Document Title:
===============
Sync Breeze v9.5.16 - Buffer Overflow Vulnerabilities
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2045
Video: https://www.vulnerability-lab.com/get_content.php?id=2049
Release Date:
=============
2017-03-29
Vulnerability Laboratory ID (VL-ID):
====================================
2045
Common Vulnerability Scoring System:
====================================
5.2
Vulnerability Class:
====================
Buffer Overflow
Product & Service Introduction:
===============================
SyncBreeze is a fast, powerful and reliable file synchronization solution for local disks, network shares, NAS storage devices and enterprise
storage systems. Users are provided with multiple one-way and two-way file synchronization modes, periodic file synchronization, real-time
file synchronization, bit-level file synchronization, multi-stream file synchronization, background file synchronization and much more.
SyncBreeze is developed and supported by Flexense Ltd. - an independent software vendor specialized in data management software products
for automated disk space analysis, file classification, file synchronization, rule-based file management, server monitoring, file delete
and data wiping operations. Flexense Ltd. sells its software products to more than 75 countries around the world and provides full support
for all types of customers including consumers, small businesses, large enterprises, educational institutions and governments.
(Copy of the Vendor Homepage: http://www.syncbreeze.com/about.html)
Abstract Advisory Information:
==============================
The Vulnerability Laboratory core research team discovered multiple local buffer overflow vulnerabilities in the official Sync Breeze v9.5.16 software.
Vulnerability Disclosure Timeline:
==================================
2017-03-29: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Syncbreeze
Product: Sync Breeze - Desktop GUI (Web-Application) 9.5.16
Exploitation Technique:
=======================
Local
Severity Level:
===============
Medium
Technical Details & Description:
================================
Multiple local buffer overflow vulnerabilities have been detected in the official Sync Breeze v9.5.16 software.
The vulnerabilities allow local attackers to escalate out of the affected software modules with the privileges of the system process.
1.1
The first local buffer overflow vulnerability is located in the Synchronize Directories & Dirs modules. Attackers are able to submit an
arbitrarily large unicode payload [AAAAAAAAAAAAAAAA...+] in the Source Directory and Destination Directory fields, which is processed with the
privileges of the software process in the Extended or Expert / Configuration mode (buffer). The result is a locally exploitable buffer overflow
via the main executable syncbr.exe of the software.
Vulnerable Module(s):
[+] Synchronize Directories & Dirs
Vulnerable Directory(s):
[+] Source Directory
[+] Destination Directory
1.2
The second vulnerability is located in the Synchronize Directories & Rules & Advanced File Search Criteria modules. Attackers are able to
submit an arbitrarily large unicode payload [AAAAAAAAAAAAAAAA...+] through the search functions. The ExifTag, fileExtension and DirectoryName
fields are not filtered or sanitized when large inputs are saved via `Add` to the synchronize files matching criteria (buffer). The result
is a locally exploitable buffer overflow via the main executable syncbr.exe of the software.
[+] Search JPEG Images with Exif Tag
[+] Search Files With the file Extension
[+] Search Files With the Directory Name
1.3
The third vulnerability is located in the `Add` function of the `Synchronize Directories & Exclude` module. Local attackers are able to load
specially crafted, arbitrarily large unicode payloads like [AAAAAAAAAAAAAAAA...+] that overwrite the EIP register and compromise the local system
process of the software. An attacker who controls the EIP register can choose the next instruction to be executed, and so is able to
execute arbitrary code with the privileges of the software process. The `ADD` Exclude Directory input is not filtered or sanitized when large
inputs are saved. The result is a locally exploitable buffer overflow via the main executable syncbr.exe of the software.
Vulnerable Module(s):
[+] Synchronize Directories & Exclude
Vulnerable Function(s):
[+] Add
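All three issues described above follow the same pattern: text from a dialog field (a directory path, an Exif tag, a file extension, a directory name) is copied into a fixed-size buffer without a length check, so an over-long value overruns the buffer and clobbers the saved return address, which matches the EIP values in the crash logs. The following C example is added here to illustrate that pattern and its fix; it is hypothetical code written for this advisory, not Sync Breeze or Flexense source, and the buffer size, function names and result codes are assumptions for the illustration.

```c
#include <stdio.h>
#include <string.h>
#include <wchar.h>

/* Assumed fixed-size path buffer, as many Win32 GUI programs use (MAX_PATH is
 * 260 on Windows; hard-coded here so the example also builds elsewhere). */
#define PATH_BUF_CHARS 260

/* Vulnerable pattern (hypothetical): the dialog text is copied into a fixed
 * stack buffer with no length check. A path of PATH_BUF_CHARS or more wide
 * characters overruns the buffer and overwrites the saved frame pointer and
 * return address, the kind of EIP overwrite the advisory's crash logs show.
 * Not exercised by the tests: running it on over-long input is undefined
 * behaviour. */
int set_sync_dir_unchecked(const wchar_t *dialog_text)
{
    wchar_t path[PATH_BUF_CHARS];
    wcscpy(path, dialog_text);              /* no bound check: the defect */
    return (int)wcslen(path);
}

/* Hardened pattern: validate the length before any copy and reject an
 * over-long value instead of truncating it silently. */
typedef enum { SET_DIR_OK = 0, SET_DIR_TOO_LONG = 1, SET_DIR_EMPTY = 2 } set_dir_result;

set_dir_result set_sync_dir_checked(const wchar_t *dialog_text, wchar_t *out, size_t out_chars)
{
    size_t n = wcslen(dialog_text);
    if (n == 0)
        return SET_DIR_EMPTY;
    if (n >= out_chars)                     /* leave room for the terminator */
        return SET_DIR_TOO_LONG;
    memcpy(out, dialog_text, (n + 1) * sizeof(wchar_t));
    return SET_DIR_OK;
}

/* Convenience wrapper: validates into a PATH_BUF_CHARS-sized local buffer. */
set_dir_result check_dir_input(const wchar_t *dialog_text)
{
    wchar_t dest[PATH_BUF_CHARS];
    return set_sync_dir_checked(dialog_text, dest, PATH_BUF_CHARS);
}

/* Constructed input: a run of 'A' characters like the payload described in
 * the advisory (capped at the static buffer size). */
static wchar_t long_input[4096];

const wchar_t *make_long_input(size_t count)
{
    size_t cap = sizeof(long_input) / sizeof(long_input[0]) - 1;
    if (count > cap)
        count = cap;
    for (size_t i = 0; i < count; i++)
        long_input[i] = L'A';
    long_input[count] = L'\0';
    return long_input;
}

int main(void)
{
    printf("normal path : %d\n", check_dir_input(L"C:\\sync\\source"));
    printf("259 x 'A'   : %d\n", check_dir_input(make_long_input(259)));
    printf("2000 x 'A'  : %d\n", check_dir_input(make_long_input(2000)));
    return 0;
}
```

The boundary case matters: a 259-character path fits (259 characters plus the terminator fill the 260-element buffer), while 260 characters must be rejected, so the check is `n >= out_chars`, not `n > out_chars`. Rejecting rather than truncating also avoids silently synchronizing a different directory than the user typed.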
Proof of Concept (PoC):
=======================
1.1
The buffer overflow vulnerability can be exploited by local attackers with a local privileged system user account and without user interaction.
For security demonstration or to reproduce the security vulnerability, follow the provided information and steps below.
--- Debug Error Exception Log ---
(25d8.15c4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=00000000 ecx=00000000 edx=00113e1c esi=01eb9838 edi=02078b48
eip=34783134 esp=00114e34 ebp=00114e88 iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010212
34783134 ?? ???
-
00114e7c: 34783134
Invalid exception stack at 78313478
--- Debug Logs [00114e7c] ---
00114e7c 78 34 31 78 34 31 78 34-31 78 34 31 78 34 31 78 x41x41x41x41x41x
00114e8c 34 31 78 34 31 78 34 31-78 34 31 78 34 31 78 34 41x41x41x41x41x4
00114e9c 31 78 34 31 78 34 31 78-34 31 78 34 31 78 34 31 1x41x41x41x41x41
00114eac 78 34 31 78 34 31 78 34-31 78 34 31 78 34 31 78 x41x41x41x41x41x
00114ebc 34 31 78 34 31 78 34 31-78 34 31 78 34 31 78 34 41x41x41x41x41x4
00114ecc 31 78 34 31 78 34 31 78-34 31 78 34 31 78 34 31 1x41x41x41x41x41
00114edc 78 34 31 78 34 31 78 34-31 78 34 31 78 34 31 78 x41x41x41x41x41x
00114eec 34 31 78 34 31 78 34 31-78 34 31 78 34 31 78 34 41x41x41x41x41x4
--- Debug Logs [Exception Analysis] ---
FAULTING_IP:
+34783134
34783134 ?? ???
EXCEPTION_RECORD: ffffffff -- (.exr ffffffffffffffff)
ExceptionAddress: 34783134
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 34783134
Attempt to read from address 34783134
FAULTING_THREAD: 000015c4
PROCESS_NAME: syncbr.exe
FAULTING_MODULE: 77030000 ntdll
DEBUG_FLR_IMAGE_TIMESTAMP: 0
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
READ_ADDRESS: 34783134
BUGCHECK_STR: ACCESS_VIOLATION
IP_ON_HEAP: 78313478
The fault address in not in any loaded module, please check your build's rebase
log at <releasedir>\bin\build_logs\timebuild\ntrebase.log for module which may
contain the address if it were loaded.
IP_IN_FREE_BLOCK: 8001080000004
FRAME ONE INVALID: 1800200000000a
LAST_CONTROL_TRANSFER: from 78313478 to 34783134
FAILED_INSTRUCTION_ADDRESS:
+34783134
34783134 ?? ???
STACK_TEXT:
00114e30 78313478 34783134 31347831 78313478 0x34783134
00114e88 34783134 31347831 78313478 34783134 0x78313478
00114e8c 31347831 78313478 34783134 31347831 0x34783134
00114e90 78313478 34783134 31347831 78313478 0x31347831
00114e94 34783134 31347831 78313478 34783134 0x78313478
00114e98 31347831 78313478 34783134 31347831 0x34783134
00114e9c 78313478 34783134 31347831 78313478 0x31347831
00114ea0 34783134 31347831 78313478 34783134 0x78313478
00114ea4 31347831 78313478 34783134 31347831 0x34783134
00114ea8 78313478 34783134 31347831 78313478 0x31347831
00114eac 34783134 31347831 78313478 34783134 0x78313478
00114eb0 31347831 78313478 34783134 31347831 0x34783134
00114eb4 78313478 34783134 31347831 78313478 0x31347831
00114eb8 34783134 31347831 78313478 34783134 0x78313478
00114ebc 31347831 78313478 34783134 31347831 0x34783134
00114ec0 78313478 34783134 31347831 78313478 0x31347831
00114ec4 34783134 31347831 78313478 34783134 0x78313478
00114ec8 31347831 78313478 34783134 31347831 0x34783134
00114ecc 78313478 34783134 31347831 78313478 0x31347831
00114ed0 34783134 31347831 78313478 34783134 0x78313478
00114ed4 31347831 78313478 34783134 31347831 0x34783134
00114ed8 78313478 34783134 31347831 78313478 0x31347831
00114edc 34783134 31347831 78313478 34783134 0x78313478
00114ee0 31347831 78313478 34783134 31347831 0x34783134
00114ee4 78313478 34783134 31347831 78313478 0x31347831
00114ee8 34783134 31347831 78313478 34783134 0x78313478
00114eec 31347831 78313478 34783134 31347831 0x34783134
00114ef0 78313478 34783134 31347831 78313478 0x31347831
00114ef4 34783134 31347831 78313478 34783134 0x78313478
00114ef8 31347831 78313478 34783134 31347831 0x34783134
00114efc 78313478 34783134 31347831 78313478 0x31347831
00114f00 34783134 31347831 78313478 34783134 0x78313478
00114f04 31347831 78313478 34783134 31347831 0x34783134
00114f08 78313478 34783134 31347831 78313478 0x31347831
00114f0c 34783134 31347831 78313478 34783134 0x78313478
00114f10 31347831 78313478 34783134 31347831 0x34783134
00114f14 78313478 34783134 31347831 78313478 0x31347831
00114f18 34783134 31347831 78313478 34783134 0x78313478
00114f1c 31347831 78313478 34783134 31347831 0x34783134
00114f20 78313478 34783134 31347831 78313478 0x31347831
00114f24 34783134 31347831 78313478 34783134 0x78313478
00114f28 31347831 78313478 34783134 31347831 0x34783134
00114f2c 78313478 34783134 31347831 78313478 0x31347831
00114f30 34783134 31347831 78313478 34783134 0x78313478
00114f34 31347831 78313478 34783134 31347831 0x34783134
00114f38 78313478 34783134 31347831 78313478 0x31347831
00114f3c 34783134 31347831 78313478 34783134 0x78313478
00114f40 31347831 78313478 34783134 31347831 0x34783134
00114f44 78313478 34783134 31347831 78313478 0x31347831
00114f48 34783134 31347831 78313478 34783134 0x78313478
00114f4c 31347831 78313478 34783134 31347831 0x34783134
00114f50 78313478 34783134 31347831 78313478 0x31347831
00114f54 34783134 31347831 78313478 34783134 0x78313478
00114f58 31347831 78313478 34783134 31347831 0x34783134
00114f5c 78313478 34783134 31347831 78313478 0x31347831
00114f60 34783134 31347831 78313478 34783134 0x78313478
00114f64 31347831 78313478 34783134 31347831 0x34783134
00114f68 78313478 34783134 31347831 78313478 0x31347831
00114f6c 34783134 31347831 78313478 34783134 0x78313478
00114f70 31347831 78313478 34783134 31347831 0x34783134
00114f74 78313478 34783134 31347831 78313478 0x31347831
00114f78 34783134 31347831 78313478 34783134 0x78313478
00114f7c 31347831 78313478 34783134 31347831 0x34783134
00114f80 78313478 34783134 31347831 78313478 0x31347831
00114f84 34783134 31347831 78313478 34783134 0x78313478
00114f88 31347831 78313478 34783134 31347831 0x34783134
00114f8c 78313478 34783134 31347831 78313478 0x31347831
00114f90 34783134 31347831 78313478 34783134 0x78313478
00114f94 31347831 78313478 34783134 31347831 0x34783134
00114f98 78313478 34783134 31347831 78313478 0x31347831
00114f9c 34783134 31347831 78313478 34783134 0x78313478
00114fa0 31347831 78313478 34783134 31347831 0x34783134
00114fa4 78313478 34783134 31347831 78313478 0x31347831
00114fa8 34783134 31347831 78313478 34783134 0x78313478
00114fac 31347831 78313478 34783134 31347831 0x34783134
DEFAULT_BUCKET_ID: WRONG_SYMBOLS
PRIMARY_PROBLEM_CLASS: STACK_CORRUPTION
SYMBOL_NAME: ANALYSIS_INCONCLUSIVE
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: Unknown_Module
IMAGE_NAME: Unknown_Image
STACK_COMMAND: ~0s ; k
BUCKET_ID: WRONG_SYMBOLS
Note: The access violation with the exception and followup offsets shows that the ecx & eip registers were overwritten.
1.2
The second vulnerability is located in the "Synchronize Directories & Rules & Advanced File Search Criteria" module.
The module allows a local user to submit an arbitrarily large unicode payload in:
[+] Search JPEG Images with Exif Tag
[+] Search Files With the file Extension
[+] Search Files With the Directory Name
--- Exception Log ---
(24c8.17dc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=00000000 edx=00114ce0 esi=31347831 edi=02075bd8
eip=100c8396 esp=00114cd0 ebp=00114e1c iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010212
*** WARNING: Unable to verify checksum for C:\Program Files\Sync Breeze\bin\libspg.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Sync Breeze\bin\libspg.dll -
libspg!SCA_SearchRuleDialog::qt_metacall+0xac86:
100c8396 89465c mov dword ptr [esi+5Ch],eax ds:0023:3134788d=????????
00114e0c 31 78 34 31 78 34 31 78-ff ff ff ff 31 78 34 31 1x41x41x....1x41
00114e1c 78 34 31 78 34 31 78 34-31 78 34 31 78 34 31 78 x41x41x41x41x41x
00114e2c 34 31 78 34 31 78 34 31-78 34 31 78 34 31 78 34 41x41x41x41x41x4
00114e3c 31 78 34 31 78 34 31 78-34 31 78 34 31 78 34 31 1x41x41x41x41x41
00114e4c 78 34 31 78 34 31 78 34-31 78 34 31 78 34 31 78 x41x41x41x41x41x
00114e5c 34 31 78 34 31 78 34 31-78 34 31 78 34 31 78 34 41x41x41x41x41x4
00114e6c 31 78 34 31 78 34 31 78-34 31 78 34 31 78 34 31 1x41x41x41x41x41
00114e7c 78 34 31 78 34 31 78 34-31 78 34 31 78 34 31 78 x41x41x41x41x41x
Note: The access violation with the exception and followup offsets shows that the ecx & eip registers were overwritten.
1.3
The third vulnerability is located in the `Add` function of the `Synchronize Directories & Exclude` module.
--- Exception Log ---
(1e70.1448): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=01ed61b0 ebx=00000000 ecx=34783134 edx=01ed61b0 esi=00000001 edi=01eb0780
eip=34783134 esp=00114ee4 ebp=00115384 iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010212
34783134 ??
--- [Crash handler - syncbr.exe] ---
Problem Event Name: APPCRASH
Application Name: syncbr.exe
Application Version: 0.0.0.0
Application Timestamp: 58ca8a9a
Fault Module Name: StackHash_e98d
Fault Module Version: 0.0.0.0
Fault Module Timestamp: 00000000
Exception Code: c0000005
Exception Offset: 34783134
OS Version: 6.1.7600.2.0.0.256.1
Locale ID: 1033
Additional Information 1: e98d
Additional Information 2: e98dfca8bcf81bc1740adb135579ad53
Additional Information 3: 6eab
Additional Information 4: 6eabdd9e0dc94904be3b39a1c0583635
Note: The access violation with the exception and followup offsets shows that the ecx & eip registers were overwritten.
Security Risk:
==============
The security risk of the multiple local buffer overflow vulnerabilities in the official Sync Breeze v9.5.16 software is estimated as medium. (CVSS 5.2)
Credits & Authors:
==================
Vulnerability Laboratory [Core Research Team] - SaifAllah benMassaoud (http://www.vulnerability-lab.com/show.php?user=SaifAllahbenMassaoud)
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or
implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any
case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability Labs or its
suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for incidental
or consequential damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface
websites, hack into databases or trade with stolen data. We have no need for criminal activities or membership requests. We do not publish advisories
or vulnerabilities of religious-, militant- and racist- hacker/analyst/researcher groups or individuals. We do not publish trade researcher mails,
phone numbers, conversations or anything else to journalists, investigative authorities or private individuals.
Domains: www.vulnerability-lab.com - www.vulnerability-db.com - www.evolution-sec.com
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark
of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get an ask permission.
Copyright © 2017 | Vulnerability Laboratory - [Evolution Security GmbH]™