PostScript Danger Ahead
Andrei Costin <andrei@andreicostin.com>
Affiliation: PhD student
PHDAYS2012
whoami: in-between SW/HW hacker
Mifare Classic / MFCUK
Hacking MFPs (for fun & profit)
Holistic Security Interest
http://andreicostin.com/papers

Agenda
1. Quick refresher
2. What about PostScript?
3. So what and how did you find?
4. Attacks in a nutshell
5. Solutions and conclusions

MFPs carry large abuse potential

MFP hacking goes back to the 1960's
"Spies in the Xerox machine"
The "micro"-film camera marked X
Patent drawing, 1967
Electronics/hardware hacking

Modern printer hacking goes back almost a decade
2002: initial printer hacks (FX/pH)
2006: broader & deeper printer hacking (irongeek)
2010-2012: revived printer hacking interest
This talk focuses mainly on remote code execution inside MFPs/printers

In 2010 demo'd mapping public MFPs
http://www.youtube.com/watch?v=t44GibiCoCM

... and generic MFP payload delivery using Word
http://www.youtube.com/watch?v=KrWFOo2RAnk (there are false claims on this discovery)

... and generic MFP payload delivery using Java
http://www.youtube.com/watch?v=JcfxvZml6-Y

Agenda
1. Quick refresher
2. What about PostScript?
3. So what and how did you find?
4. Attacks in a nutshell
5. Solutions and conclusions

PostScript: who? It's Adobe's PDF big brother

PS is built to handle complex processing tasks
Graphics & patterns, complex math, web servers
Ray-tracing, OpenGL, milling machines, XML parsers

Then what exactly is PostScript?
PostScript IS NOT just a static data stream like
PostScript IS a dynamically typed & concatenative, stack-based, Turing-complete programming language
What does it all mean, exactly?

What happens when printing PS?
Case 1: the user writes the doc and hits Print; the PS printer driver transforms it into a PS stream for the specific device; the PS data stream executes on the printer (PRN)
Case 2: the user opens a PS file from email/HDD; a PC-based PS interpreter processes it; the PS data stream executes on the PC
In both cases the PS data stream IS A PS program
Program ≠ static data

Demo 1: "Programming language" aspect
Programming languages 101
Control statements: if/else, loop, while
Simplest DoS attack is an "infinite loop":
{ } loop

Demo 2: "Dynamically typed, concatenative" aspect
You wonder why your smart IDS/IPS rules stopped working?
Here is why:
ps_dynamic_statement_construction_and_execution.ps: obfuscation at its best, built into the language
Solution?
Bad news: you need a dynamic execution sandbox. Good news: it's coming up; see the sandbox slides below.
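The Demo 1 and Demo 2 points together, as an added example that is not part of the original talk: a static triage pass a print server could run in front of the interpreter. It shows why a byte signature for an operator (here the harmless `showpage`) misses a job that assembles the name at run time with `cvn`/`cvx`/`exec`, and why flagging those meta-execution operators and `loop` bodies without `exit` is the workable static check before a job is detonated in a sandbox; the sample jobs and the `triage` function are constructed for this example.

```python
"""Static triage of a PostScript job ahead of the interpreter (constructed example).
Demo 1: `{ } loop` never terminates, so loop bodies without exit are flagged.
Demo 2: the operator really executed is assembled at run time, so a byte
signature never sees it; the meta-execution operators themselves are flagged."""

# Operators that turn data into code at run time: once present, the job's real
# behaviour is only known by executing it, which is what the sandbox is for.
META_EXEC_OPS = {"cvx", "cvn", "exec", "token"}
# Operators that leave the graphics model and touch files or the system.
IO_OPS = {"file", "run", "deletefile", "renamefile", "filenameforall"}
DELIMS = set("(){}[]<>/%")


def tokenize(ps: str):
    """Minimal PS scanner: names/numbers/operators as str, (strings) as
    ('str', text), comments dropped. Hex strings and << >> fall through as
    plain tokens; good enough for triage, not a full parser."""
    i, n = 0, len(ps)
    while i < n:
        c = ps[i]
        if c.isspace():
            i += 1
        elif c == "%":                      # comment runs to end of line
            while i < n and ps[i] != "\n":
                i += 1
        elif c == "(":                      # (string) with nesting and \ escapes
            depth, j = 1, i + 1
            while j < n and depth:
                if ps[j] == "\\":
                    j += 2
                    continue
                depth += {"(": 1, ")": -1}.get(ps[j], 0)
                j += 1
            yield ("str", ps[i + 1:j - 1])
            i = j
        elif c in "{}[]":
            yield c
            i += 1
        else:                               # name, /literal, number, operator
            j = i + 1 if c == "/" else i
            while j < n and not ps[j].isspace() and ps[j] not in DELIMS:
                j += 1
            if j == i:                      # stray delimiter: emit it, move on
                j = i + 1
            yield ps[i:j]
            i = j


def count_unbounded_loops(toks):
    """Count `{ ... } loop` procedures whose body has no exit/stop/quit."""
    stack, hits = [], 0
    for idx, t in enumerate(toks):
        if t == "{":
            stack.append(idx)
        elif t == "}" and stack:
            start = stack.pop()
            if idx + 1 < len(toks) and toks[idx + 1] == "loop":
                if not any(b in ("exit", "stop", "quit") for b in toks[start + 1:idx]):
                    hits += 1
    return hits


def naive_signature_hit(ps: str, signature: str = "showpage") -> bool:
    """What a byte-pattern IDS/IPS rule sees: the literal operator text."""
    return signature in ps


def triage(ps: str) -> dict:
    """'forward' the job to the printer as-is, or 'sandbox' it first, with reasons."""
    toks = list(tokenize(ps))
    names = {t for t in toks if isinstance(t, str)}
    meta, io = sorted(names & META_EXEC_OPS), sorted(names & IO_OPS)
    loops = count_unbounded_loops(toks)
    reasons = []
    if meta:
        reasons.append("run-time code construction: " + " ".join(meta))
    if io:
        reasons.append("file/system access: " + " ".join(io))
    if loops:
        reasons.append(f"{loops} loop body without exit")
    return {"verdict": "sandbox" if reasons else "forward", "meta_exec": meta,
            "io_ops": io, "unbounded_loops": loops, "reasons": reasons}


# Constructed sample jobs (not from the talk).
BENIGN_JOB = """%!PS-Adobe-3.0
%%Title: plain page with a bounded loop
/Helvetica findfont 24 scalefont setfont
72 720 moveto (Hello, PHDays) show
/n 0 def { /n n 1 add def n 10 ge { exit } if } loop
showpage
"""
DYNAMIC_JOB = """%!PS-Adobe-3.0
%%Title: the Demo 2 pattern, assembling a harmless operator name at run time
/s 8 string def
s 0 (show) putinterval
s 4 (page) putinterval
s cvn cvx exec
"""
LOOP_JOB = "%!PS-Adobe-3.0\n%%Title: the Demo 1 infinite loop\n{ } loop\n"
```

Running `triage` over the three samples gives `forward` for the benign page and `sandbox` for the other two, while the literal signature matches only the benign job.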

Demo 3: Real-world application: MS Office PS crash
Submitted to MS
Apparently this is not exploitable as in stack-smashing attacks
But it opens an interesting perspective on MS Office...

Demo 4: Real-world application: Ghostscript autoprn
One has got to love custom extensions
Sends a print-job stream directly, by just opening the file
Requires more investigation, but the perspective is interesting...

Dynamic document forging/generation + SocEng
User computer vs. user printout

Dynamic document forging/generation + SocEng
Computer side: SocEng bait. Printer/MFP side: PS virus

Where is PostScript? (Vendor-wise view)
Applications incorporating the PS interpreter
Applications/vendors producing the PS interpreter
The PS interpreter specifications and standards

Where is PostScript? (Role-wise view)

PostScript, Web 2.0 style
PostScript made it into the web as well: around 20+ services found to be vulnerable to various degrees
Google was one of them -> got a "hall of fame" reward
Some fun facts: effective for host exploitation and information gathering; some ran GS as the root user; some ran GS without -dSAFER; all of them ran vulnerable GS versions
Heap and stack overflows and what-not... More details to come...

Agenda
1. Quick refresher
2. What about PostScript?
3. What else was found?
4. Attacks in a nutshell
5. Solutions and conclusions

A PS-based firmware upload was required

This is too good to be true...
VxWorks API: vx
Debug/QA API: QA
Logging API: EventLog
Billing/Meters API: meter
Pump PWM: pumppwm
RAMdisk API: ramdisk
RAM API: ram
Flash API: flash

Memory dumping reveals computing secrets
SANS Security Predictions 2012/2013: "The Emerging Security Threat: Memory Scraping Will Become More Common"

Admin restrictions fail to prevent memory dumping

Password setup is sniffed by the attacker
1) HTTP GET request: password in clear text
2) HTTP reply

Basic auth password can be dumped
1) Authorization: Basic YWRtaW4yO...
2) HTTP/1.1 200 OK

HTTPS/IPsec secrets are "defaulty" & "leaky"
0x66306630663066306630663066302222

Attacker has access to printed document details

Attacker has access to network topology (no-scan)

Attacker has access to BSD-style sockets...
Two-way BSD-style sockets communication

Analyzed MFP cannot protect effectively
Protection measures (each rated fail / warn / ok):
Privilege level separation
Secure password setup
Secure (basic) auth
HTTPS/IPsec secrets protection
Network topology protection
In-memory document protection
Restrict sockets on unprivileged modules

Plenty of Xerox printers share the affected PS firmware update mechanism

Agenda
1. Quick refresher
2. What about PostScript?
3. So what and how did you find?
4. Attacks in a nutshell
5. Solutions and conclusions

Remote attacks can be used to extract data
Stage 1: SocEng: sent by attachment, or drive-by from the web
Stage 2: Printing: spool malicious byte stream
Stage 3: Exploiting/spying: malware exploits the internal network or extracts data

Agenda
1. Quick refresher
2. What about PostScript?
3. So what and how did you find?
4. Attacks in a nutshell
5. What's next, solutions, conclusions

Network-wise mitigation solution
VLAN1: PCs
VLAN2: PRNs
Print server: PS/PJL-sandboxed
Diagram legend: VLAN networks, unsafe print jobs, safe print jobs

Protocol-wise mitigation solution: PostScript/PJL sandbox
Secure PostScript Execution/Interpreter Sandbox
Set of online/offline tools for analysis & reporting
Wepawet-like, but for PostScript-related data
Subscribe for updates: postscript-sec@andreicostin.com
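The print-server box in the two mitigation slides above, as an added example that is neither the talk's sandbox nor any vendor code: a fail-closed wrapper that executes each job under Ghostscript with -dSAFER, a wall-clock timeout and CPU/memory limits, and forwards only the interpreter's regenerated output, turning the user's program back into static page data. Ghostscript as the interpreter, the ps2write device and the function names are assumptions of this example.

```python
"""Sandboxed print-server step (constructed example, not the talk's tool).
A user job is a PostScript program; instead of forwarding it to the printer,
execute it under Ghostscript with -dSAFER, a timeout and CPU/memory limits, and
forward only the interpreter's regenerated output. Unix-only (resource limits
are applied in the child via preexec_fn)."""
import os
import resource
import subprocess
import tempfile
from dataclasses import dataclass


@dataclass
class SandboxResult:
    forward: bool              # True only when a clean output file was produced
    status: str                # ok | timeout | interpreter-error | interpreter-missing
    output: bytes = b""        # regenerated job, the only thing sent towards VLAN2
    stderr: str = ""


def gs_command(gs_path: str, src: str, dst: str, device: str = "ps2write") -> list:
    """Ghostscript invocation: -dSAFER restricts file and device access (the
    talk found web services running GS without it); ps2write re-emits the
    rendered pages as PostScript written by the interpreter, not by the user."""
    return [gs_path, "-dSAFER", "-dBATCH", "-dNOPAUSE", "-dQUIET",
            f"-sDEVICE={device}", f"-sOutputFile={dst}", src]


def _limit_resources(cpu_seconds: int = 30, mem_bytes: int = 512 * 1024 * 1024):
    """Runs in the child before exec: bound CPU time and address space so a
    `{ } loop` or an allocation bomb cannot take the print server down."""
    resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds))
    resource.setrlimit(resource.RLIMIT_AS, (mem_bytes, mem_bytes))


def sanitize_job(job: bytes, gs_path: str = "gs", timeout: int = 60) -> SandboxResult:
    """Fail closed: any failure inside the sandbox means the job is not forwarded."""
    with tempfile.TemporaryDirectory() as work:
        src, dst = os.path.join(work, "in.ps"), os.path.join(work, "out.ps")
        with open(src, "wb") as f:
            f.write(job)
        try:
            proc = subprocess.run(gs_command(gs_path, src, dst), cwd=work,
                                  capture_output=True, timeout=timeout,
                                  preexec_fn=_limit_resources)
        except FileNotFoundError:                # no interpreter: refuse, do not pass through
            return SandboxResult(False, "interpreter-missing")
        except subprocess.TimeoutExpired as e:   # subprocess.run kills the child for us
            return SandboxResult(False, "timeout",
                                 stderr=(e.stderr or b"").decode(errors="replace"))
        if proc.returncode != 0 or not os.path.isfile(dst):
            return SandboxResult(False, "interpreter-error",
                                 stderr=proc.stderr.decode(errors="replace"))
        with open(dst, "rb") as f:
            return SandboxResult(True, "ok", output=f.read())
```

The ps2write output is still PostScript, only now produced by the interpreter; where the printer fleet allows it, a raster or PCL device is the stricter choice, and the VLAN split above ensures only this server can reach the printers.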

What's next? PS + MSF + FS + Sockets = PWN

Solutions
Actor: suggested actions
Admins:
- Disable PS processing on printers
- Route print jobs through sandboxed print servers
- Replace PS drivers with PCL ones (well...)
- Disable Language Operator Authorization
- Look for security bulletins and patch
- Sandbox printers in your network
- Include MFPs in the security audit lifecycle
Users:
- Do not print from untrusted sources
- Be suspicious of PostScript files
Vendors:
- Create realistic MFP threat models
- Do not enable/expose super-APIs

Acknowledgements
The Xerox-related PostScript work & research done under support of

Acknowledgements
Thanks to EURECOM for great advice and support for this topic

Thanks/resources
Personal thanks:
Igor Marinescu, MihaiSa: great logistic support and friendly help
Xerox Security Team: positive responses, active mitigation
www.tinaja.com: insanely large free PostScript resources dir
www.anastigmatix.net: very good PostScript resources
www.acumentraining.com: very good PostScript resources

Take-aways
MFPs are badly secured computing platforms with large abuse potential
Upcoming MFP attacks could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation, strong credentials and continuous vulnerability patching
Check upcoming research papers. Check www.youtube.com/user/zveriu. Join postscript-sec@andreicostin.com
Questions? Andrei Costin, andrei@andreicostin.com, http://andreicostin.com/papers
PHDAYS2012
whoami in-between SWHW hacker
1
Mifare Classic MFCUK
Hacking MFPs (for fun amp profit) Holistic
Security
Interest
httpandreicostincompapers
PHDAYS2012
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
2
PHDAYS2012
MFPs carry large abuse potential
3
PHDAYS2012
MFP hacking goes back to the 1960rsquos
4
ldquoSpies in the Xerox machinerdquo
The ldquomicrordquo-film camera marked X
Patent drawing 1967
Electronicshardware hacking
PHDAYS2012
Modern printer hacking goes back almost a decade
5
Broader amp deeper printer hacking (irongeek)
Initial printer hacks (FXpH)
2002 2006
Revived printer hacking interest
This talk focuses mainly on remote code execution inside MFPsprinters
2010-2012
PHDAYS2012
In 2010 demorsquod mapping public MFPs
6
httpwwwyoutubecomwatchv=t44GibiCoCM
PHDAYS2012
hellip and generic MFP payload delivery using Word
7
httpwwwyoutubecomwatchv=KrWFOo2RAnk (there are false claims on this discovery)
PHDAYS2012
hellip and generic MFP payload delivery using Java
8
httpwwwyoutubecomwatchv=JcfxvZml6-Y
PHDAYS2012
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
9
PHDAYS2012
PostScript who Itrsquos Adobersquos PDF big brother
10
PHDAYS2012
PS is build to handle complex processing tasks
11
Graphics amp patterns Complex math Web servers
Ray-tracing OpenGL Milling machine XML Parsers
PHDAYS2012
Then what exactly is PostScript
12
PostScript IS NOT just a static data stream like
PostScript IS a
Dynamically typed amp concatenative Stack-based Turing-complete Programming language What does it all mean Exactly
PHDAYS2012
What happens when printing PS
13
User writes the doc and hits Print PS printer driver transforms it to PS stream for specific device PS data stream on PRN
User Opens a PS file from emailhdd
PC-based PS interpreter processes it PS data stream executes on PC
In both cases PS data stream IS A PS program
Program = static data
PHDAYS2012
Demo1 ldquoProgramming languagerdquo aspect
14
Programming languages 101
Control statements ifelse loop while
Simplest DoS attack is an ldquoinfinite looprdquo
loop
PHDAYS2012
Demo2 ldquoDynamically typed concatenative aspect
15
You wonder why your smart IDSIPS rules stopped working
Here is why
ps_dynamic_statement_construction_and_executionps Obfuscation at its best built-into the language
Solution
Bad news Need dynamic execution sandbox Good news Itrsquos coming up ndash see sandbox slides below
PHDAYS2012
Demo3 Real world application ndash MSOffice PS crash
16
Submitted to MS
Apparently this is not exploitable as in smash stack attacks
But it opens an interesting perspective on MS Officehellip
PHDAYS2012
Demo4 Real world application ndash GhostScript autoprn
17
One got to love custom extensions
Sends a print-job stream directly by just opening the file
Requires more investigation but perspective is interestinghellip
PHDAYS2012
Dynamic document forginggeneration + SocEng
18
User computer User printout
PHDAYS2012
Dynamic document forginggeneration + SocEng
19
Computer side ndash SocEng bait PrinterMFP side ndash PS virus
PHDAYS2012
Where is PostScript (Vendor-wise view)
20
Applications incorporating the PS interpreter
Applicationsvendors producing the PS interpreter
The PS interpreter specifications and standards
PHDAYS2012
Where is PostScript (Role-wise view)
21
PHDAYS2012
PostScript Web 20 Style
22
PostScript made it into the web as well Around 20+ services found to be vulnerable to various degrees
Google was one them -gt Got a ldquohall of famerdquo reward Some fun facts
Effective for host exploitation and information gathering Some ran GS as root user Some ran GS without ndashdSAFER All of them ran vulnerable GS versions
Heap and stack overflows and what-nothellip More details to comehellip
PHDAYS2012
Agenda
1 Quick refresher
2 What about PostScript
3 What else was found
4 Attacks in a nutshell
5 Solutions and conclusions
23
PHDAYS2012
A PS-based firmware upload was required
24
PHDAYS2012
This is too good to be truehellip
25
VxWorks API vx
DebugQA API QA
Logging API EventLog
BillingMeters API meter
Pump PWM pumppwm
RAMdisk API ramdisk
RAM API ram
Flash API flash
PHDAYS2012
Memory dumping reveals computing secrets
26
SANS Security Predictions 20122013 - The Emerging Security Threat Memory Scraping Will Become More Common
PHDAYS2012
Admin restriction fail to prevent memory dumping
27
PHDAYS2012
Password setup is sniffed by the attacker
28
1) HTTP GET request ndash password clear text
2) HTTP reply
PHDAYS2012
Basic auth password can be dumped
29
1) Authorization Basic YWRtaW4yOhellip
2) HTTP11 200 OK
PHDAYS2012
HTTPS IPsec secrets are ldquodefaultyrdquo amp ldquoleakyrdquo
30
0x66306630663066306630663066302222
PHDAYS2012
Attacker has access to printed document details
31
PHDAYS2012
Attacker has access to network topology ndash no-scan
32
PHDAYS2012
Attacker has access to BSD-style socketshellip
33
Two-way BSD-style sockets communication
PHDAYS2012
Analyzed MFP cannot protect effectively
34
Privilege level separation
Secure password setup
Secure (basic) auth
HTTPS IPSEC secrets protection
Network topology protection
In-memory document protection
Restrict sockets on unprivileged modules
Protection measures Fail warn ok
PHDAYS2012
Plenty of Xerox printers share affected PS firmware update mechanism
35
PHDAYS2012
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
36
PHDAYS2012
Remote attacks can be used to extract data
37
Sent
by
Drive-
by
Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying
attachment
from
web
Malware exploits
internal netw or
extracts data
Spool
malicious
byte
stream
PHDAYS2012
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Whatrsquos next solutions conclusions
38
PHDAYS2012
Network-wise mitigation solution
39
VLAN1 PCs
VLAN2 PRNs
Print Server PSPJL-sandboxed
VLAN networks Unsafe print jobs Safe print jobs
PHDAYS2012
Protocol-wise mitigation solution PostScriptPJL sandbox
40
Secure PostScript ExecutionInterpreter Sandbox Set of onlineoffline tools for analysis amp reporting Wepawet-like but for PostScript related data Subscribe for updates postscript-secandreicostincom
PHDAYS2012
Whatrsquos next PS + MSF + FS + Sockets = PWN
41
PHDAYS2012
Solutions
42
Admins bull Disable PS processing on printers bull Route print-jobs thru sandboxed print-servers bull Replace PS drivers with PCL ones (wellhellip) bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sandbox printers in your network bull Include MFPs in security audit lifecycle
Users bull Do not print from untrusted sources bull Be suspicious on PostScript files
Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs
Actor Suggested actions
PHDAYS2012
Acknowledgements
43
The Xerox-related PostScript work amp research done under support of
PHDAYS2012
Acknowledgements
44
Thanks to EURECOM for great advise and support for this topic
PHDAYS2012
Thanksresources
45
Personal thanks
Igor Marinescu MihaiSa Great logistic support and friendly help
Xerox Security Team Positive responses active mitigation
wwwtinajacom Insanely large free postscript resources dir
wwwanastigmatixnet Very good postscript resources
wwwacumentrainingcom Very good postscript resources
PHDAYS2012
Take aways
46
Questions Andrei Costin andreiandreicostincom httpandreicostincompapers
Upcoming MFP attack could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Check upcoming research papers Check wwwyoutubecomuserzveriu Join postscript-secandreicostincom
PHDAYS2012
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
2
PHDAYS2012
MFPs carry large abuse potential
3
PHDAYS2012
MFP hacking goes back to the 1960rsquos
4
ldquoSpies in the Xerox machinerdquo
The ldquomicrordquo-film camera marked X
Patent drawing 1967
Electronicshardware hacking
PHDAYS2012
Modern printer hacking goes back almost a decade
5
Broader amp deeper printer hacking (irongeek)
Initial printer hacks (FXpH)
2002 2006
Revived printer hacking interest
This talk focuses mainly on remote code execution inside MFPsprinters
2010-2012
PHDAYS2012
In 2010 demorsquod mapping public MFPs
6
httpwwwyoutubecomwatchv=t44GibiCoCM
PHDAYS2012
hellip and generic MFP payload delivery using Word
7
httpwwwyoutubecomwatchv=KrWFOo2RAnk (there are false claims on this discovery)
PHDAYS2012
hellip and generic MFP payload delivery using Java
8
httpwwwyoutubecomwatchv=JcfxvZml6-Y
PHDAYS2012
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
9
PHDAYS2012
PostScript who Itrsquos Adobersquos PDF big brother
10
PHDAYS2012
PS is build to handle complex processing tasks
11
Graphics amp patterns Complex math Web servers
Ray-tracing OpenGL Milling machine XML Parsers
PHDAYS2012
Then what exactly is PostScript
12
PostScript IS NOT just a static data stream like
PostScript IS a
Dynamically typed amp concatenative Stack-based Turing-complete Programming language What does it all mean Exactly
PHDAYS2012
What happens when printing PS
13
User writes the doc and hits Print PS printer driver transforms it to PS stream for specific device PS data stream on PRN
User Opens a PS file from emailhdd
PC-based PS interpreter processes it PS data stream executes on PC
In both cases PS data stream IS A PS program
Program = static data
PHDAYS2012
Demo1 ldquoProgramming languagerdquo aspect
14
Programming languages 101
Control statements ifelse loop while
Simplest DoS attack is an ldquoinfinite looprdquo
loop
PHDAYS2012
Demo2 ldquoDynamically typed concatenative aspect
15
You wonder why your smart IDSIPS rules stopped working
Here is why
ps_dynamic_statement_construction_and_executionps Obfuscation at its best built-into the language
Solution
Bad news Need dynamic execution sandbox Good news Itrsquos coming up ndash see sandbox slides below
PHDAYS2012
Demo3 Real world application ndash MSOffice PS crash
16
Submitted to MS
Apparently this is not exploitable as in smash stack attacks
But it opens an interesting perspective on MS Officehellip
PHDAYS2012
Demo4 Real world application ndash GhostScript autoprn
17
One got to love custom extensions
Sends a print-job stream directly by just opening the file
Requires more investigation but perspective is interestinghellip
PHDAYS2012
Dynamic document forginggeneration + SocEng
18
User computer User printout
PHDAYS2012
Dynamic document forginggeneration + SocEng
19
Computer side ndash SocEng bait PrinterMFP side ndash PS virus
PHDAYS2012
Where is PostScript (Vendor-wise view)
20
Applications incorporating the PS interpreter
Applicationsvendors producing the PS interpreter
The PS interpreter specifications and standards
PHDAYS2012
Where is PostScript (Role-wise view)
21
PHDAYS2012
PostScript Web 20 Style
22
PostScript made it into the web as well Around 20+ services found to be vulnerable to various degrees
Google was one them -gt Got a ldquohall of famerdquo reward Some fun facts
Effective for host exploitation and information gathering Some ran GS as root user Some ran GS without ndashdSAFER All of them ran vulnerable GS versions
Heap and stack overflows and what-nothellip More details to comehellip
PHDAYS2012
Agenda
1 Quick refresher
2 What about PostScript
3 What else was found
4 Attacks in a nutshell
5 Solutions and conclusions
23
PHDAYS2012
A PS-based firmware upload was required
24
PHDAYS2012
This is too good to be truehellip
25
VxWorks API vx
DebugQA API QA
Logging API EventLog
BillingMeters API meter
Pump PWM pumppwm
RAMdisk API ramdisk
RAM API ram
Flash API flash
PHDAYS2012
Memory dumping reveals computing secrets
26
SANS Security Predictions 20122013 - The Emerging Security Threat Memory Scraping Will Become More Common
PHDAYS2012
Admin restriction fail to prevent memory dumping
27
PHDAYS2012
Password setup is sniffed by the attacker
28
1) HTTP GET request ndash password clear text
2) HTTP reply
PHDAYS2012
Basic auth password can be dumped
29
1) Authorization Basic YWRtaW4yOhellip
2) HTTP11 200 OK
PHDAYS2012
HTTPS IPsec secrets are ldquodefaultyrdquo amp ldquoleakyrdquo
30
0x66306630663066306630663066302222
PHDAYS2012
Attacker has access to printed document details
31
PHDAYS2012
Attacker has access to network topology ndash no-scan
32
PHDAYS2012
Attacker has access to BSD-style socketshellip
33
Two-way BSD-style sockets communication
PHDAYS2012
Analyzed MFP cannot protect effectively
34
Privilege level separation
Secure password setup
Secure (basic) auth
HTTPS IPSEC secrets protection
Network topology protection
In-memory document protection
Restrict sockets on unprivileged modules
Protection measures Fail warn ok
PHDAYS2012
Plenty of Xerox printers share affected PS firmware update mechanism
35
PHDAYS2012
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
36
PHDAYS2012
Remote attacks can be used to extract data
37
Sent
by
Drive-
by
Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying
attachment
from
web
Malware exploits
internal netw or
extracts data
Spool
malicious
byte
stream
PHDAYS2012
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Whatrsquos next solutions conclusions
38
PHDAYS2012
Network-wise mitigation solution
39
VLAN1 PCs
VLAN2 PRNs
Print Server PSPJL-sandboxed
VLAN networks Unsafe print jobs Safe print jobs
PHDAYS2012
Protocol-wise mitigation solution PostScriptPJL sandbox
40
Secure PostScript ExecutionInterpreter Sandbox Set of onlineoffline tools for analysis amp reporting Wepawet-like but for PostScript related data Subscribe for updates postscript-secandreicostincom
PHDAYS2012
Whatrsquos next PS + MSF + FS + Sockets = PWN
41
PHDAYS2012
Solutions
42
Admins bull Disable PS processing on printers bull Route print-jobs thru sandboxed print-servers bull Replace PS drivers with PCL ones (wellhellip) bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sandbox printers in your network bull Include MFPs in security audit lifecycle
Users bull Do not print from untrusted sources bull Be suspicious on PostScript files
Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs
Actor Suggested actions
PHDAYS2012
Acknowledgements
43
The Xerox-related PostScript work amp research done under support of
PHDAYS2012
Acknowledgements
44
Thanks to EURECOM for great advise and support for this topic
PHDAYS2012
Thanksresources
45
Personal thanks
Igor Marinescu MihaiSa Great logistic support and friendly help
Xerox Security Team Positive responses active mitigation
wwwtinajacom Insanely large free postscript resources dir
wwwanastigmatixnet Very good postscript resources
wwwacumentrainingcom Very good postscript resources
PHDAYS2012
Take aways
46
Questions Andrei Costin andreiandreicostincom httpandreicostincompapers
Upcoming MFP attack could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Check upcoming research papers Check wwwyoutubecomuserzveriu Join postscript-secandreicostincom
PHDAYS2012
MFPs carry large abuse potential
3
PHDAYS2012
MFP hacking goes back to the 1960rsquos
4
ldquoSpies in the Xerox machinerdquo
The ldquomicrordquo-film camera marked X
Patent drawing 1967
Electronicshardware hacking
PHDAYS2012
Modern printer hacking goes back almost a decade
5
Broader amp deeper printer hacking (irongeek)
Initial printer hacks (FXpH)
2002 2006
Revived printer hacking interest
This talk focuses mainly on remote code execution inside MFPsprinters
2010-2012
PHDAYS2012
In 2010 demorsquod mapping public MFPs
6
httpwwwyoutubecomwatchv=t44GibiCoCM
PHDAYS2012
hellip and generic MFP payload delivery using Word
7
httpwwwyoutubecomwatchv=KrWFOo2RAnk (there are false claims on this discovery)
PHDAYS2012
hellip and generic MFP payload delivery using Java
8
httpwwwyoutubecomwatchv=JcfxvZml6-Y
PHDAYS2012
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
9
PHDAYS2012
PostScript who Itrsquos Adobersquos PDF big brother
10
PHDAYS2012
PS is build to handle complex processing tasks
11
Graphics amp patterns Complex math Web servers
Ray-tracing OpenGL Milling machine XML Parsers
PHDAYS2012
Then what exactly is PostScript
12
PostScript IS NOT just a static data stream like
PostScript IS a
Dynamically typed amp concatenative Stack-based Turing-complete Programming language What does it all mean Exactly
PHDAYS2012
What happens when printing PS
13
User writes the doc and hits Print PS printer driver transforms it to PS stream for specific device PS data stream on PRN
User Opens a PS file from emailhdd
PC-based PS interpreter processes it PS data stream executes on PC
In both cases PS data stream IS A PS program
Program = static data
PHDAYS2012
Demo1 ldquoProgramming languagerdquo aspect
14
Programming languages 101
Control statements ifelse loop while
Simplest DoS attack is an ldquoinfinite looprdquo
loop
PHDAYS2012
Demo2 ldquoDynamically typed concatenative aspect
15
You wonder why your smart IDSIPS rules stopped working
Here is why
ps_dynamic_statement_construction_and_executionps Obfuscation at its best built-into the language
Solution
Bad news Need dynamic execution sandbox Good news Itrsquos coming up ndash see sandbox slides below
PHDAYS2012
Demo3 Real world application ndash MSOffice PS crash
16
Submitted to MS
Apparently this is not exploitable as in smash stack attacks
But it opens an interesting perspective on MS Officehellip
PHDAYS2012
Demo4 Real world application ndash GhostScript autoprn
17
One got to love custom extensions
Sends a print-job stream directly by just opening the file
Requires more investigation but perspective is interestinghellip
PHDAYS2012
Dynamic document forginggeneration + SocEng
18
User computer User printout
PHDAYS2012
Dynamic document forginggeneration + SocEng
19
Computer side ndash SocEng bait PrinterMFP side ndash PS virus
PHDAYS2012
Where is PostScript (Vendor-wise view)
20
Applications incorporating the PS interpreter
Applicationsvendors producing the PS interpreter
The PS interpreter specifications and standards
PHDAYS2012
Where is PostScript (Role-wise view)
21
PHDAYS2012
PostScript Web 20 Style
22
PostScript made it into the web as well Around 20+ services found to be vulnerable to various degrees
Google was one them -gt Got a ldquohall of famerdquo reward Some fun facts
Effective for host exploitation and information gathering Some ran GS as root user Some ran GS without ndashdSAFER All of them ran vulnerable GS versions
Heap and stack overflows and what-nothellip More details to comehellip
PHDAYS2012
Agenda
1 Quick refresher
2 What about PostScript
3 What else was found
4 Attacks in a nutshell
5 Solutions and conclusions
23
PHDAYS2012
A PS-based firmware upload was required
24
PHDAYS2012
This is too good to be truehellip
25
VxWorks API vx
DebugQA API QA
Logging API EventLog
BillingMeters API meter
Pump PWM pumppwm
RAMdisk API ramdisk
RAM API ram
Flash API flash
PHDAYS2012
Memory dumping reveals computing secrets
26
SANS Security Predictions 20122013 - The Emerging Security Threat Memory Scraping Will Become More Common
PHDAYS2012
Admin restriction fail to prevent memory dumping
27
PHDAYS2012
Password setup is sniffed by the attacker
28
1) HTTP GET request ndash password clear text
2) HTTP reply
PHDAYS2012
Basic auth password can be dumped
29
1) Authorization Basic YWRtaW4yOhellip
2) HTTP11 200 OK
PHDAYS2012
HTTPS IPsec secrets are ldquodefaultyrdquo amp ldquoleakyrdquo
30
0x66306630663066306630663066302222
PHDAYS2012
Attacker has access to printed document details
31
PHDAYS2012
Attacker has access to network topology ndash no-scan
32
PHDAYS2012
Attacker has access to BSD-style socketshellip
33
Two-way BSD-style sockets communication
PHDAYS2012
Analyzed MFP cannot protect effectively
34
Privilege level separation
Secure password setup
Secure (basic) auth
HTTPS IPSEC secrets protection
Network topology protection
In-memory document protection
Restrict sockets on unprivileged modules
Protection measures Fail warn ok
PHDAYS2012
Plenty of Xerox printers share affected PS firmware update mechanism
35
PHDAYS2012
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
36
PHDAYS2012
Remote attacks can be used to extract data
37
Sent
by
Drive-
by
Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying
attachment
from
web
Malware exploits
internal netw or
extracts data
Spool
malicious
byte
stream
PHDAYS2012
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Whatrsquos next solutions conclusions
38
PHDAYS2012
Network-wise mitigation solution
39
VLAN1 PCs
VLAN2 PRNs
Print Server PSPJL-sandboxed
VLAN networks Unsafe print jobs Safe print jobs
PHDAYS2012
Protocol-wise mitigation solution PostScriptPJL sandbox
40
Secure PostScript ExecutionInterpreter Sandbox Set of onlineoffline tools for analysis amp reporting Wepawet-like but for PostScript related data Subscribe for updates postscript-secandreicostincom
PHDAYS2012
Whatrsquos next PS + MSF + FS + Sockets = PWN
41
PHDAYS2012
Solutions
42
Admins bull Disable PS processing on printers bull Route print-jobs thru sandboxed print-servers bull Replace PS drivers with PCL ones (wellhellip) bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sandbox printers in your network bull Include MFPs in security audit lifecycle
Users bull Do not print from untrusted sources bull Be suspicious on PostScript files
Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs
Actor Suggested actions
PHDAYS2012
Acknowledgements
43
The Xerox-related PostScript work amp research done under support of
PHDAYS2012
Acknowledgements
44
Thanks to EURECOM for great advise and support for this topic
PHDAYS2012
Thanksresources
45
Personal thanks
Igor Marinescu MihaiSa Great logistic support and friendly help
Xerox Security Team Positive responses active mitigation
wwwtinajacom Insanely large free postscript resources dir
wwwanastigmatixnet Very good postscript resources
wwwacumentrainingcom Very good postscript resources
PHDAYS2012
Take aways
46
Questions Andrei Costin andreiandreicostincom httpandreicostincompapers
Upcoming MFP attack could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Check upcoming research papers Check wwwyoutubecomuserzveriu Join postscript-secandreicostincom
PHDAYS2012
hellip and generic MFP payload delivery using Java
8
httpwwwyoutubecomwatchv=JcfxvZml6-Y
PHDAYS2012
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
9
PHDAYS2012
PostScript who Itrsquos Adobersquos PDF big brother
10
PHDAYS2012
PS is build to handle complex processing tasks
11
Graphics amp patterns Complex math Web servers
Ray-tracing OpenGL Milling machine XML Parsers
PHDAYS2012
Then what exactly is PostScript
12
PostScript IS NOT just a static data stream like
PostScript IS a
Dynamically typed amp concatenative Stack-based Turing-complete Programming language What does it all mean Exactly
PHDAYS2012
What happens when printing PS
13
User writes the doc and hits Print PS printer driver transforms it to PS stream for specific device PS data stream on PRN
User Opens a PS file from emailhdd
PC-based PS interpreter processes it PS data stream executes on PC
In both cases PS data stream IS A PS program
Program = static data
PHDAYS2012
Demo1 ldquoProgramming languagerdquo aspect
14
Programming languages 101
Control statements ifelse loop while
Simplest DoS attack is an ldquoinfinite looprdquo
loop
PHDAYS2012
Demo2 ldquoDynamically typed concatenative aspect
15
You wonder why your smart IDSIPS rules stopped working
Here is why
ps_dynamic_statement_construction_and_executionps Obfuscation at its best built-into the language
Solution
Bad news Need dynamic execution sandbox Good news Itrsquos coming up ndash see sandbox slides below
PHDAYS2012
Demo3 Real world application ndash MSOffice PS crash
16
Submitted to MS
Apparently this is not exploitable as in smash stack attacks
But it opens an interesting perspective on MS Officehellip
PHDAYS2012
Demo4 Real world application ndash GhostScript autoprn
17
One got to love custom extensions
Sends a print-job stream directly by just opening the file
Requires more investigation but perspective is interestinghellip
PHDAYS2012
Dynamic document forginggeneration + SocEng
18
User computer User printout
PHDAYS2012
Dynamic document forginggeneration + SocEng
19
Computer side ndash SocEng bait PrinterMFP side ndash PS virus
PHDAYS2012
Where is PostScript (Vendor-wise view)
20
Applications incorporating the PS interpreter
Applicationsvendors producing the PS interpreter
The PS interpreter specifications and standards
PHDAYS2012
Where is PostScript (Role-wise view)
21
PHDAYS2012
PostScript Web 20 Style
22
PostScript made it into the web as well Around 20+ services found to be vulnerable to various degrees
Google was one them -gt Got a ldquohall of famerdquo reward Some fun facts
Effective for host exploitation and information gathering Some ran GS as root user Some ran GS without ndashdSAFER All of them ran vulnerable GS versions
Heap and stack overflows and what-nothellip More details to comehellip
PHDAYS2012
Agenda
1 Quick refresher
2 What about PostScript
3 What else was found
4 Attacks in a nutshell
5 Solutions and conclusions
23
PHDAYS2012
A PS-based firmware upload was required
(figure only)
This is too good to be true...
Super-APIs found exposed on the device (API: identifier as named in the firmware):
VxWorks API: vx
Debug/QA API: QA
Logging API: EventLog
Billing/Meters API: meter
Pump PWM: pumppwm
RAMdisk API: ramdisk
RAM API: ram
Flash API: flash
Memory dumping reveals computing secrets
Cf. SANS Security Predictions 2012/2013, "The emerging security threat: memory scraping will become more common".
Admin restrictions fail to prevent memory dumping
(figure only)
Password setup is sniffed by the attacker
1) HTTP GET request: the password travels in clear text (in the request line, so it also lands in proxy and server logs)
2) HTTP reply
Basic auth password can be dumped
1) Authorization: Basic YWRtaW4yO...
2) HTTP/1.1 200 OK
The Basic scheme is only base64, so the header decodes straight back to user:password, whether it is sniffed on the wire or found in a memory dump.
HTTPS / IPsec secrets are "defaulty" & "leaky"
0x66306630663066306630663066302222
Read as ASCII, these 16 bytes are f0f0f0f0f0f0f0 followed by two double-quote characters: a fixed repeating pattern, not a random secret.
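The triage a responder would run over the three findings above, as an added example (not tooling from the talk): parse captured requests to the MFP's web interface, pull passwords out of clear-text GET query strings, decode Basic authorization headers, and flag a dumped secret whose bytes are a short repeating pattern. The captures, the host 192.0.2.10, the parameter list and the credential admin:Pr1nter! are all constructed placeholders; the only value taken from the slides is the hex dump 0x6630...2222.

```python
"""Added example: credential-exposure triage for captured HTTP traffic to
an MFP web UI, plus a fixed-pattern check for a dumped secret. All
requests, hosts and credentials below are constructed placeholders."""
import base64
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Query parameter names that commonly carry a password in embedded-device
# web UIs (assumption; extend from your own captures).
PASSWORD_PARAMS = {"password", "passwd", "pwd", "pass", "newpassword"}

# Constructed captures, one raw request per entry.
CAPTURES = [
    "GET /setpassword.cgi?user=admin&password=Pr1nter%21 HTTP/1.1\r\n"
    "Host: 192.0.2.10\r\n\r\n",
    "GET /status HTTP/1.1\r\nHost: 192.0.2.10\r\n"
    "Authorization: Basic YWRtaW46UHIxbnRlciE=\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n",
]


def parse_request(raw: str):
    """Split a raw HTTP request into (method, target, headers); header
    names are lower-cased for lookup."""
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def query_passwords(target: str) -> list:
    """Password-like parameters sent in the clear in the request line."""
    qs = parse_qs(urlsplit(target).query)
    return [(k, v[0]) for k, v in qs.items() if k.lower() in PASSWORD_PARAMS]


def basic_auth_credentials(headers: dict) -> Optional[tuple]:
    """Basic auth is base64, not encryption: the header decodes directly to
    user:password for anyone on the path or holding a memory dump."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, _, password = decoded.partition(":")
    return user, password


def triage(captures: list) -> list:
    """One finding line per exposed credential."""
    findings = []
    for raw in captures:
        method, target, headers = parse_request(raw)
        path = urlsplit(target).path
        for name, value in query_passwords(target):
            findings.append(f"{method} {path}: clear-text {name}={value}")
        creds = basic_auth_credentials(headers)
        if creds:
            findings.append(f"{method} {path}: Basic auth {creds[0]}:{creds[1]}")
    return findings


def smallest_period(s: str) -> int:
    """Length of the shortest unit whose repetition forms `s`; a short
    period on a supposedly random secret marks it as a default value."""
    for p in range(1, len(s) + 1):
        if len(s) % p == 0 and s[:p] * (len(s) // p) == s:
            return p
    return len(s)


def dump_secret_looks_default(hex_dump: str) -> bool:
    """Decode a hex dump of a stored secret, drop surrounding quote and NUL
    bytes, and flag values made of a one- or two-character repeat."""
    raw = bytes.fromhex(hex_dump.removeprefix("0x"))
    text = raw.decode("ascii", errors="replace").strip('"\x00')
    return smallest_period(text) <= 2


if __name__ == "__main__":
    for line in triage(CAPTURES):
        print(line)
    # The value shown on the "defaulty & leaky" slide.
    print(dump_secret_looks_default("0x66306630663066306630663066302222"))
```

The same parsing applies to requests recovered from a device memory dump rather than a pcap; the slide's point is that the Basic header is as good as the clear-text GET once the bytes are in the attacker's hands.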
Attacker has access to printed document details
(figure only)
Attacker has access to the network topology, with no scan needed
(figure only)
Attacker has access to BSD-style sockets...
Two-way BSD-style socket communication from inside the device.
Analyzed MFP cannot protect effectively
Protection measures assessed (the fail / warn / ok verdict column is not recoverable from this text):
• Privilege level separation
• Secure password setup
• Secure (basic) auth
• HTTPS / IPsec secrets protection
• Network topology protection
• In-memory document protection
• Restrict sockets on unprivileged modules
Plenty of Xerox printers share the affected PS firmware-update mechanism
(figure only)
Agenda (section 4): Attacks in a nutshell
Remote attacks can be used to extract data
Stage 1, SocEng: the malicious document is sent by e-mail attachment or delivered drive-by from the web.
Stage 2, Printing: the malicious byte stream is spooled to the printer.
Stage 3, Exploiting/spying: the malware exploits the internal network or extracts data.
Agenda (section 5): What's next, solutions, conclusions
Network-wise mitigation solution
VLAN1: PCs. VLAN2: printers. Between them, a print server running a PS/PJL sandbox: unsafe print jobs go from the PC VLAN to the print server only, and only safe print jobs go from the print server to the printer VLAN.
Protocol-wise mitigation solution: a PostScript/PJL sandbox
• Secure PostScript execution/interpreter sandbox
• Set of online/offline tools for analysis & reporting
• Wepawet-like, but for PostScript-related data
• Subscribe for updates: postscript-sec@andreicostin.com
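What the print server between VLAN1 and VLAN2 has to do, as an added example (this is not the sandbox announced on the slide, nor the talk's code): classify the spooled job, strip the PJL envelope, and re-render PostScript through Ghostscript with -dSAFER inside a time and memory limit, so that a { } loop job from Demo 1 is killed instead of hanging the printer, and a job that reaches VLAN2 is always output the server rendered itself. The Ghostscript flags -dSAFER, -dBATCH, -dNOPAUSE, -q, -sDEVICE and -sOutputFile are real options; the function names, the 30 s / 512 MiB limits and the sample jobs are this example's own choices.

```python
"""Added example: a minimal PS/PJL sandboxing filter for a print server.
Ghostscript options are real; function names, limits and sample jobs are
constructed for this example and are not the talk's code."""
import os
import resource
import subprocess
import tempfile

UEL = b"\x1b%-12345X"  # PJL Universal Exit Language sequence


def classify_job(data: bytes) -> str:
    """Language of a spooled job from its leading bytes."""
    head = data[:512]
    if head.startswith(UEL) or b"@PJL" in head:
        return "pjl"
    if head.lstrip().startswith(b"%!"):
        return "postscript"
    if head.startswith(b"\x1bE"):
        return "pcl"
    return "unknown"


def strip_pjl(data: bytes) -> bytes:
    """Remove the PJL envelope (UEL sequences and @PJL lines) and return the
    embedded payload; clients never get to send raw PJL to the printer."""
    lines = data.replace(UEL, b"").split(b"\n")
    return b"\n".join(line for line in lines if not line.startswith(b"@PJL"))


def gs_sandbox_argv(src: str, dst: str, device: str = "pdfwrite") -> list:
    """Ghostscript command line that re-renders an untrusted job to a fresh
    file: -dSAFER restricts file and device operators, -dBATCH/-dNOPAUSE
    keep the run non-interactive, -q drops the banner, and the explicit
    output device means only rendered output is ever forwarded."""
    return ["gs", "-dSAFER", "-dBATCH", "-dNOPAUSE", "-q",
            f"-sDEVICE={device}", f"-sOutputFile={dst}", src]


def _limit_resources(mem_bytes: int) -> None:
    # Runs in the child before exec: cap the address space so a job that
    # allocates without bound dies instead of exhausting the print server.
    resource.setrlimit(resource.RLIMIT_AS, (mem_bytes, mem_bytes))


def render_job(data: bytes, dst: str, timeout_s: int = 30,
               mem_bytes: int = 512 * 1024 * 1024) -> tuple:
    """Return (accepted, detail). Rendered output lands in `dst`; a job that
    never terminates, such as `{ } loop`, is killed at the timeout and
    rejected rather than tying up the interpreter or the printer."""
    if classify_job(data) == "pjl":
        data = strip_pjl(data)
    kind = classify_job(data)
    if kind != "postscript":
        return False, f"unsupported job language: {kind}"
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "job.ps")
        with open(src, "wb") as fh:
            fh.write(data)
        try:
            proc = subprocess.run(
                gs_sandbox_argv(src, dst), capture_output=True,
                timeout=timeout_s,
                preexec_fn=lambda: _limit_resources(mem_bytes))
        except subprocess.TimeoutExpired:
            return False, "interpreter did not finish: possible infinite loop"
    if proc.returncode != 0 or not os.path.exists(dst):
        err = proc.stderr.decode(errors="replace").strip()
        return False, err[:200] or "render failed"
    return True, dst


if __name__ == "__main__":
    # Constructed jobs: a benign page and the infinite-loop DoS from Demo 1,
    # the latter wrapped in a PJL envelope as a driver would send it.
    BENIGN = (b"%!PS-Adobe-3.0\n/Helvetica findfont 24 scalefont setfont\n"
              b"72 700 moveto (hello) show showpage\n")
    DOS = (UEL + b"@PJL JOB\n@PJL ENTER LANGUAGE = POSTSCRIPT\n"
           b"%!PS\n{ } loop\n" + UEL)
    for name, job in (("benign", BENIGN), ("dos", DOS)):
        print(name, render_job(job, f"/tmp/{name}.pdf", timeout_s=5))
```

Two caveats belong with this. -dSAFER is a restriction inside the interpreter, not an OS boundary, and it has had bypasses over the years, so the gs process should additionally run as an unprivileged user in its own container or jail and be kept patched (the Web 2.0 slide's root-and-unpatched findings are exactly what this guards against). The filter also rejects PCL and raw PJL rather than passing them through; whatever the printer VLAN receives is something the server rendered itself.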
What's next: PS + MSF + FS + Sockets = PWN
Solutions (actor: suggested actions)
Admins:
• Disable PS processing on printers
• Route print jobs through sandboxed print servers
• Replace PS drivers with PCL ones (well...)
• Disable Language Operator Authorization
• Look for security bulletins and patch
• Sandbox printers in your network
• Include MFPs in the security audit lifecycle
Users:
• Do not print from untrusted sources
• Be suspicious of PostScript files
Vendors:
• Create realistic MFP threat models
• Do not enable/expose super-APIs
Acknowledgements
The Xerox-related PostScript work & research was done under the support of
Thanks to EURECOM for great advice and support on this topic.
Thanks / resources
Personal thanks:
• Igor Marinescu, MihaiSa: great logistic support and friendly help
• Xerox Security Team: positive responses, active mitigation
• www.tinaja.com: insanely large free PostScript resources directory
• www.anastigmatix.net: very good PostScript resources
• www.acumentraining.com: very good PostScript resources
Take-aways
• MFPs are badly secured computing platforms with large abuse potential
• Upcoming MFP attacks could include viruses in Office and PS documents that extract organization data
• Securing the MFP infrastructure requires better segmentation, strong credentials and continuous vulnerability patching
Check upcoming research papers; check www.youtube.com/user/zveriu; join postscript-sec@andreicostin.com
Questions? Andrei Costin, andrei@andreicostin.com, http://andreicostin.com/papers
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
9
PHDAYS2012
PostScript who Itrsquos Adobersquos PDF big brother
10
PHDAYS2012
PS is build to handle complex processing tasks
11
Graphics amp patterns Complex math Web servers
Ray-tracing OpenGL Milling machine XML Parsers
PHDAYS2012
Then what exactly is PostScript
12
PostScript IS NOT just a static data stream like
PostScript IS a
Dynamically typed amp concatenative Stack-based Turing-complete Programming language What does it all mean Exactly
PHDAYS2012
What happens when printing PS
13
User writes the doc and hits Print PS printer driver transforms it to PS stream for specific device PS data stream on PRN
User Opens a PS file from emailhdd
PC-based PS interpreter processes it PS data stream executes on PC
In both cases PS data stream IS A PS program
Program = static data
PHDAYS2012
Demo1 ldquoProgramming languagerdquo aspect
14
Programming languages 101
Control statements ifelse loop while
Simplest DoS attack is an ldquoinfinite looprdquo
loop
PHDAYS2012
Demo2 ldquoDynamically typed concatenative aspect
15
You wonder why your smart IDSIPS rules stopped working
Here is why
ps_dynamic_statement_construction_and_executionps Obfuscation at its best built-into the language
Solution
Bad news Need dynamic execution sandbox Good news Itrsquos coming up ndash see sandbox slides below
PHDAYS2012
Demo3 Real world application ndash MSOffice PS crash
16
Submitted to MS
Apparently this is not exploitable as in smash stack attacks
But it opens an interesting perspective on MS Officehellip
PHDAYS2012
Demo4 Real world application ndash GhostScript autoprn
17
One got to love custom extensions
Sends a print-job stream directly by just opening the file
Requires more investigation but perspective is interestinghellip
PHDAYS2012
Dynamic document forginggeneration + SocEng
18
User computer User printout
PHDAYS2012
Dynamic document forginggeneration + SocEng
19
Computer side ndash SocEng bait PrinterMFP side ndash PS virus
PHDAYS2012
Where is PostScript (Vendor-wise view)
20
Applications incorporating the PS interpreter
Applicationsvendors producing the PS interpreter
The PS interpreter specifications and standards
PHDAYS2012
Where is PostScript (Role-wise view)
21
PHDAYS2012
PostScript Web 20 Style
22
PostScript made it into the web as well Around 20+ services found to be vulnerable to various degrees
Google was one them -gt Got a ldquohall of famerdquo reward Some fun facts
Effective for host exploitation and information gathering Some ran GS as root user Some ran GS without ndashdSAFER All of them ran vulnerable GS versions
Heap and stack overflows and what-nothellip More details to comehellip
PHDAYS2012
Agenda
1 Quick refresher
2 What about PostScript
3 What else was found
4 Attacks in a nutshell
5 Solutions and conclusions
23
PHDAYS2012
A PS-based firmware upload was required
24
PHDAYS2012
This is too good to be truehellip
25
VxWorks API vx
DebugQA API QA
Logging API EventLog
BillingMeters API meter
Pump PWM pumppwm
RAMdisk API ramdisk
RAM API ram
Flash API flash
PHDAYS2012
Memory dumping reveals computing secrets
26
SANS Security Predictions 20122013 - The Emerging Security Threat Memory Scraping Will Become More Common
PHDAYS2012
Admin restriction fail to prevent memory dumping
27
PHDAYS2012
Password setup is sniffed by the attacker
28
1) HTTP GET request ndash password clear text
2) HTTP reply
PHDAYS2012
Basic auth password can be dumped
29
1) Authorization Basic YWRtaW4yOhellip
2) HTTP11 200 OK
PHDAYS2012
HTTPS IPsec secrets are ldquodefaultyrdquo amp ldquoleakyrdquo
30
0x66306630663066306630663066302222
PHDAYS2012
Attacker has access to printed document details
31
PHDAYS2012
Attacker has access to network topology ndash no-scan
32
PHDAYS2012
Attacker has access to BSD-style socketshellip
33
Two-way BSD-style sockets communication
PHDAYS2012
Analyzed MFP cannot protect effectively
34
Privilege level separation
Secure password setup
Secure (basic) auth
HTTPS IPSEC secrets protection
Network topology protection
In-memory document protection
Restrict sockets on unprivileged modules
Protection measures Fail warn ok
PHDAYS2012
Plenty of Xerox printers share affected PS firmware update mechanism
35
PHDAYS2012
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
36
PHDAYS2012
Remote attacks can be used to extract data
37
Sent
by
Drive-
by
Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying
attachment
from
web
Malware exploits
internal netw or
extracts data
Spool
malicious
byte
stream
PHDAYS2012
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Whatrsquos next solutions conclusions
38
PHDAYS2012
Network-wise mitigation solution
39
VLAN1 PCs
VLAN2 PRNs
Print Server PSPJL-sandboxed
VLAN networks Unsafe print jobs Safe print jobs
PHDAYS2012
Protocol-wise mitigation solution PostScriptPJL sandbox
40
Secure PostScript ExecutionInterpreter Sandbox Set of onlineoffline tools for analysis amp reporting Wepawet-like but for PostScript related data Subscribe for updates postscript-secandreicostincom
PHDAYS2012
Whatrsquos next PS + MSF + FS + Sockets = PWN
41
PHDAYS2012
Solutions
42
Admins bull Disable PS processing on printers bull Route print-jobs thru sandboxed print-servers bull Replace PS drivers with PCL ones (wellhellip) bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sandbox printers in your network bull Include MFPs in security audit lifecycle
Users bull Do not print from untrusted sources bull Be suspicious on PostScript files
Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs
Actor Suggested actions
PHDAYS2012
Acknowledgements
43
The Xerox-related PostScript work amp research done under support of
PHDAYS2012
Acknowledgements
44
Thanks to EURECOM for great advise and support for this topic
PHDAYS2012
Thanksresources
45
Personal thanks
Igor Marinescu MihaiSa Great logistic support and friendly help
Xerox Security Team Positive responses active mitigation
wwwtinajacom Insanely large free postscript resources dir
wwwanastigmatixnet Very good postscript resources
wwwacumentrainingcom Very good postscript resources
PHDAYS2012
Take aways
46
Questions Andrei Costin andreiandreicostincom httpandreicostincompapers
Upcoming MFP attack could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Check upcoming research papers Check wwwyoutubecomuserzveriu Join postscript-secandreicostincom
PHDAYS2012
PostScript who Itrsquos Adobersquos PDF big brother
10
PHDAYS2012
PS is build to handle complex processing tasks
11
Graphics amp patterns Complex math Web servers
Ray-tracing OpenGL Milling machine XML Parsers
PHDAYS2012
Then what exactly is PostScript
12
PostScript IS NOT just a static data stream like
PostScript IS a
Dynamically typed amp concatenative Stack-based Turing-complete Programming language What does it all mean Exactly
PHDAYS2012
What happens when printing PS
13
User writes the doc and hits Print PS printer driver transforms it to PS stream for specific device PS data stream on PRN
User Opens a PS file from emailhdd
PC-based PS interpreter processes it PS data stream executes on PC
In both cases PS data stream IS A PS program
Program = static data
PHDAYS2012
Demo1 ldquoProgramming languagerdquo aspect
14
Programming languages 101
Control statements ifelse loop while
Simplest DoS attack is an ldquoinfinite looprdquo
loop
PHDAYS2012
Demo2 ldquoDynamically typed concatenative aspect
15
You wonder why your smart IDSIPS rules stopped working
Here is why
ps_dynamic_statement_construction_and_executionps Obfuscation at its best built-into the language
Solution
Bad news Need dynamic execution sandbox Good news Itrsquos coming up ndash see sandbox slides below
PHDAYS2012
Demo3 Real world application ndash MSOffice PS crash
16
Submitted to MS
Apparently this is not exploitable as in smash stack attacks
But it opens an interesting perspective on MS Officehellip
PHDAYS2012
Demo4 Real world application ndash GhostScript autoprn
17
One got to love custom extensions
Sends a print-job stream directly by just opening the file
Requires more investigation but perspective is interestinghellip
PHDAYS2012
Dynamic document forginggeneration + SocEng
18
User computer User printout
PHDAYS2012
Dynamic document forginggeneration + SocEng
19
Computer side ndash SocEng bait PrinterMFP side ndash PS virus
PHDAYS2012
Where is PostScript (Vendor-wise view)
20
Applications incorporating the PS interpreter
Applicationsvendors producing the PS interpreter
The PS interpreter specifications and standards
PHDAYS2012
Where is PostScript (Role-wise view)
21
PHDAYS2012
PostScript Web 20 Style
22
PostScript made it into the web as well Around 20+ services found to be vulnerable to various degrees
Google was one them -gt Got a ldquohall of famerdquo reward Some fun facts
Effective for host exploitation and information gathering Some ran GS as root user Some ran GS without ndashdSAFER All of them ran vulnerable GS versions
Heap and stack overflows and what-nothellip More details to comehellip
PHDAYS2012
Agenda
1 Quick refresher
2 What about PostScript
3 What else was found
4 Attacks in a nutshell
5 Solutions and conclusions
23
PHDAYS2012
A PS-based firmware upload was required
24
PHDAYS2012
This is too good to be truehellip
25
VxWorks API vx
DebugQA API QA
Logging API EventLog
BillingMeters API meter
Pump PWM pumppwm
RAMdisk API ramdisk
RAM API ram
Flash API flash
PHDAYS2012
Memory dumping reveals computing secrets
26
SANS Security Predictions 20122013 - The Emerging Security Threat Memory Scraping Will Become More Common
PHDAYS2012
Admin restriction fail to prevent memory dumping
27
PHDAYS2012
Password setup is sniffed by the attacker
28
1) HTTP GET request ndash password clear text
2) HTTP reply
PHDAYS2012
Basic auth password can be dumped
29
1) Authorization Basic YWRtaW4yOhellip
2) HTTP11 200 OK
PHDAYS2012
HTTPS IPsec secrets are ldquodefaultyrdquo amp ldquoleakyrdquo
30
0x66306630663066306630663066302222
PHDAYS2012
Attacker has access to printed document details
31
PHDAYS2012
Attacker has access to network topology ndash no-scan
32
PHDAYS2012
Attacker has access to BSD-style socketshellip
33
Two-way BSD-style sockets communication
PHDAYS2012
Analyzed MFP cannot protect effectively
34
Privilege level separation
Secure password setup
Secure (basic) auth
HTTPS IPSEC secrets protection
Network topology protection
In-memory document protection
Restrict sockets on unprivileged modules
Protection measures Fail warn ok
PHDAYS2012
Plenty of Xerox printers share affected PS firmware update mechanism
35
PHDAYS2012
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
36
PHDAYS2012
Remote attacks can be used to extract data
37
Sent
by
Drive-
by
Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying
attachment
from
web
Malware exploits
internal netw or
extracts data
Spool
malicious
byte
stream
PHDAYS2012
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Whatrsquos next solutions conclusions
38
PHDAYS2012
Network-wise mitigation solution
39
VLAN1 PCs
VLAN2 PRNs
Print Server PSPJL-sandboxed
VLAN networks Unsafe print jobs Safe print jobs
PHDAYS2012
Protocol-wise mitigation solution PostScriptPJL sandbox
40
Secure PostScript ExecutionInterpreter Sandbox Set of onlineoffline tools for analysis amp reporting Wepawet-like but for PostScript related data Subscribe for updates postscript-secandreicostincom
PHDAYS2012
Whatrsquos next PS + MSF + FS + Sockets = PWN
41
PHDAYS2012
Solutions
42
Admins bull Disable PS processing on printers bull Route print-jobs thru sandboxed print-servers bull Replace PS drivers with PCL ones (wellhellip) bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sandbox printers in your network bull Include MFPs in security audit lifecycle
Users bull Do not print from untrusted sources bull Be suspicious on PostScript files
Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs
Actor Suggested actions
PHDAYS2012
Acknowledgements
43
The Xerox-related PostScript work amp research done under support of
PHDAYS2012
Acknowledgements
44
Thanks to EURECOM for great advise and support for this topic
PHDAYS2012
Thanksresources
45
Personal thanks
Igor Marinescu MihaiSa Great logistic support and friendly help
Xerox Security Team Positive responses active mitigation
wwwtinajacom Insanely large free postscript resources dir
wwwanastigmatixnet Very good postscript resources
wwwacumentrainingcom Very good postscript resources
PHDAYS2012
Take aways
46
Questions Andrei Costin andreiandreicostincom httpandreicostincompapers
Upcoming MFP attack could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Check upcoming research papers Check wwwyoutubecomuserzveriu Join postscript-secandreicostincom
PHDAYS2012
PS is build to handle complex processing tasks
11
Graphics amp patterns Complex math Web servers
Ray-tracing OpenGL Milling machine XML Parsers
PHDAYS2012
Then what exactly is PostScript
12
PostScript IS NOT just a static data stream like
PostScript IS a
Dynamically typed amp concatenative Stack-based Turing-complete Programming language What does it all mean Exactly
PHDAYS2012
What happens when printing PS
13
User writes the doc and hits Print PS printer driver transforms it to PS stream for specific device PS data stream on PRN
User Opens a PS file from emailhdd
PC-based PS interpreter processes it PS data stream executes on PC
In both cases PS data stream IS A PS program
Program = static data
PHDAYS2012
Demo1 ldquoProgramming languagerdquo aspect
14
Programming languages 101
Control statements ifelse loop while
Simplest DoS attack is an ldquoinfinite looprdquo
loop
PHDAYS2012
Demo2 ldquoDynamically typed concatenative aspect
15
You wonder why your smart IDSIPS rules stopped working
Here is why
ps_dynamic_statement_construction_and_executionps Obfuscation at its best built-into the language
Solution
Bad news Need dynamic execution sandbox Good news Itrsquos coming up ndash see sandbox slides below
PHDAYS2012
Demo3 Real world application ndash MSOffice PS crash
16
Submitted to MS
Apparently this is not exploitable as in smash stack attacks
But it opens an interesting perspective on MS Officehellip
PHDAYS2012
Demo4 Real world application ndash GhostScript autoprn
17
One got to love custom extensions
Sends a print-job stream directly by just opening the file
Requires more investigation but perspective is interestinghellip
PHDAYS2012
Dynamic document forginggeneration + SocEng
18
User computer User printout
PHDAYS2012
Dynamic document forginggeneration + SocEng
19
Computer side ndash SocEng bait PrinterMFP side ndash PS virus
PHDAYS2012
Where is PostScript (Vendor-wise view)
20
Applications incorporating the PS interpreter
Applicationsvendors producing the PS interpreter
The PS interpreter specifications and standards
PHDAYS2012
Where is PostScript (Role-wise view)
21
PHDAYS2012
PostScript Web 20 Style
22
PostScript made it into the web as well Around 20+ services found to be vulnerable to various degrees
Google was one them -gt Got a ldquohall of famerdquo reward Some fun facts
Effective for host exploitation and information gathering Some ran GS as root user Some ran GS without ndashdSAFER All of them ran vulnerable GS versions
Heap and stack overflows and what-nothellip More details to comehellip
PHDAYS2012
Agenda
1 Quick refresher
2 What about PostScript
3 What else was found
4 Attacks in a nutshell
5 Solutions and conclusions
23
PHDAYS2012
A PS-based firmware upload was required
24
PHDAYS2012
This is too good to be truehellip
25
VxWorks API vx
DebugQA API QA
Logging API EventLog
BillingMeters API meter
Pump PWM pumppwm
RAMdisk API ramdisk
RAM API ram
Flash API flash
PHDAYS2012
Memory dumping reveals computing secrets
26
SANS Security Predictions 20122013 - The Emerging Security Threat Memory Scraping Will Become More Common
PHDAYS2012
Admin restriction fail to prevent memory dumping
27
PHDAYS2012
Password setup is sniffed by the attacker
28
1) HTTP GET request ndash password clear text
2) HTTP reply
PHDAYS2012
Basic auth password can be dumped
29
1) Authorization Basic YWRtaW4yOhellip
2) HTTP11 200 OK
PHDAYS2012
HTTPS IPsec secrets are ldquodefaultyrdquo amp ldquoleakyrdquo
30
0x66306630663066306630663066302222
PHDAYS2012
Attacker has access to printed document details
31
PHDAYS2012
Attacker has access to network topology ndash no-scan
32
PHDAYS2012
Attacker has access to BSD-style socketshellip
33
Two-way BSD-style sockets communication
PHDAYS2012
Analyzed MFP cannot protect effectively
34
Privilege level separation
Secure password setup
Secure (basic) auth
HTTPS IPSEC secrets protection
Network topology protection
In-memory document protection
Restrict sockets on unprivileged modules
Protection measures Fail warn ok
PHDAYS2012
Plenty of Xerox printers share affected PS firmware update mechanism
35
PHDAYS2012
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
36
PHDAYS2012
Remote attacks can be used to extract data
37
Sent
by
Drive-
by
Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying
attachment
from
web
Malware exploits
internal netw or
extracts data
Spool
malicious
byte
stream
PHDAYS2012
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Whatrsquos next solutions conclusions
38
PHDAYS2012
Network-wise mitigation solution
39
VLAN1 PCs
VLAN2 PRNs
Print Server PSPJL-sandboxed
VLAN networks Unsafe print jobs Safe print jobs
PHDAYS2012
Protocol-wise mitigation solution PostScriptPJL sandbox
40
Secure PostScript ExecutionInterpreter Sandbox Set of onlineoffline tools for analysis amp reporting Wepawet-like but for PostScript related data Subscribe for updates postscript-secandreicostincom
PHDAYS2012
Whatrsquos next PS + MSF + FS + Sockets = PWN
41
PHDAYS2012
Solutions
42
Admins bull Disable PS processing on printers bull Route print-jobs thru sandboxed print-servers bull Replace PS drivers with PCL ones (wellhellip) bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sandbox printers in your network bull Include MFPs in security audit lifecycle
Users bull Do not print from untrusted sources bull Be suspicious on PostScript files
Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs
Actor Suggested actions
PHDAYS2012
Acknowledgements
43
The Xerox-related PostScript work amp research done under support of
PHDAYS2012
Acknowledgements
44
Thanks to EURECOM for great advise and support for this topic
PHDAYS2012
Thanksresources
45
Personal thanks
Igor Marinescu MihaiSa Great logistic support and friendly help
Xerox Security Team Positive responses active mitigation
wwwtinajacom Insanely large free postscript resources dir
wwwanastigmatixnet Very good postscript resources
wwwacumentrainingcom Very good postscript resources
PHDAYS2012
Take aways
46
Questions Andrei Costin andreiandreicostincom httpandreicostincompapers
Upcoming MFP attack could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Check upcoming research papers Check wwwyoutubecomuserzveriu Join postscript-secandreicostincom
PHDAYS2012
Then what exactly is PostScript
12
PostScript IS NOT just a static data stream like
PostScript IS a
Dynamically typed amp concatenative Stack-based Turing-complete Programming language What does it all mean Exactly
PHDAYS2012
What happens when printing PS
13
User writes the doc and hits Print PS printer driver transforms it to PS stream for specific device PS data stream on PRN
User Opens a PS file from emailhdd
PC-based PS interpreter processes it PS data stream executes on PC
In both cases PS data stream IS A PS program
Program = static data
PHDAYS2012
Demo1 ldquoProgramming languagerdquo aspect
14
Programming languages 101
Control statements ifelse loop while
Simplest DoS attack is an ldquoinfinite looprdquo
loop
PHDAYS2012
Demo2 ldquoDynamically typed concatenative aspect
15
You wonder why your smart IDSIPS rules stopped working
Here is why
ps_dynamic_statement_construction_and_executionps Obfuscation at its best built-into the language
Solution
Bad news Need dynamic execution sandbox Good news Itrsquos coming up ndash see sandbox slides below
PHDAYS2012
Demo3 Real world application ndash MSOffice PS crash
16
Submitted to MS
Apparently this is not exploitable as in smash stack attacks
But it opens an interesting perspective on MS Officehellip
PHDAYS2012
Demo4 Real world application ndash GhostScript autoprn
17
One got to love custom extensions
Sends a print-job stream directly by just opening the file
Requires more investigation but perspective is interestinghellip
PHDAYS2012
Dynamic document forginggeneration + SocEng
18
User computer User printout
PHDAYS2012
Dynamic document forginggeneration + SocEng
19
Computer side ndash SocEng bait PrinterMFP side ndash PS virus
PHDAYS2012
Where is PostScript (Vendor-wise view)
20
Applications incorporating the PS interpreter
Applicationsvendors producing the PS interpreter
The PS interpreter specifications and standards
PHDAYS2012
Where is PostScript (Role-wise view)
21
PHDAYS2012
PostScript Web 20 Style
22
PostScript made it into the web as well Around 20+ services found to be vulnerable to various degrees
Google was one them -gt Got a ldquohall of famerdquo reward Some fun facts
Effective for host exploitation and information gathering Some ran GS as root user Some ran GS without ndashdSAFER All of them ran vulnerable GS versions
Heap and stack overflows and what-nothellip More details to comehellip
PHDAYS2012
Agenda
1 Quick refresher
2 What about PostScript
3 What else was found
4 Attacks in a nutshell
5 Solutions and conclusions
23
PHDAYS2012
A PS-based firmware upload was required
24
PHDAYS2012
This is too good to be truehellip
25
VxWorks API vx
DebugQA API QA
Logging API EventLog
BillingMeters API meter
Pump PWM pumppwm
RAMdisk API ramdisk
RAM API ram
Flash API flash
PHDAYS2012
Memory dumping reveals computing secrets
26
SANS Security Predictions 20122013 - The Emerging Security Threat Memory Scraping Will Become More Common
PHDAYS2012
Admin restriction fail to prevent memory dumping
27
PHDAYS2012
Password setup is sniffed by the attacker
28
1) HTTP GET request ndash password clear text
2) HTTP reply
PHDAYS2012
Basic auth password can be dumped
29
1) Authorization Basic YWRtaW4yOhellip
2) HTTP11 200 OK
PHDAYS2012
HTTPS IPsec secrets are ldquodefaultyrdquo amp ldquoleakyrdquo
30
0x66306630663066306630663066302222
PHDAYS2012
Attacker has access to printed document details
31
PHDAYS2012
Attacker has access to network topology ndash no-scan
32
PHDAYS2012
Attacker has access to BSD-style socketshellip
33
Two-way BSD-style sockets communication
PHDAYS2012
Analyzed MFP cannot protect effectively
34
Privilege level separation
Secure password setup
Secure (basic) auth
HTTPS IPSEC secrets protection
Network topology protection
In-memory document protection
Restrict sockets on unprivileged modules
Protection measures Fail warn ok
PHDAYS2012
Plenty of Xerox printers share affected PS firmware update mechanism
35
PHDAYS2012
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
36
PHDAYS2012
Remote attacks can be used to extract data
37
Sent
by
Drive-
by
Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying
attachment
from
web
Malware exploits
internal netw or
extracts data
Spool
malicious
byte
stream
PHDAYS2012
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Whatrsquos next solutions conclusions
38
PHDAYS2012
Network-wise mitigation solution
39
VLAN1 PCs
VLAN2 PRNs
Print Server PSPJL-sandboxed
VLAN networks Unsafe print jobs Safe print jobs
PHDAYS2012
Protocol-wise mitigation solution PostScriptPJL sandbox
40
Secure PostScript ExecutionInterpreter Sandbox Set of onlineoffline tools for analysis amp reporting Wepawet-like but for PostScript related data Subscribe for updates postscript-secandreicostincom
PHDAYS2012
Whatrsquos next PS + MSF + FS + Sockets = PWN
41
PHDAYS2012
Solutions
42
Admins bull Disable PS processing on printers bull Route print-jobs thru sandboxed print-servers bull Replace PS drivers with PCL ones (wellhellip) bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sandbox printers in your network bull Include MFPs in security audit lifecycle
Users bull Do not print from untrusted sources bull Be suspicious on PostScript files
Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs
Actor Suggested actions
PHDAYS2012
Acknowledgements
43
The Xerox-related PostScript work amp research done under support of
PHDAYS2012
Acknowledgements
44
Thanks to EURECOM for great advise and support for this topic
PHDAYS2012
Thanksresources
45
Personal thanks
Igor Marinescu MihaiSa Great logistic support and friendly help
Xerox Security Team Positive responses active mitigation
wwwtinajacom Insanely large free postscript resources dir
wwwanastigmatixnet Very good postscript resources
wwwacumentrainingcom Very good postscript resources
PHDAYS2012
Take aways
46
Questions Andrei Costin andreiandreicostincom httpandreicostincompapers
Upcoming MFP attack could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Check upcoming research papers Check wwwyoutubecomuserzveriu Join postscript-secandreicostincom
PHDAYS2012
What happens when printing PS
13
User writes the doc and hits Print PS printer driver transforms it to PS stream for specific device PS data stream on PRN
User Opens a PS file from emailhdd
PC-based PS interpreter processes it PS data stream executes on PC
In both cases PS data stream IS A PS program
Program = static data
PHDAYS2012
Demo1 ldquoProgramming languagerdquo aspect
14
Programming languages 101
Control statements ifelse loop while
Simplest DoS attack is an ldquoinfinite looprdquo
loop
PHDAYS2012
Demo2 ldquoDynamically typed concatenative aspect
15
You wonder why your smart IDSIPS rules stopped working
Here is why
ps_dynamic_statement_construction_and_executionps Obfuscation at its best built-into the language
Solution
Bad news Need dynamic execution sandbox Good news Itrsquos coming up ndash see sandbox slides below
PHDAYS2012
Demo3 Real world application ndash MSOffice PS crash
16
Submitted to MS
Apparently this is not exploitable as in smash stack attacks
But it opens an interesting perspective on MS Officehellip
PHDAYS2012
Demo4 Real world application ndash GhostScript autoprn
17
One got to love custom extensions
Sends a print-job stream directly by just opening the file
Requires more investigation but perspective is interestinghellip
PHDAYS2012
Slide 18: Dynamic document forging/generation + SocEng
[Figure: user computer vs. user printout]
Slide 19: Dynamic document forging/generation + SocEng
Computer side – SocEng bait; printer/MFP side – PS virus
Slide 20: Where is PostScript? (Vendor-wise view)
• Applications incorporating the PS interpreter
• Applications/vendors producing the PS interpreter
• The PS interpreter specifications and standards
Slide 21: Where is PostScript? (Role-wise view)
[Figure only]
Slide 22: PostScript, Web 2.0 style
PostScript made it into the web as well: around 20+ services were found to be vulnerable to various degrees. Google was one of them -> got a “hall of fame” reward.
Some fun facts:
• Effective for host exploitation and information gathering
• Some ran GS as root user
• Some ran GS without -dSAFER
• All of them ran vulnerable GS versions
• Heap and stack overflows and what-not… More details to come…
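The findings above (Ghostscript run as root, run without -dSAFER, jobs with no bound on run time) all come down to how the interpreter is invoked. As an added example, not code from the talk, this is a wrapper an operator of such a web service, or of the sandboxed print server proposed later in the deck, could put around gs. The switches are real Ghostscript options; the resource limits, the pdfwrite output device, the minimal environment and the path rules are assumptions for this demo.

```python
"""Guard rails for interpreting untrusted PostScript with Ghostscript.

Added example (not from the talk): never run as root, always pass -dSAFER,
and cap CPU, memory, output size and wall time so a `{ } loop` job or a
memory-hungry job cannot take the host down.
"""
import os
import resource
import shutil
import subprocess

# Switches every invocation on untrusted input must carry.
REQUIRED_SWITCHES = ("-dSAFER", "-dBATCH", "-dNOPAUSE")


def is_safe_input_path(path):
    """Ghostscript reads a leading '-' as a switch and a leading '@' as an
    argument file, so an input file name must start with neither."""
    return bool(path) and path[0] not in "-@"


def build_gs_command(ps_path, out_pdf, gs="gs"):
    """Argument vector (no shell involved) for rendering untrusted PS to PDF."""
    if not is_safe_input_path(ps_path):
        raise ValueError(f"unsafe input path: {ps_path!r}")
    return [
        gs, "-q", *REQUIRED_SWITCHES,     # -dSAFER: no file/device access from PS
        "-sDEVICE=pdfwrite",              # assumed output device for this demo
        f"-sOutputFile={out_pdf}",
        ps_path,
    ]


def has_required_switches(cmd):
    """True when the vector carries every switch in REQUIRED_SWITCHES."""
    return all(s in cmd for s in REQUIRED_SWITCHES)


def runtime_problems(euid=None, gs="gs"):
    """Preconditions that must hold before a job is started; empty means ok."""
    problems = []
    euid = os.geteuid() if euid is None else euid
    if euid == 0:
        problems.append("running as root")
    if shutil.which(gs) is None:
        problems.append(f"gs not found: {gs}")
    return problems


def _apply_limits(cpu_seconds=20, mem_bytes=512 * 2**20, out_bytes=50 * 2**20):
    """Runs in the child before exec: cap CPU time, address space, file size."""
    resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds))
    resource.setrlimit(resource.RLIMIT_AS, (mem_bytes, mem_bytes))
    resource.setrlimit(resource.RLIMIT_FSIZE, (out_bytes, out_bytes))


def render_untrusted(ps_path, out_pdf, wall_seconds=30):
    """Render one job; returns 'ok', 'failed' or 'timeout'."""
    problems = runtime_problems()
    if problems:
        raise RuntimeError("; ".join(problems))
    cmd = build_gs_command(ps_path, out_pdf)
    assert has_required_switches(cmd)
    try:
        proc = subprocess.run(
            cmd, capture_output=True, timeout=wall_seconds,
            preexec_fn=_apply_limits,            # resource limits in the child
            env={"PATH": "/usr/bin:/bin"},       # minimal environment (assumed)
        )
    except subprocess.TimeoutExpired:            # e.g. the infinite-loop DoS job
        return "timeout"
    return "ok" if proc.returncode == 0 else "failed"


if __name__ == "__main__":
    import sys
    print(render_untrusted(sys.argv[1], sys.argv[2]))
```

The wrapper does not address the third finding, vulnerable Ghostscript versions; that one is only fixed by patching, which the Solutions slide lists for admins.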
Slide 23: Agenda
1. Quick refresher
2. What about PostScript
3. What else was found
4. Attacks in a nutshell
5. Solutions and conclusions
Slide 24: A PS-based firmware upload was required
[Figure only]
Slide 25: This is too good to be true…
• VxWorks API – vx
• Debug/QA API – QA
• Logging API – EventLog
• Billing/Meters API – meter
• Pump PWM – pumppwm
• RAMdisk API – ramdisk
• RAM API – ram
• Flash API – flash
Slide 26: Memory dumping reveals computing secrets
SANS Security Predictions 2012/2013 – The Emerging Security Threat: Memory Scraping Will Become More Common
Slide 27: Admin restrictions fail to prevent memory dumping
[Figure only]
Slide 28: Password setup is sniffed by the attacker
1) HTTP GET request – password in clear text
2) HTTP reply
Slide 29: Basic auth password can be dumped
1) Authorization: Basic YWRtaW4yO…
2) HTTP/1.1 200 OK
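Slides 28 and 29 show the admin password crossing the wire twice: once inside a GET request and once in an HTTP Basic Authorization header, which is only base64 and decodes to user:password. The check below, added here and not part of the talk, audits a plain-text capture of requests to a printer's web interface for both exposures and reports the user name and the secret's length rather than the secret itself. The capture, its host name, paths, parameter names and credentials are constructed sample values, not any vendor's, and PASSWORD_PARAMS is an assumed list.

```python
"""Audit a plain-text HTTP capture for MFP admin credentials sent in the clear.

Added example (not from the talk). Finds a password carried in a GET query
string and an HTTP Basic Authorization header on a plain-HTTP connection.
"""
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Query parameter names treated as passwords (assumed list; extend per device).
PASSWORD_PARAMS = {"pwd", "passwd", "password", "newpassword", "pass"}

# Constructed capture of three requests to a printer's web interface.
_SAMPLE_CRED = base64.b64encode(b"admin:Sample-Pass-1").decode()
SAMPLE_CAPTURE = f"""\
GET /admin/setpassword?user=admin&pwd=Sample-Pass-1 HTTP/1.1
Host: mfp.example.internal

GET /status.html HTTP/1.1
Host: mfp.example.internal
Authorization: Basic {_SAMPLE_CRED}

GET /index.html HTTP/1.1
Host: mfp.example.internal
"""


def parse_requests(capture):
    """Split a capture into (method, target, headers) per request."""
    requests = []
    for block in re.split(r"\n\s*\n", capture.strip()):
        lines = block.splitlines()
        method, target, _version = lines[0].split(" ", 2)
        headers = {}
        for line in lines[1:]:
            key, _, value = line.partition(":")
            headers[key.strip().lower()] = value.strip()
        requests.append((method, target, headers))
    return requests


def decode_basic(header_value):
    """'Basic <base64>' -> (user, password); None if not Basic, truncated
    (bad padding, as with the cut-off value on the slide) or without a colon."""
    scheme, _, blob = header_value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
    except ValueError:                 # binascii.Error is a ValueError subclass
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def audit(capture, transport="http"):
    """Findings for credentials exposed in the capture. Secrets are never
    returned, only the user name and the secret's length."""
    findings = []
    for _method, target, headers in parse_requests(capture):
        url = urlsplit(target)
        for name, values in parse_qs(url.query).items():
            if name.lower() in PASSWORD_PARAMS:
                findings.append({"issue": "password in URL query", "path": url.path,
                                 "param": name, "secret_len": len(values[0])})
        auth = headers.get("authorization")
        if auth and transport == "http":      # Basic over TLS is a different risk
            cred = decode_basic(auth)
            if cred:
                findings.append({"issue": "basic auth over plain HTTP", "path": url.path,
                                 "user": cred[0], "secret_len": len(cred[1])})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CAPTURE):
        print(finding)
```

The same logic dropped into a proxy or IDS that sees traffic to the printer VLAN turns the slide's two screenshots into a standing detection: any hit means the device's admin interface is being used without TLS, which the Solutions slide addresses under strong credentials and network sandboxing.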
Slide 30: HTTPS / IPsec secrets are “defaulty” & “leaky”
0x66306630663066306630663066302222
Slide 31: Attacker has access to printed document details
[Figure only]
Slide 32: Attacker has access to network topology – no scan
[Figure only]
Slide 33: Attacker has access to BSD-style sockets…
Two-way BSD-style socket communication
Slide 34: Analyzed MFP cannot protect effectively
Protection measures (each rated fail / warn / ok on the slide):
• Privilege level separation
• Secure password setup
• Secure (basic) auth
• HTTPS / IPsec secrets protection
• Network topology protection
• In-memory document protection
• Restrict sockets on unprivileged modules
Slide 35: Plenty of Xerox printers share the affected PS firmware update mechanism
[Figure only]
Slide 36: Agenda
1. Quick refresher
2. What about PostScript
3. So what, and how did you find it
4. Attacks in a nutshell
5. Solutions and conclusions
Slide 37: Remote attacks can be used to extract data
[Figure: three-stage flow]
Stage 1 – SocEng: sent by attachment, or drive-by from the web
Stage 2 – Printing: spool malicious byte stream
Stage 3 – Exploiting/spying: malware exploits the internal network or extracts data
Slide 38: Agenda
1. Quick refresher
2. What about PostScript
3. So what, and how did you find it
4. Attacks in a nutshell
5. What’s next, solutions, conclusions
Slide 39: Network-wise mitigation solution
[Figure: VLAN1 (PCs) and VLAN2 (PRNs) separated by a PS/PJL-sandboxed print server; legend: VLAN networks, unsafe print jobs, safe print jobs]
Slide 40: Protocol-wise mitigation solution – PostScript/PJL sandbox
• Secure PostScript execution/interpreter sandbox
• Set of online/offline tools for analysis & reporting – Wepawet-like, but for PostScript-related data
• Subscribe for updates: postscript-sec@andreicostin.com
Slide 41: What’s next? PS + MSF + FS + Sockets = PWN
[Figure only]
Slide 42: Solutions
Actor – suggested actions
Admins:
• Disable PS processing on printers
• Route print jobs through sandboxed print servers
• Replace PS drivers with PCL ones (well…)
• Disable Language Operator Authorization
• Look for security bulletins and patch
• Sandbox printers in your network
• Include MFPs in the security audit lifecycle
Users:
• Do not print from untrusted sources
• Be suspicious of PostScript files
Vendors:
• Create realistic MFP threat models
• Do not enable/expose super-APIs
Slide 43: Acknowledgements
The Xerox-related PostScript work & research was done under the support of
Slide 44: Acknowledgements
Thanks to EURECOM for great advice and support on this topic
Slide 45: Thanks/resources
Personal thanks:
• Igor Marinescu, MihaiSa – great logistic support and friendly help
• Xerox Security Team – positive responses, active mitigation
Resources:
• www.tinaja.com – insanely large free PostScript resources directory
• www.anastigmatix.net – very good PostScript resources
• www.acumentraining.com – very good PostScript resources
Slide 46: Take-aways
Questions: Andrei Costin, andrei@andreicostin.com, http://andreicostin.com/papers
• Upcoming MFP attacks could include viruses in Office and PS documents that extract organization data
• Securing the MFP infrastructure requires better segmentation, strong credentials and continuous vulnerability patching
• MFPs are badly secured computing platforms with large abuse potential
Check upcoming research papers; check www.youtube.com/user/zveriu; join postscript-sec@andreicostin.com
Demo1 ldquoProgramming languagerdquo aspect
14
Programming languages 101
Control statements ifelse loop while
Simplest DoS attack is an ldquoinfinite looprdquo
loop
PHDAYS2012
Demo2 ldquoDynamically typed concatenative aspect
15
You wonder why your smart IDSIPS rules stopped working
Here is why
ps_dynamic_statement_construction_and_executionps Obfuscation at its best built-into the language
Solution
Bad news Need dynamic execution sandbox Good news Itrsquos coming up ndash see sandbox slides below
PHDAYS2012
Demo3 Real world application ndash MSOffice PS crash
16
Submitted to MS
Apparently this is not exploitable as in smash stack attacks
But it opens an interesting perspective on MS Officehellip
PHDAYS2012
Demo4 Real world application ndash GhostScript autoprn
17
One got to love custom extensions
Sends a print-job stream directly by just opening the file
Requires more investigation but perspective is interestinghellip
PHDAYS2012
Dynamic document forginggeneration + SocEng
18
User computer User printout
PHDAYS2012
Dynamic document forginggeneration + SocEng
19
Computer side ndash SocEng bait PrinterMFP side ndash PS virus
PHDAYS2012
Where is PostScript (Vendor-wise view)
20
Applications incorporating the PS interpreter
Applicationsvendors producing the PS interpreter
The PS interpreter specifications and standards
PHDAYS2012
Where is PostScript (Role-wise view)
21
PHDAYS2012
PostScript Web 20 Style
22
PostScript made it into the web as well Around 20+ services found to be vulnerable to various degrees
Google was one them -gt Got a ldquohall of famerdquo reward Some fun facts
Effective for host exploitation and information gathering Some ran GS as root user Some ran GS without ndashdSAFER All of them ran vulnerable GS versions
Heap and stack overflows and what-nothellip More details to comehellip
PHDAYS2012
Agenda
1 Quick refresher
2 What about PostScript
3 What else was found
4 Attacks in a nutshell
5 Solutions and conclusions
23
PHDAYS2012
A PS-based firmware upload was required
24
PHDAYS2012
This is too good to be truehellip
25
VxWorks API vx
DebugQA API QA
Logging API EventLog
BillingMeters API meter
Pump PWM pumppwm
RAMdisk API ramdisk
RAM API ram
Flash API flash
PHDAYS2012
Memory dumping reveals computing secrets
26
SANS Security Predictions 20122013 - The Emerging Security Threat Memory Scraping Will Become More Common
PHDAYS2012
Admin restriction fail to prevent memory dumping
27
PHDAYS2012
Password setup is sniffed by the attacker
28
1) HTTP GET request ndash password clear text
2) HTTP reply
PHDAYS2012
Basic auth password can be dumped
29
1) Authorization Basic YWRtaW4yOhellip
2) HTTP11 200 OK
PHDAYS2012
HTTPS IPsec secrets are ldquodefaultyrdquo amp ldquoleakyrdquo
30
0x66306630663066306630663066302222
PHDAYS2012
Attacker has access to printed document details
31
PHDAYS2012
Attacker has access to network topology ndash no-scan
32
PHDAYS2012
Attacker has access to BSD-style socketshellip
33
Two-way BSD-style sockets communication
PHDAYS2012
Analyzed MFP cannot protect effectively
34
Privilege level separation
Secure password setup
Secure (basic) auth
HTTPS IPSEC secrets protection
Network topology protection
In-memory document protection
Restrict sockets on unprivileged modules
Protection measures Fail warn ok
PHDAYS2012
Plenty of Xerox printers share affected PS firmware update mechanism
35
PHDAYS2012
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
36
PHDAYS2012
Remote attacks can be used to extract data
37
Sent
by
Drive-
by
Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying
attachment
from
web
Malware exploits
internal netw or
extracts data
Spool
malicious
byte
stream
PHDAYS2012
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Whatrsquos next solutions conclusions
38
PHDAYS2012
Network-wise mitigation solution
39
VLAN1 PCs
VLAN2 PRNs
Print Server PSPJL-sandboxed
VLAN networks Unsafe print jobs Safe print jobs
PHDAYS2012
Protocol-wise mitigation solution PostScriptPJL sandbox
40
Secure PostScript ExecutionInterpreter Sandbox Set of onlineoffline tools for analysis amp reporting Wepawet-like but for PostScript related data Subscribe for updates postscript-secandreicostincom
PHDAYS2012
Whatrsquos next PS + MSF + FS + Sockets = PWN
41
PHDAYS2012
Solutions
42
Admins bull Disable PS processing on printers bull Route print-jobs thru sandboxed print-servers bull Replace PS drivers with PCL ones (wellhellip) bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sandbox printers in your network bull Include MFPs in security audit lifecycle
Users bull Do not print from untrusted sources bull Be suspicious on PostScript files
Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs
Actor Suggested actions
PHDAYS2012
Acknowledgements
43
The Xerox-related PostScript work amp research done under support of
PHDAYS2012
Acknowledgements
44
Thanks to EURECOM for great advise and support for this topic
PHDAYS2012
Thanksresources
45
Personal thanks
Igor Marinescu MihaiSa Great logistic support and friendly help
Xerox Security Team Positive responses active mitigation
wwwtinajacom Insanely large free postscript resources dir
wwwanastigmatixnet Very good postscript resources
wwwacumentrainingcom Very good postscript resources
PHDAYS2012
Take aways
46
Questions Andrei Costin andreiandreicostincom httpandreicostincompapers
Upcoming MFP attack could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Check upcoming research papers Check wwwyoutubecomuserzveriu Join postscript-secandreicostincom
PHDAYS2012
Demo2 ldquoDynamically typed concatenative aspect
15
You wonder why your smart IDSIPS rules stopped working
Here is why
ps_dynamic_statement_construction_and_executionps Obfuscation at its best built-into the language
Solution
Bad news Need dynamic execution sandbox Good news Itrsquos coming up ndash see sandbox slides below
PHDAYS2012
Demo3 Real world application ndash MSOffice PS crash
16
Submitted to MS
Apparently this is not exploitable as in smash stack attacks
But it opens an interesting perspective on MS Officehellip
PHDAYS2012
Demo4 Real world application ndash GhostScript autoprn
17
One got to love custom extensions
Sends a print-job stream directly by just opening the file
Requires more investigation but perspective is interestinghellip
PHDAYS2012
Dynamic document forginggeneration + SocEng
18
User computer User printout
PHDAYS2012
Dynamic document forginggeneration + SocEng
19
Computer side ndash SocEng bait PrinterMFP side ndash PS virus
PHDAYS2012
Where is PostScript (Vendor-wise view)
20
Applications incorporating the PS interpreter
Applicationsvendors producing the PS interpreter
The PS interpreter specifications and standards
PHDAYS2012
Where is PostScript (Role-wise view)
21
PHDAYS2012
PostScript Web 20 Style
22
PostScript made it into the web as well Around 20+ services found to be vulnerable to various degrees
Google was one them -gt Got a ldquohall of famerdquo reward Some fun facts
Effective for host exploitation and information gathering Some ran GS as root user Some ran GS without ndashdSAFER All of them ran vulnerable GS versions
Heap and stack overflows and what-nothellip More details to comehellip
PHDAYS2012
Agenda
1 Quick refresher
2 What about PostScript
3 What else was found
4 Attacks in a nutshell
5 Solutions and conclusions
23
PHDAYS2012
A PS-based firmware upload was required
24
PHDAYS2012
This is too good to be truehellip
25
VxWorks API vx
DebugQA API QA
Logging API EventLog
BillingMeters API meter
Pump PWM pumppwm
RAMdisk API ramdisk
RAM API ram
Flash API flash
PHDAYS2012
Memory dumping reveals computing secrets
26
SANS Security Predictions 20122013 - The Emerging Security Threat Memory Scraping Will Become More Common
PHDAYS2012
Admin restriction fail to prevent memory dumping
27
PHDAYS2012
Password setup is sniffed by the attacker
28
1) HTTP GET request ndash password clear text
2) HTTP reply
PHDAYS2012
Basic auth password can be dumped
29
1) Authorization Basic YWRtaW4yOhellip
2) HTTP11 200 OK
PHDAYS2012
HTTPS IPsec secrets are ldquodefaultyrdquo amp ldquoleakyrdquo
30
0x66306630663066306630663066302222
PHDAYS2012
Attacker has access to printed document details
31
PHDAYS2012
Attacker has access to network topology ndash no-scan
32
PHDAYS2012
Attacker has access to BSD-style socketshellip
33
Two-way BSD-style sockets communication
PHDAYS2012
Analyzed MFP cannot protect effectively
34
Privilege level separation
Secure password setup
Secure (basic) auth
HTTPS IPSEC secrets protection
Network topology protection
In-memory document protection
Restrict sockets on unprivileged modules
Protection measures Fail warn ok
PHDAYS2012
Plenty of Xerox printers share affected PS firmware update mechanism
35
PHDAYS2012
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
36
PHDAYS2012
Remote attacks can be used to extract data
37
Sent
by
Drive-
by
Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying
attachment
from
web
Malware exploits
internal netw or
extracts data
Spool
malicious
byte
stream
PHDAYS2012
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Whatrsquos next solutions conclusions
38
PHDAYS2012
Network-wise mitigation solution
39
VLAN1 PCs
VLAN2 PRNs
Print Server PSPJL-sandboxed
VLAN networks Unsafe print jobs Safe print jobs
PHDAYS2012
Protocol-wise mitigation solution PostScriptPJL sandbox
40
Secure PostScript ExecutionInterpreter Sandbox Set of onlineoffline tools for analysis amp reporting Wepawet-like but for PostScript related data Subscribe for updates postscript-secandreicostincom
PHDAYS2012
Whatrsquos next PS + MSF + FS + Sockets = PWN
41
PHDAYS2012
Solutions
42
Admins bull Disable PS processing on printers bull Route print-jobs thru sandboxed print-servers bull Replace PS drivers with PCL ones (wellhellip) bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sandbox printers in your network bull Include MFPs in security audit lifecycle
Users bull Do not print from untrusted sources bull Be suspicious on PostScript files
Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs
Actor Suggested actions
PHDAYS2012
Acknowledgements
43
The Xerox-related PostScript work amp research done under support of
PHDAYS2012
Acknowledgements
44
Thanks to EURECOM for great advise and support for this topic
PHDAYS2012
Thanksresources
45
Personal thanks
Igor Marinescu MihaiSa Great logistic support and friendly help
Xerox Security Team Positive responses active mitigation
wwwtinajacom Insanely large free postscript resources dir
wwwanastigmatixnet Very good postscript resources
wwwacumentrainingcom Very good postscript resources
PHDAYS2012
Take aways
46
Questions Andrei Costin andreiandreicostincom httpandreicostincompapers
Upcoming MFP attack could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Check upcoming research papers Check wwwyoutubecomuserzveriu Join postscript-secandreicostincom
PHDAYS2012
Demo3 Real world application ndash MSOffice PS crash
16
Submitted to MS
Apparently this is not exploitable as in smash stack attacks
But it opens an interesting perspective on MS Officehellip
PHDAYS2012
Demo4 Real world application ndash GhostScript autoprn
17
One got to love custom extensions
Sends a print-job stream directly by just opening the file
Requires more investigation but perspective is interestinghellip
PHDAYS2012
Dynamic document forginggeneration + SocEng
18
User computer User printout
PHDAYS2012
Dynamic document forginggeneration + SocEng
19
Computer side ndash SocEng bait PrinterMFP side ndash PS virus
PHDAYS2012
Where is PostScript (Vendor-wise view)
20
Applications incorporating the PS interpreter
Applicationsvendors producing the PS interpreter
The PS interpreter specifications and standards
PHDAYS2012
Where is PostScript (Role-wise view)
21
PHDAYS2012
PostScript Web 20 Style
22
PostScript made it into the web as well Around 20+ services found to be vulnerable to various degrees
Google was one them -gt Got a ldquohall of famerdquo reward Some fun facts
Effective for host exploitation and information gathering Some ran GS as root user Some ran GS without ndashdSAFER All of them ran vulnerable GS versions
Heap and stack overflows and what-nothellip More details to comehellip
PHDAYS2012
Agenda
1 Quick refresher
2 What about PostScript
3 What else was found
4 Attacks in a nutshell
5 Solutions and conclusions
23
PHDAYS2012
A PS-based firmware upload was required
24
PHDAYS2012
This is too good to be truehellip
25
VxWorks API vx
DebugQA API QA
Logging API EventLog
BillingMeters API meter
Pump PWM pumppwm
RAMdisk API ramdisk
RAM API ram
Flash API flash
PHDAYS2012
Memory dumping reveals computing secrets
26
SANS Security Predictions 20122013 - The Emerging Security Threat Memory Scraping Will Become More Common
PHDAYS2012
Admin restriction fail to prevent memory dumping
27
PHDAYS2012
Password setup is sniffed by the attacker
28
1) HTTP GET request ndash password clear text
2) HTTP reply
PHDAYS2012
Basic auth password can be dumped
29
1) Authorization Basic YWRtaW4yOhellip
2) HTTP11 200 OK
PHDAYS2012
HTTPS IPsec secrets are ldquodefaultyrdquo amp ldquoleakyrdquo
30
0x66306630663066306630663066302222
PHDAYS2012
Attacker has access to printed document details
31
PHDAYS2012
Attacker has access to network topology ndash no-scan
32
PHDAYS2012
Attacker has access to BSD-style socketshellip
33
Two-way BSD-style sockets communication
PHDAYS2012
Analyzed MFP cannot protect effectively
34
Privilege level separation
Secure password setup
Secure (basic) auth
HTTPS IPSEC secrets protection
Network topology protection
In-memory document protection
Restrict sockets on unprivileged modules
Protection measures Fail warn ok
PHDAYS2012
Plenty of Xerox printers share affected PS firmware update mechanism
35
PHDAYS2012
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
36
PHDAYS2012
Remote attacks can be used to extract data
37
Sent
by
Drive-
by
Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying
attachment
from
web
Malware exploits
internal netw or
extracts data
Spool
malicious
byte
stream
PHDAYS2012
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Whatrsquos next solutions conclusions
38
PHDAYS2012
Network-wise mitigation solution
39
VLAN1 PCs
VLAN2 PRNs
Print Server PSPJL-sandboxed
VLAN networks Unsafe print jobs Safe print jobs
PHDAYS2012
Protocol-wise mitigation solution PostScriptPJL sandbox
40
Secure PostScript ExecutionInterpreter Sandbox Set of onlineoffline tools for analysis amp reporting Wepawet-like but for PostScript related data Subscribe for updates postscript-secandreicostincom
PHDAYS2012
Whatrsquos next PS + MSF + FS + Sockets = PWN
41
PHDAYS2012
Solutions
42
Admins bull Disable PS processing on printers bull Route print-jobs thru sandboxed print-servers bull Replace PS drivers with PCL ones (wellhellip) bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sandbox printers in your network bull Include MFPs in security audit lifecycle
Users bull Do not print from untrusted sources bull Be suspicious on PostScript files
Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs
Actor Suggested actions
PHDAYS2012
Acknowledgements
43
The Xerox-related PostScript work amp research done under support of
PHDAYS2012
Acknowledgements
44
Thanks to EURECOM for great advise and support for this topic
PHDAYS2012
Thanksresources
45
Personal thanks
Igor Marinescu MihaiSa Great logistic support and friendly help
Xerox Security Team Positive responses active mitigation
wwwtinajacom Insanely large free postscript resources dir
wwwanastigmatixnet Very good postscript resources
wwwacumentrainingcom Very good postscript resources
PHDAYS2012
Take aways
46
Questions Andrei Costin andreiandreicostincom httpandreicostincompapers
Upcoming MFP attack could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Check upcoming research papers Check wwwyoutubecomuserzveriu Join postscript-secandreicostincom
PHDAYS2012
Demo4 Real world application ndash GhostScript autoprn
17
One got to love custom extensions
Sends a print-job stream directly by just opening the file
Requires more investigation but perspective is interestinghellip
PHDAYS2012
Dynamic document forginggeneration + SocEng
18
User computer User printout
PHDAYS2012
Dynamic document forginggeneration + SocEng
19
Computer side ndash SocEng bait PrinterMFP side ndash PS virus
PHDAYS2012
Where is PostScript (Vendor-wise view)
20
Applications incorporating the PS interpreter
Applicationsvendors producing the PS interpreter
The PS interpreter specifications and standards
PHDAYS2012
Where is PostScript (Role-wise view)
21
PHDAYS2012
PostScript Web 20 Style
22
PostScript made it into the web as well Around 20+ services found to be vulnerable to various degrees
Google was one them -gt Got a ldquohall of famerdquo reward Some fun facts
Effective for host exploitation and information gathering Some ran GS as root user Some ran GS without ndashdSAFER All of them ran vulnerable GS versions
Heap and stack overflows and what-nothellip More details to comehellip
PHDAYS2012
Agenda
1 Quick refresher
2 What about PostScript
3 What else was found
4 Attacks in a nutshell
5 Solutions and conclusions
23
PHDAYS2012
A PS-based firmware upload was required
24
PHDAYS2012
This is too good to be truehellip
25
VxWorks API vx
DebugQA API QA
Logging API EventLog
BillingMeters API meter
Pump PWM pumppwm
RAMdisk API ramdisk
RAM API ram
Flash API flash
PHDAYS2012
Memory dumping reveals computing secrets
26
SANS Security Predictions 20122013 - The Emerging Security Threat Memory Scraping Will Become More Common
PHDAYS2012
Admin restriction fail to prevent memory dumping
27
PHDAYS2012
Password setup is sniffed by the attacker
28
1) HTTP GET request ndash password clear text
2) HTTP reply
PHDAYS2012
Basic auth password can be dumped
29
1) Authorization Basic YWRtaW4yOhellip
2) HTTP11 200 OK
PHDAYS2012
HTTPS IPsec secrets are ldquodefaultyrdquo amp ldquoleakyrdquo
30
0x66306630663066306630663066302222
PHDAYS2012
Attacker has access to printed document details
31
PHDAYS2012
Attacker has access to network topology ndash no-scan
32
PHDAYS2012
Attacker has access to BSD-style socketshellip
33
Two-way BSD-style sockets communication
PHDAYS2012
Analyzed MFP cannot protect effectively
34
Privilege level separation
Secure password setup
Secure (basic) auth
HTTPS IPSEC secrets protection
Network topology protection
In-memory document protection
Restrict sockets on unprivileged modules
Protection measures Fail warn ok
PHDAYS2012
Plenty of Xerox printers share affected PS firmware update mechanism
35
PHDAYS2012
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
36
PHDAYS2012
Remote attacks can be used to extract data
37
Sent
by
Drive-
by
Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying
attachment
from
web
Malware exploits
internal netw or
extracts data
Spool
malicious
byte
stream
PHDAYS2012
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Whatrsquos next solutions conclusions
38
PHDAYS2012
Network-wise mitigation solution
39
VLAN1 PCs
VLAN2 PRNs
Print Server PSPJL-sandboxed
VLAN networks Unsafe print jobs Safe print jobs
PHDAYS2012
Protocol-wise mitigation solution PostScriptPJL sandbox
40
Secure PostScript ExecutionInterpreter Sandbox Set of onlineoffline tools for analysis amp reporting Wepawet-like but for PostScript related data Subscribe for updates postscript-secandreicostincom
PHDAYS2012
Whatrsquos next PS + MSF + FS + Sockets = PWN
41
PHDAYS2012
Solutions
42
Admins bull Disable PS processing on printers bull Route print-jobs thru sandboxed print-servers bull Replace PS drivers with PCL ones (wellhellip) bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sandbox printers in your network bull Include MFPs in security audit lifecycle
Users bull Do not print from untrusted sources bull Be suspicious on PostScript files
Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs
Actor Suggested actions
PHDAYS2012
Acknowledgements
43
The Xerox-related PostScript work amp research done under support of
PHDAYS2012
Acknowledgements
44
Thanks to EURECOM for great advise and support for this topic
PHDAYS2012
Thanksresources
45
Personal thanks
Igor Marinescu MihaiSa Great logistic support and friendly help
Xerox Security Team Positive responses active mitigation
wwwtinajacom Insanely large free postscript resources dir
wwwanastigmatixnet Very good postscript resources
wwwacumentrainingcom Very good postscript resources
PHDAYS2012
Take aways
46
Questions Andrei Costin andreiandreicostincom httpandreicostincompapers
Upcoming MFP attack could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Check upcoming research papers Check wwwyoutubecomuserzveriu Join postscript-secandreicostincom
PHDAYS2012
Dynamic document forginggeneration + SocEng
18
User computer User printout
PHDAYS2012
Dynamic document forginggeneration + SocEng
19
Computer side ndash SocEng bait PrinterMFP side ndash PS virus
PHDAYS2012
Where is PostScript (Vendor-wise view)
20
Applications incorporating the PS interpreter
Applicationsvendors producing the PS interpreter
The PS interpreter specifications and standards
PHDAYS2012
Where is PostScript (Role-wise view)
21
PHDAYS2012
PostScript Web 20 Style
22
PostScript made it into the web as well Around 20+ services found to be vulnerable to various degrees
Google was one them -gt Got a ldquohall of famerdquo reward Some fun facts
Effective for host exploitation and information gathering Some ran GS as root user Some ran GS without ndashdSAFER All of them ran vulnerable GS versions
Heap and stack overflows and what-nothellip More details to comehellip
PHDAYS2012
Agenda
1 Quick refresher
2 What about PostScript
3 What else was found
4 Attacks in a nutshell
5 Solutions and conclusions
23
PHDAYS2012
A PS-based firmware upload was required
24
PHDAYS2012
This is too good to be truehellip
25
VxWorks API vx
DebugQA API QA
Logging API EventLog
BillingMeters API meter
Pump PWM pumppwm
RAMdisk API ramdisk
RAM API ram
Flash API flash
PHDAYS2012
Memory dumping reveals computing secrets
26
SANS Security Predictions 20122013 - The Emerging Security Threat Memory Scraping Will Become More Common
PHDAYS2012
Admin restriction fail to prevent memory dumping
27
PHDAYS2012
Password setup is sniffed by the attacker
28
1) HTTP GET request ndash password clear text
2) HTTP reply
PHDAYS2012
Basic auth password can be dumped
29
1) Authorization Basic YWRtaW4yOhellip
2) HTTP11 200 OK
PHDAYS2012
HTTPS IPsec secrets are ldquodefaultyrdquo amp ldquoleakyrdquo
30
0x66306630663066306630663066302222
PHDAYS2012
Attacker has access to printed document details
31
PHDAYS2012
Attacker has access to network topology ndash no-scan
32
PHDAYS2012
Attacker has access to BSD-style socketshellip
33
Two-way BSD-style sockets communication
PHDAYS2012
Analyzed MFP cannot protect effectively
34
Privilege level separation
Secure password setup
Secure (basic) auth
HTTPS IPSEC secrets protection
Network topology protection
In-memory document protection
Restrict sockets on unprivileged modules
Protection measures Fail warn ok
PHDAYS2012
Plenty of Xerox printers share affected PS firmware update mechanism
35
PHDAYS2012
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
36
PHDAYS2012
Remote attacks can be used to extract data
37
Sent
by
Drive-
by
Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying
attachment
from
web
Malware exploits
internal netw or
extracts data
Spool
malicious
byte
stream
PHDAYS2012
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Whatrsquos next solutions conclusions
38
PHDAYS2012
Network-wise mitigation solution
39
VLAN1 PCs
VLAN2 PRNs
Print Server PSPJL-sandboxed
VLAN networks Unsafe print jobs Safe print jobs
PHDAYS2012
Protocol-wise mitigation solution PostScriptPJL sandbox
40
Secure PostScript ExecutionInterpreter Sandbox Set of onlineoffline tools for analysis amp reporting Wepawet-like but for PostScript related data Subscribe for updates postscript-secandreicostincom
PHDAYS2012
Whatrsquos next PS + MSF + FS + Sockets = PWN
41
PHDAYS2012
Solutions
42
Admins bull Disable PS processing on printers bull Route print-jobs thru sandboxed print-servers bull Replace PS drivers with PCL ones (wellhellip) bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sandbox printers in your network bull Include MFPs in security audit lifecycle
Users bull Do not print from untrusted sources bull Be suspicious on PostScript files
Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs
Actor Suggested actions
PHDAYS2012
Acknowledgements
43
The Xerox-related PostScript work amp research done under support of
PHDAYS2012
Acknowledgements
44
Thanks to EURECOM for great advise and support for this topic
PHDAYS2012
Thanksresources
45
Personal thanks
Igor Marinescu MihaiSa Great logistic support and friendly help
Xerox Security Team Positive responses active mitigation
wwwtinajacom Insanely large free postscript resources dir
wwwanastigmatixnet Very good postscript resources
wwwacumentrainingcom Very good postscript resources
PHDAYS2012
Take-aways
• MFPs are badly secured computing platforms with large abuse potential
• Upcoming MFP attacks could include viruses in Office and PS documents that extract organization data
• Securing the MFP infrastructure requires better segmentation, strong credentials and continuous vulnerability patching
• Check the upcoming research papers, check www.youtube.com/user/zveriu, join postscript-sec@andreicostin.com

Questions? Andrei Costin, andrei@andreicostin.com, http://andreicostin.com/papers
Dynamic document forging/generation + SocEng
One forged document serves two targets:
• Computer side: SocEng bait
• Printer/MFP side: PS virus
Where is PostScript? (Vendor-wise view)
Three layers, from the outside in:
• Applications incorporating the PS interpreter
• Applications/vendors producing the PS interpreter
• The PS interpreter specifications and standards
Where is PostScript? (Role-wise view)
[Figure not reproduced.]
PostScript, Web 2.0 style
• PostScript made it into the web as well: around 20+ services were found to be vulnerable to various degrees
• Google was one of them -> got a "hall of fame" reward
• Some fun facts: effective for host exploitation and information gathering; some ran GS (Ghostscript) as the root user; some ran GS without -dSAFER; all of them ran vulnerable GS versions
• Heap and stack overflows and what-not... more details to come...
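The web-service findings above (Ghostscript run as root or without -dSAFER) and the talk's protocol-wise mitigation (a PostScript/PJL sandbox on the print server that turns unsafe jobs into safe ones, one of the admin actions in the Solutions list) call for the same control: inspect a job before any interpreter sees it, and check that the interpreter itself is launched safely. The following is an added example, not code from the talk or from its announced postscript-sec tools. The deny lists, the PJL commands it blocks, the two sample jobs and the argv values are constructed for illustration; the operator and command names themselves are real, but which ones a site blocks is policy.

```python
"""Print-job pre-filter for a PostScript/PJL sandboxing print server (added example,
not code from the PHDays talk or its postscript-sec tools). Names inside % comments
and (string) literals count as data; operators and PJL commands that reach past page
description (device file system, persistent job-server state, system parameters,
Ghostscript's %pipe% device) are flagged. The deny lists are a sample policy to extend."""
PS_DENY = {  # real Level 2/3 and Ghostscript operator names; which to block is site policy
    b"file", b"deletefile", b"renamefile", b"filenameforall", b"run",  # file system
    b"setsystemparams", b"setdevparams", b"setuserparams",             # interpreter config
    b"serverdict", b"exitserver", b"startjob", b"setpassword",         # persistent state, passwords
    b".setsafe", b".locksafe",                                         # Ghostscript sandbox toggles
}
# HP PJL file-system commands: write, read, wipe or enumerate device storage
PJL_DENY = {b"FSDOWNLOAD", b"FSUPLOAD", b"FSAPPEND", b"FSDELETE", b"FSINIT", b"FSMKDIR", b"FSDIRLIST"}
UEL = b"\x1b%-12345X"            # Universal Exit Language, brackets the PJL header
WHITESPACE = b" \t\r\n\f\x00"
DELIMS = b"()<>[]{}/%"

def split_pjl(job):
    """Separate @PJL lines from the PostScript body of a spooled job."""
    pjl, body = [], []
    for line in job.replace(UEL, b"\n").splitlines(keepends=True):
        (pjl if line.lstrip().startswith(b"@PJL") else body).append(line)
    return [l.strip() for l in pjl], b"".join(body)

def ps_tokens(ps):
    """Yield ("str", content) and ("name", token); comments are skipped and strings
    honour nesting and backslash escapes, so "file" inside one is data."""
    i, n = 0, len(ps)
    while i < n:
        c = ps[i:i + 1]
        if c in WHITESPACE:
            i += 1
        elif c == b"%":                                   # comment to end of line
            while i < n and ps[i:i + 1] not in b"\r\n":
                i += 1
        elif c == b"(":                                   # (string) literal
            depth, j = 1, i + 1
            while j < n and depth:
                ch = ps[j:j + 1]
                if ch == b"\\":
                    j += 1                                # skip the escaped byte
                elif ch == b"(":
                    depth += 1
                elif ch == b")":
                    depth -= 1
                j += 1
            yield "str", ps[i + 1:j - 1]
            i = j
        elif c in b")>[]{}" or ps[i:i + 2] == b"<<":     # structural tokens, << >> dicts
            i += 2 if ps[i:i + 2] in (b"<<", b">>") else 1
        elif c == b"<":                                   # <hex> or <~ASCII85~> string
            end = b"~>" if ps[i:i + 2] == b"<~" else b">"
            j = ps.find(end, i + len(end))
            i = n if j < 0 else j + len(end)
        else:                                             # /literal or executable name
            j = i
            while ps[j:j + 1] == b"/":                    # /file load exec still runs file,
                j += 1                                    # so literal names are flagged too
            k = j
            while k < n and ps[k:k + 1] not in DELIMS + WHITESPACE:
                k += 1
            if k > j:
                yield "name", ps[j:k]
            i = max(k, i + 1)

def scan_print_job(job):
    """Return (kind, detail) findings in stream order; [] means the job passed."""
    findings = []
    pjl, body = split_pjl(job)
    for line in pjl:
        words = line.split()
        if len(words) > 1 and words[1].upper() in PJL_DENY:
            findings.append(("pjl-command", words[1].upper().decode()))
    for kind, tok in ps_tokens(body):
        if kind == "str" and b"%pipe%" in tok:
            findings.append(("ps-pipe-device", tok.decode("latin-1")))
        elif kind == "name" and tok in PS_DENY:
            findings.append(("ps-operator", tok.decode("latin-1")))
    return findings

def audit_gs_invocation(argv, euid):
    """Pre-flight check for the two Ghostscript misconfigurations the talk lists."""
    problems = []
    if "-dSAFER" not in argv or "-dNOSAFER" in argv:
        problems.append("Ghostscript started without -dSAFER: jobs get file and %pipe% access")
    if euid == 0:
        problems.append("interpreter runs as root: use a dedicated unprivileged user")
    return problems

# Constructed job, not a capture from the talk: a PJL header that drops a file on the
# device, then PostScript mixing benign text with a %pipe% read and an exitserver.
SAMPLE_JOB = (
    UEL + b"@PJL FSDOWNLOAD FORMAT:BINARY NAME=\"0:/pjl/evil.ps\"\r\n"
    b"@PJL ENTER LANGUAGE=POSTSCRIPT\r\n"
    b"%!PS-Adobe-3.0\r\n% the word file in this comment is harmless\r\n"
    b"/Helvetica findfont 12 scalefont setfont\r\n"
    b"72 720 moveto (print (this) file safely) show\r\n"
    b"(%pipe%id) (r) file\r\nserverdict begin 0 exitserver\r\nshowpage\r\n"
)
CLEAN_JOB = b"%!PS\n/Helvetica findfont 12 scalefont setfont 72 720 moveto (file: report.pdf) show showpage\n"
```

The tokenizer is what makes the filter usable: a plain substring grep for "file" would reject the clean job (the word sits inside a string) and would still miss `/file load exec` unless literal names are flagged as they are here. It is still a static check over a Turing-complete language, so a job that assembles an operator name at run time (`(fi) (le) concatstrings cvn load exec`) gets past it; that is why the interpreter behind the filter must run with `-dSAFER` and as an unprivileged user, which is exactly what `audit_gs_invocation` verifies, and why the print server belongs in its own VLAN as the network-wise slide describes.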
Agenda: 1. Quick refresher; 2. What about PostScript; 3. What else was found; 4. Attacks in a nutshell; 5. Solutions and conclusions
A PS-based firmware upload was required
This is too good to be true...
APIs found exposed in the analyzed firmware (API: identifier):
• VxWorks API: vx
• Debug/QA API: QA
• Logging API: EventLog
• Billing/Meters API: meter
• Pump PWM: pumppwm
• RAMdisk API: ramdisk
• RAM API: ram
• Flash API: flash
Memory dumping reveals computing secrets
SANS Security Predictions 2012/2013: "The Emerging Security Threat: Memory Scraping Will Become More Common"
Admin restrictions fail to prevent memory dumping
Password setup is sniffed by the attacker
1) HTTP GET request - password in clear text
2) HTTP reply
Basic auth password can be dumped
1) Authorization: Basic YWRtaW4yO…
2) HTTP/1.1 200 OK
(Base64 is an encoding, not encryption: the prefix YWRtaW4y decodes to admin2, so user name and password are readable by anyone who can see the header.)
HTTPS / IPsec secrets are "defaulty" & "leaky"
0x66306630663066306630663066302222
(The bytes are the ASCII string f0f0f0f0f0f0f0 followed by two double-quote characters: a repeated-pattern, default-looking secret.)
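The memory-dumping slides above make one point: once an attacker can dump device memory, everything the admin ever sent over plain HTTP (the password-setting GET, later Basic-auth headers) and the device's own HTTPS/IPsec secrets are there to be read. The following is an added example of that memory scraping, not code from the talk; the dump, its URL path, host address, user name and password are constructed, the private key in it has a fake body, and the repeated-pattern heuristic for "defaulty" secrets is this example's own.

```python
"""Scrape credentials and key material out of a raw MFP memory dump.

Added example, not code from the PHDays talk. The talk shows that dumped device
memory still holds the clear-text HTTP GET that set the admin password, a later
Basic-auth header and default-looking HTTPS/IPsec secrets; this scans a dump for
those shapes and flags secrets that are just a one- or two-byte pattern repeated."""
import base64
import binascii
import re

PATTERNS = {
    # password sent as a URL query parameter: clear text on the wire and in RAM
    "password-param": re.compile(rb"[?&]([A-Za-z_]*pass[A-Za-z_]*)=([^&\s]+)", re.I),
    # HTTP Basic: base64 is an encoding, not encryption
    "basic-auth": re.compile(rb"Authorization:\s*Basic\s+([A-Za-z0-9+/]+=*)"),
    # IPsec / VPN pre-shared keys stored as text
    "preshared-key": re.compile(rb"(?:psk|preshared[_-]?key|shared[_-]?secret)\s*[=:]\s*([^\s\x00]+)", re.I),
    # PEM private keys (HTTPS, SSH) still resident after use
    "pem-private-key": re.compile(rb"-----BEGIN ([A-Z ]*PRIVATE KEY)-----.*?-----END \1-----", re.S),
}

def _period(s):
    """Length of the smallest unit s is built from (len(s) if it does not repeat)."""
    for p in range(1, len(s) // 2 + 1):
        if len(s) % p == 0 and s == s[:p] * (len(s) // p):
            return p
    return len(s)

def looks_default(secret):
    """'Defaulty' heuristic: long enough to pass a length check, but made of a one-
    or two-byte unit repeated, like the f0f0f0f0f0f0f0 value on the slide."""
    return len(secret) >= 8 and _period(secret) <= 2

def scrape(dump):
    """Return findings sorted by offset: dicts with kind, offset, value, note."""
    findings = []
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(dump):
            if kind == "basic-auth":
                try:
                    value = base64.b64decode(m.group(1), validate=True)
                except (binascii.Error, ValueError):
                    continue                       # not real base64, skip
            elif kind == "password-param":
                value = m.group(2)
            else:
                value = m.group(1)                 # PSK text, or the PEM block type
            weak = kind != "pem-private-key" and looks_default(value)
            findings.append({"kind": kind, "offset": m.start(), "value": value,
                             "note": "repeating pattern, probably a default" if weak else ""})
    return sorted(findings, key=lambda f: f["offset"])

# Constructed dump (not a capture from the talk): padding around an admin password
# change over plain HTTP, a later Basic-auth request, an IPsec pre-shared key of the
# shape shown on the slide, and a fake-bodied RSA private key.
DUMP = (
    b"\x00" * 16
    + b"GET /admin/setpw?password=Winter2012&confirm=Winter2012 HTTP/1.1\r\nHost: 10.2.0.5\r\n\r\n"
    + b"\xff" * 8
    + b"GET /admin/status HTTP/1.1\r\nAuthorization: Basic "
    + base64.b64encode(b"admin:Winter2012") + b"\r\n\r\n"
    + b"\x00ipsec_psk=f0f0f0f0f0f0f0\x00"
    + b"-----BEGIN RSA PRIVATE KEY-----\nZmFrZSBrZXkgYm9keQ==\n-----END RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    for f in scrape(DUMP):
        print("%6d %-16s %r %s" % (f["offset"], f["kind"], f["value"], f["note"]))
```

Run on the constructed dump, the password-change GET yields the password itself, the Basic-auth header decodes straight back to user and password, and the pre-shared key is reported with the repeating-pattern note; the same scan over the real dump from the talk is what the "defaulty & leaky" slide summarises. The defensive reading is the Solutions list: set passwords only over HTTPS, replace default keys, and treat a memory-dump capability as equivalent to full credential disclosure.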
Attacker has access to printed document details

Attacker has access to network topology - no scan needed

Attacker has access to BSD-style sockets...
• Two-way BSD-style sockets communication
Analyzed MFP cannot protect effectively
Protection measures assessed (each rated fail / warn / ok on the slide; the per-row rating icons are not reproduced):
• Privilege level separation
• Secure password setup
• Secure (basic) auth
• HTTPS/IPsec secrets protection
• Network topology protection
• In-memory document protection
• Restrict sockets on unprivileged modules
Plenty of Xerox printers share the affected PS firmware update mechanism
Agenda: 1. Quick refresher; 2. What about PostScript; 3. So what, and how did you find it; 4. Attacks in a nutshell; 5. Solutions and conclusions
Remote attacks can be used to extract data
[Figure: three-stage attack chain]
• Stage 1 - SocEng: the document is sent by attachment or delivered drive-by from the web
• Stage 2 - Printing: the malicious byte stream is spooled to the MFP
• Stage 3 - Exploiting/spying: the malware exploits the internal network or extracts data
Agenda: 1. Quick refresher; 2. What about PostScript; 3. So what, and how did you find it; 4. Attacks in a nutshell; 5. What's next, solutions, conclusions
Network-wise mitigation solution
39
VLAN1 PCs
VLAN2 PRNs
Print Server PSPJL-sandboxed
VLAN networks Unsafe print jobs Safe print jobs
PHDAYS2012
Protocol-wise mitigation solution PostScriptPJL sandbox
40
Secure PostScript ExecutionInterpreter Sandbox Set of onlineoffline tools for analysis amp reporting Wepawet-like but for PostScript related data Subscribe for updates postscript-secandreicostincom
PHDAYS2012
Whatrsquos next PS + MSF + FS + Sockets = PWN
41
PHDAYS2012
Solutions
42
Admins bull Disable PS processing on printers bull Route print-jobs thru sandboxed print-servers bull Replace PS drivers with PCL ones (wellhellip) bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sandbox printers in your network bull Include MFPs in security audit lifecycle
Users bull Do not print from untrusted sources bull Be suspicious on PostScript files
Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs
Actor Suggested actions
PHDAYS2012
Acknowledgements
43
The Xerox-related PostScript work amp research done under support of
PHDAYS2012
Acknowledgements
44
Thanks to EURECOM for great advise and support for this topic
PHDAYS2012
Thanksresources
45
Personal thanks
Igor Marinescu MihaiSa Great logistic support and friendly help
Xerox Security Team Positive responses active mitigation
wwwtinajacom Insanely large free postscript resources dir
wwwanastigmatixnet Very good postscript resources
wwwacumentrainingcom Very good postscript resources
PHDAYS2012
Take aways
46
Questions Andrei Costin andreiandreicostincom httpandreicostincompapers
Upcoming MFP attack could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Check upcoming research papers Check wwwyoutubecomuserzveriu Join postscript-secandreicostincom
PHDAYS2012
Where is PostScript (Vendor-wise view)
20
Applications incorporating the PS interpreter
Applicationsvendors producing the PS interpreter
The PS interpreter specifications and standards
PHDAYS2012
Where is PostScript (Role-wise view)
21
PHDAYS2012
PostScript Web 20 Style
22
PostScript made it into the web as well Around 20+ services found to be vulnerable to various degrees
Google was one them -gt Got a ldquohall of famerdquo reward Some fun facts
Effective for host exploitation and information gathering Some ran GS as root user Some ran GS without ndashdSAFER All of them ran vulnerable GS versions
Heap and stack overflows and what-nothellip More details to comehellip
PHDAYS2012
Agenda
1 Quick refresher
2 What about PostScript
3 What else was found
4 Attacks in a nutshell
5 Solutions and conclusions
23
PHDAYS2012
A PS-based firmware upload was required
24
PHDAYS2012
This is too good to be truehellip
25
VxWorks API vx
DebugQA API QA
Logging API EventLog
BillingMeters API meter
Pump PWM pumppwm
RAMdisk API ramdisk
RAM API ram
Flash API flash
PHDAYS2012
Memory dumping reveals computing secrets
26
SANS Security Predictions 20122013 - The Emerging Security Threat Memory Scraping Will Become More Common
PHDAYS2012
Admin restriction fail to prevent memory dumping
27
PHDAYS2012
Password setup is sniffed by the attacker
28
1) HTTP GET request ndash password clear text
2) HTTP reply
PHDAYS2012
Basic auth password can be dumped
29
1) Authorization Basic YWRtaW4yOhellip
2) HTTP11 200 OK
PHDAYS2012
HTTPS IPsec secrets are ldquodefaultyrdquo amp ldquoleakyrdquo
30
0x66306630663066306630663066302222
PHDAYS2012
Attacker has access to printed document details
31
PHDAYS2012
Attacker has access to network topology ndash no-scan
32
PHDAYS2012
Attacker has access to BSD-style socketshellip
33
Two-way BSD-style sockets communication
PHDAYS2012
Analyzed MFP cannot protect effectively
34
Privilege level separation
Secure password setup
Secure (basic) auth
HTTPS IPSEC secrets protection
Network topology protection
In-memory document protection
Restrict sockets on unprivileged modules
Protection measures Fail warn ok
PHDAYS2012
Plenty of Xerox printers share affected PS firmware update mechanism
35
PHDAYS2012
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
36
PHDAYS2012
Remote attacks can be used to extract data
37
Sent
by
Drive-
by
Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying
attachment
from
web
Malware exploits
internal netw or
extracts data
Spool
malicious
byte
stream
PHDAYS2012
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Whatrsquos next solutions conclusions
38
PHDAYS2012
Network-wise mitigation solution
39
VLAN1 PCs
VLAN2 PRNs
Print Server PSPJL-sandboxed
VLAN networks Unsafe print jobs Safe print jobs
PHDAYS2012
Protocol-wise mitigation solution PostScriptPJL sandbox
40
Secure PostScript ExecutionInterpreter Sandbox Set of onlineoffline tools for analysis amp reporting Wepawet-like but for PostScript related data Subscribe for updates postscript-secandreicostincom
PHDAYS2012
Whatrsquos next PS + MSF + FS + Sockets = PWN
41
PHDAYS2012
Solutions
42
Admins bull Disable PS processing on printers bull Route print-jobs thru sandboxed print-servers bull Replace PS drivers with PCL ones (wellhellip) bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sandbox printers in your network bull Include MFPs in security audit lifecycle
Users bull Do not print from untrusted sources bull Be suspicious on PostScript files
Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs
Actor Suggested actions
PHDAYS2012
Acknowledgements
43
The Xerox-related PostScript work amp research done under support of
PHDAYS2012
Acknowledgements
44
Thanks to EURECOM for great advise and support for this topic
PHDAYS2012
Thanksresources
45
Personal thanks
Igor Marinescu MihaiSa Great logistic support and friendly help
Xerox Security Team Positive responses active mitigation
wwwtinajacom Insanely large free postscript resources dir
wwwanastigmatixnet Very good postscript resources
wwwacumentrainingcom Very good postscript resources
PHDAYS2012
Take aways
46
Questions Andrei Costin andreiandreicostincom httpandreicostincompapers
Upcoming MFP attack could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Check upcoming research papers Check wwwyoutubecomuserzveriu Join postscript-secandreicostincom
PHDAYS2012
Where is PostScript (Role-wise view)
21
PHDAYS2012
PostScript Web 20 Style
22
PostScript made it into the web as well Around 20+ services found to be vulnerable to various degrees
Google was one them -gt Got a ldquohall of famerdquo reward Some fun facts
Effective for host exploitation and information gathering Some ran GS as root user Some ran GS without ndashdSAFER All of them ran vulnerable GS versions
Heap and stack overflows and what-nothellip More details to comehellip
PHDAYS2012
Agenda
1 Quick refresher
2 What about PostScript
3 What else was found
4 Attacks in a nutshell
5 Solutions and conclusions
23
PHDAYS2012
A PS-based firmware upload was required
24
PHDAYS2012
This is too good to be truehellip
25
VxWorks API vx
DebugQA API QA
Logging API EventLog
BillingMeters API meter
Pump PWM pumppwm
RAMdisk API ramdisk
RAM API ram
Flash API flash
PHDAYS2012
Memory dumping reveals computing secrets
26
SANS Security Predictions 20122013 - The Emerging Security Threat Memory Scraping Will Become More Common
PHDAYS2012
Admin restriction fail to prevent memory dumping
27
PHDAYS2012
Password setup is sniffed by the attacker
28
1) HTTP GET request ndash password clear text
2) HTTP reply
PHDAYS2012
Basic auth password can be dumped
29
1) Authorization Basic YWRtaW4yOhellip
2) HTTP11 200 OK
PHDAYS2012
HTTPS IPsec secrets are ldquodefaultyrdquo amp ldquoleakyrdquo
30
0x66306630663066306630663066302222
PHDAYS2012
Attacker has access to printed document details
31
PHDAYS2012
Attacker has access to network topology ndash no-scan
32
PHDAYS2012
Attacker has access to BSD-style socketshellip
33
Two-way BSD-style sockets communication
PHDAYS2012
Analyzed MFP cannot protect effectively
34
Privilege level separation
Secure password setup
Secure (basic) auth
HTTPS IPSEC secrets protection
Network topology protection
In-memory document protection
Restrict sockets on unprivileged modules
Protection measures Fail warn ok
PHDAYS2012
Plenty of Xerox printers share affected PS firmware update mechanism
35
PHDAYS2012
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
36
PHDAYS2012
Remote attacks can be used to extract data
37
Sent
by
Drive-
by
Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying
attachment
from
web
Malware exploits
internal netw or
extracts data
Spool
malicious
byte
stream
PHDAYS2012
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Whatrsquos next solutions conclusions
38
PHDAYS2012
Network-wise mitigation solution
39
VLAN1 PCs
VLAN2 PRNs
Print Server PSPJL-sandboxed
VLAN networks Unsafe print jobs Safe print jobs
PHDAYS2012
Protocol-wise mitigation solution PostScriptPJL sandbox
40
Secure PostScript ExecutionInterpreter Sandbox Set of onlineoffline tools for analysis amp reporting Wepawet-like but for PostScript related data Subscribe for updates postscript-secandreicostincom
PHDAYS2012
Whatrsquos next PS + MSF + FS + Sockets = PWN
41
PHDAYS2012
Solutions
42
Admins bull Disable PS processing on printers bull Route print-jobs thru sandboxed print-servers bull Replace PS drivers with PCL ones (wellhellip) bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sandbox printers in your network bull Include MFPs in security audit lifecycle
Users bull Do not print from untrusted sources bull Be suspicious on PostScript files
Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs
Actor Suggested actions
PHDAYS2012
Acknowledgements
43
The Xerox-related PostScript work amp research done under support of
PHDAYS2012
Acknowledgements
44
Thanks to EURECOM for great advise and support for this topic
PHDAYS2012
Thanksresources
45
Personal thanks
Igor Marinescu MihaiSa Great logistic support and friendly help
Xerox Security Team Positive responses active mitigation
wwwtinajacom Insanely large free postscript resources dir
wwwanastigmatixnet Very good postscript resources
wwwacumentrainingcom Very good postscript resources
PHDAYS2012
Take aways
46
Questions Andrei Costin andreiandreicostincom httpandreicostincompapers
Upcoming MFP attack could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Check upcoming research papers Check wwwyoutubecomuserzveriu Join postscript-secandreicostincom
PHDAYS2012
PostScript Web 20 Style
22
PostScript made it into the web as well Around 20+ services found to be vulnerable to various degrees
Google was one them -gt Got a ldquohall of famerdquo reward Some fun facts
Effective for host exploitation and information gathering Some ran GS as root user Some ran GS without ndashdSAFER All of them ran vulnerable GS versions
Heap and stack overflows and what-nothellip More details to comehellip
PHDAYS2012
Agenda
1 Quick refresher
2 What about PostScript
3 What else was found
4 Attacks in a nutshell
5 Solutions and conclusions
23
PHDAYS2012
A PS-based firmware upload was required
24
PHDAYS2012
This is too good to be truehellip
25
VxWorks API vx
DebugQA API QA
Logging API EventLog
BillingMeters API meter
Pump PWM pumppwm
RAMdisk API ramdisk
RAM API ram
Flash API flash
PHDAYS2012
Memory dumping reveals computing secrets
26
SANS Security Predictions 20122013 - The Emerging Security Threat Memory Scraping Will Become More Common
PHDAYS2012
Admin restriction fail to prevent memory dumping
27
PHDAYS2012
Password setup is sniffed by the attacker
28
1) HTTP GET request ndash password clear text
2) HTTP reply
PHDAYS2012
Basic auth password can be dumped
29
1) Authorization Basic YWRtaW4yOhellip
2) HTTP11 200 OK
PHDAYS2012
HTTPS IPsec secrets are ldquodefaultyrdquo amp ldquoleakyrdquo
30
0x66306630663066306630663066302222
PHDAYS2012
Attacker has access to printed document details
31
PHDAYS2012
Attacker has access to network topology ndash no-scan
32
PHDAYS2012
Attacker has access to BSD-style socketshellip
33
Two-way BSD-style sockets communication
PHDAYS2012
Analyzed MFP cannot protect effectively
34
Privilege level separation
Secure password setup
Secure (basic) auth
HTTPS IPSEC secrets protection
Network topology protection
In-memory document protection
Restrict sockets on unprivileged modules
Protection measures Fail warn ok
PHDAYS2012
Plenty of Xerox printers share affected PS firmware update mechanism
35
PHDAYS2012
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
36
PHDAYS2012
Remote attacks can be used to extract data
37
Sent
by
Drive-
by
Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying
attachment
from
web
Malware exploits
internal netw or
extracts data
Spool
malicious
byte
stream
PHDAYS2012
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Whatrsquos next solutions conclusions
38
PHDAYS2012
Network-wise mitigation solution
39
VLAN1 PCs
VLAN2 PRNs
Print Server PSPJL-sandboxed
VLAN networks Unsafe print jobs Safe print jobs
PHDAYS2012
Protocol-wise mitigation solution PostScriptPJL sandbox
40
Secure PostScript ExecutionInterpreter Sandbox Set of onlineoffline tools for analysis amp reporting Wepawet-like but for PostScript related data Subscribe for updates postscript-secandreicostincom
PHDAYS2012
Whatrsquos next PS + MSF + FS + Sockets = PWN
41
PHDAYS2012
Solutions
42
Admins bull Disable PS processing on printers bull Route print-jobs thru sandboxed print-servers bull Replace PS drivers with PCL ones (wellhellip) bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sandbox printers in your network bull Include MFPs in security audit lifecycle
Users bull Do not print from untrusted sources bull Be suspicious on PostScript files
Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs
Actor Suggested actions
PHDAYS2012
Acknowledgements
43
The Xerox-related PostScript work amp research done under support of
PHDAYS2012
Acknowledgements
44
Thanks to EURECOM for great advise and support for this topic
PHDAYS2012
Thanksresources
45
Personal thanks
Igor Marinescu MihaiSa Great logistic support and friendly help
Xerox Security Team Positive responses active mitigation
wwwtinajacom Insanely large free postscript resources dir
wwwanastigmatixnet Very good postscript resources
wwwacumentrainingcom Very good postscript resources
PHDAYS2012
Take aways
46
Questions Andrei Costin andreiandreicostincom httpandreicostincompapers
Upcoming MFP attack could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Check upcoming research papers Check wwwyoutubecomuserzveriu Join postscript-secandreicostincom
PHDAYS2012
Agenda
1 Quick refresher
2 What about PostScript
3 What else was found
4 Attacks in a nutshell
5 Solutions and conclusions
23
PHDAYS2012
A PS-based firmware upload was required
24
PHDAYS2012
This is too good to be truehellip
25
VxWorks API vx
DebugQA API QA
Logging API EventLog
BillingMeters API meter
Pump PWM pumppwm
RAMdisk API ramdisk
RAM API ram
Flash API flash
PHDAYS2012
Memory dumping reveals computing secrets
26
SANS Security Predictions 20122013 - The Emerging Security Threat Memory Scraping Will Become More Common
PHDAYS2012
Admin restriction fail to prevent memory dumping
27
PHDAYS2012
Password setup is sniffed by the attacker
28
1) HTTP GET request ndash password clear text
2) HTTP reply
PHDAYS2012
Basic auth password can be dumped
29
1) Authorization Basic YWRtaW4yOhellip
2) HTTP11 200 OK
PHDAYS2012
HTTPS IPsec secrets are ldquodefaultyrdquo amp ldquoleakyrdquo
30
0x66306630663066306630663066302222
PHDAYS2012
Attacker has access to printed document details
31
PHDAYS2012
Attacker has access to network topology ndash no-scan
32
PHDAYS2012
Attacker has access to BSD-style socketshellip
33
Two-way BSD-style sockets communication
PHDAYS2012
Analyzed MFP cannot protect effectively
34
Privilege level separation
Secure password setup
Secure (basic) auth
HTTPS IPSEC secrets protection
Network topology protection
In-memory document protection
Restrict sockets on unprivileged modules
Protection measures Fail warn ok
PHDAYS2012
Plenty of Xerox printers share affected PS firmware update mechanism
35
PHDAYS2012
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
36
PHDAYS2012
Remote attacks can be used to extract data
37
Sent
by
Drive-
by
Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying
attachment
from
web
Malware exploits
internal netw or
extracts data
Spool
malicious
byte
stream
PHDAYS2012
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Whatrsquos next solutions conclusions
38
PHDAYS2012
Network-wise mitigation solution
39
VLAN1 PCs
VLAN2 PRNs
Print Server PSPJL-sandboxed
VLAN networks Unsafe print jobs Safe print jobs
PHDAYS2012
Protocol-wise mitigation solution PostScriptPJL sandbox
40
Secure PostScript ExecutionInterpreter Sandbox Set of onlineoffline tools for analysis amp reporting Wepawet-like but for PostScript related data Subscribe for updates postscript-secandreicostincom
PHDAYS2012
Whatrsquos next PS + MSF + FS + Sockets = PWN
41
PHDAYS2012
Solutions
42
Admins bull Disable PS processing on printers bull Route print-jobs thru sandboxed print-servers bull Replace PS drivers with PCL ones (wellhellip) bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sandbox printers in your network bull Include MFPs in security audit lifecycle
Users bull Do not print from untrusted sources bull Be suspicious on PostScript files
Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs
Actor Suggested actions
PHDAYS2012
Acknowledgements
43
The Xerox-related PostScript work amp research done under support of
PHDAYS2012
Acknowledgements
44
Thanks to EURECOM for great advise and support for this topic
PHDAYS2012
Thanksresources
45
Personal thanks
Igor Marinescu MihaiSa Great logistic support and friendly help
Xerox Security Team Positive responses active mitigation
wwwtinajacom Insanely large free postscript resources dir
wwwanastigmatixnet Very good postscript resources
wwwacumentrainingcom Very good postscript resources
PHDAYS2012
Take aways
46
Questions Andrei Costin andreiandreicostincom httpandreicostincompapers
Upcoming MFP attack could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Check upcoming research papers Check wwwyoutubecomuserzveriu Join postscript-secandreicostincom
PHDAYS2012
A PS-based firmware upload was required
24
PHDAYS2012
This is too good to be truehellip
25
VxWorks API vx
DebugQA API QA
Logging API EventLog
BillingMeters API meter
Pump PWM pumppwm
RAMdisk API ramdisk
RAM API ram
Flash API flash
PHDAYS2012
Memory dumping reveals computing secrets
26
SANS Security Predictions 20122013 - The Emerging Security Threat Memory Scraping Will Become More Common
PHDAYS2012
Admin restriction fail to prevent memory dumping
27
PHDAYS2012
Password setup is sniffed by the attacker
28
1) HTTP GET request ndash password clear text
2) HTTP reply
PHDAYS2012
Basic auth password can be dumped
29
1) Authorization Basic YWRtaW4yOhellip
2) HTTP11 200 OK
PHDAYS2012
HTTPS IPsec secrets are ldquodefaultyrdquo amp ldquoleakyrdquo
30
0x66306630663066306630663066302222
PHDAYS2012
Attacker has access to printed document details
31
PHDAYS2012
Attacker has access to network topology ndash no-scan
32
PHDAYS2012
Attacker has access to BSD-style socketshellip
33
Two-way BSD-style sockets communication
PHDAYS2012
Analyzed MFP cannot protect effectively
34
Privilege level separation
Secure password setup
Secure (basic) auth
HTTPS IPSEC secrets protection
Network topology protection
In-memory document protection
Restrict sockets on unprivileged modules
Protection measures Fail warn ok
PHDAYS2012
Plenty of Xerox printers share affected PS firmware update mechanism
35
PHDAYS2012
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
36
PHDAYS2012
Remote attacks can be used to extract data
37
Sent
by
Drive-
by
Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying
attachment
from
web
Malware exploits
internal netw or
extracts data
Spool
malicious
byte
stream
PHDAYS2012
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Whatrsquos next solutions conclusions
38
PHDAYS2012
Network-wise mitigation solution
39
VLAN1 PCs
VLAN2 PRNs
Print Server PSPJL-sandboxed
VLAN networks Unsafe print jobs Safe print jobs
PHDAYS2012
Protocol-wise mitigation solution PostScriptPJL sandbox
40
Secure PostScript ExecutionInterpreter Sandbox Set of onlineoffline tools for analysis amp reporting Wepawet-like but for PostScript related data Subscribe for updates postscript-secandreicostincom
PHDAYS2012
Whatrsquos next PS + MSF + FS + Sockets = PWN
41
PHDAYS2012
Solutions
42
Admins bull Disable PS processing on printers bull Route print-jobs thru sandboxed print-servers bull Replace PS drivers with PCL ones (wellhellip) bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sandbox printers in your network bull Include MFPs in security audit lifecycle
Users bull Do not print from untrusted sources bull Be suspicious on PostScript files
Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs
Actor Suggested actions
PHDAYS2012
Acknowledgements
43
The Xerox-related PostScript work amp research done under support of
PHDAYS2012
Acknowledgements
44
Thanks to EURECOM for great advise and support for this topic
PHDAYS2012
Thanksresources
45
Personal thanks
Igor Marinescu MihaiSa Great logistic support and friendly help
Xerox Security Team Positive responses active mitigation
wwwtinajacom Insanely large free postscript resources dir
wwwanastigmatixnet Very good postscript resources
wwwacumentrainingcom Very good postscript resources
PHDAYS2012
Take aways
46
Questions Andrei Costin andreiandreicostincom httpandreicostincompapers
Upcoming MFP attack could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Check upcoming research papers Check wwwyoutubecomuserzveriu Join postscript-secandreicostincom
PHDAYS2012
This is too good to be truehellip
25
VxWorks API vx
DebugQA API QA
Logging API EventLog
BillingMeters API meter
Pump PWM pumppwm
RAMdisk API ramdisk
RAM API ram
Flash API flash
PHDAYS2012
Memory dumping reveals computing secrets
26
SANS Security Predictions 20122013 - The Emerging Security Threat Memory Scraping Will Become More Common
PHDAYS2012
Admin restriction fail to prevent memory dumping
27
PHDAYS2012
Password setup is sniffed by the attacker
28
1) HTTP GET request ndash password clear text
2) HTTP reply
PHDAYS2012
Basic auth password can be dumped
29
1) Authorization Basic YWRtaW4yOhellip
2) HTTP11 200 OK
PHDAYS2012
HTTPS IPsec secrets are ldquodefaultyrdquo amp ldquoleakyrdquo
30
0x66306630663066306630663066302222
PHDAYS2012
Attacker has access to printed document details
31
PHDAYS2012
Attacker has access to network topology ndash no-scan
32
PHDAYS2012
Attacker has access to BSD-style socketshellip
33
Two-way BSD-style sockets communication
PHDAYS2012
Analyzed MFP cannot protect effectively
34
Privilege level separation
Secure password setup
Secure (basic) auth
HTTPS IPSEC secrets protection
Network topology protection
In-memory document protection
Restrict sockets on unprivileged modules
Protection measures Fail warn ok
PHDAYS2012
Plenty of Xerox printers share affected PS firmware update mechanism
35
PHDAYS2012
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Solutions and conclusions
36
PHDAYS2012
Remote attacks can be used to extract data
37
Sent
by
Drive-
by
Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying
attachment
from
web
Malware exploits
internal netw or
extracts data
Spool
malicious
byte
stream
PHDAYS2012
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Whatrsquos next solutions conclusions
38
PHDAYS2012
Network-wise mitigation solution
39
VLAN1 PCs
VLAN2 PRNs
Print Server PSPJL-sandboxed
VLAN networks Unsafe print jobs Safe print jobs
PHDAYS2012
Protocol-wise mitigation solution PostScriptPJL sandbox
40
Secure PostScript ExecutionInterpreter Sandbox Set of onlineoffline tools for analysis amp reporting Wepawet-like but for PostScript related data Subscribe for updates postscript-secandreicostincom
PHDAYS2012
Whatrsquos next PS + MSF + FS + Sockets = PWN
41
PHDAYS2012
Solutions
42
Admins bull Disable PS processing on printers bull Route print-jobs thru sandboxed print-servers bull Replace PS drivers with PCL ones (wellhellip) bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sandbox printers in your network bull Include MFPs in security audit lifecycle
Users bull Do not print from untrusted sources bull Be suspicious on PostScript files
Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs
Actor Suggested actions
PHDAYS2012
Acknowledgements
43
The Xerox-related PostScript work amp research done under support of
PHDAYS2012
Acknowledgements
44
Thanks to EURECOM for great advise and support for this topic
PHDAYS2012
Thanksresources
45
Personal thanks
Igor Marinescu MihaiSa Great logistic support and friendly help
Xerox Security Team Positive responses active mitigation
wwwtinajacom Insanely large free postscript resources dir
wwwanastigmatixnet Very good postscript resources
wwwacumentrainingcom Very good postscript resources
PHDAYS2012
Take aways
46
Questions Andrei Costin andreiandreicostincom httpandreicostincompapers
Upcoming MFP attack could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Check upcoming research papers Check wwwyoutubecomuserzveriu Join postscript-secandreicostincom
PHDAYS2012
Memory dumping reveals computing secrets
26
SANS Security Predictions 20122013 - The Emerging Security Threat Memory Scraping Will Become More Common
PHDAYS2012
Admin restriction fail to prevent memory dumping
27
PHDAYS2012
Password setup is sniffed by the attacker
28
1) HTTP GET request ndash password clear text
2) HTTP reply
PHDAYS2012
Basic auth password can be dumped
29
1) Authorization Basic YWRtaW4yOhellip
2) HTTP11 200 OK
PHDAYS2012
HTTPS IPsec secrets are ldquodefaultyrdquo amp ldquoleakyrdquo
30
0x66306630663066306630663066302222
PHDAYS2012
Attacker has access to printed document details
31
PHDAYS2012
Attacker has access to network topology ndash no-scan
32
PHDAYS2012
Attacker has access to BSD-style socketshellip
33
Two-way BSD-style sockets communication
PHDAYS2012
Analyzed MFP cannot protect effectively
34
Privilege level separation
Secure password setup
Secure (basic) auth
HTTPS IPSEC secrets protection
Network topology protection
In-memory document protection
Restrict sockets on unprivileged modules
Protection measures Fail warn ok
PHDAYS2012
Plenty of Xerox printers share affected PS firmware update mechanism
35
PHDAYS2012
Agenda
1. Quick refresher
2. What about PostScript?
3. So what, and how did you find it?
4. Attacks in a nutshell
5. Solutions and conclusions
Remote attacks can be used to extract data
Stage 1 (SocEng): the malicious document is sent by attachment or delivered drive-by from the web
Stage 2 (Printing): the malicious byte stream is spooled to the MFP
Stage 3 (Exploiting/spying): the malware exploits the internal network or extracts data
Agenda
1. Quick refresher
2. What about PostScript?
3. So what, and how did you find it?
4. Attacks in a nutshell
5. What's next, solutions, conclusions
Network-wise mitigation solution
VLAN1: PCs. VLAN2: PRNs (printers). Between the two VLANs sits a PS/PJL-sandboxed print server: unsafe print jobs go from the PCs to the print server, and only safe print jobs go from the print server to the printers.
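To make the VLAN picture checkable, here is an added example (not from the talk) that evaluates flow records against the slide's policy and renders the same policy as nftables rules. The VLAN ranges 10.1.0.0/24 and 10.2.0.0/24, the print-server address 10.1.0.10, the port sets and the flow records are assumptions made for the example.

```python
"""Check flow records against the two-VLAN print path of slide 39 and render the
same policy as nftables rules. Added example, not from the talk: the VLAN ranges,
the print-server address and the flow records are assumptions for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set

PC_VLAN = ipaddress.ip_network("10.1.0.0/24")       # assumed VLAN1: PCs
PRINTER_VLAN = ipaddress.ip_network("10.2.0.0/24")  # assumed VLAN2: PRNs
PRINT_SERVER = ipaddress.ip_address("10.1.0.10")    # assumed PS/PJL-sandboxing print server
PRINT_PORTS = {9100, 515, 631}      # raw/JetDirect, LPD, IPP
ADMIN_PORTS = {80, 443, 161}        # device web UI and SNMP: print server only


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def zone(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    if addr == PRINT_SERVER:
        return "print_server"
    if addr in PC_VLAN:
        return "pc"
    if addr in PRINTER_VLAN:
        return "printer"
    return "other"


def verdict(flow: Flow) -> str:
    """Unsafe jobs: PC -> print server. Safe jobs: print server -> printer. Nothing else."""
    s, d = zone(flow.src), zone(flow.dst)
    if s == "pc" and d == "print_server" and flow.dport in PRINT_PORTS:
        return "allow"
    if s == "print_server" and d == "printer" and flow.dport in PRINT_PORTS | ADMIN_PORTS:
        return "allow"
    if s == "printer":
        # A printer opening its own connections is what slides 32-33 describe:
        # socket access and topology discovery from inside the device.
        return "alert:printer-initiated"
    if s == "pc" and d == "printer":
        return "deny:bypasses-print-server"
    return "deny"


def evaluate(flows: List[Flow]) -> Dict[str, List[Flow]]:
    grouped: Dict[str, List[Flow]] = {}
    for f in flows:
        grouped.setdefault(verdict(f), []).append(f)
    return grouped


def _ports(ports: Set[int]) -> str:
    return "{ " + ", ".join(str(p) for p in sorted(ports)) + " }"


def nft_rules() -> str:
    """The same policy for an nftables forward chain sitting between the VLANs."""
    return "\n".join([
        "ct state established,related accept",
        f"ip saddr {PC_VLAN} ip daddr {PRINT_SERVER} tcp dport {_ports(PRINT_PORTS)} accept",
        f"ip saddr {PRINT_SERVER} ip daddr {PRINTER_VLAN} tcp dport {_ports(PRINT_PORTS | ADMIN_PORTS)} accept",
        f'ip saddr {PRINTER_VLAN} ct state new log prefix "printer-initiated " drop',
        f"ip saddr {PC_VLAN} ip daddr {PRINTER_VLAN} drop",
    ])


SAMPLE_FLOWS = [                                  # constructed flow records
    Flow("10.1.0.23", "10.1.0.10", 9100),         # PC -> print server: allow
    Flow("10.1.0.10", "10.2.0.7", 9100),          # print server -> printer: allow
    Flow("10.1.0.23", "10.2.0.7", 9100),          # PC straight to printer: deny
    Flow("10.2.0.7", "10.1.0.23", 445),           # printer probing a PC: alert
    Flow("10.2.0.7", "198.51.100.9", 443),        # printer calling out: alert
]

if __name__ == "__main__":
    for v, flows in evaluate(SAMPLE_FLOWS).items():
        print(v, [f"{f.src}->{f.dst}:{f.dport}" for f in flows])
    print(nft_rules())
```

The rule that earns its keep is the printer-initiated one: in this design a printer never has a reason to open a connection, so every new flow sourced from VLAN2 is both dropped and logged, which turns the socket access of slide 33 into an alert instead of an exfiltration channel.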
Protocol-wise mitigation solution: PostScript/PJL sandbox
• Secure PostScript execution/interpreter sandbox
• Set of online/offline tools for analysis & reporting, Wepawet-like but for PostScript-related data
• Subscribe for updates: postscript-sec@andreicostin.com
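As an added example of the kind of pre-check such a sandboxing print server can run (this is not the author's tool), the script below splits a spooled job into its PJL envelope and PostScript body, skips comments and strings, and flags PJL file-system commands and PostScript operators that reach the file system, devices or system parameters. The operator names come from the PostScript Language Reference and the FS* commands from HP's PJL Technical Reference; both sample jobs are constructed.

```python
"""Static pre-screening of a spooled print job, the check a PS/PJL-sandboxing
print server (slides 39-40) can run before the job reaches a real interpreter.
Added example, not the talk's tool: operators from the PostScript Language
Reference, FS* commands from HP's PJL Technical Reference, sample jobs constructed."""
from typing import Dict, List, Tuple

UEL = b"\x1b%-12345X"        # PJL Universal Exit Language sequence
DELIMS = b"()<>[]{}/%"       # PostScript delimiter characters

# PostScript operators that reach outside the page description.
WATCHED_PS_OPS = {
    b"file": "filesystem", b"deletefile": "filesystem", b"renamefile": "filesystem",
    b"filenameforall": "filesystem", b"run": "filesystem", b"status": "filesystem",
    b"devmount": "device", b"devdismount": "device", b"devforall": "device",
    b"setdevparams": "device", b"currentdevparams": "device",
    b"setsystemparams": "system", b"currentsystemparams": "system",
    b"setuserparams": "system", b"exitserver": "system", b"startjob": "system",
}
# PJL commands that read or write the device file system.
PJL_FS_CMDS = {b"FSAPPEND", b"FSDELETE", b"FSDIRLIST", b"FSDOWNLOAD",
               b"FSINIT", b"FSMKDIR", b"FSQUERY", b"FSUPLOAD"}


def _is_regular(ch: bytes) -> bool:
    return bool(ch) and ch not in DELIMS and not ch.isspace()


def _is_number(tok: bytes) -> bool:
    try:
        float(tok.decode("latin-1"))
        return True
    except ValueError:
        return False


def ps_names(body: bytes) -> Tuple[List[bytes], List[bytes]]:
    """Return (executable names, literal names). Comments and strings are
    skipped, so '(file)' or '% deletefile' are not mistaken for operator calls."""
    execs, lits, i, n = [], [], 0, len(body)
    while i < n:
        c = body[i:i + 1]
        if c == b"%":                                    # comment to end of line
            while i < n and body[i:i + 1] not in (b"\n", b"\r"):
                i += 1
        elif c == b"(":                                  # (string), may nest
            depth = 0
            while i < n:
                ch = body[i:i + 1]
                if ch == b"\\":
                    i += 2
                    continue
                depth += (ch == b"(") - (ch == b")")
                i += 1
                if depth == 0:
                    break
        elif c == b"<" and body[i + 1:i + 2] == b"~":    # <~ascii85~> string
            end = body.find(b"~>", i)
            i = n if end < 0 else end + 2
        elif c == b"<" and body[i + 1:i + 2] != b"<":    # <hex string>
            end = body.find(b">", i)
            i = n if end < 0 else end + 1
        elif c == b"/" or _is_regular(c):                # literal name, name or number
            start = i + 1 if c == b"/" else i
            i = start
            while i < n and _is_regular(body[i:i + 1]):
                i += 1
            tok = body[start:i]
            if c == b"/":
                if tok:
                    lits.append(tok)
            elif not _is_number(tok):
                execs.append(tok)
        else:
            i += 1                                       # whitespace, [ ] { } << >>
    return execs, lits


def analyze_job(job: bytes) -> Dict[str, object]:
    """Split the PJL envelope from the PostScript body and report what the job asks for."""
    pjl, body_lines = [], []
    for line in job.replace(UEL, b"\n").splitlines():
        (pjl if line.lstrip().upper().startswith(b"@PJL") else body_lines).append(line)
    body = b"\n".join(body_lines).strip(b"\n")
    findings: List[Tuple[str, str, str]] = []
    for cmd in pjl:
        words = cmd.split()
        if len(words) > 1 and words[1].upper() in PJL_FS_CMDS:
            findings.append(("block", "pjl_filesystem", cmd.decode("latin-1")))
    execs, lits = ps_names(body)
    for name in execs:
        if name in WATCHED_PS_OPS:
            findings.append(("block", "ps_" + WATCHED_PS_OPS[name], name.decode("latin-1")))
    for name in lits:
        if name in WATCHED_PS_OPS:       # e.g. /file load exec: indirect call, worth a look
            findings.append(("warn", "ps_literal_ref", name.decode("latin-1")))
    if body and not body.startswith(b"%!"):
        findings.append(("warn", "no_ps_header", body[:16].decode("latin-1")))
    verdict = "block" if any(f[0] == "block" for f in findings) else "warn" if findings else "pass"
    return {"verdict": verdict, "findings": findings, "pjl_commands": len(pjl)}


UNSAFE_JOB = (UEL + b'@PJL JOB NAME="quarterly report"\n'        # constructed sample job
              b'@PJL FSDIRLIST NAME="0:/" ENTRY=1 COUNT=50\n'
              b"@PJL ENTER LANGUAGE=POSTSCRIPT\n%!PS-Adobe-3.0\n"
              b"/Helvetica findfont 12 scalefont setfont 72 700 moveto\n"
              b"(file) show          % 'file' inside a string is harmless\n"
              b"% deletefile in a comment is harmless too\n"
              b"(%stdout) (w) file dup (leak) writestring closefile\n"
              b"/renamefile load pop\nshowpage\n" + UEL + b"@PJL EOJ\n")
SAFE_JOB = (UEL + b"@PJL ENTER LANGUAGE=POSTSCRIPT\n%!PS-Adobe-3.0\n"  # constructed sample job
            b"/Helvetica findfont 12 scalefont setfont 72 700 moveto (Hello) show showpage\n"
            + UEL + b"@PJL EOJ\n")

if __name__ == "__main__":
    print(analyze_job(UNSAFE_JOB))
    print(analyze_job(SAFE_JOB))
```

A static pass like this catches direct operator use and the PJL file-system commands, and it downgrades a literal reference such as /renamefile to a warning rather than ignoring it; names built at run time (a string turned into a name with cvn, then load and exec) still slip past, which is why the slide asks for an execution sandbox around the interpreter and not just a filter in front of it.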
What's next: PS + MSF + FS + Sockets = PWN (PostScript, the Metasploit Framework, file-system access and sockets combined)
Solutions
Actor: suggested actions
Admins:
• Disable PS processing on printers
• Route print jobs through sandboxed print servers
• Replace PS drivers with PCL ones (well…)
• Disable Language Operator Authorization
• Look for security bulletins and patch
• Sandbox printers in your network
• Include MFPs in the security audit lifecycle
Users:
• Do not print from untrusted sources
• Be suspicious of PostScript files
Vendors:
• Create realistic MFP threat models
• Do not enable/expose super-APIs
Acknowledgements
The Xerox-related PostScript work & research was done under the support of
Thanks to EURECOM for great advice and support on this topic
Thanks/resources
Personal thanks:
• Igor Marinescu, MihaiSa: great logistic support and friendly help
• Xerox Security Team: positive responses, active mitigation
• www.tinaja.com: insanely large free PostScript resources directory
• www.anastigmatix.net: very good PostScript resources
• www.acumentraining.com: very good PostScript resources
Takeaways
• MFPs are badly secured computing platforms with large abuse potential
• Upcoming MFP attacks could include viruses in Office and PS documents that extract organization data
• Securing the MFP infrastructure requires better segmentation, strong credentials and continuous vulnerability patching
Questions: Andrei Costin, andrei@andreicostin.com, http://andreicostin.com/papers
Check upcoming research papers, check www.youtube.com/user/zveriu, join postscript-sec@andreicostin.com
Remote attacks can be used to extract data
37
Sent
by
Drive-
by
Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying
attachment
from
web
Malware exploits
internal netw or
extracts data
Spool
malicious
byte
stream
PHDAYS2012
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Whatrsquos next solutions conclusions
38
PHDAYS2012
Network-wise mitigation solution
39
VLAN1 PCs
VLAN2 PRNs
Print Server PSPJL-sandboxed
VLAN networks Unsafe print jobs Safe print jobs
PHDAYS2012
Protocol-wise mitigation solution PostScriptPJL sandbox
40
Secure PostScript ExecutionInterpreter Sandbox Set of onlineoffline tools for analysis amp reporting Wepawet-like but for PostScript related data Subscribe for updates postscript-secandreicostincom
PHDAYS2012
Whatrsquos next PS + MSF + FS + Sockets = PWN
41
PHDAYS2012
Solutions
42
Admins bull Disable PS processing on printers bull Route print-jobs thru sandboxed print-servers bull Replace PS drivers with PCL ones (wellhellip) bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sandbox printers in your network bull Include MFPs in security audit lifecycle
Users bull Do not print from untrusted sources bull Be suspicious on PostScript files
Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs
Actor Suggested actions
PHDAYS2012
Acknowledgements
43
The Xerox-related PostScript work amp research done under support of
PHDAYS2012
Acknowledgements
44
Thanks to EURECOM for great advise and support for this topic
PHDAYS2012
Thanksresources
45
Personal thanks
Igor Marinescu MihaiSa Great logistic support and friendly help
Xerox Security Team Positive responses active mitigation
wwwtinajacom Insanely large free postscript resources dir
wwwanastigmatixnet Very good postscript resources
wwwacumentrainingcom Very good postscript resources
PHDAYS2012
Take aways
46
Questions Andrei Costin andreiandreicostincom httpandreicostincompapers
Upcoming MFP attack could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Check upcoming research papers Check wwwyoutubecomuserzveriu Join postscript-secandreicostincom
PHDAYS2012
Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 Whatrsquos next solutions conclusions
38
PHDAYS2012
Network-wise mitigation solution
39
VLAN1 PCs
VLAN2 PRNs
Print Server PSPJL-sandboxed
VLAN networks Unsafe print jobs Safe print jobs
PHDAYS2012
Protocol-wise mitigation solution PostScriptPJL sandbox
40
Secure PostScript ExecutionInterpreter Sandbox Set of onlineoffline tools for analysis amp reporting Wepawet-like but for PostScript related data Subscribe for updates postscript-secandreicostincom
PHDAYS2012
Whatrsquos next PS + MSF + FS + Sockets = PWN
41
PHDAYS2012
Solutions
42
Admins bull Disable PS processing on printers bull Route print-jobs thru sandboxed print-servers bull Replace PS drivers with PCL ones (wellhellip) bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sandbox printers in your network bull Include MFPs in security audit lifecycle
Users bull Do not print from untrusted sources bull Be suspicious on PostScript files
Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs
Actor Suggested actions
PHDAYS2012
Acknowledgements
43
The Xerox-related PostScript work amp research done under support of
PHDAYS2012
Acknowledgements
44
Thanks to EURECOM for great advise and support for this topic
PHDAYS2012
Thanksresources
45
Personal thanks
Igor Marinescu MihaiSa Great logistic support and friendly help
Xerox Security Team Positive responses active mitigation
wwwtinajacom Insanely large free postscript resources dir
wwwanastigmatixnet Very good postscript resources
wwwacumentrainingcom Very good postscript resources
PHDAYS2012
Take aways
46
Questions Andrei Costin andreiandreicostincom httpandreicostincompapers
Upcoming MFP attack could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Check upcoming research papers Check wwwyoutubecomuserzveriu Join postscript-secandreicostincom
PHDAYS2012
Network-wise mitigation solution
39
VLAN1 PCs
VLAN2 PRNs
Print Server PSPJL-sandboxed
VLAN networks Unsafe print jobs Safe print jobs
PHDAYS2012
Protocol-wise mitigation solution PostScriptPJL sandbox
40
Secure PostScript ExecutionInterpreter Sandbox Set of onlineoffline tools for analysis amp reporting Wepawet-like but for PostScript related data Subscribe for updates postscript-secandreicostincom
PHDAYS2012
Whatrsquos next PS + MSF + FS + Sockets = PWN
41
PHDAYS2012
Solutions
42
Admins bull Disable PS processing on printers bull Route print-jobs thru sandboxed print-servers bull Replace PS drivers with PCL ones (wellhellip) bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sandbox printers in your network bull Include MFPs in security audit lifecycle
Users bull Do not print from untrusted sources bull Be suspicious on PostScript files
Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs
Actor Suggested actions
PHDAYS2012
Acknowledgements
43
The Xerox-related PostScript work amp research done under support of
PHDAYS2012
Acknowledgements
44
Thanks to EURECOM for great advise and support for this topic
PHDAYS2012
Thanksresources
45
Personal thanks
Igor Marinescu MihaiSa Great logistic support and friendly help
Xerox Security Team Positive responses active mitigation
wwwtinajacom Insanely large free postscript resources dir
wwwanastigmatixnet Very good postscript resources
wwwacumentrainingcom Very good postscript resources
PHDAYS2012
Take aways
46
Questions Andrei Costin andreiandreicostincom httpandreicostincompapers
Upcoming MFP attack could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Check upcoming research papers Check wwwyoutubecomuserzveriu Join postscript-secandreicostincom
PHDAYS2012
Protocol-wise mitigation solution PostScriptPJL sandbox
40
Secure PostScript ExecutionInterpreter Sandbox Set of onlineoffline tools for analysis amp reporting Wepawet-like but for PostScript related data Subscribe for updates postscript-secandreicostincom
PHDAYS2012
Whatrsquos next PS + MSF + FS + Sockets = PWN
41
PHDAYS2012
Solutions
42
Admins bull Disable PS processing on printers bull Route print-jobs thru sandboxed print-servers bull Replace PS drivers with PCL ones (wellhellip) bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sandbox printers in your network bull Include MFPs in security audit lifecycle
Users bull Do not print from untrusted sources bull Be suspicious on PostScript files
Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs
Actor Suggested actions
PHDAYS2012
Acknowledgements
43
The Xerox-related PostScript work amp research done under support of
PHDAYS2012
Acknowledgements
44
Thanks to EURECOM for great advise and support for this topic
PHDAYS2012
Thanksresources
45
Personal thanks
Igor Marinescu MihaiSa Great logistic support and friendly help
Xerox Security Team Positive responses active mitigation
wwwtinajacom Insanely large free postscript resources dir
wwwanastigmatixnet Very good postscript resources
wwwacumentrainingcom Very good postscript resources
PHDAYS2012
Take aways
46
Questions Andrei Costin andreiandreicostincom httpandreicostincompapers
Upcoming MFP attack could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Check upcoming research papers Check wwwyoutubecomuserzveriu Join postscript-secandreicostincom
PHDAYS2012
Whatrsquos next PS + MSF + FS + Sockets = PWN
41
PHDAYS2012
Solutions
42
Admins bull Disable PS processing on printers bull Route print-jobs thru sandboxed print-servers bull Replace PS drivers with PCL ones (wellhellip) bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sandbox printers in your network bull Include MFPs in security audit lifecycle
Users bull Do not print from untrusted sources bull Be suspicious on PostScript files
Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs
Actor Suggested actions
PHDAYS2012
Acknowledgements
43
The Xerox-related PostScript work amp research done under support of
PHDAYS2012
Acknowledgements
44
Thanks to EURECOM for great advise and support for this topic
PHDAYS2012
Thanksresources
45
Personal thanks
Igor Marinescu MihaiSa Great logistic support and friendly help
Xerox Security Team Positive responses active mitigation
wwwtinajacom Insanely large free postscript resources dir
wwwanastigmatixnet Very good postscript resources
wwwacumentrainingcom Very good postscript resources
PHDAYS2012
Take aways
46
Questions Andrei Costin andreiandreicostincom httpandreicostincompapers
Upcoming MFP attack could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Check upcoming research papers Check wwwyoutubecomuserzveriu Join postscript-secandreicostincom
PHDAYS2012
Solutions
42
Admins bull Disable PS processing on printers bull Route print-jobs thru sandboxed print-servers bull Replace PS drivers with PCL ones (wellhellip) bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sandbox printers in your network bull Include MFPs in security audit lifecycle
Users bull Do not print from untrusted sources bull Be suspicious on PostScript files
Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs
Actor Suggested actions
PHDAYS2012
Acknowledgements
43
The Xerox-related PostScript work amp research done under support of
PHDAYS2012
Acknowledgements
44
Thanks to EURECOM for great advise and support for this topic
PHDAYS2012
Thanksresources
45
Personal thanks
Igor Marinescu MihaiSa Great logistic support and friendly help
Xerox Security Team Positive responses active mitigation
wwwtinajacom Insanely large free postscript resources dir
wwwanastigmatixnet Very good postscript resources
wwwacumentrainingcom Very good postscript resources
PHDAYS2012
Take aways
46
Questions Andrei Costin andreiandreicostincom httpandreicostincompapers
Upcoming MFP attack could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Check upcoming research papers Check wwwyoutubecomuserzveriu Join postscript-secandreicostincom
PHDAYS2012
Acknowledgements
43
The Xerox-related PostScript work amp research done under support of
PHDAYS2012
Acknowledgements
44
Thanks to EURECOM for great advise and support for this topic
PHDAYS2012
Thanksresources
45
Personal thanks
Igor Marinescu MihaiSa Great logistic support and friendly help
Xerox Security Team Positive responses active mitigation
wwwtinajacom Insanely large free postscript resources dir
wwwanastigmatixnet Very good postscript resources
wwwacumentrainingcom Very good postscript resources
PHDAYS2012
Take aways
46
Questions Andrei Costin andreiandreicostincom httpandreicostincompapers
Upcoming MFP attack could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Check upcoming research papers Check wwwyoutubecomuserzveriu Join postscript-secandreicostincom
PHDAYS2012
Acknowledgements
44
Thanks to EURECOM for great advise and support for this topic
PHDAYS2012
Thanksresources
45
Personal thanks
Igor Marinescu MihaiSa Great logistic support and friendly help
Xerox Security Team Positive responses active mitigation
wwwtinajacom Insanely large free postscript resources dir
wwwanastigmatixnet Very good postscript resources
wwwacumentrainingcom Very good postscript resources
PHDAYS2012
Take aways
46
Questions Andrei Costin andreiandreicostincom httpandreicostincompapers
Upcoming MFP attack could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Check upcoming research papers Check wwwyoutubecomuserzveriu Join postscript-secandreicostincom
PHDAYS2012
Thanksresources
45
Personal thanks
Igor Marinescu MihaiSa Great logistic support and friendly help
Xerox Security Team Positive responses active mitigation
wwwtinajacom Insanely large free postscript resources dir
wwwanastigmatixnet Very good postscript resources
wwwacumentrainingcom Very good postscript resources
PHDAYS2012
Take aways
46
Questions Andrei Costin andreiandreicostincom httpandreicostincompapers
Upcoming MFP attack could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Check upcoming research papers Check wwwyoutubecomuserzveriu Join postscript-secandreicostincom
PHDAYS2012
Take aways
46
Questions Andrei Costin andreiandreicostincom httpandreicostincompapers
Upcoming MFP attack could include viruses in Office and PS documents that extract organization data
Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching
MFPs are badly secured computing platforms with large abuse potential
Check upcoming research papers Check wwwyoutubecomuserzveriu Join postscript-secandreicostincom