In December 2022, I participated in Pwn2Own Toronto 2022 and got a successful entry in the Canon printer category. Check it out here.
The Canon imageClass MF743Cdw's IPP service is vulnerable to a stack-based buffer overflow through the number-up attribute. This allows an unauthenticated attacker to execute arbitrary code on the device.
There is a function, sub_41BD138C, that is called when the printer handles an IPP request packet carrying an attribute named number-up.
As the disassembly shows, this function takes a 16-bit word from the IPP request packet and uses it, without any check, as the length for copying data into the stack-based variable dest. dest is only 4 bytes in size, so the copy overflows the stack buffer and we can redirect the PC register to our code.
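To make the bug concrete from the defender's side, here is an added example (not code from the write-up or from Canon's firmware) of how an IPP integer attribute such as number-up should be parsed. IPP (RFC 8010) encodes each attribute as a value-tag, a 2-byte big-endian name-length, the name, a 2-byte big-endian value-length and the value; an integer value is always exactly 4 octets. The parser below validates the wire length against the destination size before the copy, which is precisely the check the vulnerable function is missing. The function names, the 4-byte `dest` and both sample packets are constructed for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* IPP value tag for an integer (RFC 8010 section 3.5.2). */
#define IPP_TAG_INTEGER 0x21

/* Minimal IPP attribute-with-one-value encoding (RFC 8010 section 3.1.4):
 *   value-tag     1 octet
 *   name-length   2 octets, big-endian
 *   name          name-length octets
 *   value-length  2 octets, big-endian
 *   value         value-length octets
 */

/* Read a big-endian 16-bit word from the packet. */
static uint16_t rd16(const uint8_t *p) {
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/* Hypothetical hardened handler: parse one integer attribute at buf[0] and
 * copy its value into a 4-byte destination, mirroring the 4-byte stack
 * variable described above. Returns bytes consumed, or -1 if malformed.
 * Every length taken from the wire is checked before it drives a copy. */
int parse_int_attr(const uint8_t *buf, size_t buflen,
                   char *name_out, size_t name_cap, uint8_t dest[4])
{
    size_t off = 0;
    if (buflen < 3) return -1;                      /* tag + name-length */
    if (buf[off++] != IPP_TAG_INTEGER) return -1;

    uint16_t name_len = rd16(buf + off);
    off += 2;
    if (name_len >= name_cap || buflen - off < name_len) return -1;
    memcpy(name_out, buf + off, name_len);
    name_out[name_len] = '\0';
    off += name_len;

    if (buflen - off < 2) return -1;                /* value-length */
    uint16_t value_len = rd16(buf + off);
    off += 2;
    /* An IPP integer is exactly 4 octets. Rejecting any other value-length
     * before touching dest means an attacker-chosen length can never set
     * the size of the copy into the fixed 4-byte buffer. */
    if (value_len != 4 || buflen - off < value_len) return -1;
    memcpy(dest, buf + off, 4);
    off += value_len;
    return (int)off;
}

/* Decode the 4 copied octets as a big-endian signed integer. */
int32_t ipp_int_value(const uint8_t d[4]) {
    return (int32_t)(((uint32_t)d[0] << 24) | ((uint32_t)d[1] << 16) |
                     ((uint32_t)d[2] << 8)  |  (uint32_t)d[3]);
}

/* Constructed sample: a well-formed "number-up" = 2 attribute (18 bytes). */
static const uint8_t GOOD_ATTR[] = {
    0x21,                      /* value-tag: integer */
    0x00, 0x09,                /* name-length: 9 */
    'n','u','m','b','e','r','-','u','p',
    0x00, 0x04,                /* value-length: 4 */
    0x00, 0x00, 0x00, 0x02     /* value: 2 */
};

/* Constructed sample: same attribute, but the value-length field claims
 * 0x0200 bytes. An unchecked parser would trust that number as the copy
 * size; the hardened one refuses it. */
static const uint8_t BAD_ATTR[] = {
    0x21, 0x00, 0x09,
    'n','u','m','b','e','r','-','u','p',
    0x02, 0x00,
    0x00, 0x00, 0x00, 0x02
};

/* Helpers exercising both samples. */
int parse_good_consumed(void) {
    char name[32]; uint8_t dest[4];
    return parse_int_attr(GOOD_ATTR, sizeof GOOD_ATTR, name, sizeof name, dest);
}
int32_t parse_good_value(void) {
    char name[32]; uint8_t dest[4];
    if (parse_int_attr(GOOD_ATTR, sizeof GOOD_ATTR, name, sizeof name, dest) < 0)
        return -1;
    return ipp_int_value(dest);
}
int parse_bad_result(void) {
    char name[32]; uint8_t dest[4];
    return parse_int_attr(BAD_ATTR, sizeof BAD_ATTR, name, sizeof name, dest);
}

int main(void) {
    printf("good: consumed=%d value=%d\n", parse_good_consumed(), parse_good_value());
    printf("bad:  result=%d (rejected)\n", parse_bad_result());
    return 0;
}
```

The same shape of check applies to every length field the packet supplies: compare it with the remaining packet size and with the destination's fixed size before any copy, and treat a mismatch as a protocol error rather than clamping silently, since a malformed number-up is a useful signal for logging.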
Based on Synacktiv's past research, we know that on the real device the stack and heap regions are mapped readable, writable and executable. So we can allocate a region at a fixed address, place our shellcode there and redirect the PC register to it to get the shellcode running.
The complete attack scenario consists of these steps:
- Send a BNJP request containing shellcode that will download an image and display it on the printer
- Exploit the overflow and redirect the PC register to the shellcode buffer
- The printer displays our image on its screen