Older Canon Pixma TR150 Driver Vulnerable to Privilege Escalation

  • Canon Pixma TR150 could lead to your computer getting pwned depending on which driver you’re using.
  • A researcher has found a way to carry out a time-sensitive attack that involves replacing a DLL to achieve privilege escalation.
  • There’s a fixing patch available from Canon, so using the latest driver when adding the printer is imperative.

The Canon Pixma TR150 compact printer could enable a local attacker to run code on the target system as admin, due to a nasty vulnerability (CVE-2021-38085) existing in the printer’s driver versions 3.71.2.10 and older. The privilege escalation opportunity opens up during the “add printer” step, during which a local attacker could overwrite the “CNMurGE.dll” into the CanonBJ %PROGRAMDATA% location, and then run code as NT AUTHORITY\SYSTEM - which is a case of escalation of privilege.

There’s already a Metasploit example for the above, released by researcher Jacob Baines, who provides the details of this on GitHub. The researcher also presented a patch from a low-privileged Windows user to SYSTEM during the recent DEF CON, so if you’re interested in the full details of the exploit you can watch the following video.

Having someone time the attack exactly as needed and being in range to carry out the exploit may appear far-fetched, but the particular printer model is actually ideal for this. Pixma TR150 is a compact portable printer that is meant to be carried around in various locations, including public places like cafes and libraries where opportunistic hackers could be lurking. It works on battery and it supports both WiFi and direct wireless connections with smartphones, tablets, and laptops.

Obviously, the researcher has shared his findings with Canon prior to the publication of all that, so the Japanese company had the time to release a fixing patch in the meantime. Unfortunately, a version naming change has been introduced, marking the vulnerable driver as “version 1.00”, and the fixing patch as “version 1.0.1”. As such, if you download the latest available driver from Canon's site, earlier this year, you should be safe.

This is an example of why printers shouldn’t come with drivers on CDs, as these are vulnerable to exploitation. Those who bought the printer when it came out may be reusing that medium again and again out of convenience, unaware of the fact that they are exposing themselves to exploitation. Instead, you should already visit the vendor’s official drivers repository every time you need to install a new device on a new computer, and also update the existing drivers as soon as a new version becomes available.

REVIEW OVERVIEW

Latest

Why Is Demon Slayer So Popular?

In August 2019, the world suddenly started talking about an anime series that had just released its nineteenth episode. Fast forward to...

F1 Live Stream 2022: How to Watch Formula 1 Without Cable

There's not much time until the 2022 Formula 1 World Championship gets underway - the first race is scheduled for late March,...

Disney+ Announces Basketball Series Inspired By Award-Winning Book The Crossover

Disney Plus announced a new basketball-themed drama series that is set to land on the streaming platform, drawing inspiration from the critically...
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari