Dr. Oliver Schwarz

**Name of the Vulnerable Software and Affected Versions** Razer Synapse versions 3.7.1209.121307 and earlier **Description** The issue allows for privilege escalation due to an unsafe installation path and improper privilege management. Attackers can place DLLs into `%PROGRAMDATA%RazerSynapse3Servicebin` if they do so before the service is installed and if they deny write access for the `SYSTEM` user. Although the service will not start if it detects malicious DLLs in this directory, attackers can exploit a race condition and replace a valid DLL with a malicious DLL after the service has already checked the file. As a result, local Windows users can abuse the Razer driver installer to obtain administrative privileges on Windows. **Recommendations** For Razer Synapse versions 3.7.1209.121307 and earlier, consider disabling the service until a patch is available to prevent exploitation of the race condition. Restrict access to the `%PROGRAMDATA%RazerSynapse3Servicebin` directory to minimize the risk of malicious DLL placement. Avoid using the Razer driver installer until the issue is resolved to prevent potential privilege escalation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Razer Synapse versions prior to 3.7.0830.081906 **Description** The issue arises due to an unsafe installation path, improper privilege management, and improper certificate validation. Attackers can exploit this by placing malicious DLLs into `%PROGRAMDATA%RazerSynapse3Servicebin` before the service is installed, and then denying write access for the SYSTEM user. Although the service will not start if the malicious DLLs are unsigned, using self-signed DLLs is sufficient for exploitation. The validity of the DLL signatures is not checked, allowing local Windows users to abuse the Razer driver installer to obtain administrative privileges on Windows. **Recommendations** For versions prior to 3.7.0830.081906, update to version 3.7.0830.081906 or later to resolve the issue. As a temporary workaround, consider restricting access to the `%PROGRAMDATA%RazerSynapse3Servicebin` directory to prevent malicious DLL placement. Additionally, ensure proper privilege management and certificate validation to minimize the risk of exploitation.

**Nome do software vulnerável e versões afetadas** Versões do Razer Synapse anteriores à 3.7.0228.022817 **Descrição** A vulnerabilidade permite a escalada de privilégios porque o Razer Synapse depende do diretório `%PROGRAMDATA%RazerSynapse3Servicebin`, mesmo que o diretório `%PROGRAMDATA%Razer` tenha sido criado por qualquer usuário sem privilégios antes da instalação do Synapse. Um usuário sem privilégios pode ter colocado DLLs de cavalos de Tróia nesse diretório. **Recomendações** Para versões anteriores à 3.7.0228.022817, atualize para a versão 3.7.0228.022817 ou posterior para resolver o problema. Como solução alternativa temporária, considere restringir o acesso ao diretório `%PROGRAMDATA%RazerSynapse3Servicebin` para evitar possíveis explorações.