Hack a PC? Plug in a Razer Mouse with Automatic Synapse Installation

[btarunr]

Over the past few generations, Razer has automated the download and installation of the Razer Synapse software by having it start the first time to plug in a Razer peripheral on your computer (mouse, keyboard, USB headset, etc.). This may be well-intentioned, but comes with a glaring security flaw, according to a LifeHacker report citing a security discovery by @j0nh4t on Twitter. Apparently, plugging in a Razer peripheral causes the Razer Synapse installer to prompt download and installation using a privileged Windows process (using Windows Update).

Once you download and run the installer, you can choose a custom installation folder for the application. This spawns a Windows Explorer dialog that is privileged and can access folders regular users probably don't have access to, as per an organization's group policy. Once in this dialog, you can simply shift+right-click on a folder, and click on "open PowerShell window here," to spawn a privileged PowerShell at that location, and knock yourself out with whatever it is you want to do to the machine. Visit the source link below for a video demo on how this hack works.



View at TechPowerUp Main Site

 

[Ferrum Master]

While this is nothing new as a functionality... every modem does use autoplay from a storage partition and installs who knows what...

While everyone forgets, Razer Synapse also automatically installs from WU during installations and build upgrades, without your consent to opt in or out.

I've filed a suggestion in M$ Feedback Hub to get rid of it, but as usual it got lost...

 

[W1zzard]

While this is nothing new as a functionality... every modem does use autoplay from a storage partition and installs who knows what...

While everyone forgets, Razer Synapse also automatically installs from WU during installations and build upgrades, without your consent to opt in or out.

I've filed a suggestion in M$ Feedback Hub to get rid of it, but as usual it got lost...

Their fail is that they execute GUI stuff during installation from Windows Update, with the wrong privileges. Lots of Windows 10's "security" is designed around the fact that even as "admin" you are running at a lower privilege level than NT Authority\SYSTEM (yes I know about psexec)

 

[DeathtoGnomes]

Dont know how many times I've said there are issues with Razer software, this is one I didnt expect, but am not surprised either. Razer might be visually appealing to some people, ignoring the underlying risk that comes with owning one.

that even as "admin" you are running at a lower privilege level than NT Authority\SYSTEM

there ya go, now you've done it and spilled the beans, now average pc joe will be changing permissions....

Next we'll have OHSHIT.sys deleted posts....

 

[TheUn4seen]

You know what they say, Razer might be a horrible company for childish posers, but at least they also screw up the security of your system.

 

[kayjay010101]

Another reason to justify my total avoidance of Synapse and anything else Razer.

 

[nguyen]

Another reason to justify my total avoidance of Synapse and anything else Razer.

Jup, the Synapse software sometimes just freeze all Keyboard and mouse Input when I play games LOL, lucky I was able to identify the culprit fairly quick and remove that POS software.

 

[c2DDragon]

Nice !
Does this work in safe mode ?
If it does, you can disable Windows Defender on any machine you can plug your peripherical into and put everything you want on your targets' computers.
You just have to modify the registry in safe mode like this :

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecurityHealthService]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend]
"Start"=dword:00000004

Those ones will be reverted to default if you didn't disable the SecurityHealthService in safe mode :
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001
"DisableRealtimeMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection]
"DisableBehaviorMonitoring"=dword:00000001
"DisableOnAccessProtection"=dword:00000001
"DisableScanOnRealtimeEnable"=dword:00000001

 

[Ferrum Master]

Jup, the Synapse software sometimes just freeze all Keyboard and mouse Input when I play games LOL, lucky I was able to identify the culprit fairly quick and remove that POS software.

Prolly the moment it dumps your personal data(read pr0n habits) to the first buyer


Other than that. I cannot think anyone, but Microsoft has to act and put limits. Creating a ticket and mass voting it as a community until someone notices it. Linux has OpenRazer project, that is like best thing since sliced bread.

 

[W1zzard]

Windows Defender

NT Authority\SYSTEM can bypass Defender Tamper Protection and just shut it down

 

[Vayra86]

Other than that. I cannot think anyone, but Microsoft has to act and put limits. Creating a ticket and mass voting it as a community until someone notices it. Linux has OpenRazer project, that is like best thing since sliced bread.

Does it? Just let the cancerous thing fester for a few years until it gets a major hack that hits everyone with Razer gear.

Best teacher.

 

[c2DDragon]

NT Authority\SYSTEM can bypass Defender Tamper Protection and just shut it down

Yes but if you reboot, the protections will go back ON by default, right ? And try to remove the malicious stuff made x)
That's why I asked for the safe mode, to disable the security health service completly until people find out there is no protection anymore. There will be no warning nowhere without this service.

 

[W1zzard]

will go back ON by default

Not if you delete the required files, or delete the service, etc, which you now can when running as NT Authority\SYSTEM

 

[c2DDragon]

Not if you delete the required files, or delete the service, etc, which you now can when running as NT Authority\SYSTEM

I see, well, it's even more scary than I thought ahah.

 

[zlobby]

Dont know how many times I've said there are issues with Razer software, this is one I didnt expect, but am not surprised either. Razer might be visually appealing to some people, ignoring the underlying risk that comes with owning one.


there ya go, now you've done it and spilled the beans, now average pc joe will be changing permissions....

Next we'll have OHSHIT.sys deleted posts....

Imagine when they discover about ssh and sudo!

 

[Tardian]

I know we are, in our ways, all clever Dicks on TPU. Did anyone stop for a second and consider that telling the world this insider stuff is like publishing plans for a dirty bomb?

Tardian

 

[Ferrum Master]

I know we are, in our ways, all clever Dicks on TPU. Did anyone stop for a second and consider that telling the world this insider stuff is like publishing plans for a dirty bomb?

Tardian

While I certainly agree that we are D**** one way or another especially I, I have no problems with self critique.

Something like this is often needed for the further good. Shake up some IT department arses to start working like they should. Often the legal ways of telling, hey something is bad or wrong are slow or ineffective, so going nuclear ain't always a bad thing in my books.

 

[INSTG8R]

I mean I’ve read of myriad of different issues Synapse has caused for users but I never expected it to go full on malware…

 

[W1zzard]

I know we are, in our ways, all clever Dicks on TPU. Did anyone stop for a second and consider that telling the world this insider stuff is like publishing plans for a dirty bomb?

It's not exactly insider stuff, and security through obscurity doesn't work anyway

Security through obscurity - Wikipedia

en.wikipedia.org

Tardian

don't put your signature into posts, go to this page, to set it properly: https://www.techpowerup.com/forums/account/signature

 

[Chomiq]

I guess they didn't learn from HP and their drivers on a printer BS.

 

[Tardian]

While I certainly agree that we are D**** one way or another especially I, I have no problems with self critique.

Something like this is often needed for the further good. Shake up some IT department arses to start working like they should. Often the legal ways of telling, hey something is bad or wrong are slow or ineffective, so going nuclear ain't always a bad thing in my books.

clever Dick:
a person who is irritatingly and ostentatiously knowledgeable or intelligent.
"she's such a clever Dick—you can't tell her anything"
Definitions from Oxford Languages

 

[Frick]

We're all sagacious penises.

 

[SL2]

there ya go, now you've done it and spilled the beans, now average pc joe will be changing permissions....

Next we'll have OHSHIT.sys deleted posts....

Why do people act like this was a universal secret up until now? AFAIK, there are other tech sites and forums on the internet besides TPU..

 

[windwhirl]

They're working on a fix now

https://twitter.com/i/web/status/1429462941070409728

Their fail is that they execute GUI stuff during installation from Windows Update, with the wrong privileges. Lots of Windows 10's "security" is designed around the fact that even as "admin" you are running at a lower privilege level than NT Authority\SYSTEM (yes I know about psexec)

. . . At this point WU-triggered installations should happen in a session without the ability to show anything on desktop.

Also it brings back the question of why they never bothered to put drivers at a lower privilege level than the kernel

 

[R-T-B]

My thoughts are pretty simple:

Goddamnit Razer.