By Paul Ducklin,
What if you’re a gamer who wants to be a sysadmin? On someone else’s computer?
Well, apparently, until last week at least, gamer-centric mice and keyboards from popular vendor Razer could help you to do just that.
...
- You plug in a Razer gaming mouse for the first time.
- Windows detects that this device type has special software and drivers that will make it work Even Better than a regular mouse.
- Windows finds Razer’s official addons in the Windows Update cloud.
- Windows downloads and launches the offical addons so you don’t have to.
- The Razer app helpfully ends with a clickable directory name, showing you what ended up where in the installation process.
...
The problem in this case is the point at which Razer’s app helpfully displays the name of the software installation directory at the end, even though it doesn’t need to.
That’s an active link in Razer’s app, so you can right-click on it and view the directory in File Explorer.
Then, once you’re in Explorer, you can do a Shift-and-right-click and use the handy option Open PowerShell window here, giving you a command-line alternative to the existing Explorer window.
But that PowerShell prompt was spawned from the Explorer process, which was spawned from Razer’s installer, which was spawned by the automatic device installer process in Windows itself…
..which was running under the all-powerful NT AUTHORITY\SYSTEM
account, usually referred to as NTSYSTEM
or just System
for short.
So the PowerShell window is now running as System
too, which means you have almost complete control over the files, memory, processes, devices, services, kernel drivers and configuration of the computer.
Wow. A chain of good intentions all leading to an exploitable system vulnerability. I realize that Razer has (or will soon) fix this bug in their driver installation tool, but it seems to me that Microsoft should do something to prevent this from being possible in the future. Maybe do something so an installer trying to open a URL (or an Explorer process) does so at the user's normal privilege level instead of at the driver installer's level (which, of course, needs to be at a higher level in order to perform the installation).