SMART Technologies SynchronEyes Remote Denial of Services
Title: SMART Technologies SynchronEyes Remote Denial of Services
Release Date: 04. April 2006
Author: Dennis Elser (dennis backtrace de)
Vendor: SMART Technologies Inc. (http://www.smarttech.com)
Vendor Status: Notified, fixes scheduled for May
Product: SynchronEyes Student and Teacher
Affected Version: 6.0 (and probably versions below)
Platform: Microsoft Windows
Architecture: IA32
Vulnerability: Multiple denial of services
Discovery: 05. February 2006
Impact: 1.) a remote attacker can disable connections
between SynchronEyes client and server.
2.) a remote attacker can cause high
memory consumption and cause system
instability.
--------------------------------------------------------------------------
Background:
-----------
SynchronEyes is a classroom management software which enables you
to monitor student screens and control any student computer.
Moreover, SynchronEyes can block applications and websites,
transfer files or lock all student computers, show any screen to
the whole class, create chat groups or take a vote.
Bug Description:
----------------
1.) Thread termination DoS
The bug causes the SynchronEyes software not to process network
traffic anymore. This prevents the teacher part of the software
from connecting to the student part and vice versa.
2.) High memory consumption DoS
A remote attacker can cause high memory consumption on computers
running the SynchronEyes software. This can lead the SynchronEyes
software and the operating system not to work as expected anymore.
Technical Description:
----------------------
1.) Thread termination DoS
Due to a logical programming mistake, a thread processing datagrams from
udp port 5496 can be terminated. SynchronEyes will then stop processing
packets sent to this port and can't communicate with other SynchronEyes
clients anymore. This can be caused by sending an oversized packet.
The size of the packet varies and depends on the version of SynchronEyes
in use.
2.) High memory consumption DoS
By sending a specific packet to udp port 5496, the SynchronEyes
software can be caused to repeatedly try to connect back to tcp port 5461 of
the attacker. Once a connection on this port has been established (for
example
with netcat listening on tcp port 5461), the attacker can send a tcp packet
which contains the size (size_t) parameter for a malloc() call. The size
parameter is not being sanitized by the SynchronEyes software. This can
cause
very high memory consumption and lead to system instability.
Excerpt of the buggy code:
--------------------------
mov edx, [ebp+controlled_buffer] ; this is the buffer under control
push edx ; netlong
call ds:ntohl ; little-endian conversion
mov [ebp+controlled_buffer], eax ; store result
[..snip..]
cmp [ebp+controlled_buffer], 0 ; > 0 ?
ja short loc_48886E
[..snip..]
loc_48886E:
mov [ebp+malloced_buf], 0
mov [ebp+var_4], 0
mov ecx, [ebp+controlled_buffer] ; the size which is under control
push ecx ; is being passed to a malloc
wrapper
call mallocwrapper ; without being sanitized
--------------------------------------------------------------------------
got control?
Dennis Elser, 01.April.2006
http://dennis.backtrace.de