Information

HP implemented a JPEG parser for handling color fax documents in its all-in-one printers.
The JPEG parser has a buffer overflow of global data when handling the COM (comment string) JPEG marker, resulting in remote code execution.

Technical Details

  1. The segment length field is an attacker-controlled 2-byte field
  2. That length is used, without any bounds check, to read data from the attacker-controlled file into a global struct of size ~2100 bytes
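The following is an added example, not HP's firmware code and not code from the referenced write-up. It shows the bounds checks a COM segment handler needs so that the attacker-controlled 2-byte length can never drive a copy past the fixed-size global. The buffer size (2100), the struct layout, the function names and the sample segments are all assumptions constructed for the example; the JPEG marker values (0xFF 0xFE) and the big-endian length-includes-itself rule are real JPEG.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* JPEG marker bytes relevant here (real JPEG values). */
#define JPEG_MARKER_PREFIX 0xFF
#define JPEG_MARKER_COM    0xFE

/* Size of the fixed global comment buffer. The advisory describes a global
 * struct of roughly 2100 bytes; the exact value used here is an assumption. */
#define COM_BUF_SIZE 2100

/* Global struct standing in for the firmware's global comment storage
 * (layout assumed; only the fixed-size buffer matters for the check). */
struct com_state {
    uint16_t len;                 /* number of comment bytes stored */
    uint8_t  data[COM_BUF_SIZE];
};
static struct com_state g_com;

enum com_result {
    COM_OK = 0,
    COM_ERR_NOT_COM,      /* segment is not a COM marker */
    COM_ERR_BAD_LENGTH,   /* length field below the 2-byte minimum */
    COM_ERR_TOO_LARGE,    /* comment would not fit the global buffer */
    COM_ERR_TRUNCATED     /* declared length exceeds the available input */
};

/*
 * Parse one COM segment starting at `seg` (must point at the 0xFF 0xFE
 * marker) with `avail` bytes readable from that position.
 *
 * The JPEG length field counts itself (2 bytes) plus the payload. The
 * unchecked pattern the advisory describes amounts to dropping the three
 * `if` checks below and copying `len - 2` bytes straight into g_com.data.
 */
enum com_result parse_com_segment(const uint8_t *seg, size_t avail)
{
    if (avail < 4 || seg[0] != JPEG_MARKER_PREFIX || seg[1] != JPEG_MARKER_COM)
        return COM_ERR_NOT_COM;

    /* Big-endian 16-bit length, fully under the sender's control. */
    uint16_t len = (uint16_t)((seg[2] << 8) | seg[3]);

    /* Check 1: the length must at least cover the length field itself. */
    if (len < 2)
        return COM_ERR_BAD_LENGTH;
    size_t payload = (size_t)len - 2;

    /* Check 2: the payload must fit the fixed-size global destination. */
    if (payload > sizeof g_com.data)
        return COM_ERR_TOO_LARGE;

    /* Check 3: the payload must actually be present in the input. */
    if (payload > avail - 4)
        return COM_ERR_TRUNCATED;

    memcpy(g_com.data, seg + 4, payload);
    g_com.len = (uint16_t)payload;
    return COM_OK;
}

/* Number of comment bytes currently stored in the global. */
size_t com_stored_len(void) { return g_com.len; }

/* Constructed sample: a COM segment carrying "fax" (length = 2 + 3 = 5). */
static const uint8_t sample_ok[]    = { 0xFF, 0xFE, 0x00, 0x05, 'f', 'a', 'x' };
/* Constructed sample: length 0xFFFF, far beyond the 2100-byte buffer. */
static const uint8_t sample_huge[]  = { 0xFF, 0xFE, 0xFF, 0xFF, 'f', 'a', 'x' };
/* Constructed sample: length 16 fits the buffer but only 3 bytes follow. */
static const uint8_t sample_short[] = { 0xFF, 0xFE, 0x00, 0x10, 'f', 'a', 'x' };
/* Constructed sample: SOI marker, not a COM segment at all. */
static const uint8_t sample_soi[]   = { 0xFF, 0xD8, 0xFF, 0xE0 };

int main(void)
{
    printf("ok segment:        %d\n", parse_com_segment(sample_ok, sizeof sample_ok));
    printf("oversized length:  %d\n", parse_com_segment(sample_huge, sizeof sample_huge));
    printf("truncated segment: %d\n", parse_com_segment(sample_short, sizeof sample_short));
    return 0;
}
```

Check 2 is the one whose absence the advisory describes: with a 16-bit length and a ~2100-byte global, any declared length above that size walks the copy past the struct into whatever globals follow it. Check 3 is the companion check that stops an over-read of the input when the file ends before the declared length does.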


References:
https://research.checkpoint.com/sending-fax-back-to-the-dark-ages/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5925
https://support.hp.com/us-en/document/c06097712