SSD Advisory – HTC Sync Remote Code Execution

Credit to Author: SSD / Research Team| Date: Mon, 27 Feb 2017 10:19:14 +0000

Vulnerabilities Summary
The following advisory describes a remote code execution (RCE) found in HTC Sync version v3.3.63.

Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Vendor response
The vulnerability was not reported to the vendor because the product has reached end of life on 31 August 2016 and was replaced by HTC Sync Manager which is not vulnerable to this vulnerability.

Vulnerability Details

HTC sync contains a remotely exploitable vulnerability within the latest HTC Sync (v3.3.63) software. During startup or if explicitly triggered by the user, HTC Sync checks for latest versions by sending an HTTP request to htc.com and then parses its reply (XML format).

In particular, the application first requests:

Which contains a link to the download URI which is available in:

By modifying e.g. the “version” field in the XML document an attacker can inject arbitrary code that gets executed on the victims machine.

Proof of Concept

An attacker that can place himself man-in-the-middle, either through ARP spoofing or DNS poisoning can intercept traffic and provide an overly long XML parameter which leads to remote code execution on the victims machine.

We used Kali Linux to set up man in the middle attack:

  1. Enable arp spoofing
  2. Enable IP forwarding
  3. Add ip tables rule for mitm proxy:
  4. Start mitmproxy
  5. Intercept and modify traffic by hand

The “version” string for popping up calc.exe is:

Print Friendly, PDF & Email

https://blogs.securiteam.com/index.php/feed

Leave a Reply