Document Title:
===============
Sync Breeze v9.5.16 - Buffer Overflow Vulnerabilities

Date:
=====
2017-03-28

References:
===========
https://www.vulnerability-lab.com/get_content.php?id=2045

Video: https://www.vulnerability-lab.com/get_content.php?id=2049

VL-ID:
=====
2045

Common Vulnerability Scoring System:
====================================
5.2

Vulnerability Class:
====================
Buffer Overflow

Introduction:
=============
SyncBreeze is a fast, powerful and reliable file synchronization solution for local disks, network shares, NAS storage devices and enterprise storage systems. Users are provided with multiple one-way and two-way file synchronization modes, periodic file synchronization, real-time file synchronization, bit-level file synchronization, multi-stream file synchronization, background file synchronization and much more.

SyncBreeze is developed and supported by Flexense Ltd. - an independent software vendor specialized in data management software products for automated disk space analysis, file classification, file synchronization, rule-based file management, server monitoring, file delete and data wiping operations. Flexense Ltd. sells its software products to more than 75 countries around the world and provides full support for all types of customers including consumers, small businesses, large enterprises, educational institutions and governments.

(Copy of the Vendor Homepage: http://www.syncbreeze.com/about.html)

Abstract:
=========
The Vulnerability Laboratory Core Research Team discovered multiple local buffer overflow vulnerabilities in the official Sync Breeze v9.5.16 software.
Report-Timeline:
================
2017-03-29: Public Disclosure (Vulnerability Laboratory)

Status:
========
Published

Affected Products:
==================
Syncbreeze
Product: Sync Breeze - Desktop GUI (Web-Application) v9.5.16

Exploitation-Technique:
=======================
Local

Severity:
=========
Medium

Details:
========
Multiple local buffer overflow vulnerabilities have been detected in the official Sync Breeze v9.5.16 software. The vulnerabilities allow local attackers to escalate out of the affected software modules with the privileges of the system process.

1.1
The first local buffer overflow vulnerability is located in the Synchronize Directories & Dirs module. Attackers are able to submit an arbitrarily large unicode payload [AAAAAAAAAAAAAAAA...+] in the Source Directory and Destination Directory fields, which is processed with the privileges of the software process in Extended or Expert / Configuration mode (buffer). The result is a locally exploitable buffer overflow in the main executable syncbr.exe of the software.

Vulnerable Module(s):
[+] Synchronize Directories & Dirs

Vulnerable Directory(s):
[+] Source Directory
[+] Destination Directory

1.2
The second vulnerability is located in the Synchronize Directories & Rules & Advanced File Search Criteria modules. Attackers are able to submit an arbitrarily large unicode payload [AAAAAAAAAAAAAAAA...+] through the search functions. The ExifTag, fileExtension and DirectoryName fields are not filtered or sanitized when large inputs are saved via Add to the synchronize files matching criteria (buffer). The result is a locally exploitable buffer overflow in the main executable syncbr.exe of the software.

[+] Search JPEG Images with Exif Tag
[+] Search Files With the file Extension
[+] Search Files With the Directory Name

1.3
The third vulnerability is located in the `Add` function of the `Synchronize Directories & Exclude` module.
Local attackers are able to load specially crafted, arbitrarily large unicode payloads like [AAAAAAAAAAAAAAAA...+] to overwrite the EIP register and compromise the local system process of the software. An attacker can manipulate the EIP register to execute the next instruction of their choice, and is thereby able to execute arbitrary code with the privileges of the software process. The `Add` Exclude Directory input is not filtered or sanitized when large inputs are saved. The result is a locally exploitable buffer overflow in the main executable syncbr.exe of the software.

Vulnerable Module(s):
[+] Synchronize Directories & Exclude

Vulnerable Function(s):
[+] Add

Proof of Concept:
=================
1.1
The buffer overflow vulnerability can be exploited by local attackers with a local privileged system user account and without user interaction. For a security demonstration or to reproduce the security vulnerability, follow the provided information and steps below.

--- Debug Error Exception Log ---
(25d8.15c4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=00000000 ecx=00000000 edx=00113e1c esi=01eb9838 edi=02078b48
eip=34783134 esp=00114e34 ebp=00114e88 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010212
34783134 ??              ???
- 00114e7c: 34783134
Invalid exception stack at 78313478

--- Debug Logs [00114e7c] ---
00114e7c  78 34 31 78 34 31 78 34-31 78 34 31 78 34 31 78  x41x41x41x41x41x
00114e8c  34 31 78 34 31 78 34 31-78 34 31 78 34 31 78 34  41x41x41x41x41x4
00114e9c  31 78 34 31 78 34 31 78-34 31 78 34 31 78 34 31  1x41x41x41x41x41
00114eac  78 34 31 78 34 31 78 34-31 78 34 31 78 34 31 78  x41x41x41x41x41x
00114ebc  34 31 78 34 31 78 34 31-78 34 31 78 34 31 78 34  41x41x41x41x41x4
00114ecc  31 78 34 31 78 34 31 78-34 31 78 34 31 78 34 31  1x41x41x41x41x41
00114edc  78 34 31 78 34 31 78 34-31 78 34 31 78 34 31 78  x41x41x41x41x41x
00114eec  34 31 78 34 31 78 34 31-78 34 31 78 34 31 78 34  41x41x41x41x41x4

--- Debug Logs [Exception Analysis] ---
FAULTING_IP:
+34783134
34783134 ??              ???

EXCEPTION_RECORD:  ffffffff -- (.exr ffffffffffffffff)
ExceptionAddress: 34783134
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 34783134
Attempt to read from address 34783134

FAULTING_THREAD:  000015c4

PROCESS_NAME:  syncbr.exe

FAULTING_MODULE: 77030000 ntdll

DEBUG_FLR_IMAGE_TIMESTAMP:  0

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

READ_ADDRESS:  34783134

BUGCHECK_STR:  ACCESS_VIOLATION

IP_ON_HEAP:  78313478
The fault address in not in any loaded module, please check your build's rebase
log at bin\build_logs\timebuild\ntrebase.log for module which may
contain the address if it were loaded.

IP_IN_FREE_BLOCK: 8001080000004

FRAME ONE INVALID: 1800200000000a

LAST_CONTROL_TRANSFER:  from 78313478 to 34783134

FAILED_INSTRUCTION_ADDRESS:
+34783134
34783134 ??              ???
STACK_TEXT:
00114e30 78313478 34783134 31347831 78313478 0x34783134
00114e88 34783134 31347831 78313478 34783134 0x78313478
00114e8c 31347831 78313478 34783134 31347831 0x34783134
00114e90 78313478 34783134 31347831 78313478 0x31347831
00114e94 34783134 31347831 78313478 34783134 0x78313478
00114e98 31347831 78313478 34783134 31347831 0x34783134
00114e9c 78313478 34783134 31347831 78313478 0x31347831
00114ea0 34783134 31347831 78313478 34783134 0x78313478
00114ea4 31347831 78313478 34783134 31347831 0x34783134
00114ea8 78313478 34783134 31347831 78313478 0x31347831
00114eac 34783134 31347831 78313478 34783134 0x78313478
00114eb0 31347831 78313478 34783134 31347831 0x34783134
00114eb4 78313478 34783134 31347831 78313478 0x31347831
00114eb8 34783134 31347831 78313478 34783134 0x78313478
00114ebc 31347831 78313478 34783134 31347831 0x34783134
00114ec0 78313478 34783134 31347831 78313478 0x31347831
00114ec4 34783134 31347831 78313478 34783134 0x78313478
00114ec8 31347831 78313478 34783134 31347831 0x34783134
00114ecc 78313478 34783134 31347831 78313478 0x31347831
00114ed0 34783134 31347831 78313478 34783134 0x78313478
00114ed4 31347831 78313478 34783134 31347831 0x34783134
00114ed8 78313478 34783134 31347831 78313478 0x31347831
00114edc 34783134 31347831 78313478 34783134 0x78313478
00114ee0 31347831 78313478 34783134 31347831 0x34783134
00114ee4 78313478 34783134 31347831 78313478 0x31347831
00114ee8 34783134 31347831 78313478 34783134 0x78313478
00114eec 31347831 78313478 34783134 31347831 0x34783134
00114ef0 78313478 34783134 31347831 78313478 0x31347831
00114ef4 34783134 31347831 78313478 34783134 0x78313478
00114ef8 31347831 78313478 34783134 31347831 0x34783134
00114efc 78313478 34783134 31347831 78313478 0x31347831
00114f00 34783134 31347831 78313478 34783134 0x78313478
00114f04 31347831 78313478 34783134 31347831 0x34783134
00114f08 78313478 34783134 31347831 78313478 0x31347831
00114f0c 34783134 31347831 78313478 34783134 0x78313478
00114f10 31347831 78313478 34783134 31347831 0x34783134
00114f14 78313478 34783134 31347831 78313478 0x31347831
00114f18 34783134 31347831 78313478 34783134 0x78313478
00114f1c 31347831 78313478 34783134 31347831 0x34783134
00114f20 78313478 34783134 31347831 78313478 0x31347831
00114f24 34783134 31347831 78313478 34783134 0x78313478
00114f28 31347831 78313478 34783134 31347831 0x34783134
00114f2c 78313478 34783134 31347831 78313478 0x31347831
00114f30 34783134 31347831 78313478 34783134 0x78313478
00114f34 31347831 78313478 34783134 31347831 0x34783134
00114f38 78313478 34783134 31347831 78313478 0x31347831
00114f3c 34783134 31347831 78313478 34783134 0x78313478
00114f40 31347831 78313478 34783134 31347831 0x34783134
00114f44 78313478 34783134 31347831 78313478 0x31347831
00114f48 34783134 31347831 78313478 34783134 0x78313478
00114f4c 31347831 78313478 34783134 31347831 0x34783134
00114f50 78313478 34783134 31347831 78313478 0x31347831
00114f54 34783134 31347831 78313478 34783134 0x78313478
00114f58 31347831 78313478 34783134 31347831 0x34783134
00114f5c 78313478 34783134 31347831 78313478 0x31347831
00114f60 34783134 31347831 78313478 34783134 0x78313478
00114f64 31347831 78313478 34783134 31347831 0x34783134
00114f68 78313478 34783134 31347831 78313478 0x31347831
00114f6c 34783134 31347831 78313478 34783134 0x78313478
00114f70 31347831 78313478 34783134 31347831 0x34783134
00114f74 78313478 34783134 31347831 78313478 0x31347831
00114f78 34783134 31347831 78313478 34783134 0x78313478
00114f7c 31347831 78313478 34783134 31347831 0x34783134
00114f80 78313478 34783134 31347831 78313478 0x31347831
00114f84 34783134 31347831 78313478 34783134 0x78313478
00114f88 31347831 78313478 34783134 31347831 0x34783134
00114f8c 78313478 34783134 31347831 78313478 0x31347831
00114f90 34783134 31347831 78313478 34783134 0x78313478
00114f94 31347831 78313478 34783134 31347831 0x34783134
00114f98 78313478 34783134 31347831 78313478 0x31347831
00114f9c 34783134 31347831 78313478 34783134 0x78313478
00114fa0 31347831 78313478 34783134 31347831 0x34783134
00114fa4 78313478 34783134 31347831 78313478 0x31347831
00114fa8 34783134 31347831 78313478 34783134 0x78313478
00114fac 31347831 78313478 34783134 31347831 0x34783134

DEFAULT_BUCKET_ID:  WRONG_SYMBOLS

PRIMARY_PROBLEM_CLASS:  STACK_CORRUPTION

SYMBOL_NAME:  ANALYSIS_INCONCLUSIVE

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: Unknown_Module

IMAGE_NAME:  Unknown_Image

STACK_COMMAND:  ~0s ; k

BUCKET_ID:  WRONG_SYMBOLS

Note: The access violation with the exception and followup offsets shows that the ecx & eip registers were overwritten.

1.2
The second vulnerability is located in the "Synchronize Directories & Rules & Advanced File Search Criteria" module. The module allows a local user to submit an arbitrarily large unicode payload in:
[+] Search JPEG Images with Exif Tag
[+] Search Files With the file Extension
[+] Search Files With the Directory Name

--- Exception Log ---
(24c8.17dc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=00000000 edx=00114ce0 esi=31347831 edi=02075bd8
eip=100c8396 esp=00114cd0 ebp=00114e1c iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010212
*** WARNING: Unable to verify checksum for C:\Program Files\Sync Breeze\bin\libspg.dll
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Sync Breeze\bin\libspg.dll -
libspg!SCA_SearchRuleDialog::qt_metacall+0xac86:
100c8396 89465c          mov     dword ptr [esi+5Ch],eax ds:0023:3134788d=????????
00114e0c  31 78 34 31 78 34 31 78-ff ff ff ff 31 78 34 31  1x41x41x....1x41
00114e1c  78 34 31 78 34 31 78 34-31 78 34 31 78 34 31 78  x41x41x41x41x41x
00114e2c  34 31 78 34 31 78 34 31-78 34 31 78 34 31 78 34  41x41x41x41x41x4
00114e3c  31 78 34 31 78 34 31 78-34 31 78 34 31 78 34 31  1x41x41x41x41x41
00114e4c  78 34 31 78 34 31 78 34-31 78 34 31 78 34 31 78  x41x41x41x41x41x
00114e5c  34 31 78 34 31 78 34 31-78 34 31 78 34 31 78 34  41x41x41x41x41x4
00114e6c  31 78 34 31 78 34 31 78-34 31 78 34 31 78 34 31  1x41x41x41x41x41
00114e7c  78 34 31 78 34 31 78 34-31 78 34 31 78 34 31 78  x41x41x41x41x41x

Note: The access violation with the exception and followup offsets shows that the ecx & eip registers were overwritten.

1.3
The third vulnerability is located in the `Add` function of the `Synchronize Directories & Exclude` module.

--- Exception Log ---
(1e70.1448): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=01ed61b0 ebx=00000000 ecx=34783134 edx=01ed61b0 esi=00000001 edi=01eb0780
eip=34783134 esp=00114ee4 ebp=00115384 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010212
34783134 ??

--- [Crash handler - syncbr.exe] ---
Problem Event Name: APPCRASH
Application Name: syncbr.exe
Application Version: 0.0.0.0
Application Timestamp: 58ca8a9a
Fault Module Name: StackHash_e98d
Fault Module Version: 0.0.0.0
Fault Module Timestamp: 00000000
Exception Code: c0000005
Exception Offset: 34783134
OS Version: 6.1.7600.2.0.0.256.1
Locale ID: 1033
Additional Information 1: e98d
Additional Information 2: e98dfca8bcf81bc1740adb135579ad53
Additional Information 3: 6eab
Additional Information 4: 6eabdd9e0dc94904be3b39a1c0583635

Note: The access violation with the exception and followup offsets shows that the ecx & eip registers were overwritten.
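The three register dumps share one signature: the faulting instruction pointer, or the register used in the faulting access, holds bytes of the overlong input itself. The following C example is added here and is not part of the advisory or of Sync Breeze; it shows the two things a defender takes from this report. The first is the mitigation class for all three findings, a length-checked copy that rejects a field larger than its destination buffer (FIELD_MAX is an assumed limit; the real buffer size is not given above). The second is a triage helper that parses a WinDbg register line and reports which 32-bit registers consist entirely of bytes of the "x41" pattern visible in the hex dumps. The three register lines embedded in the block are copied from the logs above.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* ---- 1. Mitigation: length-checked copy of a GUI field ----
 * FIELD_MAX is an assumed limit (the advisory does not state the real buffer
 * size); a MAX_PATH-sized value is realistic for a directory field. */
#define FIELD_MAX 260

/* Copies src into dst only when it fits, terminator included. Returns 1 on
 * success and 0 (dst left empty) when the field would overflow. The unchecked
 * form, copying up to the source's NUL into a fixed stack buffer, is what lets
 * the overlong inputs in the logs above reach the saved return address. */
int copy_field_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t n = 0;
    if (dst_size == 0) return 0;
    while (n < dst_size && src[n] != '\0') n++;   /* never reads past dst_size */
    if (n >= dst_size) { dst[0] = '\0'; return 0; }
    memcpy(dst, src, n + 1);
    return 1;
}

/* Builds a constructed field of `len` 'A' characters and reports whether the
 * bounded copy accepts it (1) or rejects it (0). */
int accepts_field_of_length(size_t len)
{
    char dst[FIELD_MAX];
    char *src = malloc(len + 1);
    int ok;
    if (src == NULL) return -1;
    memset(src, 'A', len);
    src[len] = '\0';
    ok = copy_field_bounded(dst, sizeof dst, src);
    free(src);
    return ok;
}

/* ---- 2. Triage: which registers hold bytes of the input pattern? ----
 * A 32-bit register shows its source bytes in little-endian order: eip=34783134
 * is the bytes 34 31 78 34, i.e. the text "41x4" from the hex dump, so the
 * value was loaded straight from the overlong field. */
void reg_to_bytes(uint32_t v, char out[5])
{
    int i;
    for (i = 0; i < 4; i++)
        out[i] = (char)((v >> (8 * i)) & 0xff);
    out[4] = '\0';
}

/* 1 if all four bytes of v are characters of `charset` ("x41" here). */
int reg_from_pattern(uint32_t v, const char *charset)
{
    char b[5];
    int i;
    reg_to_bytes(v, b);
    for (i = 0; i < 4; i++)
        if (b[i] == '\0' || strchr(charset, b[i]) == NULL) return 0;
    return 1;
}

/* Scans a WinDbg "eax=... eip=..." line, appends the names of the pattern-derived
 * 32-bit registers to `hits` (space separated; may be NULL) and returns the count. */
int find_pattern_registers(const char *regline, const char *charset,
                           char *hits, size_t hits_size)
{
    char buf[512], *tok;
    int count = 0;
    snprintf(buf, sizeof buf, "%s", regline);
    if (hits != NULL && hits_size > 0) hits[0] = '\0';
    for (tok = strtok(buf, " "); tok != NULL; tok = strtok(NULL, " ")) {
        char *eq = strchr(tok, '=');
        if (eq == NULL || eq == tok || strlen(eq + 1) != 8) continue; /* 32-bit hex only */
        *eq = '\0';
        if (!reg_from_pattern((uint32_t)strtoul(eq + 1, NULL, 16), charset)) continue;
        if (hits != NULL && hits_size > 0) {
            size_t used = strlen(hits);
            snprintf(hits + used, hits_size - used, "%s%s", used ? " " : "", tok);
        }
        count++;
    }
    return count;
}

/* Register lines copied from the advisory's three exception logs. */
const char *LOG_1_1 = "eax=00000001 ebx=00000000 ecx=00000000 edx=00113e1c esi=01eb9838 edi=02078b48 eip=34783134 esp=00114e34 ebp=00114e88 iopl=0 nv up ei pl nz ac po nc";
const char *LOG_1_2 = "eax=00000000 ebx=00000000 ecx=00000000 edx=00114ce0 esi=31347831 edi=02075bd8 eip=100c8396 esp=00114cd0 ebp=00114e1c iopl=0 nv up ei pl nz ac po nc";
const char *LOG_1_3 = "eax=01ed61b0 ebx=00000000 ecx=34783134 edx=01ed61b0 esi=00000001 edi=01eb0780 eip=34783134 esp=00114ee4 ebp=00115384 iopl=0 nv up ei pl nz ac po nc";

int main(void)
{
    const char *logs[3] = { LOG_1_1, LOG_1_2, LOG_1_3 };
    char hits[64];
    int i, n;
    for (i = 0; i < 3; i++) {
        n = find_pattern_registers(logs[i], "x41", hits, sizeof hits);
        printf("finding 1.%d: %d register(s) built from input bytes: %s\n", i + 1, n, hits);
    }
    printf("259-char field accepted: %d, 4000-char field accepted: %d\n",
           accepts_field_of_length(259), accepts_field_of_length(4000));
    return 0;
}
```

Run as is, it reports eip for finding 1.1, esi for finding 1.2 (the base register of the faulting `mov dword ptr [esi+5Ch],eax`) and ecx plus eip for finding 1.3, and shows a 4000-character field being rejected while a 259-character one is accepted. The register check is the quickest way to tell, from a dump alone, an input-controlled crash from an unrelated fault; a product fix built on the bounded copy has to validate every field length at the dialog boundary, not only in the three modules named here.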
Risk:
=====
The security risk of the multiple local buffer overflow vulnerabilities in the official Sync Breeze v9.5.16 software is estimated as medium. (CVSS 5.2)

Credits:
========
Vulnerability Laboratory [Core Research Team] - SaifAllah benMassaoud (http://www.vulnerability-lab.com/show.php?user=SaifAllahbenMassaoud)

Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability Labs or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for incidental or consequential damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data. We have no need for criminal activities or membership requests. We do not publish advisories or vulnerabilities of religious-, militant- and racist- hacker/analyst/researcher groups or individuals. We do not publish trade researcher mails, phone numbers, conversations or anything else to journalists, investigative authorities or private individuals.
Domains:    www.vulnerability-lab.com - www.vulnerability-db.com - www.evolution-sec.com
Programs:   vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
Feeds:      vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Social:     twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab

Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get an ask permission.

Copyright © 2017 | Vulnerability Laboratory - [Evolution Security GmbH]™