UPDATE 8/23: Razer has now publicly responded to news of this vulnerability, with a spokesperson explaining:
“We were made aware of a situation in which our software, in a very specific use case, provides a user with broader access to their machine during the installation process.
Original Story: Hardware company Razer is currently offering an easy way for anyone with physical access to a Windows 10 machine to gain admin privileges: Plug in a keyboard or mouse.
As BleepingComputer reports, a security researcher who goes by the name jonhat on Twitter discovered a zero-day vulnerability made possible by Razer’s peripherals. The vulnerability was disclosed to Razer, but the company didn’t respond, so jonhat decided to go public and posted a video of the privilege escalation being carried out. You can see it in the tweet below, or watch a higher-quality version on Streamable.
The privilege escalation is possible because plugging in a Razer peripheral automatically triggers the Razer Synapse software to be downloaded and installed. Because the installation is launched by a Windows process that has system privileges, the Razer software installation inherits the same level of privileges.
If you decide to manually select which folder to install the software in, it’s possible to then press Shift and right-click, at which point you can open a PowerShell window. As the installation is running with system privileges, the PowerShell window gets them, too.
With system privileges and a PowerShell window open, a malicious user has everything they need to install whatever they like on your PC before unplugging the peripheral and making their escape. However, this vulnerability is hopefully going to disappear soon. Since posting the video, jonhat confirmed Razer has reached out and a fix is being worked on to be released as soon as possible. Until then, be wary of anyone checking out your Windows PC who also happens to be carrying a Razer mouse or keyboard.
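
For defenders, the behaviour described above leaves a recognisable trace: a shell running as SYSTEM inside a logged-in user's desktop session. The following detection check is an added example, not code from the article, the researcher or Razer; it uses Sysmon process-creation (Event ID 1) field names, and the sample events, user name and the installer name `DeviceSetupInstaller.exe` are constructed placeholders.

```python
import ntpath

# Shells that should almost never run as SYSTEM on a logged-in user's desktop.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
SYSTEM_USER = "NT AUTHORITY\\SYSTEM"

# Constructed events using Sysmon Event ID 1 field names.
# "DeviceSetupInstaller.exe" is a placeholder, not a real binary name.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
INSTALLER = r"C:\Windows\Temp\DeviceSetupInstaller.exe"
SAMPLE_EVENTS = [
    # Installer started by a Windows service process, shown on the user's desktop.
    {"ProcessId": 4120, "Image": INSTALLER,
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "User": SYSTEM_USER, "TerminalSessionId": 1},
    # Shell opened from the installer's folder dialog: inherits SYSTEM.
    {"ProcessId": 5332, "Image": PS, "ParentImage": INSTALLER,
     "User": SYSTEM_USER, "TerminalSessionId": 1},
    # Ordinary user shell: not an alert.
    {"ProcessId": 6010, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "User": "DESKTOP-01\\alice", "TerminalSessionId": 1},
    # SYSTEM shell in session 0 (service context, no desktop): not an alert here.
    {"ProcessId": 712, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "User": SYSTEM_USER, "TerminalSessionId": 0},
]


def image_name(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def find_system_shells(events):
    """Return alerts for shells running as SYSTEM in an interactive session (ID != 0)."""
    alerts = []
    for ev in events:
        is_system = ev["User"].upper() == SYSTEM_USER.upper()
        interactive = ev["TerminalSessionId"] != 0
        if image_name(ev["Image"]) in SHELLS and is_system and interactive:
            alerts.append({"pid": ev["ProcessId"], "shell": image_name(ev["Image"]),
                           "parent": image_name(ev["ParentImage"]),
                           "session": ev["TerminalSessionId"]})
    return alerts


if __name__ == "__main__":
    for alert in find_system_shells(SAMPLE_EVENTS):
        print("ALERT: SYSTEM shell in interactive session:", alert)
```

Windows reserves session 0 for services, so a SYSTEM shell in any other session is visible to whoever is sitting at the desktop; administration tools that do this on purpose would need an allowlist keyed on the parent image.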