Older Canon Pixma TR150 Driver Vulnerable to Privilege Escalation

  • The Canon Pixma TR150 could lead to your computer getting pwned, depending on which driver you’re using.
  • A researcher has found a way to carry out a time-sensitive attack that involves replacing a DLL to achieve privilege escalation.
  • Canon has released a patch, so using the latest driver when adding the printer is imperative.

The Canon Pixma TR150 compact printer could enable a local attacker to run code on the target system as admin, due to a nasty vulnerability (CVE-2021-38085) existing in the printer’s driver versions and older. The privilege escalation opportunity opens up during the “add printer” step, when a local attacker could overwrite “CNMurGE.dll” in the CanonBJ location under %PROGRAMDATA% and then run code as NT AUTHORITY\SYSTEM.

There’s already a Metasploit example for the above, released by researcher Jacob Baines, who provides the details on GitHub. The researcher also presented a path from a low-privileged Windows user to SYSTEM during the recent DEF CON, so if you’re interested in the full details of the exploit, you can watch the video of that talk.

Having someone time the attack exactly as needed while being in range to carry out the exploit may appear far-fetched, but this particular printer model is actually ideal for it. The Pixma TR150 is a compact portable printer that is meant to be carried around to various locations, including public places like cafes and libraries where opportunistic hackers could be lurking. It runs on battery and supports both WiFi and direct wireless connections with smartphones, tablets, and laptops.

Obviously, the researcher shared his findings with Canon prior to publication, so the Japanese company had time to release a patch in the meantime. Unfortunately, a version naming change has been introduced, marking the vulnerable driver as “version 1.00” and the patched one as “version 1.0.1”. As such, if you downloaded the latest available driver from Canon's site earlier this year, you should be safe.

This is an example of why printers shouldn’t come with drivers on CDs, as the drivers on them are vulnerable to exploitation. Those who bought the printer when it came out may be reusing that medium again and again out of convenience, unaware that they are exposing themselves to exploitation. Instead, you should always visit the vendor’s official drivers repository every time you need to install a new device on a new computer, and also update the existing drivers as soon as a new version becomes available.
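
On a machine where the printer has already been added, the condition described above (a low-privileged user able to write in the CanonBJ location under %PROGRAMDATA%) can be audited directly. The PowerShell below is an added example, not code from Canon or from the researcher; the `%PROGRAMDATA%\CanonBJ` path and the set of trusted SIDs are assumptions.

```powershell
# Added example (not from the article): list CanonBJ directories and CNMurGE.dll
# copies that a non-administrative principal is allowed to write to.
param(
    # Assumption: the page names only "CanonBJ" under %PROGRAMDATA%.
    [string]$Root    = (Join-Path $env:ProgramData 'CanonBJ'),
    [string]$DllName = 'CNMurGE.dll'
)

# Principals expected to hold write access: SYSTEM, Administrators, TrustedInstaller.
$trusted = 'S-1-5-18', 'S-1-5-32-544',
           'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
# Rights that allow planting or replacing a file, plus GENERIC_WRITE / GENERIC_ALL bits.
$writeMask   = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$genericMask = 0x50000000

function Get-UntrustedWriteAce {
    param([Parameter(Mandatory)][string]$Path)
    # Ask for SIDs directly so unresolvable account names cannot break the audit.
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($trusted -contains $ace.IdentityReference.Value) { continue }
        $raw = [int]$ace.FileSystemRights
        if (($raw -band $writeMask) -or ($raw -band $genericMask)) {
            [pscustomobject]@{ Path = $Path; Sid = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
        }
    }
}

if (-not (Test-Path -LiteralPath $Root)) { "$Root not found; nothing to audit."; return }

$items   = @(Get-Item -LiteralPath $Root -Force) +
           @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)
$targets = $items | Where-Object { $_.PSIsContainer -or $_.Name -ieq $DllName }

# Directories and DLL copies writable by someone outside the trusted set.
$targets | ForEach-Object { Get-UntrustedWriteAce -Path $_.FullName } | Format-Table -AutoSize

# Signature state and hash of each DLL copy, for comparison with a clean install.
$targets | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
    [pscustomobject]@{
        File      = $_.FullName
        Signature = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
        SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
    }
} | Format-List
```

Any row in the first table means a standard user can create or replace files where the driver keeps its DLL, which is a reason to reinstall with the current driver from Canon's site and re-run the check.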
