Razer bug lets you become a Windows 10 admin by plugging in a mouse (bleepingcomputer.com)
389 points by giuliomagnifico on Aug 23, 2021 | 166 comments



I was asking, "How can a Razer bug let you break into Windows? Is it a Razer device driver?" Yes. I'll just quote jonhat's tweet from the article:

  Need local admin and have physical access?
  - Plug a Razer mouse (or the dongle)
  - Windows Update will download and execute RazerInstaller as SYSTEM
  - Abuse elevated Explorer to open Powershell with Shift+Right click
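The chain quoted above (Windows Update runs the installer as SYSTEM, the installer's folder dialog gives you an elevated explorer.exe, and explorer spawns PowerShell) is what a defender would want to detect in process-creation telemetry. The following is an added example, not code from the thread or from Razer or Microsoft: it runs a process-tree heuristic over constructed process-creation records (the fields a Sysmon Event ID 1 or EDR record would carry; the pids, image names and account string are made up for the demo).

```python
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional

SYSTEM_ACCOUNT = "nt authority\\system"
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
INSTALLER_HINTS = ("installer", "setup")


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (constructed; mirrors the fields that
    Sysmon Event ID 1 or EDR process telemetry would carry)."""
    pid: int
    ppid: int
    image: str   # image file name, lower-cased
    user: str    # account the new process runs as, lower-cased


@dataclass(frozen=True)
class Finding:
    shell_pid: int
    chain: List[str]           # image names, oldest recognised ancestor first
    installer: Optional[str]   # the SYSTEM installer in the chain, if recognised


def index_by_pid(events: List[ProcEvent]) -> Dict[int, ProcEvent]:
    return {e.pid: e for e in events}


def ancestors(by_pid: Dict[int, ProcEvent], ev: ProcEvent) -> Iterator[ProcEvent]:
    """Walk parent links upward; stop at the root, a missing record or a cycle."""
    seen = set()
    cur = by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        yield cur
        cur = by_pid.get(cur.ppid)


def find_escalation_chains(events: List[ProcEvent]) -> List[Finding]:
    """Heuristic for the pattern in the thread: a shell running as SYSTEM whose
    parent is an explorer.exe that is itself running as SYSTEM.  explorer.exe
    normally runs as the interactive user, so a SYSTEM instance spawning a
    shell is the anomaly; the installer ancestor is reported when recognised."""
    by_pid = index_by_pid(events)
    findings: List[Finding] = []
    for ev in events:
        if ev.image not in SHELLS or ev.user != SYSTEM_ACCOUNT:
            continue
        parent = by_pid.get(ev.ppid)
        if parent is None or parent.image != "explorer.exe" or parent.user != SYSTEM_ACCOUNT:
            continue
        chain = [ev.image, parent.image]
        installer = None
        for anc in ancestors(by_pid, parent):
            if anc.user != SYSTEM_ACCOUNT:
                break                      # chain left SYSTEM context; stop
            chain.append(anc.image)
            if any(hint in anc.image for hint in INSTALLER_HINTS):
                installer = anc.image      # e.g. the installer Windows Update launched
                break
        chain.reverse()
        findings.append(Finding(ev.pid, chain, installer))
    return findings


# Constructed telemetry: one malicious chain, plus benign look-alikes.
SAMPLE_EVENTS = [
    ProcEvent(600, 4, "wininit.exe", SYSTEM_ACCOUNT),
    ProcEvent(700, 4, "winlogon.exe", SYSTEM_ACCOUNT),
    ProcEvent(900, 600, "services.exe", SYSTEM_ACCOUNT),
    ProcEvent(1200, 900, "svchost.exe", SYSTEM_ACCOUNT),         # Windows Update service host
    ProcEvent(1300, 1200, "razerinstaller.exe", SYSTEM_ACCOUNT), # installer run on device plug-in
    ProcEvent(1400, 1300, "explorer.exe", SYSTEM_ACCOUNT),       # "choose folder" dialog, elevated
    ProcEvent(1500, 1400, "powershell.exe", SYSTEM_ACCOUNT),     # shell opened from that dialog
    ProcEvent(2000, 700, "explorer.exe", "desk\\alice"),         # normal desktop shell
    ProcEvent(2100, 2000, "powershell.exe", "desk\\alice"),      # user's own shell: benign
    ProcEvent(2200, 1200, "powershell.exe", SYSTEM_ACCOUNT),     # SYSTEM shell, parent not explorer
]


if __name__ == "__main__":
    for f in find_escalation_chains(SAMPLE_EVENTS):
        print(f"pid {f.shell_pid}: {' -> '.join(f.chain)} (installer: {f.installer})")
```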


Wow. That's a Windows 98 level of "school kid" privilege escalation bug...



Hah, I like that one. The other classic is Right Click -> New -> Shortcut -> cmd.exe in an explorer "open" window, typically one in an otherwise very locked-down environment.

This recently got me service access on an old (but new in 2009!) ultrasound machine, for example, for getting raw data and DICOM images off in a hurry when the proper authentication details were lost...


> ultrasound machine

The real boss move was navigating a machine with a UI that involved a trackball, keyboard, touch screen(s), touch pad, weird array of custom buttons and a truly stupid menu system.

Configuring US machines is horrible.

But my major US machine rant is them burning metadata into the images (rather than displaying DICOM tags as an overlay). It is beyond ridiculous.


Exactly! MR ("my" modality) has it right -- raw data and reconned images are very, very different and although most raw data never ends up in a dicom the mere fact that you genuinely could reconstruct dramatically different bits of info (e.g. magnitude vs phase images) means that the vast expanse of the dicom spec is wide enough to encompass all possible metadata requirements.

US machines do a lot of fun physics on proprietary FPGAs. For inexplicable reasons, every one I've ever worked with or done echo with saves the images as some variation on a theme of screenshots, shoehorned badly into a dicom wrapper, with the metadata burned at 640x480 px (or similar) on top. Even for clever derived modes like doppler -- even for annotations showing things like cardiac E/E' or E/A. They are laptops with a custom pcmcia / pcie card and a 100k-UNIT_OF_CURRENCY price tag, inevitably running a shitty OS with a shittier custom UI...


MRI is my modality of choice too. I’m currently loving most of what Siemens is up to (with some notable exceptions).

The hell of US knows no bounds. Most modalities calibrate a display and then display images (with varying degrees of post processing). US calibrates the screen, sometimes with each boot or even each probe change. Their black levels are abysmal.

> saves the images as some variation on a theme of screenshots

GE has a habit of making DICOMs from screen grabs. I’ve seen it on their PET, CT and MR systems. It causes irritating problems - like reference lines won’t work so you can’t cross reference.


Ophcrack works too, at least if the underlying machine still runs Windows XP: https://en.wikipedia.org/wiki/Ophcrack


Wow! What a trip down memory lane. I actually remember figuring this one out when I was... dating myself here [1], about 7 years old. I really wanted to play my Thinking Things Collection 3. [2]

When I inevitably got caught I remember my dad let me have my own user, but put some sort of further time-restriction software on the PC, no idea what it was, but I figured out that if I timed Ctrl-Alt-Delete at just the right time during the start cycle, I could, if I worked fast enough, end the process before it locked me out of login. XD

Oh to be a 90s kid.

[1] to be fair though we didn't update Windows immediately on release and never had '98.

[2] https://www.myabandonware.com/game/thinkin-things-collection...


I remember our school administrator used to delete all our silly images we'd made with paint on the school PCs. We asked why but never got a good answer.

I figured out that putting a certain character in front of a file name made it not show up in explorer. So I did that to a folder in my home directory and put all my stuff there, accessing them from the command line instead. Never had them deleted, again.


My mother would just unplug the keyboard and take it away. She underestimated my ability to navigate Windows 98 and play AoE I using only the mouse...


That's impressive


Apart from the security issue, it's really annoying, too. Say you refuse to install the Razer device driver - after all the mouse will largely work fine without it thanks to HID. Every time you plug the mouse in, Windows re-runs the driver installer.


Corsair has something similar called "iCue". Even if you don't bother installing it, the default Windows driver pops up an advertisement for it: https://imgur.com/0fKRYLT (as discussed at https://old.reddit.com/r/pcmasterrace/comments/9ws0qi/corsai...)

Similarly, I've had Windows 10 spam me about a paid subscription for Dolby Atmos.

This is just one of several reasons that I don't use Windows anymore.


I just got a Razer Kiyo webcam, excellent stuff, but I had to open regedit to get it to stop asking me if I want to install additional software every time I plugged it in or rebooted.

It works fine without it, but whoever programmed this thing has never heard of a "No, and Don't Ask Me Again" Button.

In regedit, F3 for razerinstaller and add a DWORD key "Start" with value "4" .

Yea that's how far they went XD


How often do you re-plug your mouse?


Possibly multiple times a day if they're using a laptop dock


Physically? Basically never. Practically? Dozens of times a day as I machine hop using my USB hub in my monitor.


Is this issue the equivalent of setuid (4701) on an executable owned by root in Linux?

What's the easiest way to scan the whole Windows file system for directories with this issue?


> What's the easiest way to scan the whole Windows file system for directories with this issue?

    tree c:\ /f > prn
Source: https://docs.microsoft.com/en-us/windows-server/administrati...


(It wouldn't help to scan the filesystem, since the way the vulnerability works is that the driver will be automatically downloaded and run when a peripheral's plugged in.)


This was exactly how I was able to break out of an unprivileged user account in Windows XP, except it involved setting a timer with `at`


Recently my son has been using / installing lots of gaming peripherals and software for them, and I have to say that I have not seen this much crapware bullshit since Windows XP (with no Service Pack).

If you want to set up the LED lights for your fans - you must install this crap; if you want to customize your mouse somehow - install this other crap. The same companies have not one, but two software suites that manage different peripherals.

Razer is the worst of these. Asus ROG takes second place.


I recently picked up a new mouse and was shocked by how much of a problem this has become.

For RGB controls check out https://openrgb.org/.

The UI is pretty bad but once you figure it out it works great otherwise.

As an aside, are there any peripheral brands that are known for minimalist drivers etc.?


My Glorious Model D and Model O mice work perfectly fine with the normal HID driver. I suppose there's an app for RGB control and changing the DPI settings, but the defaults are fine for me. It doesn't attempt to download anything when I plug it in.


I’m just going by the screenshot on the website, but I think the UI looks fine just the way it is.


Or my personal favorite: The old tool that did exactly what you wanted, didn't need to start with the system, and didn't require login gets 'upgraded' to a more intrusive new version that has 1/10th as many features and doesn't work right anymore.


The windows 10 settings app takes personal offense to this comment


<Start Key> Control Panel

"What are you crying for, Windows 10 piece of shit settings app that doesn't understand how to let me control individual sound devices the way I want?"


i have a shortcut on the lower-right of my desktop called "real windoze sound settings" (linking, of course, to the actually useful windows sound settings) for exactly this purpose xD


You need EarTrumpet! It replaces the janky windows 10 sound thing with a more modern (and actually useful) one. There's also a registry hack to just enable the old one that opens mixer, if you'd like.


I had to install software to turn off the lights on my CPU cooler (wraith prism included with an AMD CPU) - it's ridiculous.


Oh god, that's just the worst. My laptop defaults to maximally bright blue lights for the keyboard whenever it's turned on. Had to keep Windows 10 installed just so I could turn that shit off via proprietary manufacturer crapware that takes one minute to even get an unresponsive interface on the screen. Pissed me off so much I reverse engineered it into a Linux program that does it instantly.

Seriously what are these manufacturers thinking? It's like they go out of their way to make things as bad as possible.


If you're exclusively running Linux, you actually can't turn off the lights on a GTX3000-Series card :c


I'd just open up the card and unplug the cable to the lights. It's not a bad idea to open up the card to reapply thermal paste/pads anyway if you're hitting the card hard, a lot of manufacturers don't do a great job with heatsink contact, thermal paste quality, or both. On the lower tier cards in their product stack half the time there won't even be thermal pads on the vrm or memory chips. And recently I saw a post where powercolor forgot to remove the tape from the thermal pads at the factory [0]. And no, in most countries they can't void your warranty for opening it up.

[0] https://www.reddit.com/r/Amd/comments/oyu1j6/thanks_powercol...


I had been meaning to google how to do that... thanks for saving me the time :(


Why? Not even with proprietary nvidia drivers? If it's using a proprietary interface I'd expect those to be reverse engineered for such a major product.


Does that mean you have to temporarily install Windows or plug it into a PC with Windows, turn off the lights, and then go about your day with Linux?


I had to install drivers from the Arch User Repository to turn off the lights on a Razer keyboard. It still stays lit and in color-cycle mode unless it's plugged in directly to a USB port on the laptop.


Same for me and my GPU!


Yes, and it is extremely aggravating! It's always some incredibly shitty proprietary software with a bloated gamer interface that takes seconds if not minutes to even start up.

My laptop came with this crapware too and it pissed me off so much I reverse engineered it into a simple free software program that turns all the stupid lights off instantly.

Turns out all these shitty apps do is send a bunch of USB configuration packets which were easy enough to figure out with wireshark. The Razer products do the same thing, open source code is already out there. Sometimes they use convoluted interfaces like I2C and ACPI/WMI. Haven't had luck with these.


> Razer is the worst of these.

Given Razer's general shenanigans, such as tracking mouse and keyboard behavior and sending it to their cloud (without which, by the way, much of their new hardware simply won't work), their unintentional breaches of security pale in comparison to their deliberate breaches of privacy.


You should give the Gigabyte software a spin. It’s really bad.


The actual problem here is that Microsoft allows OEMs to install user space programs via their drivers, which are installed automatically without user intervention using Windows Update. This is unacceptable. Microsoft should only accept kernel mode drivers. If users want user space tools they can find them in the OEM website.


Uhm. If you can't trust them to write a user-mode program without messing up security this badly, you absolutely can't trust them to write a kernel-mode driver without completely screwing everything up. Not to mention one that is automatically downloaded and installed whenever something shows up claiming to be a particular vendor/product ID!


It has nothing to do with 'trusting them' and everything to do with the threat model because it significantly increases the attack surface area.

Just because I want to grant system access to a relatively simple USB driver doesn't mean I want to grant the same access to a 150MB UI app.


I think the OP's point is that any malicious code residing in the USB driver has access to a much larger attack surface in kernel space than the UI app running in userspace.

If I were attacking the system along this vector, my exploit would sit in the USB driver, not the UI code.


Same. Was wondering when the conversation would get around to this.

You could take advantage of being SYSTEM much earlier along this cycle and still take control of the computer. This is actually a very nasty bug in how arbitrary code can be run at SYSTEM level when inserting a usb device.


This isn't about malicious code in the drivers.

And once malicious code is in kernel space it wouldn't even need access to an attack surface.


I expect the developers who write the kernel mode drivers to be much more competent and senior than those who write the flashy, slow GUIs that come with them. Yes, naive assumption, but still!


Speaking as someone who worked at major software companies, on projects which included multiple kernel drivers:

You are sorely mistaken.


I would say that the higher you get up the privilege level tree, the worse the software becomes. The people writing legacy BIOS extensions are the absolute bottom of the barrel.


In modern software development, this is usually a task for the junior engineer as it's code the client never sees. Only in specific industries where the client is also highly technical (e.g. a data-acquisition component in an instrument) where the quality of the low-level code matters, would it be someone senior. In those cases, it usually matters a lot more than the UI.


I wish that were the case—I also wish it were the case that “senior” meant “competent.” Judging by the number of device drivers I’ve had cause serious problems, especially with consumer gaming hardware (as is the case here), I don’t think it’s safe to make any assumptions about the quality of drivers.

For anyone else reading this who’s feeling smug because they would never buy such a device: you don’t need to; only the attacker needs to. Windows will happily download and install the drivers automatically the first time the device is plugged in.


It's also not about seniority or competence. Writing kernel mode drivers is being given the task of juggling running chainsaws with real chains while on a balancing board. "Success" is declared when you're able to do this in a lab without there being an issue, ignoring the fact that in the real world there are dodgeballs being thrown at you. Also, no one I've ever worked with writing them has ever wanted to maintain & improve the quality of the drivers they wrote - they wanted to move on to "interesting" work as quickly as possible. This includes myself. The work isn't interesting, fun & usually not important to the business.

In this case, why does a mouse driver need to live in the kernel in the first place? Microsoft should be improving the HID layer to make that unnecessary.


They don't even need to buy the device, they just need something presenting that PID/VID.

For a $2 example, see: https://github.com/chris408/digispark-usbkey-board (PID/VID set here: https://github.com/chris408/digispark-usbkey-board/blob/6f0a...). And yes, it can be much, much smaller than this.


Exhibit A: Turing-complete font hinting language evaluated in kernel mode. Found to be exploitable.

https://googleprojectzero.blogspot.com/2015/07/one-font-vuln...


Not at all. The only thing going in favor of the kernel mode drivers is that they have to pass Microsoft's approval process.


I still don't get why companies who design hardware are so poor at writing drivers/supporting software. They design and test hardware, because recalls are expensive, but somehow feel like shipping shitty software is just fine.

Why is it so hard to prioritise good drivers? Or is it just impossible to hire good driver developers?


Well there's 1) the businesses that sell hardware are run by people whose expertise is hardware, not software, and 2) the type of people who have the right combination of skills and inclination to write drivers are rare but also can earn a lot more doing other types of software (hardware margins aren't all that high compared to software).


> you absolutely can't trust them to write a kernel-mode driver without completely screwing everything up

Absolutely. The overwhelming majority of hardware companies are not competent enough to write drivers of any kind. They're not even competent enough to write user space software. They treat software as a cost center. To them software's just wasted money, to be made as cheaply as possible and only because they have to.

Linux kernel is great as a litmus test. If a company can't get a driver into the kernel it shouldn't be trusted with writing drivers of any kind.


The driver is generally written by people whose task is to get the device to work; the development of the application is driven by concerns with UX trendiness, brand management, marketing, telemetry, etc.


This seems to work for Linux kernel just fine when every pull request is audited.


This is Windows where kernel drivers are proprietary and written by random companies that do not care about anything but shipping things. The same company that messed up completely in usermode.


Would be an interesting step, if Microsoft would only allow open source drivers into Windows Update.

There could be another option: If you want to ship it without exposing the source, you need your drivers vetted by some third party that has access to the code.


I think you're conflating two separate things here.

The major difference between user mode programs and kernel mode programs is security and stability (at least in this context). Things in kernel mode have basically no restrictions on what they can do, from a security sense. Things in kernel mode can also crash the thing they're part of: the kernel. That's a blue screen (or cyan, now). One of the reasons those blue screens are so much less common is that Microsoft really pushes OEMs to make userspace drivers. If they die, they just get restarted, no need to crash the whole OS.

The other issue is of installing user-facing utilities alongside the driver. That needs to stop. It's orthogonal to the kernel vs user mode issue though, because Razer can make their UI run in kernel mode. It's a horrible, terrible idea that no one will enjoy, but they can. And really, we want the drivers to run in user space too if we can.


While what you're saying would be nice, I think if this were to be enforced then it would end up going like the nvidia control panel. You install your drivers and if you want access to the nvidia control panel then you have to install them from the Microsoft Store.


That would be fine for me. I don't want or need the control panel for the most part. Just like do the driving please, thanks.


I disagree. I want the tools to be installed. Maybe you could have it behave differently for non-admin.


This is more a Windows bug. Bad enough for Razer customers, but it affects all Windows users.

Windows should not install random drivers from the Internet when a non-admin user is logged in.


Well, no. It's a Razer bug. Razer wrote the software. They wrote it to run as admin when you plug a new device in. They wrote it to launch a browser (!!!) under user control. Those are all Razer mistakes, Microsoft didn't do that.

Now, it's true that MS has a flawed architecture here. But it's not inherently so as I see it. Third party devices do need automatic driver install of some form. Drivers do need elevated privileges. Microsoft's model was that they'd audit and authenticate the software through the WHQL process. And it turns out that let a really glaring hole through.

But the problem is just really, really hard. If you want third party driver software to run on your system (and not all vendors want that: iOS has nothing of the sort, obviously, and Linux vendors ship all the drivers themselves) then you need to be prepared to do a ton of work ensuring it's safe.


>Microsoft's model was that they'd audit and authenticate the software through the WHQL process. And it turns out that let a really glaring hole through.

Not to let Razer off the hook here, because they're responsible as well, but in doing as you've described here, Microsoft have willingly placed the onus for security on themselves.

>Linux vendors ship all the drivers themselves

Not all of them. Nvidia is a famous exception to this. If you want to install their drivers, I don't know of a Linux distro that will allow you to without root privilege.


To be clear: there are obviously lots of third party Linux drivers out there. But they're delivered, installed and supported by that third party. Security of the NVIDIA driver is NVIDIA's job, and no one is surprised. And as a result, you need to run a tool as the root user and elevate the privilege level yourself to get it installed.

Now, that user experience broadly sucks vs. plugging the same PCIe card into a Windows box and booting it up to get an automatically installed driver. But it's not subject to the same security problems either, which was my point.


There's a difference, though. Microsoft's Windows Update driver installer does not require launching executables; it never has in the past, it simply got the inf and supporting files and put them in the system's driver location. Now they're automatically running executable code that Microsoft isn't verifying as an Administrator. Yes, a malicious driver could be bad, but since drivers have a more finite API surface they should call, they can be audited / restricted with static analysis checks. Launching a userspace app with admin privileges automatically is a bad idea.

Would you be ok with the AMD kernel driver launching a web browser as root on first boot? Or every boot?


WHQL means almost nothing, except that you have an expensive EV code signing certificate to verify your identity to Microsoft. At best it means that your drivers don't completely break the system.


> I don't know of a Linux distro that will allow you to without root privilege.

Sure, but a tonne of them come with them by default these days


I don't have much experience under Windows so I may be a bit off here, but this article mentioned the driver was installed by Windows Update from a non-administrative account, made no mention of UAC popping up to get administrative credentials, and allowed the installer to present a user interface. The installation wizard allowed for interactions that are intended for people who manually download and execute the driver package, which is fine in that context since the end user has already provided or has to provide administrative credentials at a UAC prompt. It is not fine in this case since a standard Windows component with elevated privileges is allowing the end user to circumvent restrictions on their account.

Clearly Razer played a role here since they were doing something that is (from my experience) unusual by presenting a wizard during a Windows Update installation. On the other hand, this is a fault that Microsoft has to fix.


It's a new 'feature' of Windows update. In the past, driver vendors that were supplying to the Windows Update driver DB only had the option of providing infs and firmware, basically. I think they could provide apps too, but they had to be 'move it into place and it works' sort of apps. The mistake is that now Microsoft allows installers to run, Logitech does the same thing, plug in any logitech device and Logitech Options pops up a custom notification prompting you to 'continue' installation.


I can understand why the vendor would want this feature, and perhaps even most users. On the other hand, the one thing I liked about the limited approach was the ease of installing basic drivers. (Linux is my primary OS, so I'm accustomed to basic drivers and find the additional software that accompanies many Windows drivers repulsive. Knowing that the installer for these enhanced drivers can also present a security risk simply makes it worse.)


Completely agree. I've been an on-again-off-again Linux user for the last 15-ish years... but these days it's more and more on; the only reason I haven't virtualized my gaming rig yet is the DRM some games I play use, using those fucking kernel drivers. So that install hangs out and has Steam, Chrome, and other various games / game launchers and that's it. I disable as much of the OS as I can and only boot into it for games that don't work on Linux (usually ones with the aforementioned DRM). Gaming on Linux is getting better every day!


When was this "feature" released? It should be reviewed so that this doesn't happen.


Even more than a bug, it's a flaw in industry _culture_.

It's a flaw in Windows culture, where application publishers and device manufacturers are allowed and perhaps even encouraged to run amok, especially at install time, and run all manner of bespoke procedures with elevated privileges.

And it's a flaw in device manufacturer culture, where first-party device ‘drivers’ are expected to be bundled (sometimes optionally, sometimes by mandate) with entire applications for managing them, usually with flashy wizards and always-on GUIs that live in the system tray. More and more, it seems like manufacturers push that shit so they can track users' usage of their devices, as well.

This is as much a result of device manufacturers' marketing teams' ruinous desires for customized, unique user interfaces and branding as it is a result of anything else. This kind of shit is really alien on platforms where universal management interfaces are the norm, package installation is expected to be well-behaved and non-interactive, etc. It's par for the course on Windows (and significantly so, but to a lesser extent, on macOS).


> Third party devices do need automatic driver install of some form.

This is a mouse. It works perfectly fine as a USB HID device. The software install is to unlock optional features on the device, and that can be done after the user has authenticated to the host and gone through a security elevation prompt.

In fact there are precious few third party devices without a usable built-in driver that absolutely need to be available before the user has logged in. I can't think of any.


> The software install is to unlock optional features on the device, and that can be done after the user has authenticated to the host and gone through a security elevation prompt.

That's not true. It may help you to watch the video.

The user was authenticated as a regular logged-in user. It was the driver installation that had elevated rights as SYSTEM, and there was no security elevation prompt.


Yeah, that's my point. There should be no automatic rights elevation. Adding a driver should require a prompt, period.

I assume the mouse driver only bypasses it because it wants to have the driver installed before the user has logged in.


I'm reading the "can" here as normative, i.e. because the optional stuff CAN be done after auth, it SHOULD be restricted to being done only after auth.


It is perfectly acceptable for a device to come with either a printed url where you can get the driver or software.

Also it should, if possible, be minimally fit for use without extra software even if all features aren't available.

There is no way any of this should ever happen automatically. People installed custom hardware for windows in the year 2000 and it worked fine then.


A third party driver shouldn't be installable without local admin (or a UAC prompt). This is the problem.


Yeah, it's shared. MS was rumored to have a very strong and deep (Haskell-based, long ago, IIRC) driver testing system... it's odd something that big escaped the net.


> Third party devices do need automatic driver install of some form.

I don't see why. Particularly not if the user wouldn't have permissions to do it themselves. If the user doesn't have permission to install a driver, there is probably a good reason for it and the system shouldn't be automatically installing drivers on their behalf either.


You or I don't. But in the market, if you can't make your product work with no fuss, your customers will buy someone else's (or flee to another platform entirely).

If you accept the paradigm of third party hardware sales at all, then you need to have some kind of automatic secure install.


> if you can't make your product work with no fuss, your customers will buy someone else's

If Razer can't make their gamer mouse autoinstall drivers, then neither can Logitech. This would be an equal playing field.

> (or flee to another platform entirely).

If somebody can't type in their own password when prompted to install a driver, it probably isn't their computer in the first place. The computer almost certainly belongs to their school or employer, or at least another family member, and I think any of those would rarely be receptive to "Please replace your Dell with a MacBook because the turbo button on my gamer mouse doesn't work."

Furthermore, the gamer mouse will have basic functionality without the Razer driver anyway, and from my experience I doubt most clueless computer users would notice the difference. If they can "click the internet button and the Google shows up", then the mouse is working as far as most users of this sort are concerned.


On Windows you don't even need to type in the password to install something. UAC just gives you a yes/no dialog. Most home users have the permissions for that.

Only if your user doesn't have admin permissions do you need to type in a password to run something elevated.


Perhaps you long for the good old days where we carried around piles of floppies for our hardware, but I suspect you are in a small minority.


I'm not saying we should go back to floppies. A prompt for the administrator password followed by an otherwise automatic driver installation should be fine.


And the great thing is you don't even need a Razer device to exploit this! You can just use any Linux device, e.g. a phone running LineageOS as in this PoC: https://twitter.com/an0n_r0/status/1429386474902917124 https://gist.github.com/tothi/3cdec3aca80e08a406afe695d54489...


I remember a different form of this from years ago. At the login screen, go to the accessibility/help prompts and open cmd.exe just like was done here to open PS>. This has been a standard kiosk breakout method of various effectiveness for a long time. The user rights were not always SYSTEM, though...


Or presumably any USB microcontroller would work!


In this case, I think it's fair to blame Razer. They are clearly installing way more than a driver.


If Microsoft lets anyone owning a Razer mouse/keyboard do whatever it wants to anyone's computer then that's on Microsoft as well.

If only Razer customers were affected then, sure, let's put all of the blame on Razer, but this affects everyone using Windows 10. There are some very good reasons why you cannot simply install device drivers without admin rights, and if Microsoft chooses to waive those rights for trusted suppliers then they can very much be blamed for this kind of oversight.


Of course. But as a Windows customer I would expect Microsoft to prevent such issues.


I agree they should block this sort of stuff, but don't count on it; When I plug in a Microsoft mouse, a Microsoft IntelliMouse install wizard pops up.

In the end, the driver is running executable code which could (I believe) just start an EXE install wizard anyway so this seems unpreventable.


A privileged executable can always launch another executable with less privileges.


Windows Update should behave differently depending on what it's handling. If it's signed by MS sure go on, if it's a simple signed driver file maybe directly load it too. But for anything else always request admin credentials and meanwhile keep using generic drivers if available.


And then you need to call an admin to plug in a mouse. That's not really practical for a lot of organizations.


There are generic mouse drivers.


All (I hope) gaming mice with fancy drivers will also just work fine without them.


That's already the case in more secure environments (company-provided devices plugged into internal USB ports - all other ports filled with sealant).


Oh that's why they did that! I'd forgotten until your comment, but I remember thinking that was odd on an internship. Didn't occur to me that it was to prevent there being usable ports (and nor did I try to plug in any car park devices, like a good intern!).

My work was only confidential (and that only by default) but it was definitely interesting to be in an environment with secret sauce about, and processes for handling it. (Fire procedure not being drop everything and exit the building, for one.)


That's probably more to prevent data exfiltration. If you don't want random drivers being downloaded you can more reliably prevent it using group policy.


A 3rd party driver's capabilities should be scoped to whatever type of component it's for and in this case a mouse driver should only be allowed to do mouse things.

OAuth for Windows, I rest my case.


> Windows should not install random drivers from the Internet when a non-admin user is logged in.

In a perfect world, or at least a tech user world, sure. But there was a compromise to make, either this (and that behavior can be disabled), or users stayed on admin accounts at all times. Which was the norm for Windows since forever. Even on Vista people disabled UAC.

From that point of view this is still the more secure outcome, at least the admin hatch is only broken through sometimes, instead of always.

Not saying this shouldn't be improved, but if you look not only at the end result but also at the path to get there, it does make some sense.


Microsoft seem to be fiddling around with eBPF, would be nice to see verified driver bytecode for simple stuff.


HP printers have the same bug then during installation, if you do it from USB.


Razer, the same company where installing Linux voids the warranty and BIOS and firmware upgrades need to be installed from Windows 10 just so you can have a black and green GUI.


This is related to a different thread which is currently at #1:

My mouse driver is asking for a firewall exemption (2019) - https://news.ycombinator.com/item?id=28274305

Normally we'd downweight one or the other (https://hn.algolia.com/?dateRange=all&page=0&prefix=true&sor...) but in this case I don't think that makes sense.


They appear to be two unrelated issues.


Technically unrelated yes, but the one post seems clearly a follow-up to the other. Normally we downweight those, since avoiding repetition is a principle here:

https://hn.algolia.com/?dateRange=all&page=0&prefix=true&sor...

https://hn.algolia.com/?dateRange=all&page=0&prefix=false&so...

In this case that didn't seem indicated though.


They are 100% unrelated.

One is a twitter thread about a Roccat Mouse driver.

This one is about a security vulnerability in Razer software.


We're talking about two different kinds of "related".


There must be a USB gadget where you can just set any USB device ID to report to the host, so any infiltrator not wishing to give Razer money can just copy one of their USB IDs and plug the "yes I'm a Razer USB device" into a USB port.



I visited the article's linked tweet and the author has retweeted a product mention called OMG cable, which can do this (a product that looks like a normal USB cable but has things like keylogging capabilities)


Someone added a payload for Bash Bunny here https://twitter.com/hak5darren/status/1429463473700888577


So err... easy root access to any Windows 10 machine until this is fixed?


It's probably possible to disable auto-installation of drivers, or even disable USB via software...
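The suggestion a few comments up (require admin credentials for anything that is not a plain signed driver, keep using the generic driver meanwhile) and the group-policy remark both come down to the same handful of policy values. The following is an added example for this thread, not code from the article, Razer or Microsoft: it reads the policy-backed registry values that control whether Plug and Play may fetch drivers (and vendor installers shipped as drivers) from Windows Update, and reports what is left open. The registry paths and value names are the documented policy backing values; the meaning attached to each number follows the Group Policy editor's own wording.

```python
"""Audit the Group Policy registry values that control whether Plug and Play may
fetch drivers (and vendor installers shipped as drivers) from Windows Update.

Added example for this thread; not code from the article, Razer or Microsoft.
Registry paths and value names are the documented policy-backed values; the
meaning assigned to each value follows the Group Policy editor's own wording.
"""
import sys

# Policy-backed values under HKEY_LOCAL_MACHINE (set via gpedit or a domain GPO).
POLICIES = {
    # "Specify search order for device driver source locations":
    #   0 = do not search Windows Update, 1 = always search, 2 = only if no local driver
    "SearchOrderConfig": r"SOFTWARE\Policies\Microsoft\Windows\DriverSearching",
    # "Do not include drivers with Windows Updates": 1 = drivers excluded from WU scans
    "ExcludeWUDriversInQualityUpdate": r"SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate",
    # "Prevent installation of devices not described by other policy settings": 1 = on
    "DenyUnspecified": r"SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions",
}


def read_policy_values():
    """Read the values from HKLM on Windows; on other platforms every value is None."""
    values = {name: None for name in POLICIES}
    if not sys.platform.startswith("win"):
        return values
    import winreg  # standard library, Windows only
    for name, path in POLICIES.items():
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
                values[name] = winreg.QueryValueEx(key, name)[0]
        except OSError:
            pass  # key or value absent: policy is "Not configured"
    return values


def assess(values):
    """Return (wu_driver_fetch_blocked, findings) for a dict of policy values.

    Only SearchOrderConfig == 0 is treated as actually stopping the Windows
    Update driver search; the other two values are reported as extra layers.
    """
    findings = []
    soc = values.get("SearchOrderConfig")
    blocked = soc == 0
    if soc is None:
        findings.append("SearchOrderConfig not configured: default is to search Windows Update")
    elif soc != 0:
        findings.append(f"SearchOrderConfig={soc}: Windows Update driver search allowed")
    if values.get("ExcludeWUDriversInQualityUpdate") != 1:
        findings.append("ExcludeWUDriversInQualityUpdate != 1: drivers still offered via WU scans")
    if values.get("DenyUnspecified") != 1:
        findings.append("DenyUnspecified != 1: unknown USB devices may still be installed")
    return blocked, findings


if __name__ == "__main__":
    blocked, findings = assess(read_policy_values())
    print("Windows Update driver fetch blocked:", blocked)
    for finding in findings:
        print(" -", finding)
```

With SearchOrderConfig set to 0 a newly plugged mouse still works through the in-box HID class driver, which is the "generic drivers" point made elsewhere in the thread. DenyUnspecified is the blunt instrument: it refuses every device that is not allow-listed through the neighbouring AllowDeviceIDs or AllowDeviceClasses values, so it only makes sense where the fleet's peripherals are known in advance.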


Yep. All it takes is to find a vulnerability in any USB device driver at all, and you have an effective evil maid attack.


You can configure an Android phone to use arbitrary device/product IDs like this.


Does the phone have to be rooted for this? I've only found one app that claims to emulate any USB VID and PID on F-Droid and it required rooting.


The big question is can you do this over RDP, without physical access.


How do companies still think it's acceptable to ignore responsible disclosure in the hopes the problem just goes away?

Even companies with the most automated non-existent customer service know they need to provide separate channels for legal and security so that they actually get read by a human.


It could be user or system or prices error rather than malice in this case: the message not getting to the right person (general mail fail, people monitoring that target being unavailable, misidentification as junk, ...) or that person/group missing it assist a sea of other comms. We don't know how much effort was made to chase a response.

Their response after the issue hit social media was far more decent than companies have done in the past:

> I would like to update that I have been reached out by @Razer and ensured that their security team is working on a fix ASAP. Their manner of communication has been professional and I have even been offered a bounty even though publicly disclosing this issue.


“Prices” should have been “policy” there. Also, “assist” → “amongst”.

Darned auto-carrot strikes again, and I was far too late noticing to be able to edit. Two in a short post, I'm not sure if the slide-keyboard is getting worse over time or my coordination is failing as I age but something seems to be failing more these days than it used to…


They probably just don't read their emails or messages.

Maybe customer support agents are just very badly trained. Or there is a second/third/fourth level that investigates those emails, but they are getting too many messages to go through all of them.


> How do companies still think it's acceptable to ignore responsible disclosure in the hopes the problem just goes away?

it's not responsible to disclose in secret and hope the company doesn't ignore you or curb stomp you to oblivion

it's not responsible to push for a little pat on the back and maybe an undervalued $ compensation

proverbially nuke them from orbit, responsible is not a factor here


Because it would mean spending money and the buck stopping somewhere other than the void.


I tested this with a Raspberry Pi Pico and it works. The USB device name doesn't even have to match, only the VID and PID. I used Adafruit's CircuitPython and changed these two to 0x1532 and 0x0084. After attaching the Pico to a Windows VM with all current updates, the Razer Installer comes up and opens a File Explorer as NT AUTHORITY\SYSTEM.

The "open powershell here" option was missing in my VM, I don't think it's on by default. EDIT: Oh I have to hold shift while right clicking! My bad.

In case anyone wants to try this, I've uploaded the compiled firmware for the Pico here: https://anonfiles.com/T9L8F8D9u1/firmware_uf2 (circuitpython with changed VID / PID values)
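From the defender's side, the test above leaves a distinctive trail: a UserPnp driver-install event for Razer's vendor ID, then Explorer and PowerShell running as SYSTEM with RazerInstaller as their ancestor. The following is an added example for this thread, not code from the article, the poster above, Razer or Microsoft. The log lines are constructed to resemble a simplified event export (timestamp | provider | event id | message), the installer path is made up, and parent/child linking is by image name only; real 4688 events carry process IDs, which is what a production rule should key on.

```python
"""Spot the Razer-driver elevation chain in Windows event data.

Added example for this thread; not code from the article, the poster above,
Razer or Microsoft. The log lines are constructed to resemble a simplified
event export (timestamp | provider | event id | message) and the installer
path is made up. Real 4688 events carry process IDs; this version links
parent and child by image name only, which is enough for the sample.
"""
import re
from collections import namedtuple

Event = namedtuple("Event", "ts source event_id message")

RAZER_VID = "VID_1532"            # Razer's USB vendor ID
SYSTEM_ACCOUNT = r"NT AUTHORITY\SYSTEM"
SHELLS = {"explorer.exe", "cmd.exe", "powershell.exe"}

# Constructed sample: a device install for a Razer VID (UserPnp 20001), the
# installer running as SYSTEM, Explorer and PowerShell inheriting that token,
# and an ordinary user's cmd.exe that must not be flagged.
SAMPLE_LOG = r"""
2021-08-22T09:14:01 | Microsoft-Windows-UserPnp | 20001 | Driver Management concluded the process to install driver oem42.inf for Device Instance ID USB\VID_1532&PID_0084\6&2A3F0C11&0&2 with the following status: 0x0.
2021-08-22T09:14:07 | Microsoft-Windows-Security-Auditing | 4688 | A new process has been created. Subject Account Name: SYSTEM Subject Account Domain: NT AUTHORITY New Process Name: C:\ProgramData\Razer\RazerInstaller.exe Creator Process Name: C:\Windows\System32\svchost.exe
2021-08-22T09:14:20 | Microsoft-Windows-Security-Auditing | 4688 | A new process has been created. Subject Account Name: SYSTEM Subject Account Domain: NT AUTHORITY New Process Name: C:\Windows\explorer.exe Creator Process Name: C:\ProgramData\Razer\RazerInstaller.exe
2021-08-22T09:14:33 | Microsoft-Windows-Security-Auditing | 4688 | A new process has been created. Subject Account Name: SYSTEM Subject Account Domain: NT AUTHORITY New Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Creator Process Name: C:\Windows\explorer.exe
2021-08-22T09:15:02 | Microsoft-Windows-Security-Auditing | 4688 | A new process has been created. Subject Account Name: alice Subject Account Domain: CORP New Process Name: C:\Windows\System32\cmd.exe Creator Process Name: C:\Windows\explorer.exe
"""

PROC_RE = re.compile(
    r"Subject Account Name: (?P<user>\S+) Subject Account Domain: (?P<domain>.+?) "
    r"New Process Name: (?P<image>\S+) Creator Process Name: (?P<parent>\S+)"
)


def parse_events(text):
    """Turn the simplified export into Event tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, source, event_id, message = (p.strip() for p in line.split(" | ", 3))
        events.append(Event(ts, source, int(event_id), message))
    return events


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def razer_device_installs(events, vid=RAZER_VID):
    """Timestamps of UserPnp 20001 driver installs for the given USB vendor ID."""
    return [e.ts for e in events if e.event_id == 20001 and vid in e.message]


def system_shells(events):
    """Shell-like processes created as SYSTEM, each with its creator chain."""
    procs = []
    parent_of = {}                      # child image -> creator image
    for e in events:
        if e.event_id != 4688:
            continue
        m = PROC_RE.search(e.message)
        if not m:
            continue
        account = f"{m['domain']}\\{m['user']}".upper()
        child, parent = basename(m["image"]), basename(m["parent"])
        parent_of[child] = parent
        procs.append((e.ts, account, child))

    findings = []
    for ts, account, child in procs:
        if child in SHELLS and account == SYSTEM_ACCOUNT.upper():
            chain, cur, seen = [child], parent_of.get(child), set()
            while cur and cur not in seen:   # walk up by name, guard against cycles
                chain.append(cur)
                seen.add(cur)
                cur = parent_of.get(cur)
            findings.append((ts, child, " <- ".join(chain)))
    return findings


def analyze(text):
    """Combine both signals: a Razer-VID install plus shells running as SYSTEM."""
    events = parse_events(text)
    return {
        "razer_device_installs": razer_device_installs(events),
        "system_shells": system_shells(events),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print("Razer device installs:", result["razer_device_installs"])
    for ts, child, chain in result["system_shells"]:
        print(f"{ts} {child} running as SYSTEM: {chain}")
```

Explorer running as SYSTEM is anomalous on its own, which is why the rule keys on the shell image plus the account rather than on the Razer name; the VID match is the corroborating signal, and the same logic covers any other vendor installer that Windows Update launches as SYSTEM.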


> The owner of this website (www.bleepingcomputer.com) has banned your IP address

I don’t know what I did to deserve this, but I guess I’ll continue my morning without reading this article?


They're still on IPv4 and chances are your ISP has you on CG-NAT.



There are a lot of issues here, but isn't a glaring one the fact that any random file browser window lets you get a shell? Shouldn't this be something for the developer to disable for their particular program if their use case of browsing to choose an install folder in no means requires it? Do the Microsoft APIs even allow for this kind of configuration?

Given they already have admin rights it's basically game over, but not having the option to open a shell would have still reduced the attack surface and required a "real" exploit to do so.


Not really, the windows file browser also lets you create and move files and directories. I guess you could ask to go down the route of not allowing that, but directory creation for one is super common.


Creating and moving files and directories doesn't result in arbitrary code execution with elevated privileges.


Just to be anal here.

It’s not admin, it’s NTAuth\SYSTEM, a much much higher privileged account. System is the most powerful account in Windows, bypassing almost any system protection in place such as group policy, privilege and permissions, it can talk out of the box to a DC using the machine account password (this is different to a user password), and essentially become uncontested in a network.


On the plus side, now people can remove the invasive software installed by education institutions and some enterprise companies


If you're looking for a good keyboard I recommend KeyChron. I have used their mechanical keyboards (K4) for gaming and they feel great while I use their slim optical keyboard (K3) for software and general use. Both keyboards are 1/2 to 1/3 of the cost of the mainstream, brand name equivalents and, IMHO, double the quality.

Razer makes a lot of junk. I saw a headset stand with plastic and RGB. I don't know why someone would waste money or a bus port on a 5 dollar part with lights. That said, I do own one of their cameras and it's incredible quality. Corsair and Steel Series are usually my go-tos.


Corsair is just as bad with their iCue junk software in my experience. Want to configure the LED colour of your mouse? That'll be a 750MB download currently with iCue 4.

What's even worse is that Windows automatically installs some Corsair software, which spams you with an iCue popup: https://imgur.com/0fKRYLT


Never buying another razer device after I recently found out that the user agreement allows them to collect all the keystrokes from my keyboard and send them to their company -- you know, so I can customize my keys' colors.


Can you provide citation on this?

Edit: I’m genuinely curious about it, as opposed to accusing you of lying.


https://www.razer.com/legal/services-and-software-terms-of-u...

<ctrl-f>keystrokes

It does mention you can turn it off, but still sounds over the top to me.

"Mouse Usage Statistics. Synapse 2.0 offers a feature of collecting mouse usage statistics, specifically keystrokes, mouse-clicks, wheel-rotations and pointer distance travelled. Such collection of statistics may be turned on or off within Synapse and is under your own control."


From my reading of the paragraph it looks like that feature is totally local? A few sentences before they list out all the data they collect and send to razer, but the sentence about keystrokes doesn't give any indication it's sent to them.


Have a look for Razer heatmaps; Razer do in fact run mouse and keyloggers that send your data to their cloud.


They should approach this the complete other way: when you WANT admin rights, you have to insert a special device. Sort of like the cash registers where the manager needs to turn a special key to gain access to refund functionality.

Maybe you build it into specific other devices-- the administrator's favourite keyboard or mouse has the admin token, but the $4.99 Dells they hand out to the hoi palloi don't have it.


Does this vulnerability have a CVE?

The database has several entries for Razer, none of which is the only one I've ever seen rated 10.

I come away with the impression that Razer care even less about security than Microsoft did in the early days of XP: an utterly unacceptable state to be in over 20 years later.


surprising that the auto-fetch/install stuff allows for non msi based installers. there's a whole vetting process for drivers, you'd think msi would be a requirement.

why non msi based installers still exist in any form in 2021 is a mystery to me.


Not surprised. I once bought a top of the line Razer mechanical keyboard. The software is a steaming pile of crap and a known bug (random spamming of c key when pressing Ctrl + c) makes it unusable. Avoid.


This is part of why I don't use Razer (or Microsoft) products anymore.

Razer's UX is horrible on Windows, which is a shame since that's where most of their customers will use their products. The moment you plug in a Razer device, Windows starts downloading a 300mb installer that will prompt you to install the Razer management software each time you reboot/plug in the device. If you deny it, Windows will keep the installer and ask you next time anyways.


Good lord.......I've been on Linux for years and rarely look at Windows anymore but that's dumb on so many levels. Come to Linux. It's nice over here.


fuck razer products.

Go ahead and make my hardware automatically install software i don’t want. Watch how fast it goes in the dumpster


Shouldn't Jonhat disclose it to Microsoft before publishing it as a zero-day? This would really be something that Microsoft can and should block on their side.

It's a bit crazy that Windows downloads and installs random drivers when plugging in a device when a non-admin user is logged in and that should be fixed but besides this, they also have a way to block the offending driver for a while. Publishing it as a zero-day instead feels a bit irresponsible


it always wound me up that the SteelSeries 900mb bullshit keyboard bloatware somehow downloaded itself and popped up on a brand new clean Windows install

(even disconnecting the machine from the internet first and disabling the various automatic driver downloads in GPO wasn't enough to stop it...)


I'm sorry, how is this seen as anything other than critical vulnerability in Windows?


This should qualify as a modern-day Captain Crunch whistle.


Unless the system has been vaccinated by plugging one in beforehand.


All of windows is a 0-day vulnerability.


"its not a bug, its a feature"



