Razer Synapse 3 Profiles Download Razer Chroma
Download Razer Chroma, their software meant to customize the colors and Download Razer Synapse if.Vulnerability: Razer Synapse Windows Service EoPBrief Description: The Razer Synapse software has a service (Razer Synapse Service) that runs as “NT AUTHORITY\SYSTEM” and loads multiple. Question about LED controllers. Control RGB lighting and fan speeds, program keyboard macros.Product Version: Razer Synapse 3 (.112711) Windows ClientRazer Synapse 3 gaming software by Razer lets you customize and configure your Razer products.On the surface, it sounds simple, but it comes with a host of features like multiple profiles, cloud storage, Razer Hypershift to quickly unlock secondary functions, a wide range of macro capabilities, control of your Chrome RGB, and even voice commands to use with Alexa smart speakers.Chroma profiles synapse 3. -+- ADD A SHORTCUT SYNAPSE KEYBOARD PROFILES MODULES GLOBAL SHORTCUTS PHILIPS CHROMA STUDIOCORSAIR iCUE software connects all your compatible products together in a single interface. This feature only works for Razer Synapse 3-enabled device inputs. SYNAPSE KEYBOARD PROFILES MODULES GLOBAL SHORTCUTS DASHBOARD SHORTCUTS Global shortcuts are custom key combinations that work across all device profiles.
This means that to trigger the assembly loading code path, the box needs to be rebooted. Hijacking an existing assembly can be challenging as low privileged users do not have rights to stop or start the Razer Synapse service. For efficient exploitation, it is important to fully understand the conditions in which an assembly can be loaded successfully.The first issue to tackle is getting a malicious assembly planted in such a way that the service will try to load it.
This means that it is possible to use a tool such as SigPirate to clone the certificate from a valid Razer assembly onto a malicious one, due to the fact that the signature of said assembly is never actually verified.Once the assembly passes the certificate check, the service will then load it into the current app domain via Assembly.LoadFile(). NET assemblies before loading them is good, the implementation wasn’t robust, as X509Certificate.CreateFromSignedFile() only extracts the certificate chain and in no way attests the validity of the signature of the file being checked ( ). While the thought behind checking the trust of. This is done by grabbing certificate information from “Razer.cer”, calling X509Certificate.CreateFromSignedFile() on each assembly and then comparing the certificate chain from Razer.cer with the assembly being loaded.If the certificate chain on the assembly doesn’t match that of Razer.cer, the service will not load it. Looking at the service, this problem is solved pretty easily as it recursively enumerates all DLLs in “C:\ProgramData\Razer\*”.This means that we can simply drop an assembly in one of the folders (C:\ProgramData\Razer\Synapse3\Service\bin, for example) and it will be treated the same as an existing, valid assembly.After recursively enumerating all DLLs in “C:\ProgramData\Razer\*”, the service attempts to ensure those identified assemblies are signed by Razer.
Write a custom assembly that implements the IPackage interface from the SimpleInjector project All that needs done is to add malicious logic in the “RegisterServices()” method within the IPackage interface of our malicious assembly.At this point, we have found ways to abuse all of the requirements to get elevated code-execution. Once this is done for all the assemblies found in “C:\ProgramData\Razer\*”, the list is then passed to SimpleInjector’s “ RegisterPackages() ” function.RegisterPackages() will take the list of “verified” assemblies and call the “ RegisterServices() ” function within the IPackage interface of each assembly.This is the point in which we, as an attacker, can execute malicious code. Once the service validates the certificate chain of the assembly and verifies the presence of IPackage, it adds the assembly to a running list. The only requirement to pass this check is to implement the IPackage interface in our malicious assembly. After doing so, the service will check to make sure there is an IPackage interface implemented.This interface is specific to the SimpleInjector project, which is well documented.
Once the reference is added, we just need to implement the interface and add malicious logic. To do so, a reference to the “SimpleInjector” and “SimpleInjector.Packaging” assemblies need to be added from the SimpleInjector project. First, we need to create our malicious assembly that implements the required IPackage interface. Drop the final malicious assembly into “C:\ProgramData\Razer\Synapse3\Service\bin”After understanding the requirements to get arbitrary code-execution in an elevated context, we can now exploit it. Compile the assembly and use a tool such as SigPirate to clone the certificate chain from a valid Razer assembly
By validating the integrity of the file, an attacker can no longer clone the certificate off of a signed Razer file as the signature of the newly cloned file will not be valid.For additional reading on trust validation, I encourage you to read the whitepaper “ Subverting Trust in Windows ” by Matt Graeber. The service will now call “WinTrust.VerifyEmbeddedSignature() right after pulling all the “*.dll” files from the Razer directory.When looking at “WinTrust.VerifyEmbeddedSignature()”, the function utilizes “WinTrust.WinVerifyTrust()” to validate that the file being checked has a valid signature (through WinVerifyTrust() ).If the file has a valid signature AND the signer is by Razer, then the service will continue the original code path of checking for a valid IPackage interface before loading the assembly. Once the host restarts, you will see that “Razer Synapse Service.exe” (running as SYSTEM) will have loaded “lol.dll” out of “C:\ProgramData\Razer\Synapse3\Service\bin”, causing the “RegisterServices()” method in the implemented IPackage interface to execute cmd.exe.When the service loads “lol.dll”, it sees it as valid due to the cloned certificate, and EoP occurs due to the “malicious” logic in the IPackage implementation.Razer fixed this by implementing a new namespace called “Security.WinTrust”, which contains functionality for integrity checking. The last step is to drop “lol.dll” in “C:\ProgramData\Razer\Synapse3\Service\bin” and reboot the host. Since the service is using X509Certificate.CreateFromSignedFile() without any signature validation, we can simply clone the certificate from a signed Razer assembly using SigPirate :Using “Get-AuthenticodeSignature” in PowerShell, we can verify that the certificate was applied to our “lol.dll” assembly that was created from SigPirate:At this point, we have a malicious assembly with a “backdoored” IPackage interface that has a cloned certificate chain from a valid Razer assembly. Once compiled, we need to pass the certificate chain check.
Once I was provided an internal contact, the timeline and experience improved drastically. Submitted additional information to Razer’s H1 program, along with notice to Razer’s Manager of Information Security : I was contacted by someone at Razer with a link to an internal build for remediation verification : Per their request, provided feedback on the implemented mitigation via the H1 report : Asked for a timeline update for the fixed build to be provided to the public (via H1) : Informed that the build is now available to the public: Requested permission for public disclosure: Permission for public disclosure granted by Razer*Note: While the disclosure timeline was lengthy, I have to assume it was due to a disconnect between the folks at Razer managing the H1 program and the folks at Razer working on the fix. I was provided context that a fix would be pushed out to the public in a couple of weeks : Pulled down the latest Synapse 3 build and investigated vulnerable code path. No response : Asked for a security contact for Razer via Twitter : H1 program manager reached out to investigate the H1 report : Razer CEO Min-Liang Tan reached out directly asking for a direct email to pass to the security team : The Information Security Manager and SVP of Software reached out directly via email.
0 kommentar(er)
