Transcript of "PostScript: Danger Ahead?!" - InfoCon In Paris / Hack In Paris 2012 (transcript page dated 2019.10.1)
-
PostScript: Danger Ahead?!
Andrei Costin
Affiliation - PhD student
http://eurecom.fr/
-
Hack In Paris 2012
whoami: in-between SW/HW hacker
Mifare Classic MFCUK
Hacking MFPs (for fun & profit)
Holistic security interest
http://code.google.com/p/mfcuk/
http://andreicostin.com/papers/
http://andreicostin.com/secadv/
http://andreicostin.com/
-
Agenda
1. Quick refresher
2. What about PostScript?
3. So, what and how did you find?
4. Attacks in a nutshell
5. Solutions and conclusions
-
MFPs carry large abuse potential
-
MFP hacking goes back to the 1960's
"Spies in the Xerox machine"
The "micro"-film camera, marked X
Patent drawing, 1967
Electronics/hardware hacking
http://books.google.com/books?id=KIEIX2X-na8C&lpg=PA68&ots=2im-APXCTH&dq="Spies in the Xerox Machine"&pg=PA68
-
More recent news flashes for printer hacking
Oct 2010 – "Printer cartridge bomb": a presumed bomb attack (i.e. physical security)
2010 – "US Chamber of Commerce printer hack": the nature of the hack/communication is unclear
http://www.foxnews.com/scitech/2010/10/29/used-toner-cartridge-used-bombs-expert-says/
http://www.nytimes.com/2012/02/11/technology/electronic-security-a-worry-in-an-age-of-digital-espionage.html?pagewanted=all
-
More recent news flashes for printer hacking (cont.)
June 2012 – "Printer Virus": most probably a side effect of PC malware; however, it shows HOW UNPROTECTED MFPs are in most organizations
http://about-threats.trendmicro.com/RelatedThreats.aspx?language=us&name=Understanding+the+Printer+Virus
http://www.symantec.com/business/support/index?page=content&id=TECH190982
-
Modern printer hacking goes back almost a decade
2002 – Initial printer hacks (FX/pH)
2006 – Broader & deeper printer hacking (irongeek)
2010-2012 – Revived printer hacking interest
This talk focuses mainly on remote code execution inside MFPs/printers
-
In 2010 demo'd: mapping public MFPs
http://www.youtube.com/watch?v=t44GibiCoCM
-
… and generic MFP payload delivery using Word
http://www.youtube.com/watch?v=KrWFOo2RAnk (there are false claims on this discovery)
http://www.youtube.com/watch?v=njVv7J2azY8
-
… and generic MFP payload delivery using Java
http://www.youtube.com/watch?v=JcfxvZml6-Y
-
Agenda
1. Quick refresher
2. What about PostScript?
3. So, what and how did you find?
4. Attacks in a nutshell
5. Solutions and conclusions
-
PostScript who? It's Adobe's PDF big brother
http://www.adobe.com/products/postscript/pdfs/psprintprime.pdf
-
PS is built to handle complex processing tasks
Graphics & patterns, complex math, web servers
Ray-tracing, OpenGL, milling machines, XML parsers
-
Then, what exactly is PostScript?
PostScript IS NOT just a static data stream like
PostScript IS a dynamically typed & concatenative, stack-based, Turing-complete programming language
What does it all mean? Exactly!
-
What happens when printing PS?
Case 1: the user writes the document and hits Print; the PS printer driver transforms it into a PS stream for the specific device; the PS data stream executes on the printer (PRN)
Case 2: the user opens a PS file from email/HDD; a PC-based PS interpreter processes it; the PS data stream executes on the PC
In both cases, the PS data stream IS A PS program
Program != static data
-
Demo1: "Programming language" aspect
Programming languages 101:
Control statements: if/else, loop, while
The simplest DoS attack is an "infinite loop"; the whole job is the PS header line followed by an empty procedure run under loop:
%!
{} loop
-
Demo2: "Dynamically typed concatenative" aspect
You wonder why your smart IDS/IPS rules stopped working?
Here is why: ps_dynamic_statement_construction_and_execution.ps
Obfuscation at its best, built into the language!
Solution:
Bad news: need a dynamic execution sandbox
Good news: it's coming up – see the sandbox slides below
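The two demo slides (the `{} loop` denial of service and the statement assembled at run time) are the case for pre-scanning print jobs on a print server before they reach a printer. The Python script below is an added example, not the talk's PSYkit nor the sandbox it announces; the operator groups, severity mapping and sample jobs are my own choices. It tokenises a job while skipping comments and string literals, so a signature-style match on the word `loop` inside a comment or a string does not fire, and flags the standard operators that make a job a DoS risk (`loop` with no `exit` anywhere), that build and run code from data (`cvx`, `cvn`, `exec`, `token`), or that touch files. As Demo2 says, a static scan cannot see what a dynamically constructed statement will do, so the scanner only reports those operators as indicators for review and leaves the final verdict to a dynamic sandbox.

```python
"""Static pre-scan of a PostScript print job for the 'program, not data' risks
the Demo1/Demo2 slides describe (added example, not the talk's PSYkit or its
sandbox). Tokenises the job, ignores comments and strings, and flags operators
that make the job a DoS risk, a dynamically built program, or a file accessor."""
from dataclasses import dataclass

# Operator groups (all are standard PostScript operators):
UNBOUNDED_LOOP = {"loop"}                          # "{} loop" never terminates
DYNAMIC_EXEC = {"exec", "cvx", "cvn", "token"}     # turn data into code and run it
FILE_ACCESS = {"file", "deletefile", "renamefile", "filenameforall", "run"}

SEVERITY = {"unbounded-loop": 3, "file-access": 3, "dynamic-exec": 2}
VERDICTS = {0: "allow", 1: "allow", 2: "review", 3: "block"}

DELIMS = set("()<>[]{}/%")


@dataclass(frozen=True)
class Finding:
    line: int
    token: str
    category: str


def tokenize(src):
    """Yield (kind, text, line) for each PostScript token. Comments, strings and
    hex strings are consumed whole so operator names inside them are not
    mistaken for executable names."""
    i, n = 0, len(src)
    while i < n:
        c = src[i]
        line = src.count("\n", 0, i) + 1
        if c.isspace():
            i += 1
        elif c == "%":                                  # comment to end of line
            nl = src.find("\n", i)
            i = n if nl < 0 else nl + 1
        elif c == "(":                                  # (string): parens nest, backslash escapes
            depth, j = 1, i + 1
            while j < n and depth:
                if src[j] == "\\":
                    j += 2
                    continue
                depth += {"(": 1, ")": -1}.get(src[j], 0)
                j += 1
            yield "string", src[i + 1:j - 1], line
            i = j
        elif src.startswith(("<<", ">>"), i):           # dictionary delimiters
            yield "delim", src[i:i + 2], line
            i += 2
        elif c == "<":                                  # <hex string>
            end = src.find(">", i)
            end = n if end < 0 else end
            yield "hexstring", src[i + 1:end], line
            i = end + 1
        elif c in "{}[])>":                             # other delimiters (stray ones too)
            yield "delim", c, line
            i += 1
        else:                                           # /literal name or executable name
            start = i + (c == "/")
            j = start
            while j < n and not src[j].isspace() and src[j] not in DELIMS:
                j += 1
            yield ("literal" if c == "/" else "name"), src[start:j], line
            i = max(j, i + 1)


def scan_job(src):
    """Return the list of Findings for one job (empty list: nothing flagged)."""
    tokens = list(tokenize(src))
    names = {text for kind, text, _ in tokens if kind == "name"}
    findings = []
    for kind, text, line in tokens:
        if kind != "name":
            continue
        # Heuristic: a "loop" with no "exit" anywhere in the job cannot terminate.
        if text in UNBOUNDED_LOOP and "exit" not in names:
            findings.append(Finding(line, text, "unbounded-loop"))
        elif text in DYNAMIC_EXEC:
            findings.append(Finding(line, text, "dynamic-exec"))
        elif text in FILE_ACCESS:
            findings.append(Finding(line, text, "file-access"))
    return findings


def verdict(findings):
    """Map findings to allow / review / block; the worst category wins."""
    worst = max((SEVERITY[f.category] for f in findings), default=0)
    return VERDICTS[worst]


# Constructed sample jobs (not taken from the talk):
BENIGN_JOB = """%!PS-Adobe-3.0
/Helvetica findfont 12 scalefont setfont
72 720 moveto (Quarterly report) show
showpage
"""
LOOP_JOB = "%!\n{} loop\n"                      # the one-line DoS from Demo1
DYNAMIC_JOB = """%!PS
% the statement is only a string until cvx makes it executable and exec runs it
(72 720 moveto) cvx exec
showpage
"""

if __name__ == "__main__":
    for name, job in [("benign", BENIGN_JOB), ("loop", LOOP_JOB), ("dynamic", DYNAMIC_JOB)]:
        found = scan_job(job)
        print(name, verdict(found), [(f.line, f.token, f.category) for f in found])
```

Running the script prints `allow` for the plain text job, `block` for the `{} loop` job and `review` for the job whose statement is assembled with `cvx exec`. The `review` verdict is deliberate: the scanner knows that code is being built at run time but not what that code is, which is exactly the gap the talk's sandbox is meant to close.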
-
Dynamic document forging/generation + SocEng
User computer vs. user printout
Computer side – SocEng bait; printer/MFP side – mal-PS
-
Where is PostScript? (Vendor-wise view)
Applications incorporating the PS interpreter
Applications/vendors producing the PS interpreter
The PS interpreter specifications and standards
http://partners.adobe.com/public/developer/ps/sdk/index_archive.html
http://www.adobe.com/
http://www.accesssoftek.com/
http://office.microsoft.com/
http://www.ghostscript.com/
http://www.cups.org/
http://www.gimp.org/
http://www.irfanview.com/
-
Where is PostScript? (Role-wise view)
http://www.data-connect.com/Print_Servers.htm
http://www.ghostscript.com/
http://partners.adobe.com/public/developer/ps/sdk/index_archive.html
http://www.cups.org/
-
Agenda
1. Quick refresher
2. What about PostScript?
3. What else was found?
4. Attacks in a nutshell
5. Solutions and conclusions
-
A PS-based firmware upload was required
-
This is too good to be true….
API                Name pattern
VxWorks API        /vx***
Debug/QA API       /QA***
Logging API        /***EventLog
BillingMeters API  /***meter***
Pump PWM           /***pumppwm
RAMdisk API        /***ramdisk
RAM API            /***ram***
Flash API          /***flash***
-
Memory dumping reveals computing secrets
SANS Security Predictions 2012/2013 – The Emerging Security Threat: Memory Scraping Will Become More Common
http://www.sans.edu/research/security-laboratory/article/security-predict2011
-
Admin restrictions fail to prevent memory dumping
-
Password setup is sniffed by the attacker
1) HTTP GET request – password in clear text
2) HTTP reply
-
Basic auth password can be dumped
1) Authorization: Basic YWRtaW4yO…
2) HTTP/1.1 200 OK
-
HTTPS / IPsec secrets are "defaulty" & "leaky"
0x66306630663066306630663066302222
http://osdir.com/ml/network.freeswan.user/2003-08/msg00451.html
-
Attacker has access to printed document details
-
Attacker has access to network topology – no scan needed
-
Attacker has access to BSD-style sockets…
Two-way BSD-style socket communication
-
Analyzed MFP cannot protect effectively
Protection measures (rated fail / warn / ok on the slide):
Privilege level separation
Secure password setup
Secure (basic) auth
HTTPS, IPSEC secrets protection
Network topology protection
In-memory document protection
Restrict sockets on unprivileged modules
-
Plenty of Xerox printers share the affected PS firmware update mechanism
-
PSYkit – source code release time
-
Agenda
1. Quick refresher
2. What about PostScript?
3. So, what and how did you find?
4. Attacks in a nutshell
5. Solutions and conclusions
-
Remote attacks can be used to extract data
Stage 1 – SocEng: sent by email / drive-by print
Stage 2 – Printing: print attachment / print from web; spool malicious byte stream
Stage 3 – Exploiting/spying: malware exploits internal network or extracts data
-
Agenda
1. Quick refresher
2. What about PostScript?
3. So, what and how did you find?
4. Attacks in a nutshell
5. What's next, solutions, conclusions
-
Network-wise mitigation solution
VLAN1: PCs
VLAN2: PRNs
Print server: PS/PJL-sandboxed, sitting between the two VLANs
Unsafe print jobs from VLAN1 pass through the sandboxed print server; only safe print jobs go on to VLAN2
-
Protocol-wise mitigation solution: PostScript/PJL sandbox
Secure PostScript execution/interpreter sandbox
Set of online/offline tools for analysis & reporting
Wepawet-like, but for PostScript related data
Subscribe for updates: [email protected]
-
What's next? PS + MSF + FS + Sockets = PWN!
-
Solutions
Actor and suggested actions:
Admins
• Disable PS processing on printers
• Route print jobs through sandboxed print servers
• Replace PS drivers with PCL ones (well…)
• Disable Language Operator Authorization
• Look for security bulletins and patch
• Sandbox printers in your network
• Include MFPs in the security audit lifecycle
Users
• Do not print from untrusted sources
• Be suspicious of PostScript files
Vendors
• Create realistic MFP threat models
• Do not enable/expose super-APIs
Video & code: 28c3_video9_ps_SOLUTION_language_operator_authorization_disable.avi
-
Acknowledgements
The Xerox-related PostScript work & research was done with the support of http://srlabs.de/
-
Acknowledgements
Thanks to EURECOM (http://eurecom.fr/) for great advice and support on this topic
-
Thanks/resources
Personal thanks:
Igor Marinescu, MihaiSa – great logistic support and friendly help (https://picasaweb.google.com/igor.marinescu)
Xerox Security Team – positive responses, active mitigation (http://www.xerox.com/security)
www.tinaja.com – insanely large free PostScript resources directory (http://www.tinaja.com/post01.asp)
www.anastigmatix.net – very good PostScript resources (http://www.anastigmatix.net/postscript/resource.html)
www.acumentraining.com – very good PostScript resources (http://www.acumentraining.com/resources.html)
-
Take aways
MFPs are badly secured computing platforms with large abuse potential
Upcoming MFP attacks could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation, strong credentials, and continuous vulnerability patching
Questions? Andrei Costin [email protected] http://andreicostin.com/papers
Check upcoming research papers
Check www.youtube.com/user/zveriu
Join: [email protected]