This writeup is about a remote file execution vulnerability I found in the Razer Chroma SDK Server that ships with Razer Synapse. It chains several issues to let me remotely execute a file on the user's system.
This issue is still present in the latest version, 3.12.17.
The Chroma Server binds to all network interfaces and listens on port 54236. The server also performs a hostname check to make sure it is being accessed as https://chromasdk.io/ rather than via an IP address. An external client can bypass this by adding a hosts-file entry that maps chromasdk.io to the IP address of the remote machine, and then reach that machine's Chroma Server.
When the server receives a REST call to register an app, it creates a folder at C:\ProgramData\Razer Chroma SDK\Apps\<appname> and writes three files into it: ChromaAppInfo.xml, appname.exe and a DLL. When the server creates these files itself, they are writable only by administrators.
The server will then execute the appname.exe file.
However, the C:\ProgramData\Razer Chroma SDK\Apps\ folder itself is user-writable. If a user process creates the app folder (e.g. "testapp") and the file testapp.exe inside it before calling the register endpoint, the server overwrites that file with its pre-canned content but does not reset the file's permissions before executing it.
Figure 1: CopyFile() (https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-copyfile)
Thus, there is a small window of time in which an external user process can change this file before the server executes it. Because the server launches it with CreateProcessAsUser using the current user's token, there is no privilege escalation.
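An added audit script (not part of the original writeup, nor Razer's code) that checks for the precondition described above on a host: whether the Apps root is writable by non-admin principals, and whether any app executable under it still carries such write rights or is owned by a regular user rather than the server. The list of "broad" principals and the expectation that server-written files are owned by an administrative account are assumptions of this example.

```powershell
# Audit the Chroma SDK Apps folder for the race precondition described above:
# a user-writable root and app executables whose DACL still grants write access
# to low-privilege principals (i.e. the server did not reset permissions).
$appsRoot = 'C:\ProgramData\Razer Chroma SDK\Apps'

# Assumption: these principals should never hold write rights on server-managed files.
$broadPrincipals = @(
    'BUILTIN\Users',
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these rights lets a principal replace the file's contents.
$writeMask = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

function Test-BroadWriteAccess {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeMask) -ne 0) { return $true }
    }
    return $false
}

if (-not (Test-Path -LiteralPath $appsRoot)) {
    Write-Output "Apps root not found: $appsRoot"
    return
}

# The writable root is the precondition the race relies on.
if (Test-BroadWriteAccess $appsRoot) {
    Write-Output "Apps root is writable by non-admin principals: $appsRoot"
}

# Each app's executable is what the server launches; flag any that a user could still modify
# or that a user created (owner is not an administrative account).
Get-ChildItem -LiteralPath $appsRoot -Directory | ForEach-Object {
    Get-ChildItem -LiteralPath $_.FullName -Filter '*.exe' -File | ForEach-Object {
        $owner = (Get-Acl -LiteralPath $_.FullName).Owner
        if (Test-BroadWriteAccess $_.FullName) {
            Write-Output ("User-writable app executable: {0} (owner: {1})" -f $_.FullName, $owner)
        } elseif ($owner -notin @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')) {
            Write-Output ("App executable with non-admin owner: {0} (owner: {1})" -f $_.FullName, $owner)
        }
    }
}
```

Run it from an elevated prompt so Get-Acl can read every entry; a hit on either check means the folder is in the state the race depends on and the ACLs should be corrected.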
Video of PoC