I tried to reverse engineer my favourite piano application and discovered a weird interaction which leads to a persistent crash. As the developer is still working on the patch, I will not disclose any exploit details for now.
CVE-2021-33897
Affected Versions
All versions prior to Synthesia 10.9.
| CVSS Base Score: 7.1 | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H |
Fixed Version
Synthesia 10.9
Introduction
Synthesia is a popular piano-learning application that teaches by showing which keys to press on an on-screen keyboard instead of using traditional sheet music.
Many parts of the application take user input, and the application does not require privileged access to run. A non-privileged user, e.g. a Guest account, can therefore run it and use this bug to crash it, which is a denial of service at the very least. It might be possible to escalate it further, but I did not find a way.
Bug Discovery
I had been reverse-engineering Synthesia in IDA Pro out of curiosity about how the practice scoring worked, and along the way I noticed file-handling code reachable from the standard “open file” flow without any privilege check. That made it worth poking at — anything an unprivileged Guest User on a shared Windows box could reach is interesting to me.
After producing a handful of crafted MP3s, I found one whose contents — not the filename — sent the application into a state it could not recover from. Selecting it from the file picker terminated the process immediately. The crash was reliable on the affected versions but not persistent: with the offending file out of the way, the application launched fine. The vendor needed a while to reproduce, which is partly why the timeline below stretched the way it did — I ended up testing across multiple environments before the trigger was pinned down.
The Exploit
There isn’t much beyond what the bug discovery section already covers. Place the crafted MP3 on the machine, open it from Synthesia’s file picker, and the process dies. The application relaunches cleanly afterwards as long as the file isn’t selected again. I did not find a way to escalate beyond denial of service at the time, and I’m not going to speculate retroactively about whether contemporary fuzzing tooling would have surfaced an exploitable variant from the same primitive.
I’m writing this up five years on. The IDA database, the PoC MP3, and most of my working notes from this hunt are gone. MITRE classified the underlying weakness as improper path handling, which is consistent with the parser deriving a path from something inside the file contents and mishandling it — but the exact byte layout that triggered the crash and the precise sink offset in the binary are no longer in my notes, and I would rather flag that honestly than invent specifics.
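MITRE's classification of the weakness as improper path handling is the one concrete technical clue that survives on this page. As an added, generic illustration of that weakness class (not Synthesia's code, not a reconstruction of the PoC, and not a claim about where the bug actually sat), the following Python shows the check a file-format parser should apply before using any path it derives from untrusted file contents: canonicalise the candidate and confirm it still lies under the directory the parser expects. The base directory, the sample content-derived strings and the helper names are all assumptions made for the example.

```python
"""Confining a path derived from untrusted file contents (added example).

Generic illustration of the improper-path-handling weakness class. This is
not Synthesia's code and does not reproduce the CVE-2021-33897 trigger.
"""
import re
from pathlib import Path


class UnsafePath(ValueError):
    """Raised when a content-derived path would escape the allowed directory."""


# Windows drive-letter prefix such as "C:" (assumed pattern for the example).
_DRIVE_PREFIX = re.compile(r"^[A-Za-z]:")


def resolve_under(base: str, derived: str) -> Path:
    """Return the canonical path for `derived` only if it stays inside `base`.

    `derived` is treated as fully attacker-controlled: it may carry traversal
    components, be absolute, use backslashes, start with a drive letter, embed
    a NUL byte (which silently truncates C-string paths), or be empty.
    """
    if not derived:
        raise UnsafePath("empty path")
    if "\x00" in derived:
        raise UnsafePath("NUL byte in path")
    # Normalise separators so Windows-style traversal is caught on POSIX too.
    candidate = derived.replace("\\", "/")
    if candidate.startswith("/") or _DRIVE_PREFIX.match(candidate):
        raise UnsafePath("absolute path rejected: %r" % derived)
    base_real = Path(base).resolve()
    # resolve() collapses "..", and follows symlinks, so a link inside the base
    # that points outside it is rejected as well.
    target = (base_real / candidate).resolve()
    try:
        target.relative_to(base_real)
    except ValueError:
        raise UnsafePath("path escapes base directory: %r" % derived) from None
    return target


def is_confined(base: str, derived: str) -> bool:
    """Boolean convenience wrapper around resolve_under()."""
    try:
        resolve_under(base, derived)
        return True
    except UnsafePath:
        return False


if __name__ == "__main__":
    # Constructed inputs standing in for strings pulled out of a media file.
    base_dir = "/tmp/songs"  # assumed location for the example
    for sample in ("album/track01.mp3", "a/../b.mp3", "../../etc/passwd",
                   "/etc/passwd", "..\\..\\boot.ini", "C:/Windows/win.ini",
                   "ok.mp3\x00../../etc/passwd"):
        print(repr(sample), "->", "ok" if is_confined(base_dir, sample) else "REJECT")
```

The point of resolving both sides before comparing is that string-prefix checks on the unresolved input miss `..` sequences, mixed separators and symlinks; comparing canonical paths closes all three at once. Whatever the Synthesia parser actually did with the value it read from the file, this is the shape of check that turns a malformed path into a clean error instead of a crash.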
Afterthoughts
As I have started my own consultancy while also working at my full-time job, I find that I have less and less time to write blog posts. That said, I am still doing security research every day and working on my OSEP with the Try Harder attitude.
Edit, five years on: the Bug Discovery and Exploit sections originally shipped redacted while the patch landed. This pass restores what I still remember; details I no longer have are flagged as such rather than reconstructed. The advisory page and CVE record are the authoritative artifacts.
Timeline
Both the Vendor and I had to do additional research which resulted in the late disclosure.
2021-06-06 06:18:13 JST - Reported to Vendor (support[at]synthesiagame.com)
2021-06-07 07:13:32 JST - CVE number assigned by MITRE
2021-06-07 17:01:06 JST - Sent Vendor additional details about other environments
2021-06-09 08:48:29 JST - Vendor replied that it cannot be reproduced
2021-06-09 08:53:22 JST - Additional reply from Vendor
2022-01-19 12:36:45 JST - Researched on various environments and sent to Vendor
2022-01-25 08:16:24 JST - Researched further and pinpointed the root cause
2022-04-22 03:27:11 JST - Acknowledgement from Vendor & Confirmation that it will be fixed
2022-11-01 03:33:33 JST - Blog post published