Razer Cortex Unquoted Search path Vulnerability - $750 USD

by on under Bug-Bounty
1 minute read

I found this bug in Razer Cortex Service vesion .By default RzKLService.exe runs with system privileges, and it executes RazerCortex.exe with administrator privileges but the way its load this binary i.e RazerCortex.exe is vulnerable to Unquoted Search path Vulnerability. So any attacker to can executes its binary which is places in these two paths:- C:\Program.exe and C:\Program Files (x86)\Razer\Razer.exe which is not present. So if an attacker places their malicious binary at this place, then whenever the user logged in it, attacker binary executes with administrator privilege.

Root Cause of this Vulnerability

On Reversing RzKLService.exe i found that it excutes RazerCortex.exe after concating -systray in RazerCortex.exe path. So final with argument becomes C:\Program Files (x86)\Razer\Razer Cortex\RazerCortex.exe -systray there is no quotes between path spaces and argument. and that’s why it’s happening.

Vulnerable code -

  print_log((int)L"Run main processex[0] %s %s", path_ptr, v33);
  sub_402FA0((void **)&v34, L"RazerCortex.exe");
  LOBYTE(v37) = 10;
  cancat((int)&path_ptr, (int)L" %s", v33);

Above psudo code decompile by IDA.
here v33 = -systray
path_ptr = C:\Program Files (x86)\Razer\Razer Cortex\RazerCortex.exe

Reported on Hackerone, link is below :
Similar bug reference :-

Bug-Bounty, Windows Code Path Vulnerability, Razer, HackerOne
comments powered by Disqus