Razer Cortex Unquoted Search Path Vulnerability - $750 USD
I found this bug in Razer Cortex Service version 7.3.23.124. By default, RzKLService.exe runs with system privileges, and it executes RazerCortex.exe with administrator privileges, but the way it loads this binary, i.e. RazerCortex.exe, is vulnerable to an unquoted search path vulnerability. So any attacker can execute their own binary if it is placed in one of these two paths:
C:\Program.exe and C:\Program Files (x86)\Razer\Razer.exe, which are not present. So if an attacker places their malicious binary at one of these locations, then whenever the user logs in, the attacker's binary executes with administrator privileges.
Root Cause of this Vulnerability
On reversing RzKLService.exe, I found that it executes RazerCortex.exe after concatenating -systray to the RazerCortex.exe path. So the final path with the argument becomes
C:\Program Files (x86)\Razer\Razer Cortex\RazerCortex.exe -systray
There are no quotes around the path, which contains spaces, to separate it from the argument, and that's why it's happening.
Vulnerable code -
  print_log((int)L"Run main processex[0] %s %s", path_ptr, v33);
  sub_402FA0((void **)&v34, L"RazerCortex.exe");
  LOBYTE(v37) = 10;
  cancat((int)&path_ptr, (int)L" %s", v33);
The above pseudocode was decompiled by IDA.
Here v33 = -systray
path_ptr = C:\Program Files (x86)\Razer\Razer Cortex\RazerCortex.exe
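The following is an added example, not code from the original post or from Razer. It assumes the service starts the process through a CreateProcess-family call that takes the application name from the command line, and it follows the documented Windows behaviour of cutting an unquoted command line at each space. The function names are hypothetical. It lists the paths a defender should check for unexpected files or weak ACLs, next to the quoted form that removes the ambiguity.

```python
import ntpath

# Values taken from the post: path_ptr and v33.
EXE = r"C:\Program Files (x86)\Razer\Razer Cortex\RazerCortex.exe"
ARG = "-systray"

def build_unquoted(path_ptr: str, arg: str) -> str:
    # Same shape as the decompiled concat: path, a space, then the argument.
    return f"{path_ptr} {arg}"

def build_quoted(path_ptr: str, arg: str) -> str:
    # Hardened form: the image path is quoted, so it is one unambiguous token.
    return f'"{path_ptr}" {arg}'

def earlier_candidates(exe_path: str) -> list[str]:
    """Images tried before exe_path when it appears unquoted.

    The string is cut at each space, and ".exe" is appended when the cut
    leaves a file name without an extension.
    """
    found = []
    pos = exe_path.find(" ")
    while pos != -1:
        prefix = exe_path[:pos]
        if not ntpath.splitext(prefix)[1]:
            prefix += ".exe"
        found.append(prefix)
        pos = exe_path.find(" ", pos + 1)
    return found

def audit(cmdline: str, exe_path: str) -> list[str]:
    """Paths to review for a given command line; empty when the path is quoted."""
    if cmdline.startswith(f'"{exe_path}"'):
        return []
    if cmdline.startswith(exe_path):
        return earlier_candidates(exe_path)
    raise ValueError("command line does not start with the expected image path")

if __name__ == "__main__":
    for label, line in (("unquoted", build_unquoted(EXE, ARG)),
                        ("quoted", build_quoted(EXE, ARG))):
        print(f"{label}: {line}")
        for path in audit(line, EXE):
            print(f"  review: {path}")
```

Passing the executable path as an explicit application name to the process-creation call, in addition to quoting it, removes the dependence on command-line parsing altogether.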
Reported on HackerOne; the link is below:
Razer-hackerone-report
Similar bug reference:
Safebreach-Windows-Unquoted-Search-Path-CVE-2019-16647
Let me know what you think of this article on Twitter @_dr3dd_ or leave a comment below!