Synthesia Denial of Service due to Improper Path Handling (CVE-2021-33897)

Isopach · November 1, 2022

I tried to reverse engineer my favourite piano application and discovered a weird interaction which leads to a persistent crash. As the developer is still working on the patch, I will not disclose any exploit details for now.


CVE-2021-33897


Affected Versions

All versions prior to Synthesia 10.9.

CVSS Base Score: 7.1 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

Fixed Firmware

Synthesia 10.9

Date: Unreleased.
Release notes: To be added.

Introduction

Synthesia is a popular piano application that helps users learn by showing which piano keys to press, rather than by reading traditional sheet music.

Many parts of the application take user input, and the application does not require privileged access to run. Hence, a non-privileged user (e.g. a Guest user) can also run the application and trigger this bug to crash it, which causes a denial of service at the very least. It might be possible to escalate it further, but I did not find a way.

Bug Discovery

This is redacted.

The Exploit

This is also redacted.

Afterthoughts

As I have started my own consultancy while also working at my full-time job, I find that I have less and less time to write blog posts. That said, I am still doing security research every day and working on my OSEP with the Try Harder attitude. Anyway, an advisory page is in the works, but for now please bear with the redacted sections.

Timeline

Both the Vendor and I had to do additional research which resulted in the late disclosure.

2021-06-06 06:18:13 JST - Reported to Vendor (support[at]synthesiagame.com)
2021-06-07 07:13:32 JST - CVE number assigned by MITRE
2021-06-07 17:01:06 JST - Sent Vendor additional details about other environments
2021-06-09 08:48:29 JST - Vendor replied that it cannot be reproduced
2021-06-09 08:53:22 JST - Additional reply from Vendor
2022-01-19 12:36:45 JST - Researched on various environments and sent to Vendor
2021-01-25 08:16:24 JST - Researched further and pinpointed the root cause
2022-04-22 03:27:11 JST - Acknowledgement from Vendor & Confirmation that it will be fixed
2022-11-01 03:33:33 JST - Blog post published
