AttackerKB AKB:7D996D56-9B27-4379-8D97-3832A9C3E0E9
Aug 02, 2017 - 12:00 a.m.

CVE-2017-9770


EPSS: 0.0004 (Low), percentile: 12.9%

A specially crafted IOCTL can be issued to the rzpnk.sys driver in Razer Synapse that can cause an out of bounds read operation to occur due to a field within the IOCTL data being used as a length.

Recent assessments:

zeroSteiner at December 18, 2019 1:17am UTC reported:

A vulnerability exists within the Razer Synapse driver rzpnk.sys in the IOCTL dispatch routine for 0x226048 that can allow an attacker to pass an input buffer which can trigger an out of bounds read operation. A handle can be opened to issue this IOCTL from \\.\47CD78C9-64C3-47C2-B80F-677B887CF095. The result will cause a denial of service condition on the system in the form of a blue screen of death (BSOD).

The first four bytes of the buffer are used as the size, first to allocate space and then to read from the source. Since the allocation is of the proper size, an out of bounds write cannot be accomplished. If, however, the specified size is larger than the buffer, then the memcpy will continue to read data after the buffer ends.

Build the buffer to trigger the exception in Python:

```python
import struct

# the first 4 bytes are the size then it must be padded to at least 0x220 bytes
buffer_ = struct.pack('I', 0x70000000) + (b'\x00' * 0x21c)
```

Proof of Concept code:
<https://gist.github.com/zeroSteiner/829c313b942f944375b67a6535f01992#file-cve_2017_9770-py>

Assessed Attacker Value: 2
Assessed Attacker Value: 2Assessed Attacker Value: 5
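
The length handling described in the assessment above, modelled in user-mode C next to a bounds-checked form. This is an added example, not code from rzpnk.sys, the linked PoC or the original page. The function names, the copy starting at offset 0 of the input buffer, and the lower bound on the size field are assumptions; only the four-byte size field and the 0x220-byte minimum come from the page.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MIN_INPUT_LEN 0x220u  /* minimum input size given in the assessment */

/* Pattern described above: the embedded size field drives both the allocation
 * and the copy, so the write stays in bounds but the read does not. */
uint8_t *copy_unchecked(const uint8_t *in, size_t in_len, size_t *out_len)
{
    uint32_t claimed;
    if (in_len < MIN_INPUT_LEN) return NULL;
    memcpy(&claimed, in, sizeof claimed);
    uint8_t *copy = malloc(claimed);
    if (copy == NULL) return NULL;
    memcpy(copy, in, claimed);  /* reads past in + in_len when claimed > in_len */
    *out_len = claimed;
    return copy;
}

/* Hardened form: the size field is bounded by the length the caller actually
 * supplied (InputBufferLength in a real dispatch routine) before any use. */
uint8_t *copy_checked(const uint8_t *in, size_t in_len, size_t *out_len)
{
    uint32_t claimed;
    if (in == NULL || in_len < MIN_INPUT_LEN) return NULL;
    memcpy(&claimed, in, sizeof claimed);
    if (claimed < sizeof claimed || claimed > in_len) return NULL;
    uint8_t *copy = malloc(claimed);
    if (copy == NULL) return NULL;
    memcpy(copy, in, claimed);
    *out_len = claimed;
    return copy;
}

/* Constructed request of MIN_INPUT_LEN bytes carrying the given size field;
 * returns the byte count copy_checked() copied, or 0 if it was rejected. */
size_t checked_result(uint32_t claimed)
{
    uint8_t req[MIN_INPUT_LEN] = {0};
    size_t n = 0;
    memcpy(req, &claimed, sizeof claimed);
    uint8_t *copy = copy_checked(req, sizeof req, &n);
    if (copy == NULL) return 0;
    free(copy);
    return n;
}

int main(void) { return checked_result(0x220) == 0x220 ? 0 : 1; }
```

In a real driver the same comparison is made against the input length reported for the request, and a failing request is completed with an error status before any allocation happens.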
