28C3 - Hacking MFPs (part 2)
TRANSCRIPT
Slide 1: Hacking MFPs: PostScript(um – you've been hacked)
Andrei Costin <andrei@srlabs.de>

Andrei: hardware hacker & coder
• Mifare Classic: MFCUK
• Hacking MFPs (for fun & profit)
• General IT/AP/GSM security
http://andreicostin.com/papers

Slide 2: Quick Quiz
Which vendor do you think this talk is about? (i.e. whose MFPs do you think are least secure?)
Participating audience results: 5 / 70 / 20

Slide 3: Agenda
1. Quick refresher
2. What about PostScript?
3. So what and how did you find?
4. Attacks in a nutshell
5. Solutions and conclusions

Slide 4: MFPs carry large abuse potential

Slide 5: MFP hacking goes back to the 1960's
"Spies in the Xerox machine": the "micro"-film camera marked X (patent drawing, 1967). Electronics/hardware hacking.

Slide 6: Modern printer hacking goes back almost a decade
Timeline: 2002 – initial printer hacks (FX/pH); 2006 – broader & deeper printer hacking (irongeek); 2011 – revived printer hacking interest.
This talk focuses mainly on remote code execution inside MFPs/printers.

Slide 7: In 2010 we demo'd mapping public MFPs
http://www.youtube.com/watch?v=t44GibiCoCM

Slide 8: … and generic MFP payload delivery using Word
http://www.youtube.com/watch?v=KrWFOo2RAnk (there are false claims by some guys)

Slide 9: … and generic MFP payload delivery using Java
http://www.youtube.com/watch?v=JcfxvZml6-Y
Slide 10: Agenda
1. Quick refresher
2. What about PostScript?
3. So what and how did you find?
4. Attacks in a nutshell
5. Solutions and conclusions

Slide 11: PostScript, who? It's Adobe's PDF big brother

Slide 12: Adobe is the dominant PS implementation
Chart: distribution of PostScript interpreters – Adobe PS interpreters vs. other PS interpreters (source: Adobe specification supplement note)

Slide 13: PS is built to handle complex processing tasks
Graphics & patterns, complex math, web servers, ray-tracing, OpenGL, milling machines, XML parsers, file systems, I/O subsystems

Slide 14: PS> "shell" – where?
From the official PostScript specification: "2.4.4 Using the Interpreter Interactively"

Slide 15: Debugging is enabled on most PS instances
Chart: PS executive with debug enabled vs. PS executive with debug disabled/N/A

Slide 16: PS> "shell" – how?
Code demo – telnet 192.168.0.1 9100 and dump this

Slide 17: PS> "shell" – how? (continued)

Slide 18: Agenda
1. Quick refresher
2. What about PostScript?
3. So what and how did you find?
4. Attacks in a nutshell
5. Solutions and conclusions
Slide 19: We needed a PS-based firmware upload

Slide 20: This is too good to be true…
APIs exposed, with their names on the device:
• VxWorks API: vx
• Debug/QA API: QA
• Logging API: EventLog
• Billing/Meters API: meter
• Pump PWM: pumppwm
• RAMdisk API: ramdisk
• RAM API: ram
• Flash API: flash

Slide 21: Memory dumping reveals computing secrets

Slide 22: Demo

Slide 23: Admin restriction fails to prevent memory dumping

Slide 24: Demo

Slide 25: Basic auth password can be dumped
1) Authorization: Basic YWRtaW4yO…
2) HTTP/1.1 200 OK

Slide 26: HTTPS/IPsec secrets are "leaky" as well…
0x66306630663066306630663066302222

Slide 27: Demo

Slide 28: Attacker has access to printed document details

Slide 29: Demo

Slide 30: Attacker has access to BSD-style sockets…
Two-way BSD-style sockets communication

Slide 31: Analyzed MFP cannot protect effectively
Protection measures (each rated fail / warn / ok on the slide):
• Privilege level separation
• Secure password setup
• Secure (basic) auth
• HTTPS/IPsec secrets protection
• Network topology protection
• In-memory document protection
• Restrict sockets on unprivileged modules

Slide 32: Plenty of Xerox printers share the affected PS firmware update mechanism
Slide 33: Agenda
1. Quick refresher
2. What about PostScript?
3. So what and how did you find?
4. Attacks in a nutshell
5. Solutions and conclusions

Slide 34: Remote attacks can be used to extract data
Stage 1 – SocEng: sent by attachment, or drive-by from the web
Stage 2 – Printing: spool malicious byte stream
Stage 3 – Exploiting/spying: malware exploits the internal network or extracts data
Slide 35: Agenda
1. Quick refresher
2. What about PostScript?
3. So what and how did you find?
4. Attacks in a nutshell
5. What's next, solutions, conclusions

Slide 36: What's next? PS + MSF + FS + Sockets = PWN

Slide 37: Solutions
Actor: suggested actions
Admins: • Disable Language Operator Authorization • Look for security bulletins and patch • Sandbox printers in your network • Include MFPs in the security audit lifecycle
Users: • Do not print from untrusted sources
Vendors: • Create realistic MFP threat models • Do not enable/expose super-APIs
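Slide 34's chain (a malicious byte stream reaches the spooler inside an ordinary-looking print job) and the admin actions on Slide 37 (sandbox printers, disable language operator authorization) point to one control that sits between them: inspecting spooled jobs before they reach the device. The following Python is an added example written for this transcript; it is not code from the talk, from Xerox, or from any spooler. It unwraps a PJL envelope, blanks PostScript comments and string literals so that a document merely mentioning a word does not trigger, and quarantines jobs that call the interactive interpreter (`executive`, the operator behind the PS "shell" on Slide 14) or file-system operators. The sample jobs, file names and verdict labels are constructed; the `UEL`/`@PJL` unwrapping assumes the common PJL wrapping and is not taken from the slides.

```python
import re

# Constructed sample jobs as a spooler might receive them. None comes from the talk.
UEL = b"\x1b%-12345X"   # PJL Universal Exit Language sequence
SAMPLE_JOBS = {
    "invoice": b"%!PS-Adobe-3.0\n/Helvetica findfont 12 scalefont setfont\n"
               b"72 720 moveto (Invoice 4711) show\nshowpage\n",
    # Mentions the word 'executive' only in a comment and in printed text: must pass.
    "memo": b"%!PS-Adobe-3.0\n% executive summary follows\n"
            b"72 700 moveto (see the executive summary) show\nshowpage\n",
    # Draws a page, then drops into the interpreter's interactive mode.
    "shell": b"%!PS-Adobe-3.0\n72 700 moveto (hello) show\nshowpage\nexecutive\n",
    # Opens a file on the device instead of drawing anything.
    "fsjob": b"%!PS-Adobe-3.0\n(settings.cfg) (r) file\nshowpage\n",
    # PJL-wrapped PostScript: the wrapper must not hide the body from inspection.
    "wrapped": UEL + b"@PJL ENTER LANGUAGE = POSTSCRIPT\r\n"
               b"%!PS-Adobe-3.0\nexecutive\n",
    # PJL-only job (status query): not PostScript, nothing for this check to say.
    "pjl": UEL + b"@PJL INFO ID\r\n",
}

# Real PostScript operators (PostScript Language Reference, LanguageLevel 2+) that an
# ordinary draw-and-showpage job has no reason to call. Which ones a given device
# honours depends on its interpreter configuration.
INTERPRETER_OPS = {b"executive"}
FILESYSTEM_OPS = {b"file", b"deletefile", b"renamefile", b"filenameforall", b"run"}
NAME = re.compile(rb"[A-Za-z_][A-Za-z0-9_]*")


def unwrap_pjl(job: bytes) -> bytes:
    """Drop a leading PJL envelope (UEL followed by @PJL lines) so the language body
    underneath is inspected rather than hidden by the wrapper."""
    if not job.startswith(UEL):
        return job
    body = job[len(UEL):]
    while body.startswith(b"@PJL"):
        nl = body.find(b"\n")
        if nl == -1:
            return b""
        body = body[nl + 1:]
    return body


def strip_comments_and_strings(data: bytes) -> bytes:
    """Blank out %-comments and (...) string literals, honouring nested parentheses
    and backslash escapes as PostScript does, so names inside them are not counted."""
    out = bytearray()
    i, n, depth = 0, len(data), 0
    while i < n:
        c = data[i:i + 1]
        if depth:                      # inside a string literal
            if c == b"\\":
                i += 2                 # escaped character, skip it
                continue
            depth += (c == b"(") - (c == b")")
            i += 1
            continue
        if c == b"(":
            depth = 1
            out += b" "                # keep a token boundary where the string was
        elif c == b"%":                # comment runs to end of line
            nl = data.find(b"\n", i)
            i = n if nl == -1 else nl
            continue
        else:
            out += c
        i += 1
    return bytes(out)


def inspect_job(job: bytes) -> dict:
    """Classify one spooled job: 'pass', 'warn' or 'quarantine', with the reasons."""
    body = unwrap_pjl(job)
    if not body.startswith(b"%!"):
        return {"format": "other", "verdict": "pass", "reasons": []}
    names = set(NAME.findall(strip_comments_and_strings(body)))
    reasons = []
    hits = sorted(names & INTERPRETER_OPS)
    if hits:
        reasons.append("interpreter shell: " + ", ".join(h.decode() for h in hits))
    hits = sorted(names & FILESYSTEM_OPS)
    if hits:
        reasons.append("file-system access: " + ", ".join(h.decode() for h in hits))
    verdict = "quarantine" if reasons else "pass"
    if not reasons and b"showpage" not in names:
        verdict, reasons = "warn", ["no showpage: job draws nothing"]
    return {"format": "postscript", "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    for name, job in SAMPLE_JOBS.items():
        print(f"{name:8s} {inspect_job(job)}")
```

The name match is deliberately conservative: a literal `/executive` is flagged as readily as the executable name, because `/executive load exec` runs it just the same, and a job that hides operator names in other encodings (for example binary-encoded tokens) is one more reason to keep the Slide 37 controls on the device itself rather than relying on the spooler alone.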
Slide 38: Thanks/resources
Personal thanks:
• Igor Marinescu, MihaiSa – great logistic support and friendly help
• Xerox Security Team – positive responses, active mitigation
• www.tinaja.com – insanely large free PostScript resources dir
• www.anastigmatix.net – very good PostScript resources
• www.acumentraining.com – very good PostScript resources

Slide 39: Take-aways / Questions
• MFPs are badly secured computing platforms with large abuse potential
• Upcoming MFP attacks could include viruses in Office and PS documents that extract organization data
• Securing the MFP infrastructure requires better segmentation, strong credentials and continuous vulnerability patching
Andrei Costin – andrei@srlabs.de – http://andreicostin.com/papers
Slide 40: Demo

Slide 41: Password setup is sniffed by the attacker
1) HTTP request – password in clear text
2) HTTP reply
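Slide 25 (the Basic auth header recovered from a memory dump) and Slide 41 (the password-setup request sniffed in clear text) show the same weak spot from two sides: credentials for the device travel over plain HTTP, where any observer on the path can read them. A check a defender can run over captures from the printer VLAN, as an added example written for this transcript and not taken from the talk: it flags `Authorization: Basic` headers and password-like form fields seen over plaintext HTTP, recovers only the username, and never stores the secret. The sample requests, the host address, the URL paths and the credentials are constructed; the `tls` flag stands in for whatever the capture tool reports about the transport, and the password-field regex is a heuristic.

```python
import base64
import binascii
import re
from dataclasses import dataclass
from urllib.parse import parse_qs

# Constructed sample capture: (raw request, seen over TLS?) pairs as a capture tool on
# the printer VLAN might hand them over. Host, paths and credentials are made up; the
# Basic header decodes to "admin2:s3cr3t".
SAMPLE_CAPTURE = [
    ("GET /properties/authentication/index.php HTTP/1.1\r\n"
     "Host: 192.0.2.10\r\n"
     "Authorization: Basic YWRtaW4yOnMzY3IzdA==\r\n\r\n", False),
    ("POST /properties/authentication/setPassword.php HTTP/1.1\r\n"
     "Host: 192.0.2.10\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
     "admin_pw=NewPass1&confirm=NewPass1", False),
    ("GET /status.php HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n", False),
    # Same Basic header inside a TLS session: that is what the scheme is designed for.
    ("GET /properties/authentication/index.php HTTP/1.1\r\n"
     "Host: 192.0.2.10\r\n"
     "Authorization: Basic YWRtaW4yOnMzY3IzdA==\r\n\r\n", True),
]

# Heuristic: form field names that usually carry a password.
PASSWORD_FIELD = re.compile(r"pass|pw|secret", re.IGNORECASE)


@dataclass
class Finding:
    kind: str        # "basic-auth" or "form-password"
    path: str        # request target the credential was sent to
    subject: str     # username (basic-auth) or form field name (form-password)
    secret_len: int  # only the length is kept; the secret itself is never stored


def _split_request(raw: str):
    """Split one raw HTTP/1.x request into method, path, lower-cased headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def inspect_request(raw: str, tls: bool = False) -> list:
    """Findings for one request. Only plaintext transport counts as exposure."""
    if tls:
        return []
    method, path, headers, body = _split_request(raw)
    findings = []
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            creds = base64.b64decode(auth[6:], validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            creds = ""            # malformed header: still reported, user unknown
        user, _, secret = creds.partition(":")
        findings.append(Finding("basic-auth", path, user, len(secret)))
    ctype = headers.get("content-type", "")
    if method == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        for field, values in parse_qs(body).items():
            if PASSWORD_FIELD.search(field):
                findings.append(Finding("form-password", path, field, len(values[0])))
    return findings


def inspect_capture(capture) -> list:
    """Run inspect_request over a whole capture and collect the findings in order."""
    out = []
    for raw, tls in capture:
        out.extend(inspect_request(raw, tls))
    return out


if __name__ == "__main__":
    for f in inspect_capture(SAMPLE_CAPTURE):
        print(f"{f.kind:14s} {f.path:45s} {f.subject} (secret: {f.secret_len} chars)")
```

A hit from this check is the network-side symptom of what Slides 25 and 41 demonstrate; the fix is on the device and in the network (HTTPS-only management, credentials changed over a trusted path, the printer VLAN segmented as Slide 37 advises), not in the detector.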
Slide 42: Demo

Slide 43: Attacker has access to network topology – no-scan
![Page 2: 28C3 - Hacking MFPs (part2)](https://reader035.vdocument.in/reader035/viewer/2022071602/613d6526736caf36b75cd2a1/html5/thumbnails/2.jpg)
Andrei Hardware hacker amp coder
1
Mifare Classic MFCUK
Hacking MFPs (for fun amp profit) General
ITAPGSM
security
httpandreicostincompapers
Quick Quiz
2
Which vendor do you think this talk is about
(ie Whose MFPs do you think are least secure)
Participating audience results
5 70 20
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
3
MFPs carry large abuse potential
4
MFP hacking goes back to the 1960rsquos
5
ldquoSpies in the Xerox machinerdquo
The ldquomicrordquo-film camera marked X
Patent drawing 1967
Electronicshardware hacking
Modern printer hacking goes back almost a decade
6
Broader amp deeper printer hacking (irongeek)
Initial printer hacks (FXpH)
2002 2006
Revived printer hacking interest
This talk focuses mainly on remote code execution inside MFPsprinters
2011
In 2010 we demorsquod mapping public MFPs
7
httpwwwyoutubecomwatchv=t44GibiCoCM
hellip and generic MFP payload delivery using Word
8
httpwwwyoutubecomwatchv=KrWFOo2RAnk (there are false claims of some guys)
hellip and generic MFP payload delivery using Java
9
httpwwwyoutubecomwatchv=JcfxvZml6-Y
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
10
PostScript who Itrsquos Adobersquos PDF big brother
11
Adobe is the dominant PS implementation
12
Adobe PS interpreters
Other PS interpreters
Distribution of Postscript interpreters
Source Adobe specification supplement note
PS is build to handle complex processing tasks
13
Graphics amp patterns Complex math Web servers
Ray-tracing OpenGL Milling machine XML Parsers
File systems IO subsystems
PSgt ldquoshellrdquo ndash where
14
From the official Postscript specification ldquo244 Using the Interpreter Interactivelyrdquo
Debugging is enabled on most PS instances
15
PS-executive
debug enabled
PS-executive
debug disabledNA
PSgt ldquoshellrdquo ndash how
16
Code demo ndash telnet 19216801 9100 and dump this
PSgt ldquoshellrdquo ndash how
17
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
18
We needed a PS-based firmware upload
19
This is too good to be truehellip
20
VxWorks API vx
DebugQA API QA
Logging API EventLog
BillingMeters API meter
Pump PWM pumppwm
RAMdisk API ramdisk
RAM API ram
Flash API flash
Memory dumping reveals computing secrets
21
Demo
22
Admin restriction fail to prevent memory dumping
23
Demo
24
Basic auth password can be dumped
25
1) Authorization Basic YWRtaW4yOhellip
2) HTTP11 200 OK
HTTPS IPsec secrets are ldquoleakyrdquo as wellhellip
26
0x66306630663066306630663066302222
Demo
27
Attacker has access to printed document details
28
Demo
29
Attacker has access to BSD-style socketshellip
30
Two-way BSD-style sockets communication
Analyzed MFP cannot protect effectively
31
Privilege level separation
Secure password setup
Secure (basic) auth
HTTPS IPSEC secrets protection
Network topology protection
In-memory document protection
Restrict sockets on unprivileged modules
Protection measures Fail warn ok
Plenty of Xerox printers share affected PS firmware update mechanism
32
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
33
Remote attacks can be used to extract data
34
Sent
by
Drive-
by
Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying
attachment
from
web
Malware exploits
internal netw or
extracts data
Spool
malicious
byte
stream
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Whatrsquos next solutions conclusions
35
Whatrsquos next PS + MSF + FS + Sockets = PWN
36
Solutions
37
Admins bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sanbox printers in your network bull Include MFPs in security audit lifecycle
Users bull Do not print from untrusted sources
Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs
Actor Suggested actions
Thanksresources
38
Personal thanks
Igor Marinescu MihaiSa Great logistic support and friendly help
Xerox Security Team Positive responses active mitigation
wwwtinajacom Insanely large free postscript resources dir
wwwanastigmatixnet Very good postscript resources
wwwacumentrainingcom Very good postscript resources
Take aways
39
Questions
Andrei Costin andreisrlabsde httpandreicostincompapers
Upcoming MFP attack could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Demo
40
Password setup is sniffed by the attacker
41
1) HTTP request ndash password clear text
2) HTTP reply
Demo
42
Attacker has access to network topology ndash no-scan
43
![Page 3: 28C3 - Hacking MFPs (part2)](https://reader035.vdocument.in/reader035/viewer/2022071602/613d6526736caf36b75cd2a1/html5/thumbnails/3.jpg)
Quick Quiz
2
Which vendor do you think this talk is about
(ie Whose MFPs do you think are least secure)
Participating audience results
5 70 20
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
3
MFPs carry large abuse potential
4
MFP hacking goes back to the 1960rsquos
5
ldquoSpies in the Xerox machinerdquo
The ldquomicrordquo-film camera marked X
Patent drawing 1967
Electronicshardware hacking
Modern printer hacking goes back almost a decade
6
Broader amp deeper printer hacking (irongeek)
Initial printer hacks (FXpH)
2002 2006
Revived printer hacking interest
This talk focuses mainly on remote code execution inside MFPsprinters
2011
In 2010 we demorsquod mapping public MFPs
7
httpwwwyoutubecomwatchv=t44GibiCoCM
hellip and generic MFP payload delivery using Word
8
httpwwwyoutubecomwatchv=KrWFOo2RAnk (there are false claims of some guys)
hellip and generic MFP payload delivery using Java
9
httpwwwyoutubecomwatchv=JcfxvZml6-Y
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
10
PostScript who Itrsquos Adobersquos PDF big brother
11
Adobe is the dominant PS implementation
12
Adobe PS interpreters
Other PS interpreters
Distribution of Postscript interpreters
Source Adobe specification supplement note
PS is build to handle complex processing tasks
13
Graphics amp patterns Complex math Web servers
Ray-tracing OpenGL Milling machine XML Parsers
File systems IO subsystems
PSgt ldquoshellrdquo ndash where
14
From the official Postscript specification ldquo244 Using the Interpreter Interactivelyrdquo
Debugging is enabled on most PS instances
15
PS-executive
debug enabled
PS-executive
debug disabledNA
PSgt ldquoshellrdquo ndash how
16
Code demo ndash telnet 19216801 9100 and dump this
PSgt ldquoshellrdquo ndash how
17
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
18
We needed a PS-based firmware upload
19
This is too good to be truehellip
20
VxWorks API vx
DebugQA API QA
Logging API EventLog
BillingMeters API meter
Pump PWM pumppwm
RAMdisk API ramdisk
RAM API ram
Flash API flash
Memory dumping reveals computing secrets
21
Demo
22
Admin restriction fail to prevent memory dumping
23
Demo
24
Basic auth password can be dumped
25
1) Authorization Basic YWRtaW4yOhellip
2) HTTP11 200 OK
HTTPS IPsec secrets are ldquoleakyrdquo as wellhellip
26
0x66306630663066306630663066302222
Demo
27
Attacker has access to printed document details
28
Demo
29
Attacker has access to BSD-style socketshellip
30
Two-way BSD-style sockets communication
Analyzed MFP cannot protect effectively
31
Privilege level separation
Secure password setup
Secure (basic) auth
HTTPS IPSEC secrets protection
Network topology protection
In-memory document protection
Restrict sockets on unprivileged modules
Protection measures Fail warn ok
Plenty of Xerox printers share affected PS firmware update mechanism
32
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
33
Remote attacks can be used to extract data
34
Sent
by
Drive-
by
Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying
attachment
from
web
Malware exploits
internal netw or
extracts data
Spool
malicious
byte
stream
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Whatrsquos next solutions conclusions
35
Whatrsquos next PS + MSF + FS + Sockets = PWN
36
Solutions
37
Admins bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sanbox printers in your network bull Include MFPs in security audit lifecycle
Users bull Do not print from untrusted sources
Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs
Actor Suggested actions
Thanksresources
38
Personal thanks
Igor Marinescu MihaiSa Great logistic support and friendly help
Xerox Security Team Positive responses active mitigation
wwwtinajacom Insanely large free postscript resources dir
wwwanastigmatixnet Very good postscript resources
wwwacumentrainingcom Very good postscript resources
Take aways
39
Questions
Andrei Costin andreisrlabsde httpandreicostincompapers
Upcoming MFP attack could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Demo
40
Password setup is sniffed by the attacker
41
1) HTTP request ndash password clear text
2) HTTP reply
Demo
42
Attacker has access to network topology ndash no-scan
43
![Page 4: 28C3 - Hacking MFPs (part2)](https://reader035.vdocument.in/reader035/viewer/2022071602/613d6526736caf36b75cd2a1/html5/thumbnails/4.jpg)
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
3
MFPs carry large abuse potential
4
MFP hacking goes back to the 1960rsquos
5
ldquoSpies in the Xerox machinerdquo
The ldquomicrordquo-film camera marked X
Patent drawing 1967
Electronicshardware hacking
Modern printer hacking goes back almost a decade
6
Broader amp deeper printer hacking (irongeek)
Initial printer hacks (FXpH)
2002 2006
Revived printer hacking interest
This talk focuses mainly on remote code execution inside MFPsprinters
2011
In 2010 we demorsquod mapping public MFPs
7
httpwwwyoutubecomwatchv=t44GibiCoCM
hellip and generic MFP payload delivery using Word
8
httpwwwyoutubecomwatchv=KrWFOo2RAnk (there are false claims of some guys)
hellip and generic MFP payload delivery using Java
9
httpwwwyoutubecomwatchv=JcfxvZml6-Y
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
10
PostScript who Itrsquos Adobersquos PDF big brother
11
Adobe is the dominant PS implementation
12
Adobe PS interpreters
Other PS interpreters
Distribution of Postscript interpreters
Source Adobe specification supplement note
PS is build to handle complex processing tasks
13
Graphics amp patterns Complex math Web servers
Ray-tracing OpenGL Milling machine XML Parsers
File systems IO subsystems
PSgt ldquoshellrdquo ndash where
14
From the official Postscript specification ldquo244 Using the Interpreter Interactivelyrdquo
Debugging is enabled on most PS instances
15
PS-executive
debug enabled
PS-executive
debug disabledNA
PSgt ldquoshellrdquo ndash how
16
Code demo ndash telnet 19216801 9100 and dump this
PSgt ldquoshellrdquo ndash how
17
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
18
We needed a PS-based firmware upload
19
This is too good to be truehellip
20
VxWorks API vx
DebugQA API QA
Logging API EventLog
BillingMeters API meter
Pump PWM pumppwm
RAMdisk API ramdisk
RAM API ram
Flash API flash
Memory dumping reveals computing secrets
21
Demo
22
Admin restriction fail to prevent memory dumping
23
Demo
24
Basic auth password can be dumped
25
1) Authorization Basic YWRtaW4yOhellip
2) HTTP11 200 OK
HTTPS IPsec secrets are ldquoleakyrdquo as wellhellip
26
0x66306630663066306630663066302222
Demo
27
Attacker has access to printed document details
28
Demo
29
Attacker has access to BSD-style socketshellip
30
Two-way BSD-style sockets communication
Analyzed MFP cannot protect effectively
31
Privilege level separation
Secure password setup
Secure (basic) auth
HTTPS IPSEC secrets protection
Network topology protection
In-memory document protection
Restrict sockets on unprivileged modules
Protection measures Fail warn ok
Plenty of Xerox printers share affected PS firmware update mechanism
32
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
33
Remote attacks can be used to extract data
34
Sent
by
Drive-
by
Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying
attachment
from
web
Malware exploits
internal netw or
extracts data
Spool
malicious
byte
stream
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Whatrsquos next solutions conclusions
35
Whatrsquos next PS + MSF + FS + Sockets = PWN
36
Solutions
37
Admins bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sanbox printers in your network bull Include MFPs in security audit lifecycle
Users bull Do not print from untrusted sources
Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs
Actor Suggested actions
Thanksresources
38
Personal thanks
Igor Marinescu MihaiSa Great logistic support and friendly help
Xerox Security Team Positive responses active mitigation
wwwtinajacom Insanely large free postscript resources dir
wwwanastigmatixnet Very good postscript resources
wwwacumentrainingcom Very good postscript resources
Take aways
39
Questions
Andrei Costin andreisrlabsde httpandreicostincompapers
Upcoming MFP attack could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Demo
40
Password setup is sniffed by the attacker
41
1) HTTP request ndash password clear text
2) HTTP reply
Demo
42
Attacker has access to network topology ndash no-scan
43
![Page 5: 28C3 - Hacking MFPs (part2)](https://reader035.vdocument.in/reader035/viewer/2022071602/613d6526736caf36b75cd2a1/html5/thumbnails/5.jpg)
MFPs carry large abuse potential
4
MFP hacking goes back to the 1960rsquos
5
ldquoSpies in the Xerox machinerdquo
The ldquomicrordquo-film camera marked X
Patent drawing 1967
Electronicshardware hacking
Modern printer hacking goes back almost a decade
6
Broader amp deeper printer hacking (irongeek)
Initial printer hacks (FXpH)
2002 2006
Revived printer hacking interest
This talk focuses mainly on remote code execution inside MFPsprinters
2011
In 2010 we demorsquod mapping public MFPs
7
httpwwwyoutubecomwatchv=t44GibiCoCM
hellip and generic MFP payload delivery using Word
8
httpwwwyoutubecomwatchv=KrWFOo2RAnk (there are false claims of some guys)
hellip and generic MFP payload delivery using Java
9
httpwwwyoutubecomwatchv=JcfxvZml6-Y
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
10
PostScript who Itrsquos Adobersquos PDF big brother
11
Adobe is the dominant PS implementation
12
Adobe PS interpreters
Other PS interpreters
Distribution of Postscript interpreters
Source Adobe specification supplement note
PS is build to handle complex processing tasks
13
Graphics amp patterns Complex math Web servers
Ray-tracing OpenGL Milling machine XML Parsers
File systems IO subsystems
PSgt ldquoshellrdquo ndash where
14
From the official Postscript specification ldquo244 Using the Interpreter Interactivelyrdquo
Debugging is enabled on most PS instances
15
PS-executive
debug enabled
PS-executive
debug disabledNA
PSgt ldquoshellrdquo ndash how
16
Code demo ndash telnet 19216801 9100 and dump this
PSgt ldquoshellrdquo ndash how
17
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
18
We needed a PS-based firmware upload
19
This is too good to be truehellip
20
VxWorks API vx
DebugQA API QA
Logging API EventLog
BillingMeters API meter
Pump PWM pumppwm
RAMdisk API ramdisk
RAM API ram
Flash API flash
Memory dumping reveals computing secrets
21
Demo
22
Admin restriction fail to prevent memory dumping
23
Demo
24
Basic auth password can be dumped
25
1) Authorization Basic YWRtaW4yOhellip
2) HTTP11 200 OK
HTTPS IPsec secrets are ldquoleakyrdquo as wellhellip
26
0x66306630663066306630663066302222
Demo
27
Attacker has access to printed document details
28
Demo
29
Attacker has access to BSD-style socketshellip
30
Two-way BSD-style sockets communication
Analyzed MFP cannot protect effectively
31
Privilege level separation
Secure password setup
Secure (basic) auth
HTTPS IPSEC secrets protection
Network topology protection
In-memory document protection
Restrict sockets on unprivileged modules
Protection measures Fail warn ok
Plenty of Xerox printers share affected PS firmware update mechanism
32
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
33
Remote attacks can be used to extract data
34
Sent
by
Drive-
by
Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying
attachment
from
web
Malware exploits
internal netw or
extracts data
Spool
malicious
byte
stream
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Whatrsquos next solutions conclusions
35
Whatrsquos next PS + MSF + FS + Sockets = PWN
36
Solutions
37
Admins bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sanbox printers in your network bull Include MFPs in security audit lifecycle
Users bull Do not print from untrusted sources
Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs
Actor Suggested actions
Thanksresources
38
Personal thanks
Igor Marinescu MihaiSa Great logistic support and friendly help
Xerox Security Team Positive responses active mitigation
wwwtinajacom Insanely large free postscript resources dir
wwwanastigmatixnet Very good postscript resources
wwwacumentrainingcom Very good postscript resources
Take aways
39
Questions
Andrei Costin andreisrlabsde httpandreicostincompapers
Upcoming MFP attack could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Demo
40
Password setup is sniffed by the attacker
41
1) HTTP request ndash password clear text
2) HTTP reply
Demo
42
Attacker has access to network topology ndash no-scan
43
![Page 6: 28C3 - Hacking MFPs (part2)](https://reader035.vdocument.in/reader035/viewer/2022071602/613d6526736caf36b75cd2a1/html5/thumbnails/6.jpg)
MFP hacking goes back to the 1960rsquos
5
ldquoSpies in the Xerox machinerdquo
The ldquomicrordquo-film camera marked X
Patent drawing 1967
Electronicshardware hacking
Modern printer hacking goes back almost a decade
6
Broader amp deeper printer hacking (irongeek)
Initial printer hacks (FXpH)
2002 2006
Revived printer hacking interest
This talk focuses mainly on remote code execution inside MFPsprinters
2011
In 2010 we demorsquod mapping public MFPs
7
httpwwwyoutubecomwatchv=t44GibiCoCM
hellip and generic MFP payload delivery using Word
8
httpwwwyoutubecomwatchv=KrWFOo2RAnk (there are false claims of some guys)
hellip and generic MFP payload delivery using Java
9
httpwwwyoutubecomwatchv=JcfxvZml6-Y
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
10
PostScript who Itrsquos Adobersquos PDF big brother
11
Adobe is the dominant PS implementation
12
Adobe PS interpreters
Other PS interpreters
Distribution of Postscript interpreters
Source Adobe specification supplement note
PS is build to handle complex processing tasks
13
Graphics amp patterns Complex math Web servers
Ray-tracing OpenGL Milling machine XML Parsers
File systems IO subsystems
PSgt ldquoshellrdquo ndash where
14
From the official Postscript specification ldquo244 Using the Interpreter Interactivelyrdquo
Debugging is enabled on most PS instances
15
PS-executive
debug enabled
PS-executive
debug disabledNA
PSgt ldquoshellrdquo ndash how
16
Code demo ndash telnet 19216801 9100 and dump this
PSgt ldquoshellrdquo ndash how
17
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
18
We needed a PS-based firmware upload
19
This is too good to be truehellip
20
VxWorks API vx
DebugQA API QA
Logging API EventLog
BillingMeters API meter
Pump PWM pumppwm
RAMdisk API ramdisk
RAM API ram
Flash API flash
Memory dumping reveals computing secrets
21
Demo
22
Admin restriction fail to prevent memory dumping
23
Demo
24
Basic auth password can be dumped
25
1) Authorization Basic YWRtaW4yOhellip
2) HTTP11 200 OK
HTTPS IPsec secrets are ldquoleakyrdquo as wellhellip
26
0x66306630663066306630663066302222
Demo
27
Attacker has access to printed document details
28
Demo
29
Attacker has access to BSD-style socketshellip
30
Two-way BSD-style sockets communication
Analyzed MFP cannot protect effectively
31
Privilege level separation
Secure password setup
Secure (basic) auth
HTTPS IPSEC secrets protection
Network topology protection
In-memory document protection
Restrict sockets on unprivileged modules
Protection measures Fail warn ok
Plenty of Xerox printers share affected PS firmware update mechanism
32
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
33
Remote attacks can be used to extract data
34
Sent
by
Drive-
by
Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying
attachment
from
web
Malware exploits
internal netw or
extracts data
Spool
malicious
byte
stream
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Whatrsquos next solutions conclusions
35
Whatrsquos next PS + MSF + FS + Sockets = PWN
36
Solutions
37
Admins bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sanbox printers in your network bull Include MFPs in security audit lifecycle
Users bull Do not print from untrusted sources
Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs
Actor Suggested actions
Thanksresources
38
Personal thanks
Igor Marinescu MihaiSa Great logistic support and friendly help
Xerox Security Team Positive responses active mitigation
wwwtinajacom Insanely large free postscript resources dir
wwwanastigmatixnet Very good postscript resources
wwwacumentrainingcom Very good postscript resources
Take aways
39
Questions
Andrei Costin andreisrlabsde httpandreicostincompapers
Upcoming MFP attack could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Demo
40
Password setup is sniffed by the attacker
41
1) HTTP request ndash password clear text
2) HTTP reply
Demo
42
Attacker has access to network topology ndash no-scan
43
![Page 7: 28C3 - Hacking MFPs (part2)](https://reader035.vdocument.in/reader035/viewer/2022071602/613d6526736caf36b75cd2a1/html5/thumbnails/7.jpg)
Modern printer hacking goes back almost a decade
6
Broader amp deeper printer hacking (irongeek)
Initial printer hacks (FXpH)
2002 2006
Revived printer hacking interest
This talk focuses mainly on remote code execution inside MFPsprinters
2011
In 2010 we demorsquod mapping public MFPs
7
httpwwwyoutubecomwatchv=t44GibiCoCM
hellip and generic MFP payload delivery using Word
8
httpwwwyoutubecomwatchv=KrWFOo2RAnk (there are false claims of some guys)
hellip and generic MFP payload delivery using Java
9
httpwwwyoutubecomwatchv=JcfxvZml6-Y
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
10
PostScript who Itrsquos Adobersquos PDF big brother
11
Adobe is the dominant PS implementation
12
Adobe PS interpreters
Other PS interpreters
Distribution of Postscript interpreters
Source Adobe specification supplement note
PS is build to handle complex processing tasks
13
Graphics amp patterns Complex math Web servers
Ray-tracing OpenGL Milling machine XML Parsers
File systems IO subsystems
PSgt ldquoshellrdquo ndash where
14
From the official Postscript specification ldquo244 Using the Interpreter Interactivelyrdquo
Debugging is enabled on most PS instances
15
PS-executive
debug enabled
PS-executive
debug disabledNA
PSgt ldquoshellrdquo ndash how
16
Code demo ndash telnet 19216801 9100 and dump this
PSgt ldquoshellrdquo ndash how
17
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
18
We needed a PS-based firmware upload
19
This is too good to be true…
20
VxWorks API: vx
Debug/QA API: QA
Logging API: EventLog
Billing/Meters API: meter
Pump PWM: pumppwm
RAMdisk API: ramdisk
RAM API: ram
Flash API: flash
Memory dumping reveals computing secrets
21
Demo
22
Admin restriction fails to prevent memory dumping
23
Demo
24
Basic auth password can be dumped
25
1) Authorization: Basic YWRtaW4yO…
2) HTTP/1.1 200 OK
HTTPS/IPsec secrets are "leaky" as well…
26
0x66306630663066306630663066302222
Demo
27
Attacker has access to printed document details
28
Demo
29
Attacker has access to BSD-style sockets…
30
Two-way BSD-style sockets communication
Analyzed MFP cannot protect effectively
31
Protection measures (rated fail / warn / ok on the slide):
Privilege level separation
Secure password setup
Secure (basic) auth
HTTPS/IPsec secrets protection
Network topology protection
In-memory document protection
Restrict sockets on unprivileged modules
Plenty of Xerox printers share the affected PS firmware update mechanism
32
Agenda
1. Quick refresher
2. What about PostScript?
3. So, what and how did you find?
4. Attacks in a nutshell
5. Solutions and conclusions
33
Remote attacks can be used to extract data
34
[Diagram: Stage 1 – SocEng (sent by attachment, drive-by from web) → Stage 2 – Printing (spool malicious byte stream) → Stage 3 – Exploiting/spying (malware exploits internal network or extracts data)]
Agenda
1. Quick refresher
2. What about PostScript?
3. So, what and how did you find?
4. Attacks in a nutshell
5. What's next, solutions, conclusions
35
What's next? PS + MSF + FS + Sockets = PWN
36
Solutions
37
Actor: Suggested actions
Admins: • Disable Language Operator Authorization • Look for security bulletins and patch • Sandbox printers in your network • Include MFPs in security audit lifecycle
Users: • Do not print from untrusted sources
Vendors: • Create realistic MFP threat models • Do not enable/expose super-APIs
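As an added example (not the speaker's tooling), the following Python triage runs over constructed captures of raw port-9100 print traffic and flags the two interpreter-abuse patterns from the "PS> shell" slides, an interactive `executive` session and references to the vendor-private dictionaries listed on the "too good to be true" slide, plus jobs that reach the MFP without passing through the print server, which is the segmentation point of the Solutions table. The addresses and captures are constructed, and the assumption that the private APIs are referenced as PostScript names such as `/flash` is mine.

```python
"""Triage of raw port-9100 print traffic for the abuse patterns the talk
describes: an interactive PostScript 'executive' session, references to the
vendor-private dictionaries from the "too good to be true" slide, and jobs
that bypass the print server (segmentation). Added example, not the speaker's
tooling; the addresses and captures below are constructed."""
import re
from dataclasses import dataclass
from typing import Optional

# 'executive' switches the interpreter into interactive mode (PLRM 2.4.4).
# Driver-generated print jobs have no reason to call it.
EXECUTIVE_RE = re.compile(r"(?<![\w/])executive(?!\w)")

# Names listed on the "too good to be true" slide. Assumption: the firmware
# exposes them as PostScript names, so a job touches them as "/flash" etc.
PRIVATE_DICTS = ("vx", "QA", "EventLog", "meter", "pumppwm",
                 "ramdisk", "ram", "flash")
PRIVATE_DICT_RE = re.compile(
    r"/(" + "|".join(sorted(PRIVATE_DICTS, key=len, reverse=True)) + r")(?!\w)")

# Only the print server should open port 9100 on an MFP (constructed address).
ALLOWED_SOURCES = {"10.0.5.10"}


@dataclass
class Finding:
    src: str
    severity: str   # "high": interpreter abuse; "medium": segmentation policy only
    reasons: list


def strip_comments(ps_text: str) -> str:
    """Drop '%' comments so DSC headers and driver banners cannot trigger matches.
    Crude on purpose: it also eats '%' inside string literals, acceptable for triage."""
    return re.sub(r"%[^\n]*", "", ps_text)


def triage_job(src: str, payload: bytes) -> Optional[Finding]:
    """Return a Finding for one captured job, or None when it looks like a normal print."""
    text = strip_comments(payload.decode("latin-1"))  # PS is 8-bit; latin-1 never raises
    reasons = []
    if EXECUTIVE_RE.search(text):
        reasons.append("interactive 'executive' session opened on the PS interpreter")
    dicts = sorted({m.group(1) for m in PRIVATE_DICT_RE.finditer(text)})
    if dicts:
        reasons.append("job references vendor-private dictionaries: " + ", ".join(dicts))
    abuse = bool(reasons)
    if src not in ALLOWED_SOURCES:
        reasons.append(f"direct-to-printer job from {src} bypasses the print server")
    if not reasons:
        return None
    return Finding(src, "high" if abuse else "medium", reasons)


# Constructed captures: (source address, raw bytes sent to TCP/9100).
SAMPLE_CAPTURES = [
    # ordinary driver job from the print server: no finding
    ("10.0.5.10", b"%!PS-Adobe-3.0\n%%Title: quarterly-report.docx\n"
                  b"/Helvetica findfont 12 scalefont setfont\n"
                  b"72 720 moveto (Q3 figures) show\nshowpage\n"),
    # workstation opens the interactive interpreter and probes private dicts
    ("10.0.7.42", b"executive\n/flash where { pop } if\n/ram where { pop } if\n"),
    # harmless content, but sent straight to the MFP from a workstation
    ("10.0.7.42", b"%!PS-Adobe-3.0\n72 720 moveto (hello) show\nshowpage\n"),
    # the keyword only inside a comment must not fire
    ("10.0.5.10", b"%!PS-Adobe-3.0\n% executive mode is never used here\nshowpage\n"),
]


def triage_capture(captures=SAMPLE_CAPTURES):
    """Run triage over (src, payload) pairs and keep only the findings, in order."""
    return [f for f in (triage_job(src, p) for src, p in captures) if f]


if __name__ == "__main__":
    for f in triage_capture():
        print(f"[{f.severity}] {f.src}: " + "; ".join(f.reasons))
```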
Thanks/resources
38
Personal thanks
Igor Marinescu, MihaiSa: Great logistic support and friendly help
Xerox Security Team: Positive responses, active mitigation
www.tinaja.com: Insanely large free PostScript resources dir
www.anastigmatix.net: Very good PostScript resources
www.acumentraining.com: Very good PostScript resources
Take aways
39
Upcoming MFP attacks could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation, strong credentials and continuous vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Questions?
Andrei Costin, andrei@srlabs.de, http://andreicostin.com/papers
Demo
40
Password setup is sniffed by the attacker
41
1) HTTP request – password in clear text
2) HTTP reply
Demo
42
Attacker has access to network topology – no-scan
43
![Page 8: 28C3 - Hacking MFPs (part2)](https://reader035.vdocument.in/reader035/viewer/2022071602/613d6526736caf36b75cd2a1/html5/thumbnails/8.jpg)
In 2010 we demorsquod mapping public MFPs
7
httpwwwyoutubecomwatchv=t44GibiCoCM
hellip and generic MFP payload delivery using Word
8
httpwwwyoutubecomwatchv=KrWFOo2RAnk (there are false claims of some guys)
hellip and generic MFP payload delivery using Java
9
httpwwwyoutubecomwatchv=JcfxvZml6-Y
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
10
PostScript who Itrsquos Adobersquos PDF big brother
11
Adobe is the dominant PS implementation
12
Adobe PS interpreters
Other PS interpreters
Distribution of Postscript interpreters
Source Adobe specification supplement note
PS is build to handle complex processing tasks
13
Graphics amp patterns Complex math Web servers
Ray-tracing OpenGL Milling machine XML Parsers
File systems IO subsystems
PSgt ldquoshellrdquo ndash where
14
From the official Postscript specification ldquo244 Using the Interpreter Interactivelyrdquo
Debugging is enabled on most PS instances
15
PS-executive
debug enabled
PS-executive
debug disabledNA
PSgt ldquoshellrdquo ndash how
16
Code demo ndash telnet 19216801 9100 and dump this
PSgt ldquoshellrdquo ndash how
17
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
18
We needed a PS-based firmware upload
19
This is too good to be truehellip
20
VxWorks API vx
DebugQA API QA
Logging API EventLog
BillingMeters API meter
Pump PWM pumppwm
RAMdisk API ramdisk
RAM API ram
Flash API flash
Memory dumping reveals computing secrets
21
Demo
22
Admin restriction fail to prevent memory dumping
23
Demo
24
Basic auth password can be dumped
25
1) Authorization Basic YWRtaW4yOhellip
2) HTTP11 200 OK
HTTPS IPsec secrets are ldquoleakyrdquo as wellhellip
26
0x66306630663066306630663066302222
Demo
27
Attacker has access to printed document details
28
Demo
29
Attacker has access to BSD-style socketshellip
30
Two-way BSD-style sockets communication
Analyzed MFP cannot protect effectively
31
Privilege level separation
Secure password setup
Secure (basic) auth
HTTPS IPSEC secrets protection
Network topology protection
In-memory document protection
Restrict sockets on unprivileged modules
Protection measures Fail warn ok
Plenty of Xerox printers share affected PS firmware update mechanism
32
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
33
Remote attacks can be used to extract data
34
Sent
by
Drive-
by
Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying
attachment
from
web
Malware exploits
internal netw or
extracts data
Spool
malicious
byte
stream
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Whatrsquos next solutions conclusions
35
Whatrsquos next PS + MSF + FS + Sockets = PWN
36
Solutions
37
Admins bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sanbox printers in your network bull Include MFPs in security audit lifecycle
Users bull Do not print from untrusted sources
Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs
Actor Suggested actions
Thanksresources
38
Personal thanks
Igor Marinescu MihaiSa Great logistic support and friendly help
Xerox Security Team Positive responses active mitigation
wwwtinajacom Insanely large free postscript resources dir
wwwanastigmatixnet Very good postscript resources
wwwacumentrainingcom Very good postscript resources
Take aways
39
Questions
Andrei Costin andreisrlabsde httpandreicostincompapers
Upcoming MFP attack could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Demo
40
Password setup is sniffed by the attacker
41
1) HTTP request ndash password clear text
2) HTTP reply
Demo
42
Attacker has access to network topology ndash no-scan
43
![Page 9: 28C3 - Hacking MFPs (part2)](https://reader035.vdocument.in/reader035/viewer/2022071602/613d6526736caf36b75cd2a1/html5/thumbnails/9.jpg)
hellip and generic MFP payload delivery using Word
8
httpwwwyoutubecomwatchv=KrWFOo2RAnk (there are false claims of some guys)
hellip and generic MFP payload delivery using Java
9
httpwwwyoutubecomwatchv=JcfxvZml6-Y
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
10
PostScript who Itrsquos Adobersquos PDF big brother
11
Adobe is the dominant PS implementation
12
Adobe PS interpreters
Other PS interpreters
Distribution of Postscript interpreters
Source Adobe specification supplement note
PS is build to handle complex processing tasks
13
Graphics amp patterns Complex math Web servers
Ray-tracing OpenGL Milling machine XML Parsers
File systems IO subsystems
PSgt ldquoshellrdquo ndash where
14
From the official Postscript specification ldquo244 Using the Interpreter Interactivelyrdquo
Debugging is enabled on most PS instances
15
PS-executive
debug enabled
PS-executive
debug disabledNA
PSgt ldquoshellrdquo ndash how
16
Code demo ndash telnet 19216801 9100 and dump this
PSgt ldquoshellrdquo ndash how
17
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
18
We needed a PS-based firmware upload
19
This is too good to be truehellip
20
VxWorks API vx
DebugQA API QA
Logging API EventLog
BillingMeters API meter
Pump PWM pumppwm
RAMdisk API ramdisk
RAM API ram
Flash API flash
Memory dumping reveals computing secrets
21
Demo
22
Admin restriction fail to prevent memory dumping
23
Demo
24
Basic auth password can be dumped
25
1) Authorization Basic YWRtaW4yOhellip
2) HTTP11 200 OK
HTTPS IPsec secrets are ldquoleakyrdquo as wellhellip
26
0x66306630663066306630663066302222
Demo
27
Attacker has access to printed document details
28
Demo
29
Attacker has access to BSD-style socketshellip
30
Two-way BSD-style sockets communication
Analyzed MFP cannot protect effectively
31
Privilege level separation
Secure password setup
Secure (basic) auth
HTTPS IPSEC secrets protection
Network topology protection
In-memory document protection
Restrict sockets on unprivileged modules
Protection measures Fail warn ok
Plenty of Xerox printers share affected PS firmware update mechanism
32
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
33
Remote attacks can be used to extract data
34
Sent
by
Drive-
by
Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying
attachment
from
web
Malware exploits
internal netw or
extracts data
Spool
malicious
byte
stream
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Whatrsquos next solutions conclusions
35
Whatrsquos next PS + MSF + FS + Sockets = PWN
36
Solutions
37
Admins bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sanbox printers in your network bull Include MFPs in security audit lifecycle
Users bull Do not print from untrusted sources
Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs
Actor Suggested actions
Thanksresources
38
Personal thanks
Igor Marinescu MihaiSa Great logistic support and friendly help
Xerox Security Team Positive responses active mitigation
wwwtinajacom Insanely large free postscript resources dir
wwwanastigmatixnet Very good postscript resources
wwwacumentrainingcom Very good postscript resources
Take aways
39
Questions
Andrei Costin andreisrlabsde httpandreicostincompapers
Upcoming MFP attack could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Demo
40
Password setup is sniffed by the attacker
41
1) HTTP request ndash password clear text
2) HTTP reply
Demo
42
Attacker has access to network topology ndash no-scan
43
![Page 10: 28C3 - Hacking MFPs (part2)](https://reader035.vdocument.in/reader035/viewer/2022071602/613d6526736caf36b75cd2a1/html5/thumbnails/10.jpg)
hellip and generic MFP payload delivery using Java
9
httpwwwyoutubecomwatchv=JcfxvZml6-Y
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
10
PostScript who Itrsquos Adobersquos PDF big brother
11
Adobe is the dominant PS implementation
12
Adobe PS interpreters
Other PS interpreters
Distribution of Postscript interpreters
Source Adobe specification supplement note
PS is build to handle complex processing tasks
13
Graphics amp patterns Complex math Web servers
Ray-tracing OpenGL Milling machine XML Parsers
File systems IO subsystems
PSgt ldquoshellrdquo ndash where
14
From the official Postscript specification ldquo244 Using the Interpreter Interactivelyrdquo
Debugging is enabled on most PS instances
15
PS-executive
debug enabled
PS-executive
debug disabledNA
PSgt ldquoshellrdquo ndash how
16
Code demo ndash telnet 19216801 9100 and dump this
PSgt ldquoshellrdquo ndash how
17
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
18
We needed a PS-based firmware upload
19
This is too good to be truehellip
20
VxWorks API vx
DebugQA API QA
Logging API EventLog
BillingMeters API meter
Pump PWM pumppwm
RAMdisk API ramdisk
RAM API ram
Flash API flash
Memory dumping reveals computing secrets
21
Demo
22
Admin restriction fail to prevent memory dumping
23
Demo
24
Basic auth password can be dumped
25
1) Authorization Basic YWRtaW4yOhellip
2) HTTP11 200 OK
HTTPS IPsec secrets are ldquoleakyrdquo as wellhellip
26
0x66306630663066306630663066302222
Demo
27
Attacker has access to printed document details
28
Demo
29
Attacker has access to BSD-style socketshellip
30
Two-way BSD-style sockets communication
Analyzed MFP cannot protect effectively
31
Privilege level separation
Secure password setup
Secure (basic) auth
HTTPS IPSEC secrets protection
Network topology protection
In-memory document protection
Restrict sockets on unprivileged modules
Protection measures Fail warn ok
Plenty of Xerox printers share affected PS firmware update mechanism
32
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
33
Remote attacks can be used to extract data
34
Sent
by
Drive-
by
Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying
attachment
from
web
Malware exploits
internal netw or
extracts data
Spool
malicious
byte
stream
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Whatrsquos next solutions conclusions
35
Whatrsquos next PS + MSF + FS + Sockets = PWN
36
Solutions
37
Admins bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sanbox printers in your network bull Include MFPs in security audit lifecycle
Users bull Do not print from untrusted sources
Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs
Actor Suggested actions
Thanksresources
38
Personal thanks
Igor Marinescu MihaiSa Great logistic support and friendly help
Xerox Security Team Positive responses active mitigation
wwwtinajacom Insanely large free postscript resources dir
wwwanastigmatixnet Very good postscript resources
wwwacumentrainingcom Very good postscript resources
Take aways
39
Questions
Andrei Costin andreisrlabsde httpandreicostincompapers
Upcoming MFP attack could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Demo
40
Password setup is sniffed by the attacker
41
1) HTTP request ndash password clear text
2) HTTP reply
Demo
42
Attacker has access to network topology ndash no-scan
43
![Page 11: 28C3 - Hacking MFPs (part2)](https://reader035.vdocument.in/reader035/viewer/2022071602/613d6526736caf36b75cd2a1/html5/thumbnails/11.jpg)
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
10
PostScript who Itrsquos Adobersquos PDF big brother
11
Adobe is the dominant PS implementation
12
Adobe PS interpreters
Other PS interpreters
Distribution of Postscript interpreters
Source Adobe specification supplement note
PS is build to handle complex processing tasks
13
Graphics amp patterns Complex math Web servers
Ray-tracing OpenGL Milling machine XML Parsers
File systems IO subsystems
PSgt ldquoshellrdquo ndash where
14
From the official Postscript specification ldquo244 Using the Interpreter Interactivelyrdquo
Debugging is enabled on most PS instances
15
PS-executive
debug enabled
PS-executive
debug disabledNA
PSgt ldquoshellrdquo ndash how
16
Code demo ndash telnet 19216801 9100 and dump this
PSgt ldquoshellrdquo ndash how
17
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
18
We needed a PS-based firmware upload
19
This is too good to be truehellip
20
VxWorks API vx
DebugQA API QA
Logging API EventLog
BillingMeters API meter
Pump PWM pumppwm
RAMdisk API ramdisk
RAM API ram
Flash API flash
Memory dumping reveals computing secrets
21
Demo
22
Admin restriction fail to prevent memory dumping
23
Demo
24
Basic auth password can be dumped
25
1) Authorization Basic YWRtaW4yOhellip
2) HTTP11 200 OK
HTTPS IPsec secrets are ldquoleakyrdquo as wellhellip
26
0x66306630663066306630663066302222
Demo
27
Attacker has access to printed document details
28
Demo
29
Attacker has access to BSD-style socketshellip
30
Two-way BSD-style sockets communication
Analyzed MFP cannot protect effectively
31
Privilege level separation
Secure password setup
Secure (basic) auth
HTTPS IPSEC secrets protection
Network topology protection
In-memory document protection
Restrict sockets on unprivileged modules
Protection measures Fail warn ok
Plenty of Xerox printers share affected PS firmware update mechanism
32
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
33
Remote attacks can be used to extract data
34
Sent
by
Drive-
by
Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying
attachment
from
web
Malware exploits
internal netw or
extracts data
Spool
malicious
byte
stream
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Whatrsquos next solutions conclusions
35
Whatrsquos next PS + MSF + FS + Sockets = PWN
36
Solutions
37
Admins bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sanbox printers in your network bull Include MFPs in security audit lifecycle
Users bull Do not print from untrusted sources
Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs
Actor Suggested actions
Thanksresources
38
Personal thanks
Igor Marinescu MihaiSa Great logistic support and friendly help
Xerox Security Team Positive responses active mitigation
wwwtinajacom Insanely large free postscript resources dir
wwwanastigmatixnet Very good postscript resources
wwwacumentrainingcom Very good postscript resources
Take aways
39
Questions
Andrei Costin andreisrlabsde httpandreicostincompapers
Upcoming MFP attack could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Demo
40
Password setup is sniffed by the attacker
41
1) HTTP request ndash password clear text
2) HTTP reply
Demo
42
Attacker has access to network topology ndash no-scan
43
![Page 12: 28C3 - Hacking MFPs (part2)](https://reader035.vdocument.in/reader035/viewer/2022071602/613d6526736caf36b75cd2a1/html5/thumbnails/12.jpg)
PostScript who Itrsquos Adobersquos PDF big brother
11
Adobe is the dominant PS implementation
12
Adobe PS interpreters
Other PS interpreters
Distribution of Postscript interpreters
Source Adobe specification supplement note
PS is build to handle complex processing tasks
13
Graphics amp patterns Complex math Web servers
Ray-tracing OpenGL Milling machine XML Parsers
File systems IO subsystems
PSgt ldquoshellrdquo ndash where
14
From the official Postscript specification ldquo244 Using the Interpreter Interactivelyrdquo
Debugging is enabled on most PS instances
15
PS-executive
debug enabled
PS-executive
debug disabledNA
PSgt ldquoshellrdquo ndash how
16
Code demo ndash telnet 19216801 9100 and dump this
PSgt ldquoshellrdquo ndash how
17
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
18
We needed a PS-based firmware upload
19
This is too good to be truehellip
20
VxWorks API vx
DebugQA API QA
Logging API EventLog
BillingMeters API meter
Pump PWM pumppwm
RAMdisk API ramdisk
RAM API ram
Flash API flash
Memory dumping reveals computing secrets
21
Demo
22
Admin restriction fail to prevent memory dumping
23
Demo
24
Basic auth password can be dumped
25
1) Authorization Basic YWRtaW4yOhellip
2) HTTP11 200 OK
HTTPS IPsec secrets are ldquoleakyrdquo as wellhellip
26
0x66306630663066306630663066302222
Demo
27
Attacker has access to printed document details
28
Demo
29
Attacker has access to BSD-style socketshellip
30
Two-way BSD-style sockets communication
Analyzed MFP cannot protect effectively
31
Privilege level separation
Secure password setup
Secure (basic) auth
HTTPS IPSEC secrets protection
Network topology protection
In-memory document protection
Restrict sockets on unprivileged modules
Protection measures Fail warn ok
Plenty of Xerox printers share affected PS firmware update mechanism
32
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
33
Remote attacks can be used to extract data
34
Sent
by
Drive-
by
Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying
attachment
from
web
Malware exploits
internal netw or
extracts data
Spool
malicious
byte
stream
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Whatrsquos next solutions conclusions
35
Whatrsquos next PS + MSF + FS + Sockets = PWN
36
Solutions
37
Admins bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sanbox printers in your network bull Include MFPs in security audit lifecycle
Users bull Do not print from untrusted sources
Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs
Actor Suggested actions
Thanksresources
38
Personal thanks
Igor Marinescu MihaiSa Great logistic support and friendly help
Xerox Security Team Positive responses active mitigation
wwwtinajacom Insanely large free postscript resources dir
wwwanastigmatixnet Very good postscript resources
wwwacumentrainingcom Very good postscript resources
Take aways
39
Questions
Andrei Costin andreisrlabsde httpandreicostincompapers
Upcoming MFP attack could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Demo
40
Password setup is sniffed by the attacker
41
1) HTTP request ndash password clear text
2) HTTP reply
Demo
42
Attacker has access to network topology ndash no-scan
43
![Page 13: 28C3 - Hacking MFPs (part2)](https://reader035.vdocument.in/reader035/viewer/2022071602/613d6526736caf36b75cd2a1/html5/thumbnails/13.jpg)
Adobe is the dominant PS implementation
12
Adobe PS interpreters
Other PS interpreters
Distribution of Postscript interpreters
Source Adobe specification supplement note
PS is build to handle complex processing tasks
13
Graphics amp patterns Complex math Web servers
Ray-tracing OpenGL Milling machine XML Parsers
File systems IO subsystems
PSgt ldquoshellrdquo ndash where
14
From the official Postscript specification ldquo244 Using the Interpreter Interactivelyrdquo
Debugging is enabled on most PS instances
15
PS-executive
debug enabled
PS-executive
debug disabledNA
PSgt ldquoshellrdquo ndash how
16
Code demo ndash telnet 19216801 9100 and dump this
PSgt ldquoshellrdquo ndash how
17
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
18
We needed a PS-based firmware upload
19
This is too good to be truehellip
20
VxWorks API vx
DebugQA API QA
Logging API EventLog
BillingMeters API meter
Pump PWM pumppwm
RAMdisk API ramdisk
RAM API ram
Flash API flash
Memory dumping reveals computing secrets
21
Demo
22
Admin restriction fail to prevent memory dumping
23
Demo
24
Basic auth password can be dumped
25
1) Authorization Basic YWRtaW4yOhellip
2) HTTP11 200 OK
HTTPS IPsec secrets are ldquoleakyrdquo as wellhellip
26
0x66306630663066306630663066302222
Demo
27
Attacker has access to printed document details
28
Demo
29
Attacker has access to BSD-style socketshellip
30
Two-way BSD-style sockets communication
Analyzed MFP cannot protect effectively
31
Privilege level separation
Secure password setup
Secure (basic) auth
HTTPS IPSEC secrets protection
Network topology protection
In-memory document protection
Restrict sockets on unprivileged modules
Protection measures Fail warn ok
Plenty of Xerox printers share affected PS firmware update mechanism
32
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
33
Remote attacks can be used to extract data
34
Sent
by
Drive-
by
Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying
attachment
from
web
Malware exploits
internal netw or
extracts data
Spool
malicious
byte
stream
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Whatrsquos next solutions conclusions
35
Whatrsquos next PS + MSF + FS + Sockets = PWN
36
Solutions
37
Admins bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sanbox printers in your network bull Include MFPs in security audit lifecycle
Users bull Do not print from untrusted sources
Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs
Actor Suggested actions
Thanksresources
38
Personal thanks
Igor Marinescu MihaiSa Great logistic support and friendly help
Xerox Security Team Positive responses active mitigation
wwwtinajacom Insanely large free postscript resources dir
wwwanastigmatixnet Very good postscript resources
wwwacumentrainingcom Very good postscript resources
Take aways
39
Questions
Andrei Costin andreisrlabsde httpandreicostincompapers
Upcoming MFP attack could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Demo
40
Password setup is sniffed by the attacker
41
1) HTTP request ndash password clear text
2) HTTP reply
Demo
42
Attacker has access to network topology ndash no-scan
43
![Page 14: 28C3 - Hacking MFPs (part2)](https://reader035.vdocument.in/reader035/viewer/2022071602/613d6526736caf36b75cd2a1/html5/thumbnails/14.jpg)
PS is build to handle complex processing tasks
13
Graphics amp patterns Complex math Web servers
Ray-tracing OpenGL Milling machine XML Parsers
File systems IO subsystems
PSgt ldquoshellrdquo ndash where
14
From the official Postscript specification ldquo244 Using the Interpreter Interactivelyrdquo
Debugging is enabled on most PS instances
15
PS-executive
debug enabled
PS-executive
debug disabledNA
PSgt ldquoshellrdquo ndash how
16
Code demo ndash telnet 19216801 9100 and dump this
PSgt ldquoshellrdquo ndash how
17
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
18
We needed a PS-based firmware upload
19
This is too good to be truehellip
20
VxWorks API vx
DebugQA API QA
Logging API EventLog
BillingMeters API meter
Pump PWM pumppwm
RAMdisk API ramdisk
RAM API ram
Flash API flash
Memory dumping reveals computing secrets
21
Demo
22
Admin restriction fail to prevent memory dumping
23
Demo
24
Basic auth password can be dumped
25
1) Authorization Basic YWRtaW4yOhellip
2) HTTP11 200 OK
HTTPS IPsec secrets are ldquoleakyrdquo as wellhellip
26
0x66306630663066306630663066302222
Demo
27
Attacker has access to printed document details
28
Demo
29
Attacker has access to BSD-style socketshellip
30
Two-way BSD-style sockets communication
Analyzed MFP cannot protect effectively
31
Privilege level separation
Secure password setup
Secure (basic) auth
HTTPS IPSEC secrets protection
Network topology protection
In-memory document protection
Restrict sockets on unprivileged modules
Protection measures Fail warn ok
Plenty of Xerox printers share affected PS firmware update mechanism
32
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
33
Remote attacks can be used to extract data
34
Sent
by
Drive-
by
Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying
attachment
from
web
Malware exploits
internal netw or
extracts data
Spool
malicious
byte
stream
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Whatrsquos next solutions conclusions
35
Whatrsquos next PS + MSF + FS + Sockets = PWN
36
Solutions
37
Admins bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sanbox printers in your network bull Include MFPs in security audit lifecycle
Users bull Do not print from untrusted sources
Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs
Actor Suggested actions
Thanksresources
38
Personal thanks
Igor Marinescu MihaiSa Great logistic support and friendly help
Xerox Security Team Positive responses active mitigation
wwwtinajacom Insanely large free postscript resources dir
wwwanastigmatixnet Very good postscript resources
wwwacumentrainingcom Very good postscript resources
Take aways
39
Questions
Andrei Costin andreisrlabsde httpandreicostincompapers
Upcoming MFP attack could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Demo
40
Password setup is sniffed by the attacker
41
1) HTTP request ndash password clear text
2) HTTP reply
Demo
42
Attacker has access to network topology ndash no-scan
43
![Page 15: 28C3 - Hacking MFPs (part2)](https://reader035.vdocument.in/reader035/viewer/2022071602/613d6526736caf36b75cd2a1/html5/thumbnails/15.jpg)
PSgt ldquoshellrdquo ndash where
14
From the official Postscript specification ldquo244 Using the Interpreter Interactivelyrdquo
Debugging is enabled on most PS instances
15
PS-executive
debug enabled
PS-executive
debug disabledNA
PSgt ldquoshellrdquo ndash how
16
Code demo ndash telnet 19216801 9100 and dump this
PSgt ldquoshellrdquo ndash how
17
Agenda
1 Quick refresher
Slide 15: Debugging is enabled on most PS instances
Chart legend: PS-executive debug enabled / PS-executive debug disabled or N/A

Slide 16: PS> "shell" – how
Code demo – telnet 192.168.0.1 9100 and dump this

Slide 17: PS> "shell" – how

Slide 18: Agenda
1. Quick refresher
2. What about PostScript?
3. So what and how did you find?
4. Attacks in a nutshell
5. Solutions and conclusions

Slide 19: We needed a PS-based firmware upload

Slide 20: This is too good to be true…
VxWorks API (vx)
Debug/QA API (QA)
Logging API (EventLog)
BillingMeters API (meter)
Pump PWM (pumppwm)
RAMdisk API (ramdisk)
RAM API (ram)
Flash API (flash)

Slide 21: Memory dumping reveals computing secrets

Slide 22: Demo

Slide 23: Admin restriction fails to prevent memory dumping

Slide 24: Demo

Slide 25: Basic auth password can be dumped
1) Authorization: Basic YWRtaW4yO…
2) HTTP/1.1 200 OK

Slide 26: HTTPS/IPsec secrets are "leaky" as well…
0x66306630663066306630663066302222

Slide 27: Demo

Slide 28: Attacker has access to printed document details

Slide 29: Demo

Slide 30: Attacker has access to BSD-style sockets…
Two-way BSD-style sockets communication

Slide 31: Analyzed MFP cannot protect effectively
Protection measures (each rated Fail / warn / ok on the slide):
- Privilege level separation
- Secure password setup
- Secure (basic) auth
- HTTPS/IPsec secrets protection
- Network topology protection
- In-memory document protection
- Restrict sockets on unprivileged modules

Slide 32: Plenty of Xerox printers share the affected PS firmware update mechanism

Slide 33: Agenda
1. Quick refresher
2. What about PostScript?
3. So what and how did you find?
4. Attacks in a nutshell
5. Solutions and conclusions

Slide 34: Remote attacks can be used to extract data
Stage 1 – SocEng: sent by attachment, or drive-by from web
Stage 2 – Printing: spool malicious byte stream
Stage 3 – Exploiting/spying: malware exploits internal network or extracts data

Slide 35: Agenda
1. Quick refresher
2. What about PostScript?
3. So what and how did you find?
4. Attacks in a nutshell
5. What's next, solutions, conclusions

Slide 36: What's next: PS + MSF + FS + Sockets = PWN

Slide 37: Solutions
Actor – Suggested actions
Admins:
- Disable Language Operator Authorization
- Look for security bulletins and patch
- Sandbox printers in your network
- Include MFPs in the security audit lifecycle
Users:
- Do not print from untrusted sources
Vendors:
- Create realistic MFP threat models
- Do not enable/expose super-APIs
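Added example (not from the talk or any vendor): a policy check over constructed flow records that encodes the admin advice above, treating the MFP as the socket-capable host slides 30 and 34 describe. It flags user hosts that reach the job port directly, clear-text management ports, web-UI access from outside the admin net, and any printer-initiated connection outside a small allow-list. Addresses, port sets and the allow-list are assumptions for a lab network.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


# Assumed lab addressing for this example; replace with your own ranges.
MFP_HOSTS = {"10.10.50.21", "10.10.50.22"}                    # the printers
PRINT_SERVERS = ipaddress.ip_network("10.10.10.0/28")         # spoolers that may submit jobs
ADMIN_NET = ipaddress.ip_network("10.10.1.0/24")              # hosts that may use the web UI
MFP_EGRESS_ALLOW = {("10.10.10.5", 25), ("10.10.10.53", 53)}  # SMTP relay and DNS only
JOB_PORTS = {9100, 515, 631}          # raw / LPD / IPP job submission
CLEARTEXT_MGMT_PORTS = {23, 80}       # telnet and plain-HTTP admin: never acceptable


def _in(net: ipaddress.IPv4Network, ip: str) -> bool:
    return ipaddress.ip_address(ip) in net


def classify(flow: Flow) -> Optional[str]:
    """Return an alert string for a flow that violates the policy, else None."""
    if flow.src in MFP_HOSTS:
        # An MFP with two-way BSD sockets can open connections on its own;
        # anything beyond the services it genuinely needs is suspect.
        if (flow.dst, flow.dport) in MFP_EGRESS_ALLOW:
            return None
        return (f"egress: MFP {flow.src} opened {flow.proto}/{flow.dport} to {flow.dst} "
                f"(printer-initiated connection, possible data extraction)")
    if flow.dst in MFP_HOSTS:
        if flow.dport in CLEARTEXT_MGMT_PORTS:
            return f"cleartext-mgmt: {flow.src} -> MFP {flow.dst} port {flow.dport}"
        if flow.dport in JOB_PORTS:
            # Whatever can reach the job port can feed the PS interpreter directly,
            # so only the print servers are allowed to.
            if _in(PRINT_SERVERS, flow.src):
                return None
            return (f"raw-job: {flow.src} is not a print server but sent a job "
                    f"to MFP {flow.dst}:{flow.dport}")
        if flow.dport == 443:
            if _in(ADMIN_NET, flow.src):
                return None
            return f"admin-ui: {flow.src} outside the admin net reached MFP {flow.dst} web UI"
        return f"unexpected-port: {flow.src} -> MFP {flow.dst}:{flow.dport}"
    return None  # neither endpoint is an MFP: out of scope for this check


def evaluate(flows: List[Flow]) -> List[str]:
    """Alerts, in input order, for every flow that breaks the segmentation policy."""
    return [alert for alert in map(classify, flows) if alert]


# Constructed flow records (e.g. exported from a firewall or NetFlow collector).
SAMPLE_FLOWS = [
    Flow("10.10.20.15", "10.10.50.21", 9100),  # user workstation straight to the job port
    Flow("10.10.10.3", "10.10.50.21", 9100),   # print server: allowed
    Flow("10.10.20.15", "10.10.50.22", 80),    # admin UI over plain HTTP
    Flow("10.10.50.21", "10.10.10.5", 25),     # scan-to-email relay: allowed
    Flow("10.10.50.21", "203.0.113.9", 443),   # MFP calling out to the Internet
    Flow("10.10.1.7", "10.10.50.21", 443),     # admin host to web UI: allowed
    Flow("10.10.20.15", "10.10.20.16", 445),   # no MFP involved: ignored
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_FLOWS):
        print(alert)
```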
Slide 38: Thanks/resources
Personal thanks:
- Igor Marinescu, MihaiSa – Great logistic support and friendly help
- Xerox Security Team – Positive responses, active mitigation
- www.tinaja.com – Insanely large free PostScript resources dir
- www.anastigmatix.net – Very good PostScript resources
- www.acumentraining.com – Very good PostScript resources

Slide 39: Takeaways
- Upcoming MFP attacks could include viruses in Office and PS documents that extract organization data
- Securing the MFP infrastructure requires better segmentation, strong credentials and continuous vulnerability patching
- MFPs are badly secured computing platforms with large abuse potential

Questions?
Andrei Costin <andrei@srlabs.de> http://andreicostin.com/papers

Slide 40: Demo

Slide 41: Password setup is sniffed by the attacker
1) HTTP request – password in clear text
2) HTTP reply
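Added example (not the author's code) covering the two credential slides, 25 and 41: an audit over constructed captures of requests to an MFP's admin web UI that flags Basic authentication headers and password form fields, reporting the account name and only the length of the secret. The paths, form field names and the sample credential are constructed for the example.

```python
import base64
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qsl

# Form field names that typically carry a credential on an admin web UI.
# Assumed list for this example; add the field names your MFP's forms use.
PASSWORD_FIELDS = {"password", "passwd", "pwd", "newpassword", "adminpassword"}


@dataclass
class Finding:
    kind: str            # "basic-auth" or "form-password"
    user: Optional[str]  # account name when it can be recovered
    secret_len: int      # only the length is recorded, never the secret
    detail: str


def split_request(raw: str):
    """Split a raw HTTP request into (request line, lower-cased header dict, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def audit_request(raw: str, over_tls: bool) -> List[Finding]:
    """Flag credentials an observer could read.  Basic auth is flagged even
    over TLS: the header is base64, not encryption, and slide 25 shows it
    being recovered from the device's RAM; the finding says where it is exposed."""
    findings: List[Finding] = []
    request_line, headers, body = split_request(raw)

    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        parts = auth.split(None, 1)
        token = parts[1] if len(parts) > 1 else ""
        try:
            decoded = base64.b64decode(token, validate=True).decode("latin-1")
            user, _, secret = decoded.partition(":")
        except ValueError:  # binascii.Error is a ValueError: bad padding or characters
            user, secret = None, ""
        where = "in device memory" if over_tls else "on the wire and in device memory"
        findings.append(Finding("basic-auth", user, len(secret),
                                f"Basic credential readable {where}: {request_line}"))

    # A password-change form over plain HTTP is the slide-41 case: the new
    # password travels in clear text in the request body.
    if not over_tls and request_line.upper().startswith("POST"):
        for name, value in parse_qsl(body, keep_blank_values=True):
            if name.lower() in PASSWORD_FIELDS:
                findings.append(Finding("form-password", None, len(value),
                                        f"Field '{name}' sent in clear text: {request_line}"))
    return findings


# Constructed captures: one Basic-auth GET and one password-change POST,
# both as they would look on port 80 of the printer.  Paths are made up;
# the token is base64 of the constructed pair "admin:s3cret".
SAMPLE_CAPTURE = [
    ("GET /admin/status HTTP/1.1\r\nHost: mfp.example.lan\r\n"
     "Authorization: Basic YWRtaW46czNjcmV0\r\n\r\n", False),
    ("POST /admin/setpassword HTTP/1.1\r\nHost: mfp.example.lan\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
     "user=admin&password=NewPass1&confirm=NewPass1", False),
]


def audit_capture(capture=SAMPLE_CAPTURE) -> List[Finding]:
    """Run the audit over every (request, over_tls) pair in a capture."""
    out: List[Finding] = []
    for raw, over_tls in capture:
        out.extend(audit_request(raw, over_tls))
    return out


if __name__ == "__main__":
    for f in audit_capture():
        print(f"[{f.kind}] user={f.user} secret_len={f.secret_len} {f.detail}")
```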
Slide 42: Demo

Slide 43: Attacker has access to network topology – no-scan
![Page 17: 28C3 - Hacking MFPs (part2)](https://reader035.vdocument.in/reader035/viewer/2022071602/613d6526736caf36b75cd2a1/html5/thumbnails/17.jpg)
PSgt ldquoshellrdquo ndash how
16
Code demo ndash telnet 19216801 9100 and dump this
PSgt ldquoshellrdquo ndash how
17
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
18
We needed a PS-based firmware upload
19
This is too good to be truehellip
20
VxWorks API vx
DebugQA API QA
Logging API EventLog
BillingMeters API meter
Pump PWM pumppwm
RAMdisk API ramdisk
RAM API ram
Flash API flash
Memory dumping reveals computing secrets
21
Demo
22
Admin restriction fail to prevent memory dumping
23
Demo
24
Basic auth password can be dumped
25
1) Authorization Basic YWRtaW4yOhellip
2) HTTP11 200 OK
HTTPS IPsec secrets are ldquoleakyrdquo as wellhellip
26
0x66306630663066306630663066302222
Demo
27
Attacker has access to printed document details
28
Demo
29
Attacker has access to BSD-style socketshellip
30
Two-way BSD-style sockets communication
Analyzed MFP cannot protect effectively
31
Privilege level separation
Secure password setup
Secure (basic) auth
HTTPS IPSEC secrets protection
Network topology protection
In-memory document protection
Restrict sockets on unprivileged modules
Protection measures Fail warn ok
Plenty of Xerox printers share affected PS firmware update mechanism
32
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
33
Remote attacks can be used to extract data
34
Sent
by
Drive-
by
Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying
attachment
from
web
Malware exploits
internal netw or
extracts data
Spool
malicious
byte
stream
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Whatrsquos next solutions conclusions
35
Whatrsquos next PS + MSF + FS + Sockets = PWN
36
Solutions
37
Admins bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sanbox printers in your network bull Include MFPs in security audit lifecycle
Users bull Do not print from untrusted sources
Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs
Actor Suggested actions
Thanksresources
38
Personal thanks
Igor Marinescu MihaiSa Great logistic support and friendly help
Xerox Security Team Positive responses active mitigation
wwwtinajacom Insanely large free postscript resources dir
wwwanastigmatixnet Very good postscript resources
wwwacumentrainingcom Very good postscript resources
Take aways
39
Questions
Andrei Costin andreisrlabsde httpandreicostincompapers
Upcoming MFP attack could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Demo
40
Password setup is sniffed by the attacker
41
1) HTTP request ndash password clear text
2) HTTP reply
Demo
42
Attacker has access to network topology ndash no-scan
43
![Page 18: 28C3 - Hacking MFPs (part2)](https://reader035.vdocument.in/reader035/viewer/2022071602/613d6526736caf36b75cd2a1/html5/thumbnails/18.jpg)
PSgt ldquoshellrdquo ndash how
17
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
18
We needed a PS-based firmware upload
19
This is too good to be truehellip
20
VxWorks API vx
DebugQA API QA
Logging API EventLog
BillingMeters API meter
Pump PWM pumppwm
RAMdisk API ramdisk
RAM API ram
Flash API flash
Memory dumping reveals computing secrets
21
Demo
22
Admin restriction fail to prevent memory dumping
23
Demo
24
Basic auth password can be dumped
25
1) Authorization Basic YWRtaW4yOhellip
2) HTTP11 200 OK
HTTPS IPsec secrets are ldquoleakyrdquo as wellhellip
26
0x66306630663066306630663066302222
Demo
27
Attacker has access to printed document details
28
Demo
29
Attacker has access to BSD-style socketshellip
30
Two-way BSD-style sockets communication
Analyzed MFP cannot protect effectively
31
Privilege level separation
Secure password setup
Secure (basic) auth
HTTPS IPSEC secrets protection
Network topology protection
In-memory document protection
Restrict sockets on unprivileged modules
Protection measures Fail warn ok
Plenty of Xerox printers share affected PS firmware update mechanism
32
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
33
Remote attacks can be used to extract data
34
Sent
by
Drive-
by
Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying
attachment
from
web
Malware exploits
internal netw or
extracts data
Spool
malicious
byte
stream
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Whatrsquos next solutions conclusions
35
Whatrsquos next PS + MSF + FS + Sockets = PWN
36
Solutions
37
Admins bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sanbox printers in your network bull Include MFPs in security audit lifecycle
Users bull Do not print from untrusted sources
Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs
Actor Suggested actions
Thanksresources
38
Personal thanks
Igor Marinescu MihaiSa Great logistic support and friendly help
Xerox Security Team Positive responses active mitigation
wwwtinajacom Insanely large free postscript resources dir
wwwanastigmatixnet Very good postscript resources
wwwacumentrainingcom Very good postscript resources
Take aways
39
Questions
Andrei Costin andreisrlabsde httpandreicostincompapers
Upcoming MFP attack could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Demo
40
Password setup is sniffed by the attacker
41
1) HTTP request ndash password clear text
2) HTTP reply
Demo
42
Attacker has access to network topology ndash no-scan
43
![Page 19: 28C3 - Hacking MFPs (part2)](https://reader035.vdocument.in/reader035/viewer/2022071602/613d6526736caf36b75cd2a1/html5/thumbnails/19.jpg)
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
18
We needed a PS-based firmware upload
19
This is too good to be truehellip
20
VxWorks API vx
DebugQA API QA
Logging API EventLog
BillingMeters API meter
Pump PWM pumppwm
RAMdisk API ramdisk
RAM API ram
Flash API flash
Memory dumping reveals computing secrets
21
Demo
22
Admin restriction fail to prevent memory dumping
23
Demo
24
Basic auth password can be dumped
25
1) Authorization Basic YWRtaW4yOhellip
2) HTTP11 200 OK
HTTPS IPsec secrets are ldquoleakyrdquo as wellhellip
26
0x66306630663066306630663066302222
Demo
27
Attacker has access to printed document details
28
Demo
29
Attacker has access to BSD-style socketshellip
30
Two-way BSD-style sockets communication
Analyzed MFP cannot protect effectively
31
Privilege level separation
Secure password setup
Secure (basic) auth
HTTPS IPSEC secrets protection
Network topology protection
In-memory document protection
Restrict sockets on unprivileged modules
Protection measures Fail warn ok
Plenty of Xerox printers share affected PS firmware update mechanism
32
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
33
Remote attacks can be used to extract data
34
Sent
by
Drive-
by
Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying
attachment
from
web
Malware exploits
internal netw or
extracts data
Spool
malicious
byte
stream
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Whatrsquos next solutions conclusions
35
Whatrsquos next PS + MSF + FS + Sockets = PWN
36
Solutions
37
Admins bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sanbox printers in your network bull Include MFPs in security audit lifecycle
Users bull Do not print from untrusted sources
Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs
Actor Suggested actions
Thanksresources
38
Personal thanks
Igor Marinescu MihaiSa Great logistic support and friendly help
Xerox Security Team Positive responses active mitigation
wwwtinajacom Insanely large free postscript resources dir
wwwanastigmatixnet Very good postscript resources
wwwacumentrainingcom Very good postscript resources
Take aways
39
Questions
Andrei Costin andreisrlabsde httpandreicostincompapers
Upcoming MFP attack could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Demo
40
Password setup is sniffed by the attacker
41
1) HTTP request ndash password clear text
2) HTTP reply
Demo
42
Attacker has access to network topology ndash no-scan
43
![Page 20: 28C3 - Hacking MFPs (part2)](https://reader035.vdocument.in/reader035/viewer/2022071602/613d6526736caf36b75cd2a1/html5/thumbnails/20.jpg)
We needed a PS-based firmware upload
19
This is too good to be truehellip
20
VxWorks API vx
DebugQA API QA
Logging API EventLog
BillingMeters API meter
Pump PWM pumppwm
RAMdisk API ramdisk
RAM API ram
Flash API flash
Memory dumping reveals computing secrets
21
Demo
22
Admin restriction fail to prevent memory dumping
23
Demo
24
Basic auth password can be dumped
25
1) Authorization Basic YWRtaW4yOhellip
2) HTTP11 200 OK
HTTPS IPsec secrets are ldquoleakyrdquo as wellhellip
26
0x66306630663066306630663066302222
Demo
27
Attacker has access to printed document details
28
Demo
29
Attacker has access to BSD-style socketshellip
30
Two-way BSD-style sockets communication
Analyzed MFP cannot protect effectively
31
Privilege level separation
Secure password setup
Secure (basic) auth
HTTPS IPSEC secrets protection
Network topology protection
In-memory document protection
Restrict sockets on unprivileged modules
Protection measures Fail warn ok
Plenty of Xerox printers share affected PS firmware update mechanism
32
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
33
Remote attacks can be used to extract data
34
Sent
by
Drive-
by
Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying
attachment
from
web
Malware exploits
internal netw or
extracts data
Spool
malicious
byte
stream
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Whatrsquos next solutions conclusions
35
Whatrsquos next PS + MSF + FS + Sockets = PWN
36
Solutions
37
Admins bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sanbox printers in your network bull Include MFPs in security audit lifecycle
Users bull Do not print from untrusted sources
Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs
Actor Suggested actions
Thanksresources
38
Personal thanks
Igor Marinescu MihaiSa Great logistic support and friendly help
Xerox Security Team Positive responses active mitigation
wwwtinajacom Insanely large free postscript resources dir
wwwanastigmatixnet Very good postscript resources
wwwacumentrainingcom Very good postscript resources
Take aways
39
Questions
Andrei Costin andreisrlabsde httpandreicostincompapers
Upcoming MFP attack could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Demo
40
Password setup is sniffed by the attacker
41
1) HTTP request ndash password clear text
2) HTTP reply
Demo
42
Attacker has access to network topology ndash no-scan
43
![Page 21: 28C3 - Hacking MFPs (part2)](https://reader035.vdocument.in/reader035/viewer/2022071602/613d6526736caf36b75cd2a1/html5/thumbnails/21.jpg)
This is too good to be truehellip
20
VxWorks API vx
DebugQA API QA
Logging API EventLog
BillingMeters API meter
Pump PWM pumppwm
RAMdisk API ramdisk
RAM API ram
Flash API flash
Memory dumping reveals computing secrets
21
Demo
22
Admin restriction fail to prevent memory dumping
23
Demo
24
Basic auth password can be dumped
25
1) Authorization Basic YWRtaW4yOhellip
2) HTTP11 200 OK
HTTPS IPsec secrets are ldquoleakyrdquo as wellhellip
26
0x66306630663066306630663066302222
Demo
27
Attacker has access to printed document details
28
Demo
29
Attacker has access to BSD-style socketshellip
30
Two-way BSD-style sockets communication
Analyzed MFP cannot protect effectively
31
Privilege level separation
Secure password setup
Secure (basic) auth
HTTPS IPSEC secrets protection
Network topology protection
In-memory document protection
Restrict sockets on unprivileged modules
Protection measures Fail warn ok
Plenty of Xerox printers share affected PS firmware update mechanism
32
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
33
Remote attacks can be used to extract data
34
Sent
by
Drive-
by
Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying
attachment
from
web
Malware exploits
internal netw or
extracts data
Spool
malicious
byte
stream
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Whatrsquos next solutions conclusions
35
Whatrsquos next PS + MSF + FS + Sockets = PWN
36
Solutions
37
Admins bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sanbox printers in your network bull Include MFPs in security audit lifecycle
Users bull Do not print from untrusted sources
Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs
Actor Suggested actions
Thanksresources
38
Personal thanks
Igor Marinescu MihaiSa Great logistic support and friendly help
Xerox Security Team Positive responses active mitigation
wwwtinajacom Insanely large free postscript resources dir
wwwanastigmatixnet Very good postscript resources
wwwacumentrainingcom Very good postscript resources
Take aways
39
Questions
Andrei Costin andreisrlabsde httpandreicostincompapers
Upcoming MFP attack could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Demo
40
Password setup is sniffed by the attacker
41
1) HTTP request ndash password clear text
2) HTTP reply
Demo
42
Attacker has access to network topology ndash no-scan
43
![Page 22: 28C3 - Hacking MFPs (part2)](https://reader035.vdocument.in/reader035/viewer/2022071602/613d6526736caf36b75cd2a1/html5/thumbnails/22.jpg)
Memory dumping reveals computing secrets
21
Demo
22
Admin restriction fail to prevent memory dumping
23
Demo
24
Basic auth password can be dumped
25
1) Authorization Basic YWRtaW4yOhellip
2) HTTP11 200 OK
HTTPS IPsec secrets are ldquoleakyrdquo as wellhellip
26
0x66306630663066306630663066302222
Demo
27
Attacker has access to printed document details
28
Demo
29
Attacker has access to BSD-style socketshellip
30
Two-way BSD-style sockets communication
Analyzed MFP cannot protect effectively
31
Privilege level separation
Secure password setup
Secure (basic) auth
HTTPS IPSEC secrets protection
Network topology protection
In-memory document protection
Restrict sockets on unprivileged modules
Protection measures Fail warn ok
Plenty of Xerox printers share affected PS firmware update mechanism
32
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
33
Remote attacks can be used to extract data
34
Sent
by
Drive-
by
Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying
attachment
from
web
Malware exploits
internal netw or
extracts data
Spool
malicious
byte
stream
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Whatrsquos next solutions conclusions
35
Whatrsquos next PS + MSF + FS + Sockets = PWN
36
Solutions
37
Admins bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sanbox printers in your network bull Include MFPs in security audit lifecycle
Users bull Do not print from untrusted sources
Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs
Actor Suggested actions
Thanksresources
38
Personal thanks
Igor Marinescu MihaiSa Great logistic support and friendly help
Xerox Security Team Positive responses active mitigation
wwwtinajacom Insanely large free postscript resources dir
wwwanastigmatixnet Very good postscript resources
wwwacumentrainingcom Very good postscript resources
Take aways
39
Questions
Andrei Costin andreisrlabsde httpandreicostincompapers
Upcoming MFP attack could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Demo
40
Password setup is sniffed by the attacker
41
1) HTTP request ndash password clear text
2) HTTP reply
Demo
42
Attacker has access to network topology ndash no-scan
43
![Page 23: 28C3 - Hacking MFPs (part2)](https://reader035.vdocument.in/reader035/viewer/2022071602/613d6526736caf36b75cd2a1/html5/thumbnails/23.jpg)
Demo
22
Admin restriction fail to prevent memory dumping
23
Demo
24
Basic auth password can be dumped
25
1) Authorization Basic YWRtaW4yOhellip
2) HTTP11 200 OK
HTTPS IPsec secrets are ldquoleakyrdquo as wellhellip
26
0x66306630663066306630663066302222
Demo
27
Attacker has access to printed document details
28
Demo
29
Attacker has access to BSD-style socketshellip
30
Two-way BSD-style sockets communication
Analyzed MFP cannot protect effectively
31
Privilege level separation
Secure password setup
Secure (basic) auth
HTTPS IPSEC secrets protection
Network topology protection
In-memory document protection
Restrict sockets on unprivileged modules
Protection measures Fail warn ok
Plenty of Xerox printers share affected PS firmware update mechanism
32
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
33
Remote attacks can be used to extract data
34
Sent
by
Drive-
by
Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying
attachment
from
web
Malware exploits
internal netw or
extracts data
Spool
malicious
byte
stream
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Whatrsquos next solutions conclusions
35
Whatrsquos next PS + MSF + FS + Sockets = PWN
36
Solutions
37
Admins bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sanbox printers in your network bull Include MFPs in security audit lifecycle
Users bull Do not print from untrusted sources
Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs
Actor Suggested actions
Thanksresources
38
Personal thanks
Igor Marinescu MihaiSa Great logistic support and friendly help
Xerox Security Team Positive responses active mitigation
wwwtinajacom Insanely large free postscript resources dir
wwwanastigmatixnet Very good postscript resources
wwwacumentrainingcom Very good postscript resources
Take aways
39
Questions
Andrei Costin andreisrlabsde httpandreicostincompapers
Upcoming MFP attack could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Demo
40
Password setup is sniffed by the attacker
41
1) HTTP request ndash password clear text
2) HTTP reply
Demo
42
Attacker has access to network topology ndash no-scan
43
![Page 24: 28C3 - Hacking MFPs (part2)](https://reader035.vdocument.in/reader035/viewer/2022071602/613d6526736caf36b75cd2a1/html5/thumbnails/24.jpg)
Admin restriction fail to prevent memory dumping
23
Demo
24
Basic auth password can be dumped
25
1) Authorization Basic YWRtaW4yOhellip
2) HTTP11 200 OK
HTTPS IPsec secrets are ldquoleakyrdquo as wellhellip
26
0x66306630663066306630663066302222
Demo
27
Attacker has access to printed document details
28
Demo
29
Attacker has access to BSD-style socketshellip
30
Two-way BSD-style sockets communication
Analyzed MFP cannot protect effectively
31
Privilege level separation
Secure password setup
Secure (basic) auth
HTTPS IPSEC secrets protection
Network topology protection
In-memory document protection
Restrict sockets on unprivileged modules
Protection measures Fail warn ok
Plenty of Xerox printers share affected PS firmware update mechanism
32
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
33
Remote attacks can be used to extract data
34
Sent
by
Drive-
by
Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying
attachment
from
web
Malware exploits
internal netw or
extracts data
Spool
malicious
byte
stream
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Whatrsquos next solutions conclusions
35
Whatrsquos next PS + MSF + FS + Sockets = PWN
36
Solutions
37
Admins bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sanbox printers in your network bull Include MFPs in security audit lifecycle
Users bull Do not print from untrusted sources
Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs
Actor Suggested actions
Thanksresources
38
Personal thanks
Igor Marinescu MihaiSa Great logistic support and friendly help
Xerox Security Team Positive responses active mitigation
wwwtinajacom Insanely large free postscript resources dir
wwwanastigmatixnet Very good postscript resources
wwwacumentrainingcom Very good postscript resources
Take aways
39
Questions
Andrei Costin andreisrlabsde httpandreicostincompapers
Upcoming MFP attack could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Demo
40
Password setup is sniffed by the attacker
41
1) HTTP request ndash password clear text
2) HTTP reply
Demo
42
Attacker has access to network topology ndash no-scan
43
![Page 25: 28C3 - Hacking MFPs (part2)](https://reader035.vdocument.in/reader035/viewer/2022071602/613d6526736caf36b75cd2a1/html5/thumbnails/25.jpg)
Demo
24
Basic auth password can be dumped
25
1) Authorization Basic YWRtaW4yOhellip
2) HTTP11 200 OK
HTTPS IPsec secrets are ldquoleakyrdquo as wellhellip
26
0x66306630663066306630663066302222
Demo
27
Attacker has access to printed document details
28
Demo
29
Attacker has access to BSD-style socketshellip
30
Two-way BSD-style sockets communication
Analyzed MFP cannot protect effectively
31
Privilege level separation
Secure password setup
Secure (basic) auth
HTTPS IPSEC secrets protection
Network topology protection
In-memory document protection
Restrict sockets on unprivileged modules
Protection measures Fail warn ok
Plenty of Xerox printers share affected PS firmware update mechanism
32
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
33
Remote attacks can be used to extract data
34
Sent
by
Drive-
by
Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying
attachment
from
web
Malware exploits
internal netw or
extracts data
Spool
malicious
byte
stream
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Whatrsquos next solutions conclusions
35
Whatrsquos next PS + MSF + FS + Sockets = PWN
36
Solutions
37
Admins bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sanbox printers in your network bull Include MFPs in security audit lifecycle
Users bull Do not print from untrusted sources
Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs
Actor Suggested actions
Thanksresources
38
Personal thanks
Igor Marinescu MihaiSa Great logistic support and friendly help
Xerox Security Team Positive responses active mitigation
wwwtinajacom Insanely large free postscript resources dir
wwwanastigmatixnet Very good postscript resources
wwwacumentrainingcom Very good postscript resources
Take aways
39
Questions
Andrei Costin andreisrlabsde httpandreicostincompapers
Upcoming MFP attack could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Demo
40
Password setup is sniffed by the attacker
41
1) HTTP request ndash password clear text
2) HTTP reply
Demo
42
Attacker has access to network topology ndash no-scan
43
![Page 26: 28C3 - Hacking MFPs (part2)](https://reader035.vdocument.in/reader035/viewer/2022071602/613d6526736caf36b75cd2a1/html5/thumbnails/26.jpg)
Basic auth password can be dumped
25
1) Authorization Basic YWRtaW4yOhellip
2) HTTP11 200 OK
HTTPS IPsec secrets are ldquoleakyrdquo as wellhellip
26
0x66306630663066306630663066302222
Demo
27
Attacker has access to printed document details
28
Demo
29
Attacker has access to BSD-style socketshellip
30
Two-way BSD-style sockets communication
Analyzed MFP cannot protect effectively
31
Privilege level separation
Secure password setup
Secure (basic) auth
HTTPS IPSEC secrets protection
Network topology protection
In-memory document protection
Restrict sockets on unprivileged modules
Protection measures Fail warn ok
Plenty of Xerox printers share affected PS firmware update mechanism
32
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
33
Remote attacks can be used to extract data
34
Sent
by
Drive-
by
Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying
attachment
from
web
Malware exploits
internal netw or
extracts data
Spool
malicious
byte
stream
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Whatrsquos next solutions conclusions
35
Whatrsquos next PS + MSF + FS + Sockets = PWN
36
Solutions
37
Admins bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sanbox printers in your network bull Include MFPs in security audit lifecycle
Users bull Do not print from untrusted sources
Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs
Actor Suggested actions
Thanks/resources
38
Personal thanks
Igor Marinescu, MihaiSa: great logistic support and friendly help
Xerox Security Team: positive responses, active mitigation
www.tinaja.com: insanely large free PostScript resources directory
www.anastigmatix.net: very good PostScript resources
www.acumentraining.com: very good PostScript resources
Take aways
39
• Upcoming MFP attacks could include viruses in Office and PS documents that extract organization data
• Securing the MFP infrastructure requires better segmentation, strong credentials and continuous vulnerability patching
• MFPs are badly secured computing platforms with large abuse potential
Questions?
Andrei Costin <andrei@srlabs.de> http://andreicostin.com/papers
Demo
40
Password setup is sniffed by the attacker
41
1) HTTP request – password in clear text
2) HTTP reply
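Slides 25 and 41 show the same weakness from two angles: the admin interface speaks plain HTTP, so a captured Basic Authorization header reverses to the password, and a password-setup request carries the new password in clear text. The following is an added example (not code from the talk) that pulls both out of captured request text, the check an auditor would run over a printer-VLAN capture before arguing for HTTPS-only management. The two request texts are constructed samples, and the form field names `user` and `newpassword` are assumptions; real MFP web UIs use their own.

```python
"""Extract credentials from captured plaintext HTTP traffic to an MFP web UI.

Added example, not code from the talk. It reproduces the two observations on
the slides: an HTTP Basic Authorization header is only base64-encoded, so a
captured header yields the password outright, and a password-setup request
over plain HTTP carries the new password in clear text. Both request texts
are constructed samples; the form field names are assumptions.
"""
import base64
from urllib.parse import parse_qs

# Constructed sample 1: an authenticated request to the admin UI.
SAMPLE_BASIC_REQUEST = (
    "GET /admin/status HTTP/1.1\r\n"
    "Host: 10.0.0.5\r\n"
    "Authorization: Basic YWRtaW46U2VjcmV0MQ==\r\n"
    "\r\n"
)

# Constructed sample 2: the admin password being (re)set over plain HTTP.
SAMPLE_SETUP_REQUEST = (
    "POST /admin/setpassword HTTP/1.1\r\n"
    "Host: 10.0.0.5\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 52\r\n"
    "\r\n"
    "user=admin&newpassword=Summer2011&confirm=Summer2011"
)

# Field names treated as user / password fields (assumption, not vendor data).
USER_FIELDS = ("user", "username", "login", "uid")
PASSWORD_MARKERS = ("pass", "pwd")


def parse_http_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers, body).

    Header names are lower-cased so lookups are case-insensitive, as HTTP
    requires. Only the first value of a repeated header is kept.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    method = parts[0]
    target = parts[1] if len(parts) > 1 else ""
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), value.strip())
    return method, target, headers, body


def decode_basic_auth(header_value):
    """Return (user, password) from an 'Authorization: Basic ...' value.

    Returns None for other schemes, malformed base64, or a credential without
    the user:password separator. Basic auth is an encoding, not encryption:
    anyone who sees the header sees the password.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # binascii.Error and UnicodeDecodeError are subclasses
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def find_cleartext_credentials(raw):
    """Return the credential findings for one captured plaintext request."""
    findings = []
    _, _, headers, body = parse_http_request(raw)

    auth = headers.get("authorization")
    if auth:
        creds = decode_basic_auth(auth)
        if creds:
            findings.append({"source": "basic-auth", "user": creds[0], "password": creds[1]})

    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        fields = parse_qs(body, keep_blank_values=True)
        user = next((fields[f][0] for f in USER_FIELDS if f in fields), "")
        for name, values in fields.items():
            if any(marker in name.lower() for marker in PASSWORD_MARKERS):
                findings.append({"source": "form-field:" + name, "user": user, "password": values[0]})
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_BASIC_REQUEST, SAMPLE_SETUP_REQUEST):
        for finding in find_cleartext_credentials(sample):
            print(finding)
```

Feeding this the reassembled TCP streams from a capture of the printer VLAN gives a concrete list of leaked admin credentials to put in front of whoever owns the MFP fleet; the fix on the device side is to disable the plain-HTTP listener and set the password over HTTPS only, which the talk's table rates the analyzed MFP as failing.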
Demo
42
Attacker has access to network topology – no scan needed
43