SecurityTracker.com
Category:   Application (Generic)  >   SynchronEyes
Vendors:   SMART Technologies
SynchronEyes Packet Processing Bugs Let Remote Users Deny Service
SecurityTracker Alert ID:  1015869
SecurityTracker URL:  http://securitytracker.com/id/1015869
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Apr 5 2006
Impact:   Denial of service via network
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 6.0
Description:   A vulnerability was reported in SynchronEyes. A remote user can cause denial of service conditions.

A remote user can send a specially crafted packet to the target system to cause SynchronEyes to stop processing network connections.

A remote user can send a specially crafted packet to UDP port 5496 on the target system to cause SynchronEyes to repeatedly attempt to connect back to TCP port 5461 of the remote user's system. A remote user can accept this connection and then send a specially crafted TCP packet over the connection to cause excessive memory consumption on the target system.

Dennis Elser discovered these vulnerabilities.

Impact:   A remote user can disable connections between SynchronEyes clients and servers.

A remote user can cause excessive memory consumption on the target system.

Solution:   No solution was available at the time of this entry. The vendor plans to issue a fix in May 2006.
Vendor URL:  www2.smarttech.com/st/en-US/Products/SynchronEyes+Classroom+Management+Software/Default.htm
Cause:   Exception handling error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  SMART Technologies SynchronEyes Remote Denial of Services


            Title: SMART Technologies SynchronEyes Remote Denial of Services
     Release Date: 04. April 2006
           Author: Dennis Elser (dennis backtrace de)

           Vendor: SMART Technologies Inc. (http://www.smarttech.com)
    Vendor Status: Notified, fixes scheduled for May
          Product: SynchronEyes Student and Teacher
 Affected Version: 6.0 (and probably versions below)

         Platform: Microsoft Windows
     Architecture: IA32

    Vulnerability: Multiple denial of services
        Discovery: 05. February 2006

           Impact: 1.) a remote attacker can disable connections
                       between SynchronEyes client and server.
                   2.) a remote attacker can cause high
                       memory consumption and cause system
                       instability.


--------------------------------------------------------------------------

Background:
-----------

SynchronEyes is a classroom management software which enables you
to monitor student screens and control any student computer.
Moreover, SynchronEyes can block applications and websites,
transfer files or lock all student computers, show any screen to
the whole class, create chat groups or take a vote.



Bug Description:
----------------

1.) Thread termination DoS

    The bug causes the SynchronEyes software not to process network
    traffic anymore. This prevents the teacher part of the software
    from connecting to the student part and vice versa.

2.) High memory consumption DoS

    A remote attacker can cause high memory consumption on computers
    running the SynchronEyes software. This can lead the SynchronEyes
    software and the operating system not to work as expected anymore.



Technical Description:
----------------------

1.) Thread termination DoS

    Due to a logical programming mistake, a thread processing datagrams from
    udp port 5496 can be terminated. SynchronEyes will then stop processing
    packets sent to this port and can't communicate with other SynchronEyes
    clients anymore. This can be caused by sending an oversized packet.
    The size of the packet varies and depends on the version of SynchronEyes
    in use.


2.) High memory consumption DoS

    By sending a specific packet to udp port 5496, the SynchronEyes
    software can be caused to repeatedly try to connect back to tcp port 5461 of
    the attacker. Once a connection on this port has been established (for example
    with netcat listening on tcp port 5461), the attacker can send a tcp packet
    which contains the size (size_t) parameter for a malloc() call. The size
    parameter is not being sanitized by the SynchronEyes software. This can cause
    very high memory consumption and lead to system instability.


    Excerpt of the buggy code:
    --------------------------

    mov     edx, [ebp+controlled_buffer]    ; this is the buffer under control
    push    edx             ; netlong
    call    ds:ntohl                        ; little-endian conversion
    mov     [ebp+controlled_buffer], eax    ; store result
    [..snip..]
    cmp     [ebp+controlled_buffer], 0      ; > 0 ?
    ja      short loc_48886E
    [..snip..]

loc_48886E:
    mov     [ebp+malloced_buf], 0
    mov     [ebp+var_4], 0
    mov     ecx, [ebp+controlled_buffer]    ; the size which is under control
    push    ecx                             ; is being passed to a malloc wrapper
    call    mallocwrapper                   ; without being sanitized



--------------------------------------------------------------------------

got control?

Dennis Elser, 01.April.2006
http://dennis.backtrace.de
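
Added example, not part of the advisory or of the vendor's code: the bounds check that the excerpt lacks, written in C next to the "> 0 only" pattern the disassembly shows. MAX_MSG_LEN, the sample headers and all function names are assumptions made for illustration; the advisory does not state the protocol's real message limit.

```c
#include <stdint.h>
#include <stdlib.h>

/* Assumed ceiling for one message; the protocol's real limit is not on the page. */
#define MAX_MSG_LEN (64u * 1024u)

/* Constructed sample length fields in network byte order (not captured traffic). */
static const unsigned char SAMPLE_HUGE[4] = { 0xFF, 0xFF, 0xFF, 0xF0 };
static const unsigned char SAMPLE_OK[4]   = { 0x00, 0x00, 0x02, 0x00 };

/* Decode a 32-bit network-order field, the job ntohl does in the excerpt. */
static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Pattern in the excerpt: the only test is "> 0", so the peer picks the size.
 * Returns the byte count that would reach the allocator (nothing is allocated). */
size_t size_as_in_excerpt(const unsigned char *hdr)
{
    uint32_t n = be32(hdr);
    return n > 0 ? (size_t)n : 0;
}

/* Hardened form: refuse zero and anything above the ceiling before allocating.
 * Returns 0 and sets *buf and *len on success, -1 if the length is refused. */
int alloc_for_message(const unsigned char *hdr, void **buf, size_t *len)
{
    uint32_t n = be32(hdr);
    *buf = NULL;
    *len = 0;
    if (n == 0 || n > MAX_MSG_LEN)
        return -1;                  /* caller should drop the connection */
    if ((*buf = malloc(n)) == NULL)
        return -1;                  /* allocation failure is handled, not ignored */
    *len = n;
    return 0;
}

/* Helper for callers: 1 if the header is refused, 0 if a buffer was granted. */
int length_refused(const unsigned char *hdr)
{
    void *buf; size_t len;
    int rc = alloc_for_message(hdr, &buf, &len);
    free(buf);
    return rc != 0;
}

int main(void) { return (length_refused(SAMPLE_HUGE) && !length_refused(SAMPLE_OK)) ? 0 : 1; }
```

With the constructed headers, the unchecked path would request 0xFFFFFFF0 bytes for SAMPLE_HUGE, while the checked path refuses it and grants only the 512-byte request.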



 
 

