Content Provider URI Injection on Canon PRINT 2.5.5 (CVE-2019-14339). Proof of concept by @0x48piraj
The ContentProvider in the Canon PRINT 2.5.5 application for Android does not properly restrict data access. This allows an attacker's malicious application to obtain sensitive information including factory passwords for administrator web-interface and WPA2-PSK key.
This bug can leak data from every printer which Canon PRINT 2.5.5 supports, i.e.
- PIXMA TS Series
- TR Series, MG Series, PRO Series, MP Series, iP Series, iX Series
- MAXIFY MB Series, iB Series
- ImagePROGRAF PRO Series, TM Series
- SELPHY CP900 Series, CP1200, CP1300
- MITRE
- National Vulnerability Database
- exploit-db
- Packet Storm Security
- offensive-security/exploitdb
- CX Security
- Vulners
- exploit-database.net
- Hackernews Blog
- security-db
- media.cert.europa.eu
- cnnvd.org.cn
The mobile application contains unprotected exported content providers ('IJPrinterCapabilityProvider'in android/AndroidManifest.xml) that discloses sensitive application’s data under certain conditions.
To securely export the content provider, one should restrict access to it by setting up android:protectionLevel or android:grantUriPermissions attributes in Android Manifest file.
- Canon PRINT 2.5.5 (latest) Android app installed.
- A Canon printer supported by the application
There are two ways to test this vulnerability.
- Over ADB
- Via malicious Android app
Setup ADB, clone the repository, goto /poc-scripts and run leak.py
git clone https://github.com/0x48piraj/CVE-2019-14339
cd CVE-2019-14339/poc-scripts
python leak.py
Clone the repository, build the source.
Use pre-built app by going under /release and downloading cannon-pwn.apk or via releases
NOTE: Disable Play Protect or it'll throw "App Not Installed" error, (within Google Play)> Menu> Play Protect> Scan device for security threats (disable).
Issues have been disabled on this repository. It is a simple proof of concept I wanted to share with the community.
- Standards Mapping - Common Weakness Enumeration CWE ID 89
- Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
- Standards Mapping - FIPS200 SI
- Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
- Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
- Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
- Standards Mapping - OWASP Top 10 2017 A1 Injection Flaws
- Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 089
- Standards Mapping - Web Application Security Consortium Version 2.00 SQL Injection (WASC-19)