Vulnerability: Razer Surround Elevation of Privilege through Insecure folder/file permissions

I hope that this post serves as a motivator for folks who see vulnerability research as an intimidating area to get started in. While this bug can be considered simple, the primary purpose of this post is to outline the methodology behind how to get started and what to look for. Additionally, I'd like it to serve as a reminder not to discount the low-hanging fruit, no matter how large the organization.

Razer Surround installs a service named “RzSurroundVADStreamingService” that runs as SYSTEM. This service runs “RzSurroundVADStreamingService.exe” out of “C:\ProgramData\Razer\Synapse\Devices\Razer Surround\Driver”. The permissions on RzSurroundVADStreamingService.exe and “C:\ProgramData\Razer\Synapse\Devices\Razer Surround\Driver” allow for overwriting the service binary with a malicious one, resulting in elevation of privilege to SYSTEM.

When doing vulnerability research, picking a target to go after can be challenging. Hunting for bugs in large software platforms can be intimidating, as there is an assumption that all vulnerabilities are complex and take a special skill set to identify. I'd like to use this vulnerability as an example of why the act of hunting for vulnerabilities isn't as hard as it sounds.

How do you identify a piece of software to begin hunting for vulnerabilities in? The answer is simple: investigate what interests you. You may ask, why Razer? In this case, I own various Razer products. It is hard to ignore the urge to look when you use a product and the software associated with it every day.

When looking for vulnerabilities, there is a common workflow that I follow once the software of interest is installed. This stage involves analyzing the potential attack surface that the target software has exposed. I typically start with the basics and then resort to dynamic/static analysis if needed. The things I typically look for initially are:

- Installed services (both the service permissions and the service executable/path permissions).
- Log file permissions in folders like C:\ProgramData.

As far as tooling goes, I mostly stick to Process Monitor and James Forshaw's NtObjectManager project.

In the instance of Razer Surround, I began by checking what privileged processes the software uses by looking at the process list. This revealed that “RzSurroundVADStreamingService.exe” was running as “NT AUTHORITY\SYSTEM”. The next step was to figure out how that process was being started. Given that the name of the process has “service” in it, that is a good starting point. To verify, it was easy enough to run “Get-Service *Rz*” in PowerShell, which returned all of the services with “Rz” in the name. This led me to the “RzSurroundVADStreamingService” system service, with the ImagePath set to the executable of interest. After dumping the ImagePath, the location of the service executable stood out, as it was running out of “C:\ProgramData\Razer\Synapse\Devices\Razer Surround\Driver\”.

Why is this interesting? By default, “BUILTIN\Users” have “GenericWrite” access to C:\ProgramData. A very common error that software developers make is not properly locking down the permissions of any created subfolders in C:\ProgramData. If an installer simply creates a folder in C:\ProgramData, that folder and any subfolders will have the inherited permissions of C:\ProgramData, which include the “GenericWrite” access right for “BUILTIN\Users”. Improper file and folder permissions were the culprit in this case, as “Everyone” was eventually granted “FullControl” over any files in “C:\ProgramData\Razer\Synapse\Devices\Razer Surround\Driver”. As previously noted, this path is where the “RzSurroundVADStreamingService” ImagePath for the service executable was pointing.

Given that a low-privileged user has “FullControl” over the folder and the included files, it is possible to simply replace the service executable for the “RzSurroundVADStreamingService” system service. Once the payload is copied, rebooting the host will cause the service to start the new executable as SYSTEM. In this instance, the new service executable will start cmd.exe as SYSTEM.

Razer fixed this vulnerability by moving “RzSurroundVADStreamingService.exe” and the associated dependencies to a secured location in “C:\Program Files (x86)\Razer”.

As committed as SpecterOps is to transparency, we acknowledge the speed at which attackers adopt new offensive techniques once they are made public.
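The service-path permission check described above can be turned into an audit that covers every installed service at once. The following PowerShell script is an added example, not code from the original post or from Razer: it enumerates services, resolves each ImagePath to its executable, and reports any whose binary or containing folder grants write-capable rights to Everyone, BUILTIN\Users or similar low-privileged principals (the principal list and rights mask are my assumptions; run it from an elevated prompt on the host being audited).

```powershell
# Added audit example: flag services whose executable, or the folder that
# contains it, is writable by principals every local user belongs to.

# Assumed set of low-privileged principals worth flagging.
$LowPrivIdentities = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a caller replace a file or rename/delete entries in a folder.
# Modify already includes Write and Delete; FullControl is a superset of Modify.
# Inherit-only ACEs may carry GENERIC_WRITE / GENERIC_ALL, so include those too.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'Modify, ChangePermissions, TakeOwnership'
$WriteMask = $WriteMask -bor 0x40000000 -bor 0x10000000   # GENERIC_WRITE, GENERIC_ALL

function Get-ServiceExecutablePath {
    param([string]$ImagePath)
    # Expand %SystemRoot%-style variables, strip quotes, drop arguments after ".exe".
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath).Trim('"')
    if ($p -match '^(.*?\.exe)') { return $Matches[1] }
    return $p
}

function Test-LowPrivWritable {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivIdentities -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -ne 0) {
            return "$($ace.IdentityReference): $($ace.FileSystemRights)"
        }
    }
    return $null
}

Get-CimInstance Win32_Service | ForEach-Object {
    $exe = Get-ServiceExecutablePath $_.PathName
    if (-not $exe) { return }
    $fileHit = Test-LowPrivWritable $exe
    $dirHit  = Test-LowPrivWritable (Split-Path -Path $exe -Parent)
    if ($fileHit -or $dirHit) {
        [pscustomobject]@{ Service = $_.Name; RunsAs = $_.StartName
                           Executable = $exe; FileACE = $fileHit; FolderACE = $dirHit }
    }
} | Format-Table -AutoSize
```

Any row whose RunsAs is LocalSystem with a non-empty FileACE or FolderACE is a candidate for exactly the misconfiguration this post describes; the fix is to move the binary under a protected location such as Program Files or to strip the inherited write rights from the installer-created folder.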