PTP vulnerability and exploitation (checkpoint CVE-2019-5994 etc) - General Discussion and Assistance - CHDK Forum


reyalp:
Continuing from: https://chdk.setepontos.com/index.php?topic=4338.msg140923#msg140923
I didn't split the posts since they are mixed in with other discussion

Article describing the research: https://research.checkpoint.com/say-cheese-ransomware-ing-a-dslr-camera/

ML forum link: https://www.magiclantern.fm/forum/index.php?topic=24385.0

srsa_4c post:

Not completely off-topic as it is about PTP, taken from here.
https://www.usa.canon.com/internet/portal/us/home/support/product-advisories/detail/the-vulnerability-in-canon-digital-cameras
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5994
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5998
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5999
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6000
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6001

Plus (off-topic), firmware update related vulnerability in both EOS and PowerShot firmwares...
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5995

Hmm. I've always operated on the assumption that it's game over if the PTP host is compromised. CHDK is obviously vulnerable: PTP_CHDK_CallFunction, PTP_CHDK_SetMemory, Lua poke and likely a lot of vulnerable Lua functions are all readily available. These could all be executed over PTP/IP too.

I would be very surprised if there aren't more vulnerabilities in the Canon PTP code too.

We could offer an option to disable CHDK PTP functionality, checking a conf setting and returning an error in handle_ptp would be easy.

Quote
We could, although I'm not sure if it's worth it. The cameras only activate their wireless interface when the user enters the Wifi related dialogs. I find it hard to imagine that anyone (other than some 3-letter agencies and the like) will spend their time exploiting these firmware bugs. And only a very low percentage of cameras run CHDK.
Yeah, this doesn't seem a high risk. OTOH, someone making a stink about "CHDK undoes Canon security fix" could be unfortunate.

Thinking about it more, we could check the USB bit (in physw_status, not the hardware state) and only allow CHDK operations if it's set. Since there's no working PTP/IP client for CHDK, having it off when USB is not present shouldn't be a problem (unless there are threading issues that make it drop out momentarily when kbd_task runs :-[). This could also be an option: CHDK PTP: [USB only, USB+wifi, off]

If there's exposure when the camera is paired with a phone, that could be a bigger risk, but my impression is that's totally separate.

Quote
I posted the links because the descriptions mention the problematic PTP handlers by name. And that we'll get to see the fixes (M3 and M10 are on the list).
That could be interesting.
« Last Edit: 12 / August / 2019, 17:06:19 by reyalp »
Don't forget what the H stands for.


koshy:
Re: PTP vulnerability and exploitation (checkpoint CVE-2019-5994 etc)
« Reply #1 on: 12 / August / 2019, 17:46:47 »
Quote
OTOH, someone making a stink about "CHDK undoes Canon security fix" could be unfortunate.
If that is the main worry a PTP option with default "off" would take care of it. CHDK then does nothing. CHDK allows the user to undo the Canon security fix. Subtle but substantial difference. If the other options (USB required etc.) work out great, if not a plain on/off may be enough.
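The gating check sketched in reyalp's post above (a conf setting CHDK PTP: [USB only, USB+wifi, off] consulted in handle_ptp, with the USB bit read from physw_status rather than the hardware) together with koshy's suggestion of a default of "off", written out as an added C example. This is not CHDK's own ptp.c: the PTP_OC_CHDK opcode value, the sub-command numbers, the cam_state struct and the function names are assumptions made for illustration; only the PTP response codes are the standard ISO 15740 values.

```c
/* Added example, not CHDK code: a gated dispatcher in the shape of
 * handle_ptp, implementing the [USB only, USB+wifi, off] option from the
 * thread. Opcode/sub-command values and names are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Standard PTP response codes (ISO 15740). */
#define PTP_RC_OK                    0x2001
#define PTP_RC_OperationNotSupported 0x2005

/* Vendor opcode carrying CHDK sub-commands (assumed value). */
#define PTP_OC_CHDK 0x9999

/* Sub-commands named in the thread, plus a harmless version query.
 * Numeric values are assumptions. */
enum chdk_ptp_cmd {
    PTP_CHDK_Version      = 0,
    PTP_CHDK_SetMemory    = 2,
    PTP_CHDK_CallFunction = 3,
};

/* Proposed conf setting; the first enumerator (value 0) is "off", so a
 * zero-initialised conf defaults to off as koshy suggests. */
enum chdk_ptp_mode {
    CHDK_PTP_OFF = 0,
    CHDK_PTP_USB_ONLY,
    CHDK_PTP_USB_AND_WIFI,
};

/* Stand-in for the state the gate needs: the conf value and the USB bit
 * as seen in physw_status (the logical state, not the raw hardware pin). */
struct cam_state {
    enum chdk_ptp_mode ptp_mode;
    bool usb_bit;   /* assumed: USB-present bit copied from physw_status */
};

/* Minimal PTP request: opcode and first parameter (the CHDK sub-command). */
struct ptp_request {
    uint16_t code;
    uint32_t param1;
};

/* The gate: may a CHDK vendor operation run right now? */
bool chdk_ptp_allowed(const struct cam_state *cam)
{
    switch (cam->ptp_mode) {
    case CHDK_PTP_OFF:
        return false;
    case CHDK_PTP_USB_ONLY:
        /* A PTP/IP session leaves the USB bit clear, so it is refused.
         * The bit is sampled once per request: a momentary drop while
         * kbd_task runs (reyalp's caveat) rejects that one request only. */
        return cam->usb_bit;
    case CHDK_PTP_USB_AND_WIFI:
        return true;
    }
    return false;   /* unrecognised conf value: fail closed */
}

/* Dispatcher: returns the PTP response code. The dangerous sub-commands
 * are only reached after the gate has passed. */
uint16_t handle_chdk_ptp(const struct cam_state *cam, const struct ptp_request *req)
{
    if (req->code != PTP_OC_CHDK)
        return PTP_RC_OperationNotSupported;  /* not ours; Canon's handler would see it */

    if (!chdk_ptp_allowed(cam))
        return PTP_RC_OperationNotSupported;  /* refuse before decoding param1 */

    switch (req->param1) {
    case PTP_CHDK_Version:
        return PTP_RC_OK;
    case PTP_CHDK_SetMemory:
        /* real handler: writes host-supplied bytes to a host-chosen address */
        return PTP_RC_OK;
    case PTP_CHDK_CallFunction:
        /* real handler: calls a host-chosen firmware address with host args */
        return PTP_RC_OK;
    default:
        return PTP_RC_OperationNotSupported;
    }
}

/* Convenience wrapper: build the state and request from scalars. */
uint16_t chdk_ptp_try(enum chdk_ptp_mode mode, bool usb_bit, uint32_t cmd)
{
    struct cam_state cam = { mode, usb_bit };
    struct ptp_request req = { PTP_OC_CHDK, cmd };
    return handle_chdk_ptp(&cam, &req);
}

int main(void)
{
    printf("off,       usb present: 0x%04x\n", chdk_ptp_try(CHDK_PTP_OFF, true, PTP_CHDK_CallFunction));
    printf("usb-only,  usb present: 0x%04x\n", chdk_ptp_try(CHDK_PTP_USB_ONLY, true, PTP_CHDK_CallFunction));
    printf("usb-only,  usb absent:  0x%04x\n", chdk_ptp_try(CHDK_PTP_USB_ONLY, false, PTP_CHDK_CallFunction));
    printf("usb+wifi,  usb absent:  0x%04x\n", chdk_ptp_try(CHDK_PTP_USB_AND_WIFI, false, PTP_CHDK_SetMemory));
    return 0;
}
```

The refusal happens before param1 is interpreted, so none of the sub-command code runs when the gate is closed, which is the property the thread is after; the unknown-mode fallthrough fails closed rather than open.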
