Genymobile Scrcpy Global Buffer Overflow Vulnerability in Message Processing

Vulnerability

Genymobile Scrcpy versions through 3.3.3, prior to commit 3e40b24, contain a global buffer overflow. The flaw is in the function sc_read32be(), which is called by sc_device_msg_deserialize() and process_msgs(). When Scrcpy processes a crafted device message, sc_read32be() reads beyond the bounds of a global buffer, leading to memory corruption or crashes. The issue can cause a denial of service and, under certain conditions, may be exploitable further, depending on the execution environment and available mitigations.
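
The following is an added example, not Scrcpy's code and not the upstream patch, showing the bounds checks a device-message parser needs before it calls a fixed-width reader such as sc_read32be(). The wire layout (1-byte type, 4-byte big-endian length, payload), the 64-byte payload cap and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MSG_HEADER_LEN 5u    /* constructed layout: type (1) + length (4, big-endian) */
#define MSG_MAX_PAYLOAD 64u  /* assumed cap for this example */

struct msg { uint8_t type; uint32_t len; uint8_t payload[MSG_MAX_PAYLOAD]; };

/* Reads 4 bytes unconditionally: the caller must guarantee they exist. */
static uint32_t read32be(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16)
         | ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Returns bytes consumed, 0 if more data is needed, -1 if the message is invalid. */
long msg_deserialize(const uint8_t *buf, size_t avail, struct msg *out) {
    if (avail < MSG_HEADER_LEN)
        return 0;                 /* header incomplete: do not touch buf[1..4] */
    uint32_t len = read32be(&buf[1]);
    if (len > MSG_MAX_PAYLOAD)
        return -1;                /* peer-supplied length exceeds our cap */
    if (len > avail - MSG_HEADER_LEN)
        return 0;                 /* payload incomplete (no underflow: avail >= 5) */
    out->type = buf[0];
    out->len = len;
    memcpy(out->payload, &buf[MSG_HEADER_LEN], len);
    return (long)(MSG_HEADER_LEN + len);
}

/* Parses every complete message in a receive buffer. Returns the number of
 * messages parsed, or -1 on an invalid one. *consumed is the number of bytes
 * the caller may discard; the remainder is a partial message to keep. */
int process_buffer(const uint8_t *buf, size_t filled, size_t *consumed) {
    int count = 0;
    size_t head = 0;
    struct msg m;
    while (head < filled) {
        long r = msg_deserialize(&buf[head], filled - head, &m);
        if (r < 0) return -1;
        if (r == 0) break;        /* wait for more bytes */
        head += (size_t)r;
        count++;
    }
    *consumed = head;
    return count;
}
```

The length passed to each parse call is the number of bytes actually filled in the receive buffer, not the buffer's capacity, so a short read never lets the fixed-width reader run past valid data.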

Impact

Exploitation of this vulnerability causes crashes, resulting in a denial-of-service condition, along with memory corruption. Additionally, because this is a global buffer overflow, adjacent global data can be corrupted, which could impact control flow and opens the potential for further exploitation.

Reproduction

The vulnerability can be reproduced by sending a crafted device message that exploits the buffer overflow in the sc_read32be function. This can be done using a modified version of the Scrcpy application that includes the payload in the DeviceMessageWriter class. The message should be sent over the HID control channel while Scrcpy is running.

Remediation

Users should upgrade to Genymobile Scrcpy version 3.3.4 or later, which includes the patch for this vulnerability.

Added: Dec 18, 2025, 10:29 PM
Updated: Dec 18, 2025, 10:29 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 6.0
remediation: 7.7
relevance: 1.6
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.