Share
## https://sploitus.com/exploit?id=PACKETSTORM:174696
Advisory ID: SYSS-2023-002  
Product: Razer Synapse  
Manufacturer: Razer Inc.  
Affected Version(s): Versions before 3.8.0428.042117 (20230601)  
Tested Version(s): 3.8.0228.022313 (20230315)  
under Windows 10 Pro (10.0.19044)  
under Windows 11 Home (10.0.22621)  
Vulnerability Type: Improper Privilege Management (CWE-269)  
Time-of-check Time-of-use Race Condition   
(CWE-367)  
Risk Level: High  
Solution Status: Fixed  
Manufacturer Notification: 2023-03-23  
Solution Date: 2023-04-28  
Public Disclosure: 2023-08-31  
CVE Reference: CVE-2022-47631  
Author of Advisory: Dr. Oliver Schwarz, SySS GmbH  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Overview:  
  
Razer Synapse is an additional driver software for Razer gaming devices.  
The manufacturer describes the product as a "unified cloud-based  
hardware configuration tool" (see [1]).  
  
Due to an unsafe installation path, improper privilege management, and a  
time-of-check time-of-use race condition, the associated system service  
"Razer Synapse Service" is vulnerable to DLL hijacking.  
As a result, local Windows users can abuse the Razer driver installer to  
obtain administrative privileges on Windows.  
  
In order to exploit the vulnerability, the attacker needs physical  
access to the machine and needs to prepare the attack before Razer  
Synapse is installed along with a Razer driver.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Vulnerability Details:  
  
The attack scenario considers a Windows machine without any previous  
installation of any Razer device or software.  
The attacker has a local unprivileged Windows account, physical access  
to the machine, and a device which is either a Razer peripheral or able  
to pretend to be one (such as a Bash Bunny or a Raspberry Pi Zero).  
The attacker aims at executing code with full system privileges.  
  
The attack exploits the Razer Synapse Service which runs with elevated  
privileges. While the main binary of the service is stored in the  
protected location "C:\Program Files (x86)\Razer\Synapse3\Service", it  
dynamically loads libraries from  
"C:\ProgramData\Razer\Synapse3\Service\bin".  
Before the installation, standard users can write to this path, since  
"C:\ProgramData" is world-writable on a standard installation of  
Windows.  
  
The Synapse installation procedure changes access privileges, so that  
standard users cannot write to the path any longer.  
However, if the path is created before the driver installation, the  
creator can set own files to be read-only and deny write access for  
the SYSTEM user.  
  
Upon start, the Synapse service checks the location for foreign DLLs,  
removes them, and aborts upon failure to delete them.  
However, due to a time-of-check time-of-use race condition, attackers  
can replace a benign DLL after it has been checked and before it is  
loaded.  
  
Note that the described vulnerability is similar to CVE-2021-44226  
(SYSS-2021-058) and CVE-2022-47632 (SYSS-2022-047), which Razer Inc.  
fixed in March and September of 2022, respectively.  
The new attack differs from the earlier ones in that the attacker  
now has to exploit a race condition.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Proof of Concept (PoC):  
  
The attack consists of the following steps:  
  
1. Before the installation of the driver/Synapse, the attacker creates  
"C:\ProgramData\Razer\Synapse3\Service\bin", copies a custom  
malicious version of userenv.dll into the directory, sets the DLL to  
read-only, and denies write access for SYSTEM.  
  
2. Afterwards, the attacker triggers the installation of Synapse.  
This can be done without any elevated privileges by plugging in a  
Razer device and following the installation procedure for Synapse  
if device-specific co-installers are not disabled.  
Alternatively, a device such as Bash Bunny or a Raspberry Pi Zero  
can be used and pretend to be a Razer device.  
  
3. With the help of a script, the attacker monitors the installation  
progress. As soon as legitimate DLL files show up in the directory,  
the attacker temporarily overwrites the malicious DLL with a  
legitimate one, waits for the DLL to be assessed (i.e., read), and  
then quickly copies back the malicious content to the DLL before it  
is actually loaded and executed.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Solution:  
  
Razer has published a patched version that will be deployed automatically  
upon driver installation on current Windows builds.  
  
To prevent similar attacks through other co-installers, system  
administrators can disable them by setting the following key in the  
Windows registry:  
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Device   
Installer\DisableCoInstallers = 1  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclosure Timeline:  
  
2022-12-19: Vulnerability discovered  
2023-03-23: Vulnerability reported to manufacturer  
2023-04-28: Patch released by manufacturer  
2023-08-31: Public disclosure of vulnerability  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
References:  
  
[1] Product website for Razer Synapse 3  
https://www2.razer.com/eu-en/synapse-3  
[2] SySS Security Advisory SYSS-2023-002  
  
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2023-002.txt  
[3] SySS Responsible Disclosure Policy  
https://www.syss.de/en/responsible-disclosure-policy  
[4] SySS Proof of Concept Video  
https://youtu.be/0myDcqmtt0U  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Credits:  
  
This security vulnerability was found by Dr. Oliver Schwarz of SySS GmbH.  
  
E-Mail: oliver.schwarz@syss.de  
Public Key:   
https://www.syss.de/fileadmin/dokumente/PGPKeys/Oliver_Schwarz.asc  
Key ID: 0x9716294F1294280D  
Key Fingerprint: D452 B014 E992 2886 E799 6B43 9716 294F 1294 280D  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclaimer:  
  
The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS Web  
site.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Copyright:  
  
Creative Commons - Attribution (by) - Version 3.0  
URL: https://creativecommons.org/licenses/by/3.0/deed.en