Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2019-14339 PoC — Canon PRINT 信息泄露漏洞

Source
https://github.com/0x48piraj/CVE-2019-14339
Associated Vulnerability
Title:Canon PRINT 信息泄露漏洞 (CVE-2019-14339)
Description:The ContentProvider in the Canon PRINT jp.co.canon.bsd.ad.pixmaprint 2.5.5 application for Android does not properly restrict canon.ij.printer.capability.data data access. This allows an attacker's malicious application to obtain sensitive information including factory passwords for the administrator web interface and WPA2-PSK key.
Description
POC for CVE-2019-14339 Canon PRINT 2.5.5
Readme
# CVE-2019-14339

Content Provider URI Injection on Canon PRINT 2.5.5 (CVE-2019-14339). Proof of concept by [@0x48piraj](https://twitter.com/0x48piraj)

The **ContentProvider** in the **Canon PRINT 2.5.5** application for Android does not properly restrict data access. This allows an attacker's malicious application to obtain sensitive information including factory passwords for administrator web-interface and WPA2-PSK key.


## Impact

This bug can leak data from every printer which Canon PRINT 2.5.5 supports, i.e.

- PIXMA TS Series
- TR Series, MG Series, PRO Series, MP Series, iP Series, iX Series
- MAXIFY MB Series, iB Series
- ImagePROGRAF PRO Series, TM Series
- SELPHY CP900 Series, CP1200, CP1300

#### App downloads : 1,00,00,000 +


## Coverage

- [MITRE](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14339)
- [National Vulnerability Database](https://nvd.nist.gov/vuln/detail/CVE-2019-14339)
- [exploit-db](https://www.exploit-db.com/exploits/47321)
- [Packet Storm Security](https://packetstormsecurity.com/files/cve/CVE-2019-14339)
- [offensive-security/exploitdb](https://github.com/offensive-security/exploitdb/blob/master/exploits/android/local/47321.txt)
- [CX Security](https://cxsecurity.com/issue/WLB-2019090010)
- [Vulners](https://vulners.com/packetstorm/PACKETSTORM:154266)
- [exploit-database.net](https://www.exploit-database.net/?id=101915)
- [Hackernews Blog](https://hackernews.blog/canon-print-2-5-5-information-disclosure/)
- [security-db](http://www.security-db.com/vulnerabilites.html)
- [media.cert.europa.eu](https://media.cert.europa.eu/cert/filteredition/en/VulnerabilitiesCrypto.htm)
- [cnnvd.org.cn](http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201908-2263)


## The bug

The mobile application contains unprotected exported content providers ('IJPrinterCapabilityProvider'in `android/AndroidManifest.xml`) that discloses sensitive application’s data under certain conditions.

To securely export the content provider, one should restrict access to it by setting up `android:protectionLevel` or `android:grantUriPermissions` attributes in **Android Manifest** file.

## What do you need?

- Canon PRINT 2.5.5 (latest) Android app installed.
- A Canon printer supported by the application

## How do I run it?

There are two ways to test this vulnerability.

- Over ADB
- Via malicious Android app

### Over ADB

Setup ADB, clone the repository, goto `/poc-scripts` and run `leak.py`

```
git clone https://github.com/0x48piraj/CVE-2019-14339
cd CVE-2019-14339/poc-scripts
python leak.py
```

### Via malicious Android app

#### Method #1

Clone the repository, build the source.

#### Method #2

Use pre-built app by going under `/release` and downloading [cannon-pwn.apk](/release/cannon-pwn.apk) or via [releases](https://github.com/0x48piraj/CVE-2019-14339/releases)

> **NOTE:** Disable Play Protect or it'll throw "App Not Installed" error, (within Google Play)> Menu> Play Protect> Scan device for security threats (disable).

## Demo

#### Leak Script Demo

![leak-script](/demo/demo-script.gif)

#### Malicious Android app

![malicious-app](/demo/demo-malicious-app.gif)

## Issues (?)

Issues have been disabled on this repository. It is a simple proof of concept I wanted to share with the community.

## References

- Standards Mapping - Common Weakness Enumeration CWE ID 89
- Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
- Standards Mapping - FIPS200 SI
- Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
- Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
- Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
- Standards Mapping - OWASP Top 10 2017 A1 Injection Flaws
- Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 089
- Standards Mapping - Web Application Security Consortium Version 2.00 SQL Injection (WASC-19)
File Snapshot

 [4.0K]  /data/pocs/d6c63ed09064b40bb863a5c581e83120760d5b75
├── [4.0K]  app
│   ├── [1.1K]  build.gradle
│   ├── [ 751]  proguard-rules.pro
│   └── [4.0K]  src
│       ├── [4.0K]  androidTest
│       │   └── [4.0K]  java
│       │       └── [4.0K]  cannon
│       │           └── [4.0K]  print
│       │               └── [4.0K]  pwn
│       │                   └── [ 716]  ExampleInstrumentedTest.java
│       ├── [4.0K]  main
│       │   ├── [ 710]  AndroidManifest.xml
│       │   ├── [4.0K]  java
│       │   │   └── [4.0K]  cannon
│       │   │       └── [4.0K]  print
│       │   │           └── [4.0K]  pwn
│       │   │               └── [3.2K]  MainActivity.java
│       │   └── [4.0K]  res
│       │       ├── [4.0K]  drawable
│       │       │   └── [5.5K]  ic_launcher_background.xml
│       │       ├── [4.0K]  drawable-v24
│       │       │   └── [1.8K]  ic_launcher_foreground.xml
│       │       ├── [4.0K]  layout
│       │       │   └── [1006]  activity_main.xml
│       │       ├── [4.0K]  mipmap-anydpi-v26
│       │       │   ├── [ 272]  ic_launcher_round.xml
│       │       │   └── [ 272]  ic_launcher.xml
│       │       ├── [4.0K]  mipmap-hdpi
│       │       │   ├── [2.9K]  ic_launcher.png
│       │       │   └── [4.8K]  ic_launcher_round.png
│       │       ├── [4.0K]  mipmap-mdpi
│       │       │   ├── [2.0K]  ic_launcher.png
│       │       │   └── [2.7K]  ic_launcher_round.png
│       │       ├── [4.0K]  mipmap-xhdpi
│       │       │   ├── [4.4K]  ic_launcher.png
│       │       │   └── [6.7K]  ic_launcher_round.png
│       │       ├── [4.0K]  mipmap-xxhdpi
│       │       │   ├── [6.2K]  ic_launcher.png
│       │       │   └── [ 10K]  ic_launcher_round.png
│       │       ├── [4.0K]  mipmap-xxxhdpi
│       │       │   ├── [8.9K]  ic_launcher.png
│       │       │   └── [ 15K]  ic_launcher_round.png
│       │       └── [4.0K]  values
│       │           ├── [ 208]  colors.xml
│       │           ├── [  73]  strings.xml
│       │           └── [ 383]  styles.xml
│       └── [4.0K]  test
│           └── [4.0K]  java
│               └── [4.0K]  cannon
│                   └── [4.0K]  print
│                       └── [4.0K]  pwn
│                           └── [ 377]  ExampleUnitTest.java
├── [ 546]  build.gradle
├── [4.0K]  demo
│   ├── [2.6M]  demo-malicious-app.gif
│   └── [185K]  demo-script.gif
├── [4.0K]  gradle
│   └── [4.0K]  wrapper
│       ├── [ 53K]  gradle-wrapper.jar
│       └── [ 200]  gradle-wrapper.properties
├── [ 728]  gradle.properties
├── [5.2K]  gradlew
├── [2.1K]  gradlew.bat
├── [4.0K]  poc-scripts
│   ├── [ 321]  dos.sh
│   └── [ 948]  leak.py
├── [3.9K]  README.md
├── [4.0K]  release
│   ├── [1.8M]  cannon-pwn.apk
│   └── [ 226]  output.json
└── [  15]  settings.gradle

33 directories, 38 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →