Analysis

The Razer rzpnk.sys driver exposes a device \\.\47CD78C9-64C3-47C2-B80F-677B887CF095 which can be used to open an handle to an arbitrary process from any user. A user needs to open a handle to this device and issue NtDeviceIoControlFile using the IOCTL 0x22a050 to trigger the vulnerable code path. The buffer to be passed to the process is the target PID to open and 0 packed as two QWORD values (buffer = [pid, 0].pack('QQ'). This ultimately leads to a call to ZwOpenProcess which does not perform as many security checks as NtOpenProcess, thus allowing a user to open a handle to an arbitrary process.

To gain code execution from this vulnerability, the user32!LockWindowStatoin function can be hooked within the winlogon process. This process and function are ideal targets because winlogon runs as NT_AUTHORITY\SYSTEM and the function can be triggered on demand. As a by product of exploiting this, the screen will be locked, which may tip off an observant user who is interacting with the system at the time of exploitation.

Exploitation of this vulnerability is quite reliable as it does not rely on memory corruption.

References

• https://warroom.rsmus.com/cve-2017-9769/
  
• https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/razer_zwopenprocess.rb