{"id":14041,"date":"2025-12-08T10:54:19","date_gmt":"2025-12-08T07:54:19","guid":{"rendered":"https:\/\/www.kaspersky.com.tr\/blog\/?p=14041"},"modified":"2025-12-08T10:54:19","modified_gmt":"2025-12-08T07:54:19","slug":"canon-ttf-vulnerability-printer-risk","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.tr\/blog\/canon-ttf-vulnerability-printer-risk\/14041\/","title":{"rendered":"Yaz\u0131c\u0131lar sald\u0131r\u0131ya u\u011frad\u0131… Hem de yaz\u0131 tipleri taraf\u0131ndan"},"content":{"rendered":"

G\u00fcn\u00fcm\u00fczde, bir kurulu\u015fun altyap\u0131s\u0131n\u0131 ara\u015ft\u0131ran sald\u0131rganlar, EDR ajan\u0131<\/a> bulunmayan bir i\u015f istasyonuna nadiren rastlamaktad\u0131r. Bu nedenle, k\u00f6t\u00fc niyetli akt\u00f6rler, olduk\u00e7a geni\u015f eri\u015fim ayr\u0131cal\u0131klar\u0131na sahiptirler ancak EDR korumas\u0131 ve hatta \u00e7o\u011fu zaman g\u00fcnl\u00fck kay\u0131t yeteneklerinden yoksun olan sunucular\u0131 veya a\u011fa ba\u011fl\u0131 \u00e7e\u015fitli \u00f6zel cihazlar\u0131 ele ge\u00e7irmeye odaklanmaktad\u0131rlar. Daha \u00f6nce, savunmas\u0131z ofis cihazlar\u0131n\u0131n t\u00fcrleri<\/a> hakk\u0131nda ayr\u0131nt\u0131l\u0131 bir yaz\u0131 yay\u0131nlam\u0131\u015ft\u0131k. 2025 y\u0131l\u0131nda ger\u00e7ek d\u00fcnyada ger\u00e7ekle\u015fen sald\u0131r\u0131lar; a\u011f cihazlar\u0131 (VPN a\u011f ge\u00e7itleri, g\u00fcvenlik duvarlar\u0131 ve y\u00f6nlendiriciler gibi), video g\u00f6zetim sistemleri ve sunucular\u0131n kendilerine odaklanmaktad\u0131r. Ancak, ba\u011f\u0131ms\u0131z ara\u015ft\u0131rmac\u0131 Peter Geissler\u2019in Security Analyst Summit 2025<\/a>\u2018te dinleyicilere hat\u0131rlatt\u0131\u011f\u0131 gibi, yaz\u0131c\u0131lar da g\u00f6z ard\u0131 edilmemelidir. Geissler konu\u015fmas\u0131nda, Canon yaz\u0131c\u0131larda buldu\u011fu bir g\u00fcvenlik a\u00e7\u0131\u011f\u0131n\u0131 (CVE-2024-12649<\/a>, CVSS 9.8) a\u00e7\u0131klad\u0131. Bu g\u00fcvenlik a\u00e7\u0131\u011f\u0131, bu cihazlarda k\u00f6t\u00fc ama\u00e7l\u0131 kodlar\u0131n \u00e7al\u0131\u015ft\u0131r\u0131lmas\u0131na olanak tan\u0131yor. Bu g\u00fcvenlik a\u00e7\u0131\u011f\u0131yla ilgili en ilgin\u00e7 y\u00f6n\u00fc ise, onu istismar etmek i\u00e7in sadece masum g\u00f6r\u00fcn\u00fcml\u00fc bir dosyay\u0131 yazd\u0131rmaya g\u00f6ndermenin yeterli olmas\u0131.<\/p>\n

Trojan Tipi Yaz\u0131 Tipi: CVE-2024-12649 arac\u0131l\u0131\u011f\u0131yla yap\u0131lan sald\u0131r\u0131<\/h2>\n

Sald\u0131r\u0131, bir XPS dosyas\u0131n\u0131n yazd\u0131r\u0131lmas\u0131yla ba\u015flar. Microsoft taraf\u0131ndan olu\u015fturulan bu format, ba\u015far\u0131l\u0131 belge yazd\u0131rma i\u00e7in gerekli t\u00fcm \u00f6nko\u015fullar\u0131 i\u00e7erir ve PDF\u2019ye alternatif olarak kullan\u0131l\u0131r. XPS, esasen belgenin ayr\u0131nt\u0131lar a\u00e7\u0131klamas\u0131n\u0131, t\u00fcm resimlerini ve kullan\u0131lan yaz\u0131 tiplerini i\u00e7eren bir ZIP ar\u015fividir. Yaz\u0131 tipleri genellikle Apple taraf\u0131ndan icat edilen pop\u00fcler TTF (TrueType Font) format\u0131nda saklan\u0131r. K\u00f6t\u00fc ama\u00e7l\u0131 kodu i\u00e7eren \u015fey, genellikle tehlikeli olarak alg\u0131lanmayan yaz\u0131 tipinin kendisidir.<\/p>\n

TTF format\u0131, harflerin her t\u00fcrl\u00fc ortamda ayn\u0131 g\u00f6r\u00fcnmesini ve ekran \u00fczerindeki en k\u00fc\u00e7\u00fck karakterden bas\u0131l\u0131 poster \u00fczerindeki en b\u00fcy\u00fck karaktere kadar her boyuta do\u011fru \u015fekilde \u00f6l\u00e7eklenmesini sa\u011flamak i\u00e7in tasarlanm\u0131\u015ft\u0131r. Bu hedefe ula\u015fmak i\u00e7in, her harf i\u00e7in k\u00fc\u00e7\u00fck boyutlu harflerin g\u00f6r\u00fcnt\u00fclenmesindeki n\u00fcanslar\u0131 a\u00e7\u0131klayan yaz\u0131 tipi ipucu talimatlar\u0131<\/a> yaz\u0131labilir. \u0130pucu talimatlar\u0131, basitli\u011fine ra\u011fmen programlaman\u0131n t\u00fcm temel yap\u0131 ta\u015flar\u0131n\u0131 (bellek y\u00f6netimi, atlamalar ve dallanma) destekleyen kompakt bir sanal makine i\u00e7in komutlard\u0131r. Geissler ve arkada\u015flar\u0131, bu sanal makinenin Canon yaz\u0131c\u0131larda nas\u0131l uyguland\u0131\u011f\u0131n\u0131 incelediler ve baz\u0131 TTF ipucu talimatlar\u0131n\u0131n g\u00fcvenli olmayan bir \u015fekilde y\u00fcr\u00fct\u00fcld\u00fc\u011f\u00fcn\u00fc ke\u015ffettiler<\/a>. \u00d6rne\u011fin, y\u0131\u011f\u0131n\u0131 y\u00f6neten sanal makine komutlar\u0131 ta\u015fma olup olmad\u0131\u011f\u0131n\u0131 kontrol etmez.<\/p>\n

Sonu\u00e7 olarak, k\u00f6t\u00fc ama\u00e7l\u0131 bir yaz\u0131 tipi olu\u015fturmay\u0131 ba\u015fard\u0131lar. Bunu i\u00e7eren bir belge belirli Canon yaz\u0131c\u0131larda yazd\u0131r\u0131ld\u0131\u011f\u0131nda, y\u0131\u011f\u0131n arabellek ta\u015fmas\u0131na neden olur, sanal makinenin arabelleklerinin \u00f6tesine veri yazar ve nihayetinde yaz\u0131c\u0131n\u0131n i\u015flemcisinde kod y\u00fcr\u00fct\u00fclmesini sa\u011flar. Sald\u0131r\u0131n\u0131n tamam\u0131 TTF dosyas\u0131 arac\u0131l\u0131\u011f\u0131yla ger\u00e7ekle\u015ftirilir; XPS dosyas\u0131n\u0131n geri kalan i\u00e7eri\u011fi zarars\u0131zd\u0131r. Asl\u0131nda, TTF dosyas\u0131n\u0131n i\u00e7indeki k\u00f6t\u00fc ama\u00e7l\u0131 kodu tespit etmek olduk\u00e7a zordur: Kod \u00e7ok uzun de\u011fildir, ilk k\u0131sm\u0131 TTF sanal makine komutlar\u0131ndan olu\u015fur ve ikinci k\u0131sm\u0131 egzotik, tescilli Canon i\u015fletim sistemi (DryOS) \u00fczerinde \u00e7al\u0131\u015f\u0131r.<\/p>\n

Son y\u0131llarda Canon\u2019un yaz\u0131c\u0131 ayg\u0131t yaz\u0131l\u0131m\u0131n\u0131n g\u00fcvenli\u011fini sa\u011flamaya odakland\u0131\u011f\u0131na dikkat edilmelidir. \u00d6rne\u011fin, sistem kodunu de\u011fi\u015ftirme veya yaln\u0131zca veri depolama ama\u00e7l\u0131 bellek par\u00e7alar\u0131nda kod y\u00fcr\u00fctme yetene\u011fini s\u0131n\u0131rlamak i\u00e7in ARM i\u015flemcilerde desteklenen DACR<\/a> kay\u0131tlar\u0131 ve NX (y\u00fcr\u00fctme engelleme) bayraklar\u0131n\u0131 kullan\u0131r. Bu \u00e7abalara ra\u011fmen, DryOS mimarisi genel olarak, daha b\u00fcy\u00fck modern i\u015fletim sistemlerinde yayg\u0131n olarak kullan\u0131lan ASLR<\/a> veya stack canary<\/a> gibi bellek koruma mekanizmalar\u0131n\u0131n etkili bir \u015fekilde uygulanmas\u0131na izin vermemektedir. Bu nedenle ara\u015ft\u0131rmac\u0131lar zaman zaman mevcut korumay\u0131 atlatman\u0131n yollar\u0131n\u0131 bulurlar. \u00d6rne\u011fin, bahsetti\u011fimiz sald\u0131r\u0131da, k\u00f6t\u00fc ama\u00e7l\u0131 kod, TTF hilesi kullan\u0131larak farkl\u0131 bir yazd\u0131rma protokol\u00fc olan IPP i\u00e7in tasarlanm\u0131\u015f bir bellek tamponuna yerle\u015ftirilerek ba\u015far\u0131yla \u00e7al\u0131\u015ft\u0131r\u0131ld\u0131.<\/p>\n

Ger\u00e7ek\u00e7i istismar senaryosu<\/h2>\n

Canon, bu g\u00fcvenlik a\u00e7\u0131\u011f\u0131n\u0131 a\u00e7\u0131klayan b\u00fclteninde<\/a>, yaz\u0131c\u0131ya internet \u00fczerinden eri\u015filebiliyorsa, bu g\u00fcvenlik a\u00e7\u0131\u011f\u0131n\u0131n uzaktan istismar edilebilece\u011fini belirtmekte ve bu nedenle yaz\u0131c\u0131n\u0131n yaln\u0131zca i\u00e7 ofis a\u011f\u0131ndan kullan\u0131labilmesi i\u00e7in bir g\u00fcvenlik duvar\u0131 yap\u0131land\u0131r\u0131lmas\u0131n\u0131 \u00f6nermektedir. Bu iyi bir tavsiyedir ve yaz\u0131c\u0131 ger\u00e7ekten de kamu eri\u015fiminden kald\u0131r\u0131lmal\u0131d\u0131r, ancak bu tek sald\u0131r\u0131 senaryosu de\u011fildir.<\/p>\n

Peter Geissler raporunda, sald\u0131rgan\u0131n bir \u00e7al\u0131\u015fana e-posta veya mesajla\u015fma uygulamas\u0131 arac\u0131l\u0131\u011f\u0131yla bir ek g\u00f6nderdi\u011fi ve \u00e7e\u015fitli bahanelerle bunu yazd\u0131rmas\u0131n\u0131 \u00f6nerdi\u011fi \u00e7ok daha ger\u00e7ek\u00e7i, karma bir senaryoya dikkat \u00e7ekti. Kurban belgeyi yazd\u0131rmak i\u00e7in g\u00f6nderirse (kurum i\u00e7i a\u011f i\u00e7inde ve internet ba\u011flant\u0131s\u0131 olmadan), k\u00f6t\u00fc ama\u00e7l\u0131 kod yaz\u0131c\u0131da \u00e7al\u0131\u015ft\u0131r\u0131l\u0131r. Do\u011fal olarak, yaz\u0131c\u0131da \u00e7al\u0131\u015fan k\u00f6t\u00fc ama\u00e7l\u0131 yaz\u0131l\u0131m\u0131n yetenekleri, tam donan\u0131ml\u0131 bir bilgisayara bula\u015fan k\u00f6t\u00fc ama\u00e7l\u0131 yaz\u0131l\u0131mlara k\u0131yasla s\u0131n\u0131rl\u0131 olacakt\u0131r. Ancak, \u00f6rne\u011fin sald\u0131rgan\u0131n sunucusuna ba\u011flant\u0131 kurarak bir t\u00fcnel olu\u015fturabilir ve sald\u0131rganlar\u0131n kurulu\u015f i\u00e7indeki di\u011fer bilgisayarlar\u0131 hedef almas\u0131na olanak tan\u0131yabilir. Bu k\u00f6t\u00fc ama\u00e7l\u0131 yaz\u0131l\u0131m\u0131n yaz\u0131c\u0131da kullan\u0131lmas\u0131n\u0131n bir ba\u015fka olas\u0131 senaryosu, \u015firkette yazd\u0131r\u0131lan t\u00fcm bilgilerin do\u011frudan sald\u0131rgan\u0131n sunucusuna iletilmesine neden olabilir. Hukuk firmalar\u0131 gibi belirli kurulu\u015flarda bu durum kritik bir veri ihlaline yol a\u00e7abilir.<\/p>\n

Bu yaz\u0131c\u0131 tehdidini nas\u0131l \u00f6nleyebilirim?<\/h2>\n

CVE-2024-12649 g\u00fcvenlik a\u00e7\u0131\u011f\u0131 ve bununla yak\u0131ndan ili\u015fkili birka\u00e7 kusur, Canon\u2019un talimatlar\u0131na g\u00f6re<\/a> yaz\u0131c\u0131 cihaz yaz\u0131l\u0131m\u0131 g\u00fcncellemesini y\u00fckleyerek ortadan kald\u0131r\u0131labilir. Ne yaz\u0131k ki, bir\u00e7ok kurulu\u015f (bilgisayar ve sunuculardaki yaz\u0131l\u0131mlar\u0131 \u00f6zenle g\u00fcncelleyenler bile) yaz\u0131c\u0131 ayg\u0131t yaz\u0131l\u0131m\u0131n\u0131 g\u00fcncellemek i\u00e7in sistematik bir s\u00fcrece sahip de\u011fildir. Bu i\u015flem, bilgisayar a\u011f\u0131na ba\u011fl\u0131 t\u00fcm ekipmanlar i\u00e7in uygulanmal\u0131d\u0131r.<\/p>\n

Ancak g\u00fcvenlik ara\u015ft\u0131rmac\u0131lar\u0131, \u00f6zel ekipmanlar\u0131 hedef alan \u00e7ok say\u0131da sald\u0131r\u0131 vekt\u00f6r\u00fc oldu\u011funu vurguluyor. Bu nedenle sald\u0131rganlar\u0131n yar\u0131n, yaz\u0131c\u0131 \u00fcreticileri veya m\u00fc\u015fterileri taraf\u0131ndan bilinmeyen benzer bir istismar ile kendilerini silahland\u0131rmayacaklar\u0131n\u0131n garantisi yoktur. S\u00f6m\u00fcr\u00fc riskini en aza indirmek i\u00e7in:<\/p>\n