A couple of days ago, security researcher Jon Hat (@j0nh4t on Twitter) revealed that it is possible to gain admin privileges to a PC using just a Razer mouse as long as you have local access to the machine. The researcher privately reported this to Razer, but decided to disclose it publicly after no response from the company. The exploit was widely circulated especially given that it's so easy to trigger and reproduce. Although it has a local attack surface and is, thus, not as dangerous as remote exploits, Razer is now working on patching the issue.
Essentially, you can plug in a Razer mouse or a dongle to your PC, which will trigger Windows Update to download and execute RazerInstaller.exe. This installer runs with SYSTEM privileges but also allows users to utilize the File Explorer to open Windows PowerShell with admin privileges. This means that an attacker with local access to your machine can utilize this technique to gain admin access to your PC and potentially install malicious software. The exploit can be seen in action below:
Need local admin and have physical access?— jonhat (@j0nh4t) August 21, 2021
- Plug a Razer mouse (or the dongle)
- Windows Update will download and execute RazerInstaller as SYSTEM
- Abuse elevated Explorer to open Powershell with Shift+Right click
Tried contacting @Razer, but no answers. So here's a freebie pic.twitter.com/xDkl87RCmz
Hat also stated that:
Additionally if you go through the installation process and define the save dir to user controllable path like Desktop. A service binary is saved there which can be hijacked for persistance (sic) and is executed before user logon on boot.
The good news is that Razer is apparently working on a fix. Hat reports that the company has reached out to him and informed him that it is working on a patch on an urgent basis. Even though the security researcher disclosed the bug publicly, a bounty has reportedly been offered. The value of the bounty and an ETA for a fix have not been revealed as of yet.