QNX phrelay/phindows/phditto Multiple Vulnerabilities



EKU-ID: 2111 CVE: OSVDB-ID:
Author: Luigi Auriemma Published: 2012-05-14 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


#######################################################################

                             Luigi Auriemma

Application:  QNX phrelay/phindows/phditto
              http://www.qnx.com
              http://www.qnx.com/developers/docs/6.5.0/topic/com.qnx.doc.phindows/topic/coverpage.html
              http://www.qnx.com/developers/docs/6.4.1/neutrino/utilities/p/phrelay.html
Versions:     current
Platforms:    QNX Neutrino RTOS and Windows
Bugs:         A] bpe_decompress stack overflow
              B] Photon Session buffer overflow
Exploitation: remote
              A] versus client and maybe server
              B] versus server
Date:         10 May 2012
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


phrelay and phindows/phditto are based on a private protocol that
allows to use the Photon graphical environment of the server (through
the phrelay inetd program) on another machine (phindows, phditto and
any other client).


#######################################################################

=======
2) Bugs
=======

--------------------------------
A] bpe_decompress stack overflow
--------------------------------

The BPE (byte pair encoding) compression uses two stack buffers of 256
bytes called "left" and "right".
The bpe_decompress function used in all the client/server programs of
this protocol is affected by a stack based buffer-overflow caused by
the lack of checks on the data sequentially stored in these two
buffers.


---------------------------------
B] Photon Session buffer overflow
---------------------------------

Buffer-overflow affecting phrelay in the handling of the device file
specified by the client as existing Photon session.


Note: considering that phrelay is not enabled by default and allows to
connect without authentication directly to /dev/photon (the screen
visible phisically on the machine) and phindows/phditto must be
manually pointed to the malicious host for exploiting bug A, this
advisory must be considered only a case study and nothing more.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/testz/udpsz.zip
http://www.exploit-db.com/sploits/18864.zip


A]
at the moment I don't know how to call bpe_decompress on phrelay but I
have verified that the bpe_decompress function is vulnerable at 100%.
the following test works only on phindows/phditto (the proof-of-concept
acts as a server):

  udpsz -C "a5 00 00 01 0000 ffff" -b A -l 0 -T -1 0 4868 1+7+0xffff

B]
  udpsz -C "a5 10 00 00 0000 ffff   1400000008040100000000008002e0010000000000000000000000000000" -b A -T SERVER 4868 1+7+0xffff


#######################################################################

======
4) Fix
======


No fix.


#######################################################################