HP implemented a JPEG parser for handling color fax documents in their all-in-one printers.
The JPEG parser has a classic stack-based buffer overflow when handling the DHT (Define Huffman Table) JPEG marker, resulting in remote code execution.

Technical Details

  1. The length field is created by accumulating 16 attacker-controllable bytes (the per-code-length symbol counts of the Huffman table), so 0 <= length <= 16 * 255 = 4080
  2. The length is used, without any bounds check, to read data from the attacker-controlled file into a stack buffer of size 256 bytes
  3. The stored return address lies immediately past the end of this buffer
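
The following is an added example, not HP's firmware code: a hypothetical DHT table handler in C that shows the hardened form of the parsing step described above. It accumulates the 16 symbol counts exactly as the writeup describes, then rejects the table before copying if the total exceeds the 256-byte destination or the bytes actually present in the segment. The sample segments are constructed inline; `parse_dht_table`, `build_dht_segment` and the `demo_*` helpers are names chosen for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* DHT table body layout (after the 0xFFC4 marker and the 2-byte segment length):
 *   1 byte   Tc/Th  (table class and identifier)
 *   16 bytes BITS   (number of codes of each length 1..16)
 *   N bytes  HUFFVAL, where N = sum(BITS); N is fully attacker-controlled, 0..4080
 */
#define DHT_BITS    16
#define HUFFVAL_CAP 256   /* the fixed 256-byte stack buffer described in the writeup */

enum dht_status {
    DHT_ERR_TRUNCATED        = -1,   /* segment shorter than what BITS announces */
    DHT_ERR_TOO_MANY_SYMBOLS = -2    /* sum(BITS) would overflow the HUFFVAL buffer */
};

/* Hardened table parser (hypothetical). Returns the number of HUFFVAL bytes
 * copied into huffval (0..256), or a negative dht_status. huffval must hold
 * HUFFVAL_CAP bytes. */
int parse_dht_table(const uint8_t *seg, size_t seg_len, uint8_t *huffval)
{
    if (seg_len < 1 + DHT_BITS)
        return DHT_ERR_TRUNCATED;

    /* Accumulate the 16 BITS counts: 0 <= total <= 16 * 255 = 4080. */
    unsigned total = 0;
    for (int i = 0; i < DHT_BITS; i++)
        total += seg[1 + i];

    /* The check the vulnerable parser lacked: a Huffman table carries at most
     * 256 symbols and the destination holds 256 bytes, so reject before copying. */
    if (total > HUFFVAL_CAP)
        return DHT_ERR_TOO_MANY_SYMBOLS;

    /* Never trust the announced count over the bytes actually present. */
    if (seg_len < 1 + DHT_BITS + (size_t)total)
        return DHT_ERR_TRUNCATED;

    memcpy(huffval, seg + 1 + DHT_BITS, total);
    return (int)total;
}

/* Build a constructed DHT table body for testing: Tc/Th, BITS, then nsyms HUFFVAL bytes. */
static size_t build_dht_segment(uint8_t *buf, size_t cap,
                                const uint8_t bits[DHT_BITS], size_t nsyms)
{
    size_t need = 1 + DHT_BITS + nsyms;
    if (need > cap)
        return 0;
    buf[0] = 0x00;                          /* DC table, id 0 */
    memcpy(buf + 1, bits, DHT_BITS);
    for (size_t i = 0; i < nsyms; i++)      /* arbitrary symbol values */
        buf[1 + DHT_BITS + i] = (uint8_t)i;
    return need;
}

/* A well-formed table: the standard luminance DC BITS, 12 symbols in total. */
int demo_valid(void)
{
    static const uint8_t bits[DHT_BITS] = {0,1,5,1,1,1,1,1,1,0,0,0,0,0,0,0};
    uint8_t seg[1 + DHT_BITS + 12], huffval[HUFFVAL_CAP];
    size_t n = build_dht_segment(seg, sizeof seg, bits, 12);
    return parse_dht_table(seg, n, huffval);
}

/* Worst case from the writeup: all 16 counts are 0xFF, so sum(BITS) = 4080. */
int demo_oversized(void)
{
    uint8_t bits[DHT_BITS];
    memset(bits, 0xFF, sizeof bits);
    static uint8_t seg[1 + DHT_BITS + 4080];
    uint8_t huffval[HUFFVAL_CAP];
    size_t n = build_dht_segment(seg, sizeof seg, bits, 4080);
    return parse_dht_table(seg, n, huffval);
}

/* BITS announce 12 symbols but only 5 HUFFVAL bytes are present in the segment. */
int demo_truncated(void)
{
    static const uint8_t bits[DHT_BITS] = {0,1,5,1,1,1,1,1,1,0,0,0,0,0,0,0};
    uint8_t seg[1 + DHT_BITS + 12], huffval[HUFFVAL_CAP];
    build_dht_segment(seg, sizeof seg, bits, 12);
    return parse_dht_table(seg, 1 + DHT_BITS + 5, huffval);
}

int main(void)
{
    printf("valid table:     %d symbols\n", demo_valid());
    printf("oversized table: status %d\n", demo_oversized());
    printf("truncated table: status %d\n", demo_truncated());
    return 0;
}
```

The decisive line is the comparison of the accumulated total against `HUFFVAL_CAP` before the copy; a length derived from file bytes must be bounded by the destination size, not by what the file claims. The second check guards the read side, so a table that announces more symbols than the segment contains cannot pull in bytes beyond the segment either.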


A PoC was presented live at DEFCON 26 - “What The FAX?!”: