Attacker Value
Low
(1 user assessed)
Exploitability
Very High
(1 user assessed)
User Interaction
None
Privileges Required
Low
Attack Vector
Local

CVE-2017-9770

Disclosure Date: August 02, 2017

Description

A specially crafted IOCTL can be issued to the rzpnk.sys driver in Razer Synapse that can cause an out of bounds read operation to occur due to a field within the IOCTL data being used as a length.

Ratings
  • Attacker Value
    Low
  • Exploitability
    Very High
Technical Analysis

A vulnerability exists within the Razer Synapse driver rzpnk.sys in the IOCTL dispatch routine for 0x226048 that allows an attacker to pass an input buffer which triggers an out of bounds read operation. A handle can be opened to issue this IOCTL from \\.\47CD78C9-64C3-47C2-B80F-677B887CF095. The result is a denial of service condition on the system in the form of a blue screen of death (BSOD).

The first four bytes of the buffer are used as the size, first to allocate space and then to read from the source. Since the allocation is of the proper size, an out of bounds write cannot be accomplished. If however the specified size is larger than the buffer, then the memcpy will continue to read data after the buffer ends.

Build the buffer to trigger the exception in Python:

import struct

# the first 4 bytes are the size (native-endian unsigned int, matching the driver's
# 32-bit length field), then the buffer must be padded to at least 0x220 bytes
buffer_ = struct.pack('I', 0x70000000) + (b'\x00' * 0x21c)

Proof of Concept code:
https://gist.github.com/zeroSteiner/829c313b942f944375b67a6535f01992#file-cve_2017_9770-py
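The check the analysis above describes as missing, shown as an added example in C that is not from the page, the proof of concept, or Razer's driver: a user-mode model of an IOCTL handler that validates the 4-byte size field against the input length the I/O manager actually reported before it allocates or copies anything. The function names, the status enum, the minimum-length constant and the test buffers are constructed for this illustration; the buffer layout (a 4-byte little-endian size followed by zero padding to 0x220 bytes) follows the page.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimum input size the page says the buffer must be padded to (0x220).
 * Assumed here as the handler's minimum; the real driver's value is not on the page. */
#define RZ_MIN_INPUT_LEN 0x220u

enum ioctl_status {
    IOCTL_OK = 0,
    IOCTL_TOO_SHORT = 1,   /* input smaller than the padded minimum */
    IOCTL_BAD_SIZE = 2,    /* size field exceeds the real input length */
    IOCTL_NO_MEMORY = 3
};

/* Hypothetical model of a hardened dispatch routine (not the driver's code).
 * The caller-supplied size field is compared with in_len, the length the I/O
 * manager reported for the input buffer, before any allocation or copy.
 * On success *out receives a heap buffer the caller frees and *out_len its size. */
enum ioctl_status handle_ioctl_checked(const uint8_t *in, size_t in_len,
                                       uint8_t **out, size_t *out_len)
{
    *out = NULL;
    *out_len = 0;
    if (in == NULL || in_len < RZ_MIN_INPUT_LEN)
        return IOCTL_TOO_SHORT;

    /* First 4 bytes: the length field, decoded little-endian as struct.pack('I')
     * produces it on x86. */
    uint32_t size = (uint32_t)in[0] | ((uint32_t)in[1] << 8) |
                    ((uint32_t)in[2] << 16) | ((uint32_t)in[3] << 24);

    /* The missing check: a length field is never trusted beyond the buffer it arrived in.
     * Without this, a size of 0x70000000 in a 0x220-byte buffer drives memcpy past the end. */
    if (size > in_len)
        return IOCTL_BAD_SIZE;

    uint8_t *buf = malloc(size == 0 ? 1 : size);
    if (buf == NULL)
        return IOCTL_NO_MEMORY;
    memcpy(buf, in, size);   /* now provably within [in, in + in_len) */
    *out = buf;
    *out_len = size;
    return IOCTL_OK;
}

/* Builds a constructed input in the page's layout: 4-byte little-endian size
 * field followed by zero padding to total_len bytes. */
uint8_t *build_input(uint32_t size_field, size_t total_len)
{
    if (total_len < 4)
        return NULL;
    uint8_t *buf = calloc(total_len, 1);
    if (buf == NULL)
        return NULL;
    buf[0] = (uint8_t)(size_field);
    buf[1] = (uint8_t)(size_field >> 8);
    buf[2] = (uint8_t)(size_field >> 16);
    buf[3] = (uint8_t)(size_field >> 24);
    return buf;
}

/* Runs the checked handler over a constructed input and returns its status. */
enum ioctl_status check_input(uint32_t size_field, size_t total_len)
{
    uint8_t *in = build_input(size_field, total_len);
    if (in == NULL)
        return IOCTL_TOO_SHORT;
    uint8_t *out;
    size_t out_len;
    enum ioctl_status st = handle_ioctl_checked(in, total_len, &out, &out_len);
    free(out);
    free(in);
    return st;
}

int main(void)
{
    /* The page's trigger: size field 0x70000000 inside a 0x220-byte buffer. */
    printf("oversized length field -> status %d\n", check_input(0x70000000u, 0x220));
    /* A well-formed request: size field no larger than the buffer. */
    printf("in-bounds length field -> status %d\n", check_input(0x100u, 0x220));
    return 0;
}
```

check_input(0x70000000, 0x220), the input the page uses to trigger the fault, is rejected with IOCTL_BAD_SIZE, while a size field that fits within the buffer is accepted. In a real WDM driver the value to compare against is Parameters.DeviceIoControl.InputBufferLength from the current IRP stack location; the point the example makes is that the comparison happens before the allocation and the copy, not after.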

CVSS V3 Severity and Metrics
Base Score:
5.5 Medium
Impact Score:
3.6
Exploitability Score:
1.8
Vector:
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector (AV):
Local
Attack Complexity (AC):
Low
Privileges Required (PR):
Low
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
None
Integrity (I):
None
Availability (A):
High
