CanSecWest 2022

Network printers are good target candidates from an attacker perspective since they are rarely reinstalled or supervised and thus constitute a perfect place to hide on a network. Moreover they provide the attackers with persistent access to sensitive documents that may be scanned or printed.

This kind of device has been featured for the first time at Pwn2Own competition in Austin 2021. Three popular LaserJet printers were included in the competition: HP, Lexmark and Canon. During the event, we (Synacktiv) managed to compromise all of them, which among other targets allowed us to win the whole competition. In this talk, we will focus on how we achieved code execution on the Canon printer.

The primary step was to obtain the firmware to start reverse analysis. These are distributed through custom packages that are obfuscated. In this research, we will dissect the package format. Specifically, we will present how the primary analysis of the bootloader that we extracted from the flash memory allowed us to identify the deobfuscation routine, enabling us to decode further package updates available from Canon's website. The firmware is based on DryOs, a real-time OS powering several Canon products including cameras and printers.

The Canon printer exposes several network services that we have analysed. In particular, we will present the CADM service as part of the attack surface and how we identified a heap-based overflow in one of the numerous operations handled by that protocol. The exploitation of the vulnerability requires an understanding of the DryOs allocator which will also be presented to the audience. Thanks to the DryOS console available via UART, we were able to dump the heap state and to elaborate a generic scenario to attack the allocator. We will present our exploitation strategy and how one could reuse it to exploit similar heap-based overflows. We will finally showcase how we managed to display an arbitrary image on the printer's LCD screen thanks to a shellcode that directly encodes pixel values in the framebuffer.