Zero-Day Bug in Razer Software Leads to Admin Privileges in Minutes

A security researcher has discovered a zero-day bug in Razer Synapse software, which is automatically installed with Razer’s mouse or keyboards when connected to Windows 10 or 11 PCs.

This system privilege bug lets an attacker with physical access to the system gain administrative privileges and take over the system. Razer acknowledged the bug and said it’s preparing a fix for it.

Zero-day Bug in Razer Software

Razer is a popular peripherals brand among gamers, specialized in making gaming mice and keyboards. Any of this hardware connected to the system for the first time will automatically install software called Synapse.

Razer’s Synapse software will allow the devices to configure the setup, set up macros and map buttons. As this is essential, it happens automatically in Windows 10 and Windows 11 when plugged in.

But, there’s a catch, as discovered by jonhat – a security researcher. After getting no response from Razer through a private disclosure, he released the details of this zero-day bug along with a short video on how it works.

Need local admin and have physical access?
– Plug a Razer mouse (or the dongle)
– Windows Update will download and execute RazerInstaller as SYSTEM
– Abuse elevated Explorer to open Powershell with Shift+Right click

Tried contacting @Razer, but no answers. So here's a freebie pic.twitter.com/xDkl87RCmz

— jonhat (@j0nh4t) August 21, 2021

This led the news to go viral, and Razer came up with a statement that it’s preparing a fix for this issue. Also, it will be rewarding the security researcher through a bug bounty program, even though it’s made public now.

An average Razer mouse is available for around $20 on Amazon, and it is easy to exploit the said bug with this. After plugging in the mouse and downloading the Synapse software automatically, it will ask for a location to install the executable.

The problem triggers when you change the folder to select somewhere else, and Shift+ right-click on the “Choose a Folder” dialogue box. This opens the menu with the “Open PowerShell window here” option, and clicking on it will open the PowerShell.

Since PowerShell opens with admin (system) privileges by default, all the processes conducted from there on will be done with system privileges. While it’s easy to escalate privileges in minutes with this bug, it still needs physical access to the system to do so.