CVE-2018-6892 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Cloudme Sync 1.10.9

CVSS 7.5 - HIGH

  • Attack vector: NETWORK
  • Attack complexity: LOW
  • Privileges required: NONE
  • Confidentiality impact: PARTIAL
  • Integrity impact: PARTIAL
  • Availability impact: PARTIAL

Tags: network, low complexity, cloudme, CWE-119, exploit available, metasploit

Summary

An issue was discovered in CloudMe before 1.11.0. An unauthenticated remote attacker that can connect to the "CloudMe Sync" client application listening on port 8888 can send a malicious payload causing a buffer overflow condition. This will result in an attacker controlling the program's execution flow and allowing arbitrary code execution.

Vulnerable Configurations

Part         Description   Count
Application  Cloudme       1

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Exploit-Db

  • file: exploits/windows_x86-64/remote/46250.py
    id: EDB-ID:46250
    last seen: 2019-01-28
    modified: 2019-01-28
    platform: windows_x86-64
    port:
    published: 2019-01-28
    reporter: Exploit-DB
    source: https://www.exploit-db.com/download/46250
    title: CloudMe Sync 1.11.2 Buffer Overflow - WoW64 - (DEP Bypass)
    type: remote
  • description: CloudMe Sync < 1.11.0 - Buffer Overflow. CVE-2018-6892. Remote exploit for Windows platform
    file: exploits/windows/remote/44027.py
    id: EDB-ID:44027
    last seen: 2018-02-13
    modified: 2018-02-13
    platform: windows
    port:
    published: 2018-02-13
    reporter: Exploit-DB
    source: https://www.exploit-db.com/download/44027/
    title: CloudMe Sync < 1.11.0 - Buffer Overflow
    type: remote
  • description: Cloudme 1.9 - Buffer Overflow (DEP) (Metasploit). CVE-2018-6892. Remote exploit for Windows_x86-64 platform
    file: exploits/windows_x86-64/remote/45197.rb
    id: EDB-ID:45197
    last seen: 2018-08-14
    modified: 2018-08-14
    platform: windows_x86-64
    port:
    published: 2018-08-14
    reporter: Exploit-DB
    source: https://www.exploit-db.com/download/45197/
    title: Cloudme 1.9 - Buffer Overflow (DEP) (Metasploit)
    type: remote
  • description: CloudMe Sync 1.10.9 - Stack-Based Buffer Overflow (Metasploit). CVE-2018-6892. Remote exploit for Windows platform. Tags: Metasploit Framework (MSF), Remote
    file: exploits/windows/remote/44175.rb
    id: EDB-ID:44175
    last seen: 2018-02-26
    modified: 2018-02-26
    platform: windows
    port: 8888
    published: 2018-02-26
    reporter: Exploit-DB
    source: https://www.exploit-db.com/download/44175/
    title: CloudMe Sync 1.10.9 - Stack-Based Buffer Overflow (Metasploit)
    type: remote

Metasploit

description: This module exploits a stack-based buffer overflow vulnerability in the CloudMe Sync v1.10.9 client application. This module has been tested successfully on Windows 7 SP1 x86.
id: MSF:EXPLOIT/WINDOWS/MISC/CLOUDME_SYNC
last seen: 2020-06-13
modified: 2018-02-20
published: 2018-02-20
references: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6892
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/misc/cloudme_sync.rb
title: CloudMe Sync v1.10.9

Seebug

bulletinFamily: exploit
description:

The following advisory describes one (1) vulnerability found in CloudMe. CloudMe is "a file storage service operated by CloudMe AB that offers cloud storage, file synchronization and client software. It features a blue folder that appears on all devices with the same content, all files are synchronized between devices." The vulnerability found is a buffer overflow vulnerability, which when exploited can be used to cause the product to execute arbitrary code.

### Credit

A security researcher, hyp3rlinx, has reported this vulnerability to Beyond Security's SecuriTeam Secure Disclosure program.

### Vendor response

The vendor has released CloudMe version 1.11.0 which addresses this vulnerability.

CVE: CVE-2018-6892

### Affected version

CloudMe Sync version v1.10.9 and prior

### Vulnerability Details

An unauthenticated remote attacker that can connect to the "CloudMe Sync" client application listening on port 8888 can send a malicious payload causing a buffer overflow condition. This will result in an attacker controlling the program's execution flow and allowing arbitrary code execution on the victim's PC.

The CloudMe Sync client creates a socket listening on TCP port 8888 (0x22B8). In Qt5Core:

```
00564DF1 . C74424 04 B822>MOV DWORD PTR SS:[ESP+4],22B8
00564DF9 . 890424         MOV DWORD PTR SS:[ESP],EAX
00564DFC . FF15 B8738100  CALL DWORD PTR DS:[<&Qt5Network._ZN10QTc>; Qt5Netwo._ZN10QTcpServer6listenERK12QHostAddresst
```

### Buffer overflow condition

The EIP register will be overwritten at about 1075 bytes.

```
EAX 00000001
ECX 76F698DA msvcrt.76F698DA
EDX 00350000
EBX 41414141
ESP 0028D470
EBP 41414141
ESI 41414141
EDI 41414141
EIP 41414141
```

### Stack dump information

```
(508.524): Access violation - code c0000005 (first/second chance not available)
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll -
eax=00000000 ebx=00000000 ecx=41414141 edx=778f353d esi=00000000 edi=00000000
eip=41414141 esp=00091474 ebp=00091494 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
41414141 ?? ???
```

Exploitation is very easy as ASLR and SafeSEH are all set to false, making the exploit portable and able to work across different operating systems. We will therefore use a Structured Exception Handler overwrite for our exploit. e.g.

```
6FE6909D 0x6fe6909d : pop ebx # pop esi # ret 0x20 | {PAGE_EXECUTE_READ} [libstdc++-6.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\victimo\AppData\Local\Programs\CloudMe\CloudMe\libstdc++-6.dll)
00476795 0x00476795 : pop ebx # pop esi # ret 0x20 | startnull {PAGE_EXECUTE_READ} [CloudMe.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\victimo\AppData\Local\Programs\CloudMe\CloudMe\CloudMe.exe)
61E7B7F6 0x61e7b7f6 : pop ebx # pop esi # ret 0x20 | {PAGE_EXECUTE_READ} [Qt5Gui.dll] ASLR: Fa
```

id: SSV:97133
last seen: 2018-02-23
modified: 2018-02-23
published: 2018-02-23
reporter: Root
source: https://www.seebug.org/vuldb/ssvid-97133
title: CloudMe Unauthenticated Remote Buffer Overflow (CVE-2018-6892)