Yet Another Local Privilege Escalation Attack via Razer Synapse Installer (CVE-2021-44226)

During a research project in fall 2021, SySS IT security expert Dr. Oliver Schwarz found a security vulnerability in the Razer Synapse installer for Windows that can be exploited in a local privilege escalation attack. Because the installer uses an insecure installation path and manages privileges improperly, the installation of the associated Razer system service is vulnerable to a so-called DLL hijacking attack.

In this specific attack scenario, an attacker is able to replace a program library, i.e. a dynamic link library (DLL) file, with one that contains malicious code, or to add such a library where the installer expects one. Because the attacker-controlled code is executed in a high-privileged context, a local Windows user can exploit this security issue to obtain local administrative privileges as the Windows user account SYSTEM.

This security vulnerability can be exploited by a local Windows user who can attach a real or fake Razer USB device supported by Razer Synapse, for instance a gaming mouse, to the target system.

You can find more detailed information about this security issue in our SySS security advisory SYSS-2021-058 (CVE-2021-44226).

Furthermore, a successful local privilege escalation attack exploiting the described security vulnerability is demonstrated in our SySS PoC video Yet Another Local Privilege Escalation Attack via Razer Synapse Installer.

This reported security vulnerability has already been fixed by Razer, so the demonstrated privilege escalation attack no longer succeeds on current Windows systems running newer Razer Synapse software versions.

The assigned CVE ID concerning the demonstrated security issue is CVE-2021-44226.

As a general security measure, we recommend disabling Windows co-driver auto-installations by setting the Windows registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Installer\DisableCoInstallers to 1.
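The following PowerShell snippet is an added example, not part of the original post or of any Razer or SySS tooling: it audits whether the DisableCoInstallers value mentioned above is set to 1 and, when run with the -Remediate switch from an elevated session, sets it. The function name and switch are assumptions chosen for this example.

```powershell
# Audit (and optionally enforce) the co-installer hardening setting
# recommended above. The function name and -Remediate switch are assumptions
# chosen for this example; the registry path and value come from the post.
function Test-CoInstallerHardening {
    [CmdletBinding()]
    param(
        # When set, write DisableCoInstallers = 1 if it is missing or not 1.
        [switch]$Remediate
    )

    $keyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Installer'
    $valueName = 'DisableCoInstallers'

    # Read the current value; a missing value or key means co-installers
    # are still allowed to run during driver installation.
    $current = $null
    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -ne $item) { $current = [int]$item.$valueName }

    $hardened = ($current -eq 1)

    if (-not $hardened -and $Remediate) {
        # Create the key if needed, then set the DWORD value to 1.
        if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
        New-ItemProperty -Path $keyPath -Name $valueName -Value 1 `
            -PropertyType DWord -Force | Out-Null
        $current  = 1
        $hardened = $true
    }

    # Return a small report object so the result can be collected centrally.
    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        DisableCoInstallers = $current
        CoInstallersBlocked = $hardened
    }
}

# Example usage: audit only, then enforce (the latter requires an elevated shell).
Test-CoInstallerHardening
# Test-CoInstallerHardening -Remediate
```

Note that blocking co-installers is a system-wide setting: devices whose vendor co-installer is required for full functionality may lose features, so test the change before rolling it out broadly.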

This post is licensed under CC BY 4.0 by the author.