Need to get root on a Windows box? Plug in a Razer gaming mouse
This weekend, security researcher jonhat disclosed a long-standing security bug in the Synapse software associated with Razer gaming mice. During software installation, the wizard produces a clickable link to the location where the software will be installed. Clicking that link opens a File Explorer window to the proposed location—but that File Explorer spawns with SYSTEM
process ID, not with the user’s.
Have mouse, will root
By itself, this vulnerability in Razer Synapse sounds like a minor issue—after all, in order to launch a software installer with SYSTEM
privileges, a user would normally need to have Administrator
privileges themselves. Unfortunately, Synapse is a part of the Windows Catalog—which means that an unprivileged user can just plug in a Razer mouse, and Windows Update will cheerfully download and run the exploitable installer automatically.
Jonhat isn’t the only—or even the first—researcher to discover and publicly disclose this bug. Lee Christensen publicly disclosed the same bug in July, and according to security researcher _MG_
, who demonstrated it using an OMG cable to mimic the PCI Device ID of a Razer mouse and exploit the same vulnerability, researchers have been reporting it fruitlessly for more than a year.
Vulnerability fixes coming soon to a Windows Catalog near you
Happily, Razer seems to have finally gotten the memo—jonhat reported that the company reached out to him shortly after his August 21 public disclosure to assure him that its security team is “working on a fix ASAP,” and the company even offered him a bounty despite the public disclosure.
Once Razer itself has patched the vulnerability, the next step will be pushing it to Microsoft for inclusion in Windows Catalog—where it will need to replace the current and vulnerable Razer HIDClass driver that Windows Update automatically downloads and runs whenever a Razer mouse is plugged into the system. (The vulnerable version in the Windows Catalog as of publishing time is 6.2.9200.16495, dated January 2017.)