Hi EteSync maintainers,
I would like to report a potential denial-of-service issue affecting the Android sync adapter package com.etesync.syncadapter.
Tested environment
-
App package: com.etesync.syncadapter
-
App version: unknown from my current notes; tested APK identified by SHA-256 below
-
Tested APK SHA-256: 00a1d9a155d707ebdf8398fc4f41b67952d6745dedf7ac80db582adcdde2b6ab
-
Android environment: MuMu emulator, Android API 32
-
Test date: June 26
-
Attacker model: local third-party Android app, no root
Summary
During local Binder testing, I found that malformed requests to several exported SyncAdapter services can reliably crash the target EteSync sync process. The crash appears to occur in Android framework code under AbstractThreadedSyncAdapter.handleOnUnsyncableAccount, but EteSync exposes multiple affected SyncAdapter service entry points.
Confirmed affected services:
-
com.etesync.syncadapter.syncadapter.TasksSyncAdapterService
-
com.etesync.syncadapter.syncadapter.TasksOrgSyncAdapterService
-
com.etesync.syncadapter.syncadapter.ContactsSyncAdapterService
-
com.etesync.syncadapter.syncadapter.CalendarsSyncAdapterService
-
com.etesync.syncadapter.syncadapter.AddressBooksSyncAdapterService
Validation summary:
-
Bind-only control: 2/2 runs did not crash the target process
-
Malformed Binder request replay: 3/3 runs triggered TARGET_FATAL_EXCEPTION
-
The same issue was reproduced across all 5 services
-
Frida telemetry captured all 5 affected entries
Observed crash excerpt:
FATAL EXCEPTION: main
Process: com.etesync.syncadapter
java.lang.NullPointerException:
Attempt to invoke interface method
'void android.content.ISyncAdapterUnsyncableAccountCallback.onUnsyncableAccountDone(boolean)'
on a null object reference
at android.content.AbstractThreadedSyncAdapter.handleOnUnsyncableAccount(AbstractThreadedSyncAdapter.java:404)
at android.content.AbstractThreadedSyncAdapter$ISyncAdapterImpl.lambda$onUnsyncableAccount$0(AbstractThreadedSyncAdapter.java:177)
Impact:
A local app on the same Android device may be able to repeatedly crash the EteSync sync adapter process by interacting with exported SyncAdapter Binder services. This could temporarily disrupt background sync for tasks, contacts, calendars, and address books.
Expected behavior:
Malformed or incomplete Binder requests should be rejected safely without crashing the EteSync sync process.
Actual behavior:
The target process crashes with a NullPointerException in the SyncAdapter framework path.
Notes:
This may ultimately require a defensive fix or null-check in Android framework code, but because multiple EteSync SyncAdapter services expose the affected Binder surface, I wanted to report it here as well. I can share additional logs, APK metadata, and a minimized PoC privately if you have a preferred security contact.
Hi EteSync maintainers,
I would like to report a potential denial-of-service issue affecting the Android sync adapter package
com.etesync.syncadapter.Tested environment
App package:
com.etesync.syncadapterApp version: unknown from my current notes; tested APK identified by SHA-256 below
Tested APK SHA-256:
00a1d9a155d707ebdf8398fc4f41b67952d6745dedf7ac80db582adcdde2b6abAndroid environment: MuMu emulator, Android API 32
Test date: June 26
Attacker model: local third-party Android app, no root
Summary
During local Binder testing, I found that malformed requests to several exported SyncAdapter services can reliably crash the target EteSync sync process. The crash appears to occur in Android framework code under
AbstractThreadedSyncAdapter.handleOnUnsyncableAccount, but EteSync exposes multiple affected SyncAdapter service entry points.Confirmed affected services:
com.etesync.syncadapter.syncadapter.TasksSyncAdapterServicecom.etesync.syncadapter.syncadapter.TasksOrgSyncAdapterServicecom.etesync.syncadapter.syncadapter.ContactsSyncAdapterServicecom.etesync.syncadapter.syncadapter.CalendarsSyncAdapterServicecom.etesync.syncadapter.syncadapter.AddressBooksSyncAdapterServiceValidation summary:
Bind-only control: 2/2 runs did not crash the target process
Malformed Binder request replay: 3/3 runs triggered
TARGET_FATAL_EXCEPTIONThe same issue was reproduced across all 5 services
Frida telemetry captured all 5 affected entries
Observed crash excerpt:
Impact:
A local app on the same Android device may be able to repeatedly crash the EteSync sync adapter process by interacting with exported SyncAdapter Binder services. This could temporarily disrupt background sync for tasks, contacts, calendars, and address books.
Expected behavior:
Malformed or incomplete Binder requests should be rejected safely without crashing the EteSync sync process.
Actual behavior:
The target process crashes with a
NullPointerExceptionin the SyncAdapter framework path.Notes:
This may ultimately require a defensive fix or null-check in Android framework code, but because multiple EteSync SyncAdapter services expose the affected Binder surface, I wanted to report it here as well. I can share additional logs, APK metadata, and a minimized PoC privately if you have a preferred security contact.