DeepSec Talk 2022: We Are Sorry That Your Mouse Is Admin – Windows Privilege Escalation Through The Razer Co-installer – Oliver Schwarz
Device-specific co-installers have repeatedly allowed for Windows privilege escalation. Thanks to Windows' plug'n'play concept, which installs the driver package (including its co-installer) as soon as a matching device is connected, attackers don't need to rely on any pre-installed software on the victim client. All they need is a peripheral device associated with the vulnerable driver, or, simpler still, a hacking device that impersonates such a device.
In this talk, I will report on my responsible-disclosure journey for a DLL hijacking in the Razer Synapse service for gaming devices. The journey starts with me trying to fake a vulnerability and suddenly realizing that the vulnerability is actually real. It continues with a support team that apologized to me for my escalated privileges. You will also learn about a number of fixing attempts and insights about Windows' access control that helped to circumvent these attempts. The final twist: we recently discovered that the fix we ended up approving can be fooled quite easily. In other words: this story is the sequel to what we have published before.
The main purpose of the presentation is to entertain you by sharing the anecdotes from this interesting journey and demoing the attack. But besides that, admins, developers and researchers will also learn about the security risks that arise from co-installers and from placing binaries into directories where they don't belong. Finally, I want to motivate researchers to have a closer look into other co-installers. Interesting Windows privilege escalation vulnerabilities seem to be waiting out there.
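As an added example that is not part of the talk or of SySS' published material: an admin who wants to know how exposed a machine is to this class of bug can start by inventorying which co-installers are registered and where their DLLs live. The script below reads the system-wide DisableCoInstallers switch (a DWORD under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Installer; 1 disables co-installers), lists class co-installers from HKLM\SYSTEM\CurrentControlSet\Control\CoDeviceInstallers and device co-installers from each driver key's CoInstallers32 value, and flags DLLs that are missing from their expected location or sit in a directory writable by low-privilege users. Resolving bare DLL names to System32 and the ACL heuristic in Test-UserWritable are simplifying assumptions of this example, not a statement about how SetupAPI resolves paths in every case.

```powershell
# Added example (not code from the talk or from SySS): inventory co-installer
# registrations and flag DLLs in user-writable directories. Run from an
# elevated PowerShell 5.1+ prompt; it only reads the registry and file ACLs.

$ErrorActionPreference = 'SilentlyContinue'

# 1. System-wide kill switch: DisableCoInstallers = 1 prevents co-installers from running.
$devInst  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Installer'
$disabled = (Get-ItemProperty -Path $devInst -Name DisableCoInstallers).DisableCoInstallers
if ($disabled -eq 1) { 'DisableCoInstallers = 1: co-installers are disabled on this host' }
else { 'DisableCoInstallers not set: class and device co-installers can run during PnP installation' }

function Test-UserWritable {
    param([string]$Path)
    # Heuristic (assumption of this example): any Allow ACE for a low-privilege
    # principal that grants write-type rights makes the directory "user-writable".
    # It ignores Deny ACEs and group nesting, so treat hits as leads, not proof.
    $lowPriv = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone'
    $acl = Get-Acl -Path $Path
    if (-not $acl) { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPriv -notcontains $ace.IdentityReference.Value) { continue }
        if ($ace.FileSystemRights.ToString() -match 'Write|Modify|FullControl|CreateFiles|AppendData') {
            return $true
        }
    }
    return $false
}

function Resolve-CoInstallerDll {
    param([string]$Entry)
    # Registry entries look like "vendor.dll,EntryPoint". Bare names are assumed
    # here to resolve from System32 (assumption of this example).
    $dll = ($Entry -split ',')[0].Trim()
    if (-not [System.IO.Path]::IsPathRooted($dll)) {
        $dll = Join-Path $env:SystemRoot ("System32\" + $dll)
    }
    return $dll
}

$findings = @()

# 2. Class co-installers: one REG_MULTI_SZ value per device-setup-class GUID.
$classKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CoDeviceInstallers'
$props = Get-ItemProperty -Path $classKey
foreach ($p in $props.PSObject.Properties) {
    if ($p.Name -notmatch '^\{[0-9A-Fa-f-]+\}$') { continue }   # skip PSPath & co.
    foreach ($e in @($p.Value)) {
        if ($e) { $findings += [pscustomobject]@{ Scope = 'class'; Key = $p.Name; Entry = $e } }
    }
}

# 3. Device co-installers: CoInstallers32 under each driver (software) key,
#    i.e. Control\Class\{ClassGUID}\NNNN.
Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class' -Recurse -Depth 1 | ForEach-Object {
    $v = (Get-ItemProperty -Path $_.PSPath -Name CoInstallers32).CoInstallers32
    foreach ($e in @($v)) {
        if ($e) { $findings += [pscustomobject]@{ Scope = 'device'; Key = $_.PSChildName; Entry = $e } }
    }
}

# 4. Report. A missing DLL or a DLL in a user-writable directory is what you
#    would investigate next for hijacking opportunities.
'{0,-7} {1,-40} {2,-55} {3}' -f 'Scope', 'Key', 'DLL', 'State'
foreach ($f in $findings) {
    $dll = Resolve-CoInstallerDll -Entry $f.Entry
    $dir = Split-Path -Path $dll -Parent
    $state = 'ok'
    if (-not (Test-Path -Path $dll)) { $state = 'NOT FOUND at expected path' }
    elseif (Test-UserWritable -Path $dir) { $state = 'USER-WRITABLE DIRECTORY' }
    '{0,-7} {1,-40} {2,-55} {3}' -f $f.Scope, $f.Key, $dll, $state
}
```

The ACL check is deliberately coarse: a hit means a low-privilege principal can write to the directory a co-installer DLL is loaded from, which is exactly the "binaries in directories where they don't belong" situation the abstract warns about. Confirm any hit with icacls and by checking what else in that directory is loaded by a SYSTEM-level process before treating it as a finding.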
We asked Oliver a few more questions about his talk.
Please tell us the top 5 facts about your talk
- The talk is about becoming admin on (almost) every Windows machine with the help of Windows’ automatic driver installation and vulnerable co-installers.
- I will report on a specific vulnerability of a Razer product and the responsible disclosure journey we took, including a few funny twists.
- While some details have been published before, we discovered a new issue after our first public disclosure and will reveal it in this presentation.
- But the general problem affects other vendors as well; it did so in the past and it probably still does right now, which is why it deserves more attention.
Actually, 4 facts should do.
How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?
I was actually preparing for another presentation where I wanted to talk about both DLL injections and recent IT security topics. Just for the story, I planned to take up the Razer co-installer exploit from summer 2022 and add an imaginary DLL injection vulnerability to it. And suddenly I realized that I didn't have to fake anything, since the DLL injection vulnerability was already there.
Why do you think this is an important topic?
My main motivation is that it is a fun story, with a few funny twists. But actually it is also an important topic indeed, since it appears that co-installers are a security risk almost no one has thought about so far. Vulnerable co-installers put a lot of Windows computers at risk, and we only discover vulnerabilities by chance. So I think it is time that the community looks into this issue and tries to discover susceptible drivers more systematically.
Is there something you want everybody to know – some good advice for our readers maybe?
I am not the first one to say this, but don’t take any reasonable assumption for granted. Maybe this goes for life in general, but at least for IT security in particular. You will be surprised what you will find when trying the impossible.
On a less philosophical note: Don’t underestimate DLL injections!
A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?
I hope a few listeners will feel motivated to go and find similar vulnerabilities. After a few golden years for pentesters and security researchers, admins will have learned that they have to disable co-installers, and Microsoft will hopefully think of a different approach to handling drivers.
Oliver works as a pen-tester for the German IT security company SySS GmbH. Besides finding vulnerabilities in applications and networks, he also enjoys presenting hacks to laypeople, for fun and awareness. This was also how he discovered the vulnerability presented in his talk. Before his practical hacking career, Oliver worked as an academic security researcher and did his PhD at KTH Royal Institute of Technology on the formal verification of separation kernels.