[German]Connecting a Razer mouse is enough to gain administrative privileges as a standard user. The background is that the driver installation is executed with SYSTEM rights and the user can then open an administrative prompt. He already has administrative access to the system. Razer did not respond to a request from the discoverer of the vulnerability.
Anyone who has direct access to a Windows 10 system can do all sorts of dirty things there. However, I was surprised how easy it is to gain administrative privileges as a standard user by plugging in a mouse.
Razer mouse driver installation as a vulnerability
I have just been alerted on Twitter by other users to the tweet in question by @jonhat. This one has come across a vulnerability that allows Local Privilege Escalation (LPE).
It was enough to connect a Razer mouse (or the dongle) to a USB port of a Windows 10 computer. Then the RazerInstaller is downloaded via Windows Update and run as SYSTEM. In the video embedded in the tweet above, you can see how the user is guided through the driver installation steps under a standard user account. So far so good. During the installation, the Razer driver can be selected from the download folder (see the following image – this video has a better quality).
In the driver selection dialog box however, a context menu for opening the PowerShell console can also be called up. Here it would already be conceivable to specify the desktop or another user-controlled folder for the drivers as the target folder. Then a hijacking by exchange of the driver files or possibly DLL hijacking would be possible.
But there is more. Since the driver installation runs with SYSTEM rights, the dialog box gets these rights as well. The SYSTEM rights are also passed on to the PowerShell console window. The default user now has administrative privileges. Will Dormann points out that this scenario is possible with all drivers that are requested for installation via USB device.
By the way, this installation is triggered every time the USB device is connected to a new USB port. And the whole thing has another aspect. With appropriate devices, the hardware ID of a Razer mouse can be emulated.
Hardware ID: usb\vid_1532&pid_0078&mi_02
Update ID: f3073b05-17af-4abf-98a1-d93b4c5af0cd
@jonhat tried to reach out to Razer on the issue, but was unsuccessful. Only because of the now emerging Twitter discussion someone from the Razer social media team contacted us and wants to take care of it.
Will Razer fix that?
When I published the German edition of this blog post yesterday, the case was still open. But the newest tweet from @j0nh4t says:
Well, that sounds positive, but wait, I've seen just the following tweets – the first one could be a joke, although the rather support joined in and asked for a direct message (DM) to assists:
The user has had serious trouble to reactivate his case again. But the 2nd tweet sheds also some other light on risk of USB devices under Windows:
They uses an O.MG hacker usb loading cable (that acts as a USB device) to gain admin rights from a Windows 10 guest account. Let's bring it to the point: That's just broken. So I like to left just a last tweet for further reading, without commenting it.