
Security flaw allows Windows admin privileges just by plugging in a Razer peripheral

Middcore

Well, the good news is that if you already have Synapse installed, it doesn't look like it works hahahaha.

 

(Okay so shitting on Razer is totally valid, but the honest truth is that there isn't a real competitor to the amazing utility and form factor of the Naga)


Razer, the best piece of horseshit company for peripherals and products. Why do customers still keep buying their junk? Are they lured by RGB lights?


3 hours ago, wanderingfool2 said:

It's not an issue with Microsoft.  Razer pays Microsoft to have their drivers signed and distributed that way, and they have to follow guidelines in terms of coding practices.  It's not Microsoft's fault that Razer was silly enough to not run it in user-mode instead of system mode.

Are we sure of that?? If I recall, Windows Update runs as SYSTEM when installing device drivers. Perhaps it's Microsoft that's elevating the installer to SYSTEM, and thus presenting the user with SYSTEM level access via the file-open dialog box. If true, then Microsoft has a real problem on their hands in how they deliver drivers that presents user interaction involving the file-open dialog box.


1 minute ago, StDragon said:

Are we sure of that?? If I recall, Windows Update runs as SYSTEM when installing device drivers. Perhaps it's Microsoft that's elevating the installer to SYSTEM, and thus presenting the user with SYSTEM level access via the file-open dialog box. If true, then Microsoft has a real problem on their hands in how they deliver drivers that presents user interaction involving the file-open dialog box.

It's an issue with both, in my view. Microsoft should block certain calls during on-demand automatic driver installs, and drivers with accompanying software should, when submitted, go through an automated process to check for violations and get rejected with resubmission required. So if anything slips through the system will block it, and in theory this would get prevented during the review process.


1 minute ago, leadeater said:

So if anything slips through the system will block it and in theory this would get prevented during the review process.

Fair enough. I'm not a dev, so I don't know how or if that process occurred. When a driver gets certified, I'd assume it was just Microsoft validating the vendor as the legitimate source, not also checking for program behavior requirements.

 

Anyways, it's not the first time I've seen this type of driver installation behavior delivered through Windows Update; I've seen it with USB printer and scanner devices too. I've always assumed it was some old bug that was patched long ago (as it's been years since I've encountered it.) Apparently it's still a nasty little "thing".


2 minutes ago, StDragon said:

Fair enough. I'm not a dev, so I don't know how or if that process occurred. When a driver gets certified, I'd assume it was just Microsoft validating the vendor as the legitimate source, not also checking for program behavior requirements.

Yep, I think no such actual review process is in place, there needs to be.


Almost all exploits I've recently seen require at least physical access to the machine, and most also require admin privileges, which kind of negates the entire issue.

 

In my mind, if you have this kind of access and have ill intentions, there are many other and better ways of doing whatever you want to. You could just manually replace permissions when this is the case or give yourself system privileges, something I need to do every time I reinstall Windows on my machine as the Windows Store apps folder is inaccessible until I do.


48 minutes ago, StDragon said:

Are we sure of that?? If I recall, Windows Update runs as SYSTEM when installing device drivers. Perhaps it's Microsoft that's elevating the installer to SYSTEM, and thus presenting the user with SYSTEM level access via the file-open dialog box. If true, then Microsoft has a real problem on their hands in how they deliver drivers that presents user interaction involving the file-open dialog box.

It depends...some drivers do need system level access, so the plug and play system would need to run it as SYSTEM.  There are supposed to be best practices that the developers are agreeing to (at least for drivers; I'd imagine for plug and play ones it's likely stricter).  The question also becomes whether the driver itself is installed, and then launches the software itself.

 

Either way, I would put the major fault on Razer for doing such a thing.  Whenever developing drivers it's important to take deep care in preventing this sort of thing....they shouldn't be interfacing with an user-interface like that.

 

It's not to say that Microsoft shouldn't change things up, but at the same time device drivers inherently will require more access to the system and Microsoft wouldn't have the manpower to review all drivers. It's just that without a major change to how Windows is done in the backend, I am not sure how feasible it would be for them to make the necessary changes.


Wasn't there also a keylogger/location issue with Razer (might have been a few years ago)? Through firmware.

While customizing your equipment is fun, some of the firmware access and software side is kinda screwed.

Access to information, the need between firmware and software... (bloatware) oof


1 hour ago, Vanderburg said:

But how?! Especially because Synapse is the least obtrusive software I've ever seen!

happened with ICUE too, I think. (the more recent one).

😞


Not defending Razer, but just in general this still requires physical access to a computer that is logged on. Honestly, how many people have non-admin users on their computer for which such an elevation exploit would even be worth it?

 

The only things that i can think of would be a work computer or a child's account on a family PC, but if you left a work Laptop in public out of your sight where someone can run over, plug in a razer keyboard and gain admin privileges, then that's no one's fault but your own.

 

Also most workplaces would have additional measures in place to block things exactly like this. Can't even plug in a USB drive to my work laptop.

 

And if it was a family PC, who is breaking into a house just to gain admin privileges on a child's account instead of just taking the whole PC.


9 hours ago, SorryClaire said:

Razer: We are running tight QC on all of our products!
Also Razer:

 

Honestly, after seeing how high Blade and Deathadder RMA rates become, this brand is now a big fat fucking joke.

I gave up on Razer after having 2 keyboards fail in the same way (repeating keypresses) within a few months.

After this experience I noticed this is far from uncommon with razer's mice, keyboards, laptops, etc. Didn't all of the Blades Linus gave to his staff end up failing....

Also:
Who would win

multi-billion-dollar company's security on the world's most popular operating system    or    gamers making gaming mice.
guys it's a joke, don't think about it too hard.


2 hours ago, leadeater said:

It's a both issue in my view, Microsoft should block certain calls during on demand automatic driver installs and drivers with accompanying software when submitted should go through an automated process to check for violations and get rejected and resubmission required. So if anything slips through the system will block it and in theory this would get prevented during the review process.

 

I'm in the "both at fault" camp here. No, Razer really shouldn't be doing this, but equally Microsoft shouldn't have Windows working in a way that allows this.


11 hours ago, Middcore said:

 

 

My thoughts

 I haven't used any Razer peripherals recently. Do they really just start downloading Synapse automatically without any kind of check or prompting?

Not that I'm aware of. Perhaps they changed it.

 

DCH drivers put the driver in Windows Update, but put the control panels and other bloatware cruft in the Windows Store. This makes hardware management an extreme nightmare on Enterprise systems because users will get blocked from installing the NVIDIA, Intel and Realtek control panels and thus end up being unable to change the screen resolution or get no audio from the analog ports.

 

There should be nothing that requires an "install" in Windows Update. So my guess is that either they had installed the Razer software once before (it requires a cloud login, and when I last had a Razer mouse, I could not be bothered to login to it, same with nvidia experience and everything else.)

 

Please, hardware vendors, stop requiring cloud logins to use your dang hardware; it's literally becoming a purchase decision now. Razer's control panel is just as bloated as other hardware vendors', and it's excessive bloat. Microsoft really needs to make "Lighting controls" its own universal settings menu and get rid of all these cloud RGB control panels.

 


3 hours ago, wanderingfool2 said:

The question also becomes whether the driver itself is installed, and then launches the software itself.

Wouldn't make a difference, drivers that have accompanying software don't run as SYSTEM. Think of things like Radeon Suite, GeForce Control Panel, Intel Graphics Settings, Synaptics Touchpad. None of these run as SYSTEM after installed and are installed during driver install. Intel and Synaptics drivers also install the control panel software when done through plug and play/Windows Update, whereas GeForce and Radeon do not.

 

The issue is specifically with Razer and how it is calling up its first run under the context of SYSTEM.


39 minutes ago, leadeater said:

Wouldn't make a difference, drivers that have accompanying software don't run as SYSTEM. Think of things like Radeon Suite, GeForce Control Panel, Intel Graphics Settings, Synaptics Touchpad. None of these run as SYSTEM after installed and are installed during driver install. Intel and Synaptics drivers also install the control panel software when done through plug and play/Windows Update, whereas GeForce and Radeon do not.

 

The issue is specifically with Razer and how it is calling up its first run under the context of SYSTEM.

Not a programmer/coder 

But could someone use this with any USB device already plugged in by switching the hardware ID etc. and then piggyback on the admin-privilege install?

 

Prolly a dumb question, but figured I'd ask anyways.


29 minutes ago, pas008 said:

Not a programmer/coder 

But could someone use this with any USB device already plugged in by switching the hardware ID etc. and then piggyback on the admin-privilege install?

 

Prolly a dumb question, but figured I'd ask anyways.

Yes, it's already a known and existing attack vector. However some protections have been added since that sort of thing became known. However, at least with this, you have to present a hardware device that Windows Update knows about and has a driver for (that is not installed already) and the attacker has either control of or is aware of a vulnerability with it i.e. Razer

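On the hardware-ID question above, and the earlier point that workplaces usually have policy in place to block exactly this: the Windows "Device Installation Restrictions" Group Policy settings decide purely on the IDs the device presents to the PnP manager, so a deny entry for the vulnerable vendor's VID/PID stops a spoofed device claiming that ID just as it stops the real one, and an allow list combined with "Prevent installation of devices not described by other policy settings" stops both. Below is an added example (my code, not anything from the thread, from Razer or from Microsoft) that models that matching rule in Python and prints the registry values such a policy writes. The VID/PID values are constructed; the HIDClass GUID is the real setup-class GUID; the registry layout is my reading of the documented DeviceInstall policy keys and should be checked against the ADMX on your build before deploying. Layered-order evaluation, instance IDs and the removable-devices setting are left out.

```python
"""Device Installation Restrictions, modelled as a policy evaluator over PnP IDs.

Added example, not code from the thread, from Razer or from Microsoft. Models the
documented matching rule: a device is blocked if any of its hardware or compatible
IDs, or its setup-class GUID, is on a deny list; otherwise allowed if on an allow
list; otherwise it falls to the "prevent installation of devices not described by
other policy settings" default. VID/PID values are constructed, not real Razer IDs."""

from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

HIDCLASS_GUID = "{745a17a0-74d3-11d0-b6fe-00a0c90f57da}"   # setup class "HIDClass"
POLICY_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions"


@dataclass
class PnpDevice:
    hardware_ids: List[str]      # most to least specific, as the bus driver reports them
    compatible_ids: List[str]
    setup_class: str             # GUID of the setup class the driver would install under


@dataclass
class InstallPolicy:
    deny_ids: Set[str] = field(default_factory=set)
    deny_classes: Set[str] = field(default_factory=set)
    allow_ids: Set[str] = field(default_factory=set)
    allow_classes: Set[str] = field(default_factory=set)
    prevent_unlisted: bool = False   # "Prevent installation of devices not described by other policy settings"


def usb_device(vid: int, pid: int, rev: int, cls: int, sub: int, prot: int, setup_class: str) -> PnpDevice:
    """IDs the USB bus driver reports: VID/PID(/REV) hardware IDs, class-based compatible IDs."""
    hw = [f"USB\\VID_{vid:04X}&PID_{pid:04X}&REV_{rev:04X}", f"USB\\VID_{vid:04X}&PID_{pid:04X}"]
    compat = [f"USB\\Class_{cls:02X}&SubClass_{sub:02X}&Prot_{prot:02X}",
              f"USB\\Class_{cls:02X}&SubClass_{sub:02X}", f"USB\\Class_{cls:02X}"]
    return PnpDevice(hw, compat, setup_class)


def _norm(s: str) -> str:
    return s.strip().upper()     # PnP ID and GUID comparisons are case-insensitive


def evaluate(device: PnpDevice, policy: InstallPolicy) -> Tuple[str, str]:
    """Return ("deny"|"allow", reason). Deny entries win over allow entries."""
    ids = [_norm(i) for i in device.hardware_ids + device.compatible_ids]
    cls = _norm(device.setup_class)
    deny_ids = {_norm(i) for i in policy.deny_ids}
    allow_ids = {_norm(i) for i in policy.allow_ids}
    for i in ids:
        if i in deny_ids:
            return "deny", f"ID {i} is on the deny list"
    if cls in {_norm(c) for c in policy.deny_classes}:
        return "deny", f"setup class {cls} is on the deny list"
    for i in ids:
        if i in allow_ids:
            return "allow", f"ID {i} is on the allow list"
    if cls in {_norm(c) for c in policy.allow_classes}:
        return "allow", f"setup class {cls} is on the allow list"
    if policy.prevent_unlisted:
        return "deny", "not described by any policy setting"
    return "allow", "no restriction applies"


def registry_values(policy: InstallPolicy) -> List[Tuple[str, str, object]]:
    """(key, value name, data) triples under POLICY_KEY.
    Assumption: this follows the documented DeviceInstallation.admx layout; verify on your build."""
    out: List[Tuple[str, str, object]] = []
    for name, entries in (("DenyDeviceIDs", policy.deny_ids), ("DenyDeviceClasses", policy.deny_classes),
                          ("AllowDeviceIDs", policy.allow_ids), ("AllowDeviceClasses", policy.allow_classes)):
        if entries:
            out.append((POLICY_KEY, name, 1))                     # DWORD enabling the list
            for n, entry in enumerate(sorted(entries), start=1):
                out.append((POLICY_KEY + "\\" + name, str(n), entry))   # numbered string values
    if policy.prevent_unlisted:
        out.append((POLICY_KEY, "DenyUnspecified", 1))
    return out


# Constructed devices: a "vulnerable vendor" USB boot keyboard (class 03/01/01), a BadUSB-style
# device re-enumerating with the same VID/PID to pull the same driver package, and a corporate keyboard.
VENDOR_KBD = usb_device(0x1234, 0x0001, 0x0100, 0x03, 0x01, 0x01, HIDCLASS_GUID)
SPOOFED_KBD = usb_device(0x1234, 0x0001, 0x0200, 0x03, 0x01, 0x01, HIDCLASS_GUID)
CORP_KBD = usb_device(0x5678, 0x0010, 0x0100, 0x03, 0x01, 0x01, HIDCLASS_GUID)

OPEN = InstallPolicy()
DENY_VENDOR = InstallPolicy(deny_ids={"USB\\VID_1234&PID_0001"})
ALLOWLIST_ONLY = InstallPolicy(allow_ids={"USB\\VID_5678&PID_0010"}, prevent_unlisted=True)


def scenarios() -> Dict[str, str]:
    """Outcome of each policy for each device, keyed "policy/device"."""
    results: Dict[str, str] = {}
    for pname, pol in (("open", OPEN), ("deny_vendor", DENY_VENDOR), ("allowlist_only", ALLOWLIST_ONLY)):
        for dname, dev in (("vendor", VENDOR_KBD), ("spoofed", SPOOFED_KBD), ("corp", CORP_KBD)):
            results[f"{pname}/{dname}"] = evaluate(dev, pol)[0]
    return results


if __name__ == "__main__":
    for k, v in scenarios().items():
        print(f"{k:24s} -> {v}")
    for key, name, data in registry_values(ALLOWLIST_ONLY):
        print(f"{key}  {name} = {data!r}")
```

The point the model makes explicit: an ID-based deny entry cannot tell the genuine device from a spoofer presenting the same VID/PID, which is fine when the goal is "never fetch that vendor's package", while the allow-list-plus-DenyUnspecified shape is what an enterprise needs if the worry is any unknown device pulling any driver package through Windows Update.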

2 hours ago, leadeater said:

Wouldn't make a difference, drivers that have accompanying software don't run as SYSTEM. Think of things like Radeon Suite, GeForce Control Panel, Intel Graphics Settings, Synaptics Touchpad. None of these run as SYSTEM after installed and are installed during driver install. Intel and Synaptics drivers also install the control panel software when done through plug and play/Windows Update, whereas GeForce and Radeon do not.

 

The issue is specifically with Razer and how it is calling up its first run under the context of SYSTEM.

A driver running as SYSTEM could open up the installer to run as SYSTEM (it is against the best practices posted on MSDN, but somewhere they are violating best practices).  Things like Intel Graphics and such do it the proper way, distinguishing between user mode and kernel mode.

 

Ultimately I think it would be harder for Microsoft to police, which is why I think the blame is on Razer for writing horrible drivers (compared to Microsoft).


And yet YouTubers are still going to advise Razer products as the best thing ever made.


15 hours ago, SorryClaire said:

Razer: We are running tight QC on all of our products!
Also Razer:

 

Honestly, after seeing how high Blade and Deathadder RMA rates become, this brand is now a big fat fucking joke.

>>Implying Razer was ever something other than a joke to begin with.

 

Razer products have notoriously high RMA rates. Every. Single. Product. Line.

They desperately design your product to be rendered unusable right after warranty; this is planned obsolescence.

The original deathadder from 2006 is the only Razer product that is built to last.


I mean I don't know the technicalities, but shouldn't Microsoft *check* if they're signing a driver instead of handwaving it? Isn't that the whole point of signing a driver?

That's also the issue I see with the whole TPM/security fluff… who gets access to this feature, Razer? Any random Steam developer? Good night if so…


5 hours ago, wanderingfool2 said:

A driver running as a system could open up the installer to run as system (it is against the best practices posted on MSDN, but somewhere they are violating best practices).

The driver is not running as SYSTEM, this is a failure in the driver installation process. Also Kernel Mode drivers are still fully supported, User Mode is the preferred type and should be used wherever possible. Kernel Mode vs User Mode has nothing to do with this.

 

Kernel Mode vs User Mode has to do with the memory space the driver is running in, not the security principal context it is running as. Anything can run as SYSTEM in user context, as do Windows Update and drvinst, which is where the exploitation is happening.

 

Quote

Starting with Windows Vista, when the Plug and Play (PnP) manager detects a new device in the system, the operating system starts the device installation host process (DrvInst.exe) to search for and install a driver for the device.

The most efficient way to debug the user-mode device installation host process is with a user-mode debugger, such as WinDbg or Visual Studio. Because the DrvInst.exe process would normally complete without any user interaction, Microsoft has added support to Windows Vista and later versions of Windows to allow the developer of a driver package to attach a debugger before the core stages of device installation are processed.

https://docs.microsoft.com/en-us/windows-hardware/drivers/install/debugging-device-installations-with-a-user-mode-debugger

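Following on from the DrvInst.exe point above (and the earlier back-and-forth about whether Windows Update or the driver is the thing running as SYSTEM): since the whole chain is user-mode processes running as SYSTEM, drvinst.exe launching the vendor installer whose file dialog then spawns a shell, the detection is an ancestry check on process-creation telemetry, not anything kernel-side. Below is an added example (my code, not from the thread, Razer or Microsoft) that runs over constructed Sysmon Event ID 1-style records and flags interactive shells running as NT AUTHORITY\SYSTEM with drvinst.exe somewhere in their parent chain. VendorSetup.exe is a placeholder name for the installer, not the real binary.

```python
"""Detection sketch: interactive shells running as SYSTEM underneath the
Windows device-installation host (drvinst.exe).

Added example, not code from the thread or from Razer/Microsoft. The records
below are constructed to carry Sysmon Event ID 1 (process creation) fields;
VendorSetup.exe is a placeholder for the vendor installer, not a real binary."""

from typing import Dict, List

SYSTEM_USER = "NT AUTHORITY\\SYSTEM"
INSTALL_HOST = "drvinst.exe"     # PnP device installation host: user-mode, but runs as SYSTEM
INTERACTIVE_SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "explorer.exe"}
MAX_DEPTH = 32                   # bound the parent walk (cycles, runaway PID reuse)

# Constructed sample events. PIDs 3400 -> 3520 -> 3610 are the chain the thread
# describes: drvinst.exe starts the vendor installer, whose file dialog spawns PowerShell.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"ProcessId": 700,  "ParentProcessId": 500,  "Image": r"C:\Windows\System32\services.exe", "User": SYSTEM_USER},
    {"ProcessId": 1200, "ParentProcessId": 700,  "Image": r"C:\Windows\System32\svchost.exe",  "User": SYSTEM_USER},
    {"ProcessId": 3400, "ParentProcessId": 1200, "Image": r"C:\Windows\System32\drvinst.exe",  "User": SYSTEM_USER},
    {"ProcessId": 3520, "ParentProcessId": 3400, "Image": r"C:\Windows\Temp\VendorSetup.exe",  "User": SYSTEM_USER},
    {"ProcessId": 3610, "ParentProcessId": 3520,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "User": SYSTEM_USER},
    # Benign: a logged-on user's own Explorer and a cmd.exe under it (not SYSTEM).
    {"ProcessId": 4100, "ParentProcessId": 4000, "Image": r"C:\Windows\explorer.exe",          "User": r"DESKTOP\alice"},
    {"ProcessId": 4200, "ParentProcessId": 4100, "Image": r"C:\Windows\System32\cmd.exe",      "User": r"DESKTOP\alice"},
    # Benign: SYSTEM cmd.exe from a service host (e.g. a scheduled task); no drvinst.exe above it.
    {"ProcessId": 1300, "ParentProcessId": 700,  "Image": r"C:\Windows\System32\svchost.exe",  "User": SYSTEM_USER},
    {"ProcessId": 5000, "ParentProcessId": 1300, "Image": r"C:\Windows\System32\cmd.exe",      "User": SYSTEM_USER},
]


def image_name(path: str) -> str:
    """Lower-cased file name of an image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def index_by_pid(events: List[Dict[str, object]]) -> Dict[int, Dict[str, object]]:
    return {int(e["ProcessId"]): e for e in events}


def ancestry(pid: int, by_pid: Dict[int, Dict[str, object]]) -> List[str]:
    """Image names from pid upwards. Stops at a parent we have no record for
    (already exited or never logged), on a cycle, or at MAX_DEPTH."""
    chain: List[str] = []
    seen = set()
    cur = by_pid.get(pid)
    while cur is not None and len(chain) < MAX_DEPTH:
        p = int(cur["ProcessId"])
        if p in seen:
            break
        seen.add(p)
        chain.append(image_name(str(cur["Image"])))
        cur = by_pid.get(int(cur["ParentProcessId"]))
    return chain


def find_system_shells_under_install_host(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Flag shells running as SYSTEM that descend from drvinst.exe."""
    by_pid = index_by_pid(events)
    hits: List[Dict[str, object]] = []
    for e in events:
        if str(e["User"]).upper() != SYSTEM_USER:
            continue
        name = image_name(str(e["Image"]))
        if name not in INTERACTIVE_SHELLS:
            continue
        chain = ancestry(int(e["ProcessId"]), by_pid)
        if INSTALL_HOST in chain[1:]:        # an ancestor, not the process itself
            hits.append({"ProcessId": int(e["ProcessId"]), "Image": name, "Chain": " <- ".join(chain)})
    return hits


if __name__ == "__main__":
    for h in find_system_shells_under_install_host(SAMPLE_EVENTS):
        print(f"ALERT pid={h['ProcessId']} {h['Image']} running as SYSTEM; chain: {h['Chain']}")
```

On real telemetry, correlate on Sysmon's ParentProcessGuid rather than bare PIDs (a PID is reused once its owner exits, so a walk on PIDs alone can attach a process to the wrong parent), and keep the shell list in step with whatever your file dialogs can launch, since "Open PowerShell window here" is only one of several ways out of a common dialog.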

I find it particularly interesting, especially after all the crap about the Chinese government’s activities with Hisense televisions and the Huawei debacle…now we’re hearing about yet another Chinese company and it’s exploits…at what point does this become a pattern?


16 minutes ago, Qrtrmstr2k said:

I find it particularly interesting, especially after all the crap about the Chinese government’s activities with Hisense televisions and the Huawei debacle…now we’re hearing about yet another Chinese company and it’s exploits…at what point does this become a pattern?

Razer is not a Chinese company.

