exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Razer Synapse 3.6.x DLL Hijacking

Razer Synapse 3.6.x DLL Hijacking
Posted Mar 28, 2022
Authored by Matthias Deeg, Dr. Oliver Schwarz | Site syss.de

Razer Synapse versions prior to 3.7.0228.022817 suffer from a dll hijacking vulnerability.

tags | exploit
advisories | CVE-2021-44226
SHA-256 | 002e65d1b8885606e6754a271ca91f9be7adcbea2fcaf38560beda10596e175d

Razer Synapse 3.6.x DLL Hijacking

Change Mirror Download
Advisory ID:               SYSS-2021-058
Product: Razer Synapse
Manufacturer: Razer Inc.
Affected Version(s): Versions prior to 3.7.0228.022817
Tested Version(s): 3.6.0920.091710, 3.6.1010.101113,
3.6.1018.101823,
3.6.1130.111217, 3.6.1201.111814,
3.7.0131.011810
Vulnerability Type: Improper Privilege Management (CWE-269)
Risk Level: Critical
Solution Status: Fixed
Manufacturer Notification: 2021-10-18
Solution Date: 2022-03-07
Public Disclosure: 2022-03-23
CVE Reference: CVE-2021-44226
Authors of Advisory: Dr. Oliver Schwarz, SySS GmbH
Matthias Deeg, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Razer Synapse is an additional driver software for Razer gaming devices.
The manufacturer describes the product as a "unified cloud-based hardware
configuration tool" (see [1]).

Due to an unsafe installation path and improper privilege management,
the associated system service "Razer Synapse Service" is vulnerable to
DLL hijacking.
As a result, local Windows users can abuse the Razer driver installer to
obtain administrative privileges on Windows.

In order to exploit the vulnerability, the attacker needs physical
access to the machine and needs to prepare the attack before Razer
Synapse is installed along with a Razer driver.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The attack scenario considers a Windows machine without any previous
installation of any Razer device or software.
The attacker has a local unprivileged Windows account, physical access
to the machine, and a device which is either a Razer peripheral or able
to pretend to be one (such as a Bash Bunny or a Raspberry Pi Zero).
The attacker aims at executing code with full system privileges.

The attack exploits the Razer Synapse Service which runs with elevated
privileges. While the main binary of the service is stored in the
protected location "C:\Program Files (x86)\Razer\Synapse3\Service", it
dynamically loads libraries from
"C:\ProgramData\Razer\Synapse3\Service\bin".
Before the installation, standard users can write to this path, since
"C:\ProgramData" is world-writable on a standard installation of Windows.

The Synapse installation procedure changes access privileges, so that
standard users cannot write to the path any longer. In addition, it
removes any previous files in that location.
Furthermore, upon service start, the location is checked for DLLs that
do not originate from Razer.

However, if the path is created before the driver installation, the
creator remains owner of the object and can still change directory and
file permissions. In particular, the creator can deny access for the
SYSTEM user and grant access for the attacker's user.

The attack consists of three phases:

1. Before the installation of the driver/Synapse, the attacker creates
"C:\ProgramData\Razer\Synapse3\Service" and denies write-access for
SYSTEM.

2. Afterwards, the attacker triggers the installation of Synapse.
This can be done without any elevated privileges by plugging in a
Razer device and following the installation procedure for Synapse,
if device-specific co-installers are not disabled.
Alternatively, a device such as Bash Bunny or a Raspberry Pi Zero
can be used and pretend to be a Razer device.

3. After the installation of Synapse has finished, the attacker grants
full access to "C:\ProgramData\Razer\Synapse3" for both the SYSTEM
user and the own low-privileged user account. Afterwards, the
attacker places a prepared set of DLLs into
"C:\ProgramData\Razer\Synapse3\Service\bin" and restarts the Razer
Synapse Service, typically, by restarting the machine.

SySS GmbH chose the following set of DLLs for a proof of concept:

* RzLightingEngine.dll from the original installation
* RSy3_LightingEffects.dll from the original installation
* userenv_orig.dll, a copy from the standard Windows DLL at
"C:\Windows\SysWOW64\userenv.dll"
* userenv.dll, a malicious 32-bit DLL that creates a new admin user
and redirects to userenv_orig.dll otherwise

The attack has been successfully tested for the following versions of
Razer Synapse:

* 3.6.0920.091710
* 3.6.1010.101113
* 3.6.1018.101823
* 3.6.1130.111217
* 3.6.1201.111814

A modified version of the exploit has been successfully tested
against version 3.7.0131.011810.

The attack has been successfully tested on the following versions of
Windows:

* Windows 10 Enterprise 20H2 19042.1237
* Windows 10 Pro 20H2 19042.1237
* Windows 10 Pro 21H1 19043.1237
* Windows 10 Pro 21H1 19043.1266


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Razer has published a patched version that will be deployed automatically
upon driver installation on current Windows builds.

To prevent similar attacks through other co-installers, system
administrators can disable them by setting the following key in the
Windows registry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Device
Installer\DisableCoInstallers = 1

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2021-10-07: Vulnerability discovered
2021-10-11: Initial contact to Razer support
2021-10-18: Vulnerability reported to manufacturer
2022-01-18: First direct contact with developer team
2022-02-03: First fix attempt (3.7.0131.011810) announced to SySS GmbH
2022-03-07: Final fix (3.7.0228.022817) announced to SySS GmbH
2022-03-23: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for Razer Synapse 3
https://www2.razer.com/eu-en/synapse-3
[2] SySS Security Advisory SYSS-2021-058

https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-058.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/responsible-disclosure-policy
[4] SySS Proof of Concept Video
https://www.youtube.com/watch?v=P75BtYcnZ-A

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Dr. Oliver Schwarz of SySS GmbH.

E-Mail: oliver.schwarz@syss.de
Public Key:
https://www.syss.de/fileadmin/dokumente/PGPKeys/Oliver_Schwarz.asc
Key ID: 0x9716294F1294280D
Key Fingerprint: D452 B014 E992 2886 E799 6B43 9716 294F 1294 280D

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close