Information

HP implemented a JPEG parser for handling colour fax documents in their all-in-one printers.
The JPEG parser has a classic stack-based buffer overflow when handling the DHT (Define Huffman Table) JPEG marker, resulting in remote code execution.

Technical Details

  1. The length field is computed by summing 16 attacker-controlled count bytes from the DHT segment, so 0 <= length <= 4080 (16 * 255)
  2. The length is used, without any bounds check, to copy data from the attacker-controlled file into a stack buffer of 256 bytes
  3. The stored return address sits directly after the end of this buffer
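The three points above describe the missing check: the per-length code counts in a DHT table are summed and that sum drives a copy into a fixed 256-byte buffer. The JPEG standard (ITU-T T.81, B.2.4.2) caps that sum at 256 per table, which is exactly the bound a parser must enforce before copying. The following C parser is an added example written for this page; it is not HP's or Check Point's code and does not reproduce the vulnerable firmware. It assumes the marker segment layout from the standard (2-byte Lh, then per table one Tc/Th byte, 16 BITS count bytes and the HUFFVAL symbols) and uses constructed sample segments, including one whose counts sum to the 4080 maximum named above, to show each rejection path.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DHT_MAX_SYMBOLS 256   /* T.81 B.2.4.2: sum of the 16 BITS counts <= 256 */
#define DHT_MAX_TABLES  8     /* 2 classes (DC/AC) x 4 table ids */

enum dht_status {
    DHT_OK = 0,
    DHT_ERR_SHORT_HEADER,     /* fewer bytes available than the Lh field itself */
    DHT_ERR_LENGTH_MISMATCH,  /* Lh claims more bytes than are actually present */
    DHT_ERR_TRUNCATED_TABLE,  /* a table runs past the end of the segment */
    DHT_ERR_TOO_MANY_CODES,   /* sum of BITS exceeds 256: the bug class of this advisory */
    DHT_ERR_BAD_CLASS_ID,     /* Tc > 1 or Th > 3 */
    DHT_ERR_TOO_MANY_TABLES
};

struct dht_table {
    uint8_t table_class;              /* 0 = DC, 1 = AC */
    uint8_t table_id;                 /* 0..3 */
    uint8_t bits[16];                 /* number of codes of each length 1..16 */
    uint8_t huffval[DHT_MAX_SYMBOLS]; /* fixed buffer, safe only because of the check below */
    size_t  nsymbols;
};

/* Parse one DHT marker segment starting at the Lh length field.
 * `avail` is the number of bytes really present in memory; every length
 * derived from file data is checked against it before any copy. */
enum dht_status parse_dht_segment(const uint8_t *seg, size_t avail,
                                  struct dht_table *tables, size_t *ntables)
{
    *ntables = 0;
    if (avail < 2) return DHT_ERR_SHORT_HEADER;
    size_t lh = ((size_t)seg[0] << 8) | seg[1];
    if (lh < 2 || lh > avail) return DHT_ERR_LENGTH_MISMATCH;

    size_t pos = 2;
    while (pos < lh) {
        if (*ntables >= DHT_MAX_TABLES) return DHT_ERR_TOO_MANY_TABLES;
        if (lh - pos < 17) return DHT_ERR_TRUNCATED_TABLE;   /* Tc/Th + 16 counts */
        struct dht_table *t = &tables[*ntables];
        t->table_class = seg[pos] >> 4;
        t->table_id    = seg[pos] & 0x0F;
        if (t->table_class > 1 || t->table_id > 3) return DHT_ERR_BAD_CLASS_ID;
        pos++;

        size_t total = 0;                      /* 16 * 255 = 4080 at most */
        for (int i = 0; i < 16; i++) {
            t->bits[i] = seg[pos + i];
            total += t->bits[i];
        }
        pos += 16;
        /* The check the advisory says was missing: bound the copy length
         * by the destination size before touching huffval. */
        if (total > DHT_MAX_SYMBOLS) return DHT_ERR_TOO_MANY_CODES;
        if (lh - pos < total) return DHT_ERR_TRUNCATED_TABLE;
        memcpy(t->huffval, seg + pos, total);
        t->nsymbols = total;
        pos += total;
        (*ntables)++;
    }
    return DHT_OK;
}

/* Constructed sample: the standard luminance DC table (T.81 K.3.3.1). */
static const uint8_t sample_valid_dht[] = {
    0x00, 0x1F,                                 /* Lh = 31 */
    0x00,                                       /* Tc = 0 (DC), Th = 0 */
    0, 1, 5, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, /* BITS, sum = 12 */
    0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11        /* HUFFVAL */
};

enum dht_status check_valid_sample(void) {
    struct dht_table tables[DHT_MAX_TABLES]; size_t n;
    return parse_dht_segment(sample_valid_dht, sizeof sample_valid_dht, tables, &n);
}

size_t valid_sample_symbol_count(void) {
    struct dht_table tables[DHT_MAX_TABLES]; size_t n;
    if (parse_dht_segment(sample_valid_dht, sizeof sample_valid_dht, tables, &n) != DHT_OK) return 0;
    return tables[0].nsymbols;
}

/* Constructed sample: all 16 counts set to 255, the 4080-symbol maximum. */
enum dht_status check_oversized_counts(void) {
    uint8_t seg[2 + 1 + 16];
    seg[0] = 0x00; seg[1] = (uint8_t)sizeof seg;  /* Lh = 19 */
    seg[2] = 0x10;                                /* AC table 0 */
    memset(seg + 3, 0xFF, 16);
    struct dht_table tables[DHT_MAX_TABLES]; size_t n;
    return parse_dht_segment(seg, sizeof seg, tables, &n);
}

/* Constructed sample: Lh overstated (40) while only 31 bytes exist. */
enum dht_status check_overstated_length(void) {
    uint8_t seg[sizeof sample_valid_dht];
    memcpy(seg, sample_valid_dht, sizeof seg);
    seg[1] = 0x28;
    struct dht_table tables[DHT_MAX_TABLES]; size_t n;
    return parse_dht_segment(seg, sizeof seg, tables, &n);
}

int main(void) {
    printf("valid: %d (symbols=%zu)\n", check_valid_sample(), valid_sample_symbol_count());
    printf("oversized counts: %d\n", check_oversized_counts());
    printf("overstated Lh: %d\n", check_overstated_length());
    return 0;
}
```

The order of the checks matters: the 256 bound is tested before the copy and before the segment-length check, so an attacker-controlled sum is never used as a copy length, whatever Lh says. Rejecting the segment outright (rather than clamping the sum) is the safer choice for a fax or printer pipeline, since a clamped table would silently decode garbage.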

PoC

A PoC was presented live at DEFCON 26 - "What The FAX?!": https://www.youtube.com/watch?v=qLCE8spVX9Q

References:
https://research.checkpoint.com/sending-fax-back-to-the-dark-ages/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5924
https://support.hp.com/us-en/document/c06097712