#######################################################################
Luigi Auriemma
Application: QNX phrelay/phindows/phditto
http://www.qnx.com
http://www.qnx.com/developers/docs/6.5.0/topic/com.qnx.doc.phindows/topic/coverpage.html
http://www.qnx.com/developers/docs/6.4.1/neutrino/utilities/p/phrelay.html
Versions: current
Platforms: QNX Neutrino RTOS and Windows
Bugs: A] bpe_decompress stack overflow
B] Photon Session buffer overflow
Exploitation: remote
A] versus client and maybe server
B] versus server
Date: 10 May 2012
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
#######################################################################
1) Introduction
2) Bugs
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
phrelay and phindows/phditto are based on a private protocol that
allows the Photon graphical environment of the server (exposed through
the phrelay inetd program) to be used from another machine (phindows,
phditto or any other client).
#######################################################################
=======
2) Bugs
=======
--------------------------------
A] bpe_decompress stack overflow
--------------------------------
The BPE (byte pair encoding) compression uses two stack buffers of 256
bytes called "left" and "right".
The bpe_decompress function used in all the client/server programs of
this protocol is affected by a stack-based buffer overflow caused by
the lack of bounds checks on the data written sequentially into these
two buffers.
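As an added illustration (not code from this advisory, from QNX or from the phrelay/phindows programs), the following is a decoder for one block of the byte-pair-encoding layout described by Philip Gage, written with the bounds checks a decoder that fills two 256-entry "left"/"right" tables from attacker-controlled data needs. The wire layout it assumes (pair table, then a 16-bit big-endian packed length, then the packed bytes), the function names and the sample blocks are assumptions made for the example and are not the Photon protocol's own format. It goes slightly beyond the advisory's point: besides checking every table index, it also bounds the expansion stack (a cyclic pair table would otherwise grow it without limit) and the output buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bound on the expansion stack; a cyclic pair table would otherwise
 * grow it without limit (a second overflow in unchecked decoders). */
#define BPE_STACK_MAX 256

/* Decode one BPE block: pair table, 16-bit big-endian packed length,
 * packed bytes (layout assumed for this example). Returns the number of
 * bytes written to out, or -1 on malformed input. Every write to left[]
 * and right[] is checked against their 256-entry size, which is the
 * kind of check the advisory reports as missing. */
long bpe_expand(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_cap)
{
    uint8_t left[256], right[256], stack[BPE_STACK_MAX];
    size_t pos = 0, out_len = 0, sp = 0;
    unsigned c, count, i, packed;

    for (c = 0; c < 256; c++) left[c] = (uint8_t)c;   /* default: literal */
    memset(right, 0, sizeof right);

    /* Pair table: a count byte > 127 skips (count - 127) literal codes,
     * otherwise (count + 1) pairs follow for consecutive codes. */
    for (c = 0;;) {
        if (pos >= in_len) return -1;
        count = in[pos++];
        if (count > 127) {
            c += count - 127;
            count = 0;
        }
        if (c == 256) break;
        if (c > 256) return -1;             /* skip ran past the table */
        for (i = 0; i <= count; i++, c++) {
            if (c >= 256) return -1;        /* pair would land past the table */
            if (pos >= in_len) return -1;
            left[c] = in[pos++];
            if (left[c] != c) {             /* a real pair carries a right byte */
                if (pos >= in_len) return -1;
                right[c] = in[pos++];
            }
        }
        if (c == 256) break;
    }

    /* Packed length must fit in what is left of the message. */
    if (in_len - pos < 2) return -1;
    packed = (unsigned)in[pos] << 8 | in[pos + 1];
    pos += 2;
    if (packed > in_len - pos) return -1;

    /* Expansion: literals go to out, pairs are pushed on the bounded stack. */
    for (i = 0;;) {
        if (sp) {
            c = stack[--sp];
        } else {
            if (i == packed) break;
            c = in[pos + i++];
        }
        if (c == left[c]) {
            if (out_len >= out_cap) return -1;       /* output buffer full */
            out[out_len++] = (uint8_t)c;
        } else {
            if (sp + 2 > BPE_STACK_MAX) return -1;   /* cyclic or too deep */
            stack[sp++] = right[c];
            stack[sp++] = left[c];
        }
    }
    return (long)out_len;
}

/* Constructed sample blocks (not captured traffic). */
const uint8_t SAMPLE_OK[]      = {0xFF, 0x41, 0x42, 0xFE, 0x00, 0x03, 0x80, 0x43, 0x80}; /* 0x80 = "AB"; decodes to "ABCAB" */
const uint8_t SAMPLE_OVERRUN[] = {0xFF, 0x41, 0x42, 0xFF};                               /* second skip pushes the index to 257 */
const uint8_t SAMPLE_CYCLE[]   = {0xFF, 0x81, 0x41, 0x00, 0x80, 0x42, 0xFD, 0x00, 0x01, 0x80}; /* 0x80 <-> 0x81 */

uint8_t scratch[64];

long decode_sample(const uint8_t *in, size_t in_len, size_t out_cap)
{
    if (out_cap > sizeof scratch) out_cap = sizeof scratch;
    return bpe_expand(in, in_len, scratch, out_cap);
}

int scratch_is(const char *expect, long n)
{
    return n >= 0 && (size_t)n == strlen(expect) && memcmp(scratch, expect, (size_t)n) == 0;
}

int main(void)
{
    long n = decode_sample(SAMPLE_OK, sizeof SAMPLE_OK, sizeof scratch);
    printf("valid block: %ld bytes -> %.*s\n", n, (int)(n < 0 ? 0 : n), (const char *)scratch);
    printf("table overrun rejected: %s\n",
           decode_sample(SAMPLE_OVERRUN, sizeof SAMPLE_OVERRUN, sizeof scratch) == -1 ? "yes" : "no");
    printf("cyclic table rejected: %s\n",
           decode_sample(SAMPLE_CYCLE, sizeof SAMPLE_CYCLE, sizeof scratch) == -1 ? "yes" : "no");
    return 0;
}
```

The three samples exercise the three limits: a well-formed block decodes to "ABCAB", a block whose second skip byte carries the table index past 256 is rejected before any table write, and a block whose pairs refer to each other is rejected when the expansion stack hits its bound instead of running forever.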
---------------------------------
B] Photon Session buffer overflow
---------------------------------
Buffer overflow affecting phrelay in the handling of the device file
that the client specifies as an existing Photon session.
Note: considering that phrelay is not enabled by default and allows
unauthenticated connections directly to /dev/photon (the screen
physically visible on the machine), and that phindows/phditto must be
manually pointed to the malicious host to exploit bug A, this advisory
must be considered only a case study and nothing more.
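As an added example (not phrelay code and not a description of how phrelay builds the path), the following shows how a server can take a client-specified session device name into a fixed-size path buffer without overflowing it: the length comes from the message framing and is checked against the buffer before anything is copied, and the name is restricted to a single printable path component. The "/dev/" prefix, the 64-byte buffer, the character rules and the helper names are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not phrelay code. A client-supplied session name is
 * accepted only if it is a plain file name that, with the "/dev/" prefix,
 * fits the fixed path buffer. The 64-byte buffer and the "/dev/" prefix are
 * assumptions made for the example. */
#define SESSION_PATH_MAX   64
#define SESSION_PREFIX     "/dev/"
#define SESSION_PREFIX_LEN (sizeof(SESSION_PREFIX) - 1)

/* Returns 1 and writes the NUL-terminated path on success, 0 if the name is
 * rejected. name_len comes from the message framing, so the copy never
 * depends on the peer supplying a terminator. */
int build_session_path(const unsigned char *name, size_t name_len,
                       char path[SESSION_PATH_MAX])
{
    size_t i;

    /* Prefix + name + NUL must fit; this is the check that stops the overflow. */
    if (name_len == 0 || name_len > SESSION_PATH_MAX - SESSION_PREFIX_LEN - 1)
        return 0;
    /* One path component of printable ASCII: no traversal, no embedded NUL
     * or control bytes. */
    for (i = 0; i < name_len; i++) {
        if (name[i] == '/' || name[i] < 0x20 || name[i] > 0x7e)
            return 0;
    }
    if (name_len <= 2 && memcmp(name, "..", name_len) == 0)   /* "." and ".." */
        return 0;

    memcpy(path, SESSION_PREFIX, SESSION_PREFIX_LEN);
    memcpy(path + SESSION_PREFIX_LEN, name, name_len);
    path[SESSION_PREFIX_LEN + name_len] = '\0';
    return 1;
}

/* Helpers for the demonstration below; they take C strings for convenience. */
char session_path[SESSION_PATH_MAX];

const char *session_path_of(const char *name)
{
    return build_session_path((const unsigned char *)name, strlen(name), session_path)
           ? session_path : NULL;
}

/* Accepts or rejects a name made of n 'A' bytes (n may exceed the buffer). */
int accepts_name_of_length(size_t n)
{
    unsigned char name[256];
    if (n > sizeof name) n = sizeof name;
    memset(name, 'A', n);
    return build_session_path(name, n, session_path);
}

int main(void)
{
    const char *tests[] = {"photon", "../etc/passwd", "a/b", "..", "photon\x01"};
    size_t i;
    for (i = 0; i < sizeof tests / sizeof tests[0]; i++) {
        const char *p = session_path_of(tests[i]);
        printf("%-16s -> %s\n", tests[i], p ? p : "rejected");
    }
    printf("58-byte name accepted: %d, 59-byte name accepted: %d\n",
           accepts_name_of_length(58), accepts_name_of_length(59));
    return 0;
}
```

The length check is deliberately expressed in terms of the destination buffer and the prefix, so changing either constant keeps the copy safe; a 58-byte name is the longest that still leaves room for the prefix and the terminator, and a 59-byte one is refused before any byte is written.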
#######################################################################
===========
3) The Code
===========
http://aluigi.org/testz/udpsz.zip
A]
At the moment I don't know how to call bpe_decompress on phrelay, but I
have verified that the bpe_decompress function is vulnerable at 100%.
The following test works only on phindows/phditto (the proof-of-concept
acts as a server):
udpsz -C "a5 00 00 01 0000 ffff" -b A -l 0 -T -1 0 4868 1+7+0xffff
B]
udpsz -C "a5 10 00 00 0000 ffff 1400000008040100000000008002e0010000000000000000000000000000" -b A -T SERVER 4868 1+7+0xffff
#######################################################################
======
4) Fix
======
No fix.
#######################################################################