Additionally, if you go through the installation process and define the save dir to a user-controllable path like Desktop, a service binary is saved there which can be hijacked for persistence and is executed before user logon on boot.
I would like to update that I have been reached out by and ensured that their security team is working on a fix ASAP. Their manner of communication has been professional and I have even been offered a bounty even though publicly disclosing this issue.
This is a bit out of my comfort zone so idk, I don't see why not unless there are signatures involved. I did try it over RDP (RemoteFX enabled) and was able to trigger the installer, but the session is different from a local one so won't show the window :(
Yeah unfortunately many devices trigger downloaders via Windows Update. I think this happened to me with a Logitech webcam once, and I immediately wondered if this could be done, but I was lazy.
The problem isn't the installer itself. It's the installer running as System *and* providing a common file dialog to escape from.
Think of the attack surface of EVERY SINGLE device driver on Windows Update that is triggerable via a USB connection. All you need is a single one with a vulnerability. Physical access (or RemoteFX via RDP) is a dangerous thing indeed...