A severe vulnerability in Windows was discovered this week. By simply plugging in a USB accessory, such as a mouse or flash drive, an attacker can gain full control of the victim's computer.
Although physical access to the computer is required to carry out the attack, the vulnerability is worrying because the attacker can run system-level commands even if the victim does not have administrator privileges on the machine.
The attack works like this: some USB accessories, when connected to the computer, tell Windows to download a program specific to the equipment manufacturer. This is common, for example, with mice and keyboards aimed at gamers, which let you configure lighting and advanced options through these programs.
The problem arises because Windows performs this download automatically with the highest level of permissions on the system, even if the user does not have this type of access. Because the program’s installer runs automatically, it also opens with so-called “administrator privileges”, which give full control of the machine.
If the installer lets you, for example, choose a target location for the program, you can open a File Explorer window and from it launch the command terminal, called Command Prompt or PowerShell in Windows, also with full permissions. From there, the attacker can perform various actions, such as disabling system security components and downloading viruses.
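For defenders, the chain described above leaves a recognizable trace in process-creation logs: a command shell running as SYSTEM inside an interactive logon session. The sketch below is an added example, not code from the researchers or vendors mentioned in this article. It assumes events shaped like Sysmon Event ID 1 records, and the sample events, the `VendorInstaller.exe` name and the installer-name heuristic are constructed for illustration.

```python
# Added example: flag SYSTEM shells started in an interactive session.
# Field names follow Sysmon Event ID 1; all events below are constructed.
SHELLS = {"powershell.exe", "cmd.exe"}
SYSTEM_USER = "NT AUTHORITY\\SYSTEM"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

EVENTS = [  # constructed sample data, not captured from a real host
    {"ProcessId": 4100, "ParentProcessId": 900, "TerminalSessionId": 1,
     "Image": r"C:\Windows\Temp\VendorInstaller.exe", "User": SYSTEM_USER},
    {"ProcessId": 4200, "ParentProcessId": 4100, "TerminalSessionId": 1,
     "Image": PS, "User": SYSTEM_USER},          # shell opened from installer dialog
    {"ProcessId": 5000, "ParentProcessId": 3000, "TerminalSessionId": 1,
     "Image": r"C:\Windows\explorer.exe", "User": "DESKTOP\\alice"},
    {"ProcessId": 5100, "ParentProcessId": 5000, "TerminalSessionId": 1,
     "Image": PS, "User": "DESKTOP\\alice"},     # ordinary user shell
    {"ProcessId": 700, "ParentProcessId": 600, "TerminalSessionId": 0,
     "Image": r"C:\Windows\System32\cmd.exe", "User": SYSTEM_USER},  # service script
]

def basename(image):
    """Lower-cased file name of a Windows image path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def ancestry(event, by_pid):
    """Image names of the known ancestors, nearest first (loop-safe)."""
    chain, seen, pid = [], set(), event["ParentProcessId"]
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["Image"]))
        pid = by_pid[pid]["ParentProcessId"]
    return chain

def find_system_shells(events):
    """Return alerts for shells running as SYSTEM outside session 0."""
    # Assumes PIDs are not reused within the window being analysed.
    by_pid = {e["ProcessId"]: e for e in events}
    alerts = []
    for e in events:
        name = basename(e["Image"])
        if (name in SHELLS and e["User"].upper() == SYSTEM_USER
                and e["TerminalSessionId"] != 0):
            chain = ancestry(e, by_pid)
            # Heuristic (assumption): installer-like names raise priority.
            hint = any("install" in a or "setup" in a for a in chain)
            alerts.append({"pid": e["ProcessId"], "shell": name,
                           "ancestors": chain, "installer_in_chain": hint})
    return alerts

if __name__ == "__main__":
    for alert in find_system_shells(EVENTS):
        print(alert)
```

Because the rule keys on behaviour rather than on a device or vendor name, it does not depend on which accessory was plugged in.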
The flaw was initially detected in accessories from Razer, a brand specializing in gaming products. The vulnerability was discovered by user @j0nh4t and posted on Twitter. Another user of the same social network, @zux0x3a, noticed that SteelSeries devices, also aimed at gamers, have a similar problem, although it is more difficult to exploit. It is likely that products from other companies have similar problems, although so far the flaw has only been exploited on equipment from these two brands.
Need local admin and have physical access?
– Plug a Razer mouse (or the dongle)
– Windows Update will download and run RazerInstaller as SYSTEM
– Abuse elevated Explorer to open Powershell with Shift+Right click
— jonhat (@j0nh4t) August 21, 2021
— Lawrence (@zux0x3a) August 23, 2021
A seemingly simple solution would be not to use accessories from these companies, especially if they are offered by strangers. However, Windows uses a so-called “hardware identifier” to detect what kind of device is connected to the computer. This identifier can easily be faked by someone with technical knowledge, so any USB accessory could be “disguised” as equipment from the brands that trigger the vulnerability, activating the flaw. Another Twitter user, @an0n_r0, demonstrated the vulnerability being triggered by connecting a smartphone with a modified identifier to his computer.
Here is my PoC for exploiting the @Razer device driver installation LPE using a generic Android phone instead of a stock Razer device.
gist for the gadget setup: https://t.co/zMkCK0ziSh
— an0n (@an0n_r0) August 22, 2021
There is still no information from Microsoft about a fix for the flaw. Razer said it will release updates for its products so that they no longer cause the problem, while SteelSeries hasn’t commented so far.