November 30, 2023

Razer is a very popular computer peripherals manufacturer known for its gaming mouses and keyboards. A Razer Synapse zero-day vulnerability allowing user to gain Windows admin privileges simply by plugging in a Razer mouse or keyboard into Windows Machine the operating system will automatically download and begin installing the Razer Synapse software on the computer. Razer claims that that their Razer Synapse software is used by over 100 million users worldwide.

Researchers discovered a zero-day vulnerability in the plug-and-play Razer Synapse installation that allows users to gain SYSTEM privileges on a Windows device quickly.

Admin privileges by plug in a mouse

When plugged the Razer device into Windows 10, the operating system automatically downloaded and installed the driver and the Razer Synapse software.

Since the RazerInstaller.exe executable was launched via a Windows process running with SYSTEM privileges, the Razer installation program also gained SYSTEM privileges, as shown below.

RazerInstaller.exe running with SYSTEM privileges

When the Razer Synapse software is installed, the setup wizard allows you to specify the folder where you wish to install it. The ability to select your installation folder is where everything goes wrong.

When you change the location of your folder, a ‘Choose a Folder’ dialog will appear. If you press Shift and right-click on the dialog, you will be prompted to open ‘Open PowerShell window here,’ which will open a PowerShell prompt in the folder shown in the dialog.

Razer Synapse installation prompt

As this PowerShell prompt is being launched by a process with SYSTEM privileges, the PowerShell prompt will also inherit those same privileges.

Once opened the PowerShell prompt and typed the ‘whoami’ command, it showed that the console has SYSTEM privileges allowing us to issue any command we want.

PowerShell prompt with SYSTEM privileges
PowerShell prompt with SYSTEM privileges

After this zero-day vulnerability gained wide attention, Razer has contacted the security researcher to let them know that they will be issuing a fix. Razer also told the researcher that he would be receiving a bug bounty reward even though the vulnerability was publicly disclosed.

Leave a Reply

%d bloggers like this: