Skip to main content

Posts

Showing posts from 2020

CVE-2020-16602 - Remote File Execution on Razer Chroma SDK Server (<= v3.12.17)

Introduction This writeup is about a remote file execution vulnerability I found on the Razer Chroma SDK Server that comes with Razer Synapse. It chains several issues to enable me to remotely execute a file on the user’s system. This issue is still present in the latest version which is 3.12.17. Issue 1 The Chroma Server listens binds on all network interfaces and listens on port 54236. The server also does a hostname check to make sure that it is being accessed as https://chromasdk.io/ instead of an IP address. External clients can modify their hosts file to alias an IP address to chromasdk.io in order to access a remote Chroma Server. Issue 2 When the server receives a call to register an app (via a REST call), it will create a folder in C:\ProgramData\Razer Chroma SDK\Apps\<appname> and write 3 files, ChromaAppInfo.xml, appname.exe and a DLL. When these files are created, they are only modifiable by admin. The server will then execute the appname.exe file. However, the C:\Pr