Just when you thought things couldn’t get much worse for Windows 10 users after a miserable few weeks of security issues from PrintNightmare through to SeriousSAM and even a potential Windows Hello facial recognition bypass, they only went and did.
A security researcher was so fed up with being ignored when reporting a shockingly simple hack that could give any user admin rights on a Windows 10 computer that he tweeted the zero-day exploit. A tweet that quickly went viral.
Annoyed security researcher discovers simple Windows 10 zero-day
I spoke with the security researcher, who only wants to be known by the Twitter handle of j0nh4t, who told me how the hack came to light. “I noticed the Razer Synapse installer was bundled with ‘driver’ installs via Windows Update” while using the mouse, j0nh4t says. “I was annoyed by this behavior and decided to take a deeper look.” Unfortunately, what that look revealed was an issue that’s shockingly trivial to exploit.
Need local admin and have physical access?
– Plug a Razer mouse (or the dongle)
– Windows Update will download and execute RazerInstaller as SYSTEM
– Abuse elevated Explorer to open Powershell with Shift+Right click
Tried contacting @Razer, but no answers. So here's a freebie pic.twitter.com/xDkl87RCmz
— jonhat (@j0nh4t) August 21, 2021
All it took for anyone to exploit this vulnerability was to plug in a Razer mouse, or the dongle it uses, and then Shift+right-click inside the Explorer window that Windows Update opens to choose a driver location, which offers to open a PowerShell window with full SYSTEM, or admin if you prefer, rights. And it got worse, as an attacker would also be able to use the hack to save a service binary that could be “hijacked for persistence” and executed during the boot process, before the user even logs on.
“I think Microsoft should take a look in the mirror on how they manage ‘driver’ updates,” j0nh4t says, whilst appreciating the fine line of balancing user experience and usability involved. “Should Windows Update solely provide drivers so the device works at a minimum level and the user goes out of their way to download additional software?” the researcher says, adding that “this is a somewhat dangerous and interesting attack vector.”
I reached out to Microsoft regarding the privilege escalation issue, and a spokesperson told me, “We are aware of recent reports, and we are investigating the issue. While this issue requires physical access to a targeted device, we will take any necessary steps to help protect customers.”
The exploit elephant in the Razer hack room
Ah, the physical access elephant in the exploit room. This does, of course, take the criticality of the vulnerability, the ability for an attacker to execute the hack, down a level or three. Even j0nh4t admits as much, telling me, “I honestly thought from an exploit coolness level that this was kind of lame. It is reasonable to assume that if you have physical access, you can get admin privileges in one way or another.”
However, a friend of Straight Talking Cyber, Mike Grover of OMG cable fame, warns that “the OMG Cable adds the implication that an attacker doesn’t need to be physically present.” Having found that by spoofing a vulnerable device USB ID, the cable can be used to exploit the flaw, Grover says, “so long as they have a way to let a USB cable slip into the target location,” then it’s game back on.
What’s more, Grover has warned that there are “tons of devices” that may be vulnerable and thus lead to the same potential Windows 10 hacking outcome. How many are tons? “We have a list of around 2,500 possible devices,” Grover has confirmed and suggests these can be tested using an OMG cable or trusted USB device emulator and penetration testing tool BashBunny.
Indeed, Grover says that even when Razer modifies its installer to mitigate the exploit, “it’s still fundamentally a Windows issue for allowing it,” and so the threat will remain.
Security researchers are already exploring more devices to see which are vulnerable (photo: Davey Winder)
Another researcher, Lawrence Amer, writing at 0xsp, has already revealed a similar privilege escalation vulnerability with a SteelSeries gaming keyboard, for example. It would appear that the Danish manufacturer has already responded by making changes to how the installation software works.
Razer responds quickly to the viral hack threat
I spoke to Razer as the initial j0nh4t tweet started going viral on a Sunday, and a spokesperson was quick to engage. “We have investigated the issue, are currently making changes to the installation application to limit this use case, and will release an updated version shortly,” I was told.
However, the spokesperson also said that “the use of our software (including the installation application) does not provide unauthorized third-party access to the machine.” This would seem like a semantics stretch to me, as surely that’s precisely what this exploit enables. “I think my proof-of-concept video speaks for itself,” j0nh4t says.
j0nh4t offered a bounty by Razer
Where Razer was not as quick to engage, though, was in the initial reporting of the vulnerability by the researcher. “I initially reported this via their security vulnerability reporting form and within the Synapse app as a bug report,” j0nh4t says, “I received nothing from these reports.” That all changed after the zero-day tweet started going viral. Within a few hours, not only had j0nh4t been contacted by Razer, confirming both his report and that a fix was now being developed, but also offering a bug bounty reward for good measure. Although j0nh4t doesn’t feel comfortable disclosing the amount of the bounty, the researcher told me that it is in line with similar vulnerabilities, “maybe on the higher end.”
J0nh4t was also somewhat uncomfortable with the fact that other researchers had also apparently reported this vulnerability, or similar ones, previously and had no response from Razer. “I just got lucky as this gained attention; my exploit is not necessarily any better than anyone else’s.”
One of these other researchers has tweeted that when reporting the issue for a second time, to Razer support, he eventually gave up as he was asked for not only contact information but also serial numbers and a photo of proof of purchase to investigate further.
I asked Razer about this, and a spokesperson told me that “we are committed to ensuring the digital safety and security of all our systems and services, and should you come across any potential lapses, we encourage you to report them through our bug bounty service, Inspectiv.”
On the specific reporting issues, the spokesperson says “we have identified these support tickets and are reaching out to the researchers directly. We are also revisiting our internal processes and ways to contact us in order to report vulnerabilities.”
Mitigation is all about trust
So, what about mitigation advice? What should worried Windows 10 users be doing in order to avoid falling victim to this shockingly simple new hacking exploit?
Unfortunately, there isn’t much mitigation for consumers beyond making sure you have the latest installers for any peripherals on the assumption that vendors will be looking to close this security hole. Well, that, and being careful in who you trust with physical access to your Windows 10 devices. There’s a good reason that most anyone involved in the security industry will tell you it’s as good as game over if an attacker has physical access to your machine. Unfortunately, this exploit is just one of the hundreds that could be executed in such circumstances.
For the business user, Saryu Nayyar, CEO at Gurucul, says, “an analytics-driven cybersecurity approach is likely to find this when it occurs through the system and network log files and can flag security professionals to investigate the offending computer.” Otherwise, she warns, “it can wreak havoc on the entire network.”
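One concrete form of the log-based detection Nayyar describes, written here as an added example rather than code from the article or from any vendor: the chain in the tweet is an installer running as SYSTEM, an explorer.exe running as SYSTEM (Explorer normally runs as the logged-on user), and an interactive shell whose parent is that SYSTEM-owned Explorer. The script assumes process-creation events have already been exported as JSON lines with the fields time, user, image and parent_image (constructed field names that only loosely mirror Windows 4688 / Sysmon process-creation records); the sample log, paths and account names are made up.

```python
"""Flag a SYSTEM-owned explorer.exe, and any shell spawned from it, in
process-creation logs. Added example; field names and sample data are
constructed, not taken from any real product or the article."""

import json
from dataclasses import dataclass

SYSTEM_ACCOUNT = "NT AUTHORITY\\SYSTEM"

# Interactive shells that should never be children of a SYSTEM-owned explorer.exe.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


@dataclass
class Finding:
    event_time: str
    rule: str
    image: str
    parent_image: str
    user: str


def _basename(path):
    """Lower-cased file name from a Windows (or forward-slash) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate_event(ev):
    """Return a Finding for one process-creation event, or None if benign."""
    user = ev.get("user", "")
    image = _basename(ev.get("image", ""))
    parent = _basename(ev.get("parent_image", ""))
    if user != SYSTEM_ACCOUNT:
        return None  # Explorer and shells under a normal user account are expected
    if image == "explorer.exe":
        # Explorer runs as the logged-on user; as SYSTEM it is the elevated
        # file dialog the article describes.
        return Finding(ev["time"], "explorer_as_system", image, parent, user)
    if image in SHELLS and parent == "explorer.exe":
        return Finding(ev["time"], "shell_from_system_explorer", image, parent, user)
    return None


def scan(lines):
    """Run evaluate_event over JSON-lines input, skipping blank lines."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        finding = evaluate_event(json.loads(line))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample log (JSON lines). The last two records are a normal user's
# Explorer and PowerShell and must not be flagged.
SAMPLE_LOG = """
{"time":"2021-08-22T10:00:01Z","user":"NT AUTHORITY\\\\SYSTEM","image":"C:\\\\Windows\\\\System32\\\\svchost.exe","parent_image":"C:\\\\Windows\\\\System32\\\\services.exe"}
{"time":"2021-08-22T10:00:05Z","user":"NT AUTHORITY\\\\SYSTEM","image":"C:\\\\Windows\\\\Temp\\\\RazerInstaller.exe","parent_image":"C:\\\\Windows\\\\System32\\\\svchost.exe"}
{"time":"2021-08-22T10:00:09Z","user":"NT AUTHORITY\\\\SYSTEM","image":"C:\\\\Windows\\\\explorer.exe","parent_image":"C:\\\\Windows\\\\Temp\\\\RazerInstaller.exe"}
{"time":"2021-08-22T10:00:15Z","user":"NT AUTHORITY\\\\SYSTEM","image":"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe","parent_image":"C:\\\\Windows\\\\explorer.exe"}
{"time":"2021-08-22T10:01:00Z","user":"DESKTOP-1\\\\alice","image":"C:\\\\Windows\\\\explorer.exe","parent_image":"C:\\\\Windows\\\\System32\\\\userinit.exe"}
{"time":"2021-08-22T10:01:30Z","user":"DESKTOP-1\\\\alice","image":"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe","parent_image":"C:\\\\Windows\\\\explorer.exe"}
"""


def demo():
    """Scan the constructed sample; returns the two findings for the SYSTEM chain."""
    return scan(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for f in demo():
        print(f"{f.event_time} {f.rule}: {f.image} <- {f.parent_image} as {f.user}")
```

The two rules deliberately key on the account rather than on the Razer installer's name, so the same check covers the SteelSeries case and any of the other installers Grover expects to behave the same way; a real deployment would feed it the SIEM's process-creation stream instead of the inline sample.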