PTP vulnerability and exploitation (checkpoint CVE-2019-5994 etc) - General Discussion and Assistance - CHDK Forum

PTP vulnerability and exploitation (checkpoint CVE-2019-5994 etc)

Offline reyalp
Continuing from: https://chdk.setepontos.com/index.php?topic=4338.msg140923#msg140923
I didn't split the posts since they are mixed in with other discussion

Article describing the research: https://research.checkpoint.com/say-cheese-ransomware-ing-a-dslr-camera/

ML forum link: https://www.magiclantern.fm/forum/index.php?topic=24385.0

srsa_4c post:

Not completely off-topic as it is about PTP, taken from here.
https://www.usa.canon.com/internet/portal/us/home/support/product-advisories/detail/the-vulnerability-in-canon-digital-cameras
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5994
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5998
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5999
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6000
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6001

Plus (off-topic), firmware update related vulnerability in both EOS and PowerShot firmwares...
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5995

Hmm. I've always operated on the assumption that it's game over if the PTP host is compromised. CHDK is obviously vulnerable: PTP_CHDK_CallFunction, PTP_CHDK_SetMemory, Lua poke and likely a lot of vulnerable Lua functions are all readily available. These could all be executed over PTP/IP too.

I would be very surprised if there aren't more vulnerabilities in the Canon PTP code too.

We could offer an option to disable CHDK PTP functionality, checking a conf setting and returning an error in handle_ptp would be easy.

Quote
We could, although I'm not sure if it's worth it. The cameras only activate their wireless interface when the user enters the Wifi related dialogs. I find it hard to imagine that anyone (other than some 3-letter agencies and the like) will spend their time exploiting these firmware bugs. And only a very low percentage of cameras run CHDK.
Yeah, this doesn't seem a high risk. OTOH, someone making a stink about "CHDK undoes Canon security fix" could be unfortunate.

Thinking about it more, we could check the USB bit (in physw_status, not the hardware state) and only allow CHDK operations if it's set. Since there's no working PTP/IP client for CHDK, having it off when USB is not present shouldn't be a problem (unless there are threading issues that make it drop out momentarily when kbd_task runs  :-[). This could also be an option: CHDK PTP: [USB only, USB+wifi, off]

If there's exposure when the camera is paired with a phone, that could be a bigger risk, but my impression is that's totally separate.

Quote
I posted the links because the descriptions mention the problematic PTP handlers by name. And that we'll get to see the fixes (M3 and M10 are on the list).
That could be interesting.
« Last Edit: 12 / August / 2019, 17:06:19 by reyalp »
Don't forget what the H stands for.
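To make the "CHDK PTP: [USB only, USB+wifi, off]" proposal concrete, here is an added example of how such a gate would sit in front of the CHDK sub-command dispatch. This is illustrative code written for this thread, not CHDK's own handle_ptp: the struct, the conf field name, the sub-command numbers and the way the USB bit is passed in are all assumptions; only the option names, handle_ptp, physw_status and the sub-command names come from the discussion above. The point it shows is ordering: the policy check runs before any CHDK sub-command is even looked at, and an unknown mode value fails closed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Standard PTP response codes (PIMA 15740). */
#define PTP_RC_OK                    0x2001
#define PTP_RC_OperationNotSupported 0x2005

/* CHDK sub-commands travel as parameter 1 of CHDK's vendor opcode.
 * The numeric values below are assumptions for this example; only the
 * names are taken from the thread. */
#define PTP_CHDK_SetMemory     2
#define PTP_CHDK_CallFunction  3

/* The proposed conf option, in the order the thread lists it. */
enum chdk_ptp_mode { CHDK_PTP_USB_ONLY = 0, CHDK_PTP_USB_WIFI = 1, CHDK_PTP_OFF = 2 };

/* Hypothetical stand-in for the state the real handler would read. */
struct ptp_ctx {
    enum chdk_ptp_mode mode;   /* would be a conf.* setting in CHDK (assumed name) */
    bool usb_present;          /* the USB bit of physw_status, as the thread proposes */
};

/* Policy decision kept separate from the dispatcher so it can be tested alone. */
bool chdk_ptp_allowed(const struct ptp_ctx *ctx)
{
    switch (ctx->mode) {
    case CHDK_PTP_OFF:      return false;              /* never, regardless of transport */
    case CHDK_PTP_USB_ONLY: return ctx->usb_present;   /* refuse when USB is not plugged */
    case CHDK_PTP_USB_WIFI: return true;               /* today's behaviour */
    }
    return false; /* corrupt/unknown conf value: fail closed */
}

/* Simplified handle_ptp for CHDK's own opcode. The gate comes first, so
 * SetMemory/CallFunction are unreachable when the policy says no; the
 * caller gets a plain "operation not supported" response either way. */
uint16_t handle_ptp(const struct ptp_ctx *ctx, uint32_t subcmd)
{
    if (!chdk_ptp_allowed(ctx))
        return PTP_RC_OperationNotSupported;

    switch (subcmd) {
    case PTP_CHDK_SetMemory:
    case PTP_CHDK_CallFunction:
        /* the real implementation would act on the request here */
        return PTP_RC_OK;
    default:
        return PTP_RC_OperationNotSupported;
    }
}

int main(void)
{
    /* Constructed combinations of mode and USB state. */
    const struct ptp_ctx cases[] = {
        { CHDK_PTP_USB_ONLY, true  }, { CHDK_PTP_USB_ONLY, false },
        { CHDK_PTP_USB_WIFI, true  }, { CHDK_PTP_USB_WIFI, false },
        { CHDK_PTP_OFF,      true  }, { CHDK_PTP_OFF,      false },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("mode=%d usb=%d -> CallFunction rc=0x%04x\n",
               cases[i].mode, cases[i].usb_present,
               handle_ptp(&cases[i], PTP_CHDK_CallFunction));
    return 0;
}
```

Note that with USB_ONLY the decision depends on physw_status, so the momentary drop-out reyalp worries about would show up as an intermittent 0x2005 response to the client rather than as a crash; that is the behaviour to watch for when testing such a change.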

Offline koshy
Re: PTP vulnerability and exploitation (checkpoint CVE-2019-5994 etc)
« Reply #1 on: 12 / August / 2019, 17:46:47 »
Quote
OTOH, someone making a stink about "CHDK undoes Canon security fix" could be unfortunate.
If that is the main worry a PTP option with default "off" would take care of it. CHDK then does nothing. CHDK allows the user to undo the Canon security fix. Subtle but substantial difference. If the other options (USB required etc.) work out great, if not a plain on/off may be enough.
Koshy had a little ELPH which wasn't white as snow but everywhere that Koshy went the ELPH was sure to go. (actually an SD, but that detail ruins the rhyme...)


Offline srsa_4c
Re: PTP vulnerability and exploitation (checkpoint CVE-2019-5994 etc)
« Reply #3 on: 13 / February / 2020, 14:15:19 »
Firmware updates are out now for PowerShot-based EOS M cameras.
Version numbers from the Canon USA advisory page:
EOS M3, 1.2.1 (121a)
EOS M10, 1.1.1 (111a)
EOS M5, 1.0.2 (102a)
EOS M6, 1.0.1 (101a)
EOS M100, 1.0.1 (101a)

I'm not rushing to upgrade.

edit:
added CHDK-style complete version numbers
« Last Edit: 15 / February / 2020, 08:43:44 by srsa_4c »


Offline c_joerg
Re: PTP vulnerability and exploitation (checkpoint CVE-2019-5994 etc)
« Reply #4 on: 14 / February / 2020, 03:44:43 »
Quote
I'm not rushing to upgrade.
Do you think this update makes working with CHDK more difficult?
M100 100a, M3 121a, G9x II (1.00c), 2*G1x (101a,100e), S110 (103a), SX50 (100c), SX230 (101a), S45,
Flickr https://www.flickr.com/photos/136329431@N06/albums
YouTube https://www.youtube.com/channel/UCrTH0tHy9OYTVDzWIvXEMlw/videos?shelf_id=0&view=0&sort=dd

Offline srsa_4c
Re: PTP vulnerability and exploitation (checkpoint CVE-2019-5994 etc)
« Reply #5 on: 14 / February / 2020, 13:23:35 »
Quote
Do you think this update makes working with CHDK more difficult?
Certainly, as CHDK is not ported to the new firmwares.  ;)

As I have read, some or all EOS (DSLR) models no longer allow firmware downgrade once upgraded to those PTP fix releases. I guess we'll find out when somebody turns up with an updated camera.

Offline c_joerg
Re: PTP vulnerability and exploitation (checkpoint CVE-2019-5994 etc)
« Reply #6 on: 14 / February / 2020, 16:26:22 »
Quote
I guess we'll find out when somebody turns up with an updated camera.
So you want a firmware dump from 1.0.1?
I wouldn't dare at the moment.
In the German DSLR Forum, someone just wrote that the camera went off while updating.
Now he can't switch it on. :(
M100 100a, M3 121a, G9x II (1.00c), 2*G1x (101a,100e), S110 (103a), SX50 (100c), SX230 (101a), S45,
Flickr https://www.flickr.com/photos/136329431@N06/albums
YouTube https://www.youtube.com/channel/UCrTH0tHy9OYTVDzWIvXEMlw/videos?shelf_id=0&view=0&sort=dd

Offline srsa_4c
Re: PTP vulnerability and exploitation (checkpoint CVE-2019-5994 etc)
« Reply #7 on: 14 / February / 2020, 17:00:22 »
Quote
So you want a firmware dump from 1.0.1?
No. I can extract the updated parts from the .fi2 and eventually analyze them.
But I guess sooner or later we'll get somebody with an updated M3, M10, M100 - or the rest.
Quote
In the German DSLR Forum, someone just wrote that the camera went off while updating.
Now he can't switch it on. :(
Can't comment on that. If the update is at fault, Canon will probably revoke it.


Offline Ant
Re: PTP vulnerability and exploitation (checkpoint CVE-2019-5994 etc)
« Reply #8 on: 15 / February / 2020, 08:47:19 »
I dared to check and now I can confirm that downgrade from 1.2.1 to 1.0.1 is still available on EOS M3

Offline srsa_4c
Re: PTP vulnerability and exploitation (checkpoint CVE-2019-5994 etc)
« Reply #9 on: 15 / February / 2020, 08:53:15 »
Quote
I dared to check and now I can confirm that downgrade from 1.2.1 to 1.0.1 is still available on EOS M3
Thanks, that's good news. Hopefully the other models behave the same.
