
CVE-2020-16602 - Remote File Execution on Razer Chroma SDK Server (<= v3.12.17)


This writeup is about a remote file execution vulnerability I found on the Razer Chroma SDK Server that comes with Razer Synapse. It chains several issues to enable me to remotely execute a file on the user’s system.

This issue is still present in the latest version which is 3.12.17.

Issue 1

The Chroma Server binds to all network interfaces and listens on port 54236. The server also does a hostname check to make sure that it is being accessed as instead of an IP address. External clients can modify their hosts file to alias an IP address to in order to access a remote Chroma Server.

Issue 2

When the server receives a call to register an app (via a REST call), it will create a folder in C:\ProgramData\Razer Chroma SDK\Apps\<appname> and write 3 files: ChromaAppInfo.xml, appname.exe and a DLL. When these files are created, they are only modifiable by an administrator.

The server will then execute the appname.exe file.

However, the C:\ProgramData\Razer Chroma SDK\Apps\ folder is user writable. If a user process creates an app folder (e.g. “testapp”) and creates the file testapp.exe in it before calling the register endpoint, the server will overwrite the file with its pre-canned data, but will not reset the permissions before executing the executable file.

Figure 1 CopyFile():

Thus, there is a small window of time in which an external user process can change this file before the server executes it. As the server executes it with CreateProcessAsUser using the current user's token, there is no privilege escalation.
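The precondition for the overwrite race described above is an app folder or binary under the Apps directory whose DACL still grants write access to a low-privileged principal. The following PowerShell audit is an added example, not code from the writeup or from Razer: it walks C:\ProgramData\Razer Chroma SDK\Apps and reports every directory, .exe or .dll that a non-administrative principal can modify. The list of low-privileged principals is an assumption and should be adjusted for the environment.

```powershell
# Added example (not from the original writeup): audit the Razer Chroma SDK
# Apps folder for directories and binaries writable by low-privileged users.
$AppsRoot = 'C:\ProgramData\Razer Chroma SDK\Apps'

# Any of these rights lets a caller replace file contents.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

# Principals treated as low-privileged (assumption; extend for domain groups).
$LowPrivPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'Everyone'
)

function Test-LowPrivWritable {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band [int]$WriteMask) -ne 0) { return $true }
    }
    return $false
}

function Get-ChromaAppsWritableFindings {
    param([string]$Root = $AppsRoot)
    if (-not (Test-Path -LiteralPath $Root)) { return @() }
    $findings = @()
    # A user-writable root is what lets a caller pre-create the app folder.
    if (Test-LowPrivWritable -Path $Root) {
        $findings += [pscustomobject]@{ Path = $Root; Kind = 'apps root' }
    }
    foreach ($dir in Get-ChildItem -LiteralPath $Root -Directory) {
        if (Test-LowPrivWritable -Path $dir.FullName) {
            $findings += [pscustomobject]@{ Path = $dir.FullName; Kind = 'app folder' }
        }
        # The server executes <appname>.exe; a writable binary here is the race target.
        foreach ($bin in Get-ChildItem -LiteralPath $dir.FullName -File -Recurse -Include *.exe, *.dll) {
            if (Test-LowPrivWritable -Path $bin.FullName) {
                $findings += [pscustomobject]@{ Path = $bin.FullName; Kind = 'binary' }
            }
        }
    }
    return $findings
}

Get-ChromaAppsWritableFindings | Format-Table -AutoSize
```

An empty result means no app folder or binary under the Apps root is writable by the listed principals; a finding of kind 'apps root' reproduces the condition the writeup relies on even when no app has been registered yet.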

Video of PoC 



Lumin said…
Hi, I am doing a Uni project and our group of 2 has decided to use your exploit to present to the class. If it's ok with you, can I ask you a few questions about this ^.^
