CVE-2020-16602
Published 2020-09-02
Priority: P2 (61) | CVSS 3.1: 8.1 (High)
CVSS 3.1 vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public PoC available (see references)
EPSS: 5.99% (92.4th percentile)
Razer Chroma SDK Rest Server through 3.12.17 allows remote attackers to execute arbitrary programs because there is a race condition in which a file created under "%PROGRAMDATA%\Razer Chroma\SDK\Apps" can be replaced before it is executed by the server. The attacker must have access to port 54236 for a registration step.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| razer | chroma_sdk | <= 3.12.17 | — |
Detection & IOCs (extracted from sources)
- Monitor for file creation or replacement events under %PROGRAMDATA%\Razer Chroma\SDK\Apps (the path named in the NVD description); the directory is user-writable, so an unprivileged local process can drop or swap files there.
- Detect inbound HTTP PUT requests to the /heartbeat and /keyboard endpoints on port 54236; the exploit uses these to interact with the Razer Chroma SDK REST server once a session exists.
- Detect inbound HTTP POST requests to /razer/chromasdk on port 54236 from non-local or unexpected sources; this is the registration step the attacker must complete before the race.
- Alert on rapid, repeated writes to the same file under the Apps directory. A tight loop of overwrites is the signature of the race: the attacker keeps replacing the file the server created until the server executes the attacker's copy instead of its own.
- Monitor for process creation where the image path lies under the Apps directory; legitimate software should not execute binaries from that location, so any such launch is worth a look regardless of parent process.
- Note: exploitation requires network access to port 54236 on the target. Blocking or firewalling that port from untrusted networks removes the remote attack surface (a local attacker on the same host can still reach it).
- Note: NVD lists affected versions as "through 3.12.17", but the public PoC in the references targets version 3.16.02, so the vulnerable window may be broader than initially documented. No fixed version is recorded on this page, so treat any build up to and including 3.16.02 as potentially affected until the vendor confirms otherwise.
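The indicators above can be turned into host-side detection logic. What follows is an added example written for this page, not code from the original page, from the PoC, or from Razer: a small Python detector run over constructed Sysmon-style events (FileCreate, ProcessCreate, NetworkConnect). It assumes %PROGRAMDATA% resolves to C:\ProgramData and uses the Apps path from the NVD description; the burst threshold, the attacker and parent image paths, and every sample event are made-up values for illustration.

```python
"""Toy detector for the CVE-2020-16602 indicators listed above.

Added example for this page (not the page's or Razer's own code). Runs over
constructed, simplified Sysmon-style events: id 11 = FileCreate,
id 1 = ProcessCreate, id 3 = NetworkConnect (initiated=False means inbound).
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath

# Assumption: %PROGRAMDATA% resolves to C:\ProgramData on the monitored host.
APPS_DIR = r"C:\ProgramData\Razer Chroma\SDK\Apps"
SDK_PORT = 54236
BURST_COUNT = 5                       # this many writes to one path ...
BURST_WINDOW = timedelta(seconds=2)   # ... inside this window => race loop
LOCAL_SOURCES = {"127.0.0.1", "::1"}


def under_apps_dir(path: str) -> bool:
    """Case-insensitive test that `path` is strictly below APPS_DIR.

    ntpath.normpath collapses '/' and '..' so trivial path games do not
    dodge the check; the directory itself does not match, only its contents.
    """
    norm = ntpath.normpath(path).lower()
    return norm.startswith(APPS_DIR.lower() + "\\")


def analyze(events):
    """Return a list of (rule_id, detail) tuples for events matching the IOCs."""
    alerts = []
    writes = defaultdict(list)  # target path -> recent FileCreate timestamps
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["id"] == 11 and under_apps_dir(e["target"]):          # FileCreate
            alerts.append(("apps-dir-write", f'{e["image"]} wrote {e["target"]}'))
            key = e["target"].lower()
            recent = [t for t in writes[key] if ts - t <= BURST_WINDOW] + [ts]
            writes[key] = recent
            if len(recent) == BURST_COUNT:  # fire once, when the threshold is hit
                alerts.append(("apps-dir-write-burst",
                               f'{BURST_COUNT} writes to {e["target"]} '
                               f'within {BURST_WINDOW.seconds}s'))
        elif e["id"] == 1 and under_apps_dir(e["image"]):          # ProcessCreate
            alerts.append(("apps-dir-exec", f'{e["parent"]} launched {e["image"]}'))
        elif (e["id"] == 3 and e["dport"] == SDK_PORT               # NetworkConnect
              and e["initiated"] is False and e["src"] not in LOCAL_SOURCES):
            alerts.append(("remote-sdk-port", f'{e["src"]} -> tcp/{SDK_PORT}'))
    return alerts


# Constructed sample telemetry (not real logs). Paths are placeholders.
_ATTACKER = r"C:\Users\bob\race.exe"
_DROP = APPS_DIR + r"\evilapp\evilapp.exe"
_PARENT = r"C:\Program Files\Razer Chroma SDK\RzSDKService.exe"  # assumed name
SAMPLE_EVENTS = [
    {"ts": "2020-09-02T10:00:00.000", "id": 3, "src": "10.0.0.7",
     "dport": SDK_PORT, "initiated": False},                  # remote registration
    {"ts": "2020-09-02T10:00:00.050", "id": 3, "src": "127.0.0.1",
     "dport": SDK_PORT, "initiated": False},                  # local client: benign
] + [
    {"ts": f"2020-09-02T10:00:01.{ms:03d}", "id": 11, "image": _ATTACKER,
     "target": _DROP}
    for ms in range(0, 500, 100)                               # 5 overwrites in 0.4 s
] + [
    {"ts": "2020-09-02T10:00:01.600", "id": 1, "image": _DROP, "parent": _PARENT},
    {"ts": "2020-09-02T10:00:02.000", "id": 1,
     "image": r"C:\Windows\System32\notepad.exe", "parent": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

On a real host the SDK server's own file creation under Apps will also fire the plain `apps-dir-write` rule, so baseline that rule on the server's image and keep the burst and execution rules as the high-signal ones; the burst rule is what separates the race loop from a single legitimate write.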
CVSS provenance
- NVD v3.1: 8.1 HIGH, CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD v2.0: 6.8 MEDIUM, AV:N/AC:M/Au:N/C:P/I:P/A:P
References
- http://packetstormsecurity.com/files/160225/Razer-Chroma-SDK-Server-3.16.02-Race-Condition.html
- https://assets.razerzone.com/dev_portal/REST/html/index.html
- https://www.angelystor.com/2020/09/cve-2020-16602-remote-file-execution-on.html
- https://www.youtube.com/watch?v=fkESBVhIdIA