On August 21st, 2021, security researcher @j0nh4t tweeted the discovery of a vulnerability in the Razer Synapse software that allows local privilege escalation on fully patched Windows 10 systems.
I first came across this in Bleeping Computer’s coverage and decided to reproduce the vulnerability myself. This was documented on my YouTube channel:
The vulnerability works like this (as demonstrated in the video):
- Plug in a compatible Razer device. I used the Death Adder Elite (RZ01-0201) to reproduce the bug. I also tried an older model, the Death Adder 2013, however this did not work because it is not compatible with the Razer Synapse 3 software.
- Windows will check the device ID against it’s database of devices and use Windows Update to automatically download the driver. The driver comes bundled with the Razer Synapse 3 software, and starts installing it automatically.
- Because Windows installs drivers as SYSTEM (the built-in super administrator account), the Synapse software is also installed as system. This isn’t a silent installer, it’s an interactive installer.
- The installer allows users to select a location to install the software to. In doing so, an interactive, fully functional Windows File Explorer window is presented to the user.
- The user holds down SHIFT and right clicks within the Explorer window. A context menu appears, and includes the option ‘Open PowerShell window here’.
- Selecting this option opens a PowerShell prompt running as SYSTEM.
As many, including myself, speculated, this vulnerability is likely present in many other instances where Windows Update will automatically launch a software application that comes bundled with device drivers. In fact, it took only days for users to report the same bug for Steel Series devices (credit to Lawrence Amer).
Another way of exploiting this is to spoof device ID’s and trick Windows into downloading drivers for devices that haven’t even been plugged in. This is demonstrated by researcher István Tóth, who published a script called USB Gadget Generator Tool. As far as I can tell, a rooted Android device is required. After plugging in the phone to a computer’s USB port, the script can be run on the phone to spoof certain Hardware ID’s including Razer and SteelSeries devices.
SteelSeries have acknowledged the vulnerability and have promised to release a fix. As far as I can tell, SteelSeries plan on changing the driver so that it is no longer bundled with the offending software. István Tóth that the exploit would still be possible by leveraging a DNS poisoning attack to server the old driver. I’m interested in testing out both the Gadget Generator Tool and the DNS poisoning attack and publishing my findings.
|Vulnerability Type||Local Privilege Escalation|
|Discovery Date||21 August 2021|
|CVSS 3.1 Base Score||7.2|
|CVSS 3.1 Temporal Score||7.2|
|STRIDE-LM Threat Model||Elevation of Privilege|
|MITRE ATT&CK||T1200 – Hardware Additions
T1548 – Abuse Elevation Control Mechanism
Detection with Splunk
To detect this, we want to watch for any programs, processes, or executables bring launched as child processes of the RazerInstaller.exe process.
Sysmon logs are required for this to work. Follow this guide to install Sysmon on your system with the SwiftOnSecurity configuration.
The Splunk Add-on for Sysmon must be installed on the Windows systems that you are monitoring (Splunk Universal Forwarder) and on the Splunk Search Head.
Splunk Processing Language
index=winsysmon source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational parent_process_path IN ("*RazerInstaller.exe", "*SteelSeries*.exe") | fields _time host user signature process_path process_guid parent_process_path parent_process_guid | eval matchfield = process_guid | join type=outer matchfield host [ search index=winsysmon source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational | rename process_guid AS end_process_guid process_path AS end_process_path parent_process_guid AS end_parent_process_guid parent_process_path AS end_parent_process_path | fields host end_process_guid end_process_path end_parent_process_guid | eval matchfield = end_parent_process_guid ] | table _time host user signature parent_process_path process_path end_process_path