 I present to you your speakers Daniel Romero and Mario Rivas can you hear me yeah okay well Hi everyone and thanks for coming to our talk why you should fear Then office green men where we're going to present on the price printer research. Okay, thanks also to the Scon for giving us this great opportunity Okay. Yes. First of all, just a brief introduction about who we are. This is Mario Rivas and I'm Daniel Romero And both work at a security consultant and researchers at NCC group in the Madrid office. Okay Here you have our twitter account and emails, but if you want to know us better we'll always for a beer. So just ping us Okay, this is agenda. This is a really classical agenda first an introduction about our reset and the tech tool space that we have caught The test analogy Mario will present the testing methodology and some fashions that we have developed and our way across the different possibilities That we have found and after that we will show you some exploit that we have developed and just final brief conclusions Let's go with the introduction Okay The main goal of this research was testing enterprise devices. Okay and figure out the current state of security of them For this reason we thought that printer would be a good target. Okay We selected six different medium-sized enterprise printers And we decided to focus this research in a great teaming approach. Okay. So we did vulnerability research Exploitation and post-exploitation Keep in mind that it was another assessment. So we only need one vulnerability that provides remote code execution We don't need to find all the vulnerabilities that the printers have. Okay And why printers these are really good questions printers have been really well extended same many years ago around the the the companies And they are usually connected to the different networks different bilan so we can use them in order to Pivoting so the different department that company could have okay and obviously information that could be managed by A company is really sensitive. We have corporate information personal financial customers I don't forget information which was include or is included within the configuration. We can have Domain accounts creation password and etc. Okay, and well usually printers are considered low-risk target so probably they are not included within the patch cycle and They probably are not configured securely or properly. Okay, and then we have uncontrolled devices managing really sensitive information and Connected to the most of the company's networks This is an example of this week where Microsoft catches Russian state hackers using printers in order to attack companies for example And why not some better some vendors decided to make a statement like this one. So it is a challenge for us The most important probably Okay, let's go with the tax your face first of all just command that we identify two different operation system within our Printers the real-time operation system or TOS and linux and also we identify many Difference attacks or phases like web applications and web servers web services, sorry mobile applications file parses update and free one analysis Print the languages and services standard services like the Google crowd print or a print management services telnet SNMP and others Precinct approximate attacks like Wi-Fi USB and free and etc. And we also decided to include all the two tasks Postsploitation and hardware analysis. Okay, but obviously we didn't have enough time to cover all these attacks or phases And we finally decided to include the following ones those painted in grays because we didn't include them in all the printers test, okay This is a more detailed picture about our texture phase where you can see the difference elements that we caught during this In this research for example for the printer languages and file formats We decided to include the PGL PGL PCL and PS language formats. Okay Let's go with the testing and methodology So this is the methodology that we mainly use during the research. We started with the state of the art on Setting up our printers and then we chose an scope of four attacks or phases We just saw and then in a cycling process We started searching for vulnerabilities Facing different protocols and findings on crushes then analyzing them and then trying to exploit them in order to gain more knowledge of the device All these while also analyzing the firmware in the cases. We were able to obtain it and also Using the hardware to get some more useful information Talking about fasting we started with dump fosters which are very quick to launch, but also Well, and we continue developing smarter ones which require more time but give better results both techniques gave us great results But we also felt that we were Spending more time that we should So we decided to create our own fuzzer While looking at the state of the art we found two amazing tools Sally and buffas by the way You should operate the the maintainer of buffas and Carl Pearson were here yesterday These two tools have great Modules and great functionalities But we were changing a lot of the code. So we decided to to fork buffas and After Sally and boo and the next one was was ski. So we call this fuzzer ski We wrote it in Python 3 and we changed improve some of the modules like the strong string fuzzing libraries and We also made faster modules to keep oral protocol fuzzers under a single program with a similar behavior Between the rest of the changes we wanted to solve some difficulties that we were having different implementations of the same protocol behave different in different targets and when the device crashes it can go totally down or maybe the The service may stop answering or maybe it just print a stack tracing some debugging the face for this We made a main program with a lot of arguments to avoid touching the code For different targets and we made monitor modules to constantly check the target Then when the device crush it a lot of times we will need to reboot it manually. So we made restart the modules To for example turn off and on a smart plug and adapt to any necessity we were having and then to give usability to the To the fuzzer we made a nice console where we can pause and control the fuzzing session and Do things like retest a suspect packet a suspect this case of crashing a device and Do other things like printing human-readable format the packets that we are sending and We can also save standalone scripts that we can for example send to a manufacturer So let's go with a very quick demo And before that you can see here a typical buffers test case printing and below The our console with the test case the number of test cases or target and some more information about the actual test case Let's go for the demo That's it okay, so we can see below a pink to the Target and We can see above The help with a lot of the common the options that we have The different modules the faster modules that we have developed the restarted modules the monitor modules and other options We are going now to launch the faster to our target the printer one in the port six three one using the internet printing protocol Faster and they get printer attributes command of the IPP protocol And we are also using a restarted module that turns off an on and a smart plug when the device goes down We can see here our cool logo and the console Where with a lot of the commands that we implemented? We are going now to just test the connection sending a non-fast packet to a printer And after checking that the connection is okay Like we are going to go to a different test case and we are going to continue the execution from from there We can see here the different test cases that we are sending like in very similar to buffers and After sending two of them we will see below that we will stop receiving ICMP messages The printer has gone down and now we cannot connect to the target And we are going to use the restarted module to restart the target after that it will wait for it to recover and It will continue the execution automatically and but we don't want to do that We can control see go to the console and we can for example print the suspects Where you can see the five phone and one? And we can also print this test case in a human real format You can see all the Decoded packet and the longest line is you can see we are sending 10,000 C's instead of the default value, which was Ian And we can also say See a proof of concept that we can copy and paste into a script and for example sending to a manufacturer or use it in an exploit Then after these recovers We will retest it to see if it was this test case Which was causing the crash or it was any other reason for that we can use the fast command and We are going to launch the fast command for the five phone and one we will just test this test case And after that we stopped receiving ICMPs again. We have a bug in this case. It was hip buffer flow And we can also save the standard on a script into a file with the crash command and Disable this element to not test it anymore because we already know it's vulnerable and we don't want to spend more time with this so that was the The main demo We we can find all the code after the talk in our external github And let's go for just a bit of hardware We took a very good look at the hardware mainly searching for things that bull help us with the exploitation of things Like the back in their faces like serial ports. You are to a date. I know their information that bull allow us to damn the firmware or other useful information from the memory and While doing that We also were having too much fun playing with the hardware. We did something that we shouldn't and One of the printers will never print again because of that We could say maybe Kill a printer safe a tree. I don't know So one of the first things that we did was looking for exposed memories like in this case where We used a bus pirate which was connected to one of the chips and through the SPI protocol We downloaded the firmware from the from the from that memory We also found serial ports in three of the six printer tested Which also we found some JTAG ports that seem to be disabled and The serial ports were extremely useful as they gave us a lot of information the bug information Errors and the stack traces and this was of course very useful to exploit some of the vulnerabilities that we found also one of them had a Interactive shell that allowed to write and read memory And also execute from arbitrary position. So we decided to make a hardware backdoor with this Which could be implanted with by someone with physical access to the printer in two or three minutes For this we used a Raspberry Pi as you can see in the picture, which was connected to the to the serial port And was also powered by it. So whenever the printer is on or Raspberry Pi will be on And then this Raspberry Pi will connect to an access point and from there we could just Access to this console and have this these capabilities That was a very quick look at the hardware and let's go for some of the most common flows found in most of the printers We started with the web applications and we found really weak default configuration exposing all most services of ILO in the printers more than 20 some cases and we also found that It was giving access to the management panel with the folder without credentials We got the feeling that it was like the pro security of 20 years ago And of course we found a lot of the typical issues in our web like cross-execution, lack of access controls in some functionalities like One that allowed us to do a lot of full backup of the configuration including passwords in clear text of course and Other things like cross-executing issues like one two three and four and a bit more interesting path traversal which allowed us to To download some files, but unfortunately we were only able to download some specific extensions And we are not able to further exploit this to Get closer to our objective which was to get remote connection execution So this is not bad, but we are looking for something that may allow us to get full control of the device So looking at the firmware's we found a few slightly more interesting functionalities like this one You can see there are a lot of information a lot of the back information like authorization and security logs including session cookies And also more information like active directory logs Carver's logs the full list of processors running in the machine and more information about the underlying operating system a Linux in this case In this second case was very similar to the first one with different functionalities and their different URLs and This was very useful to exploit one of the vulnerabilities that we will see later And this third one was even better because it Dily allowed us to download the full memory of the device containing any secret passwords Anything in that at that moment We also use this as a memory leak issue to defeat ASLR when when exploiting one of the issues We will see also that later And of course all this was accessible without any authentication because It's not even in the menus or anything so So going for the memory corruption issues we found a lot of them in a lot of services not only in the web but also in In other services like printer protocols IPP or LPD or SNMP in the Google cloud print implementations Basically a lot more than we could handle or investigate. So we really stopped searching for more We we had basically vulnerabilities everywhere Which lead to crashes everywhere and also some useful extract traces in some of the debug interfaces that we found like this one Where you can see that the PC is overwritten and this is from a exploit that we won't Show you today, but don't worry that is now going to to explain to others that are nice Okay, let's go with a couple of office points example I'm sorry a couple of exploiting samples that we we've we developed for this research This is the first one. This is the easy case and it was formed by one of web application Fosters, okay, as you can see in in the image after sending a crafted HTTP request and we With a long cookie value. We were able to crash the print. So probably this is a basic or stuck buffer from okay But looking into the framework we identified that developers forgot to include boundary checks in the whole code. So probably This is track. So this string and copy here Which is copying the cookie value into a stack array could lead to a stack buffer from Okay, and an important and also important point here is the comb variable the comb variable This is the is the cookie size including the cookie name the equal symbol and the Cookie value, okay, and it for it is for example used in some parts within the within the string copy function like within the the size argument where A Facing bike were subtracted from this for this variable. Okay question here Will be do you really think that there is only one back here? Answer obvious is no imagine that we replace the equal symbol by a semicolon symbol, okay The comb variable will resume in 14 and 14 minus 15 is a negative number So the string copy function will copy a really huge space in memory into the local array So we have two different varieties in the same line Here you have two parts of a concept the first one just send sending a really long cookie value And the second one just replacing the equal symbol by a by a semicolon symbol, okay And thinking about exploitation So it looks looks like that we are going back to the 90s point which scares Let's go to check the different difficulties that we came across the first one is we identify SLR within the stack and the heap we didn't have Software at the back and we are trying to exploit our real-time operation system We saw we need to reverse engineering the firmware in order to identify some potential functionalities for example and Use that that functionalities in or shell code because we don't have a shell here Okay, help us only we have a direct PC overgreet them a potential read write an execute table In the whole space of memory and we have the stack executable Okay, and finally as my committee before in the same printer went if I memory will leak vulnerability That provide that allow us to get the full memory So what what what what we're going to do here is try to use this memory leak in order to bypass the Okay, so the exploitation change should be We're going to send a shell code to the printer between patterns Okay, we're going to use the memory leak vulnerability in order to dump the The memory we're going to try to identify in that memory or shall code and where and try to look into Into where or shall code was located? We're going to try to Trigger the buffer flow and after that jump into or shall code. Okay Okay, but for Our redeeming tools we wanted something more and but so what is the one of the most important data managed by a printer of the The documents and so why don't create a shell code that the steal all documents into the printer and send them throw a reverse shell Which sounds like a good plan. Okay, let's go with the demo for this demo We are going to have two different machines. The first one is the attacker machine Which is going to execute exploit and exploit harder that we will receive the the data from the printer Okay, and the second machine Is a victim machine that we are going to send the the document to the printer Okay, let me check the Video this the Sorry I can say And Okay, here you have the demo sorry for this Okay, uh, this is the the demo Here you have the the attacker machine with uh, with the ip address and below you can see the exploit This point needs three different arguments. The first one is the target ip the target port and the reverse ip We are going to include here the the the attacker machine ip others So we are going to attack the printer one in the port 80 and after that they we are going to include the printer machine Before execute the exploit we are going to execute or exploit handler that we will receive or All data sent from the printer And the listening the pro in the port 137. Okay And after is a good exploit as you can see in the third line We are we are using the memory level activity in order to find All payload in memory. Okay So we have now received a connection from the printer with the sentence had the plan of freeing Because it was included within the shell code. Okay, this is now the The attacker machine the solid the victim machine With a different ip others are what what we're going to do now is sending this document to the printer. Okay We're going to send this document to the printer one Which is this one and after sending the comment You can see here. For example, how the exploit handler receives some data data from the printer Okay, so I'm now converting this data to a pdf and so on after three seconds You can see here how we were able to steal all data all documents and send to the printer. Okay And the printer continues printing normally and our exploit handler Also forward the all data sent to another printer controlled by the attacker So we were able to steal all data all documents and to our printer Thank you Okay, let's go with the second exploit. Uh, this was the easy case. This is going to be the tricky case Uh, as we didn't have software hardware the back and all the protections and difficulties Was implemented in this, uh, this printer So it's not going to be easy to explain Uh, but we will try to okay, so be passionate, please because it's a bit tricky. Okay We found uh, Simulating the same place but for this printer, but in this case we have two different parts in the cookie value Okay, the first part is the first part is something like a hash and the second part separated by a comma It's something like a base 64 string. Okay After reverse engineering the printer frameworks Quantified some potential that vulnerability that could contain this vulnerability Okay, but the most important function was the function that decode the base 64 decode value. Okay Uh, after analyzing this function we identified how a struct was based as argument to this To this function to the base 64 decode function And this has different elements included within this struct the first, uh, elements the source source pointer Which is the base 64 string the second is the destination pointer, which is the Result of the base 64 string that will this will be filled Within this this this function the source line and the destination line. Okay But this function the base 64 function was called by the code in the highlighted area as you can see here We are calling the base 64 decode function and we are passing a struct as argument Okay, and the buffer flow occurs because the destination pointer, which is here Was associated to a local array. So if we send a really long cookie value base 64 encode We are over um The the basis for the code function will overflow the stack. Okay So This was analyzed locally. So we need to corroborate this dynamically. Okay So we use the the unicom framework in order to emulate some some framework If you don't know the unicom framework, uh, this framework allows you to emulate different parts of code That's the the result for example the registers And we decided to create an script that Emulate the the function that get and check the second part of the cooking the string length the base 64 decode And other functions. Okay, and after executing this the Best script where we paste 100 100 ace as in base 64 as argument We were able to identify the the pc register the problem counter is it was over with them by by by ace Okay, we can also see how the stack pointer or all the all it included with the stack pointer We can control all this data And uh the r4 and the r4 and r5 register were also over with them by by ace Okay, this is because the last instruction execution execute before Before trigger all with this is a pop instruction which is popping the r4 r5 and the pop in the pc register Okay, so we have now all the information that we need in order to create official code But everything become inside here We identified that the stack wasn't executable We also identified that we try to to to use many finger addresses in order to create our shell code to our drop change But none of them work properly. Okay, and we also identified the this The printer was using a modified tkernel rtus But the most important point here is that this is a no monolithic operation system and different tasks could be executed at the same time So probably what the coordinate is doing here is take a code from the finger and execute this code in memory in a different address Okay, so this is the reason because we were not able to use Finger addresses to create all the all the shell code or drop change So therefore We didn't know where and how or shall code can be executed. We have something like a slayer or or nubsets We have an x and we didn't where We were not able to identify valid addresses To create all drop change, but we need to we need to identify valid addresses in order to do that. Okay So thinking about it we Thought about different approach that we can use for example reverse engineering the tkernel structure But obviously we didn't have enough time to do this because it could take weeks Reverse engineering the bullet other in order to identify potential static addresses identify static memory But we didn't know what permit like configuration for example But we didn't know what permission could be associated to that piece of code or memory. Sorry But first random addresses that we'll see now On looking for helpers. Okay helpers like this one This is an infinite loop that we found within the bullet other So and we thought that it could be a good option use this infinite loop In order to create a blind exploitation. Okay Imagine that we have a code that we don't know if it was executed or executed or not properly What we can do now is just after that code we're going to try to jump to our infinite loop Okay, if the printer reminds up that means that the code was executed properly If the printer crashes that means that the code was not executed properly So it's something like a blizzard injection but with memory corruptions. Okay Okay, we decided to mix the the infinite loop call helper with The following approach of brute forcing the pc register With potential firmware addresses and figure out what instruction were executed. Let me explain. Okay, the main goal here is We're going to Helping us with the code and go to the infinite loop call helper We're going to try to brute forcing the pc register. Okay And we're going to to try to guess identify what instruction was executing more in memory blindly. Okay So remember that we can control the pc register on all data included within the stack pointer. Okay Imagine that we we're forcing the pc register We finally jump into a popup instruction, but we don't know that this is a popup instruction. Okay And we're going to include some data within our step pocketing like three set of A's and after that the infinite loop address If we execute this code The pc the r0 register will be over grating by the first set of A's. Okay And the second The pc register we will be over grating by the second first of set second set of A's, sorry And so the printer will be down. The printer will crash. Okay But in order to solve this and try to guess what instruction was executed in memory We can change the formation including we included within the stack pointer This is a another example But for this case we're going to Just include one set of A's within the stack pointer and after that the infinite loop address If we execute the same code the same address After the execute this address the r0 register will be over grating by the first set of A's And the pc register will be over grating by the second. Oh, sorry by the second address Which is the infinite loop. So the printer will remind up. So using this methodology We were identified that in memory We are executing memory a pop register. Okay, which is popping a one register And after that the in the problem counter So using this methodology or approach we were able to identify three Instructions in memory the first one in the other's 12 which was an added instruction The second is in the other 14th sorry, which was a pop instruction and in a distance of 500 bytes We were able to identify another pop instruction. Okay, so Our main goal here is to identify the same pattern that we have found in memory in our firmware Okay And we finally were able to identify this pattern but in another address That means that when the kernel is executing this code the kernel is applying an offset to To these to this code and we now know the address that Exactly offset that the kernel is using. Okay This provides useful rope gadgets in order to create all our shell code And potential helpers to continue with the task execution Sorry for that, but this is the way that we found in order to create or exploit Okay, but it was not enough we need more gadgets in order to create or exploit and at this moment we remember That That's my recommended before we remember that another function I don't know everything which allow us what provides us some useful useful information was found in the same printer this Memo leak or information leak vulnerability provides where exactly Images and give were allocated in mobile so we can use this information in order to bypass the slr protection For example and why not we can also use this information in order to create a rope change Okay, we're going to do something like exploitation with images Okay, so we're going to download all the images and give to our laptop And we're going to use the drop gadget script in order to find some interesting drop gadgets Okay, obviously this is not current code current code because they are images But we've were able to identify some useful useful drop gadgets to create all full exploit Okay But we came across with another problem. This was the last problem. I promise you We identify we came across with caches. Okay, so we need to flush the caches. There are some options here like call RM instructions or different Functions like sleep main protectors and others or continue with the execution flow Which is probably the most harder the harder but the most professional option and we choose this option. Yes quickly In order to continue with execution flow we need that or shall code implement three different Parts the first one is or exploit. For example, we can use we can create something like for the previous Exploit where we're going to put the print functionality as still all data through reverse connection The second part Should change the address that we were able we were able to overwrite with the with the property In order to jump in a valid function and then we we want to continue with the execution So we need a valid function that we can create here. Okay, and the third the third part We should align the stack pointer again to a previous pointer because we have for example Execute or payload or change some addresses. So we need to align this stack pointer to a previous state Okay, and after that just trigger the vulnerability as many times as you want. Okay, let's go with the demo for the previous exploit we try to attack The documents of a printer, but for this demo we're going to try to try to attack all information included within the Within a printer data Uh, let me check the demo Okay for for this demo we implemented three different functionalities within the within our All exploit the first one is right So we can write bytes into the into the printer memory and after that jump into that to that memory For example, we can write a shell code and after that jump into our shell code The second is similar to the previous one, but we can write a file that we have in our computer For example in a piece of code and the last one is the read functionality This allow us to read some data from the printer memory But we need a way in order to allocate that memory or copy the memory. Okay, so what we Did here is we're going to try to copy the memory that we want to read in a known place We know where exactly images and give for allocated So we're going to use this piece of memory in order to read the information. Okay Uh What do you need the source address and after that the The the size and here you have the uh the image that we are going to use in order to to exploit this This function, uh here you have seen you can see how it is a normal png header Okay, so we are going to use the read functionality to read this address Reading 500 bytes and you can see here for example how we are reading the information the address that we have set I'm writing this information in another in another address, which is the image. Okay And after that we're going to download again the the image as you can see here The information the included within the image changes and it is now Certificate included within the our printer memory. Okay, so with this function We were able to read credentials to mine accounts Another sensitive information. Okay So let's go with the second The first functionality, which is the right we can write a shellcode for example But for this demo we are going to just write a sentence. So the high regard centers We're not to jump to this This code because it's a it's a sentence and after write this information If we download the game the image we can see for example how the high regard centers was Uh was right in the first In the first line of the image. Okay And let's go with the Third example, which is the right file. So what we're going to do here is we're going to try to overwrite an existing web portal image. Okay So we're going to select Logo that we have in memory are going we are going to try to overwrite an existing image in the in the memory It can take a bit So we are selected a logo and we are writing the information included within the logo in a known others Let's go to move this forward because it takes a bit And after seconds We're going to open the The the web portal image Which is this one that we are going to we're going to overwrite and if we refresh again this image We can see how the hdgl logo overwrite the image that we have in memory So we can control all the information that we have in the printer memory in order to read this or also write this Into into our printer. Okay Let's go with the last part the conclusions Okay, I hope you are all still alive after danie trying to explain this last exploit um Let's go with the responsible vulnerability disclosure. We started this process in february And we got a very mixed response from the vendors Some of them had a very mature procedure for this and we're really quick fixing the issues and publishing patches Especially mentioned to lexmart which response was great And on the other hand some others we could just say that It was easier to find the vulnerabilities than their security department So there is some work to do in that area We already published all the security advisories Most of them two days ago And as a quick overview as you just saw we found a lot of issues in a lot of places Which lead in most cases to remote code execution issues And let's go for the cv party We found uh, well we got 50, uh, cvs Most of them high hand critical risk ones and just don't take the number per manufacturer as an Indicative of their state of security because some of them grouped different vulnerabilities and they're the same entries um Just for a quick reference the full list I'm going for the main conclusions This research aimed to show how the state of security of Common office devices such as printers which are present in most if not all organizations is still Very mature and largely ignored. We found a large number of Critical and high risk issues in all the printers tested And we got Proof of concept for four of them. We show he we shopped here two of them One for documents and one for other data within the printer and we ran out of time to to Show to develop and exploit for the two others So but anyway, there were issues that cooled it easily to that Uh, a lot of cvs and we stopped searching for vulnerabilities So this was important. We think there is a lot more of issues waiting in there And we only checked a few services. Uh, there is a lot more things to research here And by what we saw, uh, the first one looking at this will probably find gold in there And we only checked these printers But we do not expect the same manufacturers having different implementations for some of the protocol sites such as ipp or Different web applications, etc. So probably the number of Devices affected by these issues is huge Much bigger than the number gave by some of the manufacturers We could also say To some vendors that less marketing and more security And the main recommendations for for manufacturers will be to simply invest in securities necessary in all the development Faces of a product For organizations, they should start Conceding these as the threats they are. They have a lot of sensitive information Not only documents, but also Important information in the configuration like passwords, domain credentials, etc And they are connected to their corporate networks. So they are really High risk and no low risk And finally for hackers This is a very mature field if you spend some time with embedded devices starting from the With the very basics you will probably find a lot of issues You will learn a lot and there is a lot of fun in here So you should give it a try And about internet as expected A quick short answer revealed a lot of these devices connected to the internet and we even saw that Some different vendors seem to be using the same code for some things like this Web application of two different ones, which as you can see is quite similar. So maybe we tested more vendors that than we thought And finally, acknowledgments Thanks to The Madrid office to Manly with some feeling most for all their help and support Also, thanks to maribel and chris, which suffered as the most And last but not least, thank you to alvaro Felipe Who was part of the research during the first days and also helped us with great ideas During the the exploitation phases So it was very difficult to put this talk in these months of research in just 45 minutes, but thank you for suffering us That's it