Razor Synapse 3 Software Has A
You can toggle bass boost, sound normalization, or voice clarity on/off, and nothing changes.Vulnerability: Razer Synapse Windows Service EoPMaximize your unfair advantage with Razer Synapse 3, the unified cloud-based hardware configuration tool that takes your Razer devices to the next level.Brief Description: The Razer Synapse software has a service (Razer Synapse Service) that runs as “NT AUTHORITY\SYSTEM” and loads multiple. In the past people have debated how useful this software actually is but after.Product Version: Razer Synapse 3 (.112711) Windows ClientYou will still get audio in your games, THX spatial-synapse will still be the 'default device' in your sound settings, but the synapse 3 app and any settings you have within it, become unresponsive. Razer Synapse is compatible with Razer Blackwidow Ultimate, Razer Mamba, and the ever popular Razer Megasoma.Razer Synapse 3 - Cloud-based configurator and manager for Razer devices. There are no third party applications that work with this keyboard because it is designed to interface only with the official razer devices. Razer Synapse 3 supports all of the latest Razer devices.
NET assembly with a malicious one, reboot the system and let the Razer Synapse Service load it when it starts. NET assemblies out of various directories within “C:\ProgramData\Razer\*”, such as “C:\ProgramData\Razer\Synapse3\Service\bin”.When looking at the DACL on the folder “C:\ProgramData\Razer\Synapse3\Service\bin”, you will notice that “Everyone” has “FullControl” rights over the folder (including any files within the folder):In theory, an attacker could simply replace an existing. It is possible to circumvent signing checks and elevate to SYSTEM using assembly sideloading.When the Razer Synapse service starts, it will load. The folder “ C:\ProgramData\Razer\*” and recursive directories/files have weak permissions that grant any authenticated user FullControl over the contents.
This means that it is possible to use a tool such as SigPirate to clone the certificate from a valid Razer assembly onto a malicious one, due to the fact that the signature of said assembly is never actually verified.Once the assembly passes the certificate check, the service will then load it into the current app domain via Assembly.LoadFile(). NET assemblies before loading them is good, the implementation wasn’t robust, as X509Certificate.CreateFromSignedFile() only extracts the certificate chain and in no way attests the validity of the signature of the file being checked ( ). While the thought behind checking the trust of. This is done by grabbing certificate information from “Razer.cer”, calling X509Certificate.CreateFromSignedFile() on each assembly and then comparing the certificate chain from Razer.cer with the assembly being loaded.If the certificate chain on the assembly doesn’t match that of Razer.cer, the service will not load it.
Write a custom assembly that implements the IPackage interface from the SimpleInjector project All that needs done is to add malicious logic in the “RegisterServices()” method within the IPackage interface of our malicious assembly.At this point, we have found ways to abuse all of the requirements to get elevated code-execution. Once this is done for all the assemblies found in “C:\ProgramData\Razer\*”, the list is then passed to SimpleInjector’s “ RegisterPackages() ” function.RegisterPackages() will take the list of “verified” assemblies and call the “ RegisterServices() ” function within the IPackage interface of each assembly.This is the point in which we, as an attacker, can execute malicious code. Once the service validates the certificate chain of the assembly and verifies the presence of IPackage, it adds the assembly to a running list. The only requirement to pass this check is to implement the IPackage interface in our malicious assembly. After doing so, the service will check to make sure there is an IPackage interface implemented.This interface is specific to the SimpleInjector project, which is well documented.
A PoC assembly would look something like this:Since the Razer service is 32-bit, we compile the assembly as x86. Once the reference is added, we just need to implement the interface and add malicious logic. To do so, a reference to the “SimpleInjector” and “SimpleInjector.Packaging” assemblies need to be added from the SimpleInjector project. First, we need to create our malicious assembly that implements the required IPackage interface. Drop the final malicious assembly into “C:\ProgramData\Razer\Synapse3\Service\bin”After understanding the requirements to get arbitrary code-execution in an elevated context, we can now exploit it. Compile the assembly and use a tool such as SigPirate to clone the certificate chain from a valid Razer assembly
By validating the integrity of the file, an attacker can no longer clone the certificate off of a signed Razer file as the signature of the newly cloned file will not be valid.For additional reading on trust validation, I encourage you to read the whitepaper “ Subverting Trust in Windows ” by Matt Graeber. The service will now call “WinTrust.VerifyEmbeddedSignature() right after pulling all the “*.dll” files from the Razer directory.When looking at “WinTrust.VerifyEmbeddedSignature()”, the function utilizes “WinTrust.WinVerifyTrust()” to validate that the file being checked has a valid signature (through WinVerifyTrust() ).If the file has a valid signature AND the signer is by Razer, then the service will continue the original code path of checking for a valid IPackage interface before loading the assembly. Once the host restarts, you will see that “Razer Synapse Service.exe” (running as SYSTEM) will have loaded “lol.dll” out of “C:\ProgramData\Razer\Synapse3\Service\bin”, causing the “RegisterServices()” method in the implemented IPackage interface to execute cmd.exe.When the service loads “lol.dll”, it sees it as valid due to the cloned certificate, and EoP occurs due to the “malicious” logic in the IPackage implementation.Razer fixed this by implementing a new namespace called “Security.WinTrust”, which contains functionality for integrity checking. The last step is to drop “lol.dll” in “C:\ProgramData\Razer\Synapse3\Service\bin” and reboot the host. Since the service is using X509Certificate.CreateFromSignedFile() without any signature validation, we can simply clone the certificate from a signed Razer assembly using SigPirate :Using “Get-AuthenticodeSignature” in PowerShell, we can verify that the certificate was applied to our “lol.dll” assembly that was created from SigPirate:At this point, we have a malicious assembly with a “backdoored” IPackage interface that has a cloned certificate chain from a valid Razer assembly.
0 kommentar(er)
