CVE-2017-9770
Description
A specially crafted IOCTL can be issued to the rzpnk.sys driver in Razer Synapse that can cause an out of bounds read operation to occur due to a field within the IOCTL data being used as a length.
Ratings
- Attacker Value: Low
- Exploitability: Very High
Technical Analysis
A vulnerability exists within the Razer Synapse driver rzpnk.sys in the IOCTL dispatch routine for 0x226048 that can allow an attacker to pass an input buffer which can trigger an out of bounds read operation. A handle can be opened to issue this IOCTL from \\.\47CD78C9-64C3-47C2-B80F-677B887CF095. The result will cause a denial of service condition on the system in the form of a blue screen of death (BSOD).
The first four bytes of the buffer are used as the size, first to allocate space and then to read from the source. Since the allocation is of the proper size, an out of bounds write cannot be accomplished. If however the specified size is larger than the buffer, then the memcpy will continue to read data after the buffer ends.
Build the buffer to trigger the exception in Python:
```python
import struct

# the first 4 bytes are the size, then it must be padded to at least 0x220 bytes
buffer_ = struct.pack('I', 0x70000000) + (b'\x00' * 0x21c)
```
Proof of Concept code:
https://gist.github.com/zeroSteiner/829c313b942f944375b67a6535f01992#file-cve_2017_9770-py
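The defensive counterpart to the bug described above is to check the embedded length against the number of bytes actually received before allocating or copying. This is an added example, not code from rzpnk.sys or from the original assessment: a user-mode C model in which the request layout (4-byte length followed by payload), `MAX_PAYLOAD`, the status codes and the function names are all assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model, not rzpnk.sys code: a request is a 4-byte length
 * field followed by payload bytes; in_len is the size the caller really
 * supplied (what the I/O manager reports as the input buffer length). */
#define HDR_LEN      sizeof(uint32_t)
#define MAX_PAYLOAD  0x10000u   /* hypothetical upper bound for this model */
enum { REQ_OK = 0, REQ_TOO_SHORT = -1, REQ_BAD_LENGTH = -2, REQ_NO_MEMORY = -3 };

/* Bytes an unchecked memcpy(dst, payload, claimed) would read past the end
 * of the input buffer. Computed only, never performed. */
uint64_t overread_bytes(uint32_t claimed, size_t in_len)
{
    size_t avail = in_len > HDR_LEN ? in_len - HDR_LEN : 0;
    return claimed > avail ? (uint64_t)claimed - avail : 0;
}

/* Hardened copy: the length field is untrusted and must fit inside the
 * bytes actually received before it is used for allocation or copying. */
int copy_request(const uint8_t *in, size_t in_len, uint8_t **out, uint32_t *out_len)
{
    uint32_t claimed;

    *out = NULL; *out_len = 0;
    if (in == NULL || in_len < HDR_LEN)
        return REQ_TOO_SHORT;
    memcpy(&claimed, in, HDR_LEN);          /* fetch the field exactly once */
    if (claimed > MAX_PAYLOAD || claimed > in_len - HDR_LEN)
        return REQ_BAD_LENGTH;              /* copy would leave the buffer */
    *out = malloc(claimed ? claimed : 1);
    if (*out == NULL)
        return REQ_NO_MEMORY;
    memcpy(*out, in + HDR_LEN, claimed);
    *out_len = claimed;
    return REQ_OK;
}

int main(void)
{
    uint8_t req[0x220] = {0}, *out;       /* constructed sample request */
    uint32_t n, claimed = 0x70000000u;    /* oversized length field */
    memcpy(req, &claimed, HDR_LEN);
    printf("status=%d overread=%llu\n", copy_request(req, sizeof req, &out, &n),
           (unsigned long long)overread_bytes(claimed, sizeof req));
    return 0;
}
```

In a real WDM driver the equivalent of `in_len` is the input buffer length the I/O manager passes with the request, and the rejected case would complete the IRP with an error status instead of returning `REQ_BAD_LENGTH`.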
CVSS V3 Severity and Metrics
General Information
Vendors
- razerzone
Products
- razer synapse