Vulnerabilities > CVE-2017-9769 - Unspecified vulnerability in Razer Synapse 2.20.15.1104
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
A specially crafted IOCTL can be issued to the rzpnk.sys driver in Razer Synapse 2.20.15.1104 that is forwarded to ZwOpenProcess allowing a handle to be opened to an arbitrary process.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 1 |
Exploit-Db
| description | Razer Synapse 2.20.15.1104 - rzpnk.sys ZwOpenProcess (Metasploit). CVE-2017-9769. Local exploit for Win_x86-64 platform. Tags: Metasploit Framework |
| file | exploits/windows_x86-64/local/42368.rb |
| id | EDB-ID:42368 |
| last seen | 2017-07-24 |
| modified | 2017-07-24 |
| platform | windows_x86-64 |
| port | |
| published | 2017-07-24 |
| reporter | Exploit-DB |
| source | https://www.exploit-db.com/download/42368/ |
| title | Razer Synapse 2.20.15.1104 - rzpnk.sys ZwOpenProcess (Metasploit) |
| type | local |
Metasploit
| description | A vulnerability exists in the latest version of Razer Synapse (v2.20.15.1104 as of the day of disclosure) which can be leveraged locally by a malicious application to elevate its privileges to those of NT_AUTHORITY\SYSTEM. The vulnerability lies in a specific IOCTL handler in the rzpnk.sys driver that passes a PID specified by the user to ZwOpenProcess. This can be issued by an application to open a handle to an arbitrary process with the necessary privileges to allocate, read and write memory in the specified process. This exploit leverages this vulnerability to open a handle to the winlogon process (which runs as NT_AUTHORITY\SYSTEM) and infect it by installing a hook to execute attacker controlled shellcode. This hook is then triggered on demand by calling user32!LockWorkStation(), resulting in the attacker's payload being executed with the privileges of the infected winlogon process. In order for the issued IOCTL to work, the RazerIngameEngine.exe process must not be running. This exploit will check if it is, and attempt to kill it as necessary. The vulnerable software can be found here: https://www.razerzone.com/synapse/. No Razer hardware needs to be connected in order to leverage this vulnerability. This exploit is not opsec-safe due to the user being logged out as part of the exploitation process. |
| id | MSF:EXPLOIT/WINDOWS/LOCAL/RAZER_ZWOPENPROCESS |
| last seen | 2020-06-14 |
| modified | 1976-01-01 |
| published | 1976-01-01 |
| references | |
| reporter | Rapid7 |
| source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/local/razer_zwopenprocess.rb |
| title | Razer Synapse rzpnk.sys ZwOpenProcess |
Packetstorm
| data source | https://packetstormsecurity.com/files/download/143450/razer_zwopenprocess.rb.txt |
| id | PACKETSTORM:143450 |
| last seen | 2017-07-24 |
| published | 2017-07-22 |
| reporter | Spencer McIntyre |
| source | https://packetstormsecurity.com/files/143450/Razer-Synapse-rzpnk.sys-ZwOpenProcess.html |
| title | Razer Synapse rzpnk.sys ZwOpenProcess |