Tuesday, August 24th 2021

Hack a PC? Plug in a Razer Mouse with Automatic Synapse Installation

by
btarunr
 Discuss (61 Comments)
Over the past few generations, Razer has automated the download and installation of the Razer Synapse software by having it start the first time to plug in a Razer peripheral on your computer (mouse, keyboard, USB headset, etc.). This may be well-intentioned, but comes with a glaring security flaw, according to a LifeHacker report citing a security discovery by @j0nh4t on Twitter. Apparently, plugging in a Razer peripheral causes the Razer Synapse installer to prompt download and installation using a privileged Windows process (using Windows Update).

Once you download and run the installer, you can choose a custom installation folder for the application. This spawns a Windows Explorer dialog that is privileged and can access folders regular users probably don't have access to, as per an organization's group policy. Once in this dialog, you can simply shift+right-click on a folder, and click on "open PowerShell window here," to spawn a privileged PowerShell at that location, and knock yourself out with whatever it is you want to do to the machine. Visit the source link below for a video demo on how this hack works.
Sources: j0nh4t (Twitter), LifeHacker

Related News

Add your own comment

61 Comments on Hack a PC? Plug in a Razer Mouse with Automatic Synapse Installation

#1
Ferrum Master
While this is nothing new as a functionality... every modem does use autoplay from a storage partition and installs who knows what...

While everyone forgets, Razer Synapse also automatically installs from WU during installations and build upgrades, without your consent to opt in or out.

I've filed a suggestion in M$ Feedback Hub to get rid of it, but as usual it got lost...
Posted on Reply
#2
W1zzard
Ferrum MasterWhile this is nothing new as a functionality... every modem does use autoplay from a storage partition and installs who knows what...

While everyone forgets, Razer Synapse also automatically installs from WU during installations and build upgrades, without your consent to opt in or out.

I've filed a suggestion in M$ Feedback Hub to get rid of it, but as usual it got lost...
Their fail is that they execute GUI stuff during installation from Windows Update, with the wrong privileges. Lots of Windows 10's "security" is designed around the fact that even as "admin" you are running at a lower privilege level than NT Authority\SYSTEM (yes I know about psexec)
Posted on Reply
#3
DeathtoGnomes
Dont know how many times I've said there are issues with Razer software, this is one I didnt expect, but am not surprised either. Razer might be visually appealing to some people, ignoring the underlying risk that comes with owning one.
W1zzardthat even as "admin" you are running at a lower privilege level than NT Authority\SYSTEM
there ya go, now you've done it and spilled the beans, now average pc joe will be changing permissions....:p:eek:

Next we'll have OHSHIT.sys deleted posts....
Posted on Reply
#4
TheUn4seen
You know what they say, Razer might be a horrible company for childish posers, but at least they also screw up the security of your system.
Posted on Reply
#5
kayjay010101
Another reason to justify my total avoidance of Synapse and anything else Razer.
Posted on Reply
#6
nguyen
kayjay010101Another reason to justify my total avoidance of Synapse and anything else Razer.
Jup, the Synapse software sometimes just freeze all Keyboard and mouse Input when I play games LOL, lucky I was able to identify the culprit fairly quick and remove that POS software.
Posted on Reply
#7
c2DDragon
Nice !
Does this work in safe mode ?
If it does, you can disable Windows Defender on any machine you can plug your peripherical into and put everything you want on your targets' computers.
You just have to modify the registry in safe mode like this :

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecurityHealthService]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend]
"Start"=dword:00000004

Those ones will be reverted to default if you didn't disable the SecurityHealthService in safe mode :
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001
"DisableRealtimeMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection]
"DisableBehaviorMonitoring"=dword:00000001
"DisableOnAccessProtection"=dword:00000001
"DisableScanOnRealtimeEnable"=dword:00000001
Posted on Reply
#8
Ferrum Master
nguyenJup, the Synapse software sometimes just freeze all Keyboard and mouse Input when I play games LOL, lucky I was able to identify the culprit fairly quick and remove that POS software.
Prolly the moment it dumps your personal data(read pr0n habits) to the first buyer :D


Other than that. I cannot think anyone, but Microsoft has to act and put limits. Creating a ticket and mass voting it as a community until someone notices it. Linux has OpenRazer project, that is like best thing since sliced bread.
Posted on Reply
#9
W1zzard
c2DDragonWindows Defender
NT Authority\SYSTEM can bypass Defender Tamper Protection and just shut it down
Posted on Reply
#10
Vayra86
Ferrum MasterOther than that. I cannot think anyone, but Microsoft has to act and put limits. Creating a ticket and mass voting it as a community until someone notices it. Linux has OpenRazer project, that is like best thing since sliced bread.
Does it? Just let the cancerous thing fester for a few years until it gets a major hack that hits everyone with Razer gear.

Best teacher.
Posted on Reply
#11
c2DDragon
W1zzardNT Authority\SYSTEM can bypass Defender Tamper Protection and just shut it down
Yes but if you reboot, the protections will go back ON by default, right ? And try to remove the malicious stuff made x)
That's why I asked for the safe mode, to disable the security health service completly until people find out there is no protection anymore. There will be no warning nowhere without this service.
Posted on Reply
#12
W1zzard
c2DDragonwill go back ON by default
Not if you delete the required files, or delete the service, etc, which you now can when running as NT Authority\SYSTEM
Posted on Reply
#13
c2DDragon
W1zzardNot if you delete the required files, or delete the service, etc, which you now can when running as NT Authority\SYSTEM
I see, well, it's even more scary than I thought ahah.
Posted on Reply
#14
zlobby
DeathtoGnomesDont know how many times I've said there are issues with Razer software, this is one I didnt expect, but am not surprised either. Razer might be visually appealing to some people, ignoring the underlying risk that comes with owning one.


there ya go, now you've done it and spilled the beans, now average pc joe will be changing permissions....:p:eek:

Next we'll have OHSHIT.sys deleted posts....
Imagine when they discover about ssh and sudo!
Posted on Reply
#15
Tardian
I know we are, in our ways, all clever Dicks on TPU. Did anyone stop for a second and consider that telling the world this insider stuff is like publishing plans for a dirty bomb?

Tardian
Posted on Reply
#16
Ferrum Master
TardianI know we are, in our ways, all clever Dicks on TPU. Did anyone stop for a second and consider that telling the world this insider stuff is like publishing plans for a dirty bomb?

Tardian
While I certainly agree that we are D**** one way or another especially I, I have no problems with self critique.

Something like this is often needed for the further good. Shake up some IT department arses to start working like they should. Often the legal ways of telling, hey something is bad or wrong are slow or ineffective, so going nuclear ain't always a bad thing in my books.
Posted on Reply
#17
INSTG8R
Vanguard Beta Tester
I mean I’ve read of myriad of different issues Synapse has caused for users but I never expected it to go full on malware…
Posted on Reply
#19
Chomiq
I guess they didn't learn from HP and their drivers on a printer BS.
Posted on Reply
#20
Tardian
Ferrum MasterWhile I certainly agree that we are D**** one way or another especially I, I have no problems with self critique.

Something like this is often needed for the further good. Shake up some IT department arses to start working like they should. Often the legal ways of telling, hey something is bad or wrong are slow or ineffective, so going nuclear ain't always a bad thing in my books.
clever Dick:
a person who is irritatingly and ostentatiously knowledgeable or intelligent.
"she's such a clever Dick—you can't tell her anything"
Definitions from Oxford Languages
Posted on Reply
#21
Frick
Fishfaced Nincompoop
We're all sagacious penises.
Posted on Reply
#22
SL2
DeathtoGnomesthere ya go, now you've done it and spilled the beans, now average pc joe will be changing permissions....:p:eek:

Next we'll have OHSHIT.sys deleted posts....
Why do people act like this was a universal secret up until now? :confused: AFAIK, there are other tech sites and forums on the internet besides TPU.. ;)
Posted on Reply
#23
windwhirl
They're working on a fix now
https://twitter.com/i/web/status/1429462941070409728
W1zzardTheir fail is that they execute GUI stuff during installation from Windows Update, with the wrong privileges. Lots of Windows 10's "security" is designed around the fact that even as "admin" you are running at a lower privilege level than NT Authority\SYSTEM (yes I know about psexec)
. . . At this point WU-triggered installations should happen in a session without the ability to show anything on desktop.

Also it brings back the question of why they never bothered to put drivers at a lower privilege level than the kernel
Posted on Reply
#24
R-T-B
My thoughts are pretty simple:

Goddamnit Razer.
Posted on Reply
#25
Selaya
The better question is ... why would I need thirdparty drivers for a keyboard, mouse or headset/-phones to begin with? None of mines require any.
Posted on Reply
Add your own comment
Nov 21st, 2024 13:17 EST change timezone

Latest GPU Drivers

New Forum Posts

Popular Reviews

Controversial News Posts