=====[ Tempest Security Intelligence - ADV-10/2017 ]===

  Sync Breeze 10.1.16 Buffer Overflow

  Author: Filipe Xavier Oliveira

  Tempest Security Intelligence - Recife, Pernambuco - Brazil

=====[ Table of Contents ]=====================================================

  * Overview
  * Detailed description
  * Aggravating factors
  * Timeline of disclosure
  * Thanks & Acknowledgements
  * References

=====[ Overview ]==============================================================

  * System affected  : Sync Breeze Enterprise [1].
  * Software Version : 10.1.16 (other versions may also be affected).
  * Impact           : A user may be affected by opening a malicious import
                       command XML file, through a long destination directory
                       path, or remotely using the passive mode.

=====[ Detailed description ]==================================================

Sync Breeze version 10.1.16 is vulnerable to a buffer overflow, which can be
exploited remotely or locally to achieve arbitrary code execution. The flaw is
triggered by providing a long input into the "Destination directory" path of
the application.

The following shows the state of the CPU and stack at the moment of the crash:

(cb8.930): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=0010f118 ecx=00000000 edx=0010a1f4 esi=02091c98 edi=0314db50
eip=41414141 esp=0010b20c ebp=0010b264 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
41414141 ??              ???

STACK_TEXT:
0010b208 41414141 41414141 41414141 41414141 0x41414141
0010b264 0039bc37 0314db50 02132170 0110b884 0x41414141
0010b88c 6517add6 5d56f800 030f81c8 030f8488 libsbg!SCA_SyncHistoryDlg::qt_metacall+0x6f87
00000000 00000000 00000000 00000000 00000000 QtGui4!QButtonGroup::checkedId+0x6e9

=====[ Aggravating factors ]===================================================

It is possible to trigger the buffer overflow remotely if the user activates
the passive mode. In this case a remote attacker can set a destination
directory and exploit the vulnerability.

=====[ Timeline of disclosure ]===============================================

10/07/2017 - Vulnerability reported. Vendor did not respond.
10/17/2017 - Tried to contact vendor again, without success.
10/28/2017 - CVE assigned [2].
10/30/2017 - Advisory publication date.

=====[ Thanks & Acknowledgements ]============================================

  - Breno Cunha < brenodario () gmail.com >
  - Henrique Arcoverde < henrique.arcoverde () tempest.com.br >
  - Tempest Security Intelligence / Tempest's Pentest Team [3]

=====[ References ]===========================================================

[1] http://www.syncbreeze.com/
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15950
[3] http://www.tempest.com.br

=====[ EOF ]====================================================================
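
Added example (not part of the original advisory and not Tempest's or the vendor's code): a small Python triage script that parses the debugger output quoted under "Detailed description" and flags what it shows, an access violation with EIP and a saved return address consisting of printable ASCII bytes (0x41 = 'A'). The function names and the printable-ASCII heuristic are assumptions of this example.

```python
import re

# Excerpt of the debugger output quoted in the advisory (whitespace normalised).
CRASH_LOG = """\
(cb8.930): Access violation - code c0000005 (first chance)
eax=00000001 ebx=0010f118 ecx=00000000 edx=0010a1f4 esi=02091c98 edi=0314db50
eip=41414141 esp=0010b20c ebp=0010b264 iopl=0 nv up ei pl nz na po nc
STACK_TEXT:
0010b208 41414141 41414141 41414141 41414141 0x41414141
0010b264 0039bc37 0314db50 02132170 0110b884 0x41414141
0010b88c 6517add6 5d56f800 030f81c8 030f8488 libsbg!SCA_SyncHistoryDlg::qt_metacall+0x6f87
00000000 00000000 00000000 00000000 00000000 QtGui4!QButtonGroup::checkedId+0x6e9
"""

def parse_registers(log):
    """Return {register: value} for every 32-bit reg=xxxxxxxx pair in the log."""
    pairs = re.findall(r"\b(e[a-z]{2})=([0-9a-f]{8})\b", log)
    return {name: int(value, 16) for name, value in pairs}

def is_ascii_word(value):
    """True if all four bytes are printable ASCII, i.e. likely copied from text input."""
    return all(0x20 <= b <= 0x7E for b in value.to_bytes(4, "little"))

def parse_stack(log):
    """Return (child_ebp, return_address, symbol) for each STACK_TEXT frame."""
    frames = []
    for line in log.split("STACK_TEXT:", 1)[-1].splitlines():
        parts = line.split()
        if len(parts) >= 6 and all(re.fullmatch(r"[0-9a-f]{8}", p) for p in parts[:5]):
            frames.append((int(parts[0], 16), int(parts[1], 16), parts[5]))
    return frames

def triage(log):
    """Summarise the indicators of a stack overwrite reaching the instruction pointer."""
    regs = parse_registers(log)
    frames = parse_stack(log)
    code = re.search(r"code ([0-9a-f]{8})", log)
    resolved = [sym for _, _, sym in frames if "!" in sym]
    return {
        "access_violation": bool(code) and code.group(1) == "c0000005",
        "eip_from_input": is_ascii_word(regs.get("eip", 0)),
        "clobbered_return_addrs": sum(is_ascii_word(ret) for _, ret, _ in frames),
        "first_resolved_frame": resolved[0] if resolved else None,
    }

if __name__ == "__main__":
    for key, value in triage(CRASH_LOG).items():
        print(f"{key}: {value}")
```

The first resolved frame is only the nearest symbolised caller in the quoted stack text; it is a starting point for locating the unchecked copy, not proof of which function performs it.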