"Unless you've been living under a rock for the past 30 years or so, you probably know what a fax machine is. For decades, fax machines were used worldwide as the main way of electronic document delivery. But this happened in the 1980s. Humanity has since developed far more advanced ways to send digital content, and fax machines are all in the past, right? After all, they should now be nothing more than a glorified museum item. Who on earth is still using fax machines?
The answer, to our great horror, is EVERYONE. State authorities, banks, service providers and many others are still using fax machines, despite their debatable quality and almost non-existent security. In fact, using fax machines is often mandatory and considered a solid and trustworthy method of delivering information.
What the Fax?! We embarked on a journey with the singular goal of disrupting this insane state of affairs. We went to work, determined to show that the common fax machine could be compromised via mere access to its fully exposed and unprotected telephone line -- thus completely bypassing all perimeter security protections and shattering to pieces all modern-day security concepts.
Join us as we take you through the strange world of embedded operating systems, 30-year-old protocols, museum grade compression algorithms, weird extensions and undebuggable environments. See for yourself first-hand as we give a live demonstration of the first ever full fax exploitation, leading to complete control over the entire device as well as the network, using nothing but a standard telephone line.
This talk is intended to be the canary in the coal mine. The technology community cannot sit idly by while this ongoing madness is allowed to continue. The world must stop using FAX!"
2. Who Are We?
Yaniv Balmas
“This should theoretically work”
Security Researcher
Check Point Software Technologies
@ynvb
Eyal Itkin
“That’s cool.”
Security Researcher
Check Point Software Technologies
@eyalitkin
3. FAX History
• 1846: Alexander Bain sends an image over a wire
• 1860: Caselli invents a machine similar to today's FAX
• 1923: Enter the RadioFAX, used by navies
• 1966: XEROX introduces the first commercial FAX machine
• 1980: Group III ITU-T fax standards: T.30, T.4, T.6
• 1985: GammaFAX brings computers into the FAX network
11. Fax Today
• Modern FAX is no longer a simple "FAX machine"
• The same old FAX technology is now wrapped inside newer technologies
• ALL-IN-ONE printers are EVERYWHERE
31. Let's Take A Look
FF 20 72 66 63 75 72 73 69 EF 76 65 6C 79 AE E0
6E 6F 6E DF 70 6F 73 69 74 FE 30 20 73 F7 69 7A
65 0E 32 76 61 72 69 FF 61 62 6C 65 2D 6C 65 6E
F7 67 74 68 AD 33 00 00 56 4C FF 6A 70 65 67 2E
r e c u r s i v e l y
n o n p o s i t s i z
e v a r i a b l e - l e n
g t h V L j p e g .
33. A Pattern?!
FF EF AE E0
DF FE 30 F7
0E 32 FF
F7 AD 33 FF
56. JS On A Printer?!
• JavaScript is used in a module called PAC
• PAC - Proxy Auto Configuration
• The PAC script is fetched from a URL (pointing to a JS file) that is handed out in the DHCP settings
• The top-layer functionality was designed by HP
59. T.30
• aka "ITU-T Recommendation T.30"
• Procedures for document facsimile transmission in the general switched telephone network
• Defines the "heavy lifting" procedures relevant to all fax sending functionality
• Designed in 1985
• Last updated in 2005
61. The Undebuggable
• How do we debug this hostile environment?
• There are no native debugging facilities
• We have no control over the execution flow
• Hardware watch-dog is a serious problem
62. Lucky Break
• Luck is a fundamental part of every research project
• On July 19, SENRIO published an exploit dubbed "Devil's Ivy"
• CVE-2017-9765 - RCE in gSOAP 2.7 - 2.8.47
• And it seems our printer is vulnerable!
64. Debugging Challenges
• Need to read/write memory
• Need to execute code
• Create a network tunnel between debugger/debuggee
65. Debugging Challenges
• We have control over execution flow
• Need to load our own code
• Bypass memory protection
• Embed debugging stub into current firmware
66. Scout
• We created our own instruction-based debugger
• Called 'Scout'
• Supports x86, x64, ARM (ARM and Thumb mode)
• Embedded mode for firmware
• Linux kernel mode
75. Vulnerability
• All the layers we showed can contain possible vulnerabilities.
• The most convenient layer is the application one.
• We started by inspecting the JPEG parsing capabilities.
76. JPEG
FF D8 FF E0 00 10 4A 46 49 46 00 01 02 00 00 64
00 64 00 00 FF C4 0A 02 34 D3 2A 78 80 42 6D 2B
FF DA 12 28 2A 6F 2B 81 6A 16 0F C8 9A 13 FF D9
. . . . . . . J F I F . . . . d
. d . . . . . . 4 . * x . Bm+
. . . ( * 0 + . j . . . . . . .
Markers in the dump (each marker segment is followed by a Size field and then its Data):
• SOI - Start Of Image (FF D8)
• APP0 - Application Specific (FF E0)
• DHT - Define Huffman Table (FF C4)
• SOS - Start Of Scan (FF DA)
• EOI - End Of Image (FF D9)
78. DHT
FF C4 20 00 01 00 00 00 00 02 00 01 02 00 00 00
00 00 00 FF FF C4 0A 02 34 D3 2A 78 80 42 6D 2B
Σ(4x4 matrix of count values) = 6
• The 4x4 matrix values are summed
• The resulting sum is used as the size value for the data bytes
• The data bytes are copied into a 256-byte array located on the stack
83. Exploit Chain
• Trivial stack overflow
• No constraints (“forbidden bytes”)
• ~4,000 user controlled bytes
• The file contains even more information we control…
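As an added illustration of the DHT bug from the DHT slide and the "~4,000 user controlled bytes" of the exploit chain slide (example code written for this page, not Check Point's or HP's), the parser below sums the 16 count bytes using the standard JPEG DHT layout and contains the bounds check that the slide describes as missing; both sample segments are constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define DHT_MARKER     0xC4
#define DHT_MAX_VALUES 256  /* the fixed 256-byte stack array described on the slide */

/* Sum the 16 DHT count bytes (the 4x4 matrix on the slide) and validate them.
 * Layout assumed (standard JPEG): FF C4 | Lh (2 bytes) | Tc/Th | 16 counts | values.
 * Returns the value-byte count or -1; enforce_limit == 0 mimics the original parser. */
int dht_value_count(const uint8_t *seg, size_t len, int enforce_limit)
{
    if (len < 21 || seg[0] != 0xFF || seg[1] != DHT_MARKER)
        return -1;
    if ((((size_t)seg[2] << 8) | seg[3]) + 2 > len)
        return -1;               /* declared length Lh runs past the buffer */
    int total = 0;
    for (int i = 0; i < 16; i++)
        total += seg[5 + i];     /* each count is 0..255, so total <= 4080 */
    if (enforce_limit && total > DHT_MAX_VALUES)
        return -1;               /* the missing check: this would overflow the array */
    if (21 + (size_t)total > len)
        return -1;               /* more values claimed than bytes present */
    return total;
}

/* Hardened copy of the value bytes into a caller-supplied fixed-size array. */
int dht_copy_values(const uint8_t *seg, size_t len, uint8_t out[DHT_MAX_VALUES])
{
    int n = dht_value_count(seg, len, 1);
    if (n > 0)
        memcpy(out, seg + 21, (size_t)n);
    return n;
}

/* Constructed benign segment: the counts sum to 6, followed by 6 value bytes. */
static const uint8_t benign_dht[] = {
    0xFF, 0xC4, 0x00, 0x19, 0x00,
    0x01, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01,
    0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x0A, 0x02, 0x34, 0xD3, 0x2A, 0x78 };
static uint8_t scratch[DHT_MAX_VALUES];
/* Constructed hostile segment: all 16 counts are 0xFF (sum 4080, the slides' "~4,000 bytes"). */
int hostile_sum(int enforce_limit)
{
    static uint8_t seg[21 + 16 * 255];
    memset(seg, 0x41, sizeof seg);
    memset(seg + 5, 0xFF, 16);
    seg[0] = 0xFF; seg[1] = DHT_MARKER; seg[2] = 0x10; seg[3] = 0x03; seg[4] = 0; /* Lh = 4099 */
    return dht_value_count(seg, sizeof seg, enforce_limit);
}
```

With the limit enforced the hostile segment is rejected before any copy; without it the parser happily reports 4080 bytes destined for a 256-byte stack array.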
85. Conclusions
• PSTN is still a valid attack surface in 2018!
• FAX can be used as a gateway to internal networks
• Old outdated protocols are not good for you…
86. What Can I Do?
• Patch your printers
• Don't connect FAX where not needed
• Segregate your printers from the rest of the network