PostScript: Danger Ahead?! (talk transcript; posted 25-Aug-2020)

PostScript: Danger Ahead?!
Andrei Costin <andrei@andreicostin.com>
Affiliation: PhD student
HITB2012AMS

Slide 1: whoami: in-between SW/HW hacker
Mifare Classic: MFCUK
Hacking MFPs (for fun & profit)
Holistic security interest
http://andreicostin.com/papers

Slide 2: Agenda
1. Quick refresher
2. What about PostScript?
3. So what, and how did you find it?
4. Attacks in a nutshell
5. Solutions and conclusions

Slide 3: MFPs carry large abuse potential

Slide 4: MFP hacking goes back to the 1960's
"Spies in the Xerox machine"
The "micro"-film camera marked X
Patent drawing, 1967
Electronics/hardware hacking

Slide 5: Modern printer hacking goes back almost a decade
2002: Initial printer hacks (FX/pH)
2006: Broader & deeper printer hacking (irongeek)
2010-2012: Revived printer hacking interest
This talk focuses mainly on remote code execution inside MFPs/printers.

Slide 6: In 2010 we demo'd mapping public MFPs
http://www.youtube.com/watch?v=t44GibiCoCM

Slide 7: … and generic MFP payload delivery using Word
http://www.youtube.com/watch?v=KrWFOo2RAnk (there are false claims on this discovery)

Slide 8: … and generic MFP payload delivery using Java
http://www.youtube.com/watch?v=JcfxvZml6-Y

Slide 9: Agenda (section 2: What about PostScript?)

Slide 10: PostScript, who? It's Adobe's PDF big brother

Slide 11: PS is built to handle complex processing tasks
Graphics & patterns, complex math, web servers, ray-tracing, OpenGL, milling machines, XML parsers

Slide 12: Then what exactly is PostScript?
PostScript IS NOT just a static data stream like [image on slide].
PostScript IS a dynamically typed & concatenative, stack-based, Turing-complete programming language.
What does it all mean, exactly?

Slide 13: What happens when printing PS?
Printer case: the user writes the document and hits Print; the PS printer driver transforms it into a PS stream for the specific device; the PS data stream runs on the printer.
PC case: the user opens a PS file from e-mail/HDD; a PC-based PS interpreter processes it; the PS data stream executes on the PC.
In both cases the PS data stream IS A PS program.
Program ≠ static data.

Slide 14: Demo: "Programming language" aspect
Programming languages 101: control statements: if/else, loop, while.
The simplest DoS attack is an "infinite loop":
loop

Slide 15: Demo: "Dynamically typed, concatenative" aspect
You wonder why your smart IDS/IPS rules stopped working? Here is why:
ps_dynamic_statement_construction_and_execution.ps
Solution? Bad news: you need a dynamic execution sandbox. Good news: it's coming in the upcoming weeks.
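To make slides 14 and 15 concrete, here is an added example of my own (not code from the talk or its author): a small static triage pass over PostScript print jobs, written in Python. It tokenizes the job, flags a `loop` whose procedure body has no `exit` (slide 14's infinite-loop DoS), and flags the dynamic-execution primitives `cvx`, `exec` and `run` (slide 15's point that an operator assembled at run time never appears as text in the byte stream), next to the naive regex match a text-signature IDS rule would rely on. The three sample jobs are constructed for this example, and the operator list and pass/reject/sandbox policy are my assumptions rather than any published ruleset.

```python
import re

# '/' starts a literal name, '%' a comment; the other characters end a name.
NAME_RE = re.compile(r"/?[^\s(){}\[\]<>%/]+")

# Operators whose presence means the job's behaviour is only known at run time.
# Assumption: this policy list is mine, not a published ruleset.
DYNAMIC_EXEC_OPS = ("cvx", "exec", "run")

# Three print jobs constructed for this example (not samples from the talk).
SAFE_JOB = """%!PS-Adobe-3.0
%%Title: bounded loop, plain drawing
/Helvetica findfont 12 scalefont setfont
/n 0 def
{ n 10 ge { exit } if /n n 1 add def } loop
72 72 moveto (hello) show
showpage
"""

INFINITE_LOOP_JOB = """%!PS
% the simplest DoS is an infinite loop
{ } loop
"""

DYNAMIC_JOB = """%!PS
% the operator name is assembled at run time and never appears as text
/s 4 string def
s 0 (lo) putinterval
s 2 (op) putinterval
{ } s cvx exec
"""


def tokenize(ps):
    """Minimal PostScript scanner: comments dropped, strings kept opaque, names split into
    literal (/name) and executable tokens. Enough for triage, not a full parser."""
    tokens = []
    i, n = 0, len(ps)
    while i < n:
        c = ps[i]
        if c.isspace():
            i += 1
        elif c == "%":                       # comment runs to end of line
            j = ps.find("\n", i)
            i = n if j < 0 else j + 1
        elif c == "(":                       # (string) with nesting and backslash escapes
            depth, j = 1, i + 1
            while j < n and depth:
                if ps[j] == "\\":
                    j += 2
                    continue
                depth += ps[j] == "("
                depth -= ps[j] == ")"
                j += 1
            tokens.append(("string", ps[i + 1:j - 1]))
            i = j
        elif ps.startswith("<<", i) or ps.startswith(">>", i):
            tokens.append(("delim", ps[i:i + 2]))
            i += 2
        elif c == "<":                       # <hex string>
            j = ps.find(">", i)
            j = n if j < 0 else j
            tokens.append(("string", ps[i + 1:j]))
            i = j + 1
        elif c in "{}[]>":
            tokens.append(("delim", c))
            i += 1
        else:
            m = NAME_RE.match(ps, i)
            if m is None:                    # stray '/' or ')': skip it
                i += 1
                continue
            text = m.group(0)
            tokens.append(("literal" if text[0] == "/" else "exec", text))
            i = m.end()
    return tokens


def naive_signature_match(ps, pattern):
    """What a text-matching IDS rule does: a regex over the raw byte stream."""
    return re.search(pattern, ps) is not None


def triage(ps):
    """Static triage: flag an unbounded `loop` and any dynamic-execution primitive."""
    findings, dynamic_seen = [], []
    stack, last_proc = [[]], None            # procedure bodies, flattened into their parent
    for kind, text in tokenize(ps):
        if kind == "delim" and text == "{":
            stack.append([])
        elif kind == "delim" and text == "}":
            body = stack.pop() if len(stack) > 1 else []
            last_proc = body
            stack[-1].extend(body)
        else:
            stack[-1].append((kind, text))
        if kind != "exec":
            continue
        if text == "loop":
            # heuristic: the procedure just pushed has no `exit` (a `stop` or `quit` would also end it)
            if last_proc is not None and not any(k == "exec" and t == "exit" for k, t in last_proc):
                findings.append("unbounded loop: procedure before `loop` has no `exit`")
        elif text in DYNAMIC_EXEC_OPS and text not in dynamic_seen:
            dynamic_seen.append(text)
    if dynamic_seen:
        findings.append("dynamic execution primitives: " + ", ".join(dynamic_seen))
    verdict = "sandbox" if dynamic_seen else ("reject" if findings else "pass")
    return {"verdict": verdict, "findings": findings}


if __name__ == "__main__":
    for name, job in (("safe", SAFE_JOB), ("infinite", INFINITE_LOOP_JOB), ("dynamic", DYNAMIC_JOB)):
        print(name, "regex hit:", naive_signature_match(job, r"\bloop\b"), triage(job))
```

The regex signature hits the harmless bounded job (a comment and a legitimate `loop`) and misses the assembled-operator job entirely, which is the slide's point; static triage can at best decide that a job deserves the sandbox, since the job that builds `loop` from `(lo)` and `(op)` carries no `loop` token at all, and only executing it reveals what it does.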
Slide 16: Demo: real-world application – MS Office PS crash
Submitted to MS.
Apparently this one is not exploitable as in stack-smashing attacks.
But it opens an interesting perspective on MS Office…

Slide 17: Demo: real-world application – GhostScript autoprn
One's got to love custom extensions.
Send a print-job stream directly by merely opening the file.
Requires more investigation, but the perspective is interesting…

Slide 18: Dynamic document forging/generation + SocEng
Computer side | Printer/MFP side

Slide 19: Dynamic document forging/generation + SocEng
User computer | User printout

Slide 20: Where is PostScript? (Vendor-wise view)
Applications incorporating the PS interpreter
Applications/vendors producing the PS interpreter
The PS interpreter specifications and standards

Slide 21: Where is PostScript? (Role-wise view)

Slide 22: PostScript, Web 2.0 style
PostScript made it into the web as well: around 20+ services were found to be vulnerable to various degrees.
Google was one of them -> bounty reward.
Some fun facts:
Effective for host exploitation and information gathering
Some ran GS as the root user
Some ran GS without -dSAFER
All of them ran vulnerable GS versions (heap and stack overflows)
More details to come…

Slide 23: Agenda (section 3: What else was found?)

Slide 24: A PS-based firmware upload was required

Slide 25: This is too good to be true…
VxWorks API: vx
Debug/QA API: QA
Logging API: EventLog
Billing/Meters API: meter
Pump PWM: pumppwm
RAMdisk API: ramdisk
RAM API: ram
Flash API: flash

Slide 26: Memory dumping reveals computing secrets

Slide 27: Admin restriction fails to prevent memory dumping

Slide 28: Password setup is sniffed by the attacker
1) HTTP GET request – password in clear text
2) HTTP reply

Slide 29: Basic auth password can be dumped
1) Authorization: Basic YWRtaW4yO…
2) HTTP/1.1 200 OK

Slide 30: HTTPS/IPsec secrets are "defaulty" & "leaky"
0x66306630663066306630663066302222

Slide 31: Attacker has access to printed document details

Slide 32: Attacker has access to network topology – no-scan

Slide 33: Attacker has access to BSD-style sockets…
Two-way BSD-style socket communication

Slide 34: Analyzed MFP cannot protect effectively
Protection measures (rated fail / warn / ok on the slide):
Privilege level separation
Secure password setup
Secure (basic) auth
HTTPS/IPsec secrets protection
Network topology protection
In-memory document protection
Restrict sockets on unprivileged modules

Slide 35: Plenty of Xerox printers share the affected PS firmware update mechanism

Slide 36: Agenda (section 4: Attacks in a nutshell)

Slide 37: Remote attacks can be used to extract data
Stage 1 – SocEng: sent by attachment, or drive-by from the web
Stage 2 – Printing: spool malicious byte stream
Stage 3 – Exploiting/spying: malware exploits the internal network or extracts data

Slide 38: Agenda (section 5: What's next, solutions, conclusions)

Slide 39: What's next? Upcoming weeks
Secure PostScript execution/interpreter sandbox
Set of online/offline tools for analysis & reporting: Wepawet-like, but for PostScript-related data
Perhaps have it as part of, or alongside, IDS/IPS/AV/print-server data flows

Slide 40: What's next? PS + MSF + FS + Sockets = PWN

Slide 41: Solutions
Actor: suggested actions
Admins: • Disable PS processing on printers • Route print jobs through sandboxed print servers • Replace PS drivers with PCL ones (well…) • Disable Language Operator Authorization • Look for security bulletins and patch • Sandbox printers in your network • Include MFPs in the security audit lifecycle
Users: • Do not print from untrusted sources • Be suspicious of PostScript files
Vendors: • Create realistic MFP threat models • Do not enable/expose super-APIs
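As an added example of the admin-side advice above (route print jobs through a sandboxed print server) combined with the findings of slide 22 (services running GS as root, without -dSAFER, on unpatched versions), here is a Python wrapper of my own, not code from the talk: it builds a hardened Ghostscript command line, audits an existing command line against the same policy, refuses to run as root, and renders one job under a wall-clock, CPU and memory limit so that an infinite loop or a memory bomb costs one worker rather than the print server. The flag policy and the limit values are my assumptions; the `resource` limits are Unix-only, and `-dSAFER`, `-dBATCH`, `-dNOPAUSE` and `-dNOSAFER` are real Ghostscript options.

```python
import os
import resource          # Unix only: per-process CPU and memory limits
import shutil
import subprocess

# Policy for this example (my assumptions, not a vendor recommendation): every job is rendered
# with file-access restrictions on, non-interactively, never as root, and under limits.
REQUIRED_FLAGS = ("-dSAFER", "-dBATCH", "-dNOPAUSE")
WALL_CLOCK_LIMIT_S = 30
CPU_LIMIT_S = 20
MEMORY_LIMIT_BYTES = 512 * 1024 * 1024


def build_gs_argv(ps_path, out_path, device="pdfwrite"):
    """Hardened Ghostscript command line for one untrusted PostScript job."""
    return [
        "gs",
        "-dSAFER",                 # restrict file operators (default since Ghostscript 9.50; explicit here)
        "-dBATCH", "-dNOPAUSE",    # never fall into the interactive prompt; exit when the job ends
        "-q",
        f"-sDEVICE={device}",
        f"-sOutputFile={out_path}",
        ps_path,
    ]


def audit_gs_argv(argv):
    """Return the policy violations found in a print server's existing Ghostscript command line."""
    problems = []
    if not argv or os.path.basename(argv[0]) != "gs":
        problems.append("not a Ghostscript invocation")
    for flag in REQUIRED_FLAGS:
        if flag not in argv:
            problems.append(f"{flag} missing")
    if "-dNOSAFER" in argv:
        problems.append("-dNOSAFER explicitly disables file-access restrictions")
    return problems


def _apply_limits():
    """Runs in the child just before exec: cap CPU seconds and address space."""
    resource.setrlimit(resource.RLIMIT_CPU, (CPU_LIMIT_S, CPU_LIMIT_S))
    resource.setrlimit(resource.RLIMIT_AS, (MEMORY_LIMIT_BYTES, MEMORY_LIMIT_BYTES))


def render_untrusted_job(ps_path, out_path):
    """Render one job under the policy; returns (status, detail) for the spooler's log."""
    argv = build_gs_argv(ps_path, out_path)
    problems = audit_gs_argv(argv)
    if problems:
        return "refused", "; ".join(problems)
    if hasattr(os, "geteuid") and os.geteuid() == 0:
        return "refused", "will not run Ghostscript as root"
    if shutil.which("gs") is None:
        return "error", "gs not installed"
    try:
        proc = subprocess.run(argv, capture_output=True, timeout=WALL_CLOCK_LIMIT_S,
                              preexec_fn=_apply_limits)
    except subprocess.TimeoutExpired:
        return "killed", f"exceeded {WALL_CLOCK_LIMIT_S}s wall clock (runaway loop?)"
    if proc.returncode != 0:
        return "failed", proc.stderr.decode(errors="replace")[-200:]
    return "ok", out_path


if __name__ == "__main__":
    print(render_untrusted_job("job.ps", "job.pdf"))
```

The wall-clock timeout is what actually stops the `loop` job from slide 14; the CPU limit is a second line of defence for a job that keeps the interpreter busy without being killed by the parent, and the audit function is the piece to point at an inventory of print-server and web-service command lines, since slide 22's services all failed one of these checks.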
Slide 42: Acknowledgements
The Xerox-related PostScript work & research was done under the support of [sponsor logo on slide].

Slide 43: Thanks/resources
Personal thanks:
Igor Marinescu, MihaiSa: great logistic support and friendly help
Xerox Security Team: positive responses, active mitigation
www.tinaja.com: insanely large free PostScript resources dir
www.anastigmatix.net: very good PostScript resources
www.acumentraining.com: very good PostScript resources

Slide 44: Take-aways / Questions
Andrei Costin, andrei@andreicostin.com, http://andreicostin.com/papers
Upcoming MFP attacks could include viruses in Office and PS documents that extract organization data.
Securing the MFP infrastructure requires better segmentation, strong credentials and continuous vulnerability patching.
MFPs are badly secured computing platforms with large abuse potential.
Check upcoming research papers. Check www.youtube.com/user/zveriu.
whoami in-between SWHW hacker
1
Mifare Classic MFCUK
Hacking MFPs (for fun amp profit) Holistic
Security
Interest
httpandreicostincompapers
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
2
HITB2012AMS
MFPs carry large abuse potential
3
HITB2012AMS
MFP hacking goes back to the 1960rsquos
4
ldquoSpies in the Xerox machinerdquo
The ldquomicrordquo-film camera marked X
Patent drawing 1967
Electronicshardware hacking
HITB2012AMS
Modern printer hacking goes back almost a decade
5
Broader amp deeper printer hacking (irongeek)
Initial printer hacks (FXpH)
2002 2006
Revived printer hacking interest
This talk focuses mainly on remote code execution inside MFPsprinters
2010-2012
HITB2012AMS
In 2010 we demorsquod mapping public MFPs
6
httpwwwyoutubecomwatchv=t44GibiCoCM
HITB2012AMS
hellip and generic MFP payload delivery using Word
7
httpwwwyoutubecomwatchv=KrWFOo2RAnk (there are false claims on this discovery)
HITB2012AMS
hellip and generic MFP payload delivery using Java
8
httpwwwyoutubecomwatchv=JcfxvZml6-Y
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
9
HITB2012AMS
PostScript who Itrsquos Adobersquos PDF big brother
10
HITB2012AMS
PS is build to handle complex processing tasks
11
Graphics amp patterns Complex math Web servers
Ray-tracing OpenGL Milling machine XML Parsers
HITB2012AMS
Then what exactly is PostScript
12
PostScript IS NOT just a static data stream like
PostScript IS a
Dynamically typed amp concatenative Stack-based Turing-complete Programming language What does it all mean Exactly
HITB2012AMS
What happens when printing PS
13
User writes the doc and hits Print PS printer driver transforms it to PS stream for specific device PS data stream on PRN
User Opens a PS file from emailhdd
PC-based PS interpreter processes it PS data stream executes on PC
In both cases PS data stream IS A PS program
Program = static data
HITB2012AMS
Demo ldquoProgramming languagerdquo aspect
14
Programming languages 101
Control statements ifelse loop while
Simplest DoS attack is an ldquoinfinite looprdquo
loop
HITB2012AMS
Demo ldquoDynamically typed concatenative aspect
15
You wonder why your smart IDSIPS rules stopped working
Here is why
ps_dynamic_statement_construction_and_executionps Solution
Bad news Need dynamic execution sandbox Good news Itrsquos coming in upcoming weeks
HITB2012AMS
Demo Real world application ndash MSOffice PS crash
16
Submitted to MS
Apparently this one is not exploitable as in smash stack attacks
But it opens an interesting perspective on MS Officehellip
HITB2012AMS
Demo Real world application ndash GhostScript autoprn
17
One got to love custom extensions
Send a print-job stream directly by mere opening the file
Requires more investigation but perspective is interestinghellip
HITB2012AMS
Dynamic document forginggeneration + SocEng
18
Computer side PrinterMFP side
HITB2012AMS
Dynamic document forginggeneration + SocEng
19
User computer User printout
HITB2012AMS
Where is PostScript (Vendor-wise view)
20
Applications incorporating the PS interpreter
Applicationsvendors producing the PS interpreter
The PS interpreter specifications and standards
HITB2012AMS
Where is PostScript (Role-wise view)
21
HITB2012AMS
PostScript Web 20 Style
22
PostScript made it into the web as well Around 20+ services found to be vulnerable to various degrees
Google was one them -gt Bounty reward Some fun facts
Effective for host exploitation and information gathering Some ran GS as root user Some ran GS without ndashdSAFER All of them ran vulnerable GS versions
Heap and stack overflows More details to comehellip
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 What else was found
4 Attacks in a nutshell
5 Solutions and conclusions
23
HITB2012AMS
A PS-based firmware upload was required
24
HITB2012AMS
This is too good to be truehellip
25
VxWorks API vx
DebugQA API QA
Logging API EventLog
BillingMeters API meter
Pump PWM pumppwm
RAMdisk API ramdisk
RAM API ram
Flash API flash
HITB2012AMS
Memory dumping reveals computing secrets
26
HITB2012AMS
Admin restriction fail to prevent memory dumping
27
HITB2012AMS
Password setup is sniffed by the attacker
28
1) HTTP GET request ndash password clear text
2) HTTP reply
HITB2012AMS
Basic auth password can be dumped
29
1) Authorization Basic YWRtaW4yOhellip
2) HTTP11 200 OK
HITB2012AMS
HTTPS IPsec secrets are ldquodefaultyrdquo amp ldquoleakyrdquo
30
0x66306630663066306630663066302222
HITB2012AMS
Attacker has access to printed document details
31
HITB2012AMS
Attacker has access to network topology ndash no-scan
32
HITB2012AMS
Attacker has access to BSD-style socketshellip
33
Two-way BSD-style sockets communication
HITB2012AMS
Analyzed MFP cannot protect effectively
34
Privilege level separation
Secure password setup
Secure (basic) auth
HTTPS IPSEC secrets protection
Network topology protection
In-memory document protection
Restrict sockets on unprivileged modules
Protection measures Fail warn ok
HITB2012AMS
Plenty of Xerox printers share affected PS firmware update mechanism
35
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
36
HITB2012AMS
Remote attacks can be used to extract data
37
Sent
by
Drive-
by
Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying
attachment
from
web
Malware exploits
internal netw or
extracts data
Spool
malicious
byte
stream
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Whatrsquos next solutions conclusions
38
HITB2012AMS
Whatrsquos next Upcoming weeks
39
Secure PostScript ExecutionInterpreter Sandbox Set of onlineoffline tools for analysis amp reporting Wepawet-like but for PostScript related data Perhaps have it partalong of IDSIPSAVPrintServer data-flows
HITB2012AMS
Whatrsquos next PS + MSF + FS + Sockets = PWN
40
HITB2012AMS
Solutions
41
Admins bull Disable PS processing on printers bull Route print-jobs thru sandboxed print-servers bull Replace PS drivers with PCL ones (wellhellip) bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sandbox printers in your network bull Include MFPs in security audit lifecycle
Users bull Do not print from untrusted sources bull Be suspicious on PostScript files
Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs
Actor Suggested actions
HITB2012AMS
Acknowledgements
42
The Xerox-related PostScript work amp research done under support of
HITB2012AMS
Thanksresources
43
Personal thanks
Igor Marinescu MihaiSa Great logistic support and friendly help
Xerox Security Team Positive responses active mitigation
wwwtinajacom Insanely large free postscript resources dir
wwwanastigmatixnet Very good postscript resources
wwwacumentrainingcom Very good postscript resources
HITB2012AMS
Take aways
44
Questions
Andrei Costin andreiandreicostincom httpandreicostincompapers
Upcoming MFP attack could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Check upcoming research papers Check wwwyoutubecomuserzveriu
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
2
HITB2012AMS
MFPs carry large abuse potential
3
HITB2012AMS
MFP hacking goes back to the 1960rsquos
4
ldquoSpies in the Xerox machinerdquo
The ldquomicrordquo-film camera marked X
Patent drawing 1967
Electronicshardware hacking
HITB2012AMS
Modern printer hacking goes back almost a decade
5
Broader amp deeper printer hacking (irongeek)
Initial printer hacks (FXpH)
2002 2006
Revived printer hacking interest
This talk focuses mainly on remote code execution inside MFPsprinters
2010-2012
HITB2012AMS
In 2010 we demorsquod mapping public MFPs
6
httpwwwyoutubecomwatchv=t44GibiCoCM
HITB2012AMS
hellip and generic MFP payload delivery using Word
7
httpwwwyoutubecomwatchv=KrWFOo2RAnk (there are false claims on this discovery)
HITB2012AMS
hellip and generic MFP payload delivery using Java
8
httpwwwyoutubecomwatchv=JcfxvZml6-Y
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
9
HITB2012AMS
PostScript who Itrsquos Adobersquos PDF big brother
10
HITB2012AMS
PS is build to handle complex processing tasks
11
Graphics amp patterns Complex math Web servers
Ray-tracing OpenGL Milling machine XML Parsers
HITB2012AMS
Then what exactly is PostScript
12
PostScript IS NOT just a static data stream like
PostScript IS a
Dynamically typed amp concatenative Stack-based Turing-complete Programming language What does it all mean Exactly
HITB2012AMS
What happens when printing PS
13
User writes the doc and hits Print PS printer driver transforms it to PS stream for specific device PS data stream on PRN
User Opens a PS file from emailhdd
PC-based PS interpreter processes it PS data stream executes on PC
In both cases PS data stream IS A PS program
Program = static data
HITB2012AMS
Demo ldquoProgramming languagerdquo aspect
14
Programming languages 101
Control statements ifelse loop while
Simplest DoS attack is an ldquoinfinite looprdquo
loop
HITB2012AMS
Demo ldquoDynamically typed concatenative aspect
15
You wonder why your smart IDSIPS rules stopped working
Here is why
ps_dynamic_statement_construction_and_executionps Solution
Bad news Need dynamic execution sandbox Good news Itrsquos coming in upcoming weeks
HITB2012AMS
Demo Real world application ndash MSOffice PS crash
16
Submitted to MS
Apparently this one is not exploitable as in smash stack attacks
But it opens an interesting perspective on MS Officehellip
HITB2012AMS
Demo Real world application ndash GhostScript autoprn
17
One got to love custom extensions
Send a print-job stream directly by mere opening the file
Requires more investigation but perspective is interestinghellip
HITB2012AMS
Dynamic document forginggeneration + SocEng
18
Computer side PrinterMFP side
HITB2012AMS
Dynamic document forginggeneration + SocEng
19
User computer User printout
HITB2012AMS
Where is PostScript (Vendor-wise view)
20
Applications incorporating the PS interpreter
Applicationsvendors producing the PS interpreter
The PS interpreter specifications and standards
HITB2012AMS
Where is PostScript (Role-wise view)
21
HITB2012AMS
PostScript Web 20 Style
22
PostScript made it into the web as well Around 20+ services found to be vulnerable to various degrees
Google was one them -gt Bounty reward Some fun facts
Effective for host exploitation and information gathering Some ran GS as root user Some ran GS without ndashdSAFER All of them ran vulnerable GS versions
Heap and stack overflows More details to comehellip
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 What else was found
4 Attacks in a nutshell
5 Solutions and conclusions
23
HITB2012AMS
A PS-based firmware upload was required
24
HITB2012AMS
This is too good to be truehellip
25
VxWorks API vx
DebugQA API QA
Logging API EventLog
BillingMeters API meter
Pump PWM pumppwm
RAMdisk API ramdisk
RAM API ram
Flash API flash
HITB2012AMS
Memory dumping reveals computing secrets
26
HITB2012AMS
Admin restriction fail to prevent memory dumping
27
HITB2012AMS
Password setup is sniffed by the attacker
28
1) HTTP GET request ndash password clear text
2) HTTP reply
HITB2012AMS
Basic auth password can be dumped
29
1) Authorization Basic YWRtaW4yOhellip
2) HTTP11 200 OK
HITB2012AMS
HTTPS IPsec secrets are ldquodefaultyrdquo amp ldquoleakyrdquo
30
0x66306630663066306630663066302222
HITB2012AMS
Attacker has access to printed document details
31
HITB2012AMS
Attacker has access to network topology ndash no-scan
32
HITB2012AMS
Attacker has access to BSD-style socketshellip
33
Two-way BSD-style sockets communication
HITB2012AMS
Analyzed MFP cannot protect effectively
34
Privilege level separation
Secure password setup
Secure (basic) auth
HTTPS IPSEC secrets protection
Network topology protection
In-memory document protection
Restrict sockets on unprivileged modules
Protection measures Fail warn ok
HITB2012AMS
Plenty of Xerox printers share affected PS firmware update mechanism
35
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
36
HITB2012AMS
Remote attacks can be used to extract data
37
Sent
by
Drive-
by
Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying
attachment
from
web
Malware exploits
internal netw or
extracts data
Spool
malicious
byte
stream
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Whatrsquos next solutions conclusions
38
HITB2012AMS
Whatrsquos next Upcoming weeks
39
Secure PostScript ExecutionInterpreter Sandbox Set of onlineoffline tools for analysis amp reporting Wepawet-like but for PostScript related data Perhaps have it partalong of IDSIPSAVPrintServer data-flows
HITB2012AMS
Whatrsquos next PS + MSF + FS + Sockets = PWN
40
HITB2012AMS
Solutions
41
Admins bull Disable PS processing on printers bull Route print-jobs thru sandboxed print-servers bull Replace PS drivers with PCL ones (wellhellip) bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sandbox printers in your network bull Include MFPs in security audit lifecycle
Users bull Do not print from untrusted sources bull Be suspicious on PostScript files
Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs
Actor Suggested actions
HITB2012AMS
Acknowledgements
42
The Xerox-related PostScript work amp research done under support of
HITB2012AMS
Thanksresources
43
Personal thanks
Igor Marinescu MihaiSa Great logistic support and friendly help
Xerox Security Team Positive responses active mitigation
wwwtinajacom Insanely large free postscript resources dir
wwwanastigmatixnet Very good postscript resources
wwwacumentrainingcom Very good postscript resources
HITB2012AMS
Take aways
44
Questions
Andrei Costin andreiandreicostincom httpandreicostincompapers
Upcoming MFP attack could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Check upcoming research papers Check wwwyoutubecomuserzveriu
HITB2012AMS
MFPs carry large abuse potential
3
HITB2012AMS
MFP hacking goes back to the 1960rsquos
4
ldquoSpies in the Xerox machinerdquo
The ldquomicrordquo-film camera marked X
Patent drawing 1967
Electronicshardware hacking
HITB2012AMS
Modern printer hacking goes back almost a decade
5
Broader amp deeper printer hacking (irongeek)
Initial printer hacks (FXpH)
2002 2006
Revived printer hacking interest
This talk focuses mainly on remote code execution inside MFPsprinters
2010-2012
HITB2012AMS
In 2010 we demorsquod mapping public MFPs
6
httpwwwyoutubecomwatchv=t44GibiCoCM
HITB2012AMS
hellip and generic MFP payload delivery using Word
7
httpwwwyoutubecomwatchv=KrWFOo2RAnk (there are false claims on this discovery)
HITB2012AMS
hellip and generic MFP payload delivery using Java
8
httpwwwyoutubecomwatchv=JcfxvZml6-Y
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
9
HITB2012AMS
PostScript who Itrsquos Adobersquos PDF big brother
10
HITB2012AMS
PS is build to handle complex processing tasks
11
Graphics amp patterns Complex math Web servers
Ray-tracing OpenGL Milling machine XML Parsers
HITB2012AMS
Then what exactly is PostScript
12
PostScript IS NOT just a static data stream like
PostScript IS a
Dynamically typed amp concatenative Stack-based Turing-complete Programming language What does it all mean Exactly
HITB2012AMS
What happens when printing PS
13
User writes the doc and hits Print PS printer driver transforms it to PS stream for specific device PS data stream on PRN
User Opens a PS file from emailhdd
PC-based PS interpreter processes it PS data stream executes on PC
In both cases PS data stream IS A PS program
Program = static data
HITB2012AMS
Demo ldquoProgramming languagerdquo aspect
14
Programming languages 101
Control statements ifelse loop while
Simplest DoS attack is an ldquoinfinite looprdquo
loop
HITB2012AMS
Demo ldquoDynamically typed concatenative aspect
15
You wonder why your smart IDSIPS rules stopped working
Here is why
ps_dynamic_statement_construction_and_executionps Solution
Bad news Need dynamic execution sandbox Good news Itrsquos coming in upcoming weeks
HITB2012AMS
Demo Real world application ndash MSOffice PS crash
16
Submitted to MS
Apparently this one is not exploitable as in smash stack attacks
But it opens an interesting perspective on MS Officehellip
HITB2012AMS
Demo Real world application ndash GhostScript autoprn
17
One got to love custom extensions
Send a print-job stream directly by mere opening the file
Requires more investigation but perspective is interestinghellip
HITB2012AMS
Dynamic document forginggeneration + SocEng
18
Computer side PrinterMFP side
HITB2012AMS
Dynamic document forginggeneration + SocEng
19
User computer User printout
HITB2012AMS
Where is PostScript (Vendor-wise view)
20
Applications incorporating the PS interpreter
Applicationsvendors producing the PS interpreter
The PS interpreter specifications and standards
HITB2012AMS
Where is PostScript (Role-wise view)
21
HITB2012AMS
PostScript Web 20 Style
22
PostScript made it into the web as well Around 20+ services found to be vulnerable to various degrees
Google was one them -gt Bounty reward Some fun facts
Effective for host exploitation and information gathering Some ran GS as root user Some ran GS without ndashdSAFER All of them ran vulnerable GS versions
Heap and stack overflows More details to comehellip
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 What else was found
4 Attacks in a nutshell
5 Solutions and conclusions
23
HITB2012AMS
A PS-based firmware upload was required
24
HITB2012AMS
This is too good to be truehellip
25
VxWorks API vx
DebugQA API QA
Logging API EventLog
BillingMeters API meter
Pump PWM pumppwm
RAMdisk API ramdisk
RAM API ram
Flash API flash
HITB2012AMS
Memory dumping reveals computing secrets
26
HITB2012AMS
Admin restriction fail to prevent memory dumping
27
HITB2012AMS
Password setup is sniffed by the attacker
28
1) HTTP GET request ndash password clear text
2) HTTP reply
HITB2012AMS
Basic auth password can be dumped
29
1) Authorization Basic YWRtaW4yOhellip
2) HTTP11 200 OK
HITB2012AMS
HTTPS IPsec secrets are ldquodefaultyrdquo amp ldquoleakyrdquo
30
0x66306630663066306630663066302222
HITB2012AMS
Attacker has access to printed document details
31
HITB2012AMS
Attacker has access to network topology ndash no-scan
32
HITB2012AMS
Attacker has access to BSD-style socketshellip
33
Two-way BSD-style sockets communication
HITB2012AMS
Analyzed MFP cannot protect effectively
34
Privilege level separation
Secure password setup
Secure (basic) auth
HTTPS IPSEC secrets protection
Network topology protection
In-memory document protection
Restrict sockets on unprivileged modules
Protection measures Fail warn ok
HITB2012AMS
Plenty of Xerox printers share affected PS firmware update mechanism
35
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
36
HITB2012AMS
Remote attacks can be used to extract data
37
Sent
by
Drive-
by
Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying
attachment
from
web
Malware exploits
internal netw or
extracts data
Spool
malicious
byte
stream
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Whatrsquos next solutions conclusions
38
HITB2012AMS
Whatrsquos next Upcoming weeks
39
Secure PostScript ExecutionInterpreter Sandbox Set of onlineoffline tools for analysis amp reporting Wepawet-like but for PostScript related data Perhaps have it partalong of IDSIPSAVPrintServer data-flows
HITB2012AMS
Whatrsquos next PS + MSF + FS + Sockets = PWN
40
HITB2012AMS
Solutions
41
Admins bull Disable PS processing on printers bull Route print-jobs thru sandboxed print-servers bull Replace PS drivers with PCL ones (wellhellip) bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sandbox printers in your network bull Include MFPs in security audit lifecycle
Users bull Do not print from untrusted sources bull Be suspicious on PostScript files
Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs
Actor Suggested actions
HITB2012AMS
Acknowledgements
42
The Xerox-related PostScript work amp research done under support of
HITB2012AMS
Thanksresources
43
Personal thanks
Igor Marinescu MihaiSa Great logistic support and friendly help
Xerox Security Team Positive responses active mitigation
wwwtinajacom Insanely large free postscript resources dir
wwwanastigmatixnet Very good postscript resources
wwwacumentrainingcom Very good postscript resources
HITB2012AMS
Take aways
44
Questions
Andrei Costin andreiandreicostincom httpandreicostincompapers
Upcoming MFP attack could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Check upcoming research papers Check wwwyoutubecomuserzveriu
HITB2012AMS
MFP hacking goes back to the 1960rsquos
4
ldquoSpies in the Xerox machinerdquo
The ldquomicrordquo-film camera marked X
Patent drawing 1967
Electronicshardware hacking
HITB2012AMS
Modern printer hacking goes back almost a decade
5
Broader amp deeper printer hacking (irongeek)
Initial printer hacks (FXpH)
2002 2006
Revived printer hacking interest
This talk focuses mainly on remote code execution inside MFPsprinters
2010-2012
HITB2012AMS
In 2010 we demorsquod mapping public MFPs
6
httpwwwyoutubecomwatchv=t44GibiCoCM
HITB2012AMS
hellip and generic MFP payload delivery using Word
7
httpwwwyoutubecomwatchv=KrWFOo2RAnk (there are false claims on this discovery)
HITB2012AMS
hellip and generic MFP payload delivery using Java
8
httpwwwyoutubecomwatchv=JcfxvZml6-Y
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
9
HITB2012AMS
PostScript who Itrsquos Adobersquos PDF big brother
10
HITB2012AMS
PS is build to handle complex processing tasks
11
Graphics amp patterns Complex math Web servers
Ray-tracing OpenGL Milling machine XML Parsers
HITB2012AMS
Then what exactly is PostScript
12
PostScript IS NOT just a static data stream like
PostScript IS a
Dynamically typed amp concatenative Stack-based Turing-complete Programming language What does it all mean Exactly
HITB2012AMS
What happens when printing PS
13
User writes the doc and hits Print PS printer driver transforms it to PS stream for specific device PS data stream on PRN
User Opens a PS file from emailhdd
PC-based PS interpreter processes it PS data stream executes on PC
In both cases PS data stream IS A PS program
Program = static data
HITB2012AMS
Demo ldquoProgramming languagerdquo aspect
14
Programming languages 101
Control statements ifelse loop while
Simplest DoS attack is an ldquoinfinite looprdquo
loop
HITB2012AMS
Demo ldquoDynamically typed concatenative aspect
15
You wonder why your smart IDSIPS rules stopped working
Here is why
ps_dynamic_statement_construction_and_executionps Solution
Bad news Need dynamic execution sandbox Good news Itrsquos coming in upcoming weeks
HITB2012AMS
Slide 16: Demo: real-world application: MS Office PS crash
Submitted to MS. Apparently this one is not exploitable as in smash-the-stack attacks, but it opens an interesting perspective on MS Office...

Slide 17: Demo: real-world application: GhostScript autoprn
One has got to love custom extensions: a print-job stream is sent directly by merely opening the file. Requires more investigation, but the perspective is interesting...

Slide 18: Dynamic document forging/generation + SocEng
(figure: computer side vs. printer/MFP side)

Slide 19: Dynamic document forging/generation + SocEng
(figure: user computer vs. user printout)

Slide 20: Where is PostScript? (vendor-wise view)
Applications incorporating the PS interpreter; applications/vendors producing the PS interpreter; the PS interpreter specifications and standards.

Slide 21: Where is PostScript? (role-wise view)

Slide 22: PostScript, Web 2.0 style
PostScript made it into the web as well: around 20+ services were found to be vulnerable to various degrees. Google was one of them -> bounty reward.
Some fun facts: effective for host exploitation and information gathering; some ran GS as the root user; some ran GS without -dSAFER; all of them ran vulnerable GS versions (heap and stack overflows). More details to come...

Slide 23: Agenda
1. Quick refresher
2. What about PostScript?
3. What else was found?
4. Attacks in a nutshell
5. Solutions and conclusions

Slide 24: A PS-based firmware upload was required

Slide 25: This is too good to be true...
VxWorks API: vx
Debug/QA API: QA
Logging API: EventLog
Billing/Meters API: meter
Pump PWM: pumppwm
RAMdisk API: ramdisk
RAM API: ram
Flash API: flash

Slide 26: Memory dumping reveals computing secrets

Slide 27: Admin restrictions fail to prevent memory dumping

Slide 28: Password setup is sniffed by the attacker
1) HTTP GET request: password in clear text
2) HTTP reply

Slide 29: Basic auth password can be dumped
1) Authorization: Basic YWRtaW4yO...
2) HTTP/1.1 200 OK

Slide 30: HTTPS / IPsec secrets are "defaulty" & "leaky"
0x66306630663066306630663066302222

Slide 31: Attacker has access to printed document details

Slide 32: Attacker has access to network topology, no scan needed

Slide 33: Attacker has access to BSD-style sockets...
Two-way BSD-style socket communication

Slide 34: Analyzed MFP cannot protect effectively
Protection measures (each rated fail / warn / ok on the slide): privilege level separation; secure password setup; secure (basic) auth; HTTPS / IPsec secrets protection; network topology protection; in-memory document protection; restricting sockets on unprivileged modules.

Slide 35: Plenty of Xerox printers share the affected PS firmware update mechanism

Slide 36: Agenda (1. Quick refresher; 2. What about PostScript?; 3. So what, and how did you find?; 4. Attacks in a nutshell; 5. Solutions and conclusions)

Slide 37: Remote attacks can be used to extract data
Stage 1, SocEng: the document is sent as an attachment or delivered drive-by from the web.
Stage 2, Printing: the malicious byte stream is spooled to the printer.
Stage 3, Exploiting/spying: the malware exploits the internal network or extracts data.

Slide 38: Agenda (1. Quick refresher; 2. What about PostScript?; 3. So what, and how did you find?; 4. Attacks in a nutshell; 5. What's next, solutions, conclusions)

Slide 39: What's next? Upcoming weeks
A secure PostScript execution/interpreter sandbox. A set of online/offline tools for analysis & reporting, Wepawet-like but for PostScript-related data. Perhaps have it as part of, or alongside, IDS/IPS/AV/print-server data flows.

Slide 40: What's next? PS + MSF + FS + Sockets = PWN

Slide 41: Solutions (actor: suggested actions)
Admins: disable PS processing on printers; route print jobs through sandboxed print servers; replace PS drivers with PCL ones (well...); disable Language Operator Authorization; look for security bulletins and patch; sandbox printers in your network; include MFPs in the security audit lifecycle.
Users: do not print from untrusted sources; be suspicious of PostScript files.
Vendors: create realistic MFP threat models; do not enable/expose super-APIs.

Slide 42: Acknowledgements
The Xerox-related PostScript work & research was done under the support of ...

Slide 43: Thanks/resources
Personal thanks: Igor Marinescu, MihaiSa: great logistic support and friendly help. Xerox Security Team: positive responses, active mitigation.
www.tinaja.com: insanely large free PostScript resources directory
www.anastigmatix.net: very good PostScript resources
www.acumentraining.com: very good PostScript resources

Slide 44: Take-aways / Questions?
Andrei Costin, andrei@andreicostin.com, http://andreicostin.com/papers
Upcoming MFP attacks could include viruses in Office and PS documents that extract organization data.
Securing the MFP infrastructure requires better segmentation, strong credentials and continuous vulnerability patching.
MFPs are badly secured computing platforms with large abuse potential.
Check upcoming research papers; check www.youtube.com/user/zveriu.
Modern printer hacking goes back almost a decade
5
Broader amp deeper printer hacking (irongeek)
Initial printer hacks (FXpH)
2002 2006
Revived printer hacking interest
This talk focuses mainly on remote code execution inside MFPsprinters
2010-2012
HITB2012AMS
In 2010 we demorsquod mapping public MFPs
6
httpwwwyoutubecomwatchv=t44GibiCoCM
HITB2012AMS
hellip and generic MFP payload delivery using Word
7
httpwwwyoutubecomwatchv=KrWFOo2RAnk (there are false claims on this discovery)
HITB2012AMS
hellip and generic MFP payload delivery using Java
8
httpwwwyoutubecomwatchv=JcfxvZml6-Y
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
9
HITB2012AMS
PostScript who Itrsquos Adobersquos PDF big brother
10
HITB2012AMS
PS is build to handle complex processing tasks
11
Graphics amp patterns Complex math Web servers
Ray-tracing OpenGL Milling machine XML Parsers
HITB2012AMS
Then what exactly is PostScript
12
PostScript IS NOT just a static data stream like
PostScript IS a
Dynamically typed amp concatenative Stack-based Turing-complete Programming language What does it all mean Exactly
HITB2012AMS
What happens when printing PS
13
User writes the doc and hits Print PS printer driver transforms it to PS stream for specific device PS data stream on PRN
User Opens a PS file from emailhdd
PC-based PS interpreter processes it PS data stream executes on PC
In both cases PS data stream IS A PS program
Program = static data
HITB2012AMS
Demo ldquoProgramming languagerdquo aspect
14
Programming languages 101
Control statements ifelse loop while
Simplest DoS attack is an ldquoinfinite looprdquo
loop
HITB2012AMS
Demo ldquoDynamically typed concatenative aspect
15
You wonder why your smart IDSIPS rules stopped working
Here is why
ps_dynamic_statement_construction_and_executionps Solution
Bad news Need dynamic execution sandbox Good news Itrsquos coming in upcoming weeks
HITB2012AMS
Demo Real world application ndash MSOffice PS crash
16
Submitted to MS
Apparently this one is not exploitable as in smash stack attacks
But it opens an interesting perspective on MS Officehellip
HITB2012AMS
Demo Real world application ndash GhostScript autoprn
17
One got to love custom extensions
Send a print-job stream directly by mere opening the file
Requires more investigation but perspective is interestinghellip
HITB2012AMS
Dynamic document forginggeneration + SocEng
18
Computer side PrinterMFP side
HITB2012AMS
Dynamic document forginggeneration + SocEng
19
User computer User printout
HITB2012AMS
Where is PostScript (Vendor-wise view)
20
Applications incorporating the PS interpreter
Applicationsvendors producing the PS interpreter
The PS interpreter specifications and standards
HITB2012AMS
Where is PostScript (Role-wise view)
21
HITB2012AMS
PostScript Web 20 Style
22
PostScript made it into the web as well Around 20+ services found to be vulnerable to various degrees
Google was one them -gt Bounty reward Some fun facts
Effective for host exploitation and information gathering Some ran GS as root user Some ran GS without ndashdSAFER All of them ran vulnerable GS versions
Heap and stack overflows More details to comehellip
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 What else was found
4 Attacks in a nutshell
5 Solutions and conclusions
23
HITB2012AMS
A PS-based firmware upload was required
24
HITB2012AMS
This is too good to be truehellip
25
VxWorks API vx
DebugQA API QA
Logging API EventLog
BillingMeters API meter
Pump PWM pumppwm
RAMdisk API ramdisk
RAM API ram
Flash API flash
HITB2012AMS
Memory dumping reveals computing secrets
26
HITB2012AMS
Admin restriction fail to prevent memory dumping
27
HITB2012AMS
Password setup is sniffed by the attacker
28
1) HTTP GET request ndash password clear text
2) HTTP reply
HITB2012AMS
Basic auth password can be dumped
29
1) Authorization Basic YWRtaW4yOhellip
2) HTTP11 200 OK
HITB2012AMS
HTTPS IPsec secrets are ldquodefaultyrdquo amp ldquoleakyrdquo
30
0x66306630663066306630663066302222
HITB2012AMS
Attacker has access to printed document details
31
HITB2012AMS
Attacker has access to network topology ndash no-scan
32
HITB2012AMS
Attacker has access to BSD-style socketshellip
33
Two-way BSD-style sockets communication
HITB2012AMS
Analyzed MFP cannot protect effectively
34
Privilege level separation
Secure password setup
Secure (basic) auth
HTTPS IPSEC secrets protection
Network topology protection
In-memory document protection
Restrict sockets on unprivileged modules
Protection measures Fail warn ok
HITB2012AMS
Plenty of Xerox printers share affected PS firmware update mechanism
35
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
36
HITB2012AMS
Remote attacks can be used to extract data
37
Sent
by
Drive-
by
Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying
attachment
from
web
Malware exploits
internal netw or
extracts data
Spool
malicious
byte
stream
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Whatrsquos next solutions conclusions
38
HITB2012AMS
Whatrsquos next Upcoming weeks
39
Secure PostScript ExecutionInterpreter Sandbox Set of onlineoffline tools for analysis amp reporting Wepawet-like but for PostScript related data Perhaps have it partalong of IDSIPSAVPrintServer data-flows
HITB2012AMS
Whatrsquos next PS + MSF + FS + Sockets = PWN
40
HITB2012AMS
Solutions
41
Admins bull Disable PS processing on printers bull Route print-jobs thru sandboxed print-servers bull Replace PS drivers with PCL ones (wellhellip) bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sandbox printers in your network bull Include MFPs in security audit lifecycle
Users bull Do not print from untrusted sources bull Be suspicious on PostScript files
Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs
Actor Suggested actions
HITB2012AMS
Acknowledgements
42
The Xerox-related PostScript work amp research done under support of
HITB2012AMS
Thanksresources
43
Personal thanks
Igor Marinescu MihaiSa Great logistic support and friendly help
Xerox Security Team Positive responses active mitigation
wwwtinajacom Insanely large free postscript resources dir
wwwanastigmatixnet Very good postscript resources
wwwacumentrainingcom Very good postscript resources
HITB2012AMS
Take aways
44
Questions
Andrei Costin andreiandreicostincom httpandreicostincompapers
Upcoming MFP attack could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Check upcoming research papers Check wwwyoutubecomuserzveriu
HITB2012AMS
In 2010 we demorsquod mapping public MFPs
6
httpwwwyoutubecomwatchv=t44GibiCoCM
HITB2012AMS
hellip and generic MFP payload delivery using Word
7
httpwwwyoutubecomwatchv=KrWFOo2RAnk (there are false claims on this discovery)
HITB2012AMS
hellip and generic MFP payload delivery using Java
8
httpwwwyoutubecomwatchv=JcfxvZml6-Y
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
9
HITB2012AMS
PostScript who Itrsquos Adobersquos PDF big brother
10
HITB2012AMS
PS is build to handle complex processing tasks
11
Graphics amp patterns Complex math Web servers
Ray-tracing OpenGL Milling machine XML Parsers
HITB2012AMS
Then what exactly is PostScript
12
PostScript IS NOT just a static data stream like
PostScript IS a
Dynamically typed amp concatenative Stack-based Turing-complete Programming language What does it all mean Exactly
HITB2012AMS
What happens when printing PS
13
User writes the doc and hits Print PS printer driver transforms it to PS stream for specific device PS data stream on PRN
User Opens a PS file from emailhdd
PC-based PS interpreter processes it PS data stream executes on PC
In both cases PS data stream IS A PS program
Program = static data
HITB2012AMS
Demo ldquoProgramming languagerdquo aspect
14
Programming languages 101
Control statements ifelse loop while
Simplest DoS attack is an ldquoinfinite looprdquo
loop
HITB2012AMS
Demo ldquoDynamically typed concatenative aspect
15
You wonder why your smart IDSIPS rules stopped working
Here is why
ps_dynamic_statement_construction_and_executionps Solution
Bad news Need dynamic execution sandbox Good news Itrsquos coming in upcoming weeks
HITB2012AMS
Demo Real world application ndash MSOffice PS crash
16
Submitted to MS
Apparently this one is not exploitable as in smash stack attacks
But it opens an interesting perspective on MS Officehellip
HITB2012AMS
Demo Real world application ndash GhostScript autoprn
17
One got to love custom extensions
Send a print-job stream directly by mere opening the file
Requires more investigation but perspective is interestinghellip
HITB2012AMS
Dynamic document forginggeneration + SocEng
18
Computer side PrinterMFP side
HITB2012AMS
Dynamic document forginggeneration + SocEng
19
User computer User printout
HITB2012AMS
Where is PostScript (Vendor-wise view)
20
Applications incorporating the PS interpreter
Applicationsvendors producing the PS interpreter
The PS interpreter specifications and standards
HITB2012AMS
Where is PostScript (Role-wise view)
21
HITB2012AMS
PostScript Web 20 Style
22
PostScript made it into the web as well Around 20+ services found to be vulnerable to various degrees
Google was one them -gt Bounty reward Some fun facts
Effective for host exploitation and information gathering Some ran GS as root user Some ran GS without ndashdSAFER All of them ran vulnerable GS versions
Heap and stack overflows More details to comehellip
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 What else was found
4 Attacks in a nutshell
5 Solutions and conclusions
23
HITB2012AMS
A PS-based firmware upload was required
24
HITB2012AMS
This is too good to be truehellip
25
VxWorks API vx
DebugQA API QA
Logging API EventLog
BillingMeters API meter
Pump PWM pumppwm
RAMdisk API ramdisk
RAM API ram
Flash API flash
HITB2012AMS
Memory dumping reveals computing secrets
26
HITB2012AMS
Admin restriction fail to prevent memory dumping
27
HITB2012AMS
Password setup is sniffed by the attacker
28
1) HTTP GET request ndash password clear text
2) HTTP reply
HITB2012AMS
Basic auth password can be dumped
29
1) Authorization Basic YWRtaW4yOhellip
2) HTTP11 200 OK
HITB2012AMS
HTTPS IPsec secrets are ldquodefaultyrdquo amp ldquoleakyrdquo
30
0x66306630663066306630663066302222
HITB2012AMS
Attacker has access to printed document details
31
HITB2012AMS
Attacker has access to network topology ndash no-scan
32
HITB2012AMS
Attacker has access to BSD-style socketshellip
33
Two-way BSD-style sockets communication
HITB2012AMS
Analyzed MFP cannot protect effectively
34
Privilege level separation
Secure password setup
Secure (basic) auth
HTTPS IPSEC secrets protection
Network topology protection
In-memory document protection
Restrict sockets on unprivileged modules
Protection measures Fail warn ok
HITB2012AMS
Plenty of Xerox printers share affected PS firmware update mechanism
35
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
36
HITB2012AMS
Remote attacks can be used to extract data
37
Sent
by
Drive-
by
Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying
attachment
from
web
Malware exploits
internal netw or
extracts data
Spool
malicious
byte
stream
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Whatrsquos next solutions conclusions
38
HITB2012AMS
Whatrsquos next Upcoming weeks
39
Secure PostScript ExecutionInterpreter Sandbox Set of onlineoffline tools for analysis amp reporting Wepawet-like but for PostScript related data Perhaps have it partalong of IDSIPSAVPrintServer data-flows
HITB2012AMS
Whatrsquos next PS + MSF + FS + Sockets = PWN
40
HITB2012AMS
Solutions
41
Admins bull Disable PS processing on printers bull Route print-jobs thru sandboxed print-servers bull Replace PS drivers with PCL ones (wellhellip) bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sandbox printers in your network bull Include MFPs in security audit lifecycle
Users bull Do not print from untrusted sources bull Be suspicious on PostScript files
Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs
Actor Suggested actions
HITB2012AMS
Acknowledgements
42
The Xerox-related PostScript work amp research done under support of
HITB2012AMS
Thanksresources
43
Personal thanks
Igor Marinescu MihaiSa Great logistic support and friendly help
Xerox Security Team Positive responses active mitigation
wwwtinajacom Insanely large free postscript resources dir
wwwanastigmatixnet Very good postscript resources
wwwacumentrainingcom Very good postscript resources
HITB2012AMS
Take aways
44
Questions
Andrei Costin andreiandreicostincom httpandreicostincompapers
Upcoming MFP attack could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Check upcoming research papers Check wwwyoutubecomuserzveriu
HITB2012AMS
hellip and generic MFP payload delivery using Word
7
httpwwwyoutubecomwatchv=KrWFOo2RAnk (there are false claims on this discovery)
HITB2012AMS
hellip and generic MFP payload delivery using Java
8
httpwwwyoutubecomwatchv=JcfxvZml6-Y
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
9
HITB2012AMS
PostScript who Itrsquos Adobersquos PDF big brother
10
HITB2012AMS
PS is build to handle complex processing tasks
11
Graphics amp patterns Complex math Web servers
Ray-tracing OpenGL Milling machine XML Parsers
HITB2012AMS
Then what exactly is PostScript
12
PostScript IS NOT just a static data stream like
PostScript IS a
Dynamically typed amp concatenative Stack-based Turing-complete Programming language What does it all mean Exactly
HITB2012AMS
What happens when printing PS
13
User writes the doc and hits Print PS printer driver transforms it to PS stream for specific device PS data stream on PRN
User Opens a PS file from emailhdd
PC-based PS interpreter processes it PS data stream executes on PC
In both cases PS data stream IS A PS program
Program = static data
HITB2012AMS
Demo ldquoProgramming languagerdquo aspect
14
Programming languages 101
Control statements ifelse loop while
Simplest DoS attack is an ldquoinfinite looprdquo
loop
HITB2012AMS
Demo ldquoDynamically typed concatenative aspect
15
You wonder why your smart IDSIPS rules stopped working
Here is why
ps_dynamic_statement_construction_and_executionps Solution
Bad news Need dynamic execution sandbox Good news Itrsquos coming in upcoming weeks
HITB2012AMS
Demo Real world application ndash MSOffice PS crash
16
Submitted to MS
Apparently this one is not exploitable as in smash stack attacks
But it opens an interesting perspective on MS Officehellip
HITB2012AMS
Demo Real world application ndash GhostScript autoprn
17
One got to love custom extensions
Send a print-job stream directly by mere opening the file
Requires more investigation but perspective is interestinghellip
HITB2012AMS
Dynamic document forginggeneration + SocEng
18
Computer side PrinterMFP side
HITB2012AMS
Dynamic document forginggeneration + SocEng
19
User computer User printout
HITB2012AMS
Where is PostScript (Vendor-wise view)
20
Applications incorporating the PS interpreter
Applicationsvendors producing the PS interpreter
The PS interpreter specifications and standards
HITB2012AMS
Where is PostScript (Role-wise view)
21
HITB2012AMS
PostScript Web 20 Style
22
PostScript made it into the web as well Around 20+ services found to be vulnerable to various degrees
Google was one them -gt Bounty reward Some fun facts
Effective for host exploitation and information gathering Some ran GS as root user Some ran GS without ndashdSAFER All of them ran vulnerable GS versions
Heap and stack overflows More details to comehellip
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 What else was found
4 Attacks in a nutshell
5 Solutions and conclusions
23
HITB2012AMS
A PS-based firmware upload was required
24
HITB2012AMS
This is too good to be truehellip
25
VxWorks API vx
DebugQA API QA
Logging API EventLog
BillingMeters API meter
Pump PWM pumppwm
RAMdisk API ramdisk
RAM API ram
Flash API flash
HITB2012AMS
Memory dumping reveals computing secrets
26
HITB2012AMS
Admin restriction fail to prevent memory dumping
27
HITB2012AMS
Password setup is sniffed by the attacker
28
1) HTTP GET request ndash password clear text
2) HTTP reply
HITB2012AMS
Basic auth password can be dumped
29
1) Authorization Basic YWRtaW4yOhellip
2) HTTP11 200 OK
HITB2012AMS
HTTPS IPsec secrets are ldquodefaultyrdquo amp ldquoleakyrdquo
30
0x66306630663066306630663066302222
HITB2012AMS
Attacker has access to printed document details
31
HITB2012AMS
Attacker has access to network topology ndash no-scan
32
HITB2012AMS
Attacker has access to BSD-style socketshellip
33
Two-way BSD-style sockets communication
HITB2012AMS
Analyzed MFP cannot protect effectively
34
Privilege level separation
Secure password setup
Secure (basic) auth
HTTPS IPSEC secrets protection
Network topology protection
In-memory document protection
Restrict sockets on unprivileged modules
Protection measures Fail warn ok
HITB2012AMS
Plenty of Xerox printers share affected PS firmware update mechanism
35
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
36
HITB2012AMS
Remote attacks can be used to extract data
37
Sent
by
Drive-
by
Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying
attachment
from
web
Malware exploits
internal netw or
extracts data
Spool
malicious
byte
stream
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Whatrsquos next solutions conclusions
38
HITB2012AMS
Whatrsquos next Upcoming weeks
39
Secure PostScript ExecutionInterpreter Sandbox Set of onlineoffline tools for analysis amp reporting Wepawet-like but for PostScript related data Perhaps have it partalong of IDSIPSAVPrintServer data-flows
HITB2012AMS
Whatrsquos next PS + MSF + FS + Sockets = PWN
40
HITB2012AMS
Solutions
41
Admins bull Disable PS processing on printers bull Route print-jobs thru sandboxed print-servers bull Replace PS drivers with PCL ones (wellhellip) bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sandbox printers in your network bull Include MFPs in security audit lifecycle
Users bull Do not print from untrusted sources bull Be suspicious on PostScript files
Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs
Actor Suggested actions
HITB2012AMS
Acknowledgements
42
The Xerox-related PostScript work amp research done under support of
HITB2012AMS
Thanksresources
43
Personal thanks
Igor Marinescu MihaiSa Great logistic support and friendly help
Xerox Security Team Positive responses active mitigation
wwwtinajacom Insanely large free postscript resources dir
wwwanastigmatixnet Very good postscript resources
wwwacumentrainingcom Very good postscript resources
HITB2012AMS
Take aways
44
Questions
Andrei Costin andreiandreicostincom httpandreicostincompapers
Upcoming MFP attack could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Check upcoming research papers Check wwwyoutubecomuserzveriu
HITB2012AMS
hellip and generic MFP payload delivery using Java
8
httpwwwyoutubecomwatchv=JcfxvZml6-Y
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
9
HITB2012AMS
PostScript who Itrsquos Adobersquos PDF big brother
10
HITB2012AMS
PS is build to handle complex processing tasks
11
Graphics amp patterns Complex math Web servers
Ray-tracing OpenGL Milling machine XML Parsers
HITB2012AMS
Then what exactly is PostScript
12
PostScript IS NOT just a static data stream like
PostScript IS a
Dynamically typed amp concatenative Stack-based Turing-complete Programming language What does it all mean Exactly
HITB2012AMS
What happens when printing PS
13
User writes the doc and hits Print PS printer driver transforms it to PS stream for specific device PS data stream on PRN
User Opens a PS file from emailhdd
PC-based PS interpreter processes it PS data stream executes on PC
In both cases PS data stream IS A PS program
Program = static data
HITB2012AMS
Demo ldquoProgramming languagerdquo aspect
14
Programming languages 101
Control statements ifelse loop while
Simplest DoS attack is an ldquoinfinite looprdquo
loop
HITB2012AMS
Demo ldquoDynamically typed concatenative aspect
15
You wonder why your smart IDSIPS rules stopped working
Here is why
ps_dynamic_statement_construction_and_executionps Solution
Bad news Need dynamic execution sandbox Good news Itrsquos coming in upcoming weeks
HITB2012AMS
Demo Real world application ndash MSOffice PS crash
16
Submitted to MS
Apparently this one is not exploitable as in smash stack attacks
But it opens an interesting perspective on MS Officehellip
HITB2012AMS
Demo Real world application ndash GhostScript autoprn
17
One got to love custom extensions
Send a print-job stream directly by mere opening the file
Requires more investigation but perspective is interestinghellip
HITB2012AMS
Dynamic document forginggeneration + SocEng
18
Computer side PrinterMFP side
HITB2012AMS
Dynamic document forginggeneration + SocEng
19
User computer User printout
HITB2012AMS
Where is PostScript (Vendor-wise view)
20
Applications incorporating the PS interpreter
Applicationsvendors producing the PS interpreter
The PS interpreter specifications and standards
HITB2012AMS
Where is PostScript (Role-wise view)
21
HITB2012AMS
PostScript Web 20 Style
22
PostScript made it into the web as well Around 20+ services found to be vulnerable to various degrees
Google was one them -gt Bounty reward Some fun facts
Effective for host exploitation and information gathering Some ran GS as root user Some ran GS without ndashdSAFER All of them ran vulnerable GS versions
Heap and stack overflows More details to comehellip
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 What else was found
4 Attacks in a nutshell
5 Solutions and conclusions
23
HITB2012AMS
A PS-based firmware upload was required
24
HITB2012AMS
This is too good to be truehellip
25
VxWorks API vx
DebugQA API QA
Logging API EventLog
BillingMeters API meter
Pump PWM pumppwm
RAMdisk API ramdisk
RAM API ram
Flash API flash
HITB2012AMS
Memory dumping reveals computing secrets
26
HITB2012AMS
Admin restriction fail to prevent memory dumping
27
HITB2012AMS
Password setup is sniffed by the attacker
28
1) HTTP GET request ndash password clear text
2) HTTP reply
HITB2012AMS
Basic auth password can be dumped
29
1) Authorization Basic YWRtaW4yOhellip
2) HTTP11 200 OK
HITB2012AMS
HTTPS IPsec secrets are ldquodefaultyrdquo amp ldquoleakyrdquo
30
0x66306630663066306630663066302222
HITB2012AMS
Attacker has access to printed document details
31
HITB2012AMS
Attacker has access to network topology ndash no-scan
32
HITB2012AMS
Attacker has access to BSD-style socketshellip
33
Two-way BSD-style sockets communication
HITB2012AMS
Analyzed MFP cannot protect effectively
34
Privilege level separation
Secure password setup
Secure (basic) auth
HTTPS IPSEC secrets protection
Network topology protection
In-memory document protection
Restrict sockets on unprivileged modules
Protection measures Fail warn ok
HITB2012AMS
Plenty of Xerox printers share affected PS firmware update mechanism
35
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
36
HITB2012AMS
Remote attacks can be used to extract data
37
Sent
by
Drive-
by
Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying
attachment
from
web
Malware exploits
internal netw or
extracts data
Spool
malicious
byte
stream
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Whatrsquos next solutions conclusions
38
HITB2012AMS
Whatrsquos next Upcoming weeks
39
Secure PostScript ExecutionInterpreter Sandbox Set of onlineoffline tools for analysis amp reporting Wepawet-like but for PostScript related data Perhaps have it partalong of IDSIPSAVPrintServer data-flows
HITB2012AMS
Whatrsquos next PS + MSF + FS + Sockets = PWN
40
HITB2012AMS
Solutions
41
Admins bull Disable PS processing on printers bull Route print-jobs thru sandboxed print-servers bull Replace PS drivers with PCL ones (wellhellip) bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sandbox printers in your network bull Include MFPs in security audit lifecycle
Users bull Do not print from untrusted sources bull Be suspicious on PostScript files
Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs
Actor Suggested actions
HITB2012AMS
Acknowledgements
42
The Xerox-related PostScript work amp research done under support of
HITB2012AMS
Thanksresources
43
Personal thanks
Igor Marinescu MihaiSa Great logistic support and friendly help
Xerox Security Team Positive responses active mitigation
wwwtinajacom Insanely large free postscript resources dir
wwwanastigmatixnet Very good postscript resources
wwwacumentrainingcom Very good postscript resources
HITB2012AMS
Take aways
44
Questions
Andrei Costin andreiandreicostincom httpandreicostincompapers
Upcoming MFP attack could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Check upcoming research papers Check wwwyoutubecomuserzveriu
HITB2012AMS
What happens when printing PS
13
User writes the doc and hits Print → the PS printer driver transforms it into a PS stream for the specific device → the PS data stream goes out on PRN
User opens a PS file from email/hdd → a PC-based PS interpreter processes it → the PS data stream executes on the PC
In both cases the PS data stream IS A PS program
Program ≠ static data
Demo: “Programming language” aspect
14
Programming languages 101
Control statements: ifelse, loop, while
Simplest DoS attack is an “infinite loop”:
{ } loop
Demo: “Dynamically typed, concatenative” aspect
15
You wonder why your smart IDS/IPS rules stopped working? Here is why:
ps_dynamic_statement_construction_and_execution.ps
Solution? Bad news: a dynamic execution sandbox is needed. Good news: it's coming in the upcoming weeks.
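Why a byte-level signature rule fails on PostScript, shown as a small tokenizer-based triage pass over print jobs. This is an added example and not the talk's ps_dynamic_statement_construction_and_execution.ps or any vendor code; the sample jobs, the operator lists and the verdict names are constructed for illustration.

```python
"""Static triage of PostScript print jobs (added example, not the talk's code).

A rule that greps a job for operator names fails both ways: it fires on a
document that merely prints the word "deletefile" inside a string literal and
it misses a job that assembles an operator name at run time (cvn/cvx/exec).
The tokenizer below separates strings and comments from executable names and
reports file operators executed directly and dynamic-execution operators,
which only a sandboxed run can judge. Operator lists are illustrative only.
"""
import re

FILE_OPERATORS = {"file", "deletefile", "renamefile", "run", "filenameforall"}
DYNAMIC_OPERATORS = {"cvn", "cvx", "exec", "token"}
DELIMS = set("()<>[]{}/%")
WHITESPACE = set(" \t\r\n\f\0")

def tokenize(src):
    """(kind, text) tokens: 'string', 'name' (literal /name, never executed),
    'delim', or 'exec' (an executable name or a number)."""
    toks, i, n = [], 0, len(src)
    while i < n:
        c = src[i]
        if c in WHITESPACE:
            i += 1
        elif c == "%":                        # comment runs to end of line
            j = src.find("\n", i)
            i = n if j < 0 else j + 1
        elif c == "(":                        # literal string, parens may nest
            depth, j, buf = 1, i + 1, []
            while j < n:
                ch = src[j]
                if ch == "\\" and j + 1 < n:  # backslash escape: keep next char
                    buf.append(src[j + 1])
                    j += 2
                    continue
                if ch == "(":
                    depth += 1
                elif ch == ")":
                    depth -= 1
                    if depth == 0:
                        j += 1
                        break
                buf.append(ch)
                j += 1
            toks.append(("string", "".join(buf)))
            i = j
        elif src.startswith(("<<", ">>"), i):
            toks.append(("delim", src[i:i + 2]))
            i += 2
        elif c == "<":                        # <hex> or <~ASCII85~> string
            end = "~>" if src.startswith("<~", i) else ">"
            j = src.find(end, i + 1)
            j = n if j < 0 else j + len(end)
            toks.append(("string", src[i:j]))
            i = j
        elif c in "{}[]>)":
            toks.append(("delim", c))
            i += 1
        else:                                 # /name, //name, or executable token
            kind = "name" if c == "/" else "exec"
            j = i
            while j < n and src[j] == "/":
                j += 1
            k = j
            while k < n and src[k] not in WHITESPACE and src[k] not in DELIMS:
                k += 1
            toks.append((kind, src[j:k]))
            i = k
    return toks

def triage(job):
    """'block' if a file operator is executed, 'sandbox' if code is built at run
    time (only a sandboxed run can judge it; driver prologs also use exec/cvx,
    so expect noise), else 'static-clean', which still does not mean trusted."""
    toks = tokenize(job)
    file_ops = [t for k, t in toks if k == "exec" and t in FILE_OPERATORS]
    dynamic = [t for k, t in toks if k == "exec" and t in DYNAMIC_OPERATORS]
    verdict = "block" if file_ops else "sandbox" if dynamic else "static-clean"
    return {"verdict": verdict, "file_ops": file_ops, "dynamic_exec": dynamic}

def naive_rule_hits(job, operator):
    """Signature-style IDS rule: is the operator word anywhere in the bytes?"""
    return re.search(r"\b%s\b" % re.escape(operator), job) is not None

# Constructed sample jobs (not from the talk).
BENIGN_JOB = """%!PS-Adobe-3.0
/Helvetica findfont 12 scalefont setfont
72 720 moveto (Note: deletefile is a PostScript operator) show
showpage
"""
DIRECT_JOB = """%!PS
(scratch.dat) deletefile
showpage
"""
# Builds "showpage" from fragments and executes it: harmless target, but no
# operator name is visible to a byte-level rule.
DYNAMIC_JOB = """%!PS
/a (show) def /b (page) def
/n a length b length add string def
n 0 a putinterval n a length b putinterval
n cvn cvx exec
"""
```

A `sandbox` verdict is the trigger for the dynamic execution sandbox the slide calls for, not a reason to block on its own, since legitimate driver prologs also build code at run time.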
Demo: Real-world application – MS Office PS crash
16
Submitted to MS
Apparently this one is not exploitable as in stack-smashing attacks
But it opens an interesting perspective on MS Office…
Demo: Real-world application – GhostScript autoprn
17
One has to love custom extensions
Sends a print-job stream directly upon merely opening the file
Requires more investigation, but the perspective is interesting…
Dynamic document forging/generation + SocEng
18
(figure: computer side vs. printer/MFP side)
Dynamic document forging/generation + SocEng
19
(figure: user computer vs. user printout)
Where is PostScript? (Vendor-wise view)
20
• Applications incorporating the PS interpreter
• Applications/vendors producing the PS interpreter
• The PS interpreter specifications and standards
Where is PostScript? (Role-wise view)
21
PostScript, Web 2.0 style
22
PostScript made it into the web as well: around 20+ services were found to be vulnerable to various degrees. Google was one of them -> bounty reward.
Some fun facts:
• Effective for host exploitation and information gathering
• Some ran GS as the root user
• Some ran GS without -dSAFER
• All of them ran vulnerable GS versions (heap and stack overflows)
More details to come…
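The sandboxed print-server route from the solutions slide, combined with the -dSAFER finding above and a time limit against the "{ } loop" DoS of slide 14, as an added example that is neither the talk's code nor Ghostscript's. GS_BINARY, the flag set and the JobResult type are assumptions; Ghostscript is not needed to exercise the time limit, which the stand-in job does with a spinning Python process.

```python
"""Contained execution of an untrusted PostScript job (added example).

The solutions slide says to route print jobs through sandboxed print servers,
and the web findings include Ghostscript run without -dSAFER; slide 14 shows
that "{ } loop" is a one-line denial of service. This wrapper, not the talk's
code, builds a hardened Ghostscript command line, audits an existing one for
missing hardening flags, and kills a runaway job at a wall-clock limit.
Ghostscript is assumed to be on PATH as GS_BINARY; the stand-in job below
spins a Python process instead, so the timeout path runs without gs.
"""
import subprocess
import sys
from dataclasses import dataclass
from typing import List, Optional

GS_BINARY = "gs"   # assumption: Ghostscript binary on PATH
# -dSAFER restricts file operators; -dBATCH/-dNOPAUSE make gs exit instead
# of waiting for interactive input at the end of the job.
HARDENING_FLAGS = ("-dSAFER", "-dBATCH", "-dNOPAUSE")


def gs_argv(input_ps: str, output_file: str, device: str = "pdfwrite") -> List[str]:
    """Hardened invocation that renders input_ps to output_file via `device`."""
    return [GS_BINARY, *HARDENING_FLAGS, "-dQUIET", "-sDEVICE=" + device,
            "-sOutputFile=" + output_file, input_ps]


def missing_hardening(argv: List[str]) -> List[str]:
    """Audit an invocation taken from a print-server filter: list the absent
    hardening flags, plus -dNOSAFER if present, since it overrides -dSAFER."""
    problems = [f for f in HARDENING_FLAGS if f not in argv]
    if "-dNOSAFER" in argv:
        problems.append("-dNOSAFER present")
    return problems


@dataclass
class JobResult:
    status: str                 # "ok", "error" or "timeout"
    returncode: Optional[int]   # None when the child was killed or never ran


def run_contained(argv: List[str], timeout_s: float) -> JobResult:
    """Run the interpreter under a wall-clock limit. subprocess.run kills the
    child on timeout, which is the defence against "{ } loop"; stdout/stderr
    are captured so a noisy job cannot flood the spooler's log."""
    try:
        proc = subprocess.run(argv, capture_output=True, timeout=timeout_s)
    except subprocess.TimeoutExpired:
        return JobResult("timeout", None)
    except FileNotFoundError:           # e.g. gs not installed on this host
        return JobResult("error", None)
    return JobResult("ok" if proc.returncode == 0 else "error", proc.returncode)


def render_ps(input_ps: str, output_file: str, timeout_s: float = 30.0) -> JobResult:
    """Full path for a spooled job: hardened argv plus time limit."""
    return run_contained(gs_argv(input_ps, output_file), timeout_s)


def run_python_stand_in(code: str, timeout_s: float) -> JobResult:
    """Stand-in for gs so the time limit can be exercised without Ghostscript:
    "while True: pass" plays the role of a job that never finishes."""
    return run_contained([sys.executable, "-c", code], timeout_s)
```

The time limit only bounds CPU time per job; a print server that accepts jobs from the whole network still needs a queue depth limit and an unprivileged service account, as the Admins row of the solutions slide implies.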
Agenda
1 Quick refresher
2 What about PostScript
3 What else was found
4 Attacks in a nutshell
5 Solutions and conclusions
23
A PS-based firmware upload was required
24
This is too good to be true…
25
VxWorks API: vx
Debug/QA API: QA
Logging API: EventLog
Billing/Meters API: meter
Pump PWM: pumppwm
RAMdisk API: ramdisk
RAM API: ram
Flash API: flash
Memory dumping reveals computing secrets
26
Admin restrictions fail to prevent memory dumping
27
Password setup is sniffed by the attacker
28
1) HTTP GET request – password in clear text
2) HTTP reply
Basic auth password can be dumped
29
1) Authorization: Basic YWRtaW4yO…
2) HTTP/1.1 200 OK
HTTPS/IPsec secrets are “defaulty” & “leaky”
30
0x66306630663066306630663066302222
Attacker has access to printed document details
31
Attacker has access to network topology – no scan needed
32
Attacker has access to BSD-style sockets…
33
Two-way BSD-style socket communication
Analyzed MFP cannot protect effectively
34
Protection measures (rated fail / warn / ok):
• Privilege level separation
• Secure password setup
• Secure (basic) auth
• HTTPS/IPsec secrets protection
• Network topology protection
• In-memory document protection
• Restrict sockets on unprivileged modules
Plenty of Xerox printers share the affected PS firmware update mechanism
35
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
36
Remote attacks can be used to extract data
37
(figure) Stage 1 – SocEng: sent by attachment, or drive-by from web → Stage 2 – Printing: spool malicious byte stream → Stage 3 – Exploiting/spying: malware exploits internal network or extracts data
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 What's next, solutions, conclusions
38
Whatrsquos next Upcoming weeks
39
Secure PostScript ExecutionInterpreter Sandbox Set of onlineoffline tools for analysis amp reporting Wepawet-like but for PostScript related data Perhaps have it partalong of IDSIPSAVPrintServer data-flows
HITB2012AMS
Whatrsquos next PS + MSF + FS + Sockets = PWN
40
HITB2012AMS
Solutions
41
Admins bull Disable PS processing on printers bull Route print-jobs thru sandboxed print-servers bull Replace PS drivers with PCL ones (wellhellip) bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sandbox printers in your network bull Include MFPs in security audit lifecycle
Users bull Do not print from untrusted sources bull Be suspicious on PostScript files
Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs
Actor Suggested actions
HITB2012AMS
Acknowledgements
42
The Xerox-related PostScript work amp research done under support of
HITB2012AMS
Thanksresources
43
Personal thanks
Igor Marinescu MihaiSa Great logistic support and friendly help
Xerox Security Team Positive responses active mitigation
wwwtinajacom Insanely large free postscript resources dir
wwwanastigmatixnet Very good postscript resources
wwwacumentrainingcom Very good postscript resources
HITB2012AMS
Take aways
44
Questions
Andrei Costin andreiandreicostincom httpandreicostincompapers
Upcoming MFP attack could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Check upcoming research papers Check wwwyoutubecomuserzveriu
HITB2012AMS
PostScript who Itrsquos Adobersquos PDF big brother
10
HITB2012AMS
PS is build to handle complex processing tasks
11
Graphics amp patterns Complex math Web servers
Ray-tracing OpenGL Milling machine XML Parsers
HITB2012AMS
Then what exactly is PostScript
12
PostScript IS NOT just a static data stream like
PostScript IS a
Dynamically typed amp concatenative Stack-based Turing-complete Programming language What does it all mean Exactly
HITB2012AMS
What happens when printing PS
13
User writes the doc and hits Print PS printer driver transforms it to PS stream for specific device PS data stream on PRN
User Opens a PS file from emailhdd
PC-based PS interpreter processes it PS data stream executes on PC
In both cases PS data stream IS A PS program
Program = static data
HITB2012AMS
Demo ldquoProgramming languagerdquo aspect
14
Programming languages 101
Control statements ifelse loop while
Simplest DoS attack is an ldquoinfinite looprdquo
loop
HITB2012AMS
Demo ldquoDynamically typed concatenative aspect
15
You wonder why your smart IDSIPS rules stopped working
Here is why
ps_dynamic_statement_construction_and_executionps Solution
Bad news Need dynamic execution sandbox Good news Itrsquos coming in upcoming weeks
HITB2012AMS
Demo Real world application ndash MSOffice PS crash
16
Submitted to MS
Apparently this one is not exploitable as in smash stack attacks
But it opens an interesting perspective on MS Officehellip
HITB2012AMS
Demo Real world application ndash GhostScript autoprn
17
One got to love custom extensions
Send a print-job stream directly by mere opening the file
Requires more investigation but perspective is interestinghellip
HITB2012AMS
Dynamic document forginggeneration + SocEng
18
Computer side PrinterMFP side
HITB2012AMS
Dynamic document forginggeneration + SocEng
19
User computer User printout
HITB2012AMS
Where is PostScript (Vendor-wise view)
20
Applications incorporating the PS interpreter
Applicationsvendors producing the PS interpreter
The PS interpreter specifications and standards
HITB2012AMS
Where is PostScript (Role-wise view)
21
HITB2012AMS
PostScript Web 20 Style
22
PostScript made it into the web as well Around 20+ services found to be vulnerable to various degrees
Google was one them -gt Bounty reward Some fun facts
Effective for host exploitation and information gathering Some ran GS as root user Some ran GS without ndashdSAFER All of them ran vulnerable GS versions
Heap and stack overflows More details to comehellip
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 What else was found
4 Attacks in a nutshell
5 Solutions and conclusions
23
HITB2012AMS
A PS-based firmware upload was required
24
HITB2012AMS
This is too good to be truehellip
25
VxWorks API vx
DebugQA API QA
Logging API EventLog
BillingMeters API meter
Pump PWM pumppwm
RAMdisk API ramdisk
RAM API ram
Flash API flash
HITB2012AMS
Memory dumping reveals computing secrets
26
HITB2012AMS
Admin restriction fail to prevent memory dumping
27
HITB2012AMS
Password setup is sniffed by the attacker
28
1) HTTP GET request ndash password clear text
2) HTTP reply
HITB2012AMS
Basic auth password can be dumped
29
1) Authorization Basic YWRtaW4yOhellip
2) HTTP11 200 OK
HITB2012AMS
HTTPS IPsec secrets are ldquodefaultyrdquo amp ldquoleakyrdquo
30
0x66306630663066306630663066302222
HITB2012AMS
Attacker has access to printed document details
31
HITB2012AMS
Attacker has access to network topology ndash no-scan
32
HITB2012AMS
Attacker has access to BSD-style socketshellip
33
Two-way BSD-style sockets communication
HITB2012AMS
Analyzed MFP cannot protect effectively
34
Privilege level separation
Secure password setup
Secure (basic) auth
HTTPS IPSEC secrets protection
Network topology protection
In-memory document protection
Restrict sockets on unprivileged modules
Protection measures Fail warn ok
HITB2012AMS
Plenty of Xerox printers share affected PS firmware update mechanism
35
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
36
HITB2012AMS
Remote attacks can be used to extract data
37
Sent
by
Drive-
by
Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying
attachment
from
web
Malware exploits
internal netw or
extracts data
Spool
malicious
byte
stream
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Whatrsquos next solutions conclusions
38
HITB2012AMS
Whatrsquos next Upcoming weeks
39
Secure PostScript ExecutionInterpreter Sandbox Set of onlineoffline tools for analysis amp reporting Wepawet-like but for PostScript related data Perhaps have it partalong of IDSIPSAVPrintServer data-flows
HITB2012AMS
Whatrsquos next PS + MSF + FS + Sockets = PWN
40
HITB2012AMS
Solutions
41
Admins bull Disable PS processing on printers bull Route print-jobs thru sandboxed print-servers bull Replace PS drivers with PCL ones (wellhellip) bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sandbox printers in your network bull Include MFPs in security audit lifecycle
Users bull Do not print from untrusted sources bull Be suspicious on PostScript files
Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs
Actor Suggested actions
HITB2012AMS
Acknowledgements
42
The Xerox-related PostScript work amp research done under support of
HITB2012AMS
Thanksresources
43
Personal thanks
Igor Marinescu MihaiSa Great logistic support and friendly help
Xerox Security Team Positive responses active mitigation
wwwtinajacom Insanely large free postscript resources dir
wwwanastigmatixnet Very good postscript resources
wwwacumentrainingcom Very good postscript resources
HITB2012AMS
Take aways
44
Questions
Andrei Costin andreiandreicostincom httpandreicostincompapers
Upcoming MFP attack could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Check upcoming research papers Check wwwyoutubecomuserzveriu
HITB2012AMS
PS is build to handle complex processing tasks
11
Graphics amp patterns Complex math Web servers
Ray-tracing OpenGL Milling machine XML Parsers
HITB2012AMS
Then what exactly is PostScript
12
PostScript IS NOT just a static data stream like
PostScript IS a
Dynamically typed amp concatenative Stack-based Turing-complete Programming language What does it all mean Exactly
HITB2012AMS
What happens when printing PS
13
User writes the doc and hits Print PS printer driver transforms it to PS stream for specific device PS data stream on PRN
User Opens a PS file from emailhdd
PC-based PS interpreter processes it PS data stream executes on PC
In both cases PS data stream IS A PS program
Program = static data
HITB2012AMS
Demo ldquoProgramming languagerdquo aspect
14
Programming languages 101
Control statements ifelse loop while
Simplest DoS attack is an ldquoinfinite looprdquo
loop
HITB2012AMS
Demo ldquoDynamically typed concatenative aspect
15
You wonder why your smart IDSIPS rules stopped working
Here is why
ps_dynamic_statement_construction_and_executionps Solution
Bad news Need dynamic execution sandbox Good news Itrsquos coming in upcoming weeks
HITB2012AMS
Demo Real world application ndash MSOffice PS crash
16
Submitted to MS
Apparently this one is not exploitable as in smash stack attacks
But it opens an interesting perspective on MS Officehellip
HITB2012AMS
Demo Real world application ndash GhostScript autoprn
17
One got to love custom extensions
Send a print-job stream directly by mere opening the file
Requires more investigation but perspective is interestinghellip
HITB2012AMS
Dynamic document forginggeneration + SocEng
18
Computer side PrinterMFP side
HITB2012AMS
Dynamic document forginggeneration + SocEng
19
User computer User printout
HITB2012AMS
Where is PostScript (Vendor-wise view)
20
Applications incorporating the PS interpreter
Applicationsvendors producing the PS interpreter
The PS interpreter specifications and standards
HITB2012AMS
Where is PostScript (Role-wise view)
21
HITB2012AMS
PostScript Web 20 Style
22
PostScript made it into the web as well Around 20+ services found to be vulnerable to various degrees
Google was one them -gt Bounty reward Some fun facts
Effective for host exploitation and information gathering Some ran GS as root user Some ran GS without ndashdSAFER All of them ran vulnerable GS versions
Heap and stack overflows More details to comehellip
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 What else was found
4 Attacks in a nutshell
5 Solutions and conclusions
23
HITB2012AMS
A PS-based firmware upload was required
24
HITB2012AMS
This is too good to be truehellip
25
VxWorks API vx
DebugQA API QA
Logging API EventLog
BillingMeters API meter
Pump PWM pumppwm
RAMdisk API ramdisk
RAM API ram
Flash API flash
HITB2012AMS
Memory dumping reveals computing secrets
26
HITB2012AMS
Admin restriction fail to prevent memory dumping
27
HITB2012AMS
Password setup is sniffed by the attacker
28
1) HTTP GET request ndash password clear text
2) HTTP reply
HITB2012AMS
Basic auth password can be dumped
29
1) Authorization Basic YWRtaW4yOhellip
2) HTTP11 200 OK
HITB2012AMS
HTTPS IPsec secrets are ldquodefaultyrdquo amp ldquoleakyrdquo
30
0x66306630663066306630663066302222
HITB2012AMS
Attacker has access to printed document details
31
HITB2012AMS
Attacker has access to network topology ndash no-scan
32
HITB2012AMS
Attacker has access to BSD-style socketshellip
33
Two-way BSD-style sockets communication
HITB2012AMS
Analyzed MFP cannot protect effectively
34
Privilege level separation
Secure password setup
Secure (basic) auth
HTTPS IPSEC secrets protection
Network topology protection
In-memory document protection
Restrict sockets on unprivileged modules
Protection measures Fail warn ok
HITB2012AMS
Plenty of Xerox printers share affected PS firmware update mechanism
35
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
36
HITB2012AMS
Remote attacks can be used to extract data
37
Sent
by
Drive-
by
Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying
attachment
from
web
Malware exploits
internal netw or
extracts data
Spool
malicious
byte
stream
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Whatrsquos next solutions conclusions
38
HITB2012AMS
Whatrsquos next Upcoming weeks
39
Secure PostScript ExecutionInterpreter Sandbox Set of onlineoffline tools for analysis amp reporting Wepawet-like but for PostScript related data Perhaps have it partalong of IDSIPSAVPrintServer data-flows
HITB2012AMS
Whatrsquos next PS + MSF + FS + Sockets = PWN
40
HITB2012AMS
Solutions
41
Admins bull Disable PS processing on printers bull Route print-jobs thru sandboxed print-servers bull Replace PS drivers with PCL ones (wellhellip) bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sandbox printers in your network bull Include MFPs in security audit lifecycle
Users bull Do not print from untrusted sources bull Be suspicious on PostScript files
Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs
Actor Suggested actions
HITB2012AMS
Acknowledgements
42
The Xerox-related PostScript work amp research done under support of
HITB2012AMS
Thanksresources
43
Personal thanks
Igor Marinescu MihaiSa Great logistic support and friendly help
Xerox Security Team Positive responses active mitigation
wwwtinajacom Insanely large free postscript resources dir
wwwanastigmatixnet Very good postscript resources
wwwacumentrainingcom Very good postscript resources
HITB2012AMS
Take aways
44
Questions
Andrei Costin andreiandreicostincom httpandreicostincompapers
Upcoming MFP attack could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Check upcoming research papers Check wwwyoutubecomuserzveriu
HITB2012AMS
Then what exactly is PostScript
12
PostScript IS NOT just a static data stream like
PostScript IS a
Dynamically typed amp concatenative Stack-based Turing-complete Programming language What does it all mean Exactly
HITB2012AMS
What happens when printing PS
13
User writes the doc and hits Print PS printer driver transforms it to PS stream for specific device PS data stream on PRN
User Opens a PS file from emailhdd
PC-based PS interpreter processes it PS data stream executes on PC
In both cases PS data stream IS A PS program
Program = static data
HITB2012AMS
Demo ldquoProgramming languagerdquo aspect
14
Programming languages 101
Control statements ifelse loop while
Simplest DoS attack is an ldquoinfinite looprdquo
loop
HITB2012AMS
Demo ldquoDynamically typed concatenative aspect
15
You wonder why your smart IDSIPS rules stopped working
Here is why
ps_dynamic_statement_construction_and_executionps Solution
Bad news Need dynamic execution sandbox Good news Itrsquos coming in upcoming weeks
HITB2012AMS
Demo Real world application ndash MSOffice PS crash
16
Submitted to MS
Apparently this one is not exploitable as in smash stack attacks
But it opens an interesting perspective on MS Officehellip
HITB2012AMS
Demo Real world application ndash GhostScript autoprn
17
One got to love custom extensions
Send a print-job stream directly by mere opening the file
Requires more investigation but perspective is interestinghellip
HITB2012AMS
Dynamic document forginggeneration + SocEng
18
Computer side PrinterMFP side
HITB2012AMS
Dynamic document forginggeneration + SocEng
19
User computer User printout
HITB2012AMS
Where is PostScript (Vendor-wise view)
20
Applications incorporating the PS interpreter
Applicationsvendors producing the PS interpreter
The PS interpreter specifications and standards
HITB2012AMS
Where is PostScript (Role-wise view)
21
HITB2012AMS
PostScript Web 20 Style
22
PostScript made it into the web as well Around 20+ services found to be vulnerable to various degrees
Google was one them -gt Bounty reward Some fun facts
Effective for host exploitation and information gathering Some ran GS as root user Some ran GS without ndashdSAFER All of them ran vulnerable GS versions
Heap and stack overflows More details to comehellip
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 What else was found
4 Attacks in a nutshell
5 Solutions and conclusions
23
HITB2012AMS
A PS-based firmware upload was required
24
HITB2012AMS
This is too good to be truehellip
25
VxWorks API vx
DebugQA API QA
Logging API EventLog
BillingMeters API meter
Pump PWM pumppwm
RAMdisk API ramdisk
RAM API ram
Flash API flash
HITB2012AMS
Memory dumping reveals computing secrets
26
HITB2012AMS
Admin restriction fail to prevent memory dumping
27
HITB2012AMS
Password setup is sniffed by the attacker
28
1) HTTP GET request ndash password clear text
2) HTTP reply
HITB2012AMS
Basic auth password can be dumped
29
1) Authorization Basic YWRtaW4yOhellip
2) HTTP11 200 OK
HITB2012AMS
HTTPS IPsec secrets are ldquodefaultyrdquo amp ldquoleakyrdquo
30
0x66306630663066306630663066302222
HITB2012AMS
Attacker has access to printed document details
31
HITB2012AMS
Attacker has access to network topology ndash no-scan
32
HITB2012AMS
Attacker has access to BSD-style socketshellip
33
Two-way BSD-style sockets communication
HITB2012AMS
Analyzed MFP cannot protect effectively
34
Privilege level separation
Secure password setup
Secure (basic) auth
HTTPS IPSEC secrets protection
Network topology protection
In-memory document protection
Restrict sockets on unprivileged modules
Protection measures Fail warn ok
HITB2012AMS
Plenty of Xerox printers share affected PS firmware update mechanism
35
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
36
HITB2012AMS
Remote attacks can be used to extract data
37
Sent
by
Drive-
by
Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying
attachment
from
web
Malware exploits
internal netw or
extracts data
Spool
malicious
byte
stream
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Whatrsquos next solutions conclusions
38
HITB2012AMS
Whatrsquos next Upcoming weeks
39
Secure PostScript ExecutionInterpreter Sandbox Set of onlineoffline tools for analysis amp reporting Wepawet-like but for PostScript related data Perhaps have it partalong of IDSIPSAVPrintServer data-flows
HITB2012AMS
Whatrsquos next PS + MSF + FS + Sockets = PWN
40
HITB2012AMS
Solutions
41
Admins bull Disable PS processing on printers bull Route print-jobs thru sandboxed print-servers bull Replace PS drivers with PCL ones (wellhellip) bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sandbox printers in your network bull Include MFPs in security audit lifecycle
Users bull Do not print from untrusted sources bull Be suspicious on PostScript files
Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs
Actor Suggested actions
HITB2012AMS
Acknowledgements
42
The Xerox-related PostScript work amp research done under support of
HITB2012AMS
Thanksresources
43
Personal thanks
Igor Marinescu MihaiSa Great logistic support and friendly help
Xerox Security Team Positive responses active mitigation
wwwtinajacom Insanely large free postscript resources dir
wwwanastigmatixnet Very good postscript resources
wwwacumentrainingcom Very good postscript resources
HITB2012AMS
Take aways
44
Questions
Andrei Costin andreiandreicostincom httpandreicostincompapers
Upcoming MFP attack could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Check upcoming research papers Check wwwyoutubecomuserzveriu
HITB2012AMS
What happens when printing PS
13
User writes the doc and hits Print PS printer driver transforms it to PS stream for specific device PS data stream on PRN
User Opens a PS file from emailhdd
PC-based PS interpreter processes it PS data stream executes on PC
In both cases PS data stream IS A PS program
Program = static data
HITB2012AMS
Demo ldquoProgramming languagerdquo aspect
14
Programming languages 101
Control statements ifelse loop while
Simplest DoS attack is an ldquoinfinite looprdquo
loop
HITB2012AMS
Demo ldquoDynamically typed concatenative aspect
15
You wonder why your smart IDSIPS rules stopped working
Here is why
ps_dynamic_statement_construction_and_executionps Solution
Bad news Need dynamic execution sandbox Good news Itrsquos coming in upcoming weeks
HITB2012AMS
Demo Real world application ndash MSOffice PS crash
16
Submitted to MS
Apparently this one is not exploitable as in smash stack attacks
But it opens an interesting perspective on MS Officehellip
HITB2012AMS
Demo Real world application ndash GhostScript autoprn
17
One got to love custom extensions
Send a print-job stream directly by mere opening the file
Requires more investigation but perspective is interestinghellip
HITB2012AMS
Dynamic document forginggeneration + SocEng
18
Computer side PrinterMFP side
HITB2012AMS
Dynamic document forginggeneration + SocEng
19
User computer User printout
HITB2012AMS
Where is PostScript (Vendor-wise view)
20
Applications incorporating the PS interpreter
Applicationsvendors producing the PS interpreter
The PS interpreter specifications and standards
HITB2012AMS
Where is PostScript (Role-wise view)
21
HITB2012AMS
PostScript Web 20 Style
22
PostScript made it into the web as well Around 20+ services found to be vulnerable to various degrees
Google was one them -gt Bounty reward Some fun facts
Effective for host exploitation and information gathering Some ran GS as root user Some ran GS without ndashdSAFER All of them ran vulnerable GS versions
Heap and stack overflows More details to comehellip
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 What else was found
4 Attacks in a nutshell
5 Solutions and conclusions
23
HITB2012AMS
A PS-based firmware upload was required
24
HITB2012AMS
This is too good to be truehellip
25
VxWorks API vx
DebugQA API QA
Logging API EventLog
BillingMeters API meter
Pump PWM pumppwm
RAMdisk API ramdisk
RAM API ram
Flash API flash
HITB2012AMS
Memory dumping reveals computing secrets
26
HITB2012AMS
Admin restriction fail to prevent memory dumping
27
HITB2012AMS
Password setup is sniffed by the attacker
28
1) HTTP GET request ndash password clear text
2) HTTP reply
HITB2012AMS
Basic auth password can be dumped
29
1) Authorization Basic YWRtaW4yOhellip
2) HTTP11 200 OK
HITB2012AMS
HTTPS IPsec secrets are ldquodefaultyrdquo amp ldquoleakyrdquo
30
0x66306630663066306630663066302222
HITB2012AMS
Attacker has access to printed document details
31
HITB2012AMS
Attacker has access to network topology ndash no-scan
32
HITB2012AMS
Attacker has access to BSD-style socketshellip
33
Two-way BSD-style sockets communication
HITB2012AMS
Analyzed MFP cannot protect effectively
34
Privilege level separation
Secure password setup
Secure (basic) auth
HTTPS IPSEC secrets protection
Network topology protection
In-memory document protection
Restrict sockets on unprivileged modules
Protection measures Fail warn ok
HITB2012AMS
Plenty of Xerox printers share affected PS firmware update mechanism
35
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
36
HITB2012AMS
Remote attacks can be used to extract data
37
Sent
by
Drive-
by
Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying
attachment
from
web
Malware exploits
internal netw or
extracts data
Spool
malicious
byte
stream
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Whatrsquos next solutions conclusions
38
HITB2012AMS
Whatrsquos next Upcoming weeks
39
Secure PostScript ExecutionInterpreter Sandbox Set of onlineoffline tools for analysis amp reporting Wepawet-like but for PostScript related data Perhaps have it partalong of IDSIPSAVPrintServer data-flows
HITB2012AMS
Whatrsquos next PS + MSF + FS + Sockets = PWN
40
HITB2012AMS
Solutions
41
Admins bull Disable PS processing on printers bull Route print-jobs thru sandboxed print-servers bull Replace PS drivers with PCL ones (wellhellip) bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sandbox printers in your network bull Include MFPs in security audit lifecycle
Users bull Do not print from untrusted sources bull Be suspicious on PostScript files
Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs
Actor Suggested actions
HITB2012AMS
Acknowledgements
42
The Xerox-related PostScript work amp research done under support of
HITB2012AMS
Thanksresources
43
Personal thanks
Igor Marinescu MihaiSa Great logistic support and friendly help
Xerox Security Team Positive responses active mitigation
wwwtinajacom Insanely large free postscript resources dir
wwwanastigmatixnet Very good postscript resources
wwwacumentrainingcom Very good postscript resources
HITB2012AMS
Take aways
44
Questions
Andrei Costin andreiandreicostincom httpandreicostincompapers
Upcoming MFP attack could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Check upcoming research papers Check wwwyoutubecomuserzveriu
HITB2012AMS
Demo ldquoProgramming languagerdquo aspect
14
Programming languages 101
Control statements ifelse loop while
Simplest DoS attack is an ldquoinfinite looprdquo
loop
HITB2012AMS
Demo ldquoDynamically typed concatenative aspect
15
You wonder why your smart IDSIPS rules stopped working
Here is why
ps_dynamic_statement_construction_and_executionps Solution
Bad news Need dynamic execution sandbox Good news Itrsquos coming in upcoming weeks
HITB2012AMS
Demo Real world application ndash MSOffice PS crash
16
Submitted to MS
Apparently this one is not exploitable as in smash stack attacks
But it opens an interesting perspective on MS Officehellip
HITB2012AMS
Demo Real world application ndash GhostScript autoprn
17
One got to love custom extensions
Send a print-job stream directly by mere opening the file
Requires more investigation but perspective is interestinghellip
HITB2012AMS
Dynamic document forginggeneration + SocEng
18
Computer side PrinterMFP side
HITB2012AMS
Dynamic document forginggeneration + SocEng
19
User computer User printout
HITB2012AMS
Where is PostScript (Vendor-wise view)
20
Applications incorporating the PS interpreter
Applicationsvendors producing the PS interpreter
The PS interpreter specifications and standards
HITB2012AMS
Where is PostScript (Role-wise view)
21
HITB2012AMS
PostScript Web 20 Style
22
PostScript made it into the web as well Around 20+ services found to be vulnerable to various degrees
Google was one them -gt Bounty reward Some fun facts
Effective for host exploitation and information gathering Some ran GS as root user Some ran GS without ndashdSAFER All of them ran vulnerable GS versions
Heap and stack overflows More details to comehellip
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 What else was found
4 Attacks in a nutshell
5 Solutions and conclusions
23
HITB2012AMS
A PS-based firmware upload was required
24
This is too good to be true…
API families found reachable (family, name as exposed):
• VxWorks API (vx)
• Debug/QA API (QA)
• Logging API (EventLog)
• Billing/Meters API (meter)
• Pump PWM (pumppwm)
• RAMdisk API (ramdisk)
• RAM API (ram)
• Flash API (flash)
Memory dumping reveals computing secrets
Admin restrictions fail to prevent memory dumping
Password setup is sniffed by the attacker
1) HTTP GET request: password in clear text
2) HTTP reply
Basic-auth password can be dumped
1) Authorization: Basic YWRtaW4yO…
2) HTTP/1.1 200 OK
(The Basic scheme is only base64 encoding, so a captured header decodes straight back to user:password.)
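The two captures above (a password set through a plain-HTTP GET, and a Basic-auth header) are the kind of thing a small triage script should pull out of a printer's traffic. The following is an added example, not from the talk: the capture is constructed to mirror the two slides, and the parameter names, paths, user and password values are made up for it.

```python
import base64
import binascii
from urllib.parse import parse_qsl, urlsplit

# Constructed capture of two requests to an MFP web UI, separated by a blank
# line.  The Basic header is encoded here so the sample stays self-consistent.
_BASIC = base64.b64encode(b"admin:Summer2012!").decode("ascii")
CAPTURE = (
    "GET /admin/setpasswd?user=admin&passwd=Summer2012! HTTP/1.1\n"
    "Host: 10.0.0.23\n"
    "User-Agent: Mozilla/5.0\n"
    "\n"
    "GET /admin/status HTTP/1.1\n"
    "Host: 10.0.0.23\n"
    "Authorization: Basic " + _BASIC + "\n"
    "\n"
)

# Query-parameter names treated as secrets (assumed list for this example).
PASSWORD_PARAMS = {"passwd", "password", "pwd", "pass", "newpassword"}


def split_requests(capture):
    """Split a text capture into raw requests on blank lines."""
    return [blk for blk in capture.split("\n\n") if blk.strip()]


def parse_request(raw):
    """Return (method, target, headers) with header names lower-cased."""
    lines = raw.splitlines()
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def redact(secret):
    """Keep the first character so analysts can correlate, hide the rest."""
    return secret[:1] + "*" * (len(secret) - 1) if secret else ""


def find_cleartext_credentials(capture):
    """Findings for secrets carried in the URL query or a Basic header."""
    findings = []
    for raw in split_requests(capture):
        method, target, headers = parse_request(raw)
        parts = urlsplit(target)
        params = dict(parse_qsl(parts.query, keep_blank_values=True))
        for name, value in params.items():
            if name.lower() in PASSWORD_PARAMS:
                findings.append({"kind": "password-in-url",
                                 "where": method + " " + parts.path,
                                 "user": params.get("user", ""),
                                 "secret": redact(value)})
        auth = headers.get("authorization", "")
        if auth.lower().startswith("basic "):
            try:
                userpass = base64.b64decode(auth[6:].strip(), validate=True)
            except (binascii.Error, ValueError):
                continue   # malformed header: not a credential leak we can read
            user, _, secret = userpass.decode("utf-8", "replace").partition(":")
            findings.append({"kind": "basic-auth",
                             "where": method + " " + parts.path,
                             "user": user, "secret": redact(secret)})
    return findings


if __name__ == "__main__":
    for finding in find_cleartext_credentials(CAPTURE):
        print(finding)
```

Both findings are plain HTTP, which is the actual problem: the fix is to serve the admin UI over TLS only (with a non-default certificate, see the next slide) and to reject password changes sent as GET parameters, since those also land in proxy and server logs.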
HTTPS/IPsec secrets are "defaulty" & "leaky"
0x66306630663066306630663066302222
(Read as ASCII, those bytes are f0f0f0f0f0f0f0"" : a repeating pattern rather than random key material.)
Attacker has access to printed document details
Attacker has access to network topology (no scan needed)
Attacker has access to BSD-style sockets…
Two-way BSD-style socket communication
Analyzed MFP cannot protect effectively
Protection measures assessed (each rated fail / warn / ok):
• Privilege level separation
• Secure password setup
• Secure (basic) auth
• HTTPS/IPsec secrets protection
• Network topology protection
• In-memory document protection
• Restrict sockets on unprivileged modules
Plenty of Xerox printers share the affected PS firmware update mechanism
Agenda
1 Quick refresher
2 What about PostScript?
3 So what and how did you find?
4 Attacks in a nutshell
5 Solutions and conclusions
Remote attacks can be used to extract data
Stage 1 (SocEng): the malicious document is sent by attachment or delivered drive-by from the web.
Stage 2 (Printing): the malicious byte stream is spooled to the printer/MFP.
Stage 3 (Exploiting/spying): the malware exploits the internal network or extracts data.
Agenda
1 Quick refresher
2 What about PostScript?
3 So what and how did you find?
4 Attacks in a nutshell
5 What's next, solutions, conclusions
What's next? Upcoming weeks
• Secure PostScript execution/interpreter sandbox
• Set of online/offline tools for analysis & reporting: Wepawet-like, but for PostScript-related data
• Perhaps have it as part of, or alongside, IDS/IPS/AV/print-server data flows
What's next? PS + MSF + FS + Sockets = PWN
Solutions (actor: suggested actions)
Admins:
• Disable PS processing on printers
• Route print jobs through sandboxed print servers
• Replace PS drivers with PCL ones (well…)
• Disable Language Operator Authorization
• Look for security bulletins and patch
• Sandbox printers in your network
• Include MFPs in the security audit lifecycle
Users:
• Do not print from untrusted sources
• Be suspicious of PostScript files
Vendors:
• Create realistic MFP threat models
• Do not enable/expose super-APIs
Acknowledgements
The Xerox-related PostScript work & research was done under the support of
Thanks/resources
Personal thanks:
• Igor Marinescu, MihaiSa: great logistic support and friendly help
• Xerox Security Team: positive responses, active mitigation
• www.tinaja.com: insanely large free PostScript resources directory
• www.anastigmatix.net: very good PostScript resources
• www.acumentraining.com: very good PostScript resources
Take-aways
• MFPs are badly secured computing platforms with large abuse potential
• Upcoming MFP attacks could include viruses in Office and PS documents that extract organization data
• Securing the MFP infrastructure requires better segmentation, strong credentials and continuous vulnerability patching
Questions?
Andrei Costin, andrei@andreicostin.com, http://andreicostin.com/papers
Check upcoming research papers. Check www.youtube.com/user/zveriu
HITB2012AMS
Demo ldquoDynamically typed concatenative aspect
15
You wonder why your smart IDSIPS rules stopped working
Here is why
ps_dynamic_statement_construction_and_executionps Solution
Bad news Need dynamic execution sandbox Good news Itrsquos coming in upcoming weeks
HITB2012AMS
Demo Real world application ndash MSOffice PS crash
16
Submitted to MS
Apparently this one is not exploitable as in smash stack attacks
But it opens an interesting perspective on MS Officehellip
HITB2012AMS
Demo Real world application ndash GhostScript autoprn
17
One got to love custom extensions
Send a print-job stream directly by mere opening the file
Requires more investigation but perspective is interestinghellip
HITB2012AMS
Dynamic document forginggeneration + SocEng
18
Computer side PrinterMFP side
HITB2012AMS
Dynamic document forginggeneration + SocEng
19
User computer User printout
HITB2012AMS
Where is PostScript (Vendor-wise view)
20
Applications incorporating the PS interpreter
Applicationsvendors producing the PS interpreter
The PS interpreter specifications and standards
HITB2012AMS
Where is PostScript (Role-wise view)
21
HITB2012AMS
PostScript Web 20 Style
22
PostScript made it into the web as well Around 20+ services found to be vulnerable to various degrees
Google was one them -gt Bounty reward Some fun facts
Effective for host exploitation and information gathering Some ran GS as root user Some ran GS without ndashdSAFER All of them ran vulnerable GS versions
Heap and stack overflows More details to comehellip
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 What else was found
4 Attacks in a nutshell
5 Solutions and conclusions
23
HITB2012AMS
A PS-based firmware upload was required
24
HITB2012AMS
This is too good to be truehellip
25
VxWorks API vx
DebugQA API QA
Logging API EventLog
BillingMeters API meter
Pump PWM pumppwm
RAMdisk API ramdisk
RAM API ram
Flash API flash
HITB2012AMS
Memory dumping reveals computing secrets
26
HITB2012AMS
Admin restriction fail to prevent memory dumping
27
HITB2012AMS
Password setup is sniffed by the attacker
28
1) HTTP GET request ndash password clear text
2) HTTP reply
HITB2012AMS
Basic auth password can be dumped
29
1) Authorization Basic YWRtaW4yOhellip
2) HTTP11 200 OK
HITB2012AMS
HTTPS IPsec secrets are ldquodefaultyrdquo amp ldquoleakyrdquo
30
0x66306630663066306630663066302222
HITB2012AMS
Attacker has access to printed document details
31
HITB2012AMS
Attacker has access to network topology ndash no-scan
32
HITB2012AMS
Attacker has access to BSD-style socketshellip
33
Two-way BSD-style sockets communication
HITB2012AMS
Analyzed MFP cannot protect effectively
34
Privilege level separation
Secure password setup
Secure (basic) auth
HTTPS IPSEC secrets protection
Network topology protection
In-memory document protection
Restrict sockets on unprivileged modules
Protection measures Fail warn ok
HITB2012AMS
Plenty of Xerox printers share affected PS firmware update mechanism
35
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
36
HITB2012AMS
Remote attacks can be used to extract data
37
Sent
by
Drive-
by
Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying
attachment
from
web
Malware exploits
internal netw or
extracts data
Spool
malicious
byte
stream
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Whatrsquos next solutions conclusions
38
HITB2012AMS
Whatrsquos next Upcoming weeks
39
Secure PostScript ExecutionInterpreter Sandbox Set of onlineoffline tools for analysis amp reporting Wepawet-like but for PostScript related data Perhaps have it partalong of IDSIPSAVPrintServer data-flows
HITB2012AMS
Whatrsquos next PS + MSF + FS + Sockets = PWN
40
HITB2012AMS
Solutions
41
Admins bull Disable PS processing on printers bull Route print-jobs thru sandboxed print-servers bull Replace PS drivers with PCL ones (wellhellip) bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sandbox printers in your network bull Include MFPs in security audit lifecycle
Users bull Do not print from untrusted sources bull Be suspicious on PostScript files
Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs
Actor Suggested actions
HITB2012AMS
Acknowledgements
42
The Xerox-related PostScript work amp research done under support of
HITB2012AMS
Thanksresources
43
Personal thanks
Igor Marinescu MihaiSa Great logistic support and friendly help
Xerox Security Team Positive responses active mitigation
wwwtinajacom Insanely large free postscript resources dir
wwwanastigmatixnet Very good postscript resources
wwwacumentrainingcom Very good postscript resources
HITB2012AMS
Take aways
44
Questions
Andrei Costin andreiandreicostincom httpandreicostincompapers
Upcoming MFP attack could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Check upcoming research papers Check wwwyoutubecomuserzveriu
HITB2012AMS
Demo Real world application ndash MSOffice PS crash
16
Submitted to MS
Apparently this one is not exploitable as in smash stack attacks
But it opens an interesting perspective on MS Officehellip
HITB2012AMS
Demo Real world application ndash GhostScript autoprn
17
One got to love custom extensions
Send a print-job stream directly by mere opening the file
Requires more investigation but perspective is interestinghellip
HITB2012AMS
Dynamic document forginggeneration + SocEng
18
Computer side PrinterMFP side
HITB2012AMS
Dynamic document forginggeneration + SocEng
19
User computer User printout
HITB2012AMS
Where is PostScript (Vendor-wise view)
20
Applications incorporating the PS interpreter
Applicationsvendors producing the PS interpreter
The PS interpreter specifications and standards
HITB2012AMS
Where is PostScript (Role-wise view)
21
HITB2012AMS
PostScript Web 20 Style
22
PostScript made it into the web as well Around 20+ services found to be vulnerable to various degrees
Google was one them -gt Bounty reward Some fun facts
Effective for host exploitation and information gathering Some ran GS as root user Some ran GS without ndashdSAFER All of them ran vulnerable GS versions
Heap and stack overflows More details to comehellip
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 What else was found
4 Attacks in a nutshell
5 Solutions and conclusions
23
HITB2012AMS
A PS-based firmware upload was required
24
HITB2012AMS
This is too good to be truehellip
25
VxWorks API vx
DebugQA API QA
Logging API EventLog
BillingMeters API meter
Pump PWM pumppwm
RAMdisk API ramdisk
RAM API ram
Flash API flash
HITB2012AMS
Memory dumping reveals computing secrets
26
HITB2012AMS
Admin restriction fail to prevent memory dumping
27
HITB2012AMS
Password setup is sniffed by the attacker
28
1) HTTP GET request ndash password clear text
2) HTTP reply
HITB2012AMS
Basic auth password can be dumped
29
1) Authorization Basic YWRtaW4yOhellip
2) HTTP11 200 OK
HITB2012AMS
HTTPS IPsec secrets are ldquodefaultyrdquo amp ldquoleakyrdquo
30
0x66306630663066306630663066302222
HITB2012AMS
Attacker has access to printed document details
31
HITB2012AMS
Attacker has access to network topology ndash no-scan
32
HITB2012AMS
Attacker has access to BSD-style socketshellip
33
Two-way BSD-style sockets communication
HITB2012AMS
Analyzed MFP cannot protect effectively
34
Privilege level separation
Secure password setup
Secure (basic) auth
HTTPS IPSEC secrets protection
Network topology protection
In-memory document protection
Restrict sockets on unprivileged modules
Protection measures Fail warn ok
HITB2012AMS
Plenty of Xerox printers share affected PS firmware update mechanism
35
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
36
HITB2012AMS
Remote attacks can be used to extract data
37
Sent
by
Drive-
by
Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying
attachment
from
web
Malware exploits
internal netw or
extracts data
Spool
malicious
byte
stream
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Whatrsquos next solutions conclusions
38
HITB2012AMS
Whatrsquos next Upcoming weeks
39
Secure PostScript ExecutionInterpreter Sandbox Set of onlineoffline tools for analysis amp reporting Wepawet-like but for PostScript related data Perhaps have it partalong of IDSIPSAVPrintServer data-flows
HITB2012AMS
Whatrsquos next PS + MSF + FS + Sockets = PWN
40
HITB2012AMS
Solutions
41
Admins bull Disable PS processing on printers bull Route print-jobs thru sandboxed print-servers bull Replace PS drivers with PCL ones (wellhellip) bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sandbox printers in your network bull Include MFPs in security audit lifecycle
Users bull Do not print from untrusted sources bull Be suspicious on PostScript files
Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs
Actor Suggested actions
HITB2012AMS
Acknowledgements
42
The Xerox-related PostScript work amp research done under support of
HITB2012AMS
Thanksresources
43
Personal thanks
Igor Marinescu MihaiSa Great logistic support and friendly help
Xerox Security Team Positive responses active mitigation
wwwtinajacom Insanely large free postscript resources dir
wwwanastigmatixnet Very good postscript resources
wwwacumentrainingcom Very good postscript resources
HITB2012AMS
Take aways
44
Questions
Andrei Costin andreiandreicostincom httpandreicostincompapers
Upcoming MFP attack could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Check upcoming research papers Check wwwyoutubecomuserzveriu
HITB2012AMS
Demo Real world application ndash GhostScript autoprn
17
One got to love custom extensions
Send a print-job stream directly by mere opening the file
Requires more investigation but perspective is interestinghellip
HITB2012AMS
Dynamic document forginggeneration + SocEng
18
Computer side PrinterMFP side
HITB2012AMS
Dynamic document forginggeneration + SocEng
19
User computer User printout
HITB2012AMS
Where is PostScript (Vendor-wise view)
20
Applications incorporating the PS interpreter
Applicationsvendors producing the PS interpreter
The PS interpreter specifications and standards
HITB2012AMS
Where is PostScript (Role-wise view)
21
HITB2012AMS
PostScript Web 20 Style
22
PostScript made it into the web as well Around 20+ services found to be vulnerable to various degrees
Google was one them -gt Bounty reward Some fun facts
Effective for host exploitation and information gathering Some ran GS as root user Some ran GS without ndashdSAFER All of them ran vulnerable GS versions
Heap and stack overflows More details to comehellip
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 What else was found
4 Attacks in a nutshell
5 Solutions and conclusions
23
HITB2012AMS
A PS-based firmware upload was required
24
HITB2012AMS
This is too good to be truehellip
25
VxWorks API vx
DebugQA API QA
Logging API EventLog
BillingMeters API meter
Pump PWM pumppwm
RAMdisk API ramdisk
RAM API ram
Flash API flash
HITB2012AMS
Memory dumping reveals computing secrets
26
HITB2012AMS
Admin restriction fail to prevent memory dumping
27
HITB2012AMS
Password setup is sniffed by the attacker
28
1) HTTP GET request ndash password clear text
2) HTTP reply
HITB2012AMS
Basic auth password can be dumped
29
1) Authorization Basic YWRtaW4yOhellip
2) HTTP11 200 OK
HITB2012AMS
HTTPS IPsec secrets are ldquodefaultyrdquo amp ldquoleakyrdquo
30
0x66306630663066306630663066302222
HITB2012AMS
Attacker has access to printed document details
31
HITB2012AMS
Attacker has access to network topology ndash no-scan
32
HITB2012AMS
Attacker has access to BSD-style socketshellip
33
Two-way BSD-style sockets communication
HITB2012AMS
Analyzed MFP cannot protect effectively
34
Privilege level separation
Secure password setup
Secure (basic) auth
HTTPS IPSEC secrets protection
Network topology protection
In-memory document protection
Restrict sockets on unprivileged modules
Protection measures Fail warn ok
HITB2012AMS
Plenty of Xerox printers share affected PS firmware update mechanism
35
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
36
HITB2012AMS
Remote attacks can be used to extract data
37
Sent
by
Drive-
by
Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying
attachment
from
web
Malware exploits
internal netw or
extracts data
Spool
malicious
byte
stream
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Whatrsquos next solutions conclusions
38
HITB2012AMS
Whatrsquos next Upcoming weeks
39
Secure PostScript ExecutionInterpreter Sandbox Set of onlineoffline tools for analysis amp reporting Wepawet-like but for PostScript related data Perhaps have it partalong of IDSIPSAVPrintServer data-flows
HITB2012AMS
Whatrsquos next PS + MSF + FS + Sockets = PWN
40
HITB2012AMS
Solutions
41
Admins bull Disable PS processing on printers bull Route print-jobs thru sandboxed print-servers bull Replace PS drivers with PCL ones (wellhellip) bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sandbox printers in your network bull Include MFPs in security audit lifecycle
Users bull Do not print from untrusted sources bull Be suspicious on PostScript files
Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs
Actor Suggested actions
HITB2012AMS
Acknowledgements
42
The Xerox-related PostScript work amp research done under support of
HITB2012AMS
Thanksresources
43
Personal thanks
Igor Marinescu MihaiSa Great logistic support and friendly help
Xerox Security Team Positive responses active mitigation
wwwtinajacom Insanely large free postscript resources dir
wwwanastigmatixnet Very good postscript resources
wwwacumentrainingcom Very good postscript resources
HITB2012AMS
Take aways
44
Questions
Andrei Costin andreiandreicostincom httpandreicostincompapers
Upcoming MFP attack could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Check upcoming research papers Check wwwyoutubecomuserzveriu
HITB2012AMS
Dynamic document forginggeneration + SocEng
18
Computer side PrinterMFP side
HITB2012AMS
Dynamic document forginggeneration + SocEng
19
User computer User printout
HITB2012AMS
Where is PostScript (Vendor-wise view)
20
Applications incorporating the PS interpreter
Applicationsvendors producing the PS interpreter
The PS interpreter specifications and standards
HITB2012AMS
Where is PostScript (Role-wise view)
21
HITB2012AMS
PostScript Web 20 Style
22
PostScript made it into the web as well Around 20+ services found to be vulnerable to various degrees
Google was one them -gt Bounty reward Some fun facts
Effective for host exploitation and information gathering Some ran GS as root user Some ran GS without ndashdSAFER All of them ran vulnerable GS versions
Heap and stack overflows More details to comehellip
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 What else was found
4 Attacks in a nutshell
5 Solutions and conclusions
23
HITB2012AMS
A PS-based firmware upload was required
24
HITB2012AMS
This is too good to be truehellip
25
VxWorks API vx
DebugQA API QA
Logging API EventLog
BillingMeters API meter
Pump PWM pumppwm
RAMdisk API ramdisk
RAM API ram
Flash API flash
HITB2012AMS
Memory dumping reveals computing secrets
26
HITB2012AMS
Admin restriction fail to prevent memory dumping
27
HITB2012AMS
Password setup is sniffed by the attacker
28
1) HTTP GET request ndash password clear text
2) HTTP reply
HITB2012AMS
Basic auth password can be dumped
29
1) Authorization Basic YWRtaW4yOhellip
2) HTTP11 200 OK
HITB2012AMS
HTTPS IPsec secrets are ldquodefaultyrdquo amp ldquoleakyrdquo
30
0x66306630663066306630663066302222
HITB2012AMS
Attacker has access to printed document details
31
HITB2012AMS
Attacker has access to network topology ndash no-scan
32
HITB2012AMS
Attacker has access to BSD-style socketshellip
33
Two-way BSD-style sockets communication
HITB2012AMS
Analyzed MFP cannot protect effectively
34
Privilege level separation
Secure password setup
Secure (basic) auth
HTTPS IPSEC secrets protection
Network topology protection
In-memory document protection
Restrict sockets on unprivileged modules
Protection measures Fail warn ok
HITB2012AMS
Plenty of Xerox printers share affected PS firmware update mechanism
35
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
36
HITB2012AMS
Remote attacks can be used to extract data
37
Sent
by
Drive-
by
Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying
attachment
from
web
Malware exploits
internal netw or
extracts data
Spool
malicious
byte
stream
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Whatrsquos next solutions conclusions
38
HITB2012AMS
Whatrsquos next Upcoming weeks
39
Secure PostScript ExecutionInterpreter Sandbox Set of onlineoffline tools for analysis amp reporting Wepawet-like but for PostScript related data Perhaps have it partalong of IDSIPSAVPrintServer data-flows
HITB2012AMS
Whatrsquos next PS + MSF + FS + Sockets = PWN
40
HITB2012AMS
Solutions
41
Admins bull Disable PS processing on printers bull Route print-jobs thru sandboxed print-servers bull Replace PS drivers with PCL ones (wellhellip) bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sandbox printers in your network bull Include MFPs in security audit lifecycle
Users bull Do not print from untrusted sources bull Be suspicious on PostScript files
Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs
Actor Suggested actions
HITB2012AMS
Acknowledgements
42
The Xerox-related PostScript work amp research done under support of
HITB2012AMS
Thanksresources
43
Personal thanks
Igor Marinescu MihaiSa Great logistic support and friendly help
Xerox Security Team Positive responses active mitigation
wwwtinajacom Insanely large free postscript resources dir
wwwanastigmatixnet Very good postscript resources
wwwacumentrainingcom Very good postscript resources
HITB2012AMS
Take aways
44
Questions
Andrei Costin andreiandreicostincom httpandreicostincompapers
Upcoming MFP attack could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Check upcoming research papers Check wwwyoutubecomuserzveriu
HITB2012AMS
Dynamic document forginggeneration + SocEng
19
User computer User printout
HITB2012AMS
Where is PostScript (Vendor-wise view)
20
Applications incorporating the PS interpreter
Applicationsvendors producing the PS interpreter
The PS interpreter specifications and standards
HITB2012AMS
Where is PostScript (Role-wise view)
21
HITB2012AMS
PostScript Web 20 Style
22
PostScript made it into the web as well Around 20+ services found to be vulnerable to various degrees
Google was one them -gt Bounty reward Some fun facts
Effective for host exploitation and information gathering Some ran GS as root user Some ran GS without ndashdSAFER All of them ran vulnerable GS versions
Heap and stack overflows More details to comehellip
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 What else was found
4 Attacks in a nutshell
5 Solutions and conclusions
23
HITB2012AMS
A PS-based firmware upload was required
24
HITB2012AMS
This is too good to be truehellip
25
VxWorks API vx
DebugQA API QA
Logging API EventLog
BillingMeters API meter
Pump PWM pumppwm
RAMdisk API ramdisk
RAM API ram
Flash API flash
HITB2012AMS
Memory dumping reveals computing secrets
26
HITB2012AMS
Admin restriction fail to prevent memory dumping
27
HITB2012AMS
Password setup is sniffed by the attacker
28
1) HTTP GET request ndash password clear text
2) HTTP reply
HITB2012AMS
Basic auth password can be dumped
29
1) Authorization Basic YWRtaW4yOhellip
2) HTTP11 200 OK
HITB2012AMS
HTTPS IPsec secrets are ldquodefaultyrdquo amp ldquoleakyrdquo
30
0x66306630663066306630663066302222
HITB2012AMS
Attacker has access to printed document details
31
HITB2012AMS
Attacker has access to network topology ndash no-scan
32
HITB2012AMS
Attacker has access to BSD-style socketshellip
33
Two-way BSD-style sockets communication
HITB2012AMS
Analyzed MFP cannot protect effectively
34
Privilege level separation
Secure password setup
Secure (basic) auth
HTTPS IPSEC secrets protection
Network topology protection
In-memory document protection
Restrict sockets on unprivileged modules
Protection measures Fail warn ok
HITB2012AMS
Plenty of Xerox printers share affected PS firmware update mechanism
35
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
36
HITB2012AMS
Remote attacks can be used to extract data
37
Sent
by
Drive-
by
Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying
attachment
from
web
Malware exploits
internal netw or
extracts data
Spool
malicious
byte
stream
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Whatrsquos next solutions conclusions
38
HITB2012AMS
Whatrsquos next Upcoming weeks
39
Secure PostScript ExecutionInterpreter Sandbox Set of onlineoffline tools for analysis amp reporting Wepawet-like but for PostScript related data Perhaps have it partalong of IDSIPSAVPrintServer data-flows
HITB2012AMS
Whatrsquos next PS + MSF + FS + Sockets = PWN
40
HITB2012AMS
Solutions
41
Admins bull Disable PS processing on printers bull Route print-jobs thru sandboxed print-servers bull Replace PS drivers with PCL ones (wellhellip) bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sandbox printers in your network bull Include MFPs in security audit lifecycle
Users bull Do not print from untrusted sources bull Be suspicious on PostScript files
Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs
Actor Suggested actions
HITB2012AMS
Acknowledgements
42
The Xerox-related PostScript work amp research done under support of
HITB2012AMS
Thanksresources
43
Personal thanks
Igor Marinescu MihaiSa Great logistic support and friendly help
Xerox Security Team Positive responses active mitigation
wwwtinajacom Insanely large free postscript resources dir
wwwanastigmatixnet Very good postscript resources
wwwacumentrainingcom Very good postscript resources
HITB2012AMS
Take aways
44
Questions
Andrei Costin andreiandreicostincom httpandreicostincompapers
Upcoming MFP attack could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Check upcoming research papers Check wwwyoutubecomuserzveriu
HITB2012AMS
Where is PostScript (Vendor-wise view)
20
Applications incorporating the PS interpreter
Applicationsvendors producing the PS interpreter
The PS interpreter specifications and standards
HITB2012AMS
Where is PostScript (Role-wise view)
21
HITB2012AMS
PostScript Web 20 Style
22
PostScript made it into the web as well Around 20+ services found to be vulnerable to various degrees
Google was one them -gt Bounty reward Some fun facts
Effective for host exploitation and information gathering Some ran GS as root user Some ran GS without ndashdSAFER All of them ran vulnerable GS versions
Heap and stack overflows More details to comehellip
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 What else was found
4 Attacks in a nutshell
5 Solutions and conclusions
23
HITB2012AMS
A PS-based firmware upload was required
24
HITB2012AMS
This is too good to be truehellip
25
VxWorks API vx
DebugQA API QA
Logging API EventLog
BillingMeters API meter
Pump PWM pumppwm
RAMdisk API ramdisk
RAM API ram
Flash API flash
HITB2012AMS
Memory dumping reveals computing secrets
26
HITB2012AMS
Admin restriction fail to prevent memory dumping
27
HITB2012AMS
Password setup is sniffed by the attacker
28
1) HTTP GET request ndash password clear text
2) HTTP reply
HITB2012AMS
Basic auth password can be dumped
29
1) Authorization Basic YWRtaW4yOhellip
2) HTTP11 200 OK
HITB2012AMS
HTTPS IPsec secrets are ldquodefaultyrdquo amp ldquoleakyrdquo
30
0x66306630663066306630663066302222
HITB2012AMS
Attacker has access to printed document details
31
HITB2012AMS
Attacker has access to network topology ndash no-scan
32
HITB2012AMS
Attacker has access to BSD-style socketshellip
33
Two-way BSD-style sockets communication
HITB2012AMS
Analyzed MFP cannot protect effectively
34
Privilege level separation
Secure password setup
Secure (basic) auth
HTTPS IPSEC secrets protection
Network topology protection
In-memory document protection
Restrict sockets on unprivileged modules
Protection measures Fail warn ok
HITB2012AMS
Plenty of Xerox printers share affected PS firmware update mechanism
35
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
36
HITB2012AMS
Remote attacks can be used to extract data
37
Sent
by
Drive-
by
Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying
attachment
from
web
Malware exploits
internal netw or
extracts data
Spool
malicious
byte
stream
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Whatrsquos next solutions conclusions
38
HITB2012AMS
Whatrsquos next Upcoming weeks
39
Secure PostScript ExecutionInterpreter Sandbox Set of onlineoffline tools for analysis amp reporting Wepawet-like but for PostScript related data Perhaps have it partalong of IDSIPSAVPrintServer data-flows
HITB2012AMS
Whatrsquos next PS + MSF + FS + Sockets = PWN
40
HITB2012AMS
Solutions
41
Admins bull Disable PS processing on printers bull Route print-jobs thru sandboxed print-servers bull Replace PS drivers with PCL ones (wellhellip) bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sandbox printers in your network bull Include MFPs in security audit lifecycle
Users bull Do not print from untrusted sources bull Be suspicious on PostScript files
Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs
Actor Suggested actions
HITB2012AMS
Acknowledgements
42
The Xerox-related PostScript work amp research done under support of
HITB2012AMS
Thanksresources
43
Personal thanks
Igor Marinescu MihaiSa Great logistic support and friendly help
Xerox Security Team Positive responses active mitigation
wwwtinajacom Insanely large free postscript resources dir
wwwanastigmatixnet Very good postscript resources
wwwacumentrainingcom Very good postscript resources
HITB2012AMS
Take aways
44
Questions
Andrei Costin andreiandreicostincom httpandreicostincompapers
Upcoming MFP attack could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Check upcoming research papers Check wwwyoutubecomuserzveriu
HITB2012AMS
Where is PostScript? (Role-wise view)
21

PostScript, Web 2.0 style
22
• PostScript made it into the web as well: around 20+ services were found to be vulnerable to various degrees
• Google was one of them -> bounty reward
• Some fun facts:
  • Effective for host exploitation and information gathering
  • Some ran GS as the root user
  • Some ran GS without -dSAFER
  • All of them ran vulnerable GS versions
  • Heap and stack overflows
• More details to come...
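The "fun facts" above (GS running as root, GS without -dSAFER, out-of-date GS versions) are three checks that can be automated wherever a web service shells out to Ghostscript to render uploaded files. The following Python is an added example, not the talk's tooling: it audits a constructed gs command line together with the uid and version the service would run it under, and builds the hardened form. -dSAFER, -dNOSAFER and -P- are real Ghostscript options; the version baseline is a parameter set from your own patch policy (the page names no specific version), and the sample invocations, uids and version strings are constructed.

```python
"""Ghostscript invocation audit (added example, not the talk's tooling).

Three things the slide lists as found in the wild (GS as root, no -dSAFER,
old versions) are checked against a command line plus the uid and version the
service would run it under.  Sample invocations are constructed; the version
baseline is whatever your patch policy says, passed in as a parameter."""

SAFER_DEFAULT_SINCE = (9, 50)   # -dSAFER became Ghostscript's default in 9.50


def parse_version(text: str) -> tuple:
    """'10.02.1' -> (10, 2, 1) so versions compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def audit_gs_invocation(argv, uid: int, version: str, baseline: str) -> list:
    """Return a list of finding codes; an empty list means nothing to report."""
    findings = []
    flags = set(argv[1:])
    ver = parse_version(version)
    if uid == 0:
        findings.append("runs-as-root")
    if "-dNOSAFER" in flags:
        findings.append("nosafer-flag")          # explicitly disables the sandbox
    elif "-dSAFER" not in flags and ver < SAFER_DEFAULT_SINCE:
        findings.append("no-safer-flag")         # sandbox is off by default on this version
    if ver < parse_version(baseline):
        findings.append("below-version-baseline")
    return findings


def hardened_gs_argv(input_path: str, output_path: str, device: str = "png16m") -> list:
    """The command line a service should use for untrusted PostScript.

    -dSAFER is stated explicitly even where it is the default, and -P- keeps
    Ghostscript from looking for library files in the job's directory first."""
    return ["gs", "-dSAFER", "-P-", "-dBATCH", "-dNOPAUSE",
            f"-sDEVICE={device}", f"-sOutputFile={output_path}", input_path]


# Constructed examples of how a web service might shell out to gs.
WEAK_ARGV = ["gs", "-dNOPAUSE", "-dBATCH", "-sDEVICE=png16m",
             "-sOutputFile=/tmp/out.png", "/tmp/upload.ps"]
WEAK_ENV = {"uid": 0, "version": "9.04"}            # constructed, not a real finding

HARDENED_ARGV = hardened_gs_argv("/tmp/upload.ps", "/tmp/out.png")
HARDENED_ENV = {"uid": 1001, "version": "10.02.1"}  # constructed


if __name__ == "__main__":
    for label, argv, env in (("weak", WEAK_ARGV, WEAK_ENV),
                             ("hardened", HARDENED_ARGV, HARDENED_ENV)):
        print(label, audit_gs_invocation(argv, baseline="9.50", **env) or ["clean"])
```

The audit only flags a missing -dSAFER on releases older than 9.50, where the sandbox was opt-in; -dNOSAFER is flagged on every version because it switches the sandbox off explicitly. Running the interpreter as an unprivileged user and keeping it patched are the other two legs, and none of the three substitutes for the others.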
Agenda
1. Quick refresher
2. What about PostScript?
3. What else was found?
4. Attacks in a nutshell
5. Solutions and conclusions
23

A PS-based firmware upload was required
24

This is too good to be true...
25
• VxWorks API: vx
• Debug/QA API: QA
• Logging API: EventLog
• Billing/Meters API: meter
• Pump PWM: pumppwm
• RAMdisk API: ramdisk
• RAM API: ram
• Flash API: flash

Memory dumping reveals computing secrets
26

Admin restrictions fail to prevent memory dumping
27

Password setup is sniffed by the attacker
28
1) HTTP GET request - password in clear text
2) HTTP reply

Basic auth password can be dumped
29
1) Authorization: Basic YWRtaW4yO...
2) HTTP/1.1 200 OK
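Slides 28 and 29 show two ways the admin credential leaves the device in recoverable form: a password carried in a cleartext HTTP GET during setup, and an Authorization: Basic header, which is base64 rather than encryption and so is readable wherever it is captured or dumped. The following Python is an added example, not the author's capture tooling: it parses a small constructed flow log and reports both patterns, decoding the Basic header only far enough to name the account and never emitting the secret. The log format, hosts, addresses and the credential admin:s3cret are all constructed for illustration.

```python
"""Cleartext-credential detector for MFP web traffic (added example, not the
talk's capture tooling).  Looks for the two patterns on the slides: a password
carried in an HTTP GET, and an Authorization: Basic header, which is base64,
not encryption.  The flow-log format, hosts, addresses and credentials below are
all constructed for illustration."""
import base64
import re
from urllib.parse import parse_qsl, urlsplit

# Parameter names that usually carry a secret.
SECRET_PARAM = re.compile(r"pass|pwd|pin|secret|token", re.IGNORECASE)

# Constructed flow log: a "# flow <scheme> <src> -> <dst>" line, the raw request
# head, then a blank line.  The Basic header is built here so the sample stays
# consistent with the constructed credential admin:s3cret.
_BASIC = "Basic " + base64.b64encode(b"admin:s3cret").decode("ascii")
SAMPLE_LOG = (
    "# flow http 10.0.0.5 -> 10.0.0.20:80\n"
    "GET /admin/setpassword?user=admin&newpwd=Summer2012 HTTP/1.1\n"
    "Host: mfp.example.internal\n"
    "\n"
    "# flow http 10.0.0.5 -> 10.0.0.20:80\n"
    "GET /properties/status HTTP/1.1\n"
    "Host: mfp.example.internal\n"
    f"Authorization: {_BASIC}\n"
    "\n"
    "# flow https 10.0.0.5 -> 10.0.0.20:443\n"
    "GET /properties/status HTTP/1.1\n"
    "Host: mfp.example.internal\n"
    f"Authorization: {_BASIC}\n"
    "\n"
)


def parse_flows(text: str) -> list:
    """Split the log into flows: {scheme, src, dst, request, headers}."""
    flows, cur = [], None
    for line in text.splitlines():
        if line.startswith("# flow "):
            _, _, scheme, src, _, dst = line.split()
            cur = {"scheme": scheme, "src": src, "dst": dst,
                   "request": None, "headers": {}}
            flows.append(cur)
        elif cur is None:
            continue
        elif line.strip() == "":
            cur = None                       # blank line ends the request head
        elif cur["request"] is None:
            cur["request"] = line
        elif ":" in line:
            name, _, value = line.partition(":")
            cur["headers"][name.strip().lower()] = value.strip()
    return flows


def basic_username(header_value: str) -> str:
    """Decode only far enough to name the account; the secret is never returned."""
    try:
        raw = base64.b64decode(header_value.split(" ", 1)[1], validate=True)
        return raw.split(b":", 1)[0].decode("latin-1")
    except (IndexError, ValueError):
        return "?"


def find_credential_leaks(flows: list) -> list:
    """Return (severity, message) pairs; messages never contain the secret."""
    findings = []
    for f in flows:
        method, target = f["request"].split(" ", 2)[:2]
        plaintext = f["scheme"] == "http"
        where = f"{f['src']} -> {f['dst']}"
        for name, _value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            if plaintext and SECRET_PARAM.search(name):
                findings.append(("high", f"{where}: secret-looking parameter "
                                         f"'{name}' in cleartext {method} {urlsplit(target).path}"))
        auth = f["headers"].get("authorization", "")
        if auth.lower().startswith("basic "):
            user = basic_username(auth)
            if plaintext:
                findings.append(("high", f"{where}: Basic credentials for user "
                                         f"'{user}' sent over plaintext HTTP"))
            else:
                # Protected in transit, but still reversible and, as the slide
                # shows, recoverable from the device's memory.
                findings.append(("info", f"{where}: Basic auth for user '{user}' "
                                         f"over TLS (reversible encoding)"))
    return findings


if __name__ == "__main__":
    for severity, message in find_credential_leaks(parse_flows(SAMPLE_LOG)):
        print(f"[{severity}] {message}")
```

Moving the management interface to HTTPS closes the on-the-wire case but not the one on slide 29: a Basic header is still reversible once it sits in device memory, which is why the TLS flow is reported at "info" rather than silently passed.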
HTTPS/IPsec secrets are "defaulty" & "leaky"
30
0x66306630663066306630663066302222

Attacker has access to printed document details
31

Attacker has access to network topology - no scan needed
32

Attacker has access to BSD-style sockets...
33
Two-way BSD-style sockets communication

Analyzed MFP cannot protect effectively
34
Protection measures (rated fail / warn / ok):
• Privilege level separation
• Secure password setup
• Secure (basic) auth
• HTTPS/IPsec secrets protection
• Network topology protection
• In-memory document protection
• Restrict sockets on unprivileged modules

Plenty of Xerox printers share the affected PS firmware update mechanism
35

Agenda
1. Quick refresher
2. What about PostScript?
3. So what and how did you find?
4. Attacks in a nutshell
5. Solutions and conclusions
36

Remote attacks can be used to extract data
37
(Figure: three-stage attack flow)
Stage 1 - SocEng: sent by attachment, or drive-by from the web
Stage 2 - Printing: spool malicious byte stream
Stage 3 - Exploiting/spying: malware exploits the internal network or extracts data
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Whatrsquos next solutions conclusions
38
HITB2012AMS
Whatrsquos next Upcoming weeks
39
Secure PostScript ExecutionInterpreter Sandbox Set of onlineoffline tools for analysis amp reporting Wepawet-like but for PostScript related data Perhaps have it partalong of IDSIPSAVPrintServer data-flows
HITB2012AMS
Whatrsquos next PS + MSF + FS + Sockets = PWN
40
HITB2012AMS
Solutions
41
Admins bull Disable PS processing on printers bull Route print-jobs thru sandboxed print-servers bull Replace PS drivers with PCL ones (wellhellip) bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sandbox printers in your network bull Include MFPs in security audit lifecycle
Users bull Do not print from untrusted sources bull Be suspicious on PostScript files
Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs
Actor Suggested actions
HITB2012AMS
Acknowledgements
42
The Xerox-related PostScript work amp research done under support of
HITB2012AMS
Thanksresources
43
Personal thanks
Igor Marinescu MihaiSa Great logistic support and friendly help
Xerox Security Team Positive responses active mitigation
wwwtinajacom Insanely large free postscript resources dir
wwwanastigmatixnet Very good postscript resources
wwwacumentrainingcom Very good postscript resources
HITB2012AMS
Take aways
44
Questions
Andrei Costin andreiandreicostincom httpandreicostincompapers
Upcoming MFP attack could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Check upcoming research papers Check wwwyoutubecomuserzveriu
HITB2012AMS
PostScript Web 20 Style
22
PostScript made it into the web as well Around 20+ services found to be vulnerable to various degrees
Google was one them -gt Bounty reward Some fun facts
Effective for host exploitation and information gathering Some ran GS as root user Some ran GS without ndashdSAFER All of them ran vulnerable GS versions
Heap and stack overflows More details to comehellip
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 What else was found
4 Attacks in a nutshell
5 Solutions and conclusions
23
HITB2012AMS
A PS-based firmware upload was required
24
HITB2012AMS
This is too good to be truehellip
25
VxWorks API vx
DebugQA API QA
Logging API EventLog
BillingMeters API meter
Pump PWM pumppwm
RAMdisk API ramdisk
RAM API ram
Flash API flash
HITB2012AMS
Memory dumping reveals computing secrets
26
HITB2012AMS
Admin restriction fail to prevent memory dumping
27
HITB2012AMS
Password setup is sniffed by the attacker
28
1) HTTP GET request ndash password clear text
2) HTTP reply
HITB2012AMS
Basic auth password can be dumped
29
1) Authorization Basic YWRtaW4yOhellip
2) HTTP11 200 OK
HITB2012AMS
HTTPS IPsec secrets are ldquodefaultyrdquo amp ldquoleakyrdquo
30
0x66306630663066306630663066302222
HITB2012AMS
Attacker has access to printed document details
31
HITB2012AMS
Attacker has access to network topology ndash no-scan
32
HITB2012AMS
Attacker has access to BSD-style socketshellip
33
Two-way BSD-style sockets communication
HITB2012AMS
Analyzed MFP cannot protect effectively
34
Privilege level separation
Secure password setup
Secure (basic) auth
HTTPS IPSEC secrets protection
Network topology protection
In-memory document protection
Restrict sockets on unprivileged modules
Protection measures Fail warn ok
HITB2012AMS
Plenty of Xerox printers share affected PS firmware update mechanism
35
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
36
HITB2012AMS
Remote attacks can be used to extract data
37
Sent
by
Drive-
by
Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying
attachment
from
web
Malware exploits
internal netw or
extracts data
Spool
malicious
byte
stream
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Whatrsquos next solutions conclusions
38
HITB2012AMS
Whatrsquos next Upcoming weeks
39
Secure PostScript ExecutionInterpreter Sandbox Set of onlineoffline tools for analysis amp reporting Wepawet-like but for PostScript related data Perhaps have it partalong of IDSIPSAVPrintServer data-flows
HITB2012AMS
Whatrsquos next PS + MSF + FS + Sockets = PWN
40
HITB2012AMS
Solutions
41
Admins bull Disable PS processing on printers bull Route print-jobs thru sandboxed print-servers bull Replace PS drivers with PCL ones (wellhellip) bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sandbox printers in your network bull Include MFPs in security audit lifecycle
Users bull Do not print from untrusted sources bull Be suspicious on PostScript files
Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs
Actor Suggested actions
HITB2012AMS
Acknowledgements
42
The Xerox-related PostScript work amp research done under support of
HITB2012AMS
Thanksresources
43
Personal thanks
Igor Marinescu MihaiSa Great logistic support and friendly help
Xerox Security Team Positive responses active mitigation
wwwtinajacom Insanely large free postscript resources dir
wwwanastigmatixnet Very good postscript resources
wwwacumentrainingcom Very good postscript resources
HITB2012AMS
Take aways
44
Questions
Andrei Costin andreiandreicostincom httpandreicostincompapers
Upcoming MFP attack could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Check upcoming research papers Check wwwyoutubecomuserzveriu
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 What else was found
4 Attacks in a nutshell
5 Solutions and conclusions
23
HITB2012AMS
A PS-based firmware upload was required
24
HITB2012AMS
This is too good to be truehellip
25
VxWorks API vx
DebugQA API QA
Logging API EventLog
BillingMeters API meter
Pump PWM pumppwm
RAMdisk API ramdisk
RAM API ram
Flash API flash
HITB2012AMS
Memory dumping reveals computing secrets
26
HITB2012AMS
Admin restriction fail to prevent memory dumping
27
HITB2012AMS
Password setup is sniffed by the attacker
28
1) HTTP GET request ndash password clear text
2) HTTP reply
HITB2012AMS
Basic auth password can be dumped
29
1) Authorization Basic YWRtaW4yOhellip
2) HTTP11 200 OK
HITB2012AMS
HTTPS IPsec secrets are ldquodefaultyrdquo amp ldquoleakyrdquo
30
0x66306630663066306630663066302222
HITB2012AMS
Attacker has access to printed document details
31
HITB2012AMS
Attacker has access to network topology ndash no-scan
32
HITB2012AMS
Attacker has access to BSD-style socketshellip
33
Two-way BSD-style sockets communication
HITB2012AMS
Analyzed MFP cannot protect effectively
34
Privilege level separation
Secure password setup
Secure (basic) auth
HTTPS IPSEC secrets protection
Network topology protection
In-memory document protection
Restrict sockets on unprivileged modules
Protection measures Fail warn ok
HITB2012AMS
Plenty of Xerox printers share affected PS firmware update mechanism
35
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
36
HITB2012AMS
Remote attacks can be used to extract data
37
Sent
by
Drive-
by
Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying
attachment
from
web
Malware exploits
internal netw or
extracts data
Spool
malicious
byte
stream
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Whatrsquos next solutions conclusions
38
HITB2012AMS
Whatrsquos next Upcoming weeks
39
Secure PostScript ExecutionInterpreter Sandbox Set of onlineoffline tools for analysis amp reporting Wepawet-like but for PostScript related data Perhaps have it partalong of IDSIPSAVPrintServer data-flows
HITB2012AMS
Whatrsquos next PS + MSF + FS + Sockets = PWN
40
HITB2012AMS
Solutions
41
Admins bull Disable PS processing on printers bull Route print-jobs thru sandboxed print-servers bull Replace PS drivers with PCL ones (wellhellip) bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sandbox printers in your network bull Include MFPs in security audit lifecycle
Users bull Do not print from untrusted sources bull Be suspicious on PostScript files
Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs
Actor Suggested actions
HITB2012AMS
Acknowledgements
42
The Xerox-related PostScript work amp research done under support of
HITB2012AMS
Thanksresources
43
Personal thanks
Igor Marinescu MihaiSa Great logistic support and friendly help
Xerox Security Team Positive responses active mitigation
wwwtinajacom Insanely large free postscript resources dir
wwwanastigmatixnet Very good postscript resources
wwwacumentrainingcom Very good postscript resources
HITB2012AMS
Take aways
44
Questions
Andrei Costin andreiandreicostincom httpandreicostincompapers
Upcoming MFP attack could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Check upcoming research papers Check wwwyoutubecomuserzveriu
HITB2012AMS
A PS-based firmware upload was required
24
HITB2012AMS
This is too good to be truehellip
25
VxWorks API vx
DebugQA API QA
Logging API EventLog
BillingMeters API meter
Pump PWM pumppwm
RAMdisk API ramdisk
RAM API ram
Flash API flash
HITB2012AMS
Memory dumping reveals computing secrets
26
HITB2012AMS
Admin restriction fail to prevent memory dumping
27
HITB2012AMS
Password setup is sniffed by the attacker
28
1) HTTP GET request ndash password clear text
2) HTTP reply
HITB2012AMS
Basic auth password can be dumped
29
1) Authorization Basic YWRtaW4yOhellip
2) HTTP11 200 OK
HITB2012AMS
HTTPS IPsec secrets are ldquodefaultyrdquo amp ldquoleakyrdquo
30
0x66306630663066306630663066302222
HITB2012AMS
Attacker has access to printed document details
31
HITB2012AMS
Attacker has access to network topology ndash no-scan
32
HITB2012AMS
Attacker has access to BSD-style socketshellip
33
Two-way BSD-style sockets communication
HITB2012AMS
Analyzed MFP cannot protect effectively
34
Privilege level separation
Secure password setup
Secure (basic) auth
HTTPS IPSEC secrets protection
Network topology protection
In-memory document protection
Restrict sockets on unprivileged modules
Protection measures Fail warn ok
HITB2012AMS
Plenty of Xerox printers share affected PS firmware update mechanism
35
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
36
HITB2012AMS
Remote attacks can be used to extract data
37
Sent
by
Drive-
by
Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying
attachment
from
web
Malware exploits
internal netw or
extracts data
Spool
malicious
byte
stream
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Whatrsquos next solutions conclusions
38
HITB2012AMS
Whatrsquos next Upcoming weeks
39
Secure PostScript ExecutionInterpreter Sandbox Set of onlineoffline tools for analysis amp reporting Wepawet-like but for PostScript related data Perhaps have it partalong of IDSIPSAVPrintServer data-flows
HITB2012AMS
Whatrsquos next PS + MSF + FS + Sockets = PWN
40
HITB2012AMS
Solutions
41
Admins bull Disable PS processing on printers bull Route print-jobs thru sandboxed print-servers bull Replace PS drivers with PCL ones (wellhellip) bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sandbox printers in your network bull Include MFPs in security audit lifecycle
Users bull Do not print from untrusted sources bull Be suspicious on PostScript files
Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs
Actor Suggested actions
HITB2012AMS
Acknowledgements
42
The Xerox-related PostScript work amp research done under support of
HITB2012AMS
Thanksresources
43
Personal thanks
Igor Marinescu MihaiSa Great logistic support and friendly help
Xerox Security Team Positive responses active mitigation
wwwtinajacom Insanely large free postscript resources dir
wwwanastigmatixnet Very good postscript resources
wwwacumentrainingcom Very good postscript resources
HITB2012AMS
Take aways
44
Questions
Andrei Costin andreiandreicostincom httpandreicostincompapers
Upcoming MFP attack could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Check upcoming research papers Check wwwyoutubecomuserzveriu
HITB2012AMS
This is too good to be truehellip
25
VxWorks API vx
DebugQA API QA
Logging API EventLog
BillingMeters API meter
Pump PWM pumppwm
RAMdisk API ramdisk
RAM API ram
Flash API flash
HITB2012AMS
Memory dumping reveals computing secrets
26
HITB2012AMS
Admin restriction fail to prevent memory dumping
27
HITB2012AMS
Password setup is sniffed by the attacker
28
1) HTTP GET request ndash password clear text
2) HTTP reply
HITB2012AMS
Basic auth password can be dumped
29
1) Authorization Basic YWRtaW4yOhellip
2) HTTP11 200 OK
HITB2012AMS
HTTPS IPsec secrets are ldquodefaultyrdquo amp ldquoleakyrdquo
30
0x66306630663066306630663066302222
HITB2012AMS
Attacker has access to printed document details
31
HITB2012AMS
Attacker has access to network topology ndash no-scan
32
HITB2012AMS
Attacker has access to BSD-style socketshellip
33
Two-way BSD-style sockets communication
HITB2012AMS
Analyzed MFP cannot protect effectively
34
Privilege level separation
Secure password setup
Secure (basic) auth
HTTPS IPSEC secrets protection
Network topology protection
In-memory document protection
Restrict sockets on unprivileged modules
Protection measures Fail warn ok
HITB2012AMS
Plenty of Xerox printers share affected PS firmware update mechanism
35
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
36
HITB2012AMS
Remote attacks can be used to extract data
37
Sent
by
Drive-
by
Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying
attachment
from
web
Malware exploits
internal netw or
extracts data
Spool
malicious
byte
stream
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Whatrsquos next solutions conclusions
38
HITB2012AMS
Whatrsquos next Upcoming weeks
39
Secure PostScript ExecutionInterpreter Sandbox Set of onlineoffline tools for analysis amp reporting Wepawet-like but for PostScript related data Perhaps have it partalong of IDSIPSAVPrintServer data-flows
HITB2012AMS
Whatrsquos next PS + MSF + FS + Sockets = PWN
40
HITB2012AMS
Solutions
41
Admins bull Disable PS processing on printers bull Route print-jobs thru sandboxed print-servers bull Replace PS drivers with PCL ones (wellhellip) bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sandbox printers in your network bull Include MFPs in security audit lifecycle
Users bull Do not print from untrusted sources bull Be suspicious on PostScript files
Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs
Actor Suggested actions
HITB2012AMS
Acknowledgements
42
The Xerox-related PostScript work amp research done under support of
HITB2012AMS
Thanksresources
43
Personal thanks
Igor Marinescu MihaiSa Great logistic support and friendly help
Xerox Security Team Positive responses active mitigation
wwwtinajacom Insanely large free postscript resources dir
wwwanastigmatixnet Very good postscript resources
wwwacumentrainingcom Very good postscript resources
HITB2012AMS
Take aways
44
Questions
Andrei Costin andreiandreicostincom httpandreicostincompapers
Upcoming MFP attack could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Check upcoming research papers Check wwwyoutubecomuserzveriu
HITB2012AMS
Memory dumping reveals computing secrets
26
HITB2012AMS
Admin restriction fail to prevent memory dumping
27
HITB2012AMS
Password setup is sniffed by the attacker
28
1) HTTP GET request ndash password clear text
2) HTTP reply
HITB2012AMS
Basic auth password can be dumped
29
1) Authorization Basic YWRtaW4yOhellip
2) HTTP11 200 OK
HITB2012AMS
HTTPS IPsec secrets are ldquodefaultyrdquo amp ldquoleakyrdquo
30
0x66306630663066306630663066302222
HITB2012AMS
Attacker has access to printed document details
31
HITB2012AMS
Attacker has access to network topology ndash no-scan
32
HITB2012AMS
Attacker has access to BSD-style socketshellip
33
Two-way BSD-style sockets communication
HITB2012AMS
Analyzed MFP cannot protect effectively
34
Privilege level separation
Secure password setup
Secure (basic) auth
HTTPS IPSEC secrets protection
Network topology protection
In-memory document protection
Restrict sockets on unprivileged modules
Protection measures Fail warn ok
HITB2012AMS
Plenty of Xerox printers share affected PS firmware update mechanism
35
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
36
HITB2012AMS
Remote attacks can be used to extract data
37
Sent
by
Drive-
by
Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying
attachment
from
web
Malware exploits
internal netw or
extracts data
Spool
malicious
byte
stream
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Whatrsquos next solutions conclusions
38
HITB2012AMS
Whatrsquos next Upcoming weeks
39
Secure PostScript ExecutionInterpreter Sandbox Set of onlineoffline tools for analysis amp reporting Wepawet-like but for PostScript related data Perhaps have it partalong of IDSIPSAVPrintServer data-flows
HITB2012AMS
Whatrsquos next PS + MSF + FS + Sockets = PWN
40
HITB2012AMS
Solutions
41
Admins bull Disable PS processing on printers bull Route print-jobs thru sandboxed print-servers bull Replace PS drivers with PCL ones (wellhellip) bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sandbox printers in your network bull Include MFPs in security audit lifecycle
Users bull Do not print from untrusted sources bull Be suspicious on PostScript files
Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs
Actor Suggested actions
HITB2012AMS
Acknowledgements
42
The Xerox-related PostScript work amp research done under support of
HITB2012AMS
Thanksresources
43
Personal thanks
Igor Marinescu MihaiSa Great logistic support and friendly help
Xerox Security Team Positive responses active mitigation
wwwtinajacom Insanely large free postscript resources dir
wwwanastigmatixnet Very good postscript resources
wwwacumentrainingcom Very good postscript resources
HITB2012AMS
Take aways
44
Questions
Andrei Costin andreiandreicostincom httpandreicostincompapers
Upcoming MFP attack could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Check upcoming research papers Check wwwyoutubecomuserzveriu
HITB2012AMS
Admin restriction fail to prevent memory dumping
27
HITB2012AMS
Password setup is sniffed by the attacker
28
1) HTTP GET request ndash password clear text
2) HTTP reply
HITB2012AMS
Basic auth password can be dumped
29
1) Authorization Basic YWRtaW4yOhellip
2) HTTP11 200 OK
HITB2012AMS
HTTPS IPsec secrets are ldquodefaultyrdquo amp ldquoleakyrdquo
30
0x66306630663066306630663066302222
HITB2012AMS
Attacker has access to printed document details
31
HITB2012AMS
Attacker has access to network topology ndash no-scan
32
HITB2012AMS
Attacker has access to BSD-style socketshellip
33
Two-way BSD-style sockets communication
HITB2012AMS
Analyzed MFP cannot protect effectively
34
Privilege level separation
Secure password setup
Secure (basic) auth
HTTPS IPSEC secrets protection
Network topology protection
In-memory document protection
Restrict sockets on unprivileged modules
Protection measures Fail warn ok
HITB2012AMS
Plenty of Xerox printers share affected PS firmware update mechanism
35
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
36
HITB2012AMS
Remote attacks can be used to extract data
37
Sent
by
Drive-
by
Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying
attachment
from
web
Malware exploits
internal netw or
extracts data
Spool
malicious
byte
stream
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Whatrsquos next solutions conclusions
38
HITB2012AMS
Whatrsquos next Upcoming weeks
39
Secure PostScript ExecutionInterpreter Sandbox Set of onlineoffline tools for analysis amp reporting Wepawet-like but for PostScript related data Perhaps have it partalong of IDSIPSAVPrintServer data-flows
HITB2012AMS
Whatrsquos next PS + MSF + FS + Sockets = PWN
40
HITB2012AMS
Solutions
41
Admins bull Disable PS processing on printers bull Route print-jobs thru sandboxed print-servers bull Replace PS drivers with PCL ones (wellhellip) bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sandbox printers in your network bull Include MFPs in security audit lifecycle
Users bull Do not print from untrusted sources bull Be suspicious on PostScript files
Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs
Actor Suggested actions
HITB2012AMS
Acknowledgements
42
The Xerox-related PostScript work amp research done under support of
HITB2012AMS
Thanksresources
43
Personal thanks
Igor Marinescu MihaiSa Great logistic support and friendly help
Xerox Security Team Positive responses active mitigation
wwwtinajacom Insanely large free postscript resources dir
wwwanastigmatixnet Very good postscript resources
wwwacumentrainingcom Very good postscript resources
HITB2012AMS
Take aways
44
Questions
Andrei Costin andreiandreicostincom httpandreicostincompapers
Upcoming MFP attack could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Check upcoming research papers Check wwwyoutubecomuserzveriu
HITB2012AMS
Password setup is sniffed by the attacker
28
1) HTTP GET request ndash password clear text
2) HTTP reply
HITB2012AMS
Basic auth password can be dumped
29
1) Authorization Basic YWRtaW4yOhellip
2) HTTP11 200 OK
HITB2012AMS
HTTPS IPsec secrets are ldquodefaultyrdquo amp ldquoleakyrdquo
30
0x66306630663066306630663066302222
HITB2012AMS
Attacker has access to printed document details
31
HITB2012AMS
Attacker has access to network topology ndash no-scan
32
HITB2012AMS
Attacker has access to BSD-style socketshellip
33
Two-way BSD-style sockets communication
HITB2012AMS
Analyzed MFP cannot protect effectively
34
Privilege level separation
Secure password setup
Secure (basic) auth
HTTPS IPSEC secrets protection
Network topology protection
In-memory document protection
Restrict sockets on unprivileged modules
Protection measures Fail warn ok
HITB2012AMS
Plenty of Xerox printers share affected PS firmware update mechanism
35
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
36
HITB2012AMS
Remote attacks can be used to extract data
37
Sent
by
Drive-
by
Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying
attachment
from
web
Malware exploits
internal netw or
extracts data
Spool
malicious
byte
stream
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Whatrsquos next solutions conclusions
38
HITB2012AMS
Whatrsquos next Upcoming weeks
39
Secure PostScript ExecutionInterpreter Sandbox Set of onlineoffline tools for analysis amp reporting Wepawet-like but for PostScript related data Perhaps have it partalong of IDSIPSAVPrintServer data-flows
HITB2012AMS
Whatrsquos next PS + MSF + FS + Sockets = PWN
40
HITB2012AMS
Solutions
41
Admins bull Disable PS processing on printers bull Route print-jobs thru sandboxed print-servers bull Replace PS drivers with PCL ones (wellhellip) bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sandbox printers in your network bull Include MFPs in security audit lifecycle
Users bull Do not print from untrusted sources bull Be suspicious on PostScript files
Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs
Actor Suggested actions
HITB2012AMS
Acknowledgements
42
The Xerox-related PostScript work amp research done under support of
HITB2012AMS
Thanksresources
43
Personal thanks
Igor Marinescu MihaiSa Great logistic support and friendly help
Xerox Security Team Positive responses active mitigation
wwwtinajacom Insanely large free postscript resources dir
wwwanastigmatixnet Very good postscript resources
wwwacumentrainingcom Very good postscript resources
HITB2012AMS
Take aways
44
Questions
Andrei Costin andreiandreicostincom httpandreicostincompapers
Upcoming MFP attack could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Check upcoming research papers Check wwwyoutubecomuserzveriu
HITB2012AMS
Basic auth password can be dumped
29
1) Authorization Basic YWRtaW4yOhellip
2) HTTP11 200 OK
HITB2012AMS
HTTPS IPsec secrets are ldquodefaultyrdquo amp ldquoleakyrdquo
30
0x66306630663066306630663066302222
HITB2012AMS
Attacker has access to printed document details
31
HITB2012AMS
Attacker has access to network topology ndash no-scan
32
HITB2012AMS
Attacker has access to BSD-style socketshellip
33
Two-way BSD-style sockets communication
HITB2012AMS
Analyzed MFP cannot protect effectively
34
Privilege level separation
Secure password setup
Secure (basic) auth
HTTPS IPSEC secrets protection
Network topology protection
In-memory document protection
Restrict sockets on unprivileged modules
Protection measures Fail warn ok
HITB2012AMS
Plenty of Xerox printers share affected PS firmware update mechanism
35
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
36
HITB2012AMS
Remote attacks can be used to extract data
37
Sent
by
Drive-
by
Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying
attachment
from
web
Malware exploits
internal netw or
extracts data
Spool
malicious
byte
stream
HITB2012AMS
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Whatrsquos next solutions conclusions
38
HITB2012AMS
Whatrsquos next Upcoming weeks
39
Secure PostScript ExecutionInterpreter Sandbox Set of onlineoffline tools for analysis amp reporting Wepawet-like but for PostScript related data Perhaps have it partalong of IDSIPSAVPrintServer data-flows
HITB2012AMS
Whatrsquos next PS + MSF + FS + Sockets = PWN
40
HITB2012AMS
Solutions
41
Admins bull Disable PS processing on printers bull Route print-jobs thru sandboxed print-servers bull Replace PS drivers with PCL ones (wellhellip) bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sandbox printers in your network bull Include MFPs in security audit lifecycle
Users bull Do not print from untrusted sources bull Be suspicious on PostScript files
Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs
Actor Suggested actions
HITB2012AMS
Acknowledgements
42
The Xerox-related PostScript work amp research done under support of
HITB2012AMS
Thanksresources
43
Personal thanks
Igor Marinescu MihaiSa Great logistic support and friendly help
Xerox Security Team Positive responses active mitigation
wwwtinajacom Insanely large free postscript resources dir
wwwanastigmatixnet Very good postscript resources
wwwacumentrainingcom Very good postscript resources
HITB2012AMS
Take aways
44
Questions
Andrei Costin andreiandreicostincom httpandreicostincompapers
Upcoming MFP attack could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Check upcoming research papers Check wwwyoutubecomuserzveriu
HITB2012AMS
HTTPS IPsec secrets are ldquodefaultyrdquo amp ldquoleakyrdquo
30
0x66306630663066306630663066302222
HITB2012AMS
Attacker has access to printed document details
31
Attacker has access to network topology (no scanning required)
32
Attacker has access to BSD-style sockets…
33
Two-way BSD-style socket communication
Analyzed MFP cannot protect effectively
34
Protection measures (each rated on the slide as fail / warn / ok):
• Privilege level separation
• Secure password setup
• Secure (basic) auth
• HTTPS / IPsec secrets protection
• Network topology protection
• In-memory document protection
• Restrict sockets on unprivileged modules
Plenty of Xerox printers share the affected PS firmware update mechanism
35
Agenda
1. Quick refresher
2. What about PostScript
3. So what and how did you find
4. Attacks in a nutshell
5. Solutions and conclusions
36
Remote attacks can be used to extract data
37
Stage 1 - SocEng: sent by attachment, or drive-by from web
Stage 2 - Printing: spool malicious byte stream
Stage 3 - Exploiting/spying: malware exploits internal network or extracts data
Agenda
1. Quick refresher
2. What about PostScript
3. So what and how did you find
4. Attacks in a nutshell
5. What's next, solutions, conclusions
38
What's next? Upcoming weeks
39
• Secure PostScript execution / interpreter sandbox
• Set of online/offline tools for analysis & reporting: Wepawet-like, but for PostScript-related data
• Perhaps have it as part of, or alongside, IDS / IPS / AV / print-server data-flows
What's next? PS + MSF + FS + Sockets = PWN
40
Solutions
41
Actor / Suggested actions
Admins:
• Disable PS processing on printers
• Route print-jobs through sandboxed print-servers
• Replace PS drivers with PCL ones (well…)
• Disable Language Operator Authorization
• Look for security bulletins and patch
• Sandbox printers in your network
• Include MFPs in the security audit lifecycle
Users:
• Do not print from untrusted sources
• Be suspicious of PostScript files
Vendors:
• Create realistic MFP threat models
• Do not enable/expose super-APIs
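The "analysis & reporting tools" item on slide 39 and the admin advice above (route print-jobs through sandboxed print-servers, be suspicious of PostScript files) both come down to triaging a spooled PostScript job before it reaches the MFP. The following is an added example in Python, not the talk's own tool: a static triage pass that tokenizes the job, skipping comments and string literals so that words inside them cannot trigger, and flags file-system and system-parameter operators. The operator set, the verdict labels and the two sample jobs are this example's own assumptions, not taken from the talk.

```python
# Heuristic operator set chosen for this example (not a list from the talk):
# standard PostScript Level 2/3 operators that reach the interpreter's file
# system or its system/device parameters. Ordinary documents rarely need them.
RISKY_OPERATORS = {"file", "deletefile", "renamefile", "filenameforall", "run",
                   "setsystemparams", "setdevparams", "startjob", "exitserver"}


def tokenize(src: str) -> list[tuple[int, str]]:
    """(line, token) pairs of executable text; % comments, (strings) and
    <hex>/<~ascii85~> strings are dropped so words inside them never match."""
    out: list[tuple[int, str]] = []
    i, n, line, buf, buf_line = 0, len(src), 1, "", 1

    def flush() -> None:
        nonlocal buf
        if buf:
            out.append((buf_line, buf))
            buf = ""

    while i < n:
        c = src[i]
        if c in " \t\r\f\0\n":
            flush()
            line += c == "\n"
            i += 1
        elif c == "%":                                  # comment to end of line
            flush()
            while i < n and src[i] != "\n":
                i += 1
        elif c == "(":                                  # string: nested (), \ escapes
            flush()
            depth = 0
            while i < n:
                ch = src[i]
                i += 2 if ch == "\\" else 1
                line += ch == "\n"
                depth += (ch == "(") - (ch == ")")
                if depth == 0:
                    break
        elif c == "<" and not src.startswith("<<", i):  # <hex> or <~ascii85~>
            flush()
            term = "~>" if src.startswith("<~", i) else ">"
            end = src.find(term, i + 1)
            end = n if end < 0 else end + len(term)
            line += src.count("\n", i, end)
            i = end
        elif c in "{}[]<>":                             # delimiters incl. << >>
            flush()
            width = 2 if c in "<>" and src.startswith(c * 2, i) else 1
            out.append((line, src[i:i + width]))
            i += width
        else:                                           # names, numbers, /literals
            if c == "/":
                flush()
            buf_line = buf_line if buf else line
            buf += c
            i += 1
    flush()
    return out


def scan_postscript(job: bytes) -> tuple[bool, list[tuple[int, str, str]]]:
    """Static triage of one spooled job: (looks like PostScript, findings as
    (line, token, 'executes' | 'literal'))."""
    src = job.decode("latin-1")                       # any byte decodes
    findings = []
    for line, tok in tokenize(src):
        if tok in RISKY_OPERATORS:
            findings.append((line, tok, "executes"))
        elif tok[:1] == "/" and tok[1:] in RISKY_OPERATORS:
            findings.append((line, tok, "literal"))   # may be loaded and exec'd later
    # header check looks at the first 4 KB so a PJL wrapper before %!PS is tolerated
    return "%!PS" in src[:4096], findings


def verdict(findings) -> str:
    """quarantine: a risky operator is executed, hold the job for a human or a
    sandboxed interpreter; review: only literal names seen; clean: nothing."""
    kinds = {kind for _, _, kind in findings}
    return "quarantine" if "executes" in kinds else "review" if kinds else "clean"


# Constructed samples (not from the talk); the benign one names risky operators
# only inside a comment and a string, which must not trigger.
BENIGN_JOB = b"""%!PS-Adobe-3.0
%%Title: report (file copy, do not deletefile)
72 720 moveto (run the numbers, then file) show showpage
"""
SUSPICIOUS_JOB = b"""%!PS-Adobe-3.0
(%disk0%demo.txt) (w) file dup (hello) writestring closefile
(%disk0%demo.txt) deletefile
/run load
"""
```

A print-server hook would call scan_postscript on each spooled job and only forward "clean" jobs to the MFP; a "quarantine" verdict is a prompt for analysis, not proof of malice, since some legitimate drivers emit these operators.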
Acknowledgements
42
The Xerox-related PostScript work & research done under support of
Personal thanks
Igor Marinescu MihaiSa Great logistic support and friendly help
Xerox Security Team Positive responses active mitigation
wwwtinajacom Insanely large free postscript resources dir
wwwanastigmatixnet Very good postscript resources
wwwacumentrainingcom Very good postscript resources
HITB2012AMS
Take aways
44
Questions
Andrei Costin andreiandreicostincom httpandreicostincompapers
Upcoming MFP attack could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Check upcoming research papers Check wwwyoutubecomuserzveriu
HITB2012AMS