
The bigger problem is why hasn't Microsoft disabled this?
The problem is that the driver is being downloaded and executed, and knowing the driver has a bug, Microsoft should block the download (it comes from Windows Update) forcing users to have to download their fancy mouse software package themselves until it's fixed.
Otherwise, this is a wicked way of getting admin until it's fixed...
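Until a vendor or Microsoft pulls a bad package, a local administrator's lever is the policy that stops Windows Update from auto-fetching driver packages (and the vendor software components bundled with them) in the first place. The script below is an added example written for this page, not code from the thread or from Microsoft; it audits those policy values and, with -Enforce, sets them. The registry paths are the Group Policy backings as I know them for these settings ("Do not include drivers with Windows Updates", "Specify search order for device driver source locations", "Prevent device metadata retrieval from the Internet"); verify them against the ADMX files of your Windows build before pushing this fleet-wide. Run elevated.

```powershell
# Added example (not from the thread or from Microsoft): audit and optionally
# enforce the local policies that stop Windows Update from automatically
# downloading driver packages for newly plugged-in devices.
# Usage:  .\Audit-DriverAutoInstall.ps1            (report only)
#         .\Audit-DriverAutoInstall.ps1 -Enforce   (report, apply, report again)
[CmdletBinding()]
param([switch]$Enforce)

# Policy registry backings (assumed from the corresponding ADMX settings; verify per build).
$policies = @(
    @{  # Windows Update > "Do not include drivers with Windows Updates"
        Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
        Name = 'ExcludeWUDriversInQualityUpdate'; Want = 1 },
    @{  # Device Installation > "Specify search order for device driver source locations"
        #   0 = do not search Windows Update, 1 = always search, 2 = search only if not found locally
        Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DriverSearching'
        Name = 'SearchOrderConfig'; Want = 0 },
    @{  # Device Installation > "Prevent device metadata retrieval from the Internet"
        Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Device Metadata'
        Name = 'PreventDeviceMetadataFromNetwork'; Want = 1 }
)

function Get-PolicyState {
    foreach ($p in $policies) {
        $actual = $null
        if (Test-Path -Path $p.Path) {
            # -ErrorAction SilentlyContinue: a missing value means "not configured", not an error
            $item = Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue
            if ($item) { $actual = $item.($p.Name) }
        }
        [pscustomobject]@{
            Policy    = "$($p.Path)\$($p.Name)"
            Expected  = $p.Want
            Actual    = if ($null -eq $actual) { '<not configured>' } else { $actual }
            Compliant = ($actual -eq $p.Want)
        }
    }
}

Write-Host "Current state:"
Get-PolicyState | Format-Table -AutoSize -Wrap

if ($Enforce) {
    foreach ($p in $policies) {
        if (-not (Test-Path -Path $p.Path)) { New-Item -Path $p.Path -Force | Out-Null }
        Set-ItemProperty -Path $p.Path -Name $p.Name -Value $p.Want -Type DWord
    }
    Write-Host "Policies applied. They govern future device installs; already-installed vendor software is untouched."
    Get-PolicyState | Format-Table -AutoSize -Wrap
}
```

This is a blunt instrument: it also stops legitimate driver updates arriving through Windows Update, so pair it with a deliberate driver update process, and remember it does nothing about packages already on disk or about an interactive installer started by some other path.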
Re: (Score:2)
I'm not sure the guy actually reported it to Microsoft. He says he tried to contact Razer about it but nothing about Microsoft.
That might have been the best way to resolve this when Razer were unresponsive. Microsoft would likely have kicked them off Windows Update and removed the certification on their driver, like they did when FTDI released code that bricked non-genuine parts.
Microsoft has a bug bounty programme and are generally responsive to security issue reports.
Re: (Score:2)
- razer never "let a user execute powershell". they just opened a file dialog (the wrong one)
That is the problem. A background process, started by the Windows system itself, should not be able to interact with the user desktop. In fact I was under the impression this was already blocked - if a background process tries to interact with the desktop, Windows gives it its own (empty) desktop to display on. It then pops up a prompt on the current user's desktop to notify them and let them switch to this other desktop - and I was under the impression that only administrators get this prompt.
That is the
Re:Old problem (Score:5, Insightful)
Razer should not need admin for their installer. Microsoft should not have certified it and put it on Windows Update.
Re: Old problem (Score:3)
Re: (Score:2)
Razer isn't allowing it, they are just asking windows API to run the file location picker. That is Microsoft code running at that point. On top of that, why is windows update running interactive installers as SYSTEM at all?
Full Explorer Shell inside of Common Dialog (Score:5, Informative)
Whenever you open a File Dialog in a program, it runs the full Windows Explorer Shell as part of that. You can right click on things, open them with other programs, manage files, etc. all from the Open File dialog.
In this case, the Open File Dialog with full Explorer Shell was running as an administrator due to being invoked from an installer. There are ways to lower your permission level on Windows, but it's tedious to do so. In this case, it was simply the devs not realizing that File Dialogs as an administrator are very dangerous. Any installed shell extensions also get admin rights too.
Re: (Score:2)
"...devs not realizing that File Dialogs as an administrator are very dangerous..."
Which would suggest a staggering ignorance or unconcern about pretty fundamental security issues, imo.
A timely article (Score:2)
Recently saw a relative plug one of these in to a new (refurb) PC and the mouse's software executed and apparently installed all by itself, I figured some U3 trickery was afoot but assumed it had installed the program to userspace to bypass the need for the user to allow admin access, apparently not so...
You can have more fun... (Score:2)
Re: (Score:2)
Re: (Score:2)
Question (Score:3)
Perhaps someone can help me with this, Why does Windows need to download a driver to handle a standard USB device? Where are the generic USB drivers for things like a serial port, mouse, or printer port?
Re: (Score:3)
The mouse works as a generic device but to customize the buttons or make the blinky lights work you need their bloated software. You also have to create an account with Razer or the software will not install.
Re: (Score:3)
Even a plain old generic device seems to need a song and dance to install the drivers.
I can see why special features might need a special driver.
Re: (Score:2)
They are there and will be used if a custom driver isn't found. Windows will try to find the custom driver for you first though so that you can program buttons, etc. that the generic driver doesn't do.
Re: (Score:2)
Re: (Score:2)
That's the thing though, even the most generic USB device requires the whole song and dance for Windows, in Linux I just plug it in and it appears in /dev.
Re: (Score:3)
Windows doesn't need to download a driver for generic USB devices like mice, CDC (serial/parallel ports), basic webcams and the like.
The problem is that Razer devices are not generic USB keyboard devices, they are heavily customized to support key remapping/macros, RGB lighting and higher update rates. Normally USB keyboards can only poll at a maximum of 1000Hz, and most only poll at 125Hz. Obviously for gamers 1000Hz is too slow so Razer made special drivers that support even higher rates.
Some of their keybo
Physical access is king (Score:4, Interesting)
Typical, old style user level escalation on Win10! (Score:2)
It's not just Razer, you can do this with many other drivers and USB devices, such as USB sound cards etc., which are not even user control devices, because they install system level DSPs, and do present an elevated Explorer to launch PowerShell from. Sad that this still works, maybe this is more of a reason for people to use Windows Ameliorated Edition style system policies that require an explicit admin password before elevation or installer launch.
Razer or Windows issue? (Score:2)
Re: (Score:2)
It's a combination of MS allowing this shit to happen and Razer writing shitty drivers.
But in its essence, you identified the problem correctly: MS trusts something that it should not trust.
Re: (Score:2)
The razer driver is of limited problem here. The issue is windows update.
No need to buy a shitty mouse, by the way (Score:2)
Just create a USB device that identifies with the correct VID/PID.
Arduinos and their clones are heaps cheaper and can give you the same results.
Re: (Score:2)
Physical access or bluetooth range? (Score:2)
I have a Razer mouse. I'm not worried about getting hacked because I run Linux.
But my Razer mouse can use Bluetooth. Does that mean a machine could be hacked from across the room using Bluetooth? Or would a user have to approve pairing first?
At the very least, be careful what peripherals you pair with!
Security (Score:2)
Seriously, no one thought it kinda iffy that you WRITE changes to the mouse, but it still needs 3rd party software to support a basic color change?
It's like someone wrote the original code in a