Razer Mouse Grants Windows Admin Privileges

As the common saying goes, “all networked computers are vulnerable to exploits, but some networked computers are more vulnerable than others”. While not the exact wording from Animal Farm, the saying does have plenty of merit nonetheless. Sure, there are some viruses and issues with Linux distributions but by far most of the exploits target Windows, if only because more people use it daily than any other operating system. The latest Windows 10 exploit, discovered by [jonhat], is almost comically easy too, and involves little more than plugging in a mouse.

While slightly comforting in that an attacker would need physical access to the device rather than simple network access, it is very concerning how simple this attack is otherwise. Apparently plugging in a Razer mouse automatically launches Windows Update, which installs a driver for the mouse. The installation is run with admin privileges, and a Power Shell can be opened by the user simply by pressing Shift and right-clicking the mouse. While [jonhat] originally tried to let the company know, they weren’t responsive until he made the exploit public on Twitter, and are now apparently working on solving the issue.

Others have confirmed the exploit does in fact work, so hopefully there is a patch released soon that solves the issue. In the meantime, we recommend not allowing strangers to plug any devices into your personal computers as a general rule, or plugging in anything where its origins are unknown. Also remember that some attacks don’t required physical or network access at all, like this one which remotely sniffs keystrokes from a wireless keyboard with less than stellar security, also coincidentally built by Microsoft.

50 thoughts on “Razer Mouse Grants Windows Admin Privileges

  1. And anyone with Linux Kernel 5.x with an NVIDIA driver had better
    blacklist hid_logitech_hidpp
    blacklist hid_logitech_dj

    It is worse in many ways, as it leaves no trace of what happens on some Intel hardware. CVE will likely never be filed… we only spotted it out of shear luck.

  2. It is the 21st century. Windows has gone through several (ahem) “revisions”. The fact that this is a live exploit is incredulous.

    Vendors are relying on “caveat emptor” a little too much.

      1. I can’t use a Razer mouse (or keeb,) an account, login and a 200mb driver just to access settings that can’t be saved to the mouse, due to cost cutting the flash needed to store the settings.

        Fail. Fail.

        1. That is my biggest complaint. I have my mouse set to 1000hz and 400DPI, but I need the whole razer synapse program to keep those settings. Really wish I could just save to mouse and plug it into any other computer and have it act the same. At least you don’t actually need an account though, you can continue as guest

      1. You have to modify three registry settings listed here:

        Also, you need to rename a system file called “WaasMedicSvc.dll” to something else, as this dll is used for Windows update. Renaming is a bit of a process, as the file is owned by the “system” and so you need to change ownership before you can rename the file.

        I have done the above and I have completely disabled the Windows Auto updates. When I want to update my files I simply reverse the above, perform the update, and the redo the above.


  3. bad software, great hardware

    Could say the same about all razer products, headphones, mices, joys, keyboards. Their razer control centre runs a plethora of services and crapware in the background most of them even broken on windows7 the sonofa btches still doing it anyway.
    Windows 7 should be supported forever as 10 is a pure garbage.

    1. They put out good and bad operating systems alternately. ME good, 98 bad, XP good, Vista bad, 7 good, 10 bad. Guess we might see a good one next if they stick to their business model.
      Sometimes it’s better to just get a machine to a good state, do a full backup and airgap what you can.

        1. Windws 7 was the last Win OS I owned. I use Win10 at work and it is ‘ok’, but I liked Win7 much better.
          Of course, we all Linux based at home and have been for years. Win7 sits in a VM if for some reason we need to run it (I don’t but once in awhile my wife will pull it up to run say Print Shop). Oh and the Win VM has ‘no’ connection to the internet as I disable that interface.

          As for the mouse, it should be supplied in the box it came in, or you have to manually go to their website and pull down an install app. Then install manually.

        1. I wouldn’t say it’s good (I preferred win 2k anyway, lightweight and on an nt base), but I suspect at least part of its bad reputation is because it’s from the same time period as the peak capacitor plague, which produced some severe stability problems to say the least.

          1. win2k was rock solid. i only stopped using it when amd64 became a thing, and switched to xp 64 pro. used that until 7 came out.

            hardware was really flakey back then. a lot of people blame the software but i knew hardware was to blame. though the one piece of software that did break things was crysis and cry-engine derived games. renowned for turning shoddy capacitors into dead capacitors.

          1. Windows 95 rev C had IE4 on the CD, and would install it automatically if you didn’t eject the disc during the reboot.

            Windows 98 and later shipped with IE4 installed during the OS install, no choice in the matter.

            Windows 2000 (NT5) shipped with IE5.

            NT4 had IE2 IIRC, but it wasn’t “integrated” the way it was with Windows 98 / Windows 2000 and later.

        1. every new version of windows just upgrades a small number of subsystems while the rest of the os is more or less the same. every time they push a ‘new look’ is just a cover for the fact that they didn’t upgrade as much as they wanted to.

      1. idk. ms are asking me to give up more of the windows experience for more of a phone experience. i mean if the ui went back to windows 2000 style it would be an upgrade. easily solved with a windows-like de.

        windows is really the only way to make sure all your cutting edge technology works out of the box. linux runs best on hardware at least a couple generations old. every time i try to run linux on a new machine, i feel like i leave some capabilities on the table. linux drivers just seem to be waiting on open source devs to hammer out the bugs.

    2. Yes, Microsoft selling the Z80 Softcard for the Apple II helped move them away from “that company that makes BASIC”. As I recall, IBM went to Microsoft for an operating system because they thought they did CP/M. So surely the Softcard created that illusion.

    3. The scrollwheel of the one Razer Deathadder mouse I ever bought crapped out after less than a year, and the side buttons started glitching too. Maybe their quality is better now, but I don’t really care.

      One oddity I remember of that mouse is that the mouse itself was a very dumb device, and most functionality was implemented in the device driver running on the host computer. The driver would take exclusive control of the USB HID device, and create its own virtual mouse device. For example, the mouse didn’t support resolution scaling, and would always send movement using the highest sensitivity. The driver would then perform the scaling in software for the virtual mouse. Naturally, none of the configuration settings were stored on the mouse itself, which had no storage. So if you used the setup program to stop the moron lightshow, and plugged the mouse into another computer, it would immediately start flashing like a fucking Christmas tree.

      I always found the whole thing very funny as the mouse was marketed as some high-tech ultra low-latency fancy gaming gear, while in reality it was the cheapest piece of shit imaginable, built using Chinese clones of Alps and CUI parts. I think the only genuine mechanical parts they used were the Alps main left and right button switches, but even they weren’t the high-end long-life models.

      1. The middle mouse button switch is notorious on those, and such weird dimensions a replacement is hard to find in the same size. I replaced my whole mouse with an IntelliMouse Classic, then replaced the DA mmb switch (to keep as a spare) with a switch that’s accidentally a little too stiff and not quite centered. Oops. But hey, it does work now.

        (Technicality: when they don’t use name brand stuff, here considering Kailh as name brand by now, I get the impression they tend to stick with made in Taiwan, given they have their main manufacturing in Taiwan I think)

    4. I bought a Razer Tartarus a couple of years ago, to use when modeling etc, and love the hardware (great buttons, feels nice, etc.). But the software is not the worst I’ve used (But not far from it*).
      The keys are a bit cumbersome, especially if you don’t use US/EN Qwerty, to program (not always detecting key presses in “key recordings” etc).
      But the software have also lost the configuration after updates, and restarts (sometimes loading with the “right” profile, but it’s “empty”), loosing random keybindings, etc, and now I have four profiles with the same name, and six copies of every macro.

      And the software doesn’t always start on startup, and when I start it manually it have started without any profiles (apparently requiring another reboot before it “finds the config” again). And “of course” you need to have the software running, because the bindings aren’t saved on the actual device.

      I wasn’t really surprised to hear that Razer’s software had security issues (even if it might be broader than just Razor, but still..)

      (*I recently bought a Royal Kludge, RK61, keyboard, and the software for that is worse than Synapse)

      (And let’s not forget when they wanted to use their users’ computers to mine cryptocurrency, basically without compensation..)

    5. I’ve never had a good experience with their hardware either. RMAd 3 KBs because of bad switches, replaced switches in death adder 2013 with 50m because those seem to go bad right after the warranty quits.

  4. As gets pointed out in this thread (https://twitter.com/_MG_/status/1429293225181814784), the problem here is mostly that Windows (and other OSes including most Linux distros) run installer scripts with high privileges, without adequate checks on how trustworthy such scripts are (such as their provenance, eg: signed by MS, random 3rd party download? etc) and often without user interaction (although it’s questionable how effective an “are you sure” pop up is!). In this case Razer are making things worse by shipping a badly written closed-source installer, however they are far from unique…

    1. sudo launched Installer scripts on Linux?
      these are things I see only from hardware vendors, and are a sign of poor support (and no updates 90% of the time, jsut one-shot attempt to deliver a working Linux driver)

      In that particular Razer case ? There is this open-source project https://openrazer.github.io/ which daemon runs in userland and that supports most razer products. Just add the repository to your distro and let dkms build it for you.

    2. How did they manage to get Microsoft to approve, whql, and host on Windows update, a driver whose inf launches an executable with a ui? I was under the impression review was tough, and that new driver submissions weren’t supposed to do stuff like that which is why the graphics control panels are now installed via the MS Store, just triggered by the inf. I don’t think I’ve ever seen any ui from a windows update driver.

      Microsoft might be more responsive in this case than Razer, since if I understand this correctly it’s a vuln because of the privilege associated with being a blessed and auto installed driver from Windows Update. (Right? That’s how it’s coming in, not via some hokey built in mass storage or something?)

  5. Well..that came handy to get administrator account on my company laptop that is almost unusable because of to-restrictive-to-zealous security (half of memory occupied, 10% CPU by MDM spyware, no powersaving mode settings whatever, can’t even change default background color for god sake…).

    The thing is…it isn’t even the driver it selves. It just registers as a generic mouse but wants to download & start al the razer “gadgetsoftware” that expands the driver with ability to reassing buttons and macro’s, but also RGB colors and dpi settings. Hell, they want you to register and login for their “cloud saving” and RGB christmas lighting for all your razer stuff and “gamer tools” you never asked for too. Why on earth has the installer run under system rights and can only be answered by Razer, not Microsoft..

    So…I think Microsoft probably did a good job checking the driver, but never peeked at the bloatware software that comes along with it. Even if you cancel the installation of that, the mouse will work fine.
    I wonder if the same thing is there in the software crap when installing printer drivers from – for example – canon or HP..

  6. While windows defenders are quick to respond with this quote from the article ” if only because more people use it daily than any other operating system. “.

    Its certainly not the only nor the largest reason. The commonality of and ease of point and drool interfaces for exploit tools is another reason but a smaller reason. The biggest reason is still the ease of exploiting when compared to other OS’s which then can be broken down to issues such as over complicated and under documented api’s and system calls that third parties are expected to use. Corporate policies and preferences that lean toward hiding or simply omissions of details rather than having an open and collaborative relationship with outsiders to test/replicate/fix issues so exploits can be randomly discovered and utilized by multiple attackers before being adequately prevented and fixed. The bloat of so many features bundled in that some one wanted but not everyone else needs. inability to lock out those features that are not needed. etc.

    1. Also the fact that it’s meant to run code from older versions of Windows, including Windows 95. Meaning security holes it had are still present for the sake of backwards compatibility.

  7. While terrible, it does get worse.

    Use of Razer hardware differentiators (RGB, DPI settings, for instance) requires personal information to log into a cloud-managed account. While it’s painfully clear that alteration of on-device profiles doesn’t ever require PII, Razer has been less than honest during my requests for what’s captured/stored

    Ditto nVidia GeForce Experience, who declined to provide privacy policies, retention guidelines or security posture assessment attestation.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.