- Canon Pixma TR150 could lead to your computer getting pwned depending on which driver you’re using.
- A researcher has found a way to carry out a time-sensitive attack that involves replacing a DLL to achieve privilege escalation.
- There’s a fixing patch available from Canon, so using the latest driver when adding the printer is imperative.
The Canon Pixma TR150 compact printer could enable a local attacker to run code on the target system as admin, due to a nasty vulnerability (CVE-2021-38085) in the printer’s driver, versions 18.104.22.168 and older. The privilege escalation opportunity opens up during the “add printer” step: a local attacker who overwrites CNMurGE.dll in the CanonBJ %PROGRAMDATA% location gets their code run as NT AUTHORITY\SYSTEM, which is a textbook escalation of privilege.
There’s already a Metasploit module for the above, released by researcher Jacob Baines, who provides the details on GitHub. The researcher also presented the path from a low-privileged Windows user to SYSTEM at the recent DEF CON, so if you’re interested in the full details of the exploit you can watch the following video.
Having someone time the attack exactly as needed and be in range to carry out the exploit may sound far-fetched, but this particular printer model is actually ideal for it. The Pixma TR150 is a compact portable printer meant to be carried to various locations, including public places like cafes and libraries where opportunistic hackers could be lurking. It runs on battery and supports both WiFi and direct wireless connections with smartphones, tablets, and laptops.
Obviously, the researcher shared his findings with Canon prior to publishing all this, so the Japanese company had time to release a fixing patch in the meantime. Unfortunately, a version naming change has been introduced, marking the vulnerable driver as “version 1.00” and the fixing patch as “version 1.0.1”. As such, if you download the latest driver available from Canon's site, released earlier this year, you should be safe.
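For administrators who want to check their own fleet, the following PowerShell audit is an added example (not the researcher's code and not Canon's): it lists anything under the driver's CanonBJ %PROGRAMDATA% location that low-privileged principals can write to (the overwrite condition described above), reports the signature status of every CNMurGE.dll it finds, and shows the installed TR150 driver version. It assumes the driver keeps its files somewhere under $env:ProgramData\CanonBJ, that the shipped DLL is Authenticode-signed, and that the driver name contains "TR150".

```powershell
# Added audit script (not from the page, the researcher, or Canon).
# Assumptions: driver files live under $env:ProgramData\CanonBJ; the principals
# listed in $lowPriv are what "standard user" means on this host; the driver
# name contains 'TR150'. Run from an elevated PowerShell prompt.

$root = Join-Path $env:ProgramData 'CanonBJ'
if (-not (Test-Path -LiteralPath $root)) {
    Write-Output "No $root directory; the Canon driver does not appear to be installed."
    return
}

# Rights that would let a standard user replace or plant a file.
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, Delete, CreateFiles'
$lowPriv   = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

Write-Output "== Entries under $root writable by low-privileged principals (none is the good answer) =="
Get-ChildItem -LiteralPath $root -Recurse -Force | ForEach-Object {
    $path = $_.FullName
    (Get-Acl -LiteralPath $path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $lowPriv -contains $_.IdentityReference.Value -and
        (([int64]$_.FileSystemRights) -band ([int64]$writeMask)) -ne 0
    } | ForEach-Object {
        [pscustomobject]@{ Path = $path; Identity = $_.IdentityReference.Value; Rights = $_.FileSystemRights }
    }
} | Format-Table -AutoSize

Write-Output "== Authenticode status of every CNMurGE.dll under $root =="
Get-ChildItem -LiteralPath $root -Recurse -Filter 'CNMurGE.dll' | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    [pscustomobject]@{
        Path   = $_.FullName
        Status = $sig.Status   # anything other than 'Valid' deserves a closer look
        Signer = $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' })
    }
} | Format-Table -AutoSize

# DriverVersion is a packed 64-bit value; compare it against what Canon's current download reports.
Write-Output "== Installed Canon TR150 print drivers =="
Get-PrinterDriver | Where-Object Name -like '*TR150*' |
    Select-Object Name, DriverVersion, InfPath | Format-Table -AutoSize
```

A writable entry in the first table, or a non-Valid status in the second, means the host should get the current driver from Canon's site before anyone adds the printer on it again.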
This is an example of why printers shouldn’t ship with drivers on CDs: the bundled version never gets updated, so it stays vulnerable. Those who bought the printer when it came out may be reusing that disc again and again out of convenience, unaware that they are exposing themselves to exploitation. Instead, visit the vendor’s official driver repository every time you need to install a device on a new computer, and update existing drivers as soon as a new version becomes available.