Sync Breeze v9.5.16 - Buffer Overflow Vulnerabilities

2017-03-29T00:00:00
ID VULNERLAB:2045
Type vulnerlab
Reporter Vulnerability Laboratory [Core Research Team] - SaifAllah benMassaoud (http://www.vulnerability-lab.com/show.php?user=SaifAllahbenMassaoud)
Modified 2017-03-29T00:00:00

Description

Document Title:
===============
Sync Breeze v9.5.16 - Buffer Overflow Vulnerabilities


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2045

Video: https://www.vulnerability-lab.com/get_content.php?id=2049


Release Date:
=============
2017-03-29


Vulnerability Laboratory ID (VL-ID):
====================================
2045


Common Vulnerability Scoring System:
====================================
5.2


Vulnerability Class:
====================
Buffer Overflow


Product & Service Introduction:
===============================
SyncBreeze is a fast, powerful and reliable file synchronization solution for local disks, network shares, NAS storage devices and enterprise 
storage systems. Users are provided with multiple one-way and two-way file synchronization modes, periodic file synchronization, real-time 
file synchronization, bit-level file synchronization, multi-stream file synchronization, background file synchronization and much more. 
SyncBreeze is developed and supported by Flexense Ltd. - an independent software vendor specialized in data management software products 
for automated disk space analysis, file classification, file synchronization, rule-based file management, server monitoring, file delete 
and data wiping operations. Flexense Ltd. sells its software products to more than 75 countries around the world and provides full support 
for all types of customers including consumers, small businesses, large enterprises, educational institutions and governments.

(Copy of the Vendor Homepage: http://www.syncbreeze.com/about.html)


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Core Research Team discovered multiple local buffer overflow vulnerabilities in the official Sync Breeze v9.5.16 software.



Vulnerability Disclosure Timeline:
==================================
2017-03-29: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Syncbreeze
Product: Sync Breeze - Desktop GUI (Web-Application) 9.5.16


Exploitation Technique:
=======================
Local


Severity Level:
===============
Medium


Technical Details & Description:
================================
Multiple local buffer overflow vulnerabilities were detected in the official Sync Breeze v9.5.16 software.
The vulnerabilities allow local attackers to break out of the affected software modules and run with system process privileges.


1.1
The first local buffer overflow vulnerability is located in the Synchronize Directories & Dirs module. Attackers are able to submit an 
arbitrarily large unicode payload [AAAAAAAAAAAAAAAA...+] in the Source Directory and Destination Directory fields, which is processed with 
the privileges of the software process when the Extended or Expert / Configuration mode handles the input (buffer). The result is a locally 
exploitable buffer overflow in the main executable syncbr.exe of the software.

Vulnerable Module(s):
[+] Synchronize Directories & Dirs

Vulnerable Directory(s):
[+] Source Directory
[+] Destination Directory


1.2
The second vulnerability is located in the Synchronize Directories & Rules & Advanced File Search Criteria module. Attackers are able to 
submit an arbitrarily large unicode payload [AAAAAAAAAAAAAAAA...+] through the search functions. The ExifTag, fileExtension and DirectoryName 
fields are not filtered or sanitized when large inputs are saved via `Add` to the synchronize files matching criteria (buffer). The result 
is a locally exploitable buffer overflow in the main executable syncbr.exe of the software.

Vulnerable Module(s):
[+] Synchronize Directories & Rules & Advanced File Search Criteria

Vulnerable Input(s):
[+] Search JPEG Images with Exif Tag
[+] Search Files With the file Extension
[+] Search Files With the Directory Name


1.3
The third vulnerability is located in the `Add` function of the `Synchronize Directories & Exclude` module. Local attackers are able to load 
specially crafted, arbitrarily large unicode payloads like [AAAAAAAAAAAAAAAA...+] that overwrite the EIP register and compromise the local 
system process of the software. An attacker who controls the EIP register can choose the next instruction that executes, and is thereby able 
to execute arbitrary code with the privileges of the software process. The `Add` Exclude Directory input is not filtered or sanitized when 
large inputs are saved. The result is a locally exploitable buffer overflow in the main executable syncbr.exe of the software.

Vulnerable Module(s):
[+] Synchronize Directories & Exclude

Vulnerable Function(s):
[+] Add
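The three findings above share one root cause: a string typed into a GUI field is copied into a fixed-size buffer without a length check, so an input longer than the field runs over the adjacent stack data, including the saved return address that the crash logs below show being replaced. The following C example is added here for illustration and is not code from the advisory or from Flexense; it contrasts that unbounded copy with a bounded setter. The record layout, the 260-character field size and the function names are assumptions.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

/* Assumed record layout (not taken from SyncBreeze): fixed-size UTF-16 path
   fields of the kind a GUI text box is copied into. The two directory
   fields are the ones the advisory's first finding names. */
#define MAX_PATH_CHARS 260

typedef struct {
    wchar_t source_dir[MAX_PATH_CHARS];
    wchar_t destination_dir[MAX_PATH_CHARS];
} sync_rule_t;

/* Vulnerable pattern: the input length is never compared with the field.
   Anything longer than MAX_PATH_CHARS - 1 characters is written past the
   array, over the neighbouring field and, when the record lives on the
   stack, over the saved return address. Shown for contrast only; nothing
   in this example calls it. */
void set_source_dir_unbounded(sync_rule_t *rule, const wchar_t *user_input)
{
    wcscpy(rule->source_dir, user_input);
}

/* Bounded length scan: stops at limit, so an unterminated input cannot make
   the check itself read further than the field could hold. */
static size_t bounded_wlen(const wchar_t *s, size_t limit)
{
    size_t n = 0;
    while (n < limit && s[n] != L'\0') n++;
    return n;
}

/* Hardened form: reject input that does not fit, copy with an explicit
   bound, and always terminate. Returns 0 on success, -1 if the input is
   missing or too long for the field. */
int set_source_dir_bounded(sync_rule_t *rule, const wchar_t *user_input)
{
    if (rule == NULL || user_input == NULL)
        return -1;
    size_t len = bounded_wlen(user_input, MAX_PATH_CHARS);
    if (len >= MAX_PATH_CHARS)
        return -1;                      /* no room left for the terminator */
    memcpy(rule->source_dir, user_input, len * sizeof(wchar_t));
    rule->source_dir[len] = L'\0';
    return 0;
}

/* Exercise the hardened setter with a constructed input of n repeated 'A'
   characters (the advisory's test string) and return its result code.
   Returns -2 if the copy succeeded but the stored data is not exactly the
   input or the neighbouring field was touched. */
int bounded_copy_result(size_t n)
{
    wchar_t *input = malloc((n + 1) * sizeof(wchar_t));
    if (input == NULL) return -1;
    for (size_t i = 0; i < n; i++) input[i] = L'A';
    input[n] = L'\0';

    sync_rule_t rule;
    memset(&rule, 0, sizeof rule);
    int rc = set_source_dir_bounded(&rule, input);
    if (rc == 0 && (wcslen(rule.source_dir) != n || rule.destination_dir[0] != L'\0'))
        rc = -2;
    free(input);
    return rc;
}

int main(void)
{
    /* A 259-character path fits; a 5000-character one is rejected instead of
       overflowing. */
    return (bounded_copy_result(259) == 0 && bounded_copy_result(5000) == -1) ? 0 : 1;
}
```

The hardened setter rejects rather than truncates: silently cutting a path at 259 characters would make the rule refer to a different directory than the user typed, so returning an error the GUI can surface is the safer behaviour.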


Proof of Concept (PoC):
=======================
1.1
The buffer overflow vulnerability can be exploited by local attackers with a local privileged system user account and without required user interaction.
For security demonstration or to reproduce the security vulnerability, follow the provided information and steps below.


--- Debug Error Exception Log ---
(25d8.15c4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=00000000 ecx=00000000 edx=00113e1c esi=01eb9838 edi=02078b48
eip=34783134 esp=00114e34 ebp=00114e88 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010212
34783134 ??              ???
- 
00114e7c: 34783134
Invalid exception stack at 78313478


--- Debug Logs [00114e7c] --- 
00114e7c  78 34 31 78 34 31 78 34-31 78 34 31 78 34 31 78  x41x41x41x41x41x
00114e8c  34 31 78 34 31 78 34 31-78 34 31 78 34 31 78 34  41x41x41x41x41x4
00114e9c  31 78 34 31 78 34 31 78-34 31 78 34 31 78 34 31  1x41x41x41x41x41
00114eac  78 34 31 78 34 31 78 34-31 78 34 31 78 34 31 78  x41x41x41x41x41x
00114ebc  34 31 78 34 31 78 34 31-78 34 31 78 34 31 78 34  41x41x41x41x41x4
00114ecc  31 78 34 31 78 34 31 78-34 31 78 34 31 78 34 31  1x41x41x41x41x41
00114edc  78 34 31 78 34 31 78 34-31 78 34 31 78 34 31 78  x41x41x41x41x41x
00114eec  34 31 78 34 31 78 34 31-78 34 31 78 34 31 78 34  41x41x41x41x41x4


--- Debug Logs [Exception Analysis] ---
FAULTING_IP: 
+34783134
34783134 ??              ???

EXCEPTION_RECORD:  ffffffff -- (.exr ffffffffffffffff)
ExceptionAddress: 34783134
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 34783134
Attempt to read from address 34783134
FAULTING_THREAD:  000015c4
PROCESS_NAME:  syncbr.exe
FAULTING_MODULE: 77030000 ntdll
DEBUG_FLR_IMAGE_TIMESTAMP:  0
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
READ_ADDRESS:  34783134 
BUGCHECK_STR:  ACCESS_VIOLATION
IP_ON_HEAP:  78313478
The fault address in not in any loaded module, please check your build's rebase
log at <releasedir>\bin\build_logs\timebuild\ntrebase.log for module which may
contain the address if it were loaded.
IP_IN_FREE_BLOCK: 8001080000004
FRAME ONE INVALID: 1800200000000a
LAST_CONTROL_TRANSFER:  from 78313478 to 34783134

FAILED_INSTRUCTION_ADDRESS: 
+34783134
34783134 ??              ???

STACK_TEXT:  
00114e30 78313478 34783134 31347831 78313478 0x34783134
00114e88 34783134 31347831 78313478 34783134 0x78313478
00114e8c 31347831 78313478 34783134 31347831 0x34783134
00114e90 78313478 34783134 31347831 78313478 0x31347831
00114e94 34783134 31347831 78313478 34783134 0x78313478
00114e98 31347831 78313478 34783134 31347831 0x34783134
00114e9c 78313478 34783134 31347831 78313478 0x31347831
00114ea0 34783134 31347831 78313478 34783134 0x78313478
00114ea4 31347831 78313478 34783134 31347831 0x34783134
00114ea8 78313478 34783134 31347831 78313478 0x31347831
00114eac 34783134 31347831 78313478 34783134 0x78313478
00114eb0 31347831 78313478 34783134 31347831 0x34783134
00114eb4 78313478 34783134 31347831 78313478 0x31347831
00114eb8 34783134 31347831 78313478 34783134 0x78313478
00114ebc 31347831 78313478 34783134 31347831 0x34783134
00114ec0 78313478 34783134 31347831 78313478 0x31347831
00114ec4 34783134 31347831 78313478 34783134 0x78313478
00114ec8 31347831 78313478 34783134 31347831 0x34783134
00114ecc 78313478 34783134 31347831 78313478 0x31347831
00114ed0 34783134 31347831 78313478 34783134 0x78313478
00114ed4 31347831 78313478 34783134 31347831 0x34783134
00114ed8 78313478 34783134 31347831 78313478 0x31347831
00114edc 34783134 31347831 78313478 34783134 0x78313478
00114ee0 31347831 78313478 34783134 31347831 0x34783134
00114ee4 78313478 34783134 31347831 78313478 0x31347831
00114ee8 34783134 31347831 78313478 34783134 0x78313478
00114eec 31347831 78313478 34783134 31347831 0x34783134
00114ef0 78313478 34783134 31347831 78313478 0x31347831
00114ef4 34783134 31347831 78313478 34783134 0x78313478
00114ef8 31347831 78313478 34783134 31347831 0x34783134
00114efc 78313478 34783134 31347831 78313478 0x31347831
00114f00 34783134 31347831 78313478 34783134 0x78313478
00114f04 31347831 78313478 34783134 31347831 0x34783134
00114f08 78313478 34783134 31347831 78313478 0x31347831
00114f0c 34783134 31347831 78313478 34783134 0x78313478
00114f10 31347831 78313478 34783134 31347831 0x34783134
00114f14 78313478 34783134 31347831 78313478 0x31347831
00114f18 34783134 31347831 78313478 34783134 0x78313478
00114f1c 31347831 78313478 34783134 31347831 0x34783134
00114f20 78313478 34783134 31347831 78313478 0x31347831
00114f24 34783134 31347831 78313478 34783134 0x78313478
00114f28 31347831 78313478 34783134 31347831 0x34783134
00114f2c 78313478 34783134 31347831 78313478 0x31347831
00114f30 34783134 31347831 78313478 34783134 0x78313478
00114f34 31347831 78313478 34783134 31347831 0x34783134
00114f38 78313478 34783134 31347831 78313478 0x31347831
00114f3c 34783134 31347831 78313478 34783134 0x78313478
00114f40 31347831 78313478 34783134 31347831 0x34783134
00114f44 78313478 34783134 31347831 78313478 0x31347831
00114f48 34783134 31347831 78313478 34783134 0x78313478
00114f4c 31347831 78313478 34783134 31347831 0x34783134
00114f50 78313478 34783134 31347831 78313478 0x31347831
00114f54 34783134 31347831 78313478 34783134 0x78313478
00114f58 31347831 78313478 34783134 31347831 0x34783134
00114f5c 78313478 34783134 31347831 78313478 0x31347831
00114f60 34783134 31347831 78313478 34783134 0x78313478
00114f64 31347831 78313478 34783134 31347831 0x34783134
00114f68 78313478 34783134 31347831 78313478 0x31347831
00114f6c 34783134 31347831 78313478 34783134 0x78313478
00114f70 31347831 78313478 34783134 31347831 0x34783134
00114f74 78313478 34783134 31347831 78313478 0x31347831
00114f78 34783134 31347831 78313478 34783134 0x78313478
00114f7c 31347831 78313478 34783134 31347831 0x34783134
00114f80 78313478 34783134 31347831 78313478 0x31347831
00114f84 34783134 31347831 78313478 34783134 0x78313478
00114f88 31347831 78313478 34783134 31347831 0x34783134
00114f8c 78313478 34783134 31347831 78313478 0x31347831
00114f90 34783134 31347831 78313478 34783134 0x78313478
00114f94 31347831 78313478 34783134 31347831 0x34783134
00114f98 78313478 34783134 31347831 78313478 0x31347831
00114f9c 34783134 31347831 78313478 34783134 0x78313478
00114fa0 31347831 78313478 34783134 31347831 0x34783134
00114fa4 78313478 34783134 31347831 78313478 0x31347831
00114fa8 34783134 31347831 78313478 34783134 0x78313478
00114fac 31347831 78313478 34783134 31347831 0x34783134


DEFAULT_BUCKET_ID:  WRONG_SYMBOLS
PRIMARY_PROBLEM_CLASS:  STACK_CORRUPTION
SYMBOL_NAME:  ANALYSIS_INCONCLUSIVE
FOLLOWUP_NAME:  MachineOwner
MODULE_NAME: Unknown_Module
IMAGE_NAME:  Unknown_Image
STACK_COMMAND:  ~0s ; k
BUCKET_ID:  WRONG_SYMBOLS

Note: The access violation with the exception and followup offsets shows that the ecx & eip registers were overwritten.



1.2
The second vulnerability is located in the "Synchronize Directories & Rules & Advanced File Search Criteria" module.
The module allows a local user to submit an arbitrarily large unicode payload in:

[+] Search JPEG Images with Exif Tag
[+] Search Files With the file Extension 
[+] Search Files With the Directory Name

--- Exception Log ---
(24c8.17dc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=00000000 edx=00114ce0 esi=31347831 edi=02075bd8
eip=100c8396 esp=00114cd0 ebp=00114e1c iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010212
*** WARNING: Unable to verify checksum for C:\Program Files\Sync Breeze\bin\libspg.dll
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Sync Breeze\bin\libspg.dll - 
libspg!SCA_SearchRuleDialog::qt_metacall+0xac86:
100c8396 89465c          mov     dword ptr [esi+5Ch],eax ds:0023:3134788d=????????

00114e0c  31 78 34 31 78 34 31 78-ff ff ff ff 31 78 34 31  1x41x41x....1x41
00114e1c  78 34 31 78 34 31 78 34-31 78 34 31 78 34 31 78  x41x41x41x41x41x
00114e2c  34 31 78 34 31 78 34 31-78 34 31 78 34 31 78 34  41x41x41x41x41x4
00114e3c  31 78 34 31 78 34 31 78-34 31 78 34 31 78 34 31  1x41x41x41x41x41
00114e4c  78 34 31 78 34 31 78 34-31 78 34 31 78 34 31 78  x41x41x41x41x41x
00114e5c  34 31 78 34 31 78 34 31-78 34 31 78 34 31 78 34  41x41x41x41x41x4
00114e6c  31 78 34 31 78 34 31 78-34 31 78 34 31 78 34 31  1x41x41x41x41x41
00114e7c  78 34 31 78 34 31 78 34-31 78 34 31 78 34 31 78  x41x41x41x41x41x

Note: The access violation with the exception and followup offsets shows that the ecx & eip registers were overwritten.



1.3
The third vulnerability is located in the `Add` function of the `Synchronize Directories & Exclude` module.


--- Exception Log ---
(1e70.1448): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=01ed61b0 ebx=00000000 ecx=34783134 edx=01ed61b0 esi=00000001 edi=01eb0780
eip=34783134 esp=00114ee4 ebp=00115384 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010212
34783134 ??    


--- [Crash handler - syncbr.exe] ---
  Problem Event Name:	APPCRASH
  Application Name:	syncbr.exe
  Application Version:	0.0.0.0
  Application Timestamp:	58ca8a9a
  Fault Module Name:	StackHash_e98d
  Fault Module Version:	0.0.0.0
  Fault Module Timestamp:	00000000
  Exception Code:	c0000005
  Exception Offset:	34783134
  OS Version:	6.1.7600.2.0.0.256.1
  Locale ID:	1033
  Additional Information 1:	e98d
  Additional Information 2:	e98dfca8bcf81bc1740adb135579ad53
  Additional Information 3:	6eab
  Additional Information 4:	6eabdd9e0dc94904be3b39a1c0583635


Note: The access violation with the exception and followup offsets shows that the ecx & eip registers were overwritten.
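Reading the three register dumps, as an added crash-triage example that is not part of the advisory: on x86 the bytes of a register sit in memory lowest byte first, so the eip value 34783134 from logs 1.1 and 1.3 decodes to the text "41x4", the same "x41x41" run that fills the memory dumps, which is what lets an analyst say the instruction pointer was replaced by the submitted string. In log 1.2, eip=100c8396 is a genuine libspg.dll address while esi=31347831 is input text, so that fault is a write through an input-controlled pointer rather than a direct jump. The C below parses register lines of this shape and applies that rule; the two register lines are embedded from the advisory's logs, and the "all four bytes printable" classification is a heuristic of this example, not a WinDbg feature.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Register lines copied from the advisory's 1.1 and 1.2 crash logs, embedded
   here so the example runs offline. */
static const char *LOG_1_1 =
    "eax=00000001 ebx=00000000 ecx=00000000 edx=00113e1c esi=01eb9838 edi=02078b48\n"
    "eip=34783134 esp=00114e34 ebp=00114e88 iopl=0         nv up ei pl nz ac po nc\n";
static const char *LOG_1_2 =
    "eax=00000000 ebx=00000000 ecx=00000000 edx=00114ce0 esi=31347831 edi=02075bd8\n"
    "eip=100c8396 esp=00114cd0 ebp=00114e1c iopl=0         nv up ei pl nz ac po nc\n";

/* Find "name=" at a token boundary in a WinDbg register dump and parse the
   eight hex digits after it. Returns 1 and stores the value on success,
   0 if the register is absent or malformed. */
int find_register(const char *dump, const char *name, uint32_t *value)
{
    char key[16];
    snprintf(key, sizeof key, "%s=", name);
    const char *p = dump;
    while ((p = strstr(p, key)) != NULL) {
        if (p == dump || isspace((unsigned char)p[-1])) {
            p += strlen(key);
            uint32_t v = 0;
            for (int i = 0; i < 8; i++) {
                int c = tolower((unsigned char)p[i]);
                int d;
                if (c >= '0' && c <= '9') d = c - '0';
                else if (c >= 'a' && c <= 'f') d = c - 'a' + 10;
                else return 0;
                v = (v << 4) | (uint32_t)d;
            }
            *value = v;
            return 1;
        }
        p += strlen(key);
    }
    return 0;
}

uint32_t register_value_or_zero(const char *dump, const char *name)
{
    uint32_t v;
    return find_register(dump, name, &v) ? v : 0;
}

/* Write the value's bytes in memory order (little-endian) as text into
   out[5]; unprintable bytes become '.'. Returns how many were printable. */
int decode_le_ascii(uint32_t value, char out[5])
{
    int printable = 0;
    for (int i = 0; i < 4; i++) {
        unsigned char b = (unsigned char)(value >> (8 * i));
        if (isprint(b)) { out[i] = (char)b; printable++; }
        else out[i] = '.';
    }
    out[4] = '\0';
    return printable;
}

int decode_matches(uint32_t value, const char *expected)
{
    char text[5];
    decode_le_ascii(value, text);
    return strcmp(text, expected) == 0;
}

/* Triage heuristic (this example's, not WinDbg's): a register whose four
   bytes are all printable text was almost certainly filled from the
   submitted string rather than by the program. */
int register_is_input_derived(uint32_t value)
{
    char text[5];
    return decode_le_ascii(value, text) == 4;
}

/* Classify one dump: 1 = eip itself is input-derived (direct control of
   execution, logs 1.1 and 1.3), 2 = eip is a real code address but the
   pointer register used by the faulting instruction is input-derived
   (log 1.2), 0 = neither, -1 = no eip found. */
int classify_dump(const char *dump, const char *ptr_reg)
{
    uint32_t eip, ptr;
    if (!find_register(dump, "eip", &eip)) return -1;
    if (register_is_input_derived(eip)) return 1;
    if (find_register(dump, ptr_reg, &ptr) && register_is_input_derived(ptr)) return 2;
    return 0;
}

int main(void)
{
    char text[5];
    uint32_t eip = register_value_or_zero(LOG_1_1, "eip");
    decode_le_ascii(eip, text);
    printf("1.1: eip=%08x -> \"%s\" class=%d\n", eip, text, classify_dump(LOG_1_1, "esi"));
    printf("1.2: class=%d\n", classify_dump(LOG_1_2, "esi"));
    return 0;
}
```

For log 1.2 the pointer register to pass is esi because the faulting instruction shown is `mov dword ptr [esi+5Ch],eax`; the heuristic does not read the disassembly, so the analyst supplies that register name.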


Security Risk:
==============
The security risk of the multiple local buffer overflow vulnerabilities in the official Sync Breeze v9.5.16 software is estimated as medium. (CVSS 5.2)


Credits & Authors:
==================
Vulnerability Laboratory [Core Research Team] - SaifAllah benMassaoud (http://www.vulnerability-lab.com/show.php?user=SaifAllahbenMassaoud)


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or 
implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any 
case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability Labs or its 
suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for incidental
or consequential damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface 
websites, hack into databases or trade with stolen data. We have no need for criminal activities or membership requests. We do not publish advisories 
or vulnerabilities of religious-, militant- and racist- hacker/analyst/researcher groups or individuals. We do not publish trade researcher mails, 
phone numbers, conversations or anything else to journalists, investigative authorities or private individuals. 

Domains:    www.vulnerability-lab.com		- www.vulnerability-db.com					- www.evolution-sec.com
Programs:   vulnerability-lab.com/submit.php 	- vulnerability-lab.com/list-of-bug-bounty-programs.php 	- vulnerability-lab.com/register.php
Feeds:	    vulnerability-lab.com/rss/rss.php 	- vulnerability-lab.com/rss/rss_upcoming.php 			- vulnerability-lab.com/rss/rss_news.php
Social:	    twitter.com/vuln_lab		- facebook.com/VulnerabilityLab 				- youtube.com/user/vulnerability0lab

Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
Vulnerability Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark 
of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material, contact (admin@) to ask for permission.

				    Copyright © 2017 | Vulnerability Laboratory - [Evolution Security GmbH]™