Send Gawker Signature Service with airSlate SignNow

Send gawker signature service

no I thank you and and there's a reason for that I'm going to show you in a few slides why first a question how many printers do you think HP makes a year wait another question are there any HP folks in the audience if you're here you can't answer but for the rest of the people how many printers do you think HP ships a year just shout it out a billion okay that's awesome okay so it turned out it was very difficult to get this figure from a technical person at HP but if you just follow the money Wall Street knows exactly how many printers everyone ships out and if you look at the precision 879 I mean down to the single printer so this is how many units HP shipped second quarter of 2010 if you multiply that out that's about 40 million printers per year if you multiply that out you know since 2005 alright we're talking about hundreds of millions of these LaserJet printers um this light sensor answers why I chose HP printers for my project because they are 41 percent of the global market as far as printing goes right so they're the biggest player and they're everywhere so I'd like to read an excerpt I found after I finished my project I was looking through HP's security solutions white paper from 2006 a concerned citizen asks are occurring HP multifunction printers susceptible to worms and viruses and HP says no silly because most of the viruses and worms in the internet attack now windows-based operating systems and because a Chet hpm FPS use non-standard operating system ok these worms and viruses are not going to affect our products and as if this person didn't really believe that first answer you wrote a second question follow-up are you sure right does this mean that HP MFPs are completely safe from worms and viruses and HIV says well no okay but hackers are more likely to be interested in exploiting vulnerabilities and workstations and servers since they are more widespread and require less expertise ok so this is really my first light and I have about a hundred slides after this that's gonna make this first slide really funny before I do that I like to give a big thanks to jetan Correa my adviser selfs tofo and John Boras who helped a lot with this project and made this presentation possible a little bit of background history I finished most of the technical portion of this project at the end of August or now October right and you know I showed the vulnerability I showed the impact of the vulnerability to a few folks in Colombia and we actually sat down and realized that the impact was a little bit more dangerous than I even thought you know when I first started the project so we agreed that it wouldn't be responsible to come to a place like this and give out all the technical details about the exploit without doing two things right so first contacting HP and getting HP u s-- attention and ii really contacting HP and really getting their attention so we did one of two or we did two things we first you know got a hold of a few good people in the HP security group and you know we got to work explaining the vulnerability to them but we also reached out to a resource an MSNBC who came to the lab you know I showed him my demo I explained the impact of this vulnerability right I didn't tell him really any technical details so I couldn't count that as a disclosure of the vulnerability but you know he got enough of what was possible and he eventually went home and wrote a newspaper article and this was the headline right millions of printers opened to devastate hack-attack I was really excited you know I wanted to read this paper read this article when it came out so I said in an alarm for 7:30 in the morning all right I got up I read this article you know the title was a little pizzazzy but you know the article actually hit most of the points that I wanted to to get people to understand more or less satisfied I go to sleep right I don't wake up until 12:30 and I look at my phone and my phones blowing up just from random people you know messaging me saying oh I'm giong you're on Gawker right I think oh this can't be good so from 7:30 to about like 1:00 in the afternoon this story turned into this story okay could hackers [Music] and okay this is Gawker you would expect something like this but flaming death bomb is a little bit of a hyperbole and I found this one that I liked because it was it starts out really reasonable you know it says can hackers really use HP printers to steal your identity thinking yes this is what I'm talking about somebody's got it and then it goes to and blow up your house okay so that's that's how the first day ended it was it was a headache you know I'm just thinking like we're missing the point here and when you see the actual vulnerability you'll realize not only that fires not possible and I'm gonna tell you exactly why but if you had perfect control of this printer the last thing you would want to do is destroy it right it's a very valuable asset for you now that was the first day here's the second day okay and this this is when security gets really excited you had no idea that I could just there was a lot of smacking and spanking and ah I'm not gonna read all of it but it ends with HP memo spanks Columbia research you're over flaming printer flap you have to say that really fast so I'm thinking oh jeez I'm getting spanked it's awesome and then I just want to show you that one more this is my favorite one okay it's funny for two reasons HP hit with lawsuit over flaming printer hack turns out first reason why this is funny a lawyer had read all the articles from day one and day two okay without contacting any of us at columbia filed a class action lawsuit against HP just by reading Gawker and such that's funny but I actually read the class-action lawsuit that was filed and and really had nothing to do with flaming printer at all but it didn't prevent Wired from writing this article so you know there's that saying right don't let the truth get in the way of a good story and this is a good example of that to be fair there were some folks who did get the gist of what I was trying to say and they did write more or less level-headed articles about what the actual vulnerability is with these printers and you're gonna see for yourself we're gonna have live demonstrations of everything that I've done and hauling these printers from the United States is just pain in their arse and we're not gonna haul it back so I'm gonna donate these printers to the heart we're hiking area downstairs as my housewarming party to CCC so if you want to get your hands on some hardware and play with it come find us after the talk downstairs so this is why I need to thank you guys okay my original security disclosure was done on November 21st on December 23rd HP released 56 new firmwares I'm not talking about device drivers printer firmware for 56 of their printer models ranging from devices that are introduced on the market from 2005 to 2009 and I think you know this is a pretty speedy response and I think this quick turnaround probably had nothing to do with the fact that I'm standing here in front of you guys talking about the technical details about this vulnerability on December 29th so you know this happened in part because you guys are here you exist and you care so this is great here's a list of all the printers that are affected by this vulnerability at least according to HP and these are the printers that have new firmware released on the December 23rd so if you learn anything about what I'm saying today learning that go home check your printer update your firmware it's really important ok so let's talk a little bit about this research in context Who I am why I'm doing this and you know why this is all happening I'm a fourth-year PhD student in the intrusion detection systems lab at Columbia University and here are here's a list of my past publications in various academic conferences and if you read the titles of these these papers you can quickly see a pattern to what I'm doing right for the last three and a half four years I've been basically quantifying and qualifying the nature of embedded secure embedded in security on the quantification front I created this thing called the vulnerable embedded device scanner it basically continuously monitors IP v4 four things that I call trivially vulnerable embedded devices long story short there's about 1.4 million embedded system that ranges from backbone routers pop routers home routers and IP phones teleconferencing units printers etc that are publicly reachable on the Internet and are configured with their default route passwords right in other words one in five embedded device on the internet right now can be exploited without any exploitation you just log in with your default password and you get root on that box so there's 1.4 million of these and after I did the RFU vulnerability or if you attack on HP printers I turned the scanner on to the vulnerable printer population and it turns out that there are over 75,000 vulnerable wait unique vulnerable HP printers out there on the internet right now and I'm going to show you guys some interesting distribution of you know where these things are who is using them etc and on the qualifying front I've been working on various explore offensive techniques for exploiting embedded systems and I've basically done this in a bidirectional approach right looking at things from the top down and the bottom up perspective top down I'm talking about things that make up the internet substrate where the big iron routers that hold the internet together and from the bottom up perspective and looking at you know common embedded systems that are connected on the periphery right on networks that you have at home at work in your school so the top-down stuff I did some interesting work on Cisco IOS shellcode techniques and that was presented and blackhat of this year and today we're talking about exploitation for printers right this is something that you could all have you've all used in the past year and chances are if you've used the printer this year you've probably used an HP printer and all this work is done so we can answer some really fundamental questions about the nature of embedded insecurity all right like can embedded systems be compromised okay I'm standing here I'm talking to you I don't think I have to work very hard to convince you that the answer to this question is yes of course these are written with code that's mantra below there they're much like general-purpose computers except there's a single function all right but if you answered yes to this question few other tricky questions necessarily follow like you know have embedded systems been exploited in the past and more importantly have your embedded systems been exploited in the past or right now and really how do you know for sure right so it's imagine your office you have your computer you have your printer you have your little LCD picture frame doodad that's on the wireless network you have a TiVo and a top set box and a wireless access point and a teleconferencing unit they all seem to work just fine right but how do you know that there's no malware running on that device right secretly sneaking information out of your network or you being used as a backdoor for other people to come in and pone your entire network it's not like we have antivirus for embedded systems right so I want to pause I want you did think about what that means and why it is that we don't have anti-virus for embedded systems we're gonna get back to that thought at the end of my presentation and here is even trickier question okay so suppose I told you that your printer has been owned okay through maybe the vulnerability that I'm gonna show you today can you be sure that you can really remove the malware once the malware has been installed on your printer now cleaning up with general purpose computers is tricky but you know more or less it can be done for most things but I'm gonna show you some techniques that's gonna make cleaning a printer malware very difficult to potentially impossible so with that said let's talk Printers okay this is the printer that I did most of my research on and we have a pair of these on stage and we're going to show you some live demos this is the HP 20 55 DN and just for the record we bought these in what middle of September or October of this year so you know they're definitely on the market and they're definitely still vulnerable here's a puzzle a Cohen okay how does printer update firmware so you have to imagine that you're a printer you're on the network sometimes you print pages out and once in a while you update your own programming what is the most then way to do this you print to it right I'm flipping through HP's manual and I see this remote firmware update using lpr command so I look at that and they say it's probably not a good idea right I click on the link and it's basically a page that explains how to use LPR in the most user unfriendly way possible all right but basically all it's saying is if you want to update firmware on your magical printer just type LPR and some magical dot are a few file right if it prints to the printer then the firmware is magically changed so for folks who know what happens after you press LPR ok you can already see where this is going and it's not gonna be good ok so I look what is this magical are a few father you're talking about I go to HP's website I download this file right from you know this is for my version of the printer which is P 25 or 20 55 DN I look at it and I say ah this looks a lot like just a bunch of pjl commands the first one is a comment you can throw that away the second one is this the pjo upgrade size equals blah and then this is followed by it just that's a third pgl command that enters into this mysterious a CL language right so if you play this stare at the binary blob game for long enough you'll realize that the thing that actually changes the firmware is a pjl command which stands for printer and job language it's a single pjo command and it's a single 7 megabyte long pjl command and that seven megabytes is compressed and not encrypted and I figured this just by looking at the byte distribution looking at the entropy of the data and it's very typical for a compressed file and not an encrypted file and I started flipping bits in this command and sending it to the printer and it turns out this entire command is covered by integrity checking but the big question now is is there a mechanism that stops me from crafting my own pjl command because if I can do that I can just print to a printer and update the firmware in a permanent way right and one way that you know that would stop this from it working is digital signature verification so do that you state signatures so here's a lazy way to sort of approximate instead of River sending the whole thing right away I just look at the the service manual and I look at all the error messages that this printer can produce right so if it does check for signatures you would expect to see something like you know signature verification failed right didn't see anything like that only thing I was able to see was code CRC error send full are a few important now this is a fairly technical output right so I'm gonna go on a limb and say you know CRC doesn't make digital signature and CRC actually means CRC okay so let's just review something obvious about what we've just talked about when you hit LPR right that RFU file is sent to the raw printing queue usually on an HP printer and that once you go to that queue the file is sent I modified unconverted to let's say port 90 100 on the printer right and this mechanism TCP port 90 100 Rob printing has absolutely no authentication mechanism right if you can print a page it'll just let you print there's nothing that says oh you want to print a page please enter username and password doesn't exist and this thing that updates the firmware is a PJ outcome and now it's very easy to embed PJ out commands inside PostScript files right but if you just thought about a little bit harder you can probably figure out all sorts of ways of sneaking this valid pgl command into all sorts of different file formats and if you put one and two together right suppose you are able to craft your own malicious are a few what you would get is printer malware right it's bad it's not that bad but if you have malicious RFU plus some sort of a document attack vector okay you get something much worse or much better I don't know well so first of all you can use this as a spear phishing attack right so suppose I want to penetrate you know super duper secret code right and they have just hardcore perimeter defense and when done guys with guns guarding their base right but they're also hiring so I put a resume you know with along with his malicious are view I packaged together and I send it to HR HR says oh this guy is not an idiot let's print out his resume and consider him right what happens then is the printer will print out my resume and again begin to update its firmware and from that point on I have a persistent foothold into super duper secret co and what if I made it backward steve CP clinician out to the Internet to my laptop all of a sudden have just penetrated the firewall I have a persistent foothold from Internet through the firewall to the printer and now I can run all my reconnaissance and attacks from a printer right which is usually not monitored by IDs so this is the perfect thing to do and this is why if you had this you would not burn it okay you would save it and you wouldn't destroy it and another thing to think about is so suppose I had this attack vector plus I combined it with an existing botnet code for let's say general purpose computers right all of a sudden we're talking about multi species propagation right you can imagine let's say you know I get under your PC using some sort of you know an old a and then I'll find all the printers on the network then I own those printers and from there right I would use the printers to scan it on other pcs to put my malware back onto those PCs so this is something that can spread from computer into printer printer to a computer and something like that it's going to be really very difficult to eradicate okay so all of this depends on ability for me to my ability to reverse-engineer the RFU format and craft arbitrary code into this thing if you want to do something like this I'll save you a week of your life this is what didn't work okay so you can just skip all that stuff staring at the blob work okay but it only gets you so far Ben walk is a great tool that supposed to interpret firmware in all sorts of different ways and give you hints about what is actually potentially in this data for whatever reason Ben Wilk actually failed in this case trying to find standard file system headers and not there because the data is compressed right and googling didn't work because if you just Google HP pjl ACL I'm gonna come up with anything at this point I think this is the middle of September we actually went to HP a little background story the reason why I wanted to do this in the first place was because I have this project that's essentially antivirus for embedded systems my thing is that I can inject this antivirus in an OS agnostic way into embedded systems now we contacted HP to say yeah we're trying to put antivirus on your printer can you a give a super priority RFU format and B you know get back to us soon and of course they said no thanks go away we don't anything to do with you so we went back to the drawing board and I noticed it so I started twiddling with this are a few and it's pretty easy to break the printer but it was also really easy to unbreak the printer all you have to do is turn the power off right hold these two special keys into combination on the front control panel and the boot code would actually boot back up and it would rewrite all of the NVRAM content back to a pristine factory reset so it basically just does a clean slate factory reset so I start getting this idea okay so if I can get physical act I mean the answer is in that box right so if I can get physical access to the boot code I should at least be able to see how I can write the mm and if I get lucky I should probably be able to see some code that tries to parse were validated and are a few file and if I have that I should be able to get some sort of specification for this thing and then figure out how I can pack my own code into this format that's very mysterious all right so I hit this nervous manual this is a page at the circuit diagram for the p20 55 and you'll notice that there are two big rectangles right the formatter board and the control PCA and there's this little thing here and I want to just take a moment to digress and just say okay the printer fire story's just got it totally wrong if anything we proved in our lab that you cannot turn a printer into flaming death bomb and here's why okay this is something I wrote to my advisor slid it under his door and say this little thing here is a ceramic heater is good for fire right but here are these thermal switches that cut off things get too hot and that's bad for fire and in fact I brought the original sheet of paper okay then you just maybe you saw in the YouTube video I put the fuser on this printer hooked it up to a 24 volt 10m power supply put this piece of paper on stood there and watch for 15 minutes and this is how it burned it just Brown the paper okay so fire on this thing really not that possible you can actually look at it if you want and pass it around in the crowd what I I think my advice would do one sit back we're gonna make a t-shirt out of it I think but anyway so we looked at you know I went through and looked at about six different models of printers and generally this is the design that I was able to figure out okay in the HP printer there's actually two microcontrollers at work at least to the the formatter board is where most of the general-purpose computing happens this is where your web server runs this is where your telnet server your format conversion blah blah blah right your SNMP LDAP sips just everything so if you wanted to write malware that's useful this is probably the place where you want to live but there's also a second microcontroller called the engine controller board okay this microcontroller is also programmable it seems like through the RFU format and this is the thing that actually keeps track of you know turning on and off the the engines and and the little roller is putting the paper at the right place turning on the laser turning on the heater and the fuser and all this stuff so this is where the real-time printing mechanism is controlled and on this formatter board you have your usual NIC controller some piece of memory that you boot from volatile memory and in some cases persistent storage okay so now I'm starting to rip apart the printer right this is how I destroyed the first one but I got this information the formatter board is is armed okay it's this chip here 8 8 PA 2 al 2 - tah 1 long story short I spoke to dozens of yield pirates in Asia trying to get the datasheet for this chip but this is by NDA so I can buy a thousands of these chips and they can send me pictures of their stock and they can sell it to me for you know just a few cents per chip but nobody can even give me a pin out of the chip that they're trying to sell me and there are lots and lots of these vendors it's really fascinating but the rest of the board there was one thing that actually made my job really easy and it's the suspension FL o 6-4 P alright and it turns out that that's a flash chip that's a flash chip that the printer boots off of when you do a factory reset so here's what the formatter board looks like you know in real life this socket thingamabob I soldered on myself right and this is after I learned how to do surface mount soldering I'll show you some pictures of what I did before I had a higher rework station but I did this so I can actually switch different flash chips in and out to have the thing boot up in different ways to poke at the hardware okay so this is the datasheet that I was able to pull off of digi-key or somewhere for the flash chip so this is just a very standard SPI interface right this is a stock component so for example if you want to read some memory address you just send a one byte command followed by three bytes of target address and you just wait on the output pin for the contents of that address right pretty simple I also want you guys to keep to look at this the right control right you can actually lock pages in this flash chip keep that in mind that's gonna be important for later so you know I take the chip off I look at the pin out it looks like exactly the same chip I have on the board so I basically you know send my read commands in here now wait for the output here alright and if I could do that I can just you know dump the the content of the boot chip and then figure out how this thing actually boots up and right to NVRAM etc so I bust out my trusty old Arduino okay I built this very simple I spared dumper basically just 40 lines of code I mean it's really not that big wrote a small Python script to control the Arduino so I can get the data back save it to a follow my laptop and analyze it in HIDA pro okay this is what I built first you see how I just have no idea how to solder and PC board this is my monkey soldering I basically just got the pins straight to the Arduino and it worked but it was it worked terribly and it wasn't reliable at all and just got all sorts of noise so I gave myself a b-minus for this effort and then I have a temp - same thing same monk monkey soldering got the chip off of the board taped it duct taped it to my desk throw up a lot of duct tape and it worked perfectly right so this is how I got a plus with just massive amounts of duct tape so after a couple hours right I come back to my laptop and I slurp this into Ida Pro and I started looking at the strings and the code in the boot sector and it makes some very interesting observations so first the code thing said the chip that a boot off of is a boot spi wrong okay wrong but we it's obviously not because this is writable it's a flash chip the chip has eight megabytes of capacity and it has a small bootloader and right after the bootloader actually is a a small factory reset RFU this is just the minimum feature set RFU that's meant to get you back in the network the webserver back running so you can actually start you know updating the firmware that you want and look at there so there are a few parser right because it needs to you know read this are a few the RFU parser is actually in the boot code right so if i can just sit there in reverse engineer like this much random arm code i would be able to figure out the format of the RFU and this is the content of the wrong right right after the bootloader and I noticed this funny little sequence here the UAT sequence right I remembered maybe seeing that before so I think let's look around here is the the slide that I showed you you know five minutes ago in the beginning right can you guys spot where UAT is yeah it's right here it's right underneath HCI so I'm thinking ah you know if this thing is parsed right and it has a uit header and looks a lot like the same format as this so maybe the bootloader code okay well parse the thing I downloaded from HP's website to write so I start reversing the code and I started getting the tense and staring at it a little bit more I figured out some structure to this code first of all okay so if you look at upgrade sighs okay this is obviously decimal represented and ASCII you convert this thing into a hex and you get 7 9 0 0 3 2 which is super close to the nice round number array 7 9 0 0 0 0 so I'm thinking what what is this 32 all about right 50 you shift and realign so I throw away the first two commands right I throw away the pjo comment and the upgrade size and then I jump to bite 50 inside the actual command that parses the RFU I'm sorry no no this is that's an image I can't sorry look closer but anyway so right if you jump to a nearby 50 you get uit so things are really starting to fit together right so there's a 32 at 150 byte header and the rest of it is the rest of the payload shift again for realignment now I look at the first two words before the UAT header right I read 0 for the first word and 0 0 7 9 0 0 0 0 right so things are really starting to fit these things are starting to converge so this is this looks like you know the format of this binary string right you have the start address and address this mystery header and then various payload which describes the structure of the rest of thing which contains multiple compressed files for you note the update package now at this point we've talked to come or we've talked to HP and various Columbia folks and we've agreed to not release the checksum algorithm and not release the the UAT header format until folks have more time to go home and update their firmware like I said firmware released on December 23rd but that's you know not enough time for people to do this and roll it out and test it my goal for this presentation is to convince you that this vulnerability is real right it's exploitable and I want you guys to go home and tell everyone that it's time to upgrade your printer firmware so with that said I start you know scrubbing through the rest of the data or the data section in the in the bootloader and I find this you know I'm thinking yes right verify from Ricky's super secret bypass of crypto key enabled I think I don't care what this thing does I have to use it in my project because that's just this such a good freebie it turns out I didn't actually have to even use the super crypto super secret crypto bypass but here's what I did you know so I figured out the RFU format I was able to unpack and pack all of the the form words that are available for download and made some observations about what's inside this are a few now I can't tell you that the compression algorithm right but I can tell you that the specific version of the compression library that is compiled into this printer has a known stack based buffer overflow whether that's a you know exploitable for arm you know that's another story but at least there's a known bug in the the boot code of this printer and what's inside there are a few is essentially just the VxWorks operating system right it doesn't have the MMU Edition doesn't have any memory separation whatsoever no kernel level security right and everything basically runs to supervisor mode on the CPU which means if you have a vulnerability that gets your arbitrary code execution you win and you win completely and the whole device right I've vulnerability like this so but then I thought oh you don't even have to do that right because we're gonna just walk through the front door and use and not exploit a bug but just use the feature right the RFU update standard is a feature that is supported and all of these laser jet printers so this is actually much better way to do it because it's more you know reliable then you know exploiting a very specific version of a library ok so let's talk about the proof of concept you know John's gonna warm up and do his thing the actual Packer that packs arbitrary RF use right for this demo is 200 lines exactly 200 lines of Python and this includes comments spaces commented out crap and I just want to brag a little bit that I actually wrote a unit test for this thing so I'm really proud of myself what were you about to see is essentially if the experts work it no I know there's gotta be better ones out there but you know I didn't know anything about vxworks when I started so I want to write my own this is basically 3k of arm assembly and it really has two features that we're going to show you in the demo the first one is a print job duplicator I mean it intercepts but it basically duplicate the job that gets sent to the victim printer and then it forwards it on to another IP address and the second one that you're gonna see is a reverse IP proxy right like I said before suppose I got this malware on a printer in SuperDuper secret Co but I can't get access into the the environment inside because of the firewall this reverse proxy will what when the printer boots up the reverse proxy would activate it'll connect outward through the firewall to my laptop and from that point I can use the printer as a launching off point I can you know do start doing reconnaissance and I can actually what we're gonna show you were gonna show Metasploit working through this IP tunnel and we're gonna get reached out on that XP desktop laptop thingamabob over there all through the printer so to put all this thing all this stuff together there's two components there is a our efi Packer which is about 200 lines that just talked about it takes an arbitrary by an elf binary and it spits out a pgl command that you can send to the printer and the second part is just you know mice in do stuff that I rework to make this thing happen and it really all it does is cross-compilation the malware code right there's some binary rewriting some function of hooking and that input it takes the original firmware for the printer uncompressed and it spits out a modified version of this firmware right so obviously you take output of this you feed it back into this and you get a PG l string that you can use I included some details for people that may want to do this but it's really not for reading but I want to show you this okay some mystery programmer types and the data section is full of this gold I mean you've got you have to read through it I think do not type plot you will end up inside a small building with keys on the ground so I saw this yeah three o'clock in the morning and I thought maybe some mystery programmer wrote this 3 o'clock in the morning many years ago so like I hear you you're out there so this is a slide that I want to show you okay this is important detail this is my main make file okay it's two lines all it does is called pack the firmware right with the prefix that you want and then lpr the firmware to the printer so this is basically print a poem right you do this and it just sends the thing to the printer and it'll work okay so we're ready for the demo and I just want to say we did sacrifice the demo gods because I got so I got checked all my equipment is okay with 240-volt except for the little power strip so I plug that in smoke ever in my hotel room the electrician from the hotel comes up and we're just like I don't know why I like none of my sockets work in my room like can you take a look so we actually bought this guy which I also blow up we returned that and bought two more so we're gonna show you the demo now alright the first demo we're gonna show is the print job replicator okay so basically what's gonna happen is oh so first let me explain a little bit about the network topology here right so this makes sense this red cable here represents Internet okay this is the only thing that connects this stuff to this stuff down here is a Cisco router that we're going to call our perimeter firewall right this is a compromise printer that's behind the corporate environment we have this XP machine that we're going to try to own through the printer and John is an employee of super duper secret oh so he's going to print his tax return on that printer because he likes to pay taxes and now what's gonna happen is that the tax return is going to be sent to this printer but then the printer is gonna afford all the package that it gets to my laptop over there which is why we're you seeing the scrolling and once I read the end of this file I'm going to forward that to a printer on the internet and it's gonna print exact same document now in our original demo we showed that we can tweak your social security number and whatnot but I don't have internet tippity but hopefully I can convince you that all right doing this is not all that difficult I can scribe out whatever information I want and exit rate it any way I want all right so this is all done through this internet cable here second line is gonna be a little bit more exciting so I just want you just gave away your tax return all right so we're gonna show you the second one where we're gonna use the reverse IP proxy right to make this printer compromise this machine to get reverse channel back out through the firewall here so what happened here is John just activated the you touch the wrong sorry I know what's going on yeah okay so John just activated the Riverside proxy right he's gonna use Metasploit to essentially send the good old MSRP see vulnerability to the laptops IP address right which is an I'm going to forward that packet to the printer right and the printer is going to be instructed to for that packet to this machine here okay and now this machine is gonna make we just spawned on meterpreter shell back to my laptop through the firewall out on the internet you see that okay okay let's just review what we just did we made a printer pone a machine to get a reverse shell out and Internet to me okay so this is what can happen if you don't lock down your printers okay done so we did the sacrifice paid off there was demo guide wait a minute don't die on me now oh all right hey PowerPoint there will be a short intermission okay we're gonna try this again I do full screen this name all right no more PowerPoint when you just do this PDF style this is reviewed so you don't forget about what I just talked about totally plan okay so we go back to you know all right so you saw what the the malware is capable of doing so let's talk about attack vectors how do you get this RFU this malicious code onto the printer okay there are two obvious ways to do it what I'm going to call the active method and what I'm going to call the reflexive method active is very simple okay so if you can connect make it Network TCP connection to port 9100 on your victim printer you can do this you just connect to the port push this malicious RFU through kill the TCP connection and the the firm will start updating and this is true because prior to the December 23rd patch RF you update is turn on by default on all the printers that you saw in that list and well doing this to port 9100 has absolutely no authentication mechanism so if it's on then anyone who can connect to this printer can do it reflexive attack is a little bit more complicated right so here we're embedding the malicious are viewing a document let's say in a resume and mailing it to someone and hoping that they'll print it out but then again you know if you're sending a resume or like a gift certificate or something right it probably wouldn't be all that difficult so let's talk about the quantitative scope okay this is the TR message from HP right after the public disclosure and it reads the specific vulnerability exists for some HP LaserJet devices if placed on a public internet without a firewall you know I subsea on earth would do that right actually 75,000 people did on the planet so we scanned using our scanner for the last month and a half and we found seventy six thousand nine hundred ninety five unique vulnerable HP printers on planet and forty three of these printers belong to government's and 16 of them belonged to the US government and here's the thing I love okay there are nine printers on the planet named payroll and they all belong to universities and I'm just gonna skip save the question yes one of the payroll printers is Columbia and yes we locked it down so okay and it says and this is something that you rarely ever read great Linux in some Linux and Mac environments and may be possible to do blah blah blah right this bad thing but implies the Windows not possible so I'm not gonna sit here and try to convince you guys that you can't do this in Windows because anything that prints can do this and Windows can print so Windows can do this but if I have time I have some really funny backup slides about a support case that I had with Windows to get a bug in Word fixed so this attack would work insight word but it's not really that it was a feature that it was supposed to work but so let's talk about the quantitative quantitative scope of the reflexive attack okay so we're not talking about you know 76,000 printers anymore we're talking about all the printers HP shipped that are vulnerable to this attack between I don't know like 2005 and 2000 now right like I said before you know we're not talking out a hundred thousand this is not a million right this is not even ten million we're really in the order of hundreds of millions of potentially vulnerable printers and like I said before if you think about a malware that takes this combines it with you know takes attack factors that involve general-purpose computers combine this with let's say a firmware update attack for embedded systems right you can imagine how difficult this thing will be to eradicate yeah so let's look at just I want to give you a feel about how easy the reflects of a postscript attack is okay this is a standard PostScript file somewhere in here it describes my resume alright and when it's done I just do this very simple thing I say yo J and a job okay and the printer is gonna receive this file and says ah I am processing PostScript file I am printing PostScript file I have reached end of job I am going to process new job I am entering language a CL am now updating firmware cuz that's totally reasonable I am done updating and the nice thing about it is it's actually gonna print out the resume so it's gonna be fine and unless you're staring at the printer you won't notice that you know jobs aren't being printed for a minute and a half which is basically how long this takes to work all right and for most of this update process your printer actually responds to pings so it's not like if you constantly pain the printer you're gonna see oh this thing went down for a minute and a half it's about like a 45 second downtime on the network okay so everything I talked about here applies to the 2030 and 2050 model like I saw before HP released 56 firmware so there are different types of are a few formats out there they're slightly different but you know so if you repeat the same exercises that I did it really wouldn't be difficult to figure out the format for the printer that you're interested in and the other day John and I threw up this little diagram just to see what so we unpacked a lot of HP printer printer firmware and we just wanted to really quickly see you know what's underneath what I say is right and when the operating system is so you know it looks like most of them run MIPS and most of them run this thing called Lynx OS don't know very much about either but you know that's what we found so this idea that you know HP printers have a lot of diversity in the software maybe but you know it looks like there's a lot of shared code right in these models here so here is how you can go home run home and verify to see if your printer is vulnerable to this attack or not right lock down your printer any way you can every way you can maybe according to the HP in this guide which is actually fairly useful download the printer RFU for your model and just print to it okay from firmware changes you're not ok and if you're firmer doesn't change you're probably good and some obvious immediate mitigation right you want to disable RF use this is actually a harder than you think because for most of the models I looked at you can't actually disable the RFU feature from the weapon interface or the tonette interface you have to download this thing called website admin or some other tool right and use this massive control software to actually disable RFU's and well you probably want to a call off your printers so that only your print server can connect and send jobs to the printer you probably want to fill through some jobs fill through the jobs on the print server but if you saw Andre Cussons talk yesterday and you can think about how you can put that together with this and see maybe you know PostScript being a Turing complete language have the PostScript generate on the fly and RFU which was then printed so you really can't filter this easily without right emulating PostScript on your filter right so this is not something that's really gonna be that easy to prevent and of course okay most places you can you can well you can't cut off people's access to the internet because they'll probably if they can't Twitter they're gonna burn the building down but your printers don't complain and they don't need to talk to Twitter okay so you should probably segregate your printers on a network that is away from the sensitive stuff on internal network and also can't talk to the internet alright so this is just a good thing to think about now that being said on the 2055 all of these steps actually proved to be irrelevant prior to the December 23rd firmware update I haven't looked at this update but with the older version of the firmware before the release there was no way of disabling the RFU update feature right either either in the website admin tool or any of the interfaces that I saw the results of this thing called the pjo password which was supposed to prevent unauthorized pgl commands but it didn't actually prevent this command so you can set a password on it and this one just flow right through long story short there's just no way to disable this attack prior to the December 23rd firm which is why you should go home and update your firmware print printer firmware and you need to do this quickly ok because it's a race so whoever it gets on the printer first can probably win forever now here's why now if I'm the bad guy right I generated malicious RFU I have it on your printer the first thing I probably want to do is just disable our few updates right so you can't get rid of me I could be a little sneaky and just update the firmware version strings in the right places so you think you updated your firmware alright but I probably won't let you do any more firmware updates and that's not it that's not all I can actually potentially right my malware into the boot flash chip I remember when I told you about the right controls here right so if I could do this I can probably just lock all the pages and on some of these flash chips there's a feature where you can write or you can lock once permanently now if you can do that then your malware is physically resident you know inside this printer and the only way to get rid of it is to desolder there's the chip from the board but realistically you you're gonna want to buy a new printer basically but it's not like you're gonna do that because we don't have any antivirus for embedded devices so you won't even know that you've been compromised okay so I'm mostly done with my presentation I want to leave you guys with you know a talk on the bigger picture of embedded defense okay so let's not just think about this immediate Vanar ability but let's just think about the nature of embedded and security all together now HP's reaction which is very predictable and pretty nature is to say ah you are arbitrarily crafted malicious RFU's so we're going to prevent you from doing that we're gonna digitally sign all the firmwares which is one of the features that they rolled out but I don't have to convince you that you know sign code doesn't mean secure code right because you're going to go ahead and sign that compression library that has the buffer overflow in it that's just gonna be assigned vulnerability right so it's like you know putting up your thumb to block out the Sun right this specific vulnerability won't work anymore but we can just go back to buffer overflows right to own the printer you know let's use a general-purpose analogy let's say if Microsoft said you know we're gonna cut off all third-party antivirus and everything that runs on the kernel is going to be just signed okay and but that's okay don't worry about it you probably say no thanks but if HP says the same thing right right now this is sort of just accepted that is okay now I'm gonna say that that's probably not in the right direction right so if you really think about real embedded defense and what you want out of it it actually ends up being a lot like just real regular defense right you first want host base defense for these things to exist right they don't exist now they it should exist you want this thing to be a well-known defensive mechanism right you don't want any more obscure secrets don't worry you'll never guess the magic number type of Defense and you want this thing to be essentially decoupled from the operating system right because the operating system is the untrusted code that you're trying to protect so you can't really say my operating system isn't secure but it protects itself right and you know OS fortification is a good idea we should continue to do that but it shouldn't replace independent security software living on the host on an embedded system and this is my plug ok this is what I've spent the last three and a half years of my PhD career working on I've created this thing called the software symbiote it's something that can inject generic host base defenses like rootkit detection into arbitrary programs binary firmwares in an OS agnostic manner and we've shown that this does work we've injected rootkit detectors into many different types of physical Cisco routers across tens of thousands of different iOS versions and if you actually want a sensor you want to test it out please email me privately because we're actually trying to get people to to test out our defense and see you know what's good and what's bad and I'm hoping that we can do this I'm hoping I can get back to my original project which is put defenses on two printers so this type of attack can't happen and hopefully I can do this in 2012 and actually demonstrate that this is not just you know iOS version independent but operating system independent right I can get the same defense to work in a router as a printer so that's it that's right funny right awesome talk so we've got ten minutes for questions and I believe all the angel of the back there has the microphone for questions in the audience so if you have a question could you put your hand up please okay we'll start with this gentleman here right at the very back what sort of performance can you actually impact the malicious code into could you files and put it in word doctor PDF file which come I supplied for printing okay so you know for my demonstration I only put it in PostScript but this is close enough to my backup slide that I want to show you this really funny Microsoft story so I'm looking at you know all the legit ways I can put pjl commands inside a Word document and it turns out that there is an actual feature in word that does exactly this it's called print field okay and it just does just put up whatever pgl command you want in the doc on you it couldn't be printed now problem is there was a bug anything that was longer than 240 characters introduces random weird character in it so I'm thinking well this is not the specification I'm going to open in a support case with Microsoft and happen to fix it and they tried okay we spent this guy spent two months trying to figure out why it was not okay but what didn't work when I tried to put a 7 megabyte pjl command in something that great it's something that it was supposed to supercontinents ease the characters and you know dozens and dozens of exchanges later never once it he asked why are you putting seven megabytes of data in this thing it's not supposed to be the way but actually HP released a driver update on December 1st after we made their disclosure to them and this guy poor guy comes in the office and tries it again and all of a sudden this big scary pop-up box comes up and says you can't do this anymore it go away thanks long story short well I haven't tried any other document formats yet but I think that if you think about the way that the Cup server converts your binary right as long as you can have your pgl command survive the conversion intact or have it be generated somewhere in the process and they have it survive intact when it's once it reaches the printer this is definitely possible right exactly which formats it's possible right now you know I can't really say but I would expect that many different file formats would be possible with this type of attack we'll take this Cena have we got any questions from the IRC yeah that's stupid question right okay we'll go with these guys here cuz hopefully your questions aren't dumb okay first of all I have small note basically a princefield command and war document were practically demonstrated like in 2010 yeah so that's not news but the question is is like from both the 56 firmware updates actually the reason why you cannot disclose the compression algorithm is because they just deployed the fixes with disabling there are a few and still working on the signature link or they deployed the signature but they it's not in my slide I have the link to the exact SS RT there were there two revisions the second one actually details I think something like 20 different printer models have introduced the feature for signature verification right the rest of them that had signature verification it's my understanding I just looked at it you know I just read it not an HP product person but I think the rest of them or all of them have disabled are a few update by default right and some of them at the it's actually now possible to disable RFU updates on those printers like this one so that's been patch to printers where you couldn't disable this feature before you can now so this is really important for everybody to go home check your printer and just update the firmware okay you've shown this job control language command where you can choose which language the following blob is have you actually tried using the PostScript console for that's right I just saw the talk yesterday so I'm gonna go home and check it out actually so I'm gonna take these printers down to the hardware hacking area then probably just try that so you know come find me after the talk and we'll find out right okay okay more questions back here oh okay sorry sorry so um one question is about okay one question is about so don't put it to my mouth okay I would not want to eat the microphone okay so my question is about self-modifying code so facts for example you make they make them in a pop-up box that detects our data do you want to do something evil so at least I understood that it at that I understood like this driver said in the pop-up box now it's not possible anymore it always so if you make self-modifying codes for example you make this payload maybe X or by some some some some short string and then you make the self-modifying code into PostScript and it edit these ciphers in the prints of memory and then gets executed exactly so I mean that's not the only way you can get this thing to print through you know word I'm sure there are lots of other ways I just wanted to use the PGR print coding because it was cute and it was an actual feature that I thought it would be great if it works but it didn't so but yes you know like that's the thing you know I'm gonna try out what I heard yesterday and maybe potentially compute right there are a few on the fly so that filtering would actually be very difficult and maybe have the thing print to itself right who knows maybe that's possible hi what's the chances other printers have these kinds of vulnerabilities ah I can't really I mean I don't want to say I mean I don't answer is I don't know but it wouldn't surprise me if other printers have this vulnerability right I don't think I think Andre mentioned yesterday that Xerox printers would share a lot of common history I think with HP printers also can update the firmware through you know PostScript there p GL interface so maybe there are sprinters but I don't know I mean it wouldn't surprise me of others have the same vulnerability basically hi I was wondering if you could elaborate on your fingerprinting are you relying on like a version string or what else what I mean what do mean by fingerprinting like you were you were fingerprinting all the printers on the internet oh oh so I did that by a few different ways you know by looking at the the web server the telnet prompt banner and by looking at there's this actual command that's um I think pjl info Pradhan faux on some models of printers it would actually just return the entire chassis ID and then the model number etc so we put all that data together to find it to figure out this figure and we have one question here from IRC that's got being voted up a few times and it doesn't seem totally stupid the other one was can you make the printer blow up like have you actually watched the tour okay okay I've got a question is there an attack and do wild you know this is a really great question and I don't think we know why because you don't have detectors anti-virus for embedded systems to find this type of thing which is why my original project was to inject right this type of detector into the printer to fight figure out if printers happen exploit it in the wild right and that's exactly what I've been trying to do with the Cisco router sensor because if you think about it you know this code is very old we've talked about vulnerabilities for these things the question is not can they be exploited but have they been exploited and if so how sophisticated is the payload right we don't really know for sure because we have no good way of finding these things which is exactly why I've been working on the software symbiote project okay and I think that's I think we're out of time we've overrun by a couple of minutes so I think it's time for a massive round of applause for the whole team especially John John get up man I think this I think their supervisor getting need to stand up and take the power up sponsoring the work