Windows co-installers, sneaky bloatware, and local privilege escalation

On 2021-08-21, security researcher @j0nh4t highlighted a local privilege escalation technique for Windows 10 which is about as simple as it gets. Plug in a Razer mouse, get an elevated PowerShell:

Need local admin and have physical access?
– Plug a Razer mouse (or the dongle)
– Windows Update will download and execute RazerInstaller as SYSTEM
– Abuse elevated Explorer to open Powershell with Shift+Right click

Tried contacting @Razer, but no answers. So here's a freebie pic.twitter.com/xDkl87RCmz
— jonhat (@j0nh4t) August 21, 2021

Lots of people have noted that this isn’t limited to Razer by any means, nor is it limited to mice. I own one Razer device – a Razer Kiyo webcam – and it is also vulnerable, because Razer decided to let the user select where the software should be installed using a UI with SYSTEM privileges. Nice.

Various other people have pointed out, not without cause, that this isn’t just a Razer problem. Razer should have listened to @j0nh4t, but this LPE, which requires almost no skill or knowledge to use, wouldn’t have been possible without Microsoft’s free and easy approach to installing stuff so it just works (PrintNightmare, anyone?)

Windows, could you please just not do this?

Still more people have suggested that the only mitigation available looks like this:

Keeping all your drivers up to date. Good call, but I don’t want to install the Razer bloatware and I never will, so it’s going to prompt me every time even if the drivers are up to date.
Controlling who has physical access to your machine. If someone’s in my house accessing my computer without my consent, I have a bigger issue anyway.
Err, that’s it. Really? No config switch to prevent Windows rolling out the red carpet and insisting we install bloatware with wide-open vulnerabilities?

Happily, there is a better way. Will Dormann, Vulnerability Analyst at the CERT/CC, points out that it is possible to tell Windows 10 that actually, no, you don’t want stuff automatically running and installing just because you’ve plugged in a mouse:

Do you not like the fact that connecting a Razer device auto-runs an arbitrary installer w/ privs?
Do you suspect that other devices may be exploitable?
Fear not!
Set HKLMSOFTWAREMicrosoftWindowsCurrentVersionDevice InstallerDisableCoInstallers = 1https://t.co/iMQ1MTO4vw https://t.co/qQM4URQEqf pic.twitter.com/Zi4VRv49TG
— Will Dormann (@wdormann) August 31, 2021

I tested it. Works for me. Here’s the .reg:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Installer]
"DisableCoInstallers"=dword:00000001Code language: JavaScript (javascript)

Learning how to learn

When another Twitter user asked, Will Dormann was also kind enough to explain how he discovered this one simple trick to stop Windows from being so annoying while simultaneously making it so easy to compromise a machine:

Sure thing. I didn't actually get the advice from anywhere. But rather, I had Process Monitor open while a new USB device triggered a driver install.
DrvInst.exe became a process of interest.
And one of the first things it looks for is DisableCoInstallers.
Set it and re-test!
— Will Dormann (@wdormann) August 31, 2021

Freedom, security, and convenience

Are there downsides to preventing automatic installation/running of whatever software has made it through the clearly lax Microsoft and vendor review processes? Sure, you will sacrifice some convenience here:

It is important to note that making this change will block a device’s configuration software from automatically being installed. Instead, you will need to download and install it from the vendor’s site manually.
Lawrence Abrams, BleepingComputer

I’m very much OK with that. Perhaps you are too.