'[FD] Advisory SyncBreeze Enterprise 10.1.16 Buffer Overflow [CVE-2017-15950]'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    [FD] Advisory SyncBreeze Enterprise 10.1.16 Buffer Overflow [CVE-2017-15950]
From:       filipe <filipe.xavier () tempest ! com ! br>
Date:       2017-10-30 16:15:12
Message-ID: 5d9591f6-efda-f4ec-1a48-8ac84ac5f795 () tempest ! com ! br
[Download RAW message or body]

=====[ Tempest Security Intelligence - ADV-10/2017 ]===

  Sync Breeze 10.1.16 Buffer Overflow

  Author: Filipe Xavier Oliveira

  Tempest Security Intelligence - Recife, Pernambuco - Brazil

=====[ Table of Contents
]=====================================================

  * Overview 
  * Detailed description 
  * Aggravating factors     
  * Timeline of disclosure   
  * Thanks & Acknowledgements 
  * References

=====[ Overview
]==============================================================

 * System affected  : Sync Breeze Enterprise [1].
 * Software Version : 10.1.16 (other versions may also be affected).
 * Impact           : A user may be affected by opening a malicious
importing command XML file, through a long destination  directory path
or remotely using the passive mode.

=====[ Detailed description
]==================================================

Sync Breeze version 10.1.16 is vulnerable to buffer overflow, which can
be exploited remotely or locally to achieve arbitrary code execution.
The flaw is triggered by providing a long input into the "Destination
directory" path of the application.

The following information regards the state of the CPU and stack at the
moment of the crash:

(cb8.930): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=0010f118 ecx=00000000 edx=0010a1f4 esi=02091c98
edi=0314db50
eip=41414141 esp=0010b20c ebp=0010b264 iopl=0         nv up ei pl nz na
po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000            
efl=00010202
41414141 ??              ???

STACK_TEXT: 
0010b208 41414141 41414141 41414141 41414141 0x41414141
0010b264 0039bc37 0314db50 02132170 0110b884 0x41414141
0010b88c 6517add6 5d56f800 030f81c8 030f8488
libsbg!SCA_SyncHistoryDlg::qt_metacall+0x6f87
00000000 00000000 00000000 00000000 00000000
QtGui4!QButtonGroup::checkedId+0x6e9

=====[ Aggravating factors
]===================================================

It's possible to trigger the buffer overflow remotely if the user
activates the passive mode. In this case an remote attacker can set a
destination directory and exploit the vulnerability.

=====[ Timeline of disclosure 
]===============================================

10/07/2017 - Vulnerability reported. Vendor did not respond.
10/17/2017 - Tried to contact vendor again, without success.
10/28/2017 - CVE assigned [1]
10/30/2017 - Advisory publication date.

=====[ Thanks & Acknowledgements
]============================================

     - Breno Cunha          < brenodario () gmail.com >
    - Henrique Arcoverde < henrique.arcoverde () tempest.com.br
    - Tempest Security Intelligence / Tempest's Pentest Team [3]

=====[ References
]===========================================================

[1] http://www.syncbreeze.com/

[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15950

[3] http://www.tempest.com.br

=====[ EOF
]====================================================================

-- 
Filipe Oliveira
Tempest Security Intelligence

["advSyncBreeze.txt" (text/plain)]

=====[ Tempest Security Intelligence - ADV-10/2017 ]===

  Sync Breeze 10.1.16 Buffer Overflow

  Author: Filipe Xavier Oliveira

  Tempest Security Intelligence - Recife, Pernambuco - Brazil

=====[ Table of Contents ]=====================================================

  * Overview  
  * Detailed description  
  * Aggravating factors      
  * Timeline of disclosure    
  * Thanks & Acknowledgements  
  * References

=====[ Overview ]==============================================================

 * System affected  : Sync Breeze Enterprise [1].
 * Software Version : 10.1.16 (other versions may also be affected).
 * Impact           : A user may be affected by opening a malicious importing command XML file, \
through a long destination  directory path or remotely using the passive mode.

=====[ Detailed description ]==================================================

Sync Breeze version 10.1.16 is vulnerable to buffer overflow, which can be exploited remotely \
or locally to achieve arbitrary code execution. The flaw is triggered by providing a long input \
into the "Destination directory" path of the application.

The following information regards the state of the CPU and stack at the moment of the crash:

(cb8.930): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=0010f118 ecx=00000000 edx=0010a1f4 esi=02091c98 edi=0314db50
eip=41414141 esp=0010b20c ebp=0010b264 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
41414141 ??              ???

STACK_TEXT:  
0010b208 41414141 41414141 41414141 41414141 0x41414141
0010b264 0039bc37 0314db50 02132170 0110b884 0x41414141
0010b88c 6517add6 5d56f800 030f81c8 030f8488 libsbg!SCA_SyncHistoryDlg::qt_metacall+0x6f87
00000000 00000000 00000000 00000000 00000000 QtGui4!QButtonGroup::checkedId+0x6e9

=====[ Aggravating factors ]===================================================

It's possible to trigger the buffer overflow remotely if the user activates the passive mode. \
In this case an remote attacker can set a destination directory and exploit the vulnerability.

=====[ Timeline of disclosure  ]===============================================

10/07/2017 - Vulnerability reported. Vendor did not respond.
10/17/2017 - Tried to contact vendor again, without success.
10/28/2017 - CVE assigned [1]
10/30/2017 - Advisory publication date.

=====[ Thanks & Acknowledgements ]============================================

 	- Breno Cunha     	 < brenodario () gmail.com >
	- Henrique Arcoverde < henrique.arcoverde () tempest.com.br
	- Tempest Security Intelligence / Tempest's Pentest Team [3]

=====[ References ]===========================================================

[1] http://www.syncbreeze.com/ 

[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15950

[3] http://www.tempest.com.br

=====[ EOF ]====================================================================

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

[prev in list] [next in list] [prev in thread] [next in thread] 