PTP vulnerability and exploitation (checkpoint CVE-2019-5994 etc) - page 2 - General Discussion and Assistance - CHDK Forum  

PTP vulnerability and exploitation (checkpoint CVE-2019-5994 etc)

  • 12 Replies
  • 1658 Views
*

Offline reyalp

  • ******
  • 13054
Re: PTP vulnerability and exploitation (checkpoint CVE-2019-5994 etc)
« Reply #10 on: 27 / March / 2021, 01:45:05 »
Advertisements
Here's a patch that adds an option the "CHDK settings" menu to control the PTP extension.

For cameras with wifi, the values are "Off", "USB", "Always". Default is "USB".
For cameras without, the options are "Off" and "On", default on.

On wifi cameras "USB" uses the USB bit in phsyw, as modified by remote settings and usb_force_active.

If the extension is disabled, the PTP handler returns PTP_RC_OperationNotSupported, as the camera would if CHDK were not installed.

My reason for adding this is that with PTP/IP becoming usable, I want to document that it's insecure, and I'd prefer to give people the option of doing something about it.

The contains a few additional changes to support this.

Added function get_usb_bit_physw_mod, which returns the USB bit as seen by the Canon firmware. This will be useful in a couple other places.

Some old vxworks cameras (ixus 30, 40, 50, and 700) have different kbd code, that doesn't end up with the USB bit in physw_status. I consolidated this and moved it to kbd_common.c, under the define KBD_USB_OVERRIDE_FUNC. This also adds support for usb_force_present on ixus30 and ixus40. Testing that PTP option and USB remote works on one or more of these cameras would be appreciated.

Added define CAM_HAS_WIFI, to identify cameras with wifi capability. Default is undef. Most cams are identified by the sigfinders (r5800) but there are complications: ixus132 and sx520 use identical firmware to the wifi capable ixus135 and sx530. Since they have separate platform trees, I just added a comment and undef to their respective platform_camera.h files. sx270 builds from the same source as sx280, so I made the define conditional on PLATFORMID.  Since ixus w is the only wifi capable vxworks cam (AFAIK), I just added the define without updating the sig finder. It's possible I missed other cameras that have wifi in the firmware but not hardware.

Comments and suggestions are welcome
Don't forget what the H stands for.

*

Offline srsa_4c

  • ******
  • 4382
Re: PTP vulnerability and exploitation (checkpoint CVE-2019-5994 etc)
« Reply #11 on: 27 / March / 2021, 15:24:01 »
Some old vxworks cameras (ixus 30, 40, 50, and 700) have different kbd code, that doesn't end up with the USB bit in physw_status. I consolidated this and moved it to kbd_common.c, under the define KBD_USB_OVERRIDE_FUNC. This also adds support for usb_force_present on ixus30 and ixus40. Testing that PTP option and USB remote works on one or more of these cameras would be appreciated.
Ixus40: both USB remote and the PTP option appear functional.

*

Offline reyalp

  • ******
  • 13054
Re: PTP vulnerability and exploitation (checkpoint CVE-2019-5994 etc)
« Reply #12 on: 27 / March / 2021, 15:30:38 »
Thinking about this more, I'm less convinced this option is justified.

My intention was that it would allow users to make CHDK only as vulnerable as the stock firmware, but it doesn't:

You can replace DISKBOOT.BIN with standard PTP. With CHDK, it's a complete RCE, where with the stock firmware it's not, because the card would need to be locked and bootable.

I would probably keep the define and get_usb_bit_physw_mod stuff though. (edit: checked in, trunk 5802)

In practice, I'd be expect there are plenty more vulnerabilities in the stock firmware.
« Last Edit: 27 / March / 2021, 18:02:43 by reyalp »
Don't forget what the H stands for.

 

Related Topics