Skip to content

POC for CVE-2019-14339 Canon PRINT 2.5.5

Notifications You must be signed in to change notification settings


Repository files navigation


Content Provider URI Injection on Canon PRINT 2.5.5 (CVE-2019-14339). Proof of concept by @0x48piraj

The ContentProvider in the Canon PRINT 2.5.5 application for Android does not properly restrict data access. This allows an attacker's malicious application to obtain sensitive information including factory passwords for administrator web-interface and WPA2-PSK key.


This bug can leak data from every printer which Canon PRINT 2.5.5 supports, i.e.

  • PIXMA TS Series
  • TR Series, MG Series, PRO Series, MP Series, iP Series, iX Series
  • MAXIFY MB Series, iB Series
  • ImagePROGRAF PRO Series, TM Series
  • SELPHY CP900 Series, CP1200, CP1300

App downloads : 1,00,00,000 +


The bug

The mobile application contains unprotected exported content providers ('IJPrinterCapabilityProvider'in android/AndroidManifest.xml) that discloses sensitive application’s data under certain conditions.

To securely export the content provider, one should restrict access to it by setting up android:protectionLevel or android:grantUriPermissions attributes in Android Manifest file.

What do you need?

  • Canon PRINT 2.5.5 (latest) Android app installed.
  • A Canon printer supported by the application

How do I run it?

There are two ways to test this vulnerability.

  • Over ADB
  • Via malicious Android app

Over ADB

Setup ADB, clone the repository, goto /poc-scripts and run

git clone
cd CVE-2019-14339/poc-scripts

Via malicious Android app

Method #1

Clone the repository, build the source.

Method #2

Use pre-built app by going under /release and downloading cannon-pwn.apk or via releases

NOTE: Disable Play Protect or it'll throw "App Not Installed" error, (within Google Play)> Menu> Play Protect> Scan device for security threats (disable).


Leak Script Demo


Malicious Android app


Issues (?)

Issues have been disabled on this repository. It is a simple proof of concept I wanted to share with the community.


  • Standards Mapping - Common Weakness Enumeration CWE ID 89
  • Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
  • Standards Mapping - FIPS200 SI
  • Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
  • Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
  • Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
  • Standards Mapping - OWASP Top 10 2017 A1 Injection Flaws
  • Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 089
  • Standards Mapping - Web Application Security Consortium Version 2.00 SQL Injection (WASC-19)