back to article Razer ponders how to fix installer that grants admin powers if you plug in a mouse

Razer is said to be working on an updated installer after it was discovered you can gain admin privileges on Windows by plugging in one of the gaming gear maker's mice or keyboards. In fact, inserting any USB device that declares itself a Razer mouse or keyboard will lead to an exploitable situation. As documented late last …

  1. oiseau Silver badge
    Facepalm

    WTF?

    ... if you plug into a Windows 10 or 11 machine a device identified as a Razer mouse or keyboard, Microsoft's OS will automatically download and run Razer's installer.

    Right ...

    What could possibly go wrong with such an interesting scheme?

    Never mind ...

    We wonder how many Windows installers have these same weaknesses.

    Er ...

    More than one?

    O.

    1. Anonymous Coward
      Anonymous Coward

      Re: WTF?

      It's a good example of a generic security issue that general "security testing" will miss, although the issue with plugging in a something that says it's a "keyboard" and gains access has been documented for years now. I've got a Rubber Ducky that does this.

      1. Lil Endian

        Re: WTF?

        By golly, it's clean clear to Flag Town, c'mon. Yeah, that's a big 10-4 there, Pig Pen, yeah.

    2. Loyal Commenter Silver badge

      Re: WTF?

      Merely plugging something in will run an installer, with elevated permissions? There's your security problem, right there. It doesn't matter whether Razer screwed this one up, having Windows allow a user action to trigger code that downloads and executes other code with elevated permissions is a generic security hole.

      Device driver installation, which by its nature is modifying part of the OS that is shared between users, should not be runnable by a user at all if they do not have the required permissions to do so. The fact that this "leaks" and allows the user to spawn a PowerShell instance is moot. There should at the very least be a prompt along the lines of "allow the installer to run?" and a further one to authenticate and authorise if the user does not have permissions.

      This looks like yet another example of how easy it is to get security wrong. I am a little surprised that Windows allows it in this day and age!

      1. oiseau Silver badge
        Facepalm

        Re: WTF?

        Device driver installation, which by its nature is modifying part of the OS that is shared between users, should not be runnable by a user at all if they do not have the required permissions to do so.

        Indeed ...

        You know that.

        I know that.

        MS developers know that, they just don't give a monkey's toss.

        But 99.9% of Windows users don't know that.

        Because if they did, they would most probably use a systemd-free Linux distribution.

        O.

        1. jtaylor Bronze badge

          Re: WTF?

          "99.9% of Windows users don't know that. Because if they did, they would most probably use a systemd-free Linux distribution."

          I'm surrounded by people in that remaining 0.1%. These are people whose computer is just a base to run software like Word, Quicken, whatever software came with their digital camera, and of course the Web. They want to be able to buy a new printer when the current one dies. They don't know what "systemd-free Linux" means, nor do they care. They do care whether tech support for (ISP / new software package / PC manufacturer) will support them.

          If these people heard about the Razer problem and asked me for advice, I would reply "just don't buy a Razer brand mouse."

      2. ewanm89

        Re: WTF?

        Razer's code is doing nothing wrong, windows update is here.

        1. LDS Silver badge

          Re: WTF?

          No, probably the Razer installer is doing something very wrong when run. An installer should not let others to mess with it this way. If it needs to install something to be run on boot, it should not allow others to mess with it.

          You can write bad rpms or debs if you're not understanding what you're doing - and they're executed with elevated privileges as well.

          Here the problem is amplified by Plug&Play being able to run installer automatically.

          1. oiseau Silver badge
            Facepalm

            Re: WTF?

            You can write bad rpms or debs if you're not understanding what you're doing ...

            Yes, you certainly can.

            But it is highly unlikely (not to say impossible).

            People who don't know what they are doing just do not get to write a bad Linux package (rpm, deb, etc.) which will actually get into a distribution's repository and then be downloaded and installed.

            In 10+ years running Linux distributions I have never seen such a thing happen.

            It would have to be done on purpose and then a great many safeguards would have to fail at the same time.

            Safeguards that MS evidently does not have in place.

            Like I said: highly unlikely or impossible.

            O.

            1. ewanm89

              Re: WTF?

              Even then, with RPM/DEB packages... Well apt and yum are not essentially set to run with SETUID bit set to root, and automatically run if a USB device is plugged in. Where an automatic update for security is run silently in the background, well, RPM/DEB packages will only install if they do not need an interactive configuration part by the user.

    3. karlkarl Silver badge

      Re: WTF?

      Do people really not have firewalls to prevent Microsoft from communicating outside from your Windows? Wow, that seems very careless.

      That is the first thing that should be set up. Prevention of downloading broken drivers is just *one* of the benefits of not being a mug.

    4. ewanm89
      Mushroom

      Re: WTF?

      The issue is not the installer, it is Windows Update and the Windows API and Windows Driver certification allowing interactive installers at all.

      There is nothing Razer's installer is doing that MS Office installer, MS Visual Studio installer, Windows 10 Media Creation Tool or numerous other installers and tools do. The only thing is it is being launched by windows update which launches it as the system account bypassing the UAC check for even non-admin users.

      1. diodesign (Written by Reg staff) Silver badge

        Windows at fault?

        We alluded to the possibility that's more than just Razer affected, and there may be a greater underlying issue. Now that we know more about the vulnerability, I've expanded that part to make it clearer.

        The issue appears to be that Windows runs some installers automatically at SYSTEM level, bypassing UAC and the like. Those installers don't care if someone can spawn a PS shell from Explorer during the install process because if the user can run the installer as admin, they can open an admin shell whenever they want anyway.

        Razer is at the forefront of this story because it neatly demonstrates the problem with this approach, and how it can be easily exploited. Depending on how Razer responds, and Microsoft, we'll follow up with more coverage.

        C.

        1. Mage Silver badge
          Alert

          Re: Windows at fault?

          The underlying issue since USB was added to Win95 AFTER initial release is USB HID.

          Some years ago someone added a CPU and Flash to a stock mouse and proved plugging in a USB mouse could silently install a trojan.

          Probably a €10 Trust brand USB mouse from a random local shop is safer than a gift delivered by post/courier.

  2. Cybersaber

    Apple will not bow - riiiight

    So Apple is saying they will defy a legal request from the Party in the PCR, if they change the law to require it? This is complete an utter tripe.

    So very dishonest. "Apple complies with Beijing's demands and censors some content in China, saying it complies with the laws in the countries it operates." So when a country in the middle East, knowing Apple has this tech, makes a law that requires them to add other types to it, they're going to do what now? Yeah. They'll comply with the law.

    This is nothing more than either complete disconnect with reality, or dishonest political spin from the House that Jobs (and co) built. Oh, except they'll be using it to track down and persecute people like Jobs because they are 'complying with the laws of the country.'

    1. Anonymous Coward
      Anonymous Coward

      @Cybersaber - Re: Apple will not bow - riiiight

      Look at what is presently happening to Huawei CFO for not complying with the law of the country. If I'm not mistaking, you can't conduct business within US sphere of influence without complying with US law. Why should Apple, Microsoft, Google or any other US mega corp. not do the same somewhere else ?

      When in Rome, do as the Romans do. Oh, and please stop whining, just comply OK ?

  3. Pascal Monett Silver badge

    "[Apple] complies with the laws in the countries it operates"

    Apple - the friend of dictatorships everywhere.

    1. Ian Mason

      Re: "[Apple] complies with the laws in the countries it operates"

      They really have screwed the pooch on this one, in the breif space of a couple of weeks they have effectively gone from "We're the champions of our customer's privacy" to "Let's face it, we were lying through our teeth and you really should have worked that out".

      I note that they have stopped running their privacy campaign adverts in the UK. I don't know whether this is because they can't bring themselves to continue to tell such a bald faced lie, or whether it's simply that they realise they'd be wasting what they really care about - money.

  4. Denarius Silver badge

    the usual snark ?

    Big business, Big government, same thing, different branch

  5. Andrew Williams

    So… Razer are fixing their installer. But Microsoft are not addressing the open window of an installer being used to hijack the system. I Mahoney quite a few naughty people will be stocking up on the “bad razer” items.

    1. This post has been deleted by its author

    2. ewanm89

      Why? Just get something that can emit any vendor ID and product ID you choose. Hell, you can even do it over RDP via the USB device forwarding :D

  6. elregidente

    Razer went full evil back in about 2013 or so

    I used to swear by Razer mice - and in terms of the hardware, I still do; I think they're amazing to hold and use.

    Then back in something like 2013 or so, Razer jumped the shark.

    The mouse driver, which should just be a driver, became spyware. You needed an *account on the Razer web-site* to use your mouse, the driver spawned an always-on user-mode app with it's icon in the taskbar which you had to have it or you couldn't configure the mouse away from its default settings for DPI and so on, and I recall you had to be on-line or you couldn't log into the app. It also became a living nightmare to install - downloads from the mothership, hundreds of megabytes, install failures which I put down to a complex app being used in the real world, the full evil.

    I bailed at that point.

    This latest outcome where their complex spyware, which blackmails the user into installation by their purchase of the mouse, has security issue, is the least surprising event this year.

    1. Dave K

      Re: Razer went full evil back in about 2013 or so

      There were some workarounds, but generally you are correct. It was possible to bump the Synapse app into "offline" mode, but you had to create an account and sign in first. I think I used a disposable e-mail address for this back when I had a Razer mouse. Still, the app was simply dreadful and being forced to create a Razer account just to control a local peripheral on your computer was sheer madness.

      Either way though, I did the same as yourself and bailed when my previous Razer mouse reached end of life - I blacklisted them and ended up with a Logitech mouse as a replacement instead.

    2. Waseem Alkurdi

      Re: Razer went full evil back in about 2013 or so

      You might like this then: https://github.com/CalcProgrammer1/openrazer-win32

      1. elregidente

        Re: Razer went full evil back in about 2013 or so

        Hmm!

        That is interesting. I'm on Linux, but the OpenRazer project originates there and so it's fine.

        Problem is, it would mean buying a Razer product - giving money to them - and also constantly seeing and using their product, when I'm so horrified by what they do. I don't think that will fly, sadly.

    3. Loyal Commenter Silver badge

      Re: Razer went full evil back in about 2013 or so

      Yup, that's why I bought a Corsair mouse instead.

      Admittedly, their "configuration" software is just as nasty as Razer's, but at least their mice and keyboards work without it running. And continue to work after it crashes.Of course, most importantly, it doesn't require you to create an account and sign in.

      Now, Nvidia, can we have a word about your driver-update crapware...

      1. Mage Silver badge
        Linux

        Re: Razer went full evil back in about 2013 or so

        I buy a Trust mouse (Dutch brand, but made in China) for about €10 in the local shops. When the left click wears out you can't be waiting for the online order. I don't go to a local computer (or related) shop.

    4. ewanm89

      Re: Razer went full evil back in about 2013 or so

      While you may not like the software, the issue here is not Razer's software, it is windows update and microsoft driver certification even allowing this sort of installer.

  7. sitta_europea

    "The bug finder said they had no luck in getting Razer's attention when trying to report these flaws, and after they put a zero-day exploit for the Powershell hole on Twitter, the manufacturer got in touch..."

    About par for the course.

  8. Waseem Alkurdi
    Devil

    Nicely played ...

    ... with the order you've put the two Apple incidents in!

  9. Howard Sway Silver badge

    you can gain admin privileges on Windows by plugging in one of the gaming gear maker's mice

    Once I'd stopped laughing, it struck me yet again that this isn't really the fault of the mouse maker, and more the fault of the operating system.

    I've no idea what this mouse does that's so amazing that it needs such privileges and needs to download its own super special software in order to function, but it would still be a ridiculous idea whatever it is. Also, once you have the admin privileges, you can of course make yourself an administrator, although you'd be deeply stupid to do so if you ran any kind of risk for having done it.

    1. ewanm89

      Re: you can gain admin privileges on Windows by plugging in one of the gaming gear maker's mice

      It is absolutely primarily a Microsoft issue not a Razer one.

      1. Mage Silver badge
        Windows

        Re: absolutely primarily a Microsoft issue

        Since USB was added to a later release of Win 95 and then Win 2K. NT 4.0 didn't officially have USB and neither did initial Win95 release. HID is a problem.

        I've no idea what the Mac OS and Linux do when a USB HID device is plugged in. This might be a problem for ANYTHING.

  10. Chris the bean counter

    DDoS Cloudflare

    Does Cloudflare notify the ISPs hosting the hacked IoTs so the bots can be blocked/rectified ?

    I assume not so easy and might be collateral damage, although no doubt able to mitigate.

    A cycnic would say not in Cloudflares interests to actually do that, but I expect long term it is as an extra service that can be charged for.

  11. fidodogbreath Silver badge
    FAIL

    Both of these cannot be true

    Apple has said it will not bow to demands to add non-CSAM images to its database.

    Apple complies with Beijing's demands and censors some content in China, saying it complies with the laws in the countries it operates.

    So, when countries inevitably pass (or decree) laws requiring Apple to add non-CSAM images to its database, Apple will NOT comply with the laws in the countries it operates?

  12. Mage Silver badge
    Devil

    USB HID

    Variations of this are well known.

    HID devices silently install, or at most there is an alert USB Mouse/keyboard etc installed.

    Security experts (and I) have been saying for YEARS that the design of USB-HID protocol (used for keyboards, mice, touch pads,. graphics tablets and maybe joysticks) is a disaster as it lets an evil mouse gift sent to Finance Director install stuff to capture everything. Hence a Lenovo min PC box recently has no USB. It has PS/2 ports for mouse and keyboard.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like

Biting the hand that feeds IT © 1998–2022