A hacker published details of a flaw in Razer’s wireless dongle installation process that could allow an attacker to gain access to a machine and execute commands with system-level privilege.
First spotted by MSPowerUser, a hacker who goes by the Twitter username ‘jonhat’ (@j0nh4t) shared details of the flaw online, noting that Razer had not responded to his attempts to contact the company. However, jonhat followed up in a thread under the initial tweet, saying that Razer did eventually reach out, that its security team is working on a fix, and that it offered a bug bounty despite his going public with the issue.
Update 08/26/2021: A Razer spokesperson confirmed to MobileSyrup that the company is working to update the installation program and plans to release a version with a fix shortly. You can read the full statement below:
“We were made aware of a situation in which our software, in a very specific use case, provides a user with broader access to their machine during the installation process.
We have investigated the issue, are currently making changes to the installation application to limit this use case, and will release an updated version shortly. The use of our software (including the installation application) does not provide unauthorized third-party access to the machine.
We are committed to ensuring the digital safety and security of all our systems and services, and should you come across any potential lapses, we encourage you to report them through our bug bounty service, Inspectiv: https://app.inspectiv.com/#/sign-up.”
Need local admin and have physical access?
– Plug a Razer mouse (or the dongle)
– Windows Update will download and execute RazerInstaller as SYSTEM
– Abuse elevated Explorer to open Powershell with Shift+Right click
— jonhat (@j0nh4t) August 21, 2021
The flaw exists within the installation process for Razer’s drivers. In short, when someone plugs in a Razer wireless dongle — typically used to connect accessories like mice and keyboards to a computer — Windows Update will download and run the RazerInstaller program, which installs the software drivers for the connected accessory.
I would like to update that I have been contacted by @Razer and assured that their security team is working on a fix ASAP.
Their manner of communication has been professional and I have even been offered a bounty even though I publicly disclosed this issue.
— jonhat (@j0nh4t) August 22, 2021
However, the program installs the drivers at the system level and offers users the ability to open File Explorer and select a location to install the drivers. Because that Explorer window is itself running as SYSTEM, users can shift-right-click inside it to open a PowerShell terminal with the same SYSTEM privileges. If an attacker were to do this, they’d effectively be able to do whatever they wanted on your computer. Additionally, if users choose to save the drivers in a user-controllable place, such as the Desktop, RazerInstaller saves a service binary there that an attacker could hijack for persistence.
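From a defender’s side, the chain described above (installer running as SYSTEM, spawning explorer.exe, which spawns a shell) is visible in ordinary process-creation telemetry. The following is an added example, not code from the article or from Razer, that walks constructed Sysmon-style process records and flags a SYSTEM explorer.exe and any interactive shell it launched; all paths, PIDs and user names are invented for the sample.

```python
# Added example (not from the article): process-tree check over constructed
# Sysmon-style process-creation records. Flags explorer.exe running as SYSTEM
# (normally it runs as the logged-in user) and shells spawned from it.
import ntpath

SYSTEM = r"NT AUTHORITY\SYSTEM"
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Constructed sample events: pid, parent pid, image path, user.
# Field names mirror Sysmon Event ID 1; the values are made up for this example.
EVENTS = [
    {"pid": 1200, "ppid": 700,  "image": r"C:\Windows\explorer.exe", "user": r"LAB\alice"},
    {"pid": 1300, "ppid": 1200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "user": r"LAB\alice"},
    {"pid": 2100, "ppid": 900,  "image": r"C:\Windows\Temp\RazerInstaller.exe", "user": SYSTEM},
    {"pid": 2200, "ppid": 2100, "image": r"C:\Windows\explorer.exe", "user": SYSTEM},
    {"pid": 2300, "ppid": 2200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "user": SYSTEM},
]

def basename(path):
    """Lower-cased file name of a Windows path (ntpath works on any OS)."""
    return ntpath.basename(path).lower()

def ancestry(events, pid):
    """Image basenames from pid up to the oldest ancestor we have a record for."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # 'seen' guards against pid reuse loops
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain

def find_findings(events):
    """Return (rule, pid, ancestry) for each suspicious SYSTEM-context process."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if e["user"] != SYSTEM:
            continue                      # the user's own explorer/shell is normal
        name = basename(e["image"])
        if name == "explorer.exe":
            findings.append(("explorer_as_system", e["pid"], ancestry(events, e["pid"])))
        parent = by_pid.get(e["ppid"])
        if name in SHELLS and parent and parent["user"] == SYSTEM \
                and basename(parent["image"]) == "explorer.exe":
            findings.append(("shell_from_system_explorer", e["pid"], ancestry(events, e["pid"])))
    return findings

if __name__ == "__main__":
    for rule, pid, chain in find_findings(EVENTS):
        print(f"{rule}: pid {pid}, chain {' <- '.join(chain)}")
```

The ancestry of each finding is returned so an analyst can see the installer at the root of the chain rather than just the shell at the leaf.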
While that all sounds scary, it’s worth keeping in mind that an attacker would need access to your PC to take advantage of the flaw. The entire issue hinges on plugging in a Razer dongle (or a USB device spoofed to trick Windows into thinking it’s a Razer dongle). In other words, you probably don’t need to worry too much about this vulnerability unless your computer is at risk of being accessed when you’re not around.
Although the flaw is with Razer’s software, it also shows that Windows still has potentially huge vulnerabilities, especially when it comes to installing third-party drivers and software. Windows Update arguably shouldn’t run installers with SYSTEM privileges, especially if those installers can hand the user an interactive window at that level. It’s worth noting that some have reported similar vulnerabilities with other driver install software, further indicating it’s a larger Windows issue Microsoft needs to address.
This latest flaw comes not long after the PrintNightmare vulnerability and ahead of Windows 11, which Microsoft has positioned as a more secure version of Windows thanks to implementations of things like an (arguably confusing) TPM requirement.
Update 08/26/2021: Added a statement from Razer about the issue.