Razer Cortex Unquoted Search Path Vulnerability - $750 USD
I found this bug in the Razer Cortex service, version 188.8.131.52. By default RzKLService.exe runs as SYSTEM, and at logon it launches RazerCortex.exe with administrator privileges. The way it builds the command line for that launch leaves the path to RazerCortex.exe unquoted, so the launch is vulnerable to an unquoted search path hijack: when a command line contains spaces and no quotes, Windows tries each space-delimited prefix of it as an executable name (appending .exe) before it reaches the full path, and whichever of those candidates exists first is the one that runs. The candidate that matters here is

C:\Program Files (x86)\Razer\Razer.exe

which does not exist on a default install. If an attacker places a malicious binary at that path (this requires write access to C:\Program Files (x86)\Razer, which a standard user only has if the installer's ACLs grant it), then every time a user logs in the attacker's binary is executed with administrator privileges instead of RazerCortex.exe.
Root Cause of this Vulnerability
Looking at RzKLService.exe, I found that it launches RazerCortex.exe by concatenating the RazerCortex.exe path with its argument using a L" %s" format string, so the final command line handed to process creation is

C:\Program Files (x86)\Razer\Razer Cortex\RazerCortex.exe -systray

The path is never wrapped in quotes, so the spaces inside the path cannot be told apart from the space that separates the path from its argument. That is what makes the hijack possible.
Vulnerable code (pseudocode as decompiled by IDA; identifiers are as they appear in the decompiler output):

    // Log the launch; v33 holds the full path to RazerCortex.exe.
    print_log((int)L"Run main processex %s %s", path_ptr, v33);
    // Append the file name "RazerCortex.exe" to the buffer held in v34.
    sub_402FA0((void **)&v34, L"RazerCortex.exe");
    LOBYTE(v37) = 10;
    // Concatenate using L" %s": a space and the string, with no quote
    // characters around the path.
    cancat((int)&path_ptr, (int)L" %s", v33);

Here v33 =

C:\Program Files (x86)\Razer\Razer Cortex\RazerCortex.exe
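To make the resolution rule and the fix concrete, here is an added example that is not part of the original post or of Razer's code. It models the documented CreateProcess lookup for an unquoted module name (each space-delimited prefix is tried, with .exe appended when the prefix has no extension) against a constructed file system, lists the locations a planted binary would win at, and shows that quoting the path in the concatenation collapses the candidate list to the real executable. The `existing` and `writable_dirs` sets are constructed inputs, and the assumption that C:\Program Files (x86)\Razer is writable reflects the post's claim, not a measured ACL.

```python
import ntpath

# Command line the post reports RzKLService.exe builds (unquoted path).
VULNERABLE_CMDLINE = r'C:\Program Files (x86)\Razer\Razer Cortex\RazerCortex.exe -systray'


def build_cmdline(exe_path, args, quote):
    """Build the launch command line. quote=False mirrors the decompiled
    L" %s" concatenation; quote=True is the hardened form."""
    if quote:
        return f'"{exe_path}" {args}'
    return f'{exe_path} {args}'


def createprocess_candidates(cmdline):
    """Executables CreateProcess tries, in order, when lpApplicationName is
    NULL. A quoted module name is used as-is. An unquoted one is tried at
    every space-delimited prefix, with .exe appended when the prefix has no
    extension (documented CreateProcess behaviour)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        module = cmdline[1:cmdline.index('"', 1)]
        return [module if ntpath.splitext(module)[1] else module + '.exe']
    tokens = cmdline.split(' ')
    candidates = []
    for i in range(1, len(tokens) + 1):
        prefix = ' '.join(tokens[:i])
        if not ntpath.splitext(prefix)[1]:
            prefix += '.exe'
        candidates.append(prefix)
    return candidates


def hijack_points(cmdline, existing):
    """Candidates checked *before* the file that actually exists: each is a
    location where a planted binary is run instead of the intended one.
    `existing` is a constructed, case-insensitive model of the file system."""
    present = {p.lower() for p in existing}
    points = []
    for cand in createprocess_candidates(cmdline):
        if cand.lower() in present:
            return points
        points.append(cand)
    return points  # nothing resolved; every candidate was a miss


def exploitable_points(cmdline, existing, writable_dirs):
    """Hijack points whose parent directory a low-privileged user can write.
    `writable_dirs` is an assumption about the target's ACLs (constructed)."""
    writable = {d.lower().rstrip('\\') for d in writable_dirs}
    return [p for p in hijack_points(cmdline, existing)
            if ntpath.dirname(p).lower().rstrip('\\') in writable]


if __name__ == '__main__':
    real_exe = r'C:\Program Files (x86)\Razer\Razer Cortex\RazerCortex.exe'
    fs = {real_exe}                                   # constructed file system
    weak_acl = {r'C:\Program Files (x86)\Razer'}     # assumed writable directory

    print('unquoted, every candidate tried before the real exe:')
    for p in hijack_points(VULNERABLE_CMDLINE, fs):
        print('   ', p)
    print('of those, writable by a standard user (assumed ACLs):')
    for p in exploitable_points(VULNERABLE_CMDLINE, fs, weak_acl):
        print('   ', p)

    fixed = build_cmdline(real_exe, '-systray', quote=True)
    print('quoted command line:', fixed)
    print('hijack points after the fix:', hijack_points(fixed, fs))
```

The fix on the native side is the same one-character change: format with L"\"%s\" %s" (or pass the module path separately as lpApplicationName) so the loader never has to guess where the path ends. Until then, the only mitigation is making sure no standard user can write to C:\Program Files (x86)\Razer or to the drive root.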
Reported on HackerOne; the report link is below:
Similar bug reference:
Let me know what you think of this article on Twitter @_dr3dd_ or leave a comment below!