Fat Rodzianko

This fat Rodzianko has written me lots of nonsense again. I deign to even reply

Privilege Escalation with Canon MX490 Printer Drivers

Posted on Author jmurphy5277Posted in exploit, redteam, tutorial

As part of my “research” I created a tool called “Get-Writable” that will search for .exe and .dll files that are world writable. You pass Get-Writable a directory path, and it will recursively look through every directory to find files. I had Get-Writable start at the “C:\” root to try and find all writable .exe’s and .dll’s I had on my system.

Get-Writable "C:\\"

This found a few hundred writable files on my personal system. Most of it was related to video games I had installed, but there were also quite a few results from my printer and Nvida.

These piqued my interest as I thought maybe my video card or printer drivers might be loading libraries or other executables from these directories during system or service startup. To see if this was happening, I enabled “boot logging” on Process Monitor.

Discovering Library Load

After boot logging was enabled in Process Monitor, I rebooted my system. When you first start Process Monitor, it will ask you to save the data it collected during boot up. Save this wherever you like. It may be a few gigabytes in size.

I then set a filter in Process Monitor that looked for any “Load Image” operations that loaded a .dll or .exe outside of C:\Windows\*, C:\Program Files\*, and C:\Program Files (x86)\*. The reason I filtered these out was to ignore any system libraries that were loaded, as well as libraries that would be in the applications current working directory (the Program Files directories). These directories are not typically writable by non administrator users, and that was “out-of-scope” for my current search.

Note: Some applications will make their working directory in Program Files world writable. Get-Writable should tell you this. You may find interesting things there!

Unfortunately, I didn’t see anything loading images from the Nvidia directories, but I did see some loads from my printer directories by spoolsv.exe and PrintIsolationHost.exe.

And, even better, these processes were running with SYSTEM privileges!

I confirmed that the DLLs that were being loaded were world writable using icacls.

Creating Malicious DLL

To test if I could get spoolsv.exe and PrintIsolationHost.exe to execute a DLL of mine, I wanted to create a simple DLL that would start a new process when loaded. The below C++ code will start a new cmd.exe process when it is loaded. I stole this code from somewhere a long time ago but don’t remember where from…

#include "pch.h"
#include <Windows.h>
#include <winternl.h>
#include <map>
#include <string>

BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
	if (ul_reason_for_call != DLL_PROCESS_ATTACH)
		return TRUE;


	//Sleep(120000);
	//_tmain();
	system("start cmd.exe");

	return TRUE;
}

The important bit here is system(“start cmd.exe”); which will launch the new cmd.exe process. The _tmain(); function that is commented out is a function I created for other testing that will inject shellcode using CreateRemoteThread, but that isn’t important for now…

You should be able to paste the above code into Visual Studio 2019 and build as a library. Make sure you have the necessary SDKs installed on your system.

I built my new DLL as a x64 release and copied it to the following locations:

spoolsv.exe
C:\ProgramData\CanonIJFAX\Canon MX490 series FAX\LanguageModules\0409\CNCARCK.DLL
PrintIsolationHost.exe
C:\ProgramData\CanonBJ\IJPrinter\CNMWindows\Canon MX490 series Printer\LanguageModules\0409\CNMurCK.dll

Exploitation

Once the DLLs have been copied over, the next thing to do was to restart the system. I enabled boot logging on Process Monitor again before restarting my system for trouble shooting purposes. When my system was back up and running, I could see in Process Monitor that spoolsv.exe had started a cmd.exe process.

I only copied two DLLs, but spoolsv.exe and PrintIsolationHost.exe loaded them a lot. Task Manager showed I had a few cmd.exe processes running as SYSTEM after startup.

This printer appears to be an older model from Canon. The latest drivers and software available for the printer are from 2016. Based on quick Google searches, it doesn’t look like my printer model (PIXMA MX492) is available new anywhere. It can still be purchased used from various places such as Amazon sellers, though.

I did attempt to install the drivers for the PIXMA TS9100 printer series, which last received new drivers in 2019. The installation couldn’t complete because the installer could never find the printer on the network, and I am unsure how to “fake” the printer being connected. I did see that the C:\ProgramData\CanonIJFAX\ and C:\ProgramData\CanonBJ\IJPrinter\ directories were created for the TS9100 drivers. These directories also ad DLL files that were world writable. However, because the driver installation never completed and the TS9100 printer was never “Added” to my machine, the DLLs were not loaded at startup by spoolsv.exe or PrintIsolationHost.exe. I imagine if I had the printer and completed the driver installation process this would work, but I am unable to confirm that and i am not looking to purchase a new printer at this time.

Disclosures

Date format is YYYY/MM/DD

  • 2020/04/12 – Email sent to product-security@canon-europe.com. I’m based in the US but I couldn’t find anywhere else to sent vulnerability reports to
  • 2020/4/17 – No response from product-security@canon-europe.com. Follow-up email sent
  • 2020/4/17 – Twitter post with @CanonUSA tagged asking about a security contact. @CanonUSA does not allow for direct messages. They responded saying I should call their technical support team at 1-800-652-2666
  • 2020/4/17 – Called Technical Support. I was unable to speak to anyone because I did not have a “MyCanon” account and my printer was not registered. I was unable to register my printer for support because I didn’t have all the information required from when I purchased the printer
  • 2020/04/20 – CEL-Product-Security (product-security@canon-europe.com) responded to my emails asking for additional details. I responded back with a similar write-up to this blog post. Though this was the EU product security team, they said they would also forward this to the relevant US team
  • 2020/04/22 – Canon responded back with “It is a known issue and it has been fixed in the newer range of machines. Whilst the issue does present a risk, access to the device is required in order to enable the escalation to be carried out and for this reason a decision was taken not to create a retrospective fix for older machines.”