QNX phrelay/phindows/phditto Multiple Exploits
The information has been provided by Luigi Auriemma.
* QNX phrelay/phindows/phditto
A] bpe_decompress stack overflow
The BPE (byte pair encoding) compression uses two stack buffers of 256 bytes called 'left' and 'right'. The bpe_decompress function used in all the client/server programs of this protocol is affected by a stack-based buffer overflow caused by the lack of checks on the data sequentially stored in these two buffers.
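As an added example (not code from the advisory or from QNX), here is a bounds-checked decoder in the shape of Philip Gage's published BPE expansion routine, which uses the same 256-entry left and right tables; the block layout, the function names and the sample blocks are assumptions constructed for the demo, and the comment marks the index check whose absence produces the overflow described above.

```c
#include <stdint.h>
#include <string.h>
/* Hardened decoder for one Gage-style BPE block. The layout (pair-table segments, 2-byte big-endian
 * packed length, packed bytes) is an assumption, not QNX's wire format. Returns output length or -1. */
long bpe_expand_block(const uint8_t *in, size_t inlen, uint8_t *out, size_t outcap) {
    uint8_t left[256], right[256], stack[256];
    size_t ip = 0, op = 0, size; int c = 0, count;
    for (int i = 0; i < 256; i++) left[i] = (uint8_t)i;  /* left[i] == i marks a literal */
    for (;;) {                                            /* load the pair table */
        if (ip >= inlen) return -1;
        count = in[ip++];
        if (count > 127) { c += count - 127; count = 0; } /* skip a run of literal bytes */
        if (c > 256) return -1;     /* an unchecked decoder keeps writing past left[] here */
        if (c == 256) break;
        for (int i = 0; i <= count; i++, c++) {           /* read count+1 table entries */
            if (c >= 256 || ip >= inlen) return -1;       /* the bound check at issue */
            left[c] = in[ip++];
            if (left[c] != c) { if (ip >= inlen) return -1; right[c] = in[ip++]; }
        }
        if (c == 256) break;
    }
    if (inlen - ip < 2) return -1;
    size = ((size_t)in[ip] << 8) | in[ip + 1], ip += 2;
    if (inlen - ip < size) return -1;
    while (size--) {                                  /* expand each packed byte */
        int b = in[ip++], sp = 0;
        for (;;) {
            if (left[b] != b) {                       /* pair: save right half, descend left */
                if (sp >= 256) return -1;             /* also stops a self-referencing table */
                stack[sp++] = right[b], b = left[b];
                continue;
            }
            if (op >= outcap) return -1;              /* literal: emit, then pop a saved right */
            out[op++] = (uint8_t)b;
            if (sp == 0) break;
            b = stack[--sp];
        }
    }
    return (long)op;
}
/* Constructed inputs: `good` maps entry 0 to the pair "ab" (rest literal) and packs
 * 00 63 -> "abc"; `bad` skips literal runs until the table index reaches 257. */
int demo_decode(void) {
    static const uint8_t good[] = {0x00,0x61,0x62, 0xFF,0x81, 0xFD, 0x00,0x02, 0x00,0x63};
    static const uint8_t bad[] = {0xFF, 0x80, 0xFF};
    uint8_t out[16];
    if (bpe_expand_block(good, sizeof good, out, sizeof out) != 3 || memcmp(out, "abc", 3)) return 0;
    return bpe_expand_block(bad, sizeof bad, out, sizeof out) == -1;   /* 1 when both pass */
}
```

The expansion stack is capped at 256 entries, so a crafted table whose entries refer back to each other is rejected instead of looping forever.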
B] Photon Session buffer overflow
Buffer overflow affecting phrelay in its handling of the device file that the client specifies as an existing Photon session.
Note: considering that phrelay is not enabled by default and allows connecting without authentication directly to /dev/photon (the screen physically visible on the machine), and that phindows/phditto must be manually pointed to the malicious host to exploit bug A, this advisory must be considered only a case study and nothing more.
At the moment I don't know how to call bpe_decompress on phrelay, but I have verified that the bpe_decompress function is 100% vulnerable. The following test works only on phindows/phditto (the proof-of-concept acts as a server):
udpsz -C 'a5 00 00 01 0000 ffff' -b A -l 0 -T -1 0 4868 1+7+0xffff
udpsz -C 'a5 10 00 00 0000 ffff 1400000008040100000000008002e0010000000000000000000000000000' -b A -T SERVER 4868 1+7+0xffff