Hacking MFPs – PostScript(um – you’ve been hacked). Andrei Costin. 28C3 (Hacking MFPs, part 2).


Hacking MFPs: PostScript(um – you’ve been hacked)

Andrei Costin <andrei@srlabs.de>

Andrei: hardware hacker & coder

1

Mifare Classic MFCUK

Hacking MFPs (for fun & profit) General

ITAPGSM

security

http://andreicostin.com/papers

Quick Quiz

2

Which vendor do you think this talk is about?

(i.e. whose MFPs do you think are least secure?)

Participating audience results (chart): 5 / 70 / 20

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

3

MFPs carry large abuse potential

4

MFP hacking goes back to the 1960’s

5

“Spies in the Xerox machine”

The “micro”-film camera marked X

Patent drawing, 1967

Electronics/hardware hacking

Modern printer hacking goes back almost a decade

6

Timeline:

2002: Initial printer hacks (FXpH)

2006: Broader & deeper printer hacking (irongeek)

2011: Revived printer hacking interest

This talk focuses mainly on remote code execution inside MFPs/printers

In 2010 we demo’d mapping public MFPs

7

http://www.youtube.com/watch?v=t44GibiCoCM

… and generic MFP payload delivery using Word

8

http://www.youtube.com/watch?v=KrWFOo2RAnk (there are false claims of some guys)

… and generic MFP payload delivery using Java

9

http://www.youtube.com/watch?v=JcfxvZml6-Y

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

10

PostScript, who? It’s Adobe’s PDF big brother

11

Adobe is the dominant PS implementation

12

(Chart: distribution of PostScript interpreters – Adobe PS interpreters vs. other PS interpreters. Source: Adobe specification supplement note.)

PS is built to handle complex processing tasks

13

Graphics & patterns, complex math, web servers, ray-tracing, OpenGL, milling machines, XML parsers, file systems, I/O subsystems

PS> “shell” – where

14

From the official PostScript specification, “2.4.4 Using the Interpreter Interactively”

Debugging is enabled on most PS instances

15

(Chart: PS-executive debug enabled vs. PS-executive debug disabled/N/A)

PS> “shell” – how

16

Code demo – telnet 192.168.0.1 9100 and dump this

PS> “shell” – how

17

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

18

We needed a PS-based firmware upload

19

This is too good to be true…

20

Exposed APIs found in the firmware (API – name):

VxWorks API – vx

DebugQA API – QA

Logging API – EventLog

BillingMeters API – meter

Pump PWM – pumppwm

RAMdisk API – ramdisk

RAM API – ram

Flash API – flash

Memory dumping reveals computing secrets

21

Demo

22

Admin restrictions fail to prevent memory dumping

23

Demo

24

Basic auth password can be dumped

25

1) Authorization: Basic YWRtaW4yO…

2) HTTP/1.1 200 OK

HTTPS / IPsec secrets are “leaky” as well…

26

0x66306630663066306630663066302222

Demo

27

Attacker has access to printed document details

28

Demo

29

Attacker has access to BSD-style sockets…

30

Two-way BSD-style sockets communication

Analyzed MFP cannot protect effectively

31

Protection measures (each rated fail / warn / ok on the slide):

Privilege level separation

Secure password setup

Secure (basic) auth

HTTPS / IPsec secrets protection

Network topology protection

In-memory document protection

Restrict sockets on unprivileged modules

Plenty of Xerox printers share the affected PS firmware update mechanism

32

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

33

Remote attacks can be used to extract data

34

Stage 1 – SocEng: sent by email / drive-by print

Stage 2 – Printing: print attachment / print from web; spool malicious byte stream

Stage 3 – Exploiting/spying: malware exploits internal network or extracts data

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 What’s next, solutions, conclusions

35

What’s next? PS + MSF + FS + Sockets = PWN

36

Solutions

37

Actor – Suggested actions

Admins: • Disable Language Operator Authorization • Look for security bulletins and patch • Sandbox printers in your network • Include MFPs in the security audit lifecycle

Users: • Do not print from untrusted sources

Vendors: • Create realistic MFP threat models • Do not enable/expose super-APIs
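A defender-side check for the “sandbox printers in your network” advice above, written for this page as an added example (not code from the talk or from any vendor): it models a stateless firewall rule set and flags rules that let a printer open outbound sockets, or that let hosts other than the print server and admin subnet reach it. All subnets, hosts and rule sets are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One stateless firewall rule; dport is "any" or a decimal port string."""
    src: str      # source CIDR
    dst: str      # destination CIDR
    dport: str    # destination port
    action: str   # "allow" or "deny"


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


# Constructed sample addressing (an assumption for this example, not from the talk).
PRINTER_NET = _net("10.20.0.0/24")    # the printer "sandbox" VLAN
PRINT_SERVER = _net("10.10.1.5/32")   # the only host that may spool jobs
ADMIN_NET = _net("10.10.2.0/24")      # admins reach the web UI over HTTPS only
SYSLOG_HOST = _net("10.10.1.9/32")    # the only destination a printer may contact

# Policy: printers may *accept* raw/IPP print traffic from the print server and
# HTTPS from admins, and may *initiate* nothing but syslog. A printer that can
# open arbitrary sockets and map the internal network is otherwise a pivot
# point, so any wider allow rule is reported.
ALLOWED_INGRESS = {(PRINT_SERVER, "9100"), (PRINT_SERVER, "631"), (ADMIN_NET, "443")}
ALLOWED_EGRESS = {(SYSLOG_HOST, "514")}


def _permitted(net, port, allow_list):
    """True when (net, port) is fully covered by a single allow-list entry."""
    return any(net.subnet_of(peer) and port == p for peer, p in allow_list)


def check_rules(rules):
    """Evaluate every allow rule on its own and return (rule_index, reason) pairs.

    Ordering is deliberately ignored: a permissive allow rule is reported even
    if a later deny would shadow it, because rule order tends to drift.
    """
    findings = []
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        src, dst = _net(r.src), _net(r.dst)
        if dst.overlaps(PRINTER_NET):
            if r.dport == "80":
                # The password-setup request travels in clear text over HTTP.
                findings.append((i, "ingress: cleartext HTTP admin UI reachable, "
                                    "password setup is sniffable"))
            elif not _permitted(src, r.dport, ALLOWED_INGRESS):
                findings.append((i, f"ingress: {r.src} may reach printers on port {r.dport}"))
        if src.overlaps(PRINTER_NET) and not _permitted(dst, r.dport, ALLOWED_EGRESS):
            findings.append((i, f"egress: printers may open sockets to {r.dst} port {r.dport}"))
    return findings


# Weak setting: a flat internal network where anything talks to anything.
FLAT_RULES = [Rule("10.0.0.0/8", "10.0.0.0/8", "any", "allow")]

# Corrected setting: explicit allows, then default deny in both directions.
HARDENED_RULES = [
    Rule("10.10.1.5/32", "10.20.0.0/24", "9100", "allow"),
    Rule("10.10.1.5/32", "10.20.0.0/24", "631", "allow"),
    Rule("10.10.2.0/24", "10.20.0.0/24", "443", "allow"),
    Rule("10.20.0.0/24", "10.10.1.9/32", "514", "allow"),
    Rule("10.20.0.0/24", "0.0.0.0/0", "any", "deny"),
    Rule("0.0.0.0/0", "10.20.0.0/24", "any", "deny"),
]

if __name__ == "__main__":
    for name, rules in (("flat", FLAT_RULES), ("hardened", HARDENED_RULES)):
        print(name, check_rules(rules) or "no findings")
```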

Thanks/resources

38

Personal thanks: Igor Marinescu, MihaiSa – great logistic support and friendly help

Xerox Security Team – positive responses, active mitigation

www.tinaja.com – insanely large free PostScript resources dir

www.anastigmatix.net – very good PostScript resources

www.acumentraining.com – very good PostScript resources

Takeaways

39

MFPs are badly secured computing platforms with large abuse potential

Upcoming MFP attacks could include viruses in Office and PS documents that extract organization data

Securing the MFP infrastructure requires better segmentation, strong credentials and continuous vulnerability patching

Questions?

Andrei Costin – andrei@srlabs.de – http://andreicostin.com/papers

Demo

40

Password setup is sniffed by the attacker

41

1) HTTP request – password in clear text

2) HTTP reply

Demo

42

Attacker has access to network topology – no-scan

43

Andrei Hardware hacker amp coder

1

Mifare Classic MFCUK

Hacking MFPs (for fun amp profit) General

ITAPGSM

security

httpandreicostincompapers

Quick Quiz

2

Which vendor do you think this talk is about

(ie Whose MFPs do you think are least secure)

Participating audience results

5 70 20

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

3

MFPs carry large abuse potential

4

MFP hacking goes back to the 1960rsquos

5

ldquoSpies in the Xerox machinerdquo

The ldquomicrordquo-film camera marked X

Patent drawing 1967

Electronicshardware hacking

Modern printer hacking goes back almost a decade

6

Broader amp deeper printer hacking (irongeek)

Initial printer hacks (FXpH)

2002 2006

Revived printer hacking interest

This talk focuses mainly on remote code execution inside MFPsprinters

2011

In 2010 we demorsquod mapping public MFPs

7

httpwwwyoutubecomwatchv=t44GibiCoCM

hellip and generic MFP payload delivery using Word

8

httpwwwyoutubecomwatchv=KrWFOo2RAnk (there are false claims of some guys)

hellip and generic MFP payload delivery using Java

9

httpwwwyoutubecomwatchv=JcfxvZml6-Y

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

10

PostScript who Itrsquos Adobersquos PDF big brother

11

Adobe is the dominant PS implementation

12

Adobe PS interpreters

Other PS interpreters

Distribution of Postscript interpreters

Source Adobe specification supplement note

PS is build to handle complex processing tasks

13

Graphics amp patterns Complex math Web servers

Ray-tracing OpenGL Milling machine XML Parsers

File systems IO subsystems

PSgt ldquoshellrdquo ndash where

14

From the official Postscript specification ldquo244 Using the Interpreter Interactivelyrdquo

Debugging is enabled on most PS instances

15

PS-executive

debug enabled

PS-executive

debug disabledNA

PSgt ldquoshellrdquo ndash how

16

Code demo ndash telnet 19216801 9100 and dump this

PSgt ldquoshellrdquo ndash how

17

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

18

We needed a PS-based firmware upload

19

This is too good to be truehellip

20

VxWorks API vx

DebugQA API QA

Logging API EventLog

BillingMeters API meter

Pump PWM pumppwm

RAMdisk API ramdisk

RAM API ram

Flash API flash

Memory dumping reveals computing secrets

21

Demo

22

Admin restriction fail to prevent memory dumping

23

Demo

24

Basic auth password can be dumped

25

1) Authorization Basic YWRtaW4yOhellip

2) HTTP11 200 OK

HTTPS IPsec secrets are ldquoleakyrdquo as wellhellip

26

0x66306630663066306630663066302222

Demo

27

Attacker has access to printed document details

28

Demo

29

Attacker has access to BSD-style socketshellip

30

Two-way BSD-style sockets communication

Analyzed MFP cannot protect effectively

31

Privilege level separation

Secure password setup

Secure (basic) auth

HTTPS IPSEC secrets protection

Network topology protection

In-memory document protection

Restrict sockets on unprivileged modules

Protection measures Fail warn ok

Plenty of Xerox printers share affected PS firmware update mechanism

32

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

33

Remote attacks can be used to extract data

34

Sent

by

email

Drive-

by

print

Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying

Print

attachment

Print

from

web

Malware exploits

internal netw or

extracts data

Spool

malicious

byte

stream

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Whatrsquos next solutions conclusions

35

Whatrsquos next PS + MSF + FS + Sockets = PWN

36

Solutions

37

Admins bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sanbox printers in your network bull Include MFPs in security audit lifecycle

Users bull Do not print from untrusted sources

Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs

Actor Suggested actions

Thanksresources

38

Personal thanks

Igor Marinescu MihaiSa Great logistic support and friendly help

Xerox Security Team Positive responses active mitigation

wwwtinajacom Insanely large free postscript resources dir

wwwanastigmatixnet Very good postscript resources

wwwacumentrainingcom Very good postscript resources

Take aways

39

Questions

Andrei Costin andreisrlabsde httpandreicostincompapers

Upcoming MFP attack could include viruses in Office and PS documents that extract organization data

Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching

MFPs are badly secured computing platforms with large abuse potential

Demo

40

Password setup is sniffed by the attacker

41

1) HTTP request ndash password clear text

2) HTTP reply

Demo

42

Attacker has access to network topology ndash no-scan

43

Quick Quiz

2

Which vendor do you think this talk is about

(ie Whose MFPs do you think are least secure)

Participating audience results

5 70 20

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

3

MFPs carry large abuse potential

4

MFP hacking goes back to the 1960rsquos

5

ldquoSpies in the Xerox machinerdquo

The ldquomicrordquo-film camera marked X

Patent drawing 1967

Electronicshardware hacking

Modern printer hacking goes back almost a decade

6

Broader amp deeper printer hacking (irongeek)

Initial printer hacks (FXpH)

2002 2006

Revived printer hacking interest

This talk focuses mainly on remote code execution inside MFPsprinters

2011

In 2010 we demorsquod mapping public MFPs

7

httpwwwyoutubecomwatchv=t44GibiCoCM

hellip and generic MFP payload delivery using Word

8

httpwwwyoutubecomwatchv=KrWFOo2RAnk (there are false claims of some guys)

hellip and generic MFP payload delivery using Java

9

httpwwwyoutubecomwatchv=JcfxvZml6-Y

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

10

PostScript who Itrsquos Adobersquos PDF big brother

11

Adobe is the dominant PS implementation

12

Adobe PS interpreters

Other PS interpreters

Distribution of Postscript interpreters

Source Adobe specification supplement note

PS is build to handle complex processing tasks

13

Graphics amp patterns Complex math Web servers

Ray-tracing OpenGL Milling machine XML Parsers

File systems IO subsystems

PSgt ldquoshellrdquo ndash where

14

From the official Postscript specification ldquo244 Using the Interpreter Interactivelyrdquo

Debugging is enabled on most PS instances

15

PS-executive

debug enabled

PS-executive

debug disabledNA

PSgt ldquoshellrdquo ndash how

16

Code demo ndash telnet 19216801 9100 and dump this

PSgt ldquoshellrdquo ndash how

17

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

18

We needed a PS-based firmware upload

19

This is too good to be truehellip

20

VxWorks API vx

DebugQA API QA

Logging API EventLog

BillingMeters API meter

Pump PWM pumppwm

RAMdisk API ramdisk

RAM API ram

Flash API flash

Memory dumping reveals computing secrets

21

Demo

22

Admin restriction fail to prevent memory dumping

23

Demo

24

Basic auth password can be dumped

25

1) Authorization Basic YWRtaW4yOhellip

2) HTTP11 200 OK

HTTPS IPsec secrets are ldquoleakyrdquo as wellhellip

26

0x66306630663066306630663066302222

Demo

27

Attacker has access to printed document details

28

Demo

29

Attacker has access to BSD-style socketshellip

30

Two-way BSD-style sockets communication

Analyzed MFP cannot protect effectively

31

Privilege level separation

Secure password setup

Secure (basic) auth

HTTPS IPSEC secrets protection

Network topology protection

In-memory document protection

Restrict sockets on unprivileged modules

Protection measures Fail warn ok

Plenty of Xerox printers share affected PS firmware update mechanism

32

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

33

Remote attacks can be used to extract data

34

Sent

by

email

Drive-

by

print

Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying

Print

attachment

Print

from

web

Malware exploits

internal netw or

extracts data

Spool

malicious

byte

stream

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Whatrsquos next solutions conclusions

35

Whatrsquos next PS + MSF + FS + Sockets = PWN

36

Solutions

37

Admins bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sanbox printers in your network bull Include MFPs in security audit lifecycle

Users bull Do not print from untrusted sources

Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs

Actor Suggested actions

Thanksresources

38

Personal thanks

Igor Marinescu MihaiSa Great logistic support and friendly help

Xerox Security Team Positive responses active mitigation

wwwtinajacom Insanely large free postscript resources dir

wwwanastigmatixnet Very good postscript resources

wwwacumentrainingcom Very good postscript resources

Take aways

39

Questions

Andrei Costin andreisrlabsde httpandreicostincompapers

Upcoming MFP attack could include viruses in Office and PS documents that extract organization data

Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching

MFPs are badly secured computing platforms with large abuse potential

Demo

40

Password setup is sniffed by the attacker

41

1) HTTP request ndash password clear text

2) HTTP reply

Demo

42

Attacker has access to network topology ndash no-scan

43

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

3

MFPs carry large abuse potential

4

MFP hacking goes back to the 1960rsquos

5

ldquoSpies in the Xerox machinerdquo

The ldquomicrordquo-film camera marked X

Patent drawing 1967

Electronicshardware hacking

Modern printer hacking goes back almost a decade

6

Broader amp deeper printer hacking (irongeek)

Initial printer hacks (FXpH)

2002 2006

Revived printer hacking interest

This talk focuses mainly on remote code execution inside MFPsprinters

2011

In 2010 we demorsquod mapping public MFPs

7

httpwwwyoutubecomwatchv=t44GibiCoCM

hellip and generic MFP payload delivery using Word

8

httpwwwyoutubecomwatchv=KrWFOo2RAnk (there are false claims of some guys)

hellip and generic MFP payload delivery using Java

9

httpwwwyoutubecomwatchv=JcfxvZml6-Y

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

10

PostScript who Itrsquos Adobersquos PDF big brother

11

Adobe is the dominant PS implementation

12

Adobe PS interpreters

Other PS interpreters

Distribution of Postscript interpreters

Source Adobe specification supplement note

PS is build to handle complex processing tasks

13

Graphics amp patterns Complex math Web servers

Ray-tracing OpenGL Milling machine XML Parsers

File systems IO subsystems

PSgt ldquoshellrdquo ndash where

14

From the official Postscript specification ldquo244 Using the Interpreter Interactivelyrdquo

Debugging is enabled on most PS instances

15

PS-executive

debug enabled

PS-executive

debug disabledNA

PSgt ldquoshellrdquo ndash how

16

Code demo ndash telnet 19216801 9100 and dump this

PSgt ldquoshellrdquo ndash how

17

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

18

We needed a PS-based firmware upload

19

This is too good to be truehellip

20

VxWorks API vx

DebugQA API QA

Logging API EventLog

BillingMeters API meter

Pump PWM pumppwm

RAMdisk API ramdisk

RAM API ram

Flash API flash

Memory dumping reveals computing secrets

21

Demo

22

Admin restriction fail to prevent memory dumping

23

Demo

24

Basic auth password can be dumped

25

1) Authorization Basic YWRtaW4yOhellip

2) HTTP11 200 OK

HTTPS IPsec secrets are ldquoleakyrdquo as wellhellip

26

0x66306630663066306630663066302222

Demo

27

Attacker has access to printed document details

28

Demo

29

Attacker has access to BSD-style socketshellip

30

Two-way BSD-style sockets communication

Analyzed MFP cannot protect effectively

31

Privilege level separation

Secure password setup

Secure (basic) auth

HTTPS IPSEC secrets protection

Network topology protection

In-memory document protection

Restrict sockets on unprivileged modules

Protection measures Fail warn ok

Plenty of Xerox printers share affected PS firmware update mechanism

32

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

33

Remote attacks can be used to extract data

34

Sent

by

email

Drive-

by

print

Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying

Print

attachment

Print

from

web

Malware exploits

internal netw or

extracts data

Spool

malicious

byte

stream

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Whatrsquos next solutions conclusions

35

Whatrsquos next PS + MSF + FS + Sockets = PWN

36

Solutions

37

Admins bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sanbox printers in your network bull Include MFPs in security audit lifecycle

Users bull Do not print from untrusted sources

Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs

Actor Suggested actions

Thanksresources

38

Personal thanks

Igor Marinescu MihaiSa Great logistic support and friendly help

Xerox Security Team Positive responses active mitigation

wwwtinajacom Insanely large free postscript resources dir

wwwanastigmatixnet Very good postscript resources

wwwacumentrainingcom Very good postscript resources

Take aways

39

Questions

Andrei Costin andreisrlabsde httpandreicostincompapers

Upcoming MFP attack could include viruses in Office and PS documents that extract organization data

Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching

MFPs are badly secured computing platforms with large abuse potential

Demo

40

Password setup is sniffed by the attacker

41

1) HTTP request ndash password clear text

2) HTTP reply

Demo

42

Attacker has access to network topology ndash no-scan

43

MFPs carry large abuse potential

4

MFP hacking goes back to the 1960rsquos

5

ldquoSpies in the Xerox machinerdquo

The ldquomicrordquo-film camera marked X

Patent drawing 1967

Electronicshardware hacking

Modern printer hacking goes back almost a decade

6

Broader amp deeper printer hacking (irongeek)

Initial printer hacks (FXpH)

2002 2006

Revived printer hacking interest

This talk focuses mainly on remote code execution inside MFPsprinters

2011

In 2010 we demorsquod mapping public MFPs

7

httpwwwyoutubecomwatchv=t44GibiCoCM

hellip and generic MFP payload delivery using Word

8

httpwwwyoutubecomwatchv=KrWFOo2RAnk (there are false claims of some guys)

hellip and generic MFP payload delivery using Java

9

httpwwwyoutubecomwatchv=JcfxvZml6-Y

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

10

PostScript who Itrsquos Adobersquos PDF big brother

11

Adobe is the dominant PS implementation

12

Adobe PS interpreters

Other PS interpreters

Distribution of Postscript interpreters

Source Adobe specification supplement note

PS is build to handle complex processing tasks

13

Graphics amp patterns Complex math Web servers

Ray-tracing OpenGL Milling machine XML Parsers

File systems IO subsystems

PSgt ldquoshellrdquo ndash where

14

From the official Postscript specification ldquo244 Using the Interpreter Interactivelyrdquo

Debugging is enabled on most PS instances

15

PS-executive

debug enabled

PS-executive

debug disabledNA

PSgt ldquoshellrdquo ndash how

16

Code demo ndash telnet 19216801 9100 and dump this

PSgt ldquoshellrdquo ndash how

17

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

18

We needed a PS-based firmware upload

19

This is too good to be truehellip

20

VxWorks API vx

DebugQA API QA

Logging API EventLog

BillingMeters API meter

Pump PWM pumppwm

RAMdisk API ramdisk

RAM API ram

Flash API flash

Memory dumping reveals computing secrets

21

Demo

22

Admin restriction fail to prevent memory dumping

23

Demo

24

Basic auth password can be dumped

25

1) Authorization Basic YWRtaW4yOhellip

2) HTTP11 200 OK

HTTPS IPsec secrets are ldquoleakyrdquo as wellhellip

26

0x66306630663066306630663066302222

Demo

27

Attacker has access to printed document details

28

Demo

29

Attacker has access to BSD-style socketshellip

30

Two-way BSD-style sockets communication

Analyzed MFP cannot protect effectively

31

Privilege level separation

Secure password setup

Secure (basic) auth

HTTPS IPSEC secrets protection

Network topology protection

In-memory document protection

Restrict sockets on unprivileged modules

Protection measures Fail warn ok

Plenty of Xerox printers share affected PS firmware update mechanism

32

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

33

Remote attacks can be used to extract data

34

Sent

by

email

Drive-

by

print

Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying

Print

attachment

Print

from

web

Malware exploits

internal netw or

extracts data

Spool

malicious

byte

stream

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Whatrsquos next solutions conclusions

35

Whatrsquos next PS + MSF + FS + Sockets = PWN

36

Solutions

37

Admins bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sanbox printers in your network bull Include MFPs in security audit lifecycle

Users bull Do not print from untrusted sources

Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs

Actor Suggested actions

Thanksresources

38

Personal thanks

Igor Marinescu MihaiSa Great logistic support and friendly help

Xerox Security Team Positive responses active mitigation

wwwtinajacom Insanely large free postscript resources dir

wwwanastigmatixnet Very good postscript resources

wwwacumentrainingcom Very good postscript resources

Take aways

39

Questions

Andrei Costin andreisrlabsde httpandreicostincompapers

Upcoming MFP attack could include viruses in Office and PS documents that extract organization data

Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching

MFPs are badly secured computing platforms with large abuse potential

Demo

40

Password setup is sniffed by the attacker

41

1) HTTP request ndash password clear text

2) HTTP reply

Demo

42

Attacker has access to network topology ndash no-scan

43

MFP hacking goes back to the 1960rsquos

5

ldquoSpies in the Xerox machinerdquo

The ldquomicrordquo-film camera marked X

Patent drawing 1967

Electronicshardware hacking

Modern printer hacking goes back almost a decade

6

Broader amp deeper printer hacking (irongeek)

Initial printer hacks (FXpH)

2002 2006

Revived printer hacking interest

This talk focuses mainly on remote code execution inside MFPsprinters

2011

In 2010 we demorsquod mapping public MFPs

7

httpwwwyoutubecomwatchv=t44GibiCoCM

hellip and generic MFP payload delivery using Word

8

httpwwwyoutubecomwatchv=KrWFOo2RAnk (there are false claims of some guys)

hellip and generic MFP payload delivery using Java

9

httpwwwyoutubecomwatchv=JcfxvZml6-Y

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

10

PostScript who Itrsquos Adobersquos PDF big brother

11

Adobe is the dominant PS implementation

12

Adobe PS interpreters

Other PS interpreters

Distribution of Postscript interpreters

Source Adobe specification supplement note

PS is build to handle complex processing tasks

13

Graphics amp patterns Complex math Web servers

Ray-tracing OpenGL Milling machine XML Parsers

File systems IO subsystems

PSgt ldquoshellrdquo ndash where

14

From the official Postscript specification ldquo244 Using the Interpreter Interactivelyrdquo

Debugging is enabled on most PS instances

15

PS-executive

debug enabled

PS-executive

debug disabledNA

PSgt ldquoshellrdquo ndash how

16

Code demo ndash telnet 19216801 9100 and dump this

PSgt ldquoshellrdquo ndash how

17

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

18

We needed a PS-based firmware upload

19

This is too good to be truehellip

20

VxWorks API vx

DebugQA API QA

Logging API EventLog

BillingMeters API meter

Pump PWM pumppwm

RAMdisk API ramdisk

RAM API ram

Flash API flash

Memory dumping reveals computing secrets

21

Demo

22

Admin restriction fail to prevent memory dumping

23

Demo

24

Basic auth password can be dumped

25

1) Authorization Basic YWRtaW4yOhellip

2) HTTP11 200 OK

HTTPS IPsec secrets are ldquoleakyrdquo as wellhellip

26

0x66306630663066306630663066302222

Demo

27

Attacker has access to printed document details

28

Demo

29

Attacker has access to BSD-style socketshellip

30

Two-way BSD-style sockets communication

Analyzed MFP cannot protect effectively

31

Privilege level separation

Secure password setup

Secure (basic) auth

HTTPS IPSEC secrets protection

Network topology protection

In-memory document protection

Restrict sockets on unprivileged modules

Protection measures Fail warn ok

Plenty of Xerox printers share affected PS firmware update mechanism

32

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

33

Remote attacks can be used to extract data

34

Sent

by

email

Drive-

by

print

Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying

Print

attachment

Print

from

web

Malware exploits

internal netw or

extracts data

Spool

malicious

byte

stream

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Whatrsquos next solutions conclusions

35

Whatrsquos next PS + MSF + FS + Sockets = PWN

36

Solutions

37

Admins bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sanbox printers in your network bull Include MFPs in security audit lifecycle

Users bull Do not print from untrusted sources

Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs

Actor Suggested actions

Thanksresources

38

Personal thanks

Igor Marinescu MihaiSa Great logistic support and friendly help

Xerox Security Team Positive responses active mitigation

wwwtinajacom Insanely large free postscript resources dir

wwwanastigmatixnet Very good postscript resources

wwwacumentrainingcom Very good postscript resources

Take aways

39

Questions

Andrei Costin andreisrlabsde httpandreicostincompapers

Upcoming MFP attack could include viruses in Office and PS documents that extract organization data

Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching

MFPs are badly secured computing platforms with large abuse potential

Demo

40

Password setup is sniffed by the attacker

41

1) HTTP request ndash password clear text

2) HTTP reply

Demo

42

Attacker has access to network topology ndash no-scan

43

Modern printer hacking goes back almost a decade (slide 6)

2002: initial printer hacks (FX/pH)
2006: broader & deeper printer hacking (irongeek)
2011: revived printer hacking interest
This talk focuses mainly on remote code execution inside MFPs/printers.

In 2010 we demo'd mapping public MFPs (slide 7)

http://www.youtube.com/watch?v=t44GibiCoCM

… and generic MFP payload delivery using Word (slide 8)

http://www.youtube.com/watch?v=KrWFOo2RAnk (there are false claims by some guys)

… and generic MFP payload delivery using Java (slide 9)

http://www.youtube.com/watch?v=JcfxvZml6-Y

Agenda (slide 10)

1 Quick refresher
2 What about PostScript?
3 So what, and how did you find it?
4 Attacks in a nutshell
5 Solutions and conclusions

PostScript, who? It's Adobe's PDF big brother (slide 11)

Adobe is the dominant PS implementation (slide 12)

[Chart: distribution of PostScript interpreters, Adobe PS interpreters vs. other PS interpreters. Source: Adobe specification supplement note.]

PS is built to handle complex processing tasks (slide 13)

Graphics & patterns, complex math, web servers, ray-tracing, OpenGL, milling machines, XML parsers, file systems, I/O subsystems.

PS> "shell" – where? (slide 14)

From the official PostScript specification: "2.4.4 Using the Interpreter Interactively".

Debugging is enabled on most PS instances (slide 15)

[Chart: PS executive with debug enabled vs. PS executive with debug disabled/N/A.]

PS> "shell" – how? (slide 16)

Code demo – telnet 192.168.0.1 9100 and dump this.

PS> "shell" – how? (slide 17)

Agenda (slide 18)

1 Quick refresher
2 What about PostScript?
3 So what, and how did you find it?
4 Attacks in a nutshell
5 Solutions and conclusions

We needed a PS-based firmware upload (slide 19)

This is too good to be true… (slide 20)

Super-APIs found (API: PostScript name):
• VxWorks API: vx
• Debug/QA API: QA
• Logging API: EventLog
• Billing/Meters API: meter
• Pump PWM: pumppwm
• RAMdisk API: ramdisk
• RAM API: ram
• Flash API: flash
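A spool-side check for the PS> executive (slides 14–17) and the slide-20 API names, as an added example rather than code from the talk: a print server sitting in front of the MFP's TCP 9100 listener can tokenize each raw PostScript job and refuse those that reference `executive` or the vendor dictionaries. Assumptions: the PJL-envelope handling, the two sample jobs and the rejection policy are constructed here; the name list is the talk's own and would be tuned per fleet.

```python
# Spool-side inspector for raw PostScript jobs, e.g. on a print server placed
# in front of the MFP's TCP 9100 listener. Added example; not code from the talk.
# The name list is the talk's own (slides 14-17 and 20); the jobs are constructed.

# Names a print job has no business using: 'executive' opens the interactive
# PS> shell (PLRM 2.4.4), the rest are the vendor API dictionaries of slide 20.
SUSPICIOUS_NAMES = {
    "executive": "interactive PostScript executive (PS> shell)",
    "vx": "VxWorks API", "QA": "debug/QA API", "EventLog": "logging API",
    "meter": "billing meters API", "pumppwm": "pump PWM control",
    "ramdisk": "RAM disk API", "ram": "RAM API", "flash": "flash API",
}
# Operators that build names or procedures at run time can hide the names
# above from a static scan; they are reported separately for manual review.
DYNAMIC_NAMES = {"cvn", "cvx", "exec", "token"}

UEL = b"\x1b%-12345X"                  # PJL universal exit language
DELIMS = set(b"()<>[]{}/%")
SPACE = set(b" \t\r\n\f\x00")


def strip_pjl(data: bytes) -> bytes:
    """Drop a leading PJL envelope (UEL followed by @PJL lines)."""
    if not data.startswith(UEL):
        return data
    i = len(UEL)
    while data.startswith(b"@PJL", i):
        nl = data.find(b"\n", i)
        i = len(data) if nl < 0 else nl + 1
    return data[i:]


def tokenize(data: bytes):
    """Yield (kind, name) for each name token: 'exec' for a bare name, 'literal'
    for /name or //name. Comments, (...) strings with nesting and backslash
    escapes, <hex> and <~ASCII85~> strings are consumed but never yielded, so a
    string such as (Executive summary) cannot produce a finding."""
    i, n = 0, len(data)
    while i < n:
        c = data[i]
        if c in SPACE:
            i += 1
        elif c == 0x25:                        # '%' comment to end of line
            while i < n and data[i] not in b"\r\n":
                i += 1
        elif c == 0x28:                        # '(' literal string
            depth, i = 1, i + 1
            while i < n and depth:
                if data[i] == 0x5C:            # backslash escape
                    i += 2
                    continue
                depth += (data[i] == 0x28) - (data[i] == 0x29)
                i += 1
        elif c == 0x3C:                        # '<'
            if data.startswith(b"<<", i):      # dictionary start
                i += 2
            else:                              # hex or ASCII85 string
                close = b"~>" if data.startswith(b"<~", i) else b">"
                end = data.find(close, i + 1)
                i = n if end < 0 else end + len(close)
        elif c == 0x2F or c not in DELIMS:     # '/name', '//name' or bare name
            kind = "exec"
            if c == 0x2F:
                kind, i = "literal", i + 1
                if data.startswith(b"/", i):   # immediately evaluated name
                    i += 1
            start = i
            while i < n and data[i] not in SPACE and data[i] not in DELIMS:
                i += 1
            if i > start:
                yield kind, data[start:i].decode("latin-1")
        else:                                  # ) > [ ] { } single-char tokens
            i += 1


def inspect_job(raw: bytes) -> dict:
    """Classify one spooled job; 'reject' is True when a suspicious name appears."""
    ps = strip_pjl(raw)
    names = list(tokenize(ps))
    findings = [(name, kind, SUSPICIOUS_NAMES[name])
                for kind, name in names if name in SUSPICIOUS_NAMES]
    return {
        "is_postscript": ps.lstrip().startswith(b"%!"),
        "findings": findings,
        "dynamic_names": sorted({nm for _, nm in names if nm in DYNAMIC_NAMES}),
        "reject": bool(findings),
    }


# Constructed samples: an ordinary text page, and a PJL-wrapped job that calls
# the executive and touches the flash dictionary.
BENIGN_JOB = (b"%!PS-Adobe-3.0\n/Helvetica findfont 12 scalefont setfont\n"
              b"72 720 moveto (Executive summary (Q3) \\(draft\\)) show\n"
              b"<< /PageSize [612 792] >> setpagedevice\nshowpage\n")
SUSPICIOUS_JOB = (b"\x1b%-12345X@PJL ENTER LANGUAGE = POSTSCRIPT\r\n"
                  b"%!PS\n% a comment mentioning executive is harmless\n"
                  b"executive\n/flash load begin\n")

if __name__ == "__main__":
    for label, job in (("benign", BENIGN_JOB), ("suspicious", SUSPICIOUS_JOB)):
        print(label, inspect_job(job))
```

A non-empty `dynamic_names` list is a review hint, not a verdict: legitimate driver prologs use `exec`, while a job that assembles names at run time would slip past the static list.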

Memory dumping reveals computing secrets (slide 21)

Demo (slide 22)

Admin restriction fails to prevent memory dumping (slide 23)

Demo (slide 24)

Basic auth password can be dumped (slide 25)

1) Authorization: Basic YWRtaW4yO…
2) HTTP/1.1 200 OK

HTTPS/IPsec secrets are "leaky" as well… (slide 26)

0x66306630663066306630663066302222

Demo (slide 27)

Attacker has access to printed document details (slide 28)

Demo (slide 29)

Attacker has access to BSD-style sockets… (slide 30)

Two-way BSD-style sockets communication.

Analyzed MFP cannot protect effectively (slide 31)

Protection measures (each rated fail / warn / ok on the slide):
• Privilege level separation
• Secure password setup
• Secure (basic) auth
• HTTPS/IPsec secrets protection
• Network topology protection
• In-memory document protection
• Restrict sockets on unprivileged modules

Plenty of Xerox printers share the affected PS firmware update mechanism (slide 32)

Agenda (slide 33)

1 Quick refresher
2 What about PostScript?
3 So what, and how did you find it?
4 Attacks in a nutshell
5 Solutions and conclusions

Remote attacks can be used to extract data (slide 34)

Stage 1 – SocEng: sent by email; drive-by print
Stage 2 – Printing: print attachment; print from web
Stage 3 – Exploiting/spying: spool malicious byte stream; malware exploits internal network or extracts data

Agenda (slide 35)

1 Quick refresher
2 What about PostScript?
3 So what, and how did you find it?
4 Attacks in a nutshell
5 What's next, solutions, conclusions

What's next? PS + MSF + FS + Sockets = PWN (slide 36)

Solutions (slide 37)

Actor: suggested actions
• Admins: disable Language Operator Authorization; look for security bulletins and patch; sandbox printers in your network; include MFPs in the security audit lifecycle
• Users: do not print from untrusted sources
• Vendors: create realistic MFP threat models; do not enable/expose super-APIs

Thanks/resources (slide 38)

Personal thanks:
• Igor Marinescu, MihaiSa – great logistic support and friendly help
• Xerox Security Team – positive responses, active mitigation
• www.tinaja.com – insanely large free PostScript resources dir
• www.anastigmatix.net – very good PostScript resources
• www.acumentraining.com – very good PostScript resources

Take-aways (slide 39)

• MFPs are badly secured computing platforms with large abuse potential.
• Securing the MFP infrastructure requires better segmentation, strong credentials and continuous vulnerability patching.
• Upcoming MFP attacks could include viruses in Office and PS documents that extract organization data.

Questions? Andrei Costin, andrei@srlabs.de, http://andreicostin.com/papers

Demo (slide 40)

Password setup is sniffed by the attacker (slide 41)

1) HTTP request – password in clear text
2) HTTP reply

Demo (slide 42)

Attacker has access to network topology – no-scan (slide 43)

In 2010 we demorsquod mapping public MFPs

7

httpwwwyoutubecomwatchv=t44GibiCoCM

hellip and generic MFP payload delivery using Word

8

httpwwwyoutubecomwatchv=KrWFOo2RAnk (there are false claims of some guys)

hellip and generic MFP payload delivery using Java

9

httpwwwyoutubecomwatchv=JcfxvZml6-Y

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

10

PostScript who Itrsquos Adobersquos PDF big brother

11

Adobe is the dominant PS implementation

12

Adobe PS interpreters

Other PS interpreters

Distribution of Postscript interpreters

Source Adobe specification supplement note

PS is build to handle complex processing tasks

13

Graphics amp patterns Complex math Web servers

Ray-tracing OpenGL Milling machine XML Parsers

File systems IO subsystems

PSgt ldquoshellrdquo ndash where

14

From the official Postscript specification ldquo244 Using the Interpreter Interactivelyrdquo

Debugging is enabled on most PS instances

15

PS-executive

debug enabled

PS-executive

debug disabledNA

PSgt ldquoshellrdquo ndash how

16

Code demo ndash telnet 19216801 9100 and dump this

PSgt ldquoshellrdquo ndash how

17

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

18

We needed a PS-based firmware upload

19

This is too good to be truehellip

20

VxWorks API vx

DebugQA API QA

Logging API EventLog

BillingMeters API meter

Pump PWM pumppwm

RAMdisk API ramdisk

RAM API ram

Flash API flash

Memory dumping reveals computing secrets

21

Demo

22

Admin restriction fail to prevent memory dumping

23

Demo

24

Basic auth password can be dumped

25

1) Authorization Basic YWRtaW4yOhellip

2) HTTP11 200 OK

HTTPS IPsec secrets are ldquoleakyrdquo as wellhellip

26

0x66306630663066306630663066302222

Demo

27

Attacker has access to printed document details

28

Demo

29

Attacker has access to BSD-style socketshellip

30

Two-way BSD-style sockets communication

Analyzed MFP cannot protect effectively

31

Privilege level separation

Secure password setup

Secure (basic) auth

HTTPS IPSEC secrets protection

Network topology protection

In-memory document protection

Restrict sockets on unprivileged modules

Protection measures Fail warn ok

Plenty of Xerox printers share affected PS firmware update mechanism

32

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

33

Remote attacks can be used to extract data

34

Sent

by

email

Drive-

by

print

Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying

Print

attachment

Print

from

web

Malware exploits

internal netw or

extracts data

Spool

malicious

byte

stream

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Whatrsquos next solutions conclusions

35

Whatrsquos next PS + MSF + FS + Sockets = PWN

36

Solutions

37

Admins bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sanbox printers in your network bull Include MFPs in security audit lifecycle

Users bull Do not print from untrusted sources

Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs

Actor Suggested actions

Thanksresources

38

Personal thanks

Igor Marinescu MihaiSa Great logistic support and friendly help

Xerox Security Team Positive responses active mitigation

wwwtinajacom Insanely large free postscript resources dir

wwwanastigmatixnet Very good postscript resources

wwwacumentrainingcom Very good postscript resources

Take aways

39

Questions

Andrei Costin andreisrlabsde httpandreicostincompapers

Upcoming MFP attack could include viruses in Office and PS documents that extract organization data

Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching

MFPs are badly secured computing platforms with large abuse potential

Demo

40

Password setup is sniffed by the attacker

41

1) HTTP request ndash password clear text

2) HTTP reply

Demo

42

Attacker has access to network topology ndash no-scan

43

hellip and generic MFP payload delivery using Word

8

httpwwwyoutubecomwatchv=KrWFOo2RAnk (there are false claims of some guys)

hellip and generic MFP payload delivery using Java

9

httpwwwyoutubecomwatchv=JcfxvZml6-Y

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

10

PostScript who Itrsquos Adobersquos PDF big brother

11

Adobe is the dominant PS implementation

12

Adobe PS interpreters

Other PS interpreters

Distribution of Postscript interpreters

Source Adobe specification supplement note

PS is build to handle complex processing tasks

13

Graphics amp patterns Complex math Web servers

Ray-tracing OpenGL Milling machine XML Parsers

File systems IO subsystems

PSgt ldquoshellrdquo ndash where

14

From the official Postscript specification ldquo244 Using the Interpreter Interactivelyrdquo

Debugging is enabled on most PS instances

15

PS-executive

debug enabled

PS-executive

debug disabledNA

PSgt ldquoshellrdquo ndash how

16

Code demo ndash telnet 19216801 9100 and dump this

PSgt ldquoshellrdquo ndash how

17

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

18

We needed a PS-based firmware upload

19

This is too good to be truehellip

20

VxWorks API vx

DebugQA API QA

Logging API EventLog

BillingMeters API meter

Pump PWM pumppwm

RAMdisk API ramdisk

RAM API ram

Flash API flash

Memory dumping reveals computing secrets

21

Demo

22

Admin restriction fail to prevent memory dumping

23

Demo

24

Basic auth password can be dumped

25

1) Authorization Basic YWRtaW4yOhellip

2) HTTP11 200 OK

HTTPS IPsec secrets are ldquoleakyrdquo as wellhellip

26

0x66306630663066306630663066302222

Demo

27

Attacker has access to printed document details

28

Demo

29

Attacker has access to BSD-style socketshellip

30

Two-way BSD-style sockets communication

Analyzed MFP cannot protect effectively

31

Privilege level separation

Secure password setup

Secure (basic) auth

HTTPS IPSEC secrets protection

Network topology protection

In-memory document protection

Restrict sockets on unprivileged modules

Protection measures Fail warn ok

Plenty of Xerox printers share affected PS firmware update mechanism

32

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

33

Remote attacks can be used to extract data

34

Sent

by

email

Drive-

by

print

Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying

Print

attachment

Print

from

web

Malware exploits

internal netw or

extracts data

Spool

malicious

byte

stream

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Whatrsquos next solutions conclusions

35

Whatrsquos next PS + MSF + FS + Sockets = PWN

36

Solutions

37

Admins bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sanbox printers in your network bull Include MFPs in security audit lifecycle

Users bull Do not print from untrusted sources

Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs

Actor Suggested actions

Thanksresources

38

Personal thanks

Igor Marinescu MihaiSa Great logistic support and friendly help

Xerox Security Team Positive responses active mitigation

wwwtinajacom Insanely large free postscript resources dir

wwwanastigmatixnet Very good postscript resources

wwwacumentrainingcom Very good postscript resources

Take aways

39

Questions

Andrei Costin andreisrlabsde httpandreicostincompapers

Upcoming MFP attack could include viruses in Office and PS documents that extract organization data

Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching

MFPs are badly secured computing platforms with large abuse potential

Demo

40

Password setup is sniffed by the attacker

41

1) HTTP request ndash password clear text

2) HTTP reply

Demo

42

Attacker has access to network topology ndash no-scan

43

hellip and generic MFP payload delivery using Java

9

httpwwwyoutubecomwatchv=JcfxvZml6-Y

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

10

PostScript who Itrsquos Adobersquos PDF big brother

11

Adobe is the dominant PS implementation

12

Adobe PS interpreters

Other PS interpreters

Distribution of Postscript interpreters

Source Adobe specification supplement note

PS is build to handle complex processing tasks

13

Graphics amp patterns Complex math Web servers

Ray-tracing OpenGL Milling machine XML Parsers

File systems IO subsystems

PSgt ldquoshellrdquo ndash where

14

From the official Postscript specification ldquo244 Using the Interpreter Interactivelyrdquo

Debugging is enabled on most PS instances

15

PS-executive

debug enabled

PS-executive

debug disabledNA

PSgt ldquoshellrdquo ndash how

16

Code demo ndash telnet 19216801 9100 and dump this

PSgt ldquoshellrdquo ndash how

17

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

18

We needed a PS-based firmware upload

19

This is too good to be truehellip

20

VxWorks API vx

DebugQA API QA

Logging API EventLog

BillingMeters API meter

Pump PWM pumppwm

RAMdisk API ramdisk

RAM API ram

Flash API flash

Memory dumping reveals computing secrets

21

Demo

22

Admin restriction fail to prevent memory dumping

23

Demo

24

Basic auth password can be dumped

25

1) Authorization Basic YWRtaW4yOhellip

2) HTTP11 200 OK

HTTPS IPsec secrets are ldquoleakyrdquo as wellhellip

26

0x66306630663066306630663066302222

Demo

27

Attacker has access to printed document details

28

Demo

29

Attacker has access to BSD-style socketshellip

30

Two-way BSD-style sockets communication

Analyzed MFP cannot protect effectively

31

Privilege level separation

Secure password setup

Secure (basic) auth

HTTPS IPSEC secrets protection

Network topology protection

In-memory document protection

Restrict sockets on unprivileged modules

Protection measures Fail warn ok

Plenty of Xerox printers share affected PS firmware update mechanism

32

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

33

Remote attacks can be used to extract data

34

Sent

by

email

Drive-

by

print

Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying

Print

attachment

Print

from

web

Malware exploits

internal netw or

extracts data

Spool

malicious

byte

stream

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Whatrsquos next solutions conclusions

35

Whatrsquos next PS + MSF + FS + Sockets = PWN

36

Solutions

37

Admins bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sanbox printers in your network bull Include MFPs in security audit lifecycle

Users bull Do not print from untrusted sources

Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs

Actor Suggested actions

Thanksresources

38

Personal thanks

Igor Marinescu MihaiSa Great logistic support and friendly help

Xerox Security Team Positive responses active mitigation

wwwtinajacom Insanely large free postscript resources dir

wwwanastigmatixnet Very good postscript resources

wwwacumentrainingcom Very good postscript resources

Take aways

39

Questions

Andrei Costin andreisrlabsde httpandreicostincompapers

Upcoming MFP attack could include viruses in Office and PS documents that extract organization data

Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching

MFPs are badly secured computing platforms with large abuse potential

Demo

40

Password setup is sniffed by the attacker

41

1) HTTP request ndash password clear text

2) HTTP reply

Demo

42

Attacker has access to network topology ndash no-scan

43

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

10

PostScript who Itrsquos Adobersquos PDF big brother

11

Adobe is the dominant PS implementation

12

Adobe PS interpreters

Other PS interpreters

Distribution of Postscript interpreters

Source Adobe specification supplement note

PS is build to handle complex processing tasks

13

Graphics amp patterns Complex math Web servers

Ray-tracing OpenGL Milling machine XML Parsers

File systems IO subsystems

PSgt ldquoshellrdquo ndash where

14

From the official Postscript specification ldquo244 Using the Interpreter Interactivelyrdquo

Debugging is enabled on most PS instances

15

PS-executive

debug enabled

PS-executive

debug disabledNA

PSgt ldquoshellrdquo ndash how

16

Code demo ndash telnet 19216801 9100 and dump this

PSgt ldquoshellrdquo ndash how

17

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

18

We needed a PS-based firmware upload

19

This is too good to be truehellip

20

VxWorks API vx

DebugQA API QA

Logging API EventLog

BillingMeters API meter

Pump PWM pumppwm

RAMdisk API ramdisk

RAM API ram

Flash API flash

Memory dumping reveals computing secrets

21

Demo

22

Admin restriction fail to prevent memory dumping

23

Demo

24

Basic auth password can be dumped

25

1) Authorization Basic YWRtaW4yOhellip

2) HTTP11 200 OK

HTTPS IPsec secrets are ldquoleakyrdquo as wellhellip

26

0x66306630663066306630663066302222

Demo

27

Attacker has access to printed document details

28

Demo

29

Attacker has access to BSD-style socketshellip

30

Two-way BSD-style sockets communication

Analyzed MFP cannot protect effectively

31

Privilege level separation

Secure password setup

Secure (basic) auth

HTTPS IPSEC secrets protection

Network topology protection

In-memory document protection

Restrict sockets on unprivileged modules

Protection measures Fail warn ok

Plenty of Xerox printers share affected PS firmware update mechanism

32

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

33

Remote attacks can be used to extract data

34

Sent

by

email

Drive-

by

print

Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying

Print

attachment

Print

from

web

Malware exploits

internal netw or

extracts data

Spool

malicious

byte

stream

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Whatrsquos next solutions conclusions

35

Whatrsquos next PS + MSF + FS + Sockets = PWN

36

Solutions

37

Admins bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sanbox printers in your network bull Include MFPs in security audit lifecycle

Users bull Do not print from untrusted sources

Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs

Actor Suggested actions

Thanksresources

38

Personal thanks

Igor Marinescu MihaiSa Great logistic support and friendly help

Xerox Security Team Positive responses active mitigation

wwwtinajacom Insanely large free postscript resources dir

wwwanastigmatixnet Very good postscript resources

wwwacumentrainingcom Very good postscript resources

Take aways

39

Questions

Andrei Costin andreisrlabsde httpandreicostincompapers

Upcoming MFP attack could include viruses in Office and PS documents that extract organization data

Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching

MFPs are badly secured computing platforms with large abuse potential

Demo

40

Password setup is sniffed by the attacker

41

1) HTTP request ndash password clear text

2) HTTP reply

Demo

42

Attacker has access to network topology ndash no-scan

43

PostScript who Itrsquos Adobersquos PDF big brother

11

Adobe is the dominant PS implementation

12

Adobe PS interpreters

Other PS interpreters

Distribution of Postscript interpreters

Source Adobe specification supplement note

PS is build to handle complex processing tasks

13

Graphics amp patterns Complex math Web servers

Ray-tracing OpenGL Milling machine XML Parsers

File systems IO subsystems

PSgt ldquoshellrdquo ndash where

14

From the official Postscript specification ldquo244 Using the Interpreter Interactivelyrdquo

Debugging is enabled on most PS instances

15

PS-executive

debug enabled

PS-executive

debug disabledNA

PSgt ldquoshellrdquo ndash how

16

Code demo ndash telnet 19216801 9100 and dump this

PSgt ldquoshellrdquo ndash how

17

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

18

We needed a PS-based firmware upload

19

This is too good to be truehellip

20

VxWorks API vx

DebugQA API QA

Logging API EventLog

BillingMeters API meter

Pump PWM pumppwm

RAMdisk API ramdisk

RAM API ram

Flash API flash

Memory dumping reveals computing secrets

21

Demo

22

Admin restriction fail to prevent memory dumping

23

Demo

24

Basic auth password can be dumped

25

1) Authorization Basic YWRtaW4yOhellip

2) HTTP11 200 OK

HTTPS IPsec secrets are ldquoleakyrdquo as wellhellip

26

0x66306630663066306630663066302222

Demo

27

Attacker has access to printed document details

28

Demo

29

Attacker has access to BSD-style socketshellip

30

Two-way BSD-style sockets communication

Analyzed MFP cannot protect effectively

31

Privilege level separation

Secure password setup

Secure (basic) auth

HTTPS IPSEC secrets protection

Network topology protection

In-memory document protection

Restrict sockets on unprivileged modules

Protection measures Fail warn ok

Plenty of Xerox printers share affected PS firmware update mechanism

32

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

33

Remote attacks can be used to extract data

34

Sent

by

email

Drive-

by

print

Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying

Print

attachment

Print

from

web

Malware exploits

internal netw or

extracts data

Spool

malicious

byte

stream

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Whatrsquos next solutions conclusions

35

Whatrsquos next PS + MSF + FS + Sockets = PWN

36

Solutions

37

Admins bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sanbox printers in your network bull Include MFPs in security audit lifecycle

Users bull Do not print from untrusted sources

Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs

Actor Suggested actions

Thanksresources

38

Personal thanks

Igor Marinescu MihaiSa Great logistic support and friendly help

Xerox Security Team Positive responses active mitigation

wwwtinajacom Insanely large free postscript resources dir

wwwanastigmatixnet Very good postscript resources

wwwacumentrainingcom Very good postscript resources

Take aways

39

Questions

Andrei Costin andreisrlabsde httpandreicostincompapers

Upcoming MFP attack could include viruses in Office and PS documents that extract organization data

Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching

MFPs are badly secured computing platforms with large abuse potential

Demo

40

Password setup is sniffed by the attacker

41

1) HTTP request ndash password clear text

2) HTTP reply

Demo

42

Attacker has access to network topology ndash no-scan

43

Adobe is the dominant PS implementation

12

Adobe PS interpreters

Other PS interpreters

Distribution of Postscript interpreters

Source Adobe specification supplement note

PS is build to handle complex processing tasks

13

Graphics amp patterns Complex math Web servers

Ray-tracing OpenGL Milling machine XML Parsers

File systems IO subsystems

PSgt ldquoshellrdquo ndash where

14

From the official Postscript specification ldquo244 Using the Interpreter Interactivelyrdquo

Debugging is enabled on most PS instances

15

PS-executive

debug enabled

PS-executive

debug disabledNA

PSgt ldquoshellrdquo ndash how

16

Code demo ndash telnet 19216801 9100 and dump this

PSgt ldquoshellrdquo ndash how

17

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

18

We needed a PS-based firmware upload

19

This is too good to be truehellip

20

VxWorks API vx

DebugQA API QA

Logging API EventLog

BillingMeters API meter

Pump PWM pumppwm

RAMdisk API ramdisk

RAM API ram

Flash API flash

Memory dumping reveals computing secrets

21

Demo

22

Admin restriction fail to prevent memory dumping

23

Demo

24

Basic auth password can be dumped

25

1) Authorization Basic YWRtaW4yOhellip

2) HTTP11 200 OK

HTTPS IPsec secrets are ldquoleakyrdquo as wellhellip

26

0x66306630663066306630663066302222

Demo

27

Attacker has access to printed document details

28

Demo

29

Attacker has access to BSD-style socketshellip

30

Two-way BSD-style sockets communication

Analyzed MFP cannot protect effectively

31

Privilege level separation

Secure password setup

Secure (basic) auth

HTTPS IPSEC secrets protection

Network topology protection

In-memory document protection

Restrict sockets on unprivileged modules

Protection measures Fail warn ok

Plenty of Xerox printers share affected PS firmware update mechanism

32

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

33

Remote attacks can be used to extract data

34

Sent

by

email

Drive-

by

print

Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying

Print

attachment

Print

from

web

Malware exploits

internal netw or

extracts data

Spool

malicious

byte

stream

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Whatrsquos next solutions conclusions

35

Whatrsquos next PS + MSF + FS + Sockets = PWN

36

Solutions

37

Admins bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sanbox printers in your network bull Include MFPs in security audit lifecycle

Users bull Do not print from untrusted sources

Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs

Actor Suggested actions

Thanksresources

38

Personal thanks

Igor Marinescu MihaiSa Great logistic support and friendly help

Xerox Security Team Positive responses active mitigation

wwwtinajacom Insanely large free postscript resources dir

wwwanastigmatixnet Very good postscript resources

wwwacumentrainingcom Very good postscript resources

Take aways

39

Questions

Andrei Costin andreisrlabsde httpandreicostincompapers

Upcoming MFP attack could include viruses in Office and PS documents that extract organization data

Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching

MFPs are badly secured computing platforms with large abuse potential

Demo

40

Password setup is sniffed by the attacker

41

1) HTTP request ndash password clear text

2) HTTP reply

Demo

42

Attacker has access to network topology ndash no-scan

43

PS is build to handle complex processing tasks

13

Graphics amp patterns Complex math Web servers

Ray-tracing OpenGL Milling machine XML Parsers

File systems IO subsystems

PSgt ldquoshellrdquo ndash where

14

From the official Postscript specification ldquo244 Using the Interpreter Interactivelyrdquo

Debugging is enabled on most PS instances

15

PS-executive

debug enabled

PS-executive

debug disabledNA

PSgt ldquoshellrdquo ndash how

16

Code demo ndash telnet 19216801 9100 and dump this

PSgt ldquoshellrdquo ndash how

17

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

18

We needed a PS-based firmware upload

19

This is too good to be truehellip

20

VxWorks API vx

DebugQA API QA

Logging API EventLog

BillingMeters API meter

Pump PWM pumppwm

RAMdisk API ramdisk

RAM API ram

Flash API flash

Memory dumping reveals computing secrets

21

Demo

22

Admin restriction fail to prevent memory dumping

23

Demo

24

Basic auth password can be dumped

25

1) Authorization Basic YWRtaW4yOhellip

2) HTTP11 200 OK

HTTPS IPsec secrets are ldquoleakyrdquo as wellhellip

26

0x66306630663066306630663066302222

Demo

27

Attacker has access to printed document details

28

Demo

29

Attacker has access to BSD-style socketshellip

30

Two-way BSD-style sockets communication

Analyzed MFP cannot protect effectively

31

Privilege level separation

Secure password setup

Secure (basic) auth

HTTPS IPSEC secrets protection

Network topology protection

In-memory document protection

Restrict sockets on unprivileged modules

Protection measures Fail warn ok

Plenty of Xerox printers share affected PS firmware update mechanism

32

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

33

Remote attacks can be used to extract data

34

Sent

by

email

Drive-

by

print

Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying

Print

attachment

Print

from

web

Malware exploits

internal netw or

extracts data

Spool

malicious

byte

stream

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Whatrsquos next solutions conclusions

35

Whatrsquos next PS + MSF + FS + Sockets = PWN

36

Solutions

37

Admins bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sanbox printers in your network bull Include MFPs in security audit lifecycle

Users bull Do not print from untrusted sources

Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs

Actor Suggested actions

Thanksresources

38

Personal thanks

Igor Marinescu MihaiSa Great logistic support and friendly help

Xerox Security Team Positive responses active mitigation

wwwtinajacom Insanely large free postscript resources dir

wwwanastigmatixnet Very good postscript resources

wwwacumentrainingcom Very good postscript resources

Take aways

39

Questions

Andrei Costin andreisrlabsde httpandreicostincompapers

Upcoming MFP attack could include viruses in Office and PS documents that extract organization data

Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching

MFPs are badly secured computing platforms with large abuse potential

Demo

40

Password setup is sniffed by the attacker

41

1) HTTP request ndash password clear text

2) HTTP reply

Demo

42

Attacker has access to network topology ndash no-scan

43

PSgt ldquoshellrdquo ndash where

14

From the official Postscript specification ldquo244 Using the Interpreter Interactivelyrdquo

Debugging is enabled on most PS instances

15

PS-executive

debug enabled

PS-executive

debug disabledNA

PSgt ldquoshellrdquo ndash how

16

Code demo ndash telnet 19216801 9100 and dump this

PSgt ldquoshellrdquo ndash how

17

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

18

We needed a PS-based firmware upload

19

This is too good to be truehellip

20

VxWorks API vx

DebugQA API QA

Logging API EventLog

BillingMeters API meter

Pump PWM pumppwm

RAMdisk API ramdisk

RAM API ram

Flash API flash

Memory dumping reveals computing secrets

21

Demo

22

Admin restriction fail to prevent memory dumping

23

Demo

24

Basic auth password can be dumped

25

1) Authorization Basic YWRtaW4yOhellip

2) HTTP11 200 OK

HTTPS IPsec secrets are ldquoleakyrdquo as wellhellip

26

0x66306630663066306630663066302222

Demo

27

Attacker has access to printed document details

28

Demo

29

Attacker has access to BSD-style socketshellip

30

Two-way BSD-style sockets communication

Analyzed MFP cannot protect effectively

31

Privilege level separation

Secure password setup

Secure (basic) auth

HTTPS IPSEC secrets protection

Network topology protection

In-memory document protection

Restrict sockets on unprivileged modules

Protection measures Fail warn ok

Plenty of Xerox printers share affected PS firmware update mechanism

32

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

33

Remote attacks can be used to extract data

34

Stage 1 – SocEng: sent by email; drive-by print

Stage 2 – Printing: print attachment; print from web; spool malicious byte stream

Stage 3 – Exploiting/spying: malware exploits internal network or extracts data

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 What's next, solutions, conclusions

35

What's next? PS + MSF + FS + Sockets = PWN

36

Solutions

37

Actor: suggested actions

Admins:
• Disable Language Operator Authorization
• Look for security bulletins and patch
• Sandbox printers in your network
• Include MFPs in security audit lifecycle

Users:
• Do not print from untrusted sources

Vendors:
• Create realistic MFP threat models
• Do not enable/expose super-APIs

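The attack chain on slide 34 ends with a malicious byte stream being spooled to the MFP, and the advice on slide 37 (do not print from untrusted sources, sandbox printers in your network) is easier to enforce with a gate in front of the device than on every user's desk. The following is an added example, not code from the talk or from any vendor: a pre-spool filter that tokenizes a PostScript job and rejects it if it calls operators a document never needs, such as executive (the interactive "shell" of slides 14 to 16), exitserver or setsystemparams. The operator names are standard PostScript operators; the two sample jobs, and the placeholder password in the second one, are constructed for illustration.

```python
"""Pre-spool filter for PostScript print jobs.

Added example for this page, not tooling from the talk: a print server or
gateway in front of an MFP scans each job before spooling it and rejects
jobs that call operators a document has no reason to use. Sample jobs at
the bottom are constructed.
"""

# Operators that touch the interpreter, persistent state or the file
# system rather than draw on the page.
DENIED_OPERATORS = {
    "executive",                         # interactive interpreter, the "shell"
    "exitserver", "startjob",            # leave the job server loop
    "setsystemparams", "setdevparams",   # change persistent device parameters
    "file", "run", "deletefile", "renamefile", "filenameforall",  # file system
}

DELIMITERS = "()<>[]{}/%"


def tokenize(job: str):
    """Yield (offset, name) for every name token in a PostScript job.

    Comments, literal strings (nested parentheses and backslash escapes),
    hex strings and ASCII85 strings are skipped, so a word inside (a string)
    or after % is not mistaken for an operator call. Literal names such as
    /executive are yielded too, because "/executive load exec" is the same
    call in disguise.
    """
    i, n = 0, len(job)
    while i < n:
        c = job[i]
        if c.isspace():
            i += 1
        elif c == "%":                              # comment runs to end of line
            j = job.find("\n", i)
            i = n if j < 0 else j + 1
        elif c == "(":                              # literal string, may nest
            depth, i = 1, i + 1
            while i < n and depth > 0:
                if job[i] == "\\":                  # escaped char, skip both
                    i += 2
                    continue
                if job[i] == "(":
                    depth += 1
                elif job[i] == ")":
                    depth -= 1
                i += 1
        elif c == "<":
            if job.startswith("<<", i):             # dictionary start
                i += 2
            elif job.startswith("<~", i):           # ASCII85 string
                j = job.find("~>", i + 2)
                i = n if j < 0 else j + 2
            else:                                   # hex string
                j = job.find(">", i + 1)
                i = n if j < 0 else j + 1
        elif c in ">)[]{}":                         # remaining delimiters
            i += 1
        else:                                       # /literal or executable name
            start = i + 1 if c == "/" else i
            j = start
            while j < n and not job[j].isspace() and job[j] not in DELIMITERS:
                j += 1
            if j > start:
                yield start, job[start:j]
            i = max(j, i + 1)


def check_job(job: str) -> list:
    """Return [(line_number, operator), ...] for each denied operator used.

    An empty list means the job passed the filter.
    """
    hits = []
    for offset, name in tokenize(job):
        if name in DENIED_OPERATORS:
            hits.append((job.count("\n", 0, offset) + 1, name))
    return hits


# Constructed sample (not from the talk): an ordinary document in which the
# word "executive" only appears inside a string.
BENIGN_JOB = """%!PS-Adobe-3.0
%%Title: quarterly report
/Helvetica findfont 12 scalefont setfont
72 720 moveto (Run the executive summary (draft)) show
showpage
"""

# Constructed sample: looks like an invoice but leaves the server loop and
# drops into the interactive interpreter. 1234 is a placeholder password.
SUSPECT_JOB = """%!PS-Adobe-3.0
%%Title: invoice
serverdict begin 1234 exitserver    % 1234: placeholder password
<< /PageSize [612 792] >> setpagedevice
executive
"""

if __name__ == "__main__":
    for label, job in (("benign", BENIGN_JOB), ("suspect", SUSPECT_JOB)):
        hits = check_job(job)
        print(f"{label}: {'REJECT' if hits else 'accept'} {hits}")
```

A deny-list is a first line of defence, not a sandbox: PostScript can assemble names at run time with cvn and execute them with exec, so a stricter gateway also rejects cvn and cvx in untrusted jobs, or better, rasterizes untrusted jobs in a sandboxed interpreter on the print server and sends the MFP only the resulting bitmap. Jobs that legitimately use file (some EPS wrappers read from %stdin) need an explicit allow-list entry.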
Thanks / resources

38

Personal thanks

Igor Marinescu, MihaiSa: great logistic support and friendly help

Xerox Security Team: positive responses, active mitigation

www.tinaja.com: insanely large free PostScript resources directory

www.anastigmatix.net: very good PostScript resources

www.acumentraining.com: very good PostScript resources

Take aways

39

Questions?

Andrei Costin <andrei@srlabs.de> http://andreicostin.com/papers

Upcoming MFP attacks could include viruses in Office and PS documents that extract organization data

Securing the MFP infrastructure requires better segmentation, strong credentials and continuous vulnerability patching

MFPs are badly secured computing platforms with large abuse potential

Demo

40

Password setup is sniffed by the attacker

41

1) HTTP request – password in clear text

2) HTTP reply

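Slides 25, 26 and 41 show the same weakness from two sides: the admin password crosses the network in clear text when it is set (slide 41), and the Basic-auth header that carries it afterwards is recoverable from device memory (slide 25). The following is an added example, not tooling from the talk: a triage routine a defender can run over a capture of the printer VLAN, or over a memory dump taken during an authorized assessment of their own fleet, to list which accounts are exposed. It reports a short hash of each secret rather than the secret itself, so that sightings from the two sources can be correlated and the credential rotated. The HTTP form-field names it looks for and the sample bytes (including the 192.0.2.10 documentation address and the made-up password) are constructed assumptions, not values from the talk.

```python
"""Credential-exposure triage for MFP admin traffic and memory dumps.

Added example for this page, not tooling from the talk. The input below is
constructed; the form-field names are assumptions about typical admin pages.
"""
import base64
import hashlib
import re
from urllib.parse import parse_qs

# Request line plus headers; a body, if any, starts right after the blank line.
REQUEST_RE = re.compile(
    rb"(?P<method>GET|POST|PUT) (?P<path>\S+) HTTP/1\.[01]\r\n"
    rb"(?P<headers>(?:[^\r\n]+\r\n)*)\r\n"
)

# Form field names that carry credentials on typical admin pages (assumed).
USER_FIELDS = ("user", "username", "login")
PASSWORD_FIELDS = ("password", "passwd", "pwd", "admin_password", "new_password")


def fingerprint(secret: bytes) -> str:
    """Short hash so sightings can be correlated without recording the secret."""
    return hashlib.sha256(secret).hexdigest()[:12]


def parse_headers(raw: bytes) -> dict:
    """Map lower-cased header name to value."""
    headers = {}
    for line in raw.split(b"\r\n"):
        if b":" in line:
            name, value = line.split(b":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def triage(blob: bytes) -> list:
    """Return one finding per exposed credential found in blob.

    Each finding carries the account, the request path, the secret's length
    and its fingerprint; the secret itself is never included.
    """
    findings = []
    for m in REQUEST_RE.finditer(blob):
        headers = parse_headers(m.group("headers"))
        path = m.group("path").decode("ascii", "replace")

        # 1) Basic auth: base64 of user:password, reversible by anyone who sees it.
        auth = headers.get(b"authorization", b"")
        if auth.lower().startswith(b"basic "):
            try:
                decoded = base64.b64decode(auth[6:].strip(), validate=True)
            except ValueError:              # binascii.Error is a ValueError
                decoded = None
            if decoded is not None and b":" in decoded:
                user, _, pwd = decoded.partition(b":")
                findings.append({
                    "kind": "basic-auth", "path": path,
                    "user": user.decode("utf-8", "replace"),
                    "password_length": len(pwd), "fingerprint": fingerprint(pwd),
                })

        # 2) Password set through a form POST that was readable in clear text.
        if m.group("method") == b"POST":
            length = int(headers.get(b"content-length", b"0") or 0)
            body = blob[m.end():m.end() + length].decode("utf-8", "replace")
            form = parse_qs(body, keep_blank_values=True)
            user = next((form[f][0] for f in USER_FIELDS if f in form), "?")
            for field in PASSWORD_FIELDS:
                for value in form.get(field, []):
                    secret = value.encode("utf-8")
                    findings.append({
                        "kind": "form-password", "path": path, "field": field,
                        "user": user, "password_length": len(secret),
                        "fingerprint": fingerprint(secret),
                    })
    return findings


# Constructed sample (not from the talk): bytes as they might come from a
# capture of the printer VLAN or from device RAM. Surrounding bytes stand in
# for unrelated data; 192.0.2.10 is a documentation address.
SAMPLE = (
    b"\x00\x13\x37junk\x00"
    b"POST /admin/setpassword HTTP/1.1\r\n"
    b"Host: 192.0.2.10\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 33\r\n\r\n"
    b"user=admin&password=Sample%21pw42\r\n"
    b"\xff\xfe\xff\xfe"
    b"GET /properties HTTP/1.1\r\n"
    b"Host: 192.0.2.10\r\n"
    b"Authorization: Basic " + base64.b64encode(b"admin:Sample!pw42") + b"\r\n\r\n"
    b"HTTP/1.1 200 OK\r\n"
)

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

The same fingerprint appearing in a form POST and in a Basic header means one rotation covers both sightings. The fix the take-aways call for is to stop the exposure at the source: allow the admin interface over HTTPS only and keep it on a segmented management network, so neither the clear-text setup request nor the header it produces is observable from the user LAN.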
Demo

42

Attacker has access to network topology – no-scan

43

Plenty of Xerox printers share affected PS firmware update mechanism

32

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

33

Remote attacks can be used to extract data

34

Sent

by

email

Drive-

by

print

Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying

Print

attachment

Print

from

web

Malware exploits

internal netw or

extracts data

Spool

malicious

byte

stream

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Whatrsquos next solutions conclusions

35

Whatrsquos next PS + MSF + FS + Sockets = PWN

36

Solutions

37

Admins bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sanbox printers in your network bull Include MFPs in security audit lifecycle

Users bull Do not print from untrusted sources

Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs

Actor Suggested actions

Thanksresources

38

Personal thanks

Igor Marinescu MihaiSa Great logistic support and friendly help

Xerox Security Team Positive responses active mitigation

wwwtinajacom Insanely large free postscript resources dir

wwwanastigmatixnet Very good postscript resources

wwwacumentrainingcom Very good postscript resources

Take aways

39

Questions

Andrei Costin andreisrlabsde httpandreicostincompapers

Upcoming MFP attack could include viruses in Office and PS documents that extract organization data

Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching

MFPs are badly secured computing platforms with large abuse potential

Demo

40

Password setup is sniffed by the attacker

41

1) HTTP request ndash password clear text

2) HTTP reply

Demo

42

Attacker has access to network topology ndash no-scan

43

Demo

27

Attacker has access to printed document details

28

Demo

29

Attacker has access to BSD-style socketshellip

30

Two-way BSD-style sockets communication

Analyzed MFP cannot protect effectively

31

Privilege level separation

Secure password setup

Secure (basic) auth

HTTPS IPSEC secrets protection

Network topology protection

In-memory document protection

Restrict sockets on unprivileged modules

Protection measures Fail warn ok

Plenty of Xerox printers share affected PS firmware update mechanism

32

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

33

Remote attacks can be used to extract data

34

Sent

by

email

Drive-

by

print

Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying

Print

attachment

Print

from

web

Malware exploits

internal netw or

extracts data

Spool

malicious

byte

stream

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Whatrsquos next solutions conclusions

35

Whatrsquos next PS + MSF + FS + Sockets = PWN

36

Solutions

37

Admins bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sanbox printers in your network bull Include MFPs in security audit lifecycle

Users bull Do not print from untrusted sources

Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs

Actor Suggested actions

Thanksresources

38

Personal thanks

Igor Marinescu MihaiSa Great logistic support and friendly help

Xerox Security Team Positive responses active mitigation

wwwtinajacom Insanely large free postscript resources dir

wwwanastigmatixnet Very good postscript resources

wwwacumentrainingcom Very good postscript resources

Take aways

39

Questions

Andrei Costin andreisrlabsde httpandreicostincompapers

Upcoming MFP attack could include viruses in Office and PS documents that extract organization data

Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching

MFPs are badly secured computing platforms with large abuse potential

Demo

40

Password setup is sniffed by the attacker

41

1) HTTP request ndash password clear text

2) HTTP reply

Demo

42

Attacker has access to network topology ndash no-scan

43

Attacker has access to printed document details

28

Demo

29

Attacker has access to BSD-style socketshellip

30

Two-way BSD-style sockets communication

Analyzed MFP cannot protect effectively

31

Privilege level separation

Secure password setup

Secure (basic) auth

HTTPS IPSEC secrets protection

Network topology protection

In-memory document protection

Restrict sockets on unprivileged modules

Protection measures Fail warn ok

Plenty of Xerox printers share affected PS firmware update mechanism

32

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

33

Remote attacks can be used to extract data

34

Sent

by

email

Drive-

by

print

Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying

Print

attachment

Print

from

web

Malware exploits

internal netw or

extracts data

Spool

malicious

byte

stream

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Whatrsquos next solutions conclusions

35

Whatrsquos next PS + MSF + FS + Sockets = PWN

36

Solutions

37

Admins bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sanbox printers in your network bull Include MFPs in security audit lifecycle

Users bull Do not print from untrusted sources

Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs

Actor Suggested actions

Thanksresources

38

Personal thanks

Igor Marinescu MihaiSa Great logistic support and friendly help

Xerox Security Team Positive responses active mitigation

wwwtinajacom Insanely large free postscript resources dir

wwwanastigmatixnet Very good postscript resources

wwwacumentrainingcom Very good postscript resources

Take aways

39

Questions

Andrei Costin andreisrlabsde httpandreicostincompapers

Upcoming MFP attack could include viruses in Office and PS documents that extract organization data

Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching

MFPs are badly secured computing platforms with large abuse potential

Demo

40

Password setup is sniffed by the attacker

41

1) HTTP request ndash password clear text

2) HTTP reply

Demo

42

Attacker has access to network topology ndash no-scan

43

Demo

29

Attacker has access to BSD-style socketshellip

30

Two-way BSD-style sockets communication

Analyzed MFP cannot protect effectively

31

Privilege level separation

Secure password setup

Secure (basic) auth

HTTPS IPSEC secrets protection

Network topology protection

In-memory document protection

Restrict sockets on unprivileged modules

Protection measures Fail warn ok

Plenty of Xerox printers share affected PS firmware update mechanism

32

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

33

Remote attacks can be used to extract data

34

Sent

by

email

Drive-

by

print

Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying

Print

attachment

Print

from

web

Malware exploits

internal netw or

extracts data

Spool

malicious

byte

stream

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Whatrsquos next solutions conclusions

35

Whatrsquos next PS + MSF + FS + Sockets = PWN

36

Solutions

37

Admins bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sanbox printers in your network bull Include MFPs in security audit lifecycle

Users bull Do not print from untrusted sources

Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs

Actor Suggested actions

Thanksresources

38

Personal thanks

Igor Marinescu MihaiSa Great logistic support and friendly help

Xerox Security Team Positive responses active mitigation

wwwtinajacom Insanely large free postscript resources dir

wwwanastigmatixnet Very good postscript resources

wwwacumentrainingcom Very good postscript resources

Take aways

39

Questions

Andrei Costin andreisrlabsde httpandreicostincompapers

Upcoming MFP attack could include viruses in Office and PS documents that extract organization data

Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching

MFPs are badly secured computing platforms with large abuse potential

Demo

40

Password setup is sniffed by the attacker

41

1) HTTP request ndash password clear text

2) HTTP reply

Demo

42

Attacker has access to network topology ndash no-scan

43

Attacker has access to BSD-style socketshellip

30

Two-way BSD-style sockets communication

Analyzed MFP cannot protect effectively

31

Privilege level separation

Secure password setup

Secure (basic) auth

HTTPS IPSEC secrets protection

Network topology protection

In-memory document protection

Restrict sockets on unprivileged modules

Protection measures Fail warn ok

Plenty of Xerox printers share affected PS firmware update mechanism

32

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

33

Remote attacks can be used to extract data

34

Sent

by

email

Drive-

by

print

Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying

Print

attachment

Print

from

web

Malware exploits

internal netw or

extracts data

Spool

malicious

byte

stream

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Whatrsquos next solutions conclusions

35

Whatrsquos next PS + MSF + FS + Sockets = PWN

36

Solutions

37

Admins bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sanbox printers in your network bull Include MFPs in security audit lifecycle

Users bull Do not print from untrusted sources

Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs

Actor Suggested actions

Thanksresources

38

Personal thanks

Igor Marinescu MihaiSa Great logistic support and friendly help

Xerox Security Team Positive responses active mitigation

wwwtinajacom Insanely large free postscript resources dir

wwwanastigmatixnet Very good postscript resources

wwwacumentrainingcom Very good postscript resources

Take aways

39

Questions

Andrei Costin andreisrlabsde httpandreicostincompapers

Upcoming MFP attack could include viruses in Office and PS documents that extract organization data

Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching

MFPs are badly secured computing platforms with large abuse potential

Demo

40

Password setup is sniffed by the attacker

41

1) HTTP request ndash password clear text

2) HTTP reply

Demo

42

Attacker has access to network topology ndash no-scan

43

Analyzed MFP cannot protect effectively

31

Privilege level separation

Secure password setup

Secure (basic) auth

HTTPS IPSEC secrets protection

Network topology protection

In-memory document protection

Restrict sockets on unprivileged modules

Protection measures Fail warn ok

Plenty of Xerox printers share affected PS firmware update mechanism

32

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

33

Remote attacks can be used to extract data

34

Sent

by

email

Drive-

by

print

Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying

Print

attachment

Print

from

web

Malware exploits

internal netw or

extracts data

Spool

malicious

byte

stream

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Whatrsquos next solutions conclusions

35

Whatrsquos next PS + MSF + FS + Sockets = PWN

36

Solutions

37

Admins bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sanbox printers in your network bull Include MFPs in security audit lifecycle

Users bull Do not print from untrusted sources

Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs

Actor Suggested actions

Thanksresources

38

Personal thanks

Igor Marinescu MihaiSa Great logistic support and friendly help

Xerox Security Team Positive responses active mitigation

wwwtinajacom Insanely large free postscript resources dir

wwwanastigmatixnet Very good postscript resources

wwwacumentrainingcom Very good postscript resources

Take aways

39

Questions

Andrei Costin andreisrlabsde httpandreicostincompapers

Upcoming MFP attack could include viruses in Office and PS documents that extract organization data

Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching

MFPs are badly secured computing platforms with large abuse potential

Demo

40

Password setup is sniffed by the attacker

41

1) HTTP request ndash password clear text

2) HTTP reply

Demo

42

Attacker has access to network topology ndash no-scan

43

Plenty of Xerox printers share affected PS firmware update mechanism

32

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

33

Remote attacks can be used to extract data

34

Sent

by

email

Drive-

by

print

Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying

Print

attachment

Print

from

web

Malware exploits

internal netw or

extracts data

Spool

malicious

byte

stream

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Whatrsquos next solutions conclusions

35

Whatrsquos next PS + MSF + FS + Sockets = PWN

36

Solutions

37

Admins bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sanbox printers in your network bull Include MFPs in security audit lifecycle

Users bull Do not print from untrusted sources

Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs

Actor Suggested actions

Thanksresources

38

Personal thanks

Igor Marinescu MihaiSa Great logistic support and friendly help

Xerox Security Team Positive responses active mitigation

wwwtinajacom Insanely large free postscript resources dir

wwwanastigmatixnet Very good postscript resources

wwwacumentrainingcom Very good postscript resources

Take aways

39

Questions

Andrei Costin andreisrlabsde httpandreicostincompapers

Upcoming MFP attack could include viruses in Office and PS documents that extract organization data

Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching

MFPs are badly secured computing platforms with large abuse potential

Demo

40

Password setup is sniffed by the attacker

41

1) HTTP request ndash password clear text

2) HTTP reply

Demo

42

Attacker has access to network topology ndash no-scan

43

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

33

Remote attacks can be used to extract data

34

Sent

by

email

Drive-

by

print

Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying

Print

attachment

Print

from

web

Malware exploits

internal netw or

extracts data

Spool

malicious

byte

stream

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Whatrsquos next solutions conclusions

35

Whatrsquos next PS + MSF + FS + Sockets = PWN

36

Solutions

37

Admins bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sanbox printers in your network bull Include MFPs in security audit lifecycle

Users bull Do not print from untrusted sources

Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs

Actor Suggested actions

Thanksresources

38

Personal thanks

Igor Marinescu MihaiSa Great logistic support and friendly help

Xerox Security Team Positive responses active mitigation

wwwtinajacom Insanely large free postscript resources dir

wwwanastigmatixnet Very good postscript resources

wwwacumentrainingcom Very good postscript resources

Take aways

39

Questions

Andrei Costin andreisrlabsde httpandreicostincompapers

Upcoming MFP attack could include viruses in Office and PS documents that extract organization data

Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching

MFPs are badly secured computing platforms with large abuse potential

Demo

40

Password setup is sniffed by the attacker

41

1) HTTP request ndash password clear text

2) HTTP reply

Demo

42

Attacker has access to network topology ndash no-scan

43

Remote attacks can be used to extract data

34

Sent

by

email

Drive-

by

print

Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying

Print

attachment

Print

from

web

Malware exploits

internal netw or

extracts data

Spool

malicious

byte

stream

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Whatrsquos next solutions conclusions

35

Whatrsquos next PS + MSF + FS + Sockets = PWN

36

Solutions

37

Admins bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sanbox printers in your network bull Include MFPs in security audit lifecycle

Users bull Do not print from untrusted sources

Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs

Actor Suggested actions

Thanksresources

38

Personal thanks

Igor Marinescu MihaiSa Great logistic support and friendly help

Xerox Security Team Positive responses active mitigation

wwwtinajacom Insanely large free postscript resources dir

wwwanastigmatixnet Very good postscript resources

wwwacumentrainingcom Very good postscript resources

Take aways

39

Questions

Andrei Costin andreisrlabsde httpandreicostincompapers

Upcoming MFP attack could include viruses in Office and PS documents that extract organization data

Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching

MFPs are badly secured computing platforms with large abuse potential

Demo

40

Password setup is sniffed by the attacker

41

1) HTTP request ndash password clear text

2) HTTP reply

Demo

42

Attacker has access to network topology ndash no-scan

43

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Whatrsquos next solutions conclusions

35

Whatrsquos next PS + MSF + FS + Sockets = PWN

36

Solutions

37

Admins bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sanbox printers in your network bull Include MFPs in security audit lifecycle

Users bull Do not print from untrusted sources

Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs

Actor Suggested actions

Thanksresources

38

Personal thanks

Igor Marinescu MihaiSa Great logistic support and friendly help

Xerox Security Team Positive responses active mitigation

wwwtinajacom Insanely large free postscript resources dir

wwwanastigmatixnet Very good postscript resources

wwwacumentrainingcom Very good postscript resources

Take aways

39

Questions

Andrei Costin andreisrlabsde httpandreicostincompapers

Upcoming MFP attack could include viruses in Office and PS documents that extract organization data

Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching

MFPs are badly secured computing platforms with large abuse potential

Demo

40

Password setup is sniffed by the attacker

41

1) HTTP request ndash password clear text

2) HTTP reply

Demo

42

Attacker has access to network topology ndash no-scan

43

Whatrsquos next PS + MSF + FS + Sockets = PWN

36

Solutions

37

Admins bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sanbox printers in your network bull Include MFPs in security audit lifecycle

Users bull Do not print from untrusted sources

Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs

Actor Suggested actions

Thanksresources

38

Personal thanks

Igor Marinescu MihaiSa Great logistic support and friendly help

Xerox Security Team Positive responses active mitigation

wwwtinajacom Insanely large free postscript resources dir

wwwanastigmatixnet Very good postscript resources

wwwacumentrainingcom Very good postscript resources

Take aways

39

Questions

Andrei Costin andreisrlabsde httpandreicostincompapers

Upcoming MFP attack could include viruses in Office and PS documents that extract organization data

Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching

MFPs are badly secured computing platforms with large abuse potential

Demo

40

Password setup is sniffed by the attacker

41

1) HTTP request ndash password clear text

2) HTTP reply

Demo

42

Attacker has access to network topology ndash no-scan

43

Solutions

37

Admins bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sanbox printers in your network bull Include MFPs in security audit lifecycle

Users bull Do not print from untrusted sources

Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs

Actor Suggested actions

Thanksresources

38

Personal thanks

Igor Marinescu MihaiSa Great logistic support and friendly help

Xerox Security Team Positive responses active mitigation

wwwtinajacom Insanely large free postscript resources dir

wwwanastigmatixnet Very good postscript resources

wwwacumentrainingcom Very good postscript resources

Take aways

39

Questions

Andrei Costin andreisrlabsde httpandreicostincompapers

Upcoming MFP attack could include viruses in Office and PS documents that extract organization data

Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching

MFPs are badly secured computing platforms with large abuse potential

Demo

40

Password setup is sniffed by the attacker

41

1) HTTP request ndash password clear text

2) HTTP reply

Demo

42

Attacker has access to network topology ndash no-scan

43

Thanksresources

38

Personal thanks

Igor Marinescu MihaiSa Great logistic support and friendly help

Xerox Security Team Positive responses active mitigation

wwwtinajacom Insanely large free postscript resources dir

wwwanastigmatixnet Very good postscript resources

wwwacumentrainingcom Very good postscript resources

Take aways

39

Questions

Andrei Costin andreisrlabsde httpandreicostincompapers

Upcoming MFP attack could include viruses in Office and PS documents that extract organization data

Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching

MFPs are badly secured computing platforms with large abuse potential

Demo

40

Password setup is sniffed by the attacker

41

1) HTTP request ndash password clear text

2) HTTP reply

Demo

42

Attacker has access to network topology ndash no-scan

43

Take aways

39

Questions

Andrei Costin andreisrlabsde httpandreicostincompapers

Upcoming MFP attack could include viruses in Office and PS documents that extract organization data

Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching

MFPs are badly secured computing platforms with large abuse potential

Demo

40

Password setup is sniffed by the attacker

41

1) HTTP request ndash password clear text

2) HTTP reply

Demo

42

Attacker has access to network topology ndash no-scan

43

Demo

40

Password setup is sniffed by the attacker

41

1) HTTP request ndash password clear text

2) HTTP reply

Demo

42

Attacker has access to network topology ndash no-scan

43

Password setup is sniffed by the attacker

41

1) HTTP request ndash password clear text

2) HTTP reply

Demo

42

Attacker has access to network topology ndash no-scan

43

Demo

42

Attacker has access to network topology ndash no-scan

43

Attacker has access to network topology ndash no-scan

43