Razer Nightmare for SysAdmins
This topic has 5 replies, 3 voices, and was last updated 4 years, 6 months ago by Wheels-Of-Fire.
August 24, 2021 at 8:15 am #68497
All those who have retired from the world of worrying about idiot staff fiddling with company systems can heave a sigh of relief and sympathise with today’s SysAdmins who are wondering how they explain the need for staff body searches!
The problem is that a bug in Razer’s installation programs enables any staff member with hardware and USER access to plug in a cheap Razer mouse and obtain SYSTEM rights (i.e. even higher than mere Admins).
Dave’s old mates in the MOD must be doing their nuts!
August 25, 2021 at 11:05 am #68513
All peripheral equipment is monitored so you can bet they are now on a black list!
This sort of endpoint protection is common in Corporates; it’s a by-product of managing USB drives or CD burners, but a luxury for smaller businesses. I doubt many bean counters would sign this sort of software off. In theory it is simple to administer, but you need to know the hardware IDs.
August 25, 2021 at 3:44 pm #68515
As you know Dave, the real work comes when some System Auditor wonk now comes along and says
‘OK, well done. You protected everything when it became common knowledge that Razer mice were a security issue. Now prove to me that no-one has used this security hole in the last five years. It also seems to my all-powerful twenty-twenty hindsight that this may be a fundamental problem with all unapproved plug-n-play equipment. Prove to me that no-one has plugged in any unauthorised plug-n-play kit in the last seven years!’
Of course they then escalate the amount of work when it proves impossible to churn out such answers for the time before the appropriate software/hardware was installed.
As most of these Auditors previously had some Sys Admin’s job, but failed the Interpersonal skills bit, I’ll swear that they deliberately choose questions that give you the most work!
August 26, 2021 at 6:07 am #68521
Of course. I remember when an ex Post Office Regional Manager joined one of the watchdogs when sidelined in a re-organization. Revenge is a dish best served as soon as you get the chance 😉
This sort of thing can be used to leverage outsourcers too, but luckily the ultimate security decisions are usually left with a retained rump team in the business. I would have just needed to prove I did what I was bidden to by the client.
There were also all sorts of software tools around for dynamically elevating user rights; whether these would stop this activity I don’t know.
September 13, 2021 at 1:59 am #68674
How the hell did this get past the Microsoft WHQL testing?
The Windows PnP manager does indeed run from the System account so it can do its job of installing drivers.
If the PnP manager can’t find a driver locally it will visit Windows Update and look for a driver that supports the device ID it just got; if it finds one, it will download and install it.
The system is meant for signed drivers, not user mode installation programs.
Someone at MS must have been asleep when they allowed THIS driver to be signed and put on Windows Update!
September 13, 2021 at 2:11 am #68675
If you’re worried then you could try this:
https://www.laptopmag.com/articles/disable-automatic-driver-downloads-on-windows-10
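The three practical points in this thread (hardware-ID allow-listing, the PnP manager fetching drivers from Windows Update as SYSTEM, and the auditor’s “prove what has been plugged in”) can all be checked from one read-only PowerShell script. The script below is an added example, not code from any poster, from Razer or from Microsoft. It assumes Windows 10/11 and an elevated session; the registry paths and event ID are the documented Group Policy and UserPnp ones, while the 90-day window and the USB/HID filters are assumptions to adjust for your estate.

```powershell
# Added example, not from this thread: a read-only audit for Windows 10/11.
# Run in an elevated PowerShell session. It changes nothing; it reports so
# an admin can decide. Assumptions: 90-day log window, USB/HID filters.

# --- 1. May the PnP manager pull drivers from Windows Update? ---
# Group Policy "Specify search order for device driver source locations"
# writes SearchOrderConfig under the Policies key; the Device Installation
# Settings dialog (the route in the article linked above) writes the same
# value name under the CurrentVersion key. 0 = do not search Windows Update.
$driverSearchKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DriverSearching',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching'
)
foreach ($key in $driverSearchKeys) {
    $cfg = (Get-ItemProperty -Path $key -Name SearchOrderConfig -ErrorAction SilentlyContinue).SearchOrderConfig
    if ($null -eq $cfg)  { $state = 'not set (default: Windows Update is searched)' }
    elseif ($cfg -eq 0)  { $state = 'Windows Update driver search DISABLED' }
    else                 { $state = "Windows Update driver search enabled (SearchOrderConfig=$cfg)" }
    '{0}: {1}' -f $key, $state
}

# --- 2. Is a device-installation allow-list enforced? ---
# Group Policy "Prevent installation of devices not described by other policy
# settings" sets DenyUnspecified=1; permitted hardware IDs are string values
# under AllowDeviceIDs. This is the "you need to know the hardware IDs" control.
$restrictKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$deny = (Get-ItemProperty -Path $restrictKey -Name DenyUnspecified -ErrorAction SilentlyContinue).DenyUnspecified
if ($deny -eq 1) {
    'Device-install allow-list enforced (DenyUnspecified=1). Allowed IDs:'
    $allowKey = Get-Item -Path "$restrictKey\AllowDeviceIDs" -ErrorAction SilentlyContinue
    if ($allowKey) { $allowKey.GetValueNames() | ForEach-Object { '  ' + $allowKey.GetValue($_) } }
} else {
    'No device-install allow-list (DenyUnspecified not set): any user can trigger a PnP driver install.'
}

# --- 3. Inventory: every USB/HID device Windows has enumerated, present or not ---
# Get-PnpDevice without -PresentOnly also returns devices that were plugged in
# earlier and are gone now, so this is both the source for an allow-list and
# a first answer to "what has been connected" (for as long as Windows keeps
# the device node; it is not a tamper-proof record).
$inventory = Get-PnpDevice |
    Where-Object { $_.InstanceId -like 'USB\*' -or $_.InstanceId -like 'HID\*' } |
    ForEach-Object {
        $hwids = (Get-PnpDeviceProperty -InstanceId $_.InstanceId -KeyName 'DEVPKEY_Device_HardwareIds' -ErrorAction SilentlyContinue).Data
        [pscustomobject]@{
            Present      = $_.Present
            Class        = $_.Class
            FriendlyName = $_.FriendlyName
            InstanceId   = $_.InstanceId
            HardwareIds  = ($hwids -join ' | ')
        }
    }
$inventory | Sort-Object Present, Class | Format-Table -AutoSize

# --- 4. Driver installs recorded in the System event log ---
# Provider Microsoft-Windows-UserPnp, event ID 20001, is logged when Windows
# finishes installing a driver package for a device instance; the first line
# of the message names the INF and the device instance ID. Log retention
# decides how far back you can prove anything, which is the auditor's point.
$since = (Get-Date).AddDays(-90)   # assumption: set to the retention you actually have
$installs = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-UserPnp'; Id = 20001; StartTime = $since
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '(USB|HID)\\' } |
    Select-Object TimeCreated, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
$installs | Format-Table -AutoSize -Wrap

# setupapi.dev.log holds the same history in text form and often reaches back
# further than the event log; each hardware-initiated install opens with a
# ">>>  [Device Install (Hardware initiated) - <instance id>]" line.
Select-String -Path "$env:windir\INF\setupapi.dev.log" `
    -Pattern 'Device Install \(Hardware initiated\) - (USB|HID)\\' |
    ForEach-Object { $_.Line.Trim() } | Select-Object -Last 20
```

Sections 1 and 2 tell you whether the box is still exposed to the path described above (a user plugs in a device, the PnP manager fetches and runs a vendor installer package from Windows Update as SYSTEM); sections 3 and 4 are the evidence trail for the auditor’s question. Treat a clean result from 3 and 4 as “nothing recorded within the retention window”, not as proof that nothing was ever plugged in: device nodes can be removed, and both the System log and setupapi.dev.log roll over.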
