SynCE: vdccm 0.10.1 released

The purpose of the SynCE project is to provide a means of communication with a Windows CE or Pocket PC device from a computer running Linux, *BSD or other unices.

vdccm 0.10.1 has been released. This is a point release mainly to fix a security vulnerability that was presented to us by Core Security Technologies. Many thanks for that report.

Changes since 0.10.0

* GCC 4.3 compile bug fixed.
* Fixed connection file write when password involved (Mark Ellis).
* Fixed a potential denial of service attack. (Volker Christian).

Security information

(The following comes from Core Security Technologies' report.)

The vdccm daemon (part of the SynCE package) is vulnerable to a remote command injection, which can be exploited by malicious remote attackers. The vulnerability is due to the vdccm daemon not properly sanitizing certain input before using it to invoke external scripts. This can be exploited to execute arbitrary commands with the privileges of the vdccm daemon by sending specially crafted requests.

Vulnerable packages: Synce-dccm since version 0.92
Non-vulnerable packages: Synce-dccm 0.91 and earlier.

The vdccm daemon listens on port 5679 for incoming connections from a Windows CE device. The command injection exists in the name of the connected device. The code at src/utils.cpp, function Utils::runScripts contains the following code:

string command = string(path) + " " + action + " " + deviceName;
system(command.c_str());

The contents of the string variable “deviceName” are controlled by the attacker.

Posted by Jonny Lamb 2007-12-20