Heap-based Overflow on Canon Network Printer

We discussed this vulnerability as part of our weekly podcast on 01 June 2022

Plenty of background regarding even getting to a place to start hunting for bugs on this printer, leading up to two heap-based overflows in pjcc_act_checkUserPassword2, and some discussion about exploiting the DryOS heap allocator.

The overflows were simple unchecked copies into fixed-size buffers: the lengths (and buffer contents) for the salt and hash in the packet were attacker controlled and trusted without any check of whether the target buffer could hold the supplied lengths. This provided a straightforward overflow and the ability to corrupt heap metadata.
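To make the bug class concrete, here is an added example (not code from the podcast, the researchers, or Canon's firmware) that puts the unchecked copy pattern beside a checked parser. The `struct creds`, the `SALT_MAX`/`HASH_MAX` capacities, the one-byte-length wire layout, and every function name are constructed assumptions for illustration; the real PJCC packet format and buffer sizes are not on the page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Capacities are constructed for this example, not the printer's real sizes. */
#define SALT_MAX 16
#define HASH_MAX 32

/* Hypothetical record holding the fixed-size salt and hash buffers. */
struct creds {
    uint8_t salt[SALT_MAX];
    size_t  salt_len;
    uint8_t hash[HASH_MAX];
    size_t  hash_len;
};

/* Constructed wire layout (an assumption, not the real PJCC format):
 *   [salt_len:1][salt bytes][hash_len:1][hash bytes] */

/* Vulnerable shape: both lengths come straight from the packet and are never
 * compared with SALT_MAX/HASH_MAX, so memcpy runs past the struct into the
 * adjacent heap chunk. Kept for contrast only; it is never called here. */
void parse_creds_unchecked(struct creds *c, const uint8_t *pkt)
{
    size_t salt_len = pkt[0];
    memcpy(c->salt, pkt + 1, salt_len);            /* overflow if salt_len > SALT_MAX */
    c->salt_len = salt_len;
    size_t hash_len = pkt[1 + salt_len];
    memcpy(c->hash, pkt + 2 + salt_len, hash_len); /* overflow if hash_len > HASH_MAX */
    c->hash_len = hash_len;
}

/* Hardened parser: every length is checked against the destination capacity
 * and against the bytes actually present in the packet before any copy. */
bool parse_creds_checked(struct creds *c, const uint8_t *pkt, size_t pkt_len)
{
    size_t pos = 0;
    if (pkt_len - pos < 1) return false;
    size_t salt_len = pkt[pos++];
    if (salt_len > SALT_MAX || salt_len > pkt_len - pos) return false;
    memcpy(c->salt, pkt + pos, salt_len);
    c->salt_len = salt_len;
    pos += salt_len;

    if (pkt_len - pos < 1) return false;
    size_t hash_len = pkt[pos++];
    if (hash_len > HASH_MAX || hash_len > pkt_len - pos) return false;
    memcpy(c->hash, pkt + pos, hash_len);
    c->hash_len = hash_len;
    pos += hash_len;

    return pos == pkt_len; /* trailing bytes are rejected as well */
}

/* Serialises a constructed packet; returns its length, or 0 if it does not fit. */
size_t build_packet(uint8_t *out, size_t cap, const uint8_t *salt, size_t salt_len,
                    const uint8_t *hash, size_t hash_len)
{
    if (salt_len > 255 || hash_len > 255 || cap < 2 + salt_len + hash_len) return 0;
    out[0] = (uint8_t)salt_len;
    memcpy(out + 1, salt, salt_len);
    out[1 + salt_len] = (uint8_t)hash_len;
    memcpy(out + 2 + salt_len, hash, hash_len);
    return 2 + salt_len + hash_len;
}

/* Constructed inputs: one honest packet and two that the unchecked copy would trust. */
int check_well_formed(void)
{
    uint8_t pkt[600], salt[8] = {1, 2, 3, 4, 5, 6, 7, 8}, hash[HASH_MAX];
    struct creds c;
    memset(hash, 0xAA, sizeof hash);
    size_t n = build_packet(pkt, sizeof pkt, salt, sizeof salt, hash, sizeof hash);
    return parse_creds_checked(&c, pkt, n) && c.salt_len == 8 && c.hash_len == HASH_MAX;
}

int check_oversized_salt(void)
{
    uint8_t pkt[600], salt[200], hash[HASH_MAX];
    struct creds c;
    memset(salt, 0x41, sizeof salt);
    memset(hash, 0xAA, sizeof hash);
    size_t n = build_packet(pkt, sizeof pkt, salt, sizeof salt, hash, sizeof hash);
    return n != 0 && !parse_creds_checked(&c, pkt, n); /* 200 > SALT_MAX: rejected */
}

int check_truncated(void)
{
    uint8_t pkt[600], salt[8] = {0}, hash[HASH_MAX] = {0};
    struct creds c;
    build_packet(pkt, sizeof pkt, salt, sizeof salt, hash, sizeof hash);
    /* Only 20 of the 42 bytes arrived: hash_len (32) exceeds what remains. */
    return !parse_creds_checked(&c, pkt, 20);
}

int main(void)
{
    printf("well-formed accepted: %d\n", check_well_formed());
    printf("oversized salt rejected: %d\n", check_oversized_salt());
    printf("truncated packet rejected: %d\n", check_truncated());
    return 0;
}
```

The checked parser validates each length twice: once against the destination capacity (the check that was missing on the printer) and once against the bytes left in the packet, so a short datagram cannot turn into an over-read either. Rejecting trailing bytes is a stricter choice than many firmware parsers make, but it keeps the accepted input exactly as large as the format describes.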

They targeted a next pointer belonging to a freed block in memory. With an echo command, they could get this fake free block reallocated and overwrite its data, giving them a semi-arbitrary write primitive. The main constraint appears to have been that the first few bytes would be interpreted as part of the chunk header (for things like size), so if it was pointed somewhere with a small value it might not be reclaimed easily or with precision.

This primitive was used to corrupt some of the state information, specifically the echo command handler function pointer, pointing it towards their shellcode.