PostScript Danger Ahead

Andrei Costin ltandreiandreicostincomgt

Affiliation - PhD student

HITB2012AMS

whoami in-between SWHW hacker

1

Mifare Classic MFCUK

Hacking MFPs (for fun amp profit) Holistic

Security

Interest

httpandreicostincompapers

HITB2012AMS

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

2

HITB2012AMS

MFPs carry large abuse potential

3

HITB2012AMS

MFP hacking goes back to the 1960rsquos

4

ldquoSpies in the Xerox machinerdquo

The ldquomicrordquo-film camera marked X

Patent drawing 1967

Electronicshardware hacking

HITB2012AMS

Modern printer hacking goes back almost a decade

5

Broader amp deeper printer hacking (irongeek)

Initial printer hacks (FXpH)

2002 2006

Revived printer hacking interest

This talk focuses mainly on remote code execution inside MFPsprinters

2010-2012

HITB2012AMS

In 2010 we demorsquod mapping public MFPs

6

httpwwwyoutubecomwatchv=t44GibiCoCM

HITB2012AMS

hellip and generic MFP payload delivery using Word

7

httpwwwyoutubecomwatchv=KrWFOo2RAnk (there are false claims on this discovery)

HITB2012AMS

hellip and generic MFP payload delivery using Java

8

httpwwwyoutubecomwatchv=JcfxvZml6-Y

HITB2012AMS

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

9

HITB2012AMS

PostScript who Itrsquos Adobersquos PDF big brother

10

HITB2012AMS

PS is build to handle complex processing tasks

11

Graphics amp patterns Complex math Web servers

Ray-tracing OpenGL Milling machine XML Parsers

HITB2012AMS

Then what exactly is PostScript

12

PostScript IS NOT just a static data stream like

PostScript IS a

Dynamically typed amp concatenative Stack-based Turing-complete Programming language What does it all mean Exactly

HITB2012AMS

What happens when printing PS

13

User writes the doc and hits Print PS printer driver transforms it to PS stream for specific device PS data stream on PRN

User Opens a PS file from emailhdd

PC-based PS interpreter processes it PS data stream executes on PC

In both cases PS data stream IS A PS program

Program = static data

HITB2012AMS

Demo ldquoProgramming languagerdquo aspect

14

Programming languages 101

Control statements ifelse loop while

Simplest DoS attack is an ldquoinfinite looprdquo

loop

HITB2012AMS

Demo ldquoDynamically typed concatenative aspect

15

You wonder why your smart IDSIPS rules stopped working

Here is why

ps_dynamic_statement_construction_and_executionps Solution

Bad news Need dynamic execution sandbox Good news Itrsquos coming in upcoming weeks

HITB2012AMS

Demo Real world application ndash MSOffice PS crash

16

Submitted to MS

Apparently this one is not exploitable as in smash stack attacks

But it opens an interesting perspective on MS Officehellip

HITB2012AMS

Demo Real world application ndash GhostScript autoprn

17

One got to love custom extensions

Send a print-job stream directly by mere opening the file

Requires more investigation but perspective is interestinghellip

HITB2012AMS

Dynamic document forginggeneration + SocEng

18

Computer side PrinterMFP side

HITB2012AMS

Dynamic document forginggeneration + SocEng

19

User computer User printout

HITB2012AMS

Where is PostScript (Vendor-wise view)

20

Applications incorporating the PS interpreter

Applicationsvendors producing the PS interpreter

The PS interpreter specifications and standards

HITB2012AMS

Where is PostScript (Role-wise view)

21

HITB2012AMS

PostScript Web 20 Style

22

PostScript made it into the web as well Around 20+ services found to be vulnerable to various degrees

Google was one them -gt Bounty reward Some fun facts

Effective for host exploitation and information gathering Some ran GS as root user Some ran GS without ndashdSAFER All of them ran vulnerable GS versions

Heap and stack overflows More details to comehellip

HITB2012AMS

Agenda

1 Quick refresher

2 What about PostScript

3 What else was found

4 Attacks in a nutshell

5 Solutions and conclusions

23

HITB2012AMS

A PS-based firmware upload was required

24

HITB2012AMS

This is too good to be truehellip

25

VxWorks API vx

DebugQA API QA

Logging API EventLog

BillingMeters API meter

Pump PWM pumppwm

RAMdisk API ramdisk

RAM API ram

Flash API flash

HITB2012AMS

Memory dumping reveals computing secrets

26

HITB2012AMS

Admin restriction fail to prevent memory dumping

27

HITB2012AMS

Password setup is sniffed by the attacker

28

1) HTTP GET request ndash password clear text

2) HTTP reply

HITB2012AMS

Basic auth password can be dumped

29

1) Authorization Basic YWRtaW4yOhellip

2) HTTP11 200 OK

HITB2012AMS

HTTPS IPsec secrets are ldquodefaultyrdquo amp ldquoleakyrdquo

30

0x66306630663066306630663066302222

HITB2012AMS

Attacker has access to printed document details

31

HITB2012AMS

Attacker has access to network topology ndash no-scan

32

HITB2012AMS

Attacker has access to BSD-style socketshellip

33

Two-way BSD-style sockets communication

HITB2012AMS

Analyzed MFP cannot protect effectively

34

Privilege level separation

Secure password setup

Secure (basic) auth

HTTPS IPSEC secrets protection

Network topology protection

In-memory document protection

Restrict sockets on unprivileged modules

Protection measures Fail warn ok

HITB2012AMS

Plenty of Xerox printers share affected PS firmware update mechanism

35

HITB2012AMS

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

36

HITB2012AMS

Remote attacks can be used to extract data

37

Sent

by

email

Drive-

by

print

Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying

Print

attachment

Print

from

web

Malware exploits

internal netw or

extracts data

Spool

malicious

byte

stream

HITB2012AMS

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Whatrsquos next solutions conclusions

38

HITB2012AMS

Whatrsquos next Upcoming weeks

39

Secure PostScript ExecutionInterpreter Sandbox Set of onlineoffline tools for analysis amp reporting Wepawet-like but for PostScript related data Perhaps have it partalong of IDSIPSAVPrintServer data-flows

HITB2012AMS

Whatrsquos next PS + MSF + FS + Sockets = PWN

40

HITB2012AMS

Solutions

41

Admins bull Disable PS processing on printers bull Route print-jobs thru sandboxed print-servers bull Replace PS drivers with PCL ones (wellhellip) bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sandbox printers in your network bull Include MFPs in security audit lifecycle

Users bull Do not print from untrusted sources bull Be suspicious on PostScript files

Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs

Actor Suggested actions

HITB2012AMS

Acknowledgements

42

The Xerox-related PostScript work amp research done under support of

HITB2012AMS

Thanksresources

43

Personal thanks

Igor Marinescu MihaiSa Great logistic support and friendly help

Xerox Security Team Positive responses active mitigation

wwwtinajacom Insanely large free postscript resources dir

wwwanastigmatixnet Very good postscript resources

wwwacumentrainingcom Very good postscript resources

HITB2012AMS

Take aways

44

Questions

Andrei Costin andreiandreicostincom httpandreicostincompapers

Upcoming MFP attack could include viruses in Office and PS documents that extract organization data

Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching

MFPs are badly secured computing platforms with large abuse potential

Check upcoming research papers Check wwwyoutubecomuserzveriu