28c3: Print Me If You Dare
Loading...
Uploaded by 28c3 on Dec 30, 2011
Download high quality version: http://bit.ly/slWnU7
Description: http://events.ccc.de/congress/2011/Fahrplan/events/4780.en.html
Ang Cui, Jonathan Voris: Print Me If You Dare
Firmware Modification Attacks and the Rise of Printer Malware
Network printers are ubiquitous fixtures within the modern IT infrastructure. Residing within sensitive networks and lacking in security, these devices represent high-value targets that can theoretically be used not only to manipulate and exfiltrate the sensitive information such as network credentials and sensitive documents, but also as fully functional general-purpose bot-nodes which give attackers a stealthy, persistent foothold inside the victim network for further recognizance, exploitation and exfiltration.
We first present several generic firmware modification attacks against HP printers. Weaknesses within the firmware update process allows the attacker to make arbitrary modifications to the NVRAM contents of the device. The attacks we present exploit a functional vulnerability common to all HP printers, and do not depend on any specific code vulnerability. These attacks cannot be prevented by any authentication mechanism on the printer, and can be delivered over the network, either directly or through a print server (active attack) and as hidden payloads within documents (reflexive attack).
In order to demonstrate these firmware modification attacks, we present a detailed description of several common HP firmware RFU (remote firmware update) formats, including the general file format, along with the compression and checksum algorithms used. Furthermore, we will release a tool (HPacker), which can unpack existing RFUs and create/pack arbitrary RFUs. This information was obtained by analysis of publicly available RFUs as well as reverse engineering the SPI BootRom contents of several printers.
Next, we describe the design and operation a sophisticated piece of malware for HP (P2050) printers. Essentially a VxWorks rootkit, this malware is equipped with: port scanner, covert reverse-IP proxy, print-job snooper that can monitor, intercept, manipulate and exfiltrate incoming print-jobs, a live code update mechanism, and more (see presentation outline below). Lastly, we will demonstrate a self-propagation mechanism, turning this malware into a full-blown printer worm.
Using HPacker, we demonstrate the injection of our malware into arbitrary P2050 RFUs, and show how similar malware can be created for other popular HP printer types. Next, we demonstrate the delivery of this modified firmware update over the network to a fully locked-down printer.
Lastly, we present an accurate distribution of all HP printers vulnerable to our attack, as determined by our global embedded device vulnerability scanner (see [1]). Our scan is still incomplete, but extrapolating from available data, we estimate that there exist at least 100,000 HP printers that can be compromised through an active attack, and several million devices that can be compromised through reflexive attacks. We will present a detailed breakdown of the geographical and organizational distribution of observable vulnerable printers in the world.
*We have also unpacked several engine-control processor firmwares (different from the main SoC) and are currently attempting to locate code related to tracking dots. Perhaps we will have some results by December. In any case, HPacker will help the community to do further research in this direction, possibly allowing us to spoof / disable these yellow dots of burden.
- 217 likes, 2 dislikes
-
Top Comments
All Comments (15)
-
ส็็็็็็็็็็็็็็็็็็็็็ส็็็็็็็
็็็็็็็็็็็็็็ส็็็็็็็็็็็็็็็ ็็็็็็ส็็็็็็็็็็็็็็็็็็็็็ส็ ็็็็็็็็็็็็็็็็็็็็ส็็็็็็็็็ ็็็็็็็็็็็็ SPLOITT
1 month ago 6
-
HP also planted a Trojan to capture passwords in the ProLiant Servers and Integrity servers. I have proof . HP sucks
-
HP also planted a key logger in the ProLiant Servers and Integrity servers. I have proof . HP sucks
-
"pwn your entire network" lol
-
@greventlv It's an allusion to many old, and some new text adventure games.
-
Hacks a printer.... Can't work powerpoint.
2 months ago 3
- 2:03
Mythbusters banned from talking about RFID chip by Visa and Mastercardby littletammy20377,503 views
- 0:37
World's Greatest News Anchorby kapishViral22,057,205 views
- 16:09
Feminism and the Disposable Maleby girlwriteswhat211,423 views
- 0:36
Girl with a funny talent. [original video]by theinternetisaweird30,813,475 views
- 18:19
LPS Part 1- men have an equal responsibility?by girlwriteswhat11,404 views
- 2:11
The Strongest Material Known to Manby bigthink666,303 views
- 19:35
Penn Jillette: An Atheist's Guide to the 2012 Electionby bigthink318,075 views
- 0:12
Cop Pwned FAILby javitrevi79516,720 views
- 6:52
28c3 LT Day 3: Ultimate File Sharing Networkby 28c33,560 views
- 54:47
28c3: Datamining for Hackersby 28c33,659 views
- 0:50
3D-printer Reprap Mendel Prusa at work on 28C3by johannesboeck459 views
- 1:25:40
28c3: How governments have tried to block Torby 28c343,199 views
- 1:06:11
28c3: Black Ops of TCP/IP 2011by 28c37,666 views
- 3:13
BBC News: Secret Underground City For Saleby nettledenunderground63,285 views
- 1:25:40
How governments have tried to block Tor [28C3]by CCCen8,291 views
- 51:19
28c3: Apple vs. Google Client Platformsby 28c36,254 views
- 53:13
28c3: Building a Distributed Satellite Ground Station Network - A Call To Armsby 28c316,168 views
- 48:00
28c3: String Oriented Programmingby 28c33,136 views
- 25:53
28c3: Security Log Visualization with a Correlation Engineby 28c31,463 views
- 57:19
28c3: 802.11 Packets in Packetsby 28c33,921 views
LOL! I don't want to eat the microphone, okay! 59:14
jackdeath 2 months ago 31
31:40 - Super Secret Bypass of Crypto-Key enabled.
bjohndick 2 months ago 18