#######################################################################

Luigi Auriemma

Application:  QNX phrelay/phindows/phditto
              http://www.qnx.com
              http://www.qnx.com/developers/docs/6.5.0/topic/com.qnx.doc.phindows/topic/coverpage.html
              http://www.qnx.com/developers/docs/6.4.1/neutrino/utilities/p/phrelay.html
Versions:     current
Platforms:    QNX Neutrino RTOS and Windows
Bugs:         A] bpe_decompress stack overflow
              B] Photon Session buffer overflow
Exploitation: remote
              A] versus client and maybe server
              B] versus server
Date:         10 May 2012
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

phrelay and phindows/phditto are based on a proprietary protocol that
allows the Photon graphical environment of the server (exposed through
the phrelay inetd program) to be used from another machine (phindows,
phditto and any other client).

#######################################################################

=======
2) Bugs
=======

--------------------------------
A] bpe_decompress stack overflow
--------------------------------

The BPE (byte pair encoding) compression uses two stack buffers of 256
bytes called "left" and "right".
The bpe_decompress function used in all the client/server programs of
this protocol is affected by a stack-based buffer overflow caused by the
lack of bounds checks on the data sequentially stored in these two
buffers.

---------------------------------
B] Photon Session buffer overflow
---------------------------------

Buffer overflow affecting phrelay in the handling of the device file
specified by the client as the existing Photon session.
Note: considering that phrelay is not enabled by default, that it allows
connecting without authentication directly to /dev/photon (the screen
physically visible on the machine), and that phindows/phditto must be
manually pointed to the malicious host for bug A to be exploited, this
advisory must be considered only a case study and nothing more.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/testz/udpsz.zip

A] At the moment I don't know how to call bpe_decompress on phrelay, but
   I have verified that the bpe_decompress function is 100% vulnerable.
   The following test works only on phindows/phditto (the
   proof-of-concept acts as a server):

  udpsz -C "a5 00 00 01 0000 ffff" -b A -l 0 -T -1 0 4868 1+7+0xffff

B]
  udpsz -C "a5 10 00 00 0000 ffff 1400000008040100000000008002e0010000000000000000000000000000" -b A -T SERVER 4868 1+7+0xffff

#######################################################################

======
4) Fix
======

No fix.

#######################################################################
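The bounds check that bug A describes as missing, shown in a BPE decoder written for this page; it is an added illustration, not QNX's bpe_decompress or anything from aluigi.org, and the stream layout it parses (a Gage-style pair table: a count byte either skips a run of literal codes or introduces explicit left/right pairs, until all 256 codes are defined) is an assumption, not the QNX wire format.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Bounds-checked BPE decoder. ASSUMED Gage-style layout (not the QNX wire format):
 * pair table = count bytes; count > 127 skips count-127 literal codes, count <= 127
 * is followed by count+1 (left,right) pairs, until all 256 codes are defined;
 * the rest of the stream is codes to expand. Returns output length or -1 if malformed. */
int bpe_decompress_checked(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_cap)
{
    uint8_t left[256], right[256], stack[256];     /* fixed stack buffers, as in the original */
    size_t ip = 0, op = 0;
    unsigned c = 0;
    for (unsigned i = 0; i < 256; i++) left[i] = (uint8_t)i;   /* every code starts as a literal */
    while (c < 256) {                              /* ---- read the pair table ---- */
        if (ip >= in_len) return -1;
        unsigned count = in[ip++];
        if (count > 127) { c += count - 127; continue; }       /* literal run: nothing stored */
        /* The check the vulnerable decoder lacks: a pair run must not write past index 255. */
        if (c + count + 1 > 256) return -1;
        if (ip + 2 * (count + 1) > in_len) return -1;          /* truncated table */
        for (unsigned i = 0; i <= count; i++, c++) { left[c] = in[ip++]; right[c] = in[ip++]; }
    }
    while (ip < in_len) {                          /* ---- expand the coded bytes ---- */
        unsigned sp = 0;
        stack[sp++] = in[ip++];
        while (sp > 0) {
            unsigned code = stack[--sp];
            if (left[code] == code) {              /* literal byte */
                if (op >= out_cap) return -1;      /* output buffer full */
                out[op++] = (uint8_t)code;
            } else {                               /* pair: left expands first, then right */
                if (sp + 2 > sizeof stack) return -1;  /* cyclic or too-deep table */
                stack[sp++] = right[code];
                stack[sp++] = left[code];
            }
        }
    }
    return (int)op;
}
/* Test helper: 1 if `in` decodes exactly to `expected`, 0 on mismatch, -1 if rejected. */
int bpe_decode_check(const uint8_t *in, size_t in_len, const char *expected)
{
    uint8_t out[64];
    int n = bpe_decompress_checked(in, in_len, out, sizeof out);
    if (n < 0) return -1;
    return ((size_t)n == strlen(expected) && memcmp(out, expected, (size_t)n) == 0) ? 1 : 0;
}
```

The second constructed input below is the shape of table the text describes as overflowing "left" and "right": a pair run that starts at index 255 and keeps writing; the checked decoder rejects it instead.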