Tuesday, August 24, 2021

Naked Security: How a gaming mouse can get you Windows superpowers!

No comments:
How a gaming mouse can get you Windows superpowers!
By Paul Ducklin,

What if you’re a gamer who wants to be a sysadmin? On someone else’s computer?

Well, apparently, until last week at least, gamer-centric mice and keyboards from popular vendor Razer could help you to do just that.
...

  • You plug in a Razer gaming mouse for the first time.
  • Windows detects that this device type has special software and drivers that will make it work Even Better than a regular mouse.
  • Windows finds Razer’s official addons in the Windows Update cloud.
  • Windows downloads and launches the offical addons so you don’t have to.
  • The Razer app helpfully ends with a clickable directory name, showing you what ended up where in the installation process.

...
The problem in this case is the point at which Razer’s app helpfully displays the name of the software installation directory at the end, even though it doesn’t need to.

That’s an active link in Razer’s app, so you can right-click on it and view the directory in File Explorer.

Then, once you’re in Explorer, you can do a Shift-and-right-click and use the handy option Open PowerShell window here, giving you a command-line alternative to the existing Explorer window.

But that PowerShell prompt was spawned from the Explorer process, which was spawned from Razer’s installer, which was spawned by the automatic device installer process in Windows itself…

..which was running under the all-powerful NT AUTHORITY\SYSTEM account, usually referred to as NTSYSTEM or just System for short.

So the PowerShell window is now running as System too, which means you have almost complete control over the files, memory, processes, devices, services, kernel drivers and configuration of the computer.

Wow. A chain of good intentions all leading to an exploitable system vulnerability. I realize that Razer has (or will soon) fix this bug in their driver installation tool, but it seems to me that Microsoft should do something to prevent this from being possible in the future. Maybe do something so an installer trying to open a URL (or an Explorer process) does so at the user's normal privilege level instead of at the driver installer's level (which, of course, needs to be at a higher level in order to perform the installation).

Tuesday, August 03, 2021

Homestar Runner rises again!

No comments:
If you have no idea what this subject line is talking about, then you missed out on what used to be one of the coolest parts of the Internet.

Homestar Runner is/was a web site full of silly animations and games, written almost entirely in Flash. Unfortunately, with the demise of Adobe Flash, most of the site ended up a giant mess of broken links. And for those of us who got rid of Flash before Adobe shut it down, the site stopped working a long time ago.

Fortunately, it appears that some enterprising engineers develpped Ruffle, a Flash Player emulator that can be embedded in web sites, and the Homestar Runner people have been busy converting their site over to it.

As its disclaimer says, "Not every cartoon and game works perfectly just yet so be patient and expect some jankiness here and there while we keep a-workin!", but it is pretty good. And I can once again enjoy all of the StrongBad Emails, not just the ones that have been converted to YouTube videos.

And since this post wouldn't be complete without them, here are a few of my all-time favorite StrongBad e-mail videos: