
Gain Admin Privileges To a Windows Machine By Plugging In a Razer Mouse (bleepingcomputer.com) 85

An anonymous reader writes: A Razer Synapse zero-day vulnerability has been disclosed that allows you to gain Windows admin privileges simply by plugging in a Razer mouse or keyboard.

  • obviously (Score:5, Insightful)

    by grave367 ( 6314720 ) on Monday August 23, 2021 @01:47PM (#61721687) Homepage
    This is why we say "Physical access is root access"
  • by Anonymous Coward

    From a company that expects people to create an account just to use a mouse. The basic operating principle is the user is the product. They should fully expect to be disrespected and disregarded. After all products have no rights.

    • You are still the primary customer. They just wanna get a few extra pennies or dollars from you selling your name to advertisers for mice, accessories, computers, video games, and suckers of overpriced hype.

    • by laxguy ( 1179231 )

      Used to be a die-hard Razer fan, stopped using their products a few years ago because of the stupid Synapse software and account requirement. Most of their newer products feel cheap and chintzy anyway.

      • They are in fact pretty low quality and rarely make it a year with light use. I like that I have 12 buttons on the side of the mouse, but I don't want to pay all that money for low quality shit, with spyware to boot.

        Strictly speaking you don't *have* to use their spyware, but it's more functional if you do, so fuck them with a stick.

      • by ewhac ( 5844 )

        I'm in that club, too, for the same reason. I switched over to Corsair.

        According to an acquaintance of mine who used to work for Razer, they added the forced cloud account thing to placate potential investors who were vacuously demanding that they needed to improve "engagement" with their Web site.

      • by Kaenneth ( 82978 )

        you need an online account to use added features, or even for basic mouse stuff?

        I just bought a Razer bundle on sale, but haven't opened it yet.

        • The basic buttons and mouse functions work.

          The extra buttons, resolution settings, and various other config (e.g. button macros, illumination) need an account. Not only that, but even if you do have an account, the software spams you with pop ups, needs regular updates, etc.

          The release of the synapse basically ruined their products for me. I didn't have a super fancy mouse, so didn't use the advanced features, so synapse got promptly uninstalled and blocked. However, I won't be buying any more Razer p
  • by Sebby ( 238625 ) on Monday August 23, 2021 @01:53PM (#61721733)

    I'm all for making things concise, but this isn't HN - I like the fact that most (all?) stories have a useful summary that provides a general overview of that subject matter, and then decide if I want to click the link(s) to get more info.

    Still better than HN, but find this a little light.

    • by raymorris ( 2726007 ) on Monday August 23, 2021 @02:12PM (#61721859) Journal

      Plugging in one of these mice gives you admin access with a couple clicks. Here's how:

      When a mouse from this company is plugged in, Windows automatically runs an installer for the software. That installer runs as "System", which is kinda like "Administrator".

      Within that installer, the user is prompted to choose a directory where it should be installed. This is the regular "file open" dialog.

      The standard file open dialog is actually a copy of File Explorer. So now the user has a copy of File Explorer running at high privilege. They can do what they want from there. One option is to do shift-right-click to open a Powershell command line. They could do other things too, like probably navigate to c:\windows\system, right-click, and give their user account write access to system\. With that write access, they could overwrite parts of the OS with programs of their choosing.

      That's it.

      For a bonus chuckle, Windows *automatically downloads the software from the internet*, then runs it as System. So physical access really isn't needed. One could instead mess with the network connection or the source file and Windows will run it as System whenever someone plugs in a mouse from this company.

      • Sounds like an easy way to disable Cortana.

      • "The standard file open dialog is actually a copy of File Explorer. So now the user has a copy of File Explorer running at high privilege."

        Geez. So now people shouldn't use the standard file open dialog?

        • Well, not automatically as a privileged user without asking for a password or other identity confirmation and authorization, no.

          Since when is blind privilege escalation something that software should be doing?

          • > Well, not automatically as a privileged user without asking for a password or other identity confirmation and authorization, no.

            > Since when is blind privilege escalation something that software should be doing?


            Chrome does this. You don't need admin rights to install it. All you have to do is click through the prompts.

            To answer your question, since at least Chrome was created, though I'm certain others who are more knowledgeable will point out something from an earlier time.
            • > Chrome does this. You don't need admin rights to install it. All you have to do is click through the prompts.

              Chrome only installs for all users (i.e. in a system folder, and with Start menu shortcuts for all) if you're running the installer as admin (or Power User or whatever role allows you to install programs). If you run it as a normal user it will install to your own profile, and you cannot e.g. set it as default browser.

            • So, no it doesn't. You don't need admin rights to install it into your own user profile. You need admin rights to install it in Program Files (x86) where anyone could use it from.

              Second, even if it did, that doesn't mean that blind privilege escalation is ok. It hasn't been ok in 20 years.

          • That was windows update that did that not the installer itself. In fact you run the installer manually, and UAC popup is the very first thing.

      • by reanjr ( 588767 ) on Monday August 23, 2021 @04:02PM (#61722425) Homepage

        One minor quibble: System is more like Linux "root" than Administrator. Administrator is still essentially a regular user that may or may not have rights to things. System is more like "root" in that it bypasses permissions entirely in most cases.

        (at least that's how it worked in 2003, the last time I administered Windows)

        • I'm not sure there is a great mapping between the two systems.
          For at least the last 10 years (on default Red Hat for example), running as root hasn't meant automatic access to everything, ignoring all access controls. 'cause SELinux.

          On the other hand, Administrator can generally run things as System easily - such as by creating a scheduled task or service. Because Administrator can run things as System, they can do whatever system can do.

          Similarly, SELinux will sometimes say no to root, but an interactive ro

      • by Cederic ( 9623 )

        > One option is to do shift-right-click

        I hate you! Why didn't you tell me this 15 years ago! :(

      • Yes and no, one can do it via network via RDP usb forwarding to forward an emulated device with the right product and vendor ids.

        One can not mess with the actual installer so much as I'm sure windows update checks the signatures of that package.

        • > I'm sure windows update checks the signatures of that package

          On average, seventy new vulnerabilities are found in Windows each month. That's more than twice a day.

          Don't be so sure that Windows is secure if you haven't actually checked. :)

          • I'm not, I specifically pointed at one feature, which is when windows update downloads a package from the windows update catalogue.

            Don't be so sure I don't know what I'm talking about when I'm referring to a specific thing where I do know there is a check happening:
            https://superuser.com/question... [superuser.com]

            • You're suggesting that this vendor's utility is installed via Windows Update?

              • Yes, that is the part of the issue.

                A lot of windows drivers have configuration tools to be installed with the driver. Windows update is downloading and installing a driver automatically from Microsoft Update Catalogue. Windows Update runs these as SYSTEM (to specifically ignore UAC prompts).

                In this specific case, it is launching an interactive installer with a file location picker for install location. Said file location picker is standard Windows API provided picker of explorer.exe instance, all Razer cod

                • It would appear that's correct, it is being handled by Windows Update.

                  https://amp.reddit.com/r/pcgam... [reddit.com]

                  • Yeah, though the issue here is not really how good/bad synapse is itself (everything from printers to webcams can have control software with their drivers). The issue here is the interactive installer for it.

                    • Yeah the combination of the interactive installer plus the fact it runs as System *without requiring the user to be admin*.

                      If the interactive installer ran only when the user has permission, or ran as the interactive user, that would be okay.
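
A detection sketch for the behaviour this sub-thread describes (an added example, not code from any commenter or vendor): it flags a command shell created as SYSTEM inside a user's desktop session and reports the processes it descends from. Field names follow Sysmon process-creation events; the events, GUIDs and the installer path `ExampleVendorSetup.exe` are constructed.

```python
import ntpath

# Shells that the thread mentions being opened from the elevated dialog.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
SYSTEM_USER = "NT AUTHORITY\\SYSTEM"


def _ev(guid, parent, image, user, session):
    """Build one process-creation record (Sysmon Event ID 1 style fields)."""
    return {"ProcessGuid": guid, "ParentProcessGuid": parent,
            "Image": image, "User": user, "TerminalSessionId": session}


# Constructed sample events, oldest first (not captured from a real host).
EVENTS = [
    # Service host in session 0: normal home of SYSTEM services.
    _ev("G1", "G0", r"C:\Windows\System32\svchost.exe", SYSTEM_USER, 0),
    # Hypothetical vendor installer started as SYSTEM on the user's desktop.
    _ev("G2", "G1", r"C:\Windows\Temp\ExampleVendorSetup.exe", SYSTEM_USER, 1),
    # Shell opened from the installer's folder picker: inherits SYSTEM.
    _ev("G3", "G2", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        SYSTEM_USER, 1),
    # Ordinary user shell in the same session: must not alert.
    _ev("G4", "G9", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        r"CORP\alice", 1),
    # SYSTEM cmd.exe in session 0 (service-side scripting): must not alert.
    _ev("G5", "G1", r"C:\Windows\System32\cmd.exe", SYSTEM_USER, 0),
]


def is_system_shell_in_user_session(ev):
    """True for a shell running as SYSTEM outside session 0."""
    name = ntpath.basename(ev["Image"]).lower()
    return (name in SHELLS
            and ev["User"].upper() == SYSTEM_USER.upper()
            and ev["TerminalSessionId"] != 0)


def ancestry(ev, by_guid):
    """Images of the known ancestors, nearest parent first."""
    chain, seen = [], set()
    parent = by_guid.get(ev["ParentProcessGuid"])
    while parent and parent["ProcessGuid"] not in seen:
        seen.add(parent["ProcessGuid"])
        chain.append(parent["Image"])
        parent = by_guid.get(parent["ParentProcessGuid"])
    return chain


def detect(events):
    """Scan events in order and return one alert per suspicious shell."""
    by_guid, alerts = {}, []
    for ev in events:
        by_guid[ev["ProcessGuid"]] = ev
        if is_system_shell_in_user_session(ev):
            alerts.append({"guid": ev["ProcessGuid"],
                           "image": ev["Image"],
                           "session": ev["TerminalSessionId"],
                           "ancestors": ancestry(ev, by_guid)})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print("SYSTEM shell in user session:", alert)
```

The ancestor list is what lets an analyst tell an installer-spawned shell apart from an administrator's deliberate SYSTEM shell.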

  • by SuperKendall ( 25149 ) on Monday August 23, 2021 @01:54PM (#61721737)

    Occam's Razer - The simplest way to log in is to use a Razer.

  • This dialog allows right-click context menu. If you have powershell or command prompt here installed you can escape out to a command prompt. This can occur with any installer which has a folder selector.

    • by znrt ( 2424692 )

      maybe that's why most installers use a restricted form of folder selector, not a full blown explorer.

      i do agree the responsibility is a bit fuzzy here (are third party providers conveniently informed of these nuances?) but anyway ... i have used razer products and ... never again. it's expensive utter crap for clueless teens with too much money. e.g. it is true that they ask you to make an account in the cloud to store your mouse configuration. i nearly fell off my chair :-D welcome to the machine!!!! ofc i

    • except for most normal installers, if you have only a user account you must provide admin auth details to run it as admin. here because it's spawned from a different layer of windows you get the higher privileges without the need for an admin password, thus local privilege escalation.
      • Even Razer's installer does this... Go download it from Razer's website and run it. Boom, UAC prompt. Windows Update is running it as SYSTEM and so it say do I need to elevate, no, continue, if windows update ran the windows 10 media creation tool as SYSTEM, the same issue would apply with the save iso file location.

    • So does the ISO file save box in Windows 10 Media Creation Tool. The issue here is any interactive installer or tool run as SYSTEM by windows update. Not really Razer's fault.

  • by Mal-2 ( 675116 ) on Monday August 23, 2021 @02:09PM (#61721835) Homepage Journal

    In my experience, a Razer mouse only works properly for about six months before at least one of the buttons (usually the middle button) craps out. I suppose this gives the non-functional units a second chance as hacking tools. That still doesn't explain how they can cost more than Logitech while being demonstrably inferior most of the time.

  • Old problem (Score:5, Insightful)

    by 89cents ( 589228 ) on Monday August 23, 2021 @02:09PM (#61721839)
    This is a twist on the old issue where you can break out of kiosk system without a shell (such as Explorer.exe) by using a file open dialogue box to run cmd/powershell. In this case we have a shell but are breaking out of a program run with administrative privileges to run a shell as system. I'm not sure whether to fault Razer or Microsoft. Razer shouldn't let a user execute Powershell from their software, but Microsoft shouldn't allow a file/open or even a path select dialogue box to open programs.
    • by znrt ( 2424692 )

      funny how you got to the gist of it without even understanding what actually happens here:

      you are correct in that this is just a "break out of shell" problem.

      yet you are mistaken about everything else:
      - razer never "let a user execute powershell". they just opened a file dialog (the wrong one)
      - "powershell" isn't the problem either, process root access level is. your words: "breaking out of a program ran with administrative privileges"
      - microsoft simply has to "allow a file open" lest their os become unusa

      • Consider it like this: The alternative to a file picker would just be a text field where you have to write out or paste the file path. Ideally, the file picker dialog would act the same way, by doing one thing and one thing only - let you see and pick files.
        • by znrt ( 2424692 )

          this is obviously not the case. windows has modal dialogs for folder selection that don't have any fancy context menu commands to break out, and actually most installers use those instead of a full blown FileDialog.

          this is just razer's installer being naive, and microsoft not warning them about it and running it right away with admin privilege. result: on millions of machines you can now do with a mouse what you could already do for a decade with a regular usb stick ;-)

      • Re:Old problem (Score:4, Insightful)

        by tlhIngan ( 30335 ) <slashdot&worf,net> on Monday August 23, 2021 @03:23PM (#61722259)

        The bigger problem is why hasn't Microsoft disabled this?

        The problem is that the driver is being downloaded and executed, and knowing the driver has a bug, Microsoft should block the download (it comes from Windows Update) forcing users to have to download their fancy mouse software package themselves until it's fixed.

        Otherwise, this is a wicked way of getting admin until it's fixed...

        • by AmiMoJo ( 196126 )

          I'm not sure the guy actually reported it to Microsoft. He says he tried to contact Razer about it but nothing about Microsoft.

          That might have been the best way to resolve this when Razer were unresponsive. Microsoft would likely have kicked them off Windows Update and removed the certification on their driver, like they did when FTDI released code that bricked non-genuine parts.

          Microsoft has a bug bounty programme and are generally responsive to security issue reports.

      • > - razer never "let a user execute powershell". they just opened a file dialog (the wrong one)

        That is the problem. A background process, started by the Windows system itself, should not be able to interact with the user desktop. In fact I was under the impression this was already blocked - if a background process tries to interact with the desktop, Windows gives it its own (empty) desktop to display on. It then pops up a prompt on the current user's desktop to notify them and let them switch to this other desktop - and I was under the impression that only administrators get this prompt.

        That is the

    • Re:Old problem (Score:5, Insightful)

      by AmiMoJo ( 196126 ) on Monday August 23, 2021 @03:08PM (#61722191) Homepage Journal

      Razer should not need admin for their installer. Microsoft should not have certified it and put it on Windows Update.

      • this. it's razer's bad code but very much also microsoft's fault for signing it knowing it's an ota automatic download running as system. both companies at fault.
    • Razer isn't allowing it, they are just asking windows API to run the file location picker. That is Microsoft code running at that point. On top of that, why is windows update running interactive installers as SYSTEM at all?

  • by Dwedit ( 232252 ) on Monday August 23, 2021 @02:10PM (#61721843) Homepage

    Whenever you open a File Dialog in a program, it runs the full Windows Explorer Shell as part of that. You can right click on things, open them with other programs, manage files, etc. all from the Open File dialog.

    In this case, the Open File Dialog with full Explorer Shell was running as an administrator due to being invoked from an installer. There are ways to lower your permission level on Windows, but it's tedious to do so. In this case, it was simply the devs not realizing that File Dialogs as an administrator are very dangerous. Any installed shell extensions also get admin rights too.

    • "...devs not realizing that File Dialogs as an administrator are very dangerous..."

      Which would suggest a staggering ignorance or unconcern about pretty fundamental security issues, imo.

  • Recently saw a relative plug one of these in to a new (refurb) PC and the mouse's software executed and apparently installed all by itself, I figured some U3 trickery was afoot but assumed it had installed the program to userspace to bypass the need for the user to allow admin access, apparently not so...

  • ...plugging in this device [wikipedia.org].
    • Go ahead, try it. Sure, there will be a snap and maybe a small wisp of smoke, but that doesn't sound like much fun to me, and you can only do it once.
  • by sjames ( 1099 ) on Monday August 23, 2021 @03:00PM (#61722133) Homepage Journal

    Perhaps someone can help me with this, Why does Windows need to download a driver to handle a standard USB device? Where are the generic USB drivers for things like a serial port, mouse, or printer port?

    • The mouse works as a generic device but to customize the buttons or make the blinky lights work you need their bloated software. You also have to create an account with Razer or the software will not install.

      • by sjames ( 1099 )

        Even a plain old generic device seems to need a song and dance to install the drivers.

        I can see why special features might need a special driver.

    • by Rhipf ( 525263 )

      They are there and will be used if a custom driver isn't found. Windows will try to find the custom driver for you first though so that you can program buttons, etc. that the generic driver doesn't do.

    • For the same reason the Linux kernel needs the occasional different driver for a mouse. There are mice that have features not covered by the regular mouse driver like high speed sensors, RGB lighting, or work arounds for bugs.
      • by sjames ( 1099 )

        That's the thing though, even the most generic USB device requires the whole song and dance for Windows, in Linux I just plug it in and it appears in /dev.

    • by AmiMoJo ( 196126 )

      Windows doesn't need to download a driver for generic USB devices like mice, CDC (serial/parallel ports), basic webcams and the like.

      The problem is that Razer devices are not generic USB keyboard devices, they are heavily customized to support key remapping/macros, RGB lighting and higher update rates. Normally USB keyboards can only poll at a maximum of 1000Hz, and most only poll at 125Hz. Obviously for gamers 1000Hz is too slow so Razer made special drivers that support even higher rates.

      Some of their keybo

  • by Baconsmoke ( 6186954 ) on Monday August 23, 2021 @03:35PM (#61722313)
    Always has been. If you have physical access to a box, there's about 50 ways to break into it. This really isn't a huge risk unless you have a public computer somewhere.
  • It's not just Razer, you can do this with many other drivers and USB devices, such as USB sound cards etc, which are not even user control devices, because they install system level DSPs, and do present an elevated Explorer to launch powershell from. Sad that this still works, maybe this is more of a reason for people to use Windows Ameliorated Edition style system policies that require explicit admin password before elevation or installer launch.

  • I see no Razer as the source of issue here, but Microsoft's old problem - plug something in and run whatever executable is there. And another one - Windows trusts somebody and I have no possibility to affect that although the trust should be mine and controllable by me. Like - do I trust downloading executables from this or that repository, provider.
    • It's a combination of MS allowing this shit to happen and Razer writing shitty drivers.

      But in its essence, you identified the problem correctly: MS trusts something that it should not trust.

  • Just create a USB device that identifies with the correct VID/PID.

    Arduinos and their clones are heaps cheaper that can give you the same results.

    • Oh, mod up. Laptops can be defeated by slipping in a ribbon attached to a different touchpad too. It seems touchpads need elevated privs too - the same brand that had keylogger code accidentally included.
  • I have a Razer mouse. I'm not worried about getting hacked because I run Linux.

    But my Razer mouse can use Bluetooth. Does that mean a machine could be hacked from across the room using Bluetooth? Or would a user have to approve pairing first?

    At the very least, be careful what peripherals you pair with!

  • AH! So that explains why mac only supports basic mouse functions on these mice . . . security!

    Seriously, no one thought it kinda iffy that you WRITE changes to the mouse, but it still needs 3rd party software to support a basic color change?

    It's like someone wrote the original code in a .bat file and the marketing department kept saying "OOH! Add THIS!"
