HP implemented a JPEG parser for handling colour fax documents in its all-in-one printers.
The JPEG parser has a classic stack-based buffer overflow when handling the DHT JPEG marker, resulting in remote code execution.
- The length field is derived by summing 16 controllable bytes, so 0 <= length <= 4080
- The length is then used, without any check, to read data from the controlled file into a 256-byte stack buffer
- The saved return address sits immediately after this buffer
A PoC was presented live at DEFCON 26 - “What The FAX?!”: https://www.youtube.com/watch?v=qLCE8spVX9Q
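As an added example (not HP's code and not the PoC from the talk), a DHT table parser in C that applies the bound the vulnerable parser lacked: the summed 16 count bytes are capped at 256, the JPEG limit for one Huffman table, and checked against the bytes actually present before anything is copied into the fixed-size destination. Both sample payloads are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define DHT_MAX_SYMBOLS 256   /* T.81 B.2.4.2: the 16 Li counts may sum to at most 256 */

typedef struct {
    uint8_t table_class;                /* Tc: 0 = DC, 1 = AC */
    uint8_t table_id;                   /* Th: 0..3 */
    uint8_t counts[16];                 /* Li: number of codes of each length 1..16 */
    uint8_t symbols[DHT_MAX_SYMBOLS];   /* Vi,j: fixed-size, bounded by the check below */
    size_t  total_symbols;
} dht_table_t;

/* Parse one Huffman table from a DHT payload (the bytes after the 0xFFC4 marker
 * and the 2-byte segment length). Returns bytes consumed, or 0 if rejected. */
size_t parse_dht_table(const uint8_t *p, size_t len, dht_table_t *out)
{
    if (len < 17) return 0;                           /* Tc/Th byte + 16 counts */
    out->table_class = p[0] >> 4;
    out->table_id    = p[0] & 0x0F;
    if (out->table_class > 1 || out->table_id > 3) return 0;
    size_t total = 0;
    for (int i = 0; i < 16; i++) {
        out->counts[i] = p[1 + i];
        total += out->counts[i];                      /* file-controlled: 0 <= total <= 4080 */
    }
    /* The check the original parser lacked: this sum becomes the copy length and the
     * destination is a 256-byte buffer, so anything larger is refused before any copy. */
    if (total > DHT_MAX_SYMBOLS) return 0;
    if (total > len - 17) return 0;                   /* symbol bytes must really be in the file */
    memcpy(out->symbols, p + 17, total);
    out->total_symbols = total;
    return 17 + total;
}

/* Constructed sample: a well-formed DC table with two 1-bit codes. */
size_t demo_valid_table(void)
{
    static const uint8_t payload[] = {0x00, 0x02, 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, 0x00, 0x01};
    dht_table_t t;
    return parse_dht_table(payload, sizeof payload, &t);   /* 19: whole table consumed */
}

/* Constructed sample: all 16 counts set to 0xFF, the 4080-byte case described above. */
size_t demo_oversized_table(void)
{
    static const uint8_t payload[17] = {0x00, 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
                                              0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF};
    dht_table_t t;
    return parse_dht_table(payload, sizeof payload, &t);   /* 0: rejected before any copy */
}
```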