CVE-2017-7310
published 2017-03-29

CVE-2017-7310: A buffer overflow vulnerability in Import Command in SyncBreeze before 10.6, DiskSorter before 10.6, DiskBoss before 8.9, DiskPulse before 10.6, DiskSavvy…

Priority: P2 (62, high) · CVSS 3.0 base score: 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) · Exploit: public exploit available · EPSS: 53.65% (98.9th percentile)
A buffer overflow vulnerability in Import Command in SyncBreeze before 10.6, DiskSorter before 10.6, DiskBoss before 8.9, DiskPulse before 10.6, DiskSavvy before 10.6, DupScout before 10.6, and VX Search before 10.6 allows attackers to execute arbitrary code via a crafted XML file containing a long name attribute of a classify element.

Affected (3 ranges)

  Vendor     Product      Version range   Fixed in
  flexense   diskboss     < 8.9           8.9
  flexense   disksorter   < 10.6          10.6
  flexense   syncbreeze   < 10.6          10.6

The record's own range and fixed-in columns are empty; the values above are taken from the "before 8.9" / "before 10.6" wording of the description. Note that only three of the seven products named in the description (SyncBreeze, DiskSorter, DiskBoss, DiskPulse, DiskSavvy, DupScout, VX Search) are listed here as affected ranges.

Detection & IOCs (extracted from sources)

  filename  Exploit.xml
  url       http://www.syncbreeze.com/setups/syncbreezeent_setup_v9.5.16.exe
  url       http://www.diskpulse.com/setups/diskpulseent_setup_v10.4.18.exe
  other     0x10015FFE (JMP ESP gadget address in QtGui4.dll; \xFE\x5F\x01\x10 when written as an x86 little-endian return address)
  bytes     \x7A\xB7\x1B\x65
  bytes     \x8D\x44\x24\x4C
  • The exploit delivers a specially crafted XML file through the Import Command feature; an overlong 'name' attribute on a 'classify' element overruns a fixed-size buffer and overwrites the saved return address.
  • The exploit returns into a JMP ESP gadget in QtGui4.dll at 0x10015FFE; look for that address (\xFE\x5F\x01\x10 in little-endian) in imported XML files and for crashes or return-into-QtGui4.dll frames in the affected products.
  • The payload avoids the bad characters \x00\x01\x02\x0a\x0b\x0c\x22\x27 and uses a stack adjustment of -3500 before the shellcode; shellcode-like byte runs inside XML imports for these products should be flagged.
  • The payload was generated with EXITFUNC=seh, the Metasploit exit technique that ends the payload by raising an exception into the SEH chain instead of calling ExitProcess or ExitThread. That option by itself is not evidence of an SEH-overwrite exploit; the JMP ESP gadget above points to a direct return-address overwrite. Unexpected exception dispatch or SEH chain corruption in SyncBreeze, DiskPulse, DupScout and related processes during XML import is still worth monitoring.
  • The junk buffer preceding the return address is 1536 bytes of 'A' for SyncBreeze Enterprise 9.5.16 and 1560 bytes for DiskPulse Enterprise 10.4.18; anomalously large 'name' attribute values on 'classify' elements in XML files imported by these products indicate exploitation attempts.
  • The JMP ESP gadget address (0x10015FFE in QtGui4.dll) is specific to SyncBreeze Enterprise 9.5.16 on Windows 7 SP1 x86; the offset and return address differ across other affected product versions and OS configurations (the different DiskPulse offset above is one example).
  • The exploit was tested on Windows 7 SP1 x86 only; behavior on other Windows versions or on x64 is not confirmed by the exploit author.
  • The vulnerability affects multiple products (SyncBreeze, DiskSorter, DiskBoss, DiskPulse, DiskSavvy, DupScout, VX Search), all before version 10.6 except DiskBoss, which is affected before 8.9; each product/version combination may require different offsets and gadget addresses.
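The detection points above (an oversized 'name' attribute on a 'classify' element, and the gadget address and byte patterns listed as IOCs) can be checked with a small scanner. The following is an added example, not code from the CVE record, from Flexense or from the exploit author. Assumptions: the 512-byte length threshold, the two sample documents (constructed inline, with no shellcode), and the regex fallback used when a file is not well-formed XML, which is the usual case for a crafted import because the gadget bytes and shellcode contain octets XML 1.0 forbids.

```python
"""Scanner for XML import files matching the CVE-2017-7310 trigger.

Added example, not code from the CVE record, from Flexense, or from the
exploit author. Assumptions: the 512-byte threshold, the constructed sample
documents, and the regex fallback used for non-well-formed input.
"""
import re
import xml.etree.ElementTree as ET

# The record gives 1536- and 1560-byte junk buffers for the public PoCs;
# legitimate classify names are short, so a much lower threshold still
# catches padding variants. 512 is an assumed value, not one from the record.
NAME_LEN_THRESHOLD = 512

# Byte patterns listed in the record. The JMP ESP address is written as an
# x86 return address would appear on the stack (little-endian).
IOC_BYTES = {
    "0x10015FFE (QtGui4.dll JMP ESP, little-endian)": (0x10015FFE).to_bytes(4, "little"),
    r"\x7A\xB7\x1B\x65 (listed in the record, role not stated)": b"\x7a\xb7\x1b\x65",
    r"\x8D\x44\x24\x4C (listed in the record, role not stated)": b"\x8d\x44\x24\x4c",
}

# Crafted files are usually rejected by a real XML parser (the gadget bytes
# and shellcode contain octets XML 1.0 forbids), so after a parse failure we
# match the classify element and its name attribute on the raw bytes instead.
_CLASSIFY_RE = re.compile(
    rb'<classify\b[^>]*?\bname\s*=\s*(["\'])(.*?)\1', re.DOTALL | re.IGNORECASE
)


def classify_name_lengths(data: bytes) -> list[int]:
    """Length in bytes of every classify/@name value found in the document."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        # Not well-formed: fall back to raw-byte matching.
        return [len(m.group(2)) for m in _CLASSIFY_RE.finditer(data)]
    lengths = []
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1]  # strip a namespace prefix if present
        if tag.lower() == "classify" and "name" in el.attrib:
            lengths.append(len(el.attrib["name"].encode("utf-8")))
    return lengths


def scan_import_xml(data: bytes, threshold: int = NAME_LEN_THRESHOLD) -> dict:
    """Flag oversized classify names and the IOC byte patterns from the record."""
    lengths = classify_name_lengths(data)
    findings = []
    if lengths and max(lengths) >= threshold:
        findings.append(
            f"classify name attribute of {max(lengths)} bytes (threshold {threshold})"
        )
    for label, pattern in IOC_BYTES.items():
        if pattern in data:
            findings.append(f"IOC bytes present: {label}")
    return {
        "max_name_len": max(lengths, default=0),
        "findings": findings,
        "suspicious": bool(findings),
    }


def scan_file(path: str) -> dict:
    """Scan one file on disk."""
    with open(path, "rb") as fh:
        return scan_import_xml(fh.read())


# Constructed samples: a benign import, and one laid out like the SyncBreeze
# 9.5.16 PoC described in the record (1536 bytes of junk followed by the
# gadget address). No shellcode is included.
BENIGN_XML = b'<?xml version="1.0"?><config><classify name="Documents"/></config>'
CRAFTED_XML = (
    b'<?xml version="1.0"?><config><classify name="'
    + b"A" * 1536
    + IOC_BYTES["0x10015FFE (QtGui4.dll JMP ESP, little-endian)"]
    + b'"/></config>'
)

if __name__ == "__main__":
    import sys

    if sys.argv[1:]:
        for p in sys.argv[1:]:
            print(p, scan_file(p))
    else:
        print("benign :", scan_import_xml(BENIGN_XML))
        print("crafted:", scan_import_xml(CRAFTED_XML))
```

Run it with no arguments to see the two constructed samples scored, or pass one or more XML files to scan. The crafted sample deliberately fails XML parsing (the gadget address contains \x01 and \xFE), so it exercises the raw-byte fallback; a detector that only used a strict XML parser would report nothing for exactly the files that matter.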

CVSS provenance

  NVD  v3.0  7.8  HIGH    CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  NVD  v2.0  6.8  MEDIUM  AV:N/AC:M/Au:N/C:P/I:P/A:P

The two vectors disagree on attack vector: v2 scores it as network-reachable (AV:N), v3 as local (AV:L) with user interaction required (UI:R), which matches a trigger that is a file the user imports rather than something reachable over the network.