CVE-2019-14339

Content Provider URI Injection on Canon PRINT 2.5.5 (CVE-2019-14339). Proof of concept by @0x48piraj

The ContentProvider in the Canon PRINT 2.5.5 application for Android does not properly restrict data access. This allows an attacker's malicious application to obtain sensitive information including factory passwords for administrator web-interface and WPA2-PSK key.

Impact

This bug can leak data from every printer which Canon PRINT 2.5.5 supports, i.e.

• PIXMA TS Series
• TR Series, MG Series, PRO Series, MP Series, iP Series, iX Series
• MAXIFY MB Series, iB Series
• ImagePROGRAF PRO Series, TM Series
• SELPHY CP900 Series, CP1200, CP1300

App downloads : 1,00,00,000 +

Coverage

• MITRE
• National Vulnerability Database
• exploit-db
• Packet Storm Security
• offensive-security/exploitdb
• CX Security
• Vulners
• exploit-database.net
• Hackernews Blog
• security-db
• media.cert.europa.eu
• cnnvd.org.cn

The bug

The mobile application contains unprotected exported content providers ('IJPrinterCapabilityProvider'in android/AndroidManifest.xml) that discloses sensitive application’s data under certain conditions.

To securely export the content provider, one should restrict access to it by setting up android:protectionLevel or android:grantUriPermissions attributes in Android Manifest file.

What do you need?

• Canon PRINT 2.5.5 (latest) Android app installed.
• A Canon printer supported by the application

How do I run it?

There are two ways to test this vulnerability.

• Over ADB
• Via malicious Android app

Over ADB

Setup ADB, clone the repository, goto /poc-scripts and run leak.py

git clone https://github.com/0x48piraj/CVE-2019-14339
cd CVE-2019-14339/poc-scripts
python leak.py

Via malicious Android app

Method #1

Clone the repository, build the source.

Method #2

Use pre-built app by going under /release and downloading cannon-pwn.apk or via releases

NOTE: Disable Play Protect or it'll throw "App Not Installed" error, (within Google Play)> Menu> Play Protect> Scan device for security threats (disable).

Demo

Leak Script Demo

Malicious Android app

Issues (?)

Issues have been disabled on this repository. It is a simple proof of concept I wanted to share with the community.

References

• Standards Mapping - Common Weakness Enumeration CWE ID 89
• Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
• Standards Mapping - FIPS200 SI
• Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
• Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
• Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
• Standards Mapping - OWASP Top 10 2017 A1 Injection Flaws
• Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 089
• Standards Mapping - Web Application Security Consortium Version 2.00 SQL Injection (WASC-19)