POC for CVE-2019-14339 Canon PRINT 2.5.5

# CVE-2019-14339
Content Provider URI Injection on Canon PRINT 2.5.5 (CVE-2019-14339). Proof of concept by [@0x48piraj](https://twitter.com/0x48piraj)
The **ContentProvider** in the **Canon PRINT 2.5.5** application for Android does not properly restrict data access. This allows an attacker's malicious application to obtain sensitive information, including factory passwords for the administrator web interface and the WPA2-PSK key.
## Impact
This bug can leak data from every printer which Canon PRINT 2.5.5 supports, i.e.
- PIXMA TS Series
- TR Series, MG Series, PRO Series, MP Series, iP Series, iX Series
- MAXIFY MB Series, iB Series
- ImagePROGRAF PRO Series, TM Series
- SELPHY CP900 Series, CP1200, CP1300
#### App downloads : 1,00,00,000 +
## Coverage
- [MITRE](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14339)
- [National Vulnerability Database](https://nvd.nist.gov/vuln/detail/CVE-2019-14339)
- [exploit-db](https://www.exploit-db.com/exploits/47321)
- [Packet Storm Security](https://packetstormsecurity.com/files/cve/CVE-2019-14339)
- [offensive-security/exploitdb](https://github.com/offensive-security/exploitdb/blob/master/exploits/android/local/47321.txt)
- [CX Security](https://cxsecurity.com/issue/WLB-2019090010)
- [Vulners](https://vulners.com/packetstorm/PACKETSTORM:154266)
- [exploit-database.net](https://www.exploit-database.net/?id=101915)
- [Hackernews Blog](https://hackernews.blog/canon-print-2-5-5-information-disclosure/)
- [security-db](http://www.security-db.com/vulnerabilites.html)
- [media.cert.europa.eu](https://media.cert.europa.eu/cert/filteredition/en/VulnerabilitiesCrypto.htm)
- [cnnvd.org.cn](http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201908-2263)
## The bug
The mobile application contains unprotected exported content providers (`IJPrinterCapabilityProvider` in `android/AndroidManifest.xml`) that disclose the application's sensitive data under certain conditions.
To export a content provider securely, restrict access to it by setting the `android:protectionLevel` or `android:grantUriPermissions` attributes in the **Android Manifest** file.
## What do you need?
- Canon PRINT 2.5.5 (latest) Android app installed.
- A Canon printer supported by the application
## How do I run it?
There are two ways to test this vulnerability.
- Over ADB
- Via malicious Android app
### Over ADB
Set up ADB, clone the repository, go to `/poc-scripts` and run `leak.py`:
```
git clone https://github.com/0x48piraj/CVE-2019-14339
cd CVE-2019-14339/poc-scripts
python leak.py
```
### Via malicious Android app
#### Method #1
Clone the repository, build the source.
#### Method #2
Use the pre-built app: go to `/release` and download [cannon-pwn.apk](/release/cannon-pwn.apk), or get it from [releases](https://github.com/0x48piraj/CVE-2019-14339/releases).
> **NOTE:** Disable Play Protect or it'll throw an "App Not Installed" error: within Google Play, go to Menu > Play Protect > Scan device for security threats (disable).
## Demo
#### Leak Script Demo

#### Malicious Android app

## Issues (?)
Issues have been disabled on this repository. It is a simple proof of concept I wanted to share with the community.
## References
- Standards Mapping - Common Weakness Enumeration CWE ID 89
- Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
- Standards Mapping - FIPS200 SI
- Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
- Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
- Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
- Standards Mapping - OWASP Top 10 2017 A1 Injection Flaws
- Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 089
- Standards Mapping - Web Application Security Consortium Version 2.00 SQL Injection (WASC-19)