There’s a Severe Privilege Escalation Vulnerability in Windows RPC Protocol That Microsoft Won’t Fix
Last updated September 23, 2021
A researcher has discovered a way to achieve elevation of privilege on Windows 10 through ‘Razer Synapse,’ the official hardware configuration tool for Razer devices such as mice or keyboards. The researcher says attempts to inform Razer of the problem have been made since April 2021, but Razer failed to provide any answer, so the public disclosure came through the tweet below.
The proof of concept clip shown below demonstrates how trivial it is to exploit the vulnerability and execute code as SYSTEM (local admin). The prerequisite is to have local access to the target machine.
Since this works on the latest available version of Razer Synapse, used by over 100 million people, this vulnerability has a widespread impact. If you are using a Razer product on Windows 10, be careful about who is allowed to access your system until a fix is released.
Speaking of which, after the matter went public, it did eventually win Razer’s attention, and the company promised to get a fix out as soon as possible. The firm has even thanked the researcher and offered him a bounty for his finding, even though he strayed from the path of proper disclosure.
The problem appears to be that the Razer Synapse tool can be installed anywhere on the system rather than in a fixed location, so an attacker could click the “Choose a Folder” option during the installation process and then open a PowerShell prompt from the folder selection window with Shift + right-click.
Because the installer is running with SYSTEM privileges, the PowerShell prompt opened through it lets the actor run any command with administrative rights. The possible implications are dire, as admin rights mean the ability to plant malware, alter system settings, delete or add users, access and modify files, disable the anti-virus or firewall, and more.
The issue of drivers running as SYSTEM, and attackers enjoying a multitude of ways to exploit that, has been well documented on multiple occasions, and it is always a case of prioritizing ease of use over security while missing an obvious path to exploitation. On this occasion, the logic flaw in the Razer Synapse tool may well exist in numerous other vendor tools that install drivers or launch software when a device is connected.
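From the detection side, here is an added example (not code from the article or from Razer) that scans process-creation events and flags an interactive shell started as SYSTEM under an installer-style parent rather than a normal service host, which is the process tree the folder-dialog trick above produces; the log lines, field names and installer names are constructed for this example, and the Sysmon-like key=value format is an assumption.

```python
import ntpath

# Constructed sample process-creation events, written for this example in a simplified
# "key=value|key=value" form modelled on Sysmon Event ID 1 fields. They are not real logs.
SAMPLE_EVENTS = """\
Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|User=NT AUTHORITY\\SYSTEM|ParentImage=C:\\Windows\\Temp\\VendorDeviceInstaller.exe
Image=C:\\Windows\\System32\\cmd.exe|User=CORP\\alice|ParentImage=C:\\Windows\\explorer.exe
Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|User=NT AUTHORITY\\SYSTEM|ParentImage=C:\\Windows\\System32\\svchost.exe
Image=C:\\Windows\\System32\\cmd.exe|User=NT AUTHORITY\\SYSTEM|ParentImage=C:\\Windows\\Temp\\AnotherSetup.exe
Image=C:\\Windows\\System32\\notepad.exe|User=NT AUTHORITY\\SYSTEM|ParentImage=C:\\Windows\\Temp\\VendorDeviceInstaller.exe
"""

# Interactive shells that a privileged file dialog can be abused to launch.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Parents that routinely and legitimately start SYSTEM shells (services, scheduled tasks);
# excluding them keeps the alert focused on installer-style parents.
EXPECTED_SYSTEM_PARENTS = {"services.exe", "svchost.exe", "wininit.exe", "taskeng.exe"}
SYSTEM_ACCOUNT = "NT AUTHORITY\\SYSTEM"


def parse_event(line):
    """Turn one 'k=v|k=v' line into a dict keyed by the Sysmon-like field names."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))


def is_suspicious(event):
    """True when a shell runs as SYSTEM under a parent that is not a normal service host."""
    image = ntpath.basename(event["Image"]).lower()
    parent = ntpath.basename(event["ParentImage"]).lower()
    return (image in SHELLS
            and event["User"].upper() == SYSTEM_ACCOUNT
            and parent not in EXPECTED_SYSTEM_PARENTS)


def find_system_shells(log_text):
    """Return (parent, shell) pairs for every suspicious event in the log text."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        if is_suspicious(event):
            hits.append((ntpath.basename(event["ParentImage"]),
                         ntpath.basename(event["Image"])))
    return hits


if __name__ == "__main__":
    for parent, shell in find_system_shells(SAMPLE_EVENTS):
        print(f"ALERT: {shell} started as SYSTEM by {parent}")
```

The same rule generalizes beyond Razer Synapse to any vendor setup program that runs as SYSTEM and exposes a file dialog, which is why the parent check is by role (service host or not) rather than by a specific installer name.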