PTP vulnerability and exploitation (checkpoint CVE-2019-5994 etc) - General Discussion and Assistance - CHDK Forum

PTP vulnerability and exploitation (checkpoint CVE-2019-5994 etc)


reyalp
Continuing from:
I didn't split the posts since they are mixed in with other discussion

Article describing the research:

ML forum link:

srsa_4c post:

Not completely off-topic as it is about PTP, taken from here.

Plus (off-topic), firmware update related vulnerability in both EOS and PowerShot firmwares...

Hmm. I've always operated on the assumption that it's game over if the PTP host is compromised. CHDK is obviously vulnerable: PTP_CHDK_CallFunction, PTP_CHDK_SetMemory, Lua poke and likely a lot of vulnerable Lua functions are all readily available. These could all be executed over PTP/IP too.

I would be very surprised if there aren't more vulnerabilities in the Canon PTP code too.

We could offer an option to disable CHDK PTP functionality, checking a conf setting and returning an error in handle_ptp would be easy.

We could, although I'm not sure if it's worth it. The cameras only activate their wireless interface when the user enters the Wifi related dialogs. I find it hard to imagine that anyone (other than some 3-letter agencies and the like) will spend their time exploiting these firmware bugs. And only a very low percentage of cameras run CHDK.
Yeah, this doesn't seem a high risk. OTOH, someone making a stink about "CHDK undoes Canon security fix" could be unfortunate.

Thinking about it more, we could check the USB bit (in physw_status, not the hardware state) and only allow CHDK operations if it's set. Since there's no working PTP/IP client for CHDK, having it off when USB is not present shouldn't be a problem (unless there's threading issues that make it drop out momentarily when kbd_task runs :-[). This could also be an option: CHDK PTP: [USB only, USB+wifi, off]

If there's exposure when the camera is paired with a phone, that could be a bigger risk, but my impression is that's totally separate.

I posted the links because the descriptions mention the problematic PTP handlers by name. And that we'll get to see the fixes (M3 and M10 are on the list).
That could be interesting.
« Last Edit: 12 / August / 2019, 17:06:19 by reyalp »
Don't forget what the H stands for.
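The gate sketched in the post above (a conf setting with the three modes [USB only, USB+wifi, off], plus the USB bit of the software copy of physw_status, checked in front of the CHDK PTP dispatcher so that CHDK opcodes get an error response while Canon's own opcodes pass through) could look like the following. This is an added example, not CHDK's code: the real handle_ptp, the conf structure, the physw_status bit layout and the two dispatch stubs are all assumptions made here for illustration. The PTP response codes are the standard PIMA 15740 values, and 0x9999 is the vendor opcode CHDK's ptp.h uses.

```c
/* Added example, not CHDK source. Sketch of gating CHDK's private PTP
 * opcode behind a configuration setting and the USB bit of the software
 * copy of physw_status, as proposed in the post above. The names
 * conf.ptp_mode, SW_USB_MASK, handle_ptp_gate, canon_dispatch and
 * chdk_dispatch are hypothetical stand-ins for whatever CHDK would use. */
#include <stdint.h>
#include <stdio.h>

/* Standard PTP (PIMA 15740) response codes */
#define PTP_RC_OK                    0x2001
#define PTP_RC_OperationNotSupported 0x2005

/* Standard PTP opcode, used here as a stand-in for "any Canon opcode" */
#define PTP_OC_GetDeviceInfo         0x1001
/* CHDK's vendor opcode (the value CHDK's ptp.h uses) */
#define PTP_OC_CHDK                  0x9999

/* The three-way option from the post: CHDK PTP: [USB only, USB+wifi, off] */
enum chdk_ptp_mode {
    CHDK_PTP_OFF      = 0,
    CHDK_PTP_USB_ONLY = 1,
    CHDK_PTP_USB_WIFI = 2
};

/* Hypothetical: bit of the software physw_status copy that reflects USB.
 * The real bit position is camera specific; 1<<0 is used for illustration. */
#define SW_USB_MASK (1u << 0)

/* Stand-in for the firmware's own PTP handling of non-CHDK opcodes. */
static uint16_t canon_dispatch(uint16_t opcode)
{
    (void)opcode;
    return PTP_RC_OK;
}

/* Stand-in for CHDK's handle_ptp, which implements the CHDK sub-commands
 * (CallFunction, SetMemory, ExecuteScript, ...). Reached only past the gate. */
static uint16_t chdk_dispatch(uint16_t opcode)
{
    (void)opcode;
    return PTP_RC_OK;
}

/* Policy decision: may the CHDK extension answer at all right now?
 * mode  : the conf setting
 * physw : the software copy of physw_status (not the raw hardware read) */
static int chdk_ptp_allowed(int mode, uint32_t physw)
{
    switch (mode) {
    case CHDK_PTP_USB_WIFI: return 1;
    case CHDK_PTP_USB_ONLY: return (physw & SW_USB_MASK) != 0;
    default:                return 0;   /* CHDK_PTP_OFF or unknown value */
    }
}

/* The gate in front of the dispatcher. Canon opcodes are never touched;
 * a CHDK opcode that the policy rejects gets a plain PTP error response,
 * exactly as if the extension were not present. */
static uint16_t handle_ptp_gate(uint16_t opcode, int mode, uint32_t physw)
{
    if (opcode != PTP_OC_CHDK)
        return canon_dispatch(opcode);
    if (!chdk_ptp_allowed(mode, physw))
        return PTP_RC_OperationNotSupported;
    return chdk_dispatch(opcode);
}

int main(void)
{
    /* Constructed scenarios: a CHDK request arriving with and without the
     * USB bit set, under each of the three conf modes. */
    static const struct { const char *label; int mode; uint32_t physw; } cases[] = {
        { "off, USB present",       CHDK_PTP_OFF,      SW_USB_MASK },
        { "USB only, USB present",  CHDK_PTP_USB_ONLY, SW_USB_MASK },
        { "USB only, USB absent",   CHDK_PTP_USB_ONLY, 0 },
        { "USB+wifi, USB absent",   CHDK_PTP_USB_WIFI, 0 },
    };
    for (unsigned i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint16_t rc = handle_ptp_gate(PTP_OC_CHDK, cases[i].mode, cases[i].physw);
        printf("%-24s -> 0x%04x (%s)\n", cases[i].label, rc,
               rc == PTP_RC_OK ? "CHDK handles it" : "OperationNotSupported");
    }
    return 0;
}
```

Two things worth noting about the shape of this. The decision reads the software copy of physw_status rather than the hardware port, which is what the post asks for; the caveat raised there (the bit dropping out momentarily while kbd_task updates it) is a property of that copy and is not handled here. And the rejection is an ordinary PTP_RC_OperationNotSupported, so a host that probes for the vendor opcode sees the same answer it would get from a camera without CHDK.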


koshy
Re: PTP vulnerability and exploitation (checkpoint CVE-2019-5994 etc)
« Reply #1 on: 12 / August / 2019, 17:46:47 »
OTOH, someone making a stink about "CHDK undoes Canon security fix" could be unfortunate.
If that is the main worry, a PTP option with default "off" would take care of it. CHDK then does nothing. CHDK allows the user to undo the Canon security fix. Subtle but substantial difference. If the other options (USB required etc.) work out, great; if not, a plain on/off may be enough.
Koshy had a little ELPH which wasn't white as snow but everywhere that Koshy went the ELPH was sure to go. (actually an SD, but that detail ruins the rhyme...)

