Information

File: PtpMgr/PtpApp/PtpOperation.c (probably)
Function: PTP_SetAdapterBatteryReport()

The handler verifies that the length of the received message is exactly 28 bytes and logs an error otherwise. However, after logging the error it continues on to copy the incoming message into a fixed-size stack buffer of 0x12 bytes (28 bytes).
The length of the incoming message is not constrained anywhere and can be far larger than this fixed buffer.
Note: The vulnerability triggers over a USB connection, but raises an exception over a WiFi connection.

The decompiled vulnerable code looks roughly like this:

input_size = ctx->get_data_size_ptr(ctx->handle);
// EI-DBG: "input_size" is checked to be exactly as expected
if ( input_size != 28 )
{
    dbg_printf(
      global_ptp_memory_context->some_mem_id,
      3,
      " PTP_SetAdapterBatteryReport ReceiveSizeError [%x]",
      input_size);
    // EI-DBG: Missing return statement after the error log
}
// EI-DBG: The attacker's data will always be copied into the buffer, even in the error log case
ctx->recv_data_ptr(ctx->handle, local_buffer, input_size);
handle_incoming_packet(&local_buffer[4]);
if ( PTP_SendResponse(ctx, &msg) < 0 )
{
    dbg_printf_FE3FC214(
      global_ptp_memory_context->some_mem_id,
      6,
      "PTP_SetAdapterBatteryReport USB Send Error");
}
return result;
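
As an added illustration of the fix (this is example code written for this page, not Canon's firmware and not part of the original advisory), the following C model shows the hardened shape of the handler: the size check returns early instead of falling through, and the copy is bounded by sizeof(local_buffer) rather than by the attacker-controlled input_size. The context structure, the fake_get_data_size/fake_recv_data transport stand-ins and the constructed 512-byte message are assumptions made so that the example runs offline.

```c
/* Added example: hardened length handling modelled on the
 * PTP_SetAdapterBatteryReport bug described above. Not the vendor's code. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define BATTERY_REPORT_LEN 28u   /* expected message length, from the advisory */

/* Hypothetical stand-in for the PTP transport context (assumed shape). */
typedef struct {
    const uint8_t *msg;   /* constructed incoming message */
    size_t msg_len;
} fake_ctx_t;

static size_t fake_get_data_size(const fake_ctx_t *ctx) { return ctx->msg_len; }

/* Copies at most max_len bytes into dst; returns the number actually copied. */
static size_t fake_recv_data(const fake_ctx_t *ctx, uint8_t *dst, size_t max_len) {
    size_t n = ctx->msg_len < max_len ? ctx->msg_len : max_len;
    memcpy(dst, ctx->msg, n);
    return n;
}

enum { PTP_OK = 0, PTP_SIZE_ERROR = -1, PTP_RECV_ERROR = -2 };

/* Hardened handler: any message whose length is not exactly 28 bytes is
 * rejected BEFORE anything is copied, and the copy itself is bounded by the
 * buffer size, so the stack buffer cannot be overrun even if the check changes. */
int hardened_set_adapter_battery_report(const fake_ctx_t *ctx,
                                        uint8_t *out_payload, size_t out_len) {
    uint8_t local_buffer[BATTERY_REPORT_LEN];
    size_t input_size = fake_get_data_size(ctx);

    if (input_size != sizeof local_buffer) {
        fprintf(stderr, "PTP_SetAdapterBatteryReport ReceiveSizeError [%zx]\n",
                input_size);
        return PTP_SIZE_ERROR;   /* the return that is missing in the original */
    }
    if (fake_recv_data(ctx, local_buffer, sizeof local_buffer) != sizeof local_buffer)
        return PTP_RECV_ERROR;

    /* Payload follows a 4-byte header, mirroring handle_incoming_packet(&local_buffer[4]). */
    size_t payload_len = sizeof local_buffer - 4;
    if (out_len < payload_len)
        return PTP_RECV_ERROR;
    memcpy(out_payload, &local_buffer[4], payload_len);
    return PTP_OK;
}

/* Drives the handler with a constructed message of the given length
 * (bytes 0,1,2,...) and returns the handler's result code. */
int try_message(size_t len) {
    uint8_t msg[512];
    for (size_t i = 0; i < sizeof msg; i++)
        msg[i] = (uint8_t)i;
    if (len > sizeof msg)
        len = sizeof msg;
    fake_ctx_t ctx = { msg, len };
    uint8_t payload[BATTERY_REPORT_LEN];
    return hardened_set_adapter_battery_report(&ctx, payload, sizeof payload);
}

/* Returns the first payload byte of a valid 28-byte message (byte index 4),
 * or -1 if the handler rejected it. */
int payload_first_byte(void) {
    uint8_t msg[BATTERY_REPORT_LEN];
    for (size_t i = 0; i < sizeof msg; i++)
        msg[i] = (uint8_t)i;
    fake_ctx_t ctx = { msg, sizeof msg };
    uint8_t payload[BATTERY_REPORT_LEN];
    if (hardened_set_adapter_battery_report(&ctx, payload, sizeof payload) != PTP_OK)
        return -1;
    return payload[0];
}

int main(void) {
    printf("28-byte message  -> %d\n", try_message(28));
    printf("512-byte message -> %d\n", try_message(512));
    printf("0-byte message   -> %d\n", try_message(0));
    return 0;
}
```

The two defensive properties are independent: the early return is the actual fix for the logic bug, while bounding the copy by the destination size is a belt-and-braces measure that keeps a future edit of the check from reintroducing the overflow.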


References:
https://research.checkpoint.com/say-cheese-ransomware-ing-a-dslr-camera
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6001