Vulnerabilities > CVE-2017-9769 - Unspecified vulnerability in Razer Synapse 2.20.15.1104

047910
CVSS 9.8 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
razer
critical
exploit available
metasploit

Summary

A specially crafted IOCTL can be issued to the rzpnk.sys driver in Razer Synapse 2.20.15.1104 that is forwarded to ZwOpenProcess allowing a handle to be opened to an arbitrary process.

Vulnerable Configurations

Part Description Count
Application
Razer
1

Exploit-Db

descriptionRazer Synapse 2.20.15.1104 - rzpnk.sys ZwOpenProcess (Metasploit). CVE-2017-9769. Local exploit for Win_x86-64 platform. Tags: Metasploit Framework
fileexploits/windows_x86-64/local/42368.rb
idEDB-ID:42368
last seen2017-07-24
modified2017-07-24
platformwindows_x86-64
port
published2017-07-24
reporterExploit-DB
sourcehttps://www.exploit-db.com/download/42368/
titleRazer Synapse 2.20.15.1104 - rzpnk.sys ZwOpenProcess (Metasploit)
typelocal

Metasploit

descriptionA vulnerability exists in the latest version of Razer Synapse (v2.20.15.1104 as of the day of disclosure) which can be leveraged locally by a malicious application to elevate its privileges to those of NT_AUTHORITY\SYSTEM. The vulnerability lies in a specific IOCTL handler in the rzpnk.sys driver that passes a PID specified by the user to ZwOpenProcess. This can be issued by an application to open a handle to an arbitrary process with the necessary privileges to allocate, read and write memory in the specified process. This exploit leverages this vulnerability to open a handle to the winlogon process (which runs as NT_AUTHORITY\SYSTEM) and infect it by installing a hook to execute attacker controlled shellcode. This hook is then triggered on demand by calling user32!LockWorkStation(), resulting in the attacker's payload being executed with the privileges of the infected winlogon process. In order for the issued IOCTL to work, the RazerIngameEngine.exe process must not be running. This exploit will check if it is, and attempt to kill it as necessary. The vulnerable software can be found here: https://www.razerzone.com/synapse/. No Razer hardware needs to be connected in order to leverage this vulnerability. This exploit is not opsec-safe due to the user being logged out as part of the exploitation process.
idMSF:EXPLOIT/WINDOWS/LOCAL/RAZER_ZWOPENPROCESS
last seen2020-06-14
modified1976-01-01
published1976-01-01
references
reporterRapid7
sourcehttps://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/local/razer_zwopenprocess.rb
titleRazer Synapse rzpnk.sys ZwOpenProcess

Packetstorm

data sourcehttps://packetstormsecurity.com/files/download/143450/razer_zwopenprocess.rb.txt
idPACKETSTORM:143450
last seen2017-07-24
published2017-07-22
reporterSpencer McIntyre
sourcehttps://packetstormsecurity.com/files/143450/Razer-Synapse-rzpnk.sys-ZwOpenProcess.html
titleRazer Synapse rzpnk.sys ZwOpenProcess