Peripherals from Razer & Asus: Driver installation grants admin rights


The automatic installation of drivers via Windows Update allows attackers to gain admin rights with the help of peripherals from Razer and Asus. All you need to do is plug an appropriate input device or dongle into the affected computer.

Razer has not yet responded

User “jonhat” published a video on Twitter that demonstrates the hack. The publication took place after Razer showed no reaction to attempts at contact.

In the context of responsible disclosure, drawing attention to the problem directly in this way is common practice.

Spoofing is enough

While the driver is being installed, a command prompt with administrator rights can be opened from a normal user account via Explorer. The device driver needs corresponding rights for its installation, and Explorer receives them because the installation runs at system level. If the installation directory is placed on the desktop, the hack can be made persistent by executing the file during the boot process.
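The behaviour described above leaves a recognisable trace in process-creation telemetry: Explorer is normally the interactive user's shell, so an explorer.exe running under the SYSTEM account, or a command shell whose parent is Explorer while it holds a SYSTEM token, is out of place. The following Python script is an added example (not code from the article or from Razer) that runs such a check over a constructed sample log; the log format (pid|image|parent|account), the installer path `C:\Temp\driver_setup.exe` and all process IDs are invented for the example.

```python
"""Flag Explorer windows and shells that run as SYSTEM (added example)."""
import csv
import io

SYSTEM_ACCOUNT = r"NT AUTHORITY\SYSTEM"
# Interactive shells a user could open from an Explorer window.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Constructed process-creation log: pid|image|parent image|account.
# The installer path C:\Temp\driver_setup.exe is a hypothetical placeholder.
SAMPLE_LOG = r"""
412|C:\Windows\explorer.exe|C:\Windows\System32\userinit.exe|CORP\alice
988|C:\Windows\System32\cmd.exe|C:\Windows\explorer.exe|CORP\alice
1301|C:\Windows\explorer.exe|C:\Temp\driver_setup.exe|NT AUTHORITY\SYSTEM
1407|C:\Windows\System32\cmd.exe|C:\Windows\explorer.exe|NT AUTHORITY\SYSTEM
1520|C:\Windows\System32\svchost.exe|C:\Windows\System32\services.exe|NT AUTHORITY\SYSTEM
"""


def parse_events(log_text):
    """Turn the pipe-delimited sample log into a list of event dicts."""
    events = []
    for row in csv.reader(io.StringIO(log_text.strip()), delimiter="|"):
        if len(row) != 4:
            continue  # skip blank or malformed lines
        pid, image, parent, user = row
        events.append(
            {"pid": int(pid), "image": image, "parent_image": parent, "user": user}
        )
    return events


def basename(path):
    """Last path component, lower-cased, so comparisons ignore directory and case."""
    return path.rsplit("\\", 1)[-1].lower()


def find_system_explorer_shells(events):
    """Return (pid, reason) pairs for SYSTEM-level Explorer and shells it spawned."""
    findings = []
    for e in events:
        if e["user"].upper() != SYSTEM_ACCOUNT.upper():
            continue  # only SYSTEM-token processes are of interest here
        image = basename(e["image"])
        parent = basename(e["parent_image"])
        if image == "explorer.exe":
            # Explorer belongs to the logged-in user, never to SYSTEM.
            findings.append((e["pid"], "explorer.exe running as SYSTEM"))
        elif image in SHELLS and parent == "explorer.exe":
            # A shell opened from an Explorer window that inherited SYSTEM rights.
            findings.append((e["pid"], f"{image} spawned from Explorer as SYSTEM"))
    return findings


if __name__ == "__main__":
    for pid, reason in find_system_explorer_shells(parse_events(SAMPLE_LOG)):
        print(f"pid {pid}: {reason}")
```

The rule deliberately ignores the installer's name, since the article notes that several vendors' installers behave this way; the stable signal is the account under which Explorer and its child shell run, not which setup program opened the window.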

It is not even necessary to own the affected input device. According to security expert Cristian Mariolini, the vendor ID can simply be faked (“spoofing”) in order to trigger the installation process. This can be done with a cheap Arduino or Raspberry Pi, for example, which avoids buying expensive gaming hardware. In addition, the installation can be restarted by changing the USB port.

The hack is demonstrated with input devices from Razer that require the Synapse software, but according to a comment in the Twitter thread, it can also be used with ROG mice. However, there is no further confirmation of this for ROG products of the kind that can be found under the Twitter publication for Razer products.

Razer itself has not yet issued a full statement. Only the social media team spoke up on Twitter and asked “jonhat” to send the case number so that the problem could be passed on to the responsible employees. This is criticized as inadequate: Razer should deal with the problem without further external input, is the tenor in the comments.