<<< Date Index >>>     <<< Thread Index >>>

SMART Technologies SynchronEyes Remote Denial of Services



            Title: SMART Technologies SynchronEyes Remote Denial of Services
     Release Date: 04. April 2006
           Author: Dennis Elser (dennis backtrace de)

           Vendor: SMART Technologies Inc. (http://www.smarttech.com)
    Vendor Status: Notified, fixes scheduled for May
          Product: SynchronEyes Student and Teacher
 Affected Version: 6.0 (and probably versions below)

         Platform: Microsoft Windows
     Architecture: IA32

    Vulnerability: Multiple denial of services
        Discovery: 05. February 2006

           Impact: 1.) a remote attacker can disable connections
                       between SynchronEyes client and server.
                   2.) a remote attacker can cause high
                       memory consumption and cause system
                       instability.


--------------------------------------------------------------------------

Background:
-----------

SynchronEyes is a classroom management software which enables you
to monitor student screens and control any student computer.
Moreover, SynchronEyes can block applications and websites,
transfer files or lock all student computers, show any screen to
the whole class, create chat groups or take a vote.



Bug Description:
----------------

1.) Thread termination DoS

    The bug causes the SynchronEyes software not to process network
    traffic anymore. This prevents the teacher part of the software
    from connecting to the student part and vice versa.

2.) High memory consumption DoS

    A remote attacker can cause high memory consumption on computers
    running the SynchronEyes software. This can lead the SynchronEyes
    software and the operating system not to work as expected anymore.



Technical Description:
----------------------

1.) Thread termination DoS

    Due to a logical programming mistake, a thread processing datagrams from
    udp port 5496 can be terminated. SynchronEyes will then stop processing
    packets sent to this port and can't communicate with other SynchronEyes
    clients anymore. This can be caused by sending an oversized packet.
    The size of the packet varies and depends on the version of SynchronEyes
    in use.


2.) High memory consumption DoS

    By sending a specific packet to udp port 5496, the SynchronEyes
    software can be caused to repeatedly try to connect back to tcp port 5461 of
    the attacker. Once a connection on this port has been established (for
example
    with netcat listening on tcp port 5461), the attacker can send a tcp packet
    which contains the size (size_t) parameter for a malloc() call. The size
    parameter is not being sanitized by the SynchronEyes software. This can
cause
    very high memory consumption and lead to system instability.


    Excerpt of the buggy code:
    --------------------------

    mov     edx, [ebp+controlled_buffer]    ; this is the buffer under control
    push    edx             ; netlong
    call    ds:ntohl                        ; little-endian conversion
    mov     [ebp+controlled_buffer], eax    ; store result
    [..snip..]
    cmp     [ebp+controlled_buffer], 0      ; > 0 ?
    ja      short loc_48886E
    [..snip..]

loc_48886E:
    mov     [ebp+malloced_buf], 0
    mov     [ebp+var_4], 0
    mov     ecx, [ebp+controlled_buffer]    ; the size which is under control
    push    ecx                             ; is being passed to a malloc
wrapper
    call    mallocwrapper                   ; without being sanitized



--------------------------------------------------------------------------

got control?

Dennis Elser, 01.April.2006
http://dennis.backtrace.de