PostScript: Danger Ahead?!               Andrei Costin <andrei@andreicostin.com>     Affiliation - PhD student
whoami: in-between SW/HW hacker                  Hacking MFPs (for fun & profit)                                          ...
Agenda         1. Quick refresher         2. What about PostScript?         3. So, what and how did you find?         4. A...
MFPs carry large abuse potential                     PHDAYS2012    3
MFP hacking goes back to the 1960’s                                             The “micro”-film camera, marked XPatent dr...
Modern printer hacking goes back almost adecade2002                    2006                2010-2012Initial printer hacks ...
In 2010 demo’d : mapping public MFPshttp://www.youtube.com/watch?v=t44GibiCoCM                                     PHDAYS2...
… and generic MFP payload delivery using Wordhttp://www.youtube.com/watch?v=KrWFOo2RAnk (there are false claims on this di...
… and generic MFP payload delivery using Javahttp://www.youtube.com/watch?v=JcfxvZml6-Y                                   ...
Agenda         1. Quick refresher         2. What about PostScript?         3. So, what and how did you find?         4. A...
PostScript who? It’s Adobe’s PDF big brother                     PHDAYS2012                10
PS is build to handle complex processing tasksGraphics & patterns   Complex math         Web serversRay-tracing, OpenGL   ...
Then, what exactly is PostScript? PostScript IS NOT just a static data stream like PostScript IS a     Dynamically type...
What happens when printing PS? User writes the doc and hits Print     PS printer driver transforms it to PS stream for s...
Demo1“Programming language” aspect Programming languages 101:     Control statements         if/else         loop     ...
Demo2“Dynamically typed concatenative" aspect You wonder why your smart IDS/IPS rules stopped working? Here is why:    ...
Demo3Real world application – MSOffice PS crash Submitted to MS Apparently this is not exploitable as in smash stack att...
Demo4Real world application – GhostScript autoprn One got to love custom extensions Sends a print-job stream directly by...
Dynamic document forging/generation + SocEng      User computer                User printout                      PHDAYS20...
Dynamic document forging/generation + SocEng Computer side – SocEng bait      Printer/MFP side – PS virus                 ...
Where is PostScript? (Vendor-wise view)       Applications incorporating the PS interpreter      Applications/vendors prod...
Where is PostScript? (Role-wise view)                     PHDAYS2012         21
PostScript Web 2.0 Style PostScript made it into the web as well Around 20+ services found to be vulnerable to various d...
Agenda         1. Quick refresher         2. What about PostScript?         3. What else was found?         4. Attacks in ...
A PS-based firmware upload was required                    PHDAYS2012            24
This is too good to be true….      VxWorks API     Debug/QA API     Logging API        /vx***           /QA***       /***E...
Memory dumping reveals computing secrets SANS Security Predictions 2012/2013 - The Emerging Security Threat     Memory S...
Admin restriction fail to prevent memory dumping                    PHDAYS2012                 27
Password setup is sniffed by the attacker                  1) HTTP GET request – password clear text                      ...
Basic auth password can be dumped                  1) Authorization: Basic YWRtaW4yO…                         2) HTTP/1.1 ...
HTTPS / IPsec secrets are “defaulty” & “leaky”            0x66306630663066306630663066302222                        PHDAYS...
Attacker has access to printed document details                     PHDAYS2012                   31
Attacker has access to network topology – no-scan                     PHDAYS2012                 32
Attacker has access to BSD-style sockets…                 Two-way BSD-style sockets communication                      PHD...
Analyzed MFP cannot protect effectivelyProtection measures                        Fail / warn / okPrivilege level separati...
Plenty of Xerox printers share affected PS firmwareupdate mechanism                     PHDAYS2012                   35
Agenda         1. Quick refresher         2. What about PostScript?         3. So, what and how did you find?         4. A...
Remote attacks can be used to extract dataStage 1 – SocEng   Stage 2 - Printing   Stage 3 – Exploiting/spying Sent by     ...
Agenda         1. Quick refresher         2. What about PostScript?         3. So, what and how did you find?         4. A...
Network-wise mitigation solutionVLAN1 PCs                                       Print Server                              ...
Protocol-wise mitigation solutionPostScript/PJL sandbox Secure PostScript Execution/Interpreter Sandbox Set of online/of...
What’s next? PS + MSF + FS + Sockets = PWN!                    PHDAYS2012                41
SolutionsActor       Suggested actionsAdmins      •   Disable PS processing on printers            •   Route print-jobs th...
AcknowledgementsThe Xerox-related PostScript work & research done under support of                            PHDAYS2012  ...
AcknowledgementsThanks to EURECOM for great advise and support for this topic                            PHDAYS2012       ...
Thanks/resourcesXerox Security Team             Positive responses, active mitigationwww.tinaja.com                  Insan...
Take aways              MFPs are badly secured computing              platforms with large abuse potential              ...
Upcoming SlideShare
Loading in …5
×

PostScript: Danger Ahead?!

1,341 views

Published on

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
1,341
On SlideShare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
44
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

PostScript: Danger Ahead?!

  1. 1. PostScript: Danger Ahead?! Andrei Costin <andrei@andreicostin.com> Affiliation - PhD student
  2. 2. whoami: in-between SW/HW hacker Hacking MFPs (for fun & profit) Holistic SecurityMifare Classic MFCUK Interest http://andreicostin.com/papers/ PHDAYS2012 1
  3. 3. Agenda 1. Quick refresher 2. What about PostScript? 3. So, what and how did you find? 4. Attacks in a nutshell 5. Solutions and conclusions PHDAYS2012 2
  4. 4. MFPs carry large abuse potential PHDAYS2012 3
  5. 5. MFP hacking goes back to the 1960’s The “micro”-film camera, marked XPatent drawing, 1967 Electronics/hardware hacking“Spies in the Xerox machine” PHDAYS2012 4
  6. 6. Modern printer hacking goes back almost adecade2002 2006 2010-2012Initial printer hacks Broader & deeper Revived printer hacking(FX/pH) printer hacking interest (irongeek) This talk focuses mainly on remote code execution inside MFPs/printers PHDAYS2012 5
  7. 7. In 2010 demo’d : mapping public MFPshttp://www.youtube.com/watch?v=t44GibiCoCM PHDAYS2012 6
  8. 8. … and generic MFP payload delivery using Wordhttp://www.youtube.com/watch?v=KrWFOo2RAnk (there are false claims on this discovery) PHDAYS2012 7
  9. 9. … and generic MFP payload delivery using Javahttp://www.youtube.com/watch?v=JcfxvZml6-Y PHDAYS2012 8
  10. 10. Agenda 1. Quick refresher 2. What about PostScript? 3. So, what and how did you find? 4. Attacks in a nutshell 5. Solutions and conclusions PHDAYS2012 9
  11. 11. PostScript who? It’s Adobe’s PDF big brother PHDAYS2012 10
  12. 12. PS is build to handle complex processing tasksGraphics & patterns Complex math Web serversRay-tracing, OpenGL Milling machine XML Parsers PHDAYS2012 11
  13. 13. Then, what exactly is PostScript? PostScript IS NOT just a static data stream like PostScript IS a  Dynamically typed & concatenative  Stack-based  Turing-complete  Programming language  What does it all mean? Exactly! PHDAYS2012 12
  14. 14. What happens when printing PS? User writes the doc and hits Print  PS printer driver transforms it to PS stream for specific device  PS data stream on PRN User Opens a PS file from email/hdd  PC-based PS interpreter processes it  PS data stream executes on PC In both cases, PS data stream IS A PS program  Program != static data PHDAYS2012 13
  15. 15. Demo1“Programming language” aspect Programming languages 101:  Control statements  if/else  loop  while Simplest DoS attack is an “infinite loop”  !%  {} loop PHDAYS2012 14
  16. 16. Demo2“Dynamically typed concatenative" aspect You wonder why your smart IDS/IPS rules stopped working? Here is why:  ps_dynamic_statement_construction_and_execution.ps  Obfuscation at its best built-into the language! Solution:  Bad news: Need dynamic execution sandbox  Good news: It’s coming up – see sandbox slides below PHDAYS2012 15
  17. 17. Demo3Real world application – MSOffice PS crash Submitted to MS Apparently this is not exploitable as in smash stack attacks  But it opens an interesting perspective on MS Office… PHDAYS2012 16
  18. 18. Demo4Real world application – GhostScript autoprn One got to love custom extensions Sends a print-job stream directly by just opening the file Requires more investigation, but perspective is interesting… PHDAYS2012 17
  19. 19. Dynamic document forging/generation + SocEng User computer User printout PHDAYS2012 18
  20. 20. Dynamic document forging/generation + SocEng Computer side – SocEng bait Printer/MFP side – PS virus PHDAYS2012 19
  21. 21. Where is PostScript? (Vendor-wise view) Applications incorporating the PS interpreter Applications/vendors producing the PS interpreter The PS interpreter specifications and standards PHDAYS2012 20
  22. 22. Where is PostScript? (Role-wise view) PHDAYS2012 21
  23. 23. PostScript Web 2.0 Style PostScript made it into the web as well Around 20+ services found to be vulnerable to various degrees  Google was one them -> Got a “hall of fame” reward  Some fun facts  Effective for host exploitation and information gathering  Some ran GS as root user  Some ran GS without –dSAFER  All of them ran vulnerable GS versions  Heap and stack overflows and what-not… More details to come… PHDAYS2012 22
  24. 24. Agenda 1. Quick refresher 2. What about PostScript? 3. What else was found? 4. Attacks in a nutshell 5. Solutions and conclusions PHDAYS2012 23
  25. 25. A PS-based firmware upload was required PHDAYS2012 24
  26. 26. This is too good to be true…. VxWorks API Debug/QA API Logging API /vx*** /QA*** /***EventLog Pump PWM BillingMeters API /***pumppwm /***meter*** RAMdisk API RAM API Flash API /***ramdisk /***ram*** /***flash*** PHDAYS2012 25
  27. 27. Memory dumping reveals computing secrets SANS Security Predictions 2012/2013 - The Emerging Security Threat  Memory Scraping Will Become More Common PHDAYS2012 26
  28. 28. Admin restriction fail to prevent memory dumping PHDAYS2012 27
  29. 29. Password setup is sniffed by the attacker 1) HTTP GET request – password clear text 2) HTTP reply PHDAYS2012 28
  30. 30. Basic auth password can be dumped 1) Authorization: Basic YWRtaW4yO… 2) HTTP/1.1 200 OK PHDAYS2012 29
  31. 31. HTTPS / IPsec secrets are “defaulty” & “leaky” 0x66306630663066306630663066302222 PHDAYS2012 30
  32. 32. Attacker has access to printed document details PHDAYS2012 31
  33. 33. Attacker has access to network topology – no-scan PHDAYS2012 32
  34. 34. Attacker has access to BSD-style sockets… Two-way BSD-style sockets communication PHDAYS2012 33
  35. 35. Analyzed MFP cannot protect effectivelyProtection measures Fail / warn / okPrivilege level separationSecure password setupSecure (basic) authHTTPS, IPSEC secrets protectionNetwork topology protectionIn-memory document protectionRestrict sockets on unprivileged modules PHDAYS2012 34
  36. 36. Plenty of Xerox printers share affected PS firmwareupdate mechanism PHDAYS2012 35
  37. 37. Agenda 1. Quick refresher 2. What about PostScript? 3. So, what and how did you find? 4. Attacks in a nutshell 5. Solutions and conclusions PHDAYS2012 36
  38. 38. Remote attacks can be used to extract dataStage 1 – SocEng Stage 2 - Printing Stage 3 – Exploiting/spying Sent by Print email attachment Malware exploits internal netw. or extracts data Spool malicious byte stream Drive- by Print print from web PHDAYS2012 37
  39. 39. Agenda 1. Quick refresher 2. What about PostScript? 3. So, what and how did you find? 4. Attacks in a nutshell 5. What’s next, solutions, conclusions PHDAYS2012 38
  40. 40. Network-wise mitigation solutionVLAN1 PCs Print Server PS/PJL-sandboxed VLAN networksVLAN2 Unsafe print jobs PRNs Safe print jobs PHDAYS2012 39
  41. 41. Protocol-wise mitigation solutionPostScript/PJL sandbox Secure PostScript Execution/Interpreter Sandbox Set of online/offline tools for analysis & reporting Wepawet-like, but for PostScript related data Subscribe for updates: postscript-sec@andreicostin.com PHDAYS2012 40
  42. 42. What’s next? PS + MSF + FS + Sockets = PWN! PHDAYS2012 41
  43. 43. SolutionsActor Suggested actionsAdmins • Disable PS processing on printers • Route print-jobs thru sandboxed print-servers • Replace PS drivers with PCL ones (well…) • Disable Language Operator Authorization • Look for security bulletins and patch • Sandbox printers in your network • Include MFPs in security audit lifecycleUsers • Do not print from untrusted sources • Be suspicious on PostScript filesVendors • Create realistic MFP threat models • Do not enable/expose super-APIs PHDAYS2012 42
  44. 44. AcknowledgementsThe Xerox-related PostScript work & research done under support of PHDAYS2012 43
  45. 45. AcknowledgementsThanks to EURECOM for great advise and support for this topic PHDAYS2012 44
  46. 46. Thanks/resourcesXerox Security Team Positive responses, active mitigationwww.tinaja.com Insanely large free postscript resources dirwww.anastigmatix.net Very good postscript resourceswww.acumentraining.com Very good postscript resourcesPersonal thanksIgor Marinescu, MihaiSa Great logistic support and friendly help PHDAYS2012 45
  47. 47. Take aways  MFPs are badly secured computing platforms with large abuse potential  Upcoming MFP attack could include viruses in Office and PS documents that extract organization data  Securing the MFP infrastructure requires better segmentation, strong credentials, and continious vulnerability patching  Check upcoming research papers  Check www.youtube.com/user/zveriu  Join: postscript-sec@andreicostin.com Andrei Costin andrei@andreicostin.comQuestions? http://andreicostin.com/papers PHDAYS2012 46

×