CPR-Zero: CVE-2019-6000

Information

File: PtpMgr/PtpApp/PtpOperation.c (probably)
Function: PTP_SendHostInfo()

The handler verifies that the length of the received message is exactly 100 bytes, and logs an error otherwise. However, after this error log it will continue on to copy the incoming message into the stack buffer, which is of size 0x98 bytes (152 bytes).
The incoming message has no byte constraints and can be way bigger than this fixed size.

Decompiling the vulnerable code will look roughly like this:

input_size = ctx->get_data_size_ptr(ctx->handle);
// EI-DBG: "input_size" is checked to be exactly as expected
if ( input_size != 100 )
{
    dbg_printf(
      global_ptp_memory_context->some_mem_id,
      3,
      " PTP_SendHostInfo ReceiveSizeError [%x]",
      input_size);
	// EI-DBG: Missing return statement after the error log
}
// EI-DBG: The attacker's data will always be copied into the buffer, even in the error log case
ctx->recv_data_ptr(ctx->handle, local_msg_buffer, input_size);
handle_incoming_packet(local_buffer);
if ( PTP_SendResponse(ctx, &msg) < 0 )
{
    dbg_printf_FE3FC214(
      global_ptp_memory_context->some_mem_id,
      6,
      "PTP_SendHostInfo USB Send Error");
}
return result;

References:
https://research.checkpoint.com/say-cheese-ransomware-ing-a-dslr-camera
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6000

Share this: