| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <5d9591f6-efda-f4ec-1a48-8ac84ac5f795@tempest.com.br>
Date: Mon, 30 Oct 2017 13:15:12 -0300
From: filipe <filipe.xavier@...pest.com.br>
To: fulldisclosure@...lists.org
Subject: [FD] Advisory SyncBreeze Enterprise 10.1.16 Buffer Overflow
[CVE-2017-15950]
=====[ Tempest Security Intelligence - ADV-10/2017 ]===
Sync Breeze 10.1.16 Buffer Overflow
Author: Filipe Xavier Oliveira
Tempest Security Intelligence - Recife, Pernambuco - Brazil
=====[ Table of Contents
]=====================================================
* Overview
* Detailed description
* Aggravating factors
* Timeline of disclosure
* Thanks & Acknowledgements
* References
=====[ Overview
]==============================================================
* System affected : Sync Breeze Enterprise [1].
* Software Version : 10.1.16 (other versions may also be affected).
* Impact : A user may be affected by opening a malicious
importing command XML file, through a long destination directory path
or remotely using the passive mode.
=====[ Detailed description
]==================================================
Sync Breeze version 10.1.16 is vulnerable to buffer overflow, which can
be exploited remotely or locally to achieve arbitrary code execution.
The flaw is triggered by providing a long input into the "Destination
directory" path of the application.
The following information regards the state of the CPU and stack at the
moment of the crash:
(cb8.930): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=0010f118 ecx=00000000 edx=0010a1f4 esi=02091c98
edi=0314db50
eip=41414141 esp=0010b20c ebp=0010b264 iopl=0 nv up ei pl nz na
po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000
efl=00010202
41414141 ?? ???
STACK_TEXT:
0010b208 41414141 41414141 41414141 41414141 0x41414141
0010b264 0039bc37 0314db50 02132170 0110b884 0x41414141
0010b88c 6517add6 5d56f800 030f81c8 030f8488
libsbg!SCA_SyncHistoryDlg::qt_metacall+0x6f87
00000000 00000000 00000000 00000000 00000000
QtGui4!QButtonGroup::checkedId+0x6e9
=====[ Aggravating factors
]===================================================
It's possible to trigger the buffer overflow remotely if the user
activates the passive mode. In this case an remote attacker can set a
destination directory and exploit the vulnerability.
=====[ Timeline of disclosure
]===============================================
10/07/2017 - Vulnerability reported. Vendor did not respond.
10/17/2017 - Tried to contact vendor again, without success.
10/28/2017 - CVE assigned [1]
10/30/2017 - Advisory publication date.
=====[ Thanks & Acknowledgements
]============================================
- Breno Cunha < brenodario () gmail.com >
- Henrique Arcoverde < henrique.arcoverde () tempest.com.br
- Tempest Security Intelligence / Tempest's Pentest Team [3]
=====[ References
]===========================================================
[1] http://www.syncbreeze.com/
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15950
[3] http://www.tempest.com.br
=====[ EOF
]====================================================================
--
Filipe Oliveira
Tempest Security Intelligence
View attachment "advSyncBreeze.txt" of type "text/plain" (3126 bytes)
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists