Skip to main content


Showing posts from 2020

CVE-2020-16602 - Remote File Execution on Razer Chroma SDK Server (<= v3.12.17)

Introduction This writeup is about a remote file execution vulnerability I found on the Razer Chroma SDK Server that comes with Razer Synapse. It chains several issues to enable me to remotely execute a file on the user’s system. This issue is still present in the latest version which is 3.12.17. Issue 1 The Chroma Server listens binds on all network interfaces and listens on port 54236. The server also does a hostname check to make sure that it is being accessed as instead of an IP address. External clients can modify their hosts file to alias an IP address to in order to access a remote Chroma Server. Issue 2 When the server receives a call to register an app (via a REST call), it will create a folder in C:\ProgramData\Razer Chroma SDK\Apps\<appname> and write 3 files, ChromaAppInfo.xml, appname.exe and a DLL. When these files are created, they are only modifiable by admin. The server will then execute the appname.exe file. However, the C:\Pr