A] bpe_decompress stack overflow
The BPE (byte pair encoding) compression uses two 256-byte stack buffers called "left" and "right". The bpe_decompress function shared by all the client and server programs of this protocol is affected by a stack-based buffer overflow, caused by the lack of bounds checks on the data that is stored sequentially in these two buffers.
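Added example, not taken from the advisory or from the Photon code: a bounds-checked decoder for one BPE block that shows the index checks whose absence the advisory describes. The byte layout is assumed to be Philip Gage's 1994 BPE (the advisory does not name the variant Photon uses), and the function name bpe_decompress_checked is hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
/* Bounds-checked decoder for one BPE block. The layout (pair table of literal
 * runs and pair runs indexed by code, then a 16-bit big-endian packed-code
 * count) is assumed to follow Philip Gage's 1994 BPE; the advisory does not say
 * which variant Photon uses. Returns bytes written, -1 on malformed input. */
long bpe_decompress_checked(const uint8_t *in, size_t inlen,
                            uint8_t *out, size_t outlen)
{
    uint8_t left[256], right[256], stack[256];
    size_t pos = 0, outpos = 0, size;
    int c = 0, count, i, sp = 0;
    for (i = 0; i < 256; i++) left[i] = (uint8_t)i;    /* left[c]==c: literal */
    for (;;) {                                         /* read pair table */
        if (pos >= inlen) return -1;
        count = in[pos++];
        if (count > 127) { c += count - 127; count = 0; } /* skip literal run */
        if (c > 256) return -1;             /* literal skip ran off the table */
        if (c == 256) break;
        /* The check the advisory reports missing: a run of count+1 pairs
         * stored from index c must not pass the end of left[]/right[]. */
        if (c + count + 1 > 256) return -1;
        for (i = 0; i <= count; i++, c++) {
            if (pos >= inlen) return -1;
            left[c] = in[pos++];
            if (left[c] != c) {              /* real pair carries a right byte */
                if (pos >= inlen) return -1;
                right[c] = in[pos++];
            }
        }
        if (c == 256) break;
    }
    if (inlen - pos < 2) return -1;                    /* packed-code count */
    size = 256u * in[pos] + in[pos + 1];
    pos += 2;
    if (size > inlen - pos) return -1;
    while (sp > 0 || size > 0) {                       /* expand codes */
        if (sp > 0) c = stack[--sp];
        else { c = in[pos++]; size--; }
        if (left[c] == c) {                            /* literal: emit */
            if (outpos >= outlen) return -1;
            out[outpos++] = (uint8_t)c;
        } else {                                       /* pair: push halves */
            if (sp + 2 > (int)sizeof stack) return -1; /* cyclic/deep table */
            stack[sp++] = right[c];
            stack[sp++] = left[c];
        }
    }
    return (long)outpos;
}
```

A constructed block whose literal-run skip or pair run would carry the table index past 255 is rejected with -1 instead of being written into the stack frame, which is the failure mode the advisory attributes to the unchecked decoder.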
B] Photon Session buffer overflow
Buffer overflow in phrelay while handling the device file that the client specifies as an existing Photon session.
Note: phrelay is not enabled by default and allows unauthenticated connections directly to /dev/photon (the screen physically visible on the machine), and phindows/phditto must be manually pointed at the malicious host to exploit bug A; this advisory must therefore be considered only a case study and nothing more.
The Code
http://aluigi.org/testz/udpsz.zip
http://www.exploit-db.com/sploits/18864.zip
A]
At the moment I don't know how to call bpe_decompress on phrelay, but I have verified that the bpe_decompress function is 100% vulnerable. The following test works only on phindows/phditto (the proof-of-concept acts as a server):