Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:12085
HistoryApr 05, 2006 - 12:00 a.m.

SMART Technologies SynchronEyes Remote Denial of Services

2006-04-0500:00:00
vulners.com
9
JSON
        Title: SMART Technologies SynchronEyes Remote Denial of Services
 Release Date: 04. April 2006
       Author: Dennis Elser (dennis backtrace de)

       Vendor: SMART Technologies Inc. (http://www.smarttech.com)
Vendor Status: Notified, fixes scheduled for May
      Product: SynchronEyes Student and Teacher

Affected Version: 6.0 (and probably versions below)

     Platform: Microsoft Windows
 Architecture: IA32

Vulnerability: Multiple denial of services
    Discovery: 05. February 2006

       Impact: 1.) a remote attacker can disable connections
                   between SynchronEyes client and server.
               2.) a remote attacker can cause high
                   memory consumption and cause system
                   instability.

Background:

SynchronEyes is a classroom management software which enables you
to monitor student screens and control any student computer.
Moreover, SynchronEyes can block applications and websites,
transfer files or lock all student computers, show any screen to
the whole class, create chat groups or take a vote.

Bug Description:

1.) Thread termination DoS

The bug causes the SynchronEyes software not to process network
traffic anymore. This prevents the teacher part of the software
from connecting to the student part and vice versa.

2.) High memory consumption DoS

A remote attacker can cause high memory consumption on computers
running the SynchronEyes software. This can lead the SynchronEyes
software and the operating system not to work as expected anymore.

Technical Description:

1.) Thread termination DoS

Due to a logical programming mistake, a thread processing datagrams from
udp port 5496 can be terminated. SynchronEyes will then stop processing
packets sent to this port and can't communicate with other SynchronEyes
clients anymore. This can be caused by sending an oversized packet.
The size of the packet varies and depends on the version of SynchronEyes
in use.

2.) High memory consumption DoS

By sending a specific packet to udp port 5496, the SynchronEyes
software can be caused to repeatedly try to connect back to tcp port 5461 of
the attacker. Once a connection on this port has been established (for

example
with netcat listening on tcp port 5461), the attacker can send a tcp packet
which contains the size (size_t) parameter for a malloc() call. The size
parameter is not being sanitized by the SynchronEyes software. This can
cause
very high memory consumption and lead to system instability.

Excerpt of the buggy code:
--------------------------

mov     edx, [ebp+controlled_buffer]    ; this is the buffer under control
push    edx             ; netlong
call    ds:ntohl                        ; little-endian conversion
mov     [ebp+controlled_buffer], eax    ; store result
[..snip..]
cmp     [ebp+controlled_buffer], 0      ; > 0 ?
ja      short loc_48886E
[..snip..]

loc_48886E:
mov [ebp+malloced_buf], 0
mov [ebp+var_4], 0
mov ecx, [ebp+controlled_buffer] ; the size which is under control
push ecx ; is being passed to a malloc
wrapper
call mallocwrapper ; without being sanitized

got control?

Dennis Elser, 01.April.2006
http://dennis.backtrace.de

JSON