What The Fax?!
To:
Date:
Subject:
Check Point Research
DEFCON 26
Aug-12 2018
Received OK?
WhoAreWe?
Yaniv Balmas
“This should theoretically work”
Security Researcher
Check Point Software Technologies
@ynvb
Eyal Itkin
“That’s cool.”
Security Researcher
Check Point Software Technologies
@eyalitkin
FAXHistory
1846: Alexander Bain sends an image over a wire
1860: Caselli invents a machine similar to today's FAX
1923: Enter the RadioFAX. Used by navies
1966: XEROX introduces the first commercial FAX machine
1980: Group III ITU-T Fax standards (T.30, T.4, T.6)
1985: GammaFAX brings computers into the FAX network
Quality
Accessibility
Reliability
Authenticity ?
BackToTheFuture
WTF?!
• Modern FAX is no longer a simple “FAX Machine”

• The same old FAX technology is now
wrapped inside newer technologies

• ALL-IN-ONE printers are EVERYWHERE
FaxToday
The Security View
ALL-IN-ONE Printers
FAX Attack
Challenge
Accepted
What is the Target?
How to Obtain the Code?
What is The OS?
How Does FAX Even Work?
How can we Debug it?
Where to look for vulns?
AndTheWinnerIs
BreakingHW
Flash ROM
SRAMs
(i.e. some more memory)
BreakingHW
USB
WiFi
SRAM
Electricity
Main
CPU
FAX

Modem
Battery
ShowMeYourFirmware!
SERIAL

DEBUG
JTAG
TooEasy?
FirmwareUpgrade
How do you upgrade a printer firmware?!
You Print it!
PrintingTheFirmware
NULL Decoder
TIFF Decoder
Delta Raw Decoder
WhenYou’reaHammer…
Sections
Loading Address Section Name Location in Binary
IDon’tUnderstand
…
WhatISThis?!
• Probably a compression algorithm

• A very bad one …

• Some mathematics
Let'sTakeALook
FF 20 72 66 63 75 72 73 69 EF 76 65 6C 79 AE E0
6E 6F 6E DF 70 6F 73 69 74 FE 30 20 73 F7 69 7A
65 0E 32 76 61 72 69 FF 61 62 6C 65 2D 6C 65 6E
F7 67 74 68 AD 33 00 00 56 4C FF 6A 70 65 67 2E
r e c u r s i v e l y
n o n p o s i t s i z
e v a r i a b l e - l e n
g t h V L j p e g .
Let'sTakeALook
Bytes that do not show up in the text column, row by row:
FF EF AE E0
DF FE 30 F7
0E 32 FF
F7 AD 33 FF
APattern?!
FF EF DF F7 FF F7
Bytes between them: 8 Bytes, 9 Bytes, 9 Bytes, 9 Bytes, 8 Bytes, 9 Bytes, 8 Bytes
APattern?!
FF = 1111 1111
EF = 1110 1111
DF = 1101 1111
F7 = 1111 0111
FF = 1111 1111
F7 = 1111 0111
DifferentAngle
F7 AD 33
Forward / Backward Pointer?
Dictionary??
Sliding Window?
TheMissingLink
Softdisk
TheMissingLink
AD 33 = 1 0 1 0 1 1 0 1 0 0 1 1 0 0 1 1
A D 3 3
First 12 bits (1010 1101 0011 = 0xAD3) = 2771 = Window Location
Last 4 bits (0011) = 3 = Data Length
MysterySolved (animated slide sequence)
Input Text: A BCDABEF
Sliding Window: filled one byte at a time with A B C D E F G
Output Text: A B C D E F G, followed by the pointer bytes 00 02, the bit string 1 1 1 1 1 1 1 0 and the flag byte EF
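As an added illustration, not code from the talk or from the printer firmware: a small LZSS-style codec in C that follows the deck's reading of the format. A flag byte introduces each group of eight items; a set flag bit means a literal byte and a clear bit a 2-byte pointer whose high 12 bits are the Window Location (AD 33 → 2771) and whose low 4 bits are the Data Length (3). The LSB-first bit order is taken from the dump on the earlier slides (FF is followed by 8 literals; EF by 4 literals, the pointer AE E0 and 3 more literals). Everything else is assumed here: the location indexes a zero-initialised 4096-byte ring window, the length is used as-is, the minimum match of 3 is mine, and the names lzss_encode/lzss_decode/pointer_location/pointer_length are not from the firmware.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define WIN_SIZE 4096   /* 12-bit Window Location field: AD 33 -> 0xAD3 = 2771 */
#define MAX_LEN  15     /* 4-bit Data Length field: AD 33 -> 0x3 = 3 */
#define MIN_LEN  3      /* assumption: shorter matches are not worth a 2-byte pointer */

/* Split a 2-byte pointer into the deck's two fields. */
unsigned pointer_location(uint8_t hi, uint8_t lo) { return ((unsigned)hi << 8 | lo) >> 4; }
unsigned pointer_length(uint8_t hi, uint8_t lo)   { (void)hi; return lo & 0x0F; }

/* Decode: a flag byte introduces 8 items; flag bit i (LSB first) set = literal byte,
 * clear = 2-byte pointer copied out of a zero-initialised ring window.
 * Returns bytes written; stops at out_cap and on a truncated pointer. */
size_t lzss_decode(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_cap)
{
    uint8_t win[WIN_SIZE] = {0};
    size_t wpos = 0, ip = 0, op = 0;
    while (ip < in_len) {
        uint8_t flags = in[ip++];
        for (int bit = 0; bit < 8 && ip < in_len; bit++) {
            if (flags & (1u << bit)) {                        /* literal */
                if (op >= out_cap) return op;
                out[op++] = win[wpos] = in[ip++];
                wpos = (wpos + 1) % WIN_SIZE;
            } else {                                          /* pointer */
                if (ip + 2 > in_len) return op;
                size_t loc = pointer_location(in[ip], in[ip + 1]);
                size_t len = pointer_length(in[ip], in[ip + 1]);
                ip += 2;
                for (size_t k = 0; k < len; k++) {
                    if (op >= out_cap) return op;             /* bounded, unlike a blind memcpy */
                    out[op++] = win[wpos] = win[(loc + k) % WIN_SIZE];
                    wpos = (wpos + 1) % WIN_SIZE;
                }
            }
        }
    }
    return op;
}

/* Greedy encoder producing exactly what lzss_decode consumes. Returns the
 * compressed size, or 0 if out_cap cannot hold a worst-case 17-byte group. */
size_t lzss_encode(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_cap)
{
    uint8_t win[WIN_SIZE] = {0};
    size_t wpos = 0, ip = 0, op = 0;
    while (ip < in_len) {
        if (op + 17 > out_cap) return 0;
        size_t flag_at = op++;
        uint8_t flags = 0xFF;                                 /* unused trailing bits read as literal */
        for (int bit = 0; bit < 8 && ip < in_len; bit++) {
            size_t best_len = 0, best_loc = 0;
            for (size_t loc = 0; loc < WIN_SIZE; loc++) {
                /* d = how far loc lies behind the write position; a match must not
                 * run into bytes the decoder only writes during this copy */
                size_t d = (wpos + WIN_SIZE - loc) % WIN_SIZE;
                size_t limit = d < MAX_LEN ? d : MAX_LEN;
                if (limit > in_len - ip) limit = in_len - ip;
                size_t l = 0;
                while (l < limit && win[(loc + l) % WIN_SIZE] == in[ip + l]) l++;
                if (l > best_len) { best_len = l; best_loc = loc; }
            }
            size_t n = best_len >= MIN_LEN ? best_len : 1;
            if (n > 1) {                                      /* emit pointer: loc << 4 | len */
                flags &= (uint8_t)~(1u << bit);
                out[op++] = (uint8_t)(best_loc >> 4);
                out[op++] = (uint8_t)(((best_loc & 0x0F) << 4) | n);
            } else {
                out[op++] = in[ip];
            }
            for (size_t k = 0; k < n; k++) { win[wpos] = in[ip + k]; wpos = (wpos + 1) % WIN_SIZE; }
            ip += n;
        }
        out[flag_at] = flags;
    }
    return op;
}

/* Constructed sample text (not from the page); the repeats give the encoder matches. */
static const char SAMPLE[] =
    "non positive size; non positive size; variable-length variable-length jpeg.";

/* 1 if encode then decode reproduces SAMPLE and the stream actually shrank. */
int lzss_roundtrip_ok(void)
{
    uint8_t comp[256], plain[256];
    size_t n = strlen(SAMPLE);
    size_t clen = lzss_encode((const uint8_t *)SAMPLE, n, comp, sizeof comp);
    if (clen == 0 || clen >= n) return 0;
    return lzss_decode(comp, clen, plain, sizeof plain) == n && memcmp(plain, SAMPLE, n) == 0;
}

/* Decoding into a cap-byte buffer stops at cap instead of overrunning it. */
size_t lzss_bounded_demo(size_t cap)
{
    uint8_t comp[256], small[256];
    size_t clen = lzss_encode((const uint8_t *)SAMPLE, strlen(SAMPLE), comp, sizeof comp);
    return lzss_decode(comp, clen, small, cap < sizeof small ? cap : sizeof small);
}
```

The encoder only exists so the decoder has a stream to consume; the point for a firmware reviewer is the decoder, which bounds every write against the output capacity and refuses a pointer that runs off the end of the input, so a hostile stream cannot make it write past the buffer it was handed.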
ThePrintingBeast
• 64,709 Functions

• Most of the code not parsed by IDA

• Indirect Calls, Dynamic Tables, BootLoader Functions
System n’ Stuff: ThreadX - ARM9 / Green Hills; 2 Staged Boot Loader
Common Libraries: Treck (IP, TCP/UDP, DNS, HTTP, …); libpng 1.2.29 (2008); gSOAP 2.7; OpenSSL 1.0.1j (2014); Spidermonkey; mDNSResponder
Tasks: tTB, tHTML, …; tModem; tFaxLog; tT30; tPrintFax
MakingSomeSense
JSOnAPrinter?!
• JavaScript is used in a module called PAC.

• PAC - Proxy Auto Configuration

• Enabled by a URL, delivered in the DHCP settings, that links to a JS file

• Top layer functionality was designed by HP
FakeURL
Yep…
T30
• aka “ITU-T Recommendation T.30” 

• Procedures for document facsimile transmission in the
general switched telephone network 

• Defines the “heavy lifting” procedures relevant to all fax
sending functionality

• Designed in 1985

• Last updated in 2005
DynamicHell
TheUndebuggable
• How do we debug this hostile environment?

• There are no native debugging facilities

• We have no control over the execution flow

• Hardware watch-dog is a serious problem
LuckyBreak
• Luck is a fundamental part of every research project

• On July 19, SENRIO published an exploit dubbed “Devil’s
Ivy”

• CVE-2017-9765 - RCE in gSOAP 2.7 - 2.8.47

• And it seems our printer is vulnerable!
Devil’sIvy
DebuggingChallenges
• Need to read/write memory

• Need to Execute code

• Create a network tunnel between debugger/debuggee
DebuggingChallenges
• We have control over execution flow

• Need to load our own code

• Bypass memory protection

• Embed debugging stub into current firmware
Scout
• We created our own instruction-based debugger

• Called ‘Scout’

• Supports x86, x64, ARM (ARM and Thumb mode)

• Embedded mode for firmware

• Linux kernel mode
HowDoesAFAX?
PHASE 1: Network Interaction
PHASE 2: Probing / Ranging
PHASE 3: Equalizer and Echo Canceller Training
PHASE 4: Training Phase
HowDoesAFAX?
PHASE A: CallerID
PHASE B: SenderCaps (DIS), ReceiverCaps (DTC)
PHASE C: DataTransfer
PHASE D: EndOfPage (EOP), MsgConfirm (MCF)
Tunnel: HDLC
HowDoesAFAX? (layer diagram, built up over several slides)
PHASE A, PHASE B, PHASE C, PHASE D run over the Tunnel: T.30 over HDLC
FAX page data in the tunnel: TIFF Header and TIFF Body, coded with G.3/G.4
Color Extension: JPEG Header and Body
Vulnerability
• All the layers we showed can contain possible
vulnerabilities.

• The most convenient layer is the application one.

• We started by inspecting the JPEG parsing capabilities.
JPEG
FF D8 FF E0 00 10 4A 46 49 46 00 01 02 00 00 64
00 64 00 00 FF C4 0A 02 34 D3 2A 78 80 42 6D 2B
FF DA 12 28 2A 6F 2B 81 6A 16 0F C8 9A 13 FF D9
. . . . . . . J F I F . . . . d
. d . . . . . . 4 . * x . Bm+
. . . ( * 0 + . j . . . . . . .
Markers in the dump (Size and Data fields follow the segment markers):
SOI (FF D8) - Start Of Image
APP0 (FF E0) - Application Specific
DHT (FF C4) - Define Huffman Table
SOS (FF DA) - Start Of Scan
EOI (FF D9) - End Of Image
DHT
FF C4 20 00 01 00 00 00 00 02 00 01 02 00 00 00
00 00 00 FF FF C4 0A 02 34 D3 2A 78 80 42 6D 2B
• Define Huffman Table

• Defines a 4X4 comparison matrix for the JPEG image

Layout: HEADER | SIZE | 4X4 MATRIX | DATA
DHT
FF C4 20 00 01 00 00 00 00 02 00 01 02 00 00 00
00 00 00 FF FF C4 0A 02 34 D3 2A 78 80 42 6D 2B
∑(4X4 MATRIX) = 6
• The 4X4 matrix values are summed

• The sum is used as the size value for the data bytes

• The data bytes are copied into a 256-byte array located
on the stack
Stack
FF C4 20 00 01 00 00 00 00 02 00 01 02 00 00 00
00 00 00 FF FF C4 0A 02 34 D3 2A 78 80 42 6D 2B
Stack diagram: DHT size 6, so the 6 data bytes FF FF C4 0A 02 34 are copied into the 256-byte stack array
CanYouSpotIt?
FF C4 20 FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF C4 0A 02 34 D3 2A 78 80 42 … 2B
DHT, Stack (256)
Overflow!!
FF C4 20 FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF C4 0A 02 34 D3 2A 78 80 42 … 2B
Stack diagram: DHT size 4000, so 4000 data bytes (FF FF C4 0A 02 34 D3 2A 78 80 42 … 2B) are copied into the 256-byte stack array
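As an added illustration, not the printer's code (its actual parser is not shown on the slides): a DHT parser in C that performs the check the slides show missing. It assumes the standard JPEG DHT layout (FF C4, a 2-byte big-endian segment length, one table class/id byte, the 16 count bytes the slides call the 4X4 matrix, then as many value bytes as the counts sum to) and one table per segment; the two inputs are built from the slides' count bytes (the table summing to 6 with its data bytes FF FF C4 0A 02 34, and sixteen FF bytes). The names parse_dht, build_dht and huff_table_t are mine.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define DHT_MARKER   0xC4
#define MAX_HUFFVAL  256    /* a JPEG Huffman table holds at most 256 symbol values */
#define DHT_FIXED    19     /* length field (2) + class/id (1) + 16 counts */

typedef struct {
    uint8_t  counts[16];            /* the slides' "4X4 matrix" */
    uint8_t  values[MAX_HUFFVAL];   /* the fixed 256-byte array the firmware fills on the stack */
    unsigned total;                 /* sum of counts = number of value bytes */
} huff_table_t;

/* ∑(4X4 matrix): the number the slides derive (6 for the benign table). */
unsigned dht_count_sum(const uint8_t counts[16])
{
    unsigned s = 0;
    for (int i = 0; i < 16; i++) s += counts[i];
    return s;
}

/* Parse one DHT segment from buf[0..len). Returns 0 on success, or:
 *  -1 no FF C4 marker, or buffer too short for a header
 *  -2 the length field runs past the buffer
 *  -3 the counts ask for more than 256 values (the check the printer lacked)
 *  -4 the length field disagrees with the counts */
int parse_dht(const uint8_t *buf, size_t len, huff_table_t *t)
{
    if (len < 2 + DHT_FIXED || buf[0] != 0xFF || buf[1] != DHT_MARKER) return -1;
    size_t seg_len = ((size_t)buf[2] << 8) | buf[3];
    if (seg_len < DHT_FIXED || seg_len + 2 > len) return -2;
    memcpy(t->counts, buf + 5, 16);
    t->total = dht_count_sum(t->counts);
    if (t->total > MAX_HUFFVAL) return -3;               /* 4080 > 256: refuse before copying */
    if (seg_len != DHT_FIXED + t->total) return -4;
    memcpy(t->values, buf + 5 + 16, t->total);           /* provably fits: total <= 256 */
    return 0;
}

/* Test-input builder (constructed here): FF C4, length, class/id 0, counts, values. */
size_t build_dht(const uint8_t counts[16], const uint8_t *vals, unsigned nvals, uint8_t *out)
{
    size_t seg_len = DHT_FIXED + nvals;
    out[0] = 0xFF; out[1] = DHT_MARKER;
    out[2] = (uint8_t)(seg_len >> 8); out[3] = (uint8_t)seg_len;
    out[4] = 0x00;
    memcpy(out + 5, counts, 16);
    memcpy(out + 21, vals, nvals);
    return 2 + seg_len;
}

/* The slides' benign table: counts summing to 6 and the 6 data bytes FF FF C4 0A 02 34.
 * Returns the parsed total (6), or the negative parse error. */
int demo_benign_table(void)
{
    static const uint8_t counts[16] = { 0x00,0x01,0x00,0x00,0x00,0x00,0x02,0x00,
                                        0x01,0x02,0x00,0x00,0x00,0x00,0x00,0x00 };
    static const uint8_t vals[6] = { 0xFF,0xFF,0xC4,0x0A,0x02,0x34 };
    uint8_t buf[64];
    huff_table_t t;
    size_t n = build_dht(counts, vals, 6, buf);
    int rc = parse_dht(buf, n, &t);
    return rc == 0 ? (int)t.total : rc;
}

/* The slides' overflow input: sixteen FF counts, i.e. 4080 claimed value bytes. */
int demo_oversized_table(void)
{
    static uint8_t vals[4080];      /* zero-filled payload, constructed for the demo */
    static uint8_t buf[2 + DHT_FIXED + 4080];
    uint8_t counts[16];
    huff_table_t t;
    memset(counts, 0xFF, sizeof counts);
    size_t n = build_dht(counts, vals, 4080, buf);
    return parse_dht(buf, n, &t);   /* -3: refused before any byte reaches values[] */
}
```

The sum of the 16 counts is compared with the array's capacity before anything is copied, and the segment length field is cross-checked against that sum, so a table whose counts add up to more than 256 is rejected instead of overrunning the stack array. This is the same bound libjpeg applies in its DHT reader, which errors out when the count total exceeds 256 or the remaining segment length.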
ExploitChain
• Trivial stack overflow

• No constraints (“forbidden bytes”)

• ~4,000 user controlled bytes

• The file contains even more information we control…
Demo Time
Conclusions
• PSTN is still a valid attack surface in 2018!

• FAX can be used as a gateway to internal networks

• Old outdated protocols are not good for you…
WhatCanIDo?
• Patch your printers

• Don't connect FAX where not needed

• Segregate your printers from the rest of the network
STOP USING FAX
LittleHelpFromMyFriends
Lior Oppenheim (oppenheim1)
Yannay Livneh (Yannayli)
Yoav Alon (yoavalon)
Tamir Bahar (tmr232)
fin.
ynvb
EyalItkin

What the Fax!?