Razer rzpnk.sys IOCTL 0x226048 OOB Read (CVE-2017-9770)

Today SecureState is releasing the first of two unpatched vulnerabilities identified within drivers used in the gaming peripheral company Razer’s Synapse application. The driver in question is rzpnk.sys (md5: B4598C05D5440250633E25933FFF42B0) which exposes some functionality via an IOCTL interface.

Section of code showing where the size is read out of the source buffer.

Today’s vulnerability is an out of bounds read condition that can be exploited by a local attacker to trigger a denial of service condition using IOCTL code 0x226048. SecureState has determined this vulnerability to have a CVSS v2 base score of 4.7 (AV:L/AC:M/Au:N/C:N/I:N/A:C).The vulnerability is due to the first 4 bytes of the input buffer being used to specify its size at rzpnk.sys+0x2b03. Just prior to this operation, the same value is used as the size parameter to allocate a new buffer which is then used as the destination parameter to a memcpy call. Due to the destination being a (technically) appropriate size, no data is overwritten. If, however, the source size is vastly larger than the size of the buffer and the buffer is located towards the end of a page boundary, the kernel will throw a bug check condition resulting in a Blue Screen of Death (BSOD) being displayed to the user. These conditions are necessary for triggering the denial of service condition and contribute to the exploitability being moderately reliable.

 

An example of the BSOD shown to the user when exploitation is successful.

The following script is a short proof of concept to demonstrate the vulnerability. Successfully leveraging it results in a denial of service condition due to the kernel bug check. The script leverages the mayhem library for Window type definitions. In the proof of concept a buffer of 0x220 bytes has a header claiming it is 0x70000000 bytes in length. The actual input buffer size must be at least 0x220 bytes to reach the vulnerable code path. The fake size of 0x70000000 was selected as it is small enough that the allocation generally succeeds on a 64-bit VM with 3GB of RAM, but is also large enough to increase the odds that an out of bounds read will occur.

An additional vulnerability in the same driver, which SecureState will disclose tomorrow (July 14th, 2017) is of a more serious nature as it can be reliably exploited to elevate the privileges of a user to those of NT_AUTHORITY\SYSTEM without having to deal with memory corruption. A proof of concept in the form of a Metasploit module will be released to demonstrate the vulnerability.

CVE-2017-9770 Timeline:

  • March 31st, 2017
    • Original Disclosure sent via Razer’s Bug Report / Contact Us form, assigned case #01143771
  • April 3rd, 2017
    • Additional disclosure sent via the Razer Synapase internal bug reporting form at the request of the Razer technical support team
  • June 21st, 2017
  • July 13th, 2017