PostScript: Danger Ahead?! Andrei Costin <[email protected]> Affiliation - PhD student

Upload: positive-hack-days

Post on 29-Nov-2014


TRANSCRIPT

Page 1: PostScript: Danger Ahead?!

PostScript: Danger Ahead?!

Andrei Costin <andrei@andreicostin.com>

Affiliation - PhD student

PHDAYS2012

Slide 1: whoami: in-between SW/HW hacker

• Mifare Classic / MFCUK
• Hacking MFPs (for fun & profit)
• Holistic security interest
• http://andreicostin.com/papers

Slide 2: Agenda

1. Quick refresher
2. What about PostScript?
3. So what, and how did you find it?
4. Attacks in a nutshell
5. Solutions and conclusions

Slide 3: MFPs carry large abuse potential

Slide 4: MFP hacking goes back to the 1960's

• "Spies in the Xerox machine"
• The "micro"-film camera marked X (patent drawing, 1967)
• Electronics/hardware hacking

Slide 5: Modern printer hacking goes back almost a decade

• 2002: initial printer hacks (FX/pH)
• 2006: broader & deeper printer hacking (irongeek)
• 2010-2012: revived printer hacking interest
• This talk focuses mainly on remote code execution inside MFPs/printers

Slide 6: In 2010 demo'd mapping public MFPs

http://www.youtube.com/watch?v=t44GibiCoCM

Slide 7: ... and generic MFP payload delivery using Word

http://www.youtube.com/watch?v=KrWFOo2RAnk (there are false claims on this discovery)

Slide 8: ... and generic MFP payload delivery using Java

http://www.youtube.com/watch?v=JcfxvZml6-Y

Slide 9: Agenda (repeated; section 2: What about PostScript?)

Slide 10: PostScript, who? It's Adobe's PDF big brother

Slide 11: PS is built to handle complex processing tasks

• Graphics & patterns
• Complex math
• Web servers
• Ray-tracing
• OpenGL
• Milling machine
• XML parsers

Slide 12: Then what exactly is PostScript?

PostScript IS NOT just a static data stream like

PostScript IS a:
• Dynamically typed & concatenative
• Stack-based
• Turing-complete
• Programming language

What does it all mean, exactly?

Slide 13: What happens when printing PS?

Case 1: User writes the doc and hits Print -> the PS printer driver transforms it into a PS stream for the specific device -> the PS data stream executes on the PRN.

Case 2: User opens a PS file from email/hdd -> a PC-based PS interpreter processes it -> the PS data stream executes on the PC.

In both cases the PS data stream IS A PS program. Program != static data.

Slide 14: Demo1: "Programming language" aspect

Programming languages 101: control statements (if/else, loop, while).

Simplest DoS attack is an "infinite loop" (the loop operator).

Slide 15: Demo2: "Dynamically typed, concatenative" aspect

You wonder why your smart IDS/IPS rules stopped working? Here is why: ps_dynamic_statement_construction_and_execution.ps. Obfuscation at its best, built into the language.

Solution? Bad news: a dynamic execution sandbox is needed. Good news: it's coming up, see the sandbox slides below.
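Demo2's point is that a job can assemble an operator name at run time, so a rule that matches the literal name never fires. The scanner below is an added example, not code from the talk or from its ps_dynamic_statement_construction_and_execution.ps demo: it tokenizes a PostScript job and keys on the few operators any such job must still call to turn data into code, and runs over two constructed sample jobs, one static and one Demo2-style.

```python
import re

# Operators that turn data (strings, names) into executable objects or run them.
CODE_FROM_DATA = {"exec", "cvx", "cvn", "token", "run", "eexec"}
# Operators that reach the interpreter's file system or device layer.
FILE_AND_DEVICE = {"file", "deletefile", "renamefile", "filenameforall",
                   "setdevparams", "setsystemparams"}

# Everything except (...) strings, which need a nesting-aware scan (below).
_TOKEN_RE = re.compile(r"""
    %[^\n]*             |   # comment to end of line
    <<|>>|[\[\]{}]      |   # array, procedure and dictionary delimiters
    <[0-9A-Fa-f\s]*>    |   # hex string
    /[^\s()<>\[\]{}/%]* |   # literal name, e.g. /showpage
    [^\s()<>\[\]{}/%]+      # executable name or number
""", re.VERBOSE)


def tokenize(ps):
    """Yield (kind, text) per token; kinds: comment, delim, hexstring, literal,
    name (executable names and numbers) and string."""
    i, n = 0, len(ps)
    while i < n:
        c = ps[i]
        if c.isspace():
            i += 1
            continue
        if c == "(":                      # (...) strings nest and use \ escapes
            depth, j = 0, i
            while j < n:
                if ps[j] == "\\":
                    j += 2
                    continue
                if ps[j] == "(":
                    depth += 1
                elif ps[j] == ")":
                    depth -= 1
                    if depth == 0:
                        break
                j += 1
            yield ("string", ps[i:j + 1])
            i = j + 1
            continue
        m = _TOKEN_RE.match(ps, i)
        if m is None:                     # stray byte (e.g. unterminated '<'): skip
            i += 1
            continue
        text = m.group(0)
        if text.startswith("%"):
            kind = "comment"
        elif text in ("<<", ">>", "[", "]", "{", "}"):
            kind = "delim"
        else:
            kind = "hexstring" if text[0] == "<" else "literal" if text[0] == "/" else "name"
        yield (kind, text)
        i = m.end()


def triage(ps):
    """Count data-to-code and file/device operators and return a verdict. A name
    built at run time is invisible to literal matching, but the job still has to
    call one of these operators to execute it, so they are what we key on."""
    counts, strings = {}, 0
    for kind, text in tokenize(ps):
        if kind == "string":
            strings += 1
        elif kind == "name" and (text in CODE_FROM_DATA or text in FILE_AND_DEVICE):
            counts[text] = counts.get(text, 0) + 1
    dynamic = any(op in counts for op in CODE_FROM_DATA)
    file_access = any(op in counts for op in FILE_AND_DEVICE)
    if dynamic:
        verdict = "review: builds or executes code at run time; literal signatures are unreliable"
    elif file_access:
        verdict = "review: touches files or device parameters"
    else:
        verdict = "static: no data-to-code or file/device operators seen"
    return {"operators": counts, "strings": strings,
            "dynamic": dynamic, "file_access": file_access, "verdict": verdict}


# Constructed benign job: draws a box, shows a label, ejects the page.
STATIC_JOB = """%!PS-Adobe-3.0
%%Title: (static demo)
newpath 72 72 moveto 200 0 rlineto 0 100 rlineto closepath stroke
/Helvetica findfont 12 scalefont setfont
72 200 moveto (Invoice (draft) for Q1) show
showpage
"""

# Constructed job in the style of Demo2: the operator name never appears as one
# token; it is assembled in a string at run time and handed to cvx/exec.
DYNAMIC_JOB = """%!PS-Adobe-3.0
/a (show) def /b (page) def
/s 8 string def
s 0 a putinterval
s 4 b putinterval
s cvx exec
"""
```

Driver-generated prologs use exec and cvx legitimately, so treat the verdict as a triage signal that routes a job to the sandbox, not as a block rule on its own.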

Slide 16: Demo3: Real-world application: MS Office PS crash

• Submitted to MS
• Apparently this is not exploitable as in smash-the-stack attacks
• But it opens an interesting perspective on MS Office...

Slide 17: Demo4: Real-world application: GhostScript autoprn

• One's got to love custom extensions
• Sends a print-job stream directly by just opening the file
• Requires more investigation, but the perspective is interesting...

Slide 18: Dynamic document forging/generation + SocEng

[figure: user computer vs. user printout]

Slide 19: Dynamic document forging/generation + SocEng

• Computer side: SocEng bait
• Printer/MFP side: PS virus

Slide 20: Where is PostScript? (Vendor-wise view)

• Applications incorporating the PS interpreter
• Applications/vendors producing the PS interpreter
• The PS interpreter specifications and standards

Slide 21: Where is PostScript? (Role-wise view)

Slide 22: PostScript, Web 2.0 style

PostScript made it into the web as well. Around 20+ services were found to be vulnerable to various degrees. Google was one of them -> got a "hall of fame" reward.

Some fun facts:
• Effective for host exploitation and information gathering
• Some ran GS as the root user
• Some ran GS without -dSAFER
• All of them ran vulnerable GS versions
• Heap and stack overflows and what-not... More details to come...
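The three findings above (GS as root, GS without -dSAFER, outdated GS) plus the Demo1 runaway loop are exactly what a print server or web service wrapper has to rule out on every call. This is an added example, not code from the talk or from Ghostscript: it assumes a `gs` binary on the PATH, the version floor is a placeholder to be taken from the vendor's current bulletin, and the caller-facing checks are assumptions about a hypothetical service.

```python
import os
import re
import subprocess

# PLACEHOLDER floor: take the value from your vendor's current security bulletin.
MIN_GS_VERSION = (9, 0)
# Wall-clock cap per job: bounds a Demo1-style `loop` job to a finite cost.
JOB_TIMEOUT_SEC = 30
# Switches that undo or defer -dSAFER; never accepted from a caller.
FORBIDDEN_OPTS = {"-dNOSAFER", "-dDELAYSAFER"}


class UnsafeInvocation(Exception):
    """Raised when a call would repeat one of the failures the talk found."""


def parse_gs_version(text):
    """Turn `gs --version` output such as '9.05\\n' into a comparable tuple."""
    m = re.search(r"(\d+)\.(\d+)", text)
    if m is None:
        raise UnsafeInvocation("cannot parse Ghostscript version from %r" % text)
    return (int(m.group(1)), int(m.group(2)))


def version_ok(text, minimum=MIN_GS_VERSION):
    """True when the installed Ghostscript is at or above the patched floor."""
    return parse_gs_version(text) >= minimum


def build_argv(input_path, output_path, device="pdfwrite", extra=()):
    """Assemble the gs command line with the safety switches forced on.

    -dSAFER restricts file access from PostScript; -dBATCH and -dNOPAUSE stop the
    interpreter from waiting for interactive input; -c is refused because it would
    let the caller place PostScript code next to the untrusted job; a '%' in the
    output path is refused because Ghostscript treats %-prefixed names as devices,
    not files."""
    for opt in extra:
        if opt in FORBIDDEN_OPTS:
            raise UnsafeInvocation("caller tried to disable SAFER with %s" % opt)
        if opt.startswith("-c"):
            raise UnsafeInvocation("inline PostScript via -c is not allowed")
    if "%" in output_path:
        raise UnsafeInvocation("output path must be a plain file name")
    argv = ["gs", "-dSAFER", "-dBATCH", "-dNOPAUSE", "-dQUIET",
            "-sDEVICE=%s" % device, "-sOutputFile=%s" % output_path]
    argv.extend(extra)
    argv.append(input_path)
    return argv


def assert_unprivileged():
    """Refuse to run as root; some of the services in the talk did exactly that."""
    if hasattr(os, "geteuid") and os.geteuid() == 0:
        raise UnsafeInvocation("refusing to run Ghostscript as root")


def render(input_path, output_path, device="pdfwrite", extra=()):
    """Run one untrusted job under the enforced options and a time limit."""
    assert_unprivileged()
    ver = subprocess.run(["gs", "--version"], capture_output=True, text=True,
                         check=True).stdout
    if not version_ok(ver):
        raise UnsafeInvocation("Ghostscript %s is below the floor %s"
                               % (ver.strip(), MIN_GS_VERSION))
    argv = build_argv(input_path, output_path, device, extra)
    try:
        proc = subprocess.run(argv, capture_output=True, text=True,
                              timeout=JOB_TIMEOUT_SEC)
    except subprocess.TimeoutExpired:
        return {"ok": False, "reason": "killed after %ds (runaway job)" % JOB_TIMEOUT_SEC}
    return {"ok": proc.returncode == 0, "reason": proc.stderr[-500:]}
```

The wrapper is only one layer: it belongs on the sandboxed print server of the network-wise mitigation slides, behind the VLAN split, not on the MFP itself.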

Slide 23: Agenda (repeated; item 3 here reads "What else was found?")

Slide 24: A PS-based firmware upload was required

Slide 25: This is too good to be true...

APIs reachable after the PS-based firmware upload (API: name):
• VxWorks API: vx
• Debug/QA API: QA
• Logging API: EventLog
• Billing/Meters API: meter
• Pump PWM: pumppwm
• RAMdisk API: ramdisk
• RAM API: ram
• Flash API: flash

Slide 26: Memory dumping reveals computing secrets

SANS Security Predictions 2012/2013 - "The Emerging Security Threat: Memory Scraping Will Become More Common"

Slide 27: Admin restrictions fail to prevent memory dumping

Slide 28: Password setup is sniffed by the attacker

1) HTTP GET request: password in clear text
2) HTTP reply

Slide 29: Basic auth password can be dumped

1) Authorization: Basic YWRtaW4yO...
2) HTTP/1.1 200 OK

Slide 30: HTTPS / IPsec secrets are "defaulty" & "leaky"

0x66306630663066306630663066302222

Slide 31: Attacker has access to printed document details

Slide 32: Attacker has access to network topology: no scan needed

Slide 33: Attacker has access to BSD-style sockets...

Two-way BSD-style sockets communication

Slide 34: Analyzed MFP cannot protect effectively

Protection measures (each rated fail / warn / ok on the slide):
• Privilege level separation
• Secure password setup
• Secure (basic) auth
• HTTPS / IPSEC secrets protection
• Network topology protection
• In-memory document protection
• Restrict sockets on unprivileged modules

Slide 35: Plenty of Xerox printers share the affected PS firmware update mechanism

Slide 36: Agenda (repeated; section 4: Attacks in a nutshell)

Slide 37: Remote attacks can be used to extract data

• Stage 1: SocEng: sent by email; drive-by print
• Stage 2: Printing: print attachment; print from web; spool malicious byte stream
• Stage 3: Exploiting/spying: malware exploits the internal network or extracts data

Slide 38: Agenda (repeated; section 5: What's next, solutions, conclusions)

Slide 39: Network-wise mitigation solution

• VLAN1: PCs
• VLAN2: PRNs
• Print server: PS/PJL-sandboxed
• Legend: VLAN networks; unsafe print jobs; safe print jobs

Slide 40: Protocol-wise mitigation solution: PostScript/PJL sandbox

• Secure PostScript Execution/Interpreter Sandbox
• Set of online/offline tools for analysis & reporting
• Wepawet-like, but for PostScript-related data
• Subscribe for updates: postscript-sec@andreicostin.com

Slide 41: What's next? PS + MSF + FS + Sockets = PWN

Slide 42: Solutions (actor: suggested actions)

Admins:
• Disable PS processing on printers
• Route print jobs through sandboxed print servers
• Replace PS drivers with PCL ones (well...)
• Disable Language Operator Authorization
• Look for security bulletins and patch
• Sandbox printers in your network
• Include MFPs in the security audit lifecycle

Users:
• Do not print from untrusted sources
• Be suspicious of PostScript files

Vendors:
• Create realistic MFP threat models
• Do not enable/expose super-APIs

Slide 43: Acknowledgements

The Xerox-related PostScript work & research was done under the support of

Slide 44: Acknowledgements

Thanks to EURECOM for great advice and support for this topic.

Slide 45: Thanks / resources

Personal thanks:
• Igor Marinescu, MihaiSa: great logistic support and friendly help
• Xerox Security Team: positive responses, active mitigation
• www.tinaja.com: insanely large free PostScript resources dir
• www.anastigmatix.net: very good PostScript resources
• www.acumentraining.com: very good PostScript resources

Slide 46: Take-aways

• MFPs are badly secured computing platforms with large abuse potential
• Upcoming MFP attacks could include viruses in Office and PS documents that extract organization data
• Securing the MFP infrastructure requires better segmentation, strong credentials and continuous vulnerability patching
• Check upcoming research papers; check www.youtube.com/user/zveriu; join postscript-sec@andreicostin.com

Questions? Andrei Costin, andrei@andreicostin.com, http://andreicostin.com/papers

Page 2: PostScript: Danger Ahead?!

PHDAYS2012

whoami in-between SWHW hacker

1

Mifare Classic MFCUK

Hacking MFPs (for fun amp profit) Holistic

Security

Interest

httpandreicostincompapers

PHDAYS2012

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

2

PHDAYS2012

MFPs carry large abuse potential

3

PHDAYS2012

MFP hacking goes back to the 1960rsquos

4

ldquoSpies in the Xerox machinerdquo

The ldquomicrordquo-film camera marked X

Patent drawing 1967

Electronicshardware hacking

PHDAYS2012

Modern printer hacking goes back almost a decade

5

Broader amp deeper printer hacking (irongeek)

Initial printer hacks (FXpH)

2002 2006

Revived printer hacking interest

This talk focuses mainly on remote code execution inside MFPsprinters

2010-2012

PHDAYS2012

In 2010 demorsquod mapping public MFPs

6

httpwwwyoutubecomwatchv=t44GibiCoCM

PHDAYS2012

hellip and generic MFP payload delivery using Word

7

httpwwwyoutubecomwatchv=KrWFOo2RAnk (there are false claims on this discovery)

PHDAYS2012

hellip and generic MFP payload delivery using Java

8

httpwwwyoutubecomwatchv=JcfxvZml6-Y

PHDAYS2012

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

9

PHDAYS2012

PostScript who Itrsquos Adobersquos PDF big brother

10

PHDAYS2012

PS is build to handle complex processing tasks

11

Graphics amp patterns Complex math Web servers

Ray-tracing OpenGL Milling machine XML Parsers

PHDAYS2012

Then what exactly is PostScript

12

PostScript IS NOT just a static data stream like

PostScript IS a

Dynamically typed amp concatenative Stack-based Turing-complete Programming language What does it all mean Exactly

PHDAYS2012

What happens when printing PS

13

User writes the doc and hits Print PS printer driver transforms it to PS stream for specific device PS data stream on PRN

User Opens a PS file from emailhdd

PC-based PS interpreter processes it PS data stream executes on PC

In both cases PS data stream IS A PS program

Program = static data

PHDAYS2012

Demo1 ldquoProgramming languagerdquo aspect

14

Programming languages 101

Control statements ifelse loop while

Simplest DoS attack is an ldquoinfinite looprdquo

loop

PHDAYS2012

Demo2 ldquoDynamically typed concatenative aspect

15

You wonder why your smart IDSIPS rules stopped working

Here is why

ps_dynamic_statement_construction_and_executionps Obfuscation at its best built-into the language

Solution

Bad news Need dynamic execution sandbox Good news Itrsquos coming up ndash see sandbox slides below

PHDAYS2012

Demo3 Real world application ndash MSOffice PS crash

16

Submitted to MS

Apparently this is not exploitable as in smash stack attacks

But it opens an interesting perspective on MS Officehellip

PHDAYS2012

Demo4 Real world application ndash GhostScript autoprn

17

One got to love custom extensions

Sends a print-job stream directly by just opening the file

Requires more investigation but perspective is interestinghellip

PHDAYS2012

Dynamic document forginggeneration + SocEng

18

User computer User printout

PHDAYS2012

Dynamic document forginggeneration + SocEng

19

Computer side ndash SocEng bait PrinterMFP side ndash PS virus

PHDAYS2012

Where is PostScript (Vendor-wise view)

20

Applications incorporating the PS interpreter

Applicationsvendors producing the PS interpreter

The PS interpreter specifications and standards

PHDAYS2012

Where is PostScript (Role-wise view)

21

PHDAYS2012

PostScript Web 20 Style

22

PostScript made it into the web as well Around 20+ services found to be vulnerable to various degrees

Google was one them -gt Got a ldquohall of famerdquo reward Some fun facts

Effective for host exploitation and information gathering Some ran GS as root user Some ran GS without ndashdSAFER All of them ran vulnerable GS versions

Heap and stack overflows and what-nothellip More details to comehellip

PHDAYS2012

Agenda

1 Quick refresher

2 What about PostScript

3 What else was found

4 Attacks in a nutshell

5 Solutions and conclusions

23

PHDAYS2012

A PS-based firmware upload was required

24

PHDAYS2012

This is too good to be truehellip

25

VxWorks API vx

DebugQA API QA

Logging API EventLog

BillingMeters API meter

Pump PWM pumppwm

RAMdisk API ramdisk

RAM API ram

Flash API flash

PHDAYS2012

Memory dumping reveals computing secrets

26

SANS Security Predictions 20122013 - The Emerging Security Threat Memory Scraping Will Become More Common

PHDAYS2012

Admin restriction fail to prevent memory dumping

27

PHDAYS2012

Password setup is sniffed by the attacker

28

1) HTTP GET request ndash password clear text

2) HTTP reply

PHDAYS2012

Basic auth password can be dumped

29

1) Authorization Basic YWRtaW4yOhellip

2) HTTP11 200 OK

PHDAYS2012

HTTPS IPsec secrets are ldquodefaultyrdquo amp ldquoleakyrdquo

30

0x66306630663066306630663066302222

PHDAYS2012

Attacker has access to printed document details

31

PHDAYS2012

Attacker has access to network topology ndash no-scan

32

PHDAYS2012

Attacker has access to BSD-style socketshellip

33

Two-way BSD-style sockets communication

PHDAYS2012

Analyzed MFP cannot protect effectively

34

Privilege level separation

Secure password setup

Secure (basic) auth

HTTPS IPSEC secrets protection

Network topology protection

In-memory document protection

Restrict sockets on unprivileged modules

Protection measures Fail warn ok

PHDAYS2012

Plenty of Xerox printers share affected PS firmware update mechanism

35

PHDAYS2012

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

36

PHDAYS2012

Remote attacks can be used to extract data

37

Sent

by

email

Drive-

by

print

Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying

Print

attachment

Print

from

web

Malware exploits

internal netw or

extracts data

Spool

malicious

byte

stream

PHDAYS2012

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Whatrsquos next solutions conclusions

38

PHDAYS2012

Network-wise mitigation solution

39

VLAN1 PCs

VLAN2 PRNs

Print Server PSPJL-sandboxed

VLAN networks Unsafe print jobs Safe print jobs

PHDAYS2012

Protocol-wise mitigation solution PostScriptPJL sandbox

40

Secure PostScript ExecutionInterpreter Sandbox Set of onlineoffline tools for analysis amp reporting Wepawet-like but for PostScript related data Subscribe for updates postscript-secandreicostincom

PHDAYS2012

Whatrsquos next PS + MSF + FS + Sockets = PWN

41

PHDAYS2012

Solutions

42

Admins bull Disable PS processing on printers bull Route print-jobs thru sandboxed print-servers bull Replace PS drivers with PCL ones (wellhellip) bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sandbox printers in your network bull Include MFPs in security audit lifecycle

Users bull Do not print from untrusted sources bull Be suspicious on PostScript files

Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs

Actor Suggested actions

PHDAYS2012

Acknowledgements

43

The Xerox-related PostScript work amp research done under support of

PHDAYS2012

Acknowledgements

44

Thanks to EURECOM for great advise and support for this topic

PHDAYS2012

Thanksresources

45

Personal thanks

Igor Marinescu MihaiSa Great logistic support and friendly help

Xerox Security Team Positive responses active mitigation

wwwtinajacom Insanely large free postscript resources dir

wwwanastigmatixnet Very good postscript resources

wwwacumentrainingcom Very good postscript resources

PHDAYS2012

Take aways

46

Questions Andrei Costin andreiandreicostincom httpandreicostincompapers

Upcoming MFP attack could include viruses in Office and PS documents that extract organization data

Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching

MFPs are badly secured computing platforms with large abuse potential

Check upcoming research papers Check wwwyoutubecomuserzveriu Join postscript-secandreicostincom

Page 3: PostScript: Danger Ahead?!

PHDAYS2012

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

2

PHDAYS2012

MFPs carry large abuse potential

3

PHDAYS2012

MFP hacking goes back to the 1960rsquos

4

ldquoSpies in the Xerox machinerdquo

The ldquomicrordquo-film camera marked X

Patent drawing 1967

Electronicshardware hacking

PHDAYS2012

Modern printer hacking goes back almost a decade

5

Broader amp deeper printer hacking (irongeek)

Initial printer hacks (FXpH)

2002 2006

Revived printer hacking interest

This talk focuses mainly on remote code execution inside MFPsprinters

2010-2012

PHDAYS2012

In 2010 demorsquod mapping public MFPs

6

httpwwwyoutubecomwatchv=t44GibiCoCM

PHDAYS2012

hellip and generic MFP payload delivery using Word

7

httpwwwyoutubecomwatchv=KrWFOo2RAnk (there are false claims on this discovery)

PHDAYS2012

hellip and generic MFP payload delivery using Java

8

httpwwwyoutubecomwatchv=JcfxvZml6-Y

PHDAYS2012

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

9

PHDAYS2012

PostScript who Itrsquos Adobersquos PDF big brother

10

PHDAYS2012

PS is build to handle complex processing tasks

11

Graphics amp patterns Complex math Web servers

Ray-tracing OpenGL Milling machine XML Parsers

PHDAYS2012

Then what exactly is PostScript

12

PostScript IS NOT just a static data stream like

PostScript IS a

Dynamically typed amp concatenative Stack-based Turing-complete Programming language What does it all mean Exactly

PHDAYS2012

What happens when printing PS

13

User writes the doc and hits Print PS printer driver transforms it to PS stream for specific device PS data stream on PRN

User Opens a PS file from emailhdd

PC-based PS interpreter processes it PS data stream executes on PC

In both cases PS data stream IS A PS program

Program = static data

PHDAYS2012

Demo1 ldquoProgramming languagerdquo aspect

14

Programming languages 101

Control statements ifelse loop while

Simplest DoS attack is an ldquoinfinite looprdquo

loop

PHDAYS2012

Demo2 ldquoDynamically typed concatenative aspect

15

You wonder why your smart IDSIPS rules stopped working

Here is why

ps_dynamic_statement_construction_and_executionps Obfuscation at its best built-into the language

Solution

Bad news Need dynamic execution sandbox Good news Itrsquos coming up ndash see sandbox slides below

PHDAYS2012

Demo3 Real world application ndash MSOffice PS crash

16

Submitted to MS

Apparently this is not exploitable as in smash stack attacks

But it opens an interesting perspective on MS Officehellip

PHDAYS2012

Demo4 Real world application ndash GhostScript autoprn

17

One got to love custom extensions

Sends a print-job stream directly by just opening the file

Requires more investigation but perspective is interestinghellip

PHDAYS2012

Dynamic document forginggeneration + SocEng

18

User computer User printout

PHDAYS2012

Dynamic document forginggeneration + SocEng

19

Computer side ndash SocEng bait PrinterMFP side ndash PS virus

PHDAYS2012

Where is PostScript (Vendor-wise view)

20

Applications incorporating the PS interpreter

Applicationsvendors producing the PS interpreter

The PS interpreter specifications and standards

PHDAYS2012

Where is PostScript (Role-wise view)

21

PHDAYS2012

PostScript Web 20 Style

22

PostScript made it into the web as well Around 20+ services found to be vulnerable to various degrees

Google was one them -gt Got a ldquohall of famerdquo reward Some fun facts

Effective for host exploitation and information gathering Some ran GS as root user Some ran GS without ndashdSAFER All of them ran vulnerable GS versions

Heap and stack overflows and what-nothellip More details to comehellip

PHDAYS2012

Agenda

1 Quick refresher

2 What about PostScript

3 What else was found

4 Attacks in a nutshell

5 Solutions and conclusions

23

PHDAYS2012

A PS-based firmware upload was required

24

PHDAYS2012

This is too good to be truehellip

25

VxWorks API vx

DebugQA API QA

Logging API EventLog

BillingMeters API meter

Pump PWM pumppwm

RAMdisk API ramdisk

RAM API ram

Flash API flash

PHDAYS2012

Memory dumping reveals computing secrets

26

SANS Security Predictions 20122013 - The Emerging Security Threat Memory Scraping Will Become More Common

PHDAYS2012

Admin restriction fail to prevent memory dumping

27

PHDAYS2012

Password setup is sniffed by the attacker

28

1) HTTP GET request ndash password clear text

2) HTTP reply

PHDAYS2012

Basic auth password can be dumped

29

1) Authorization Basic YWRtaW4yOhellip

2) HTTP11 200 OK

PHDAYS2012

HTTPS IPsec secrets are ldquodefaultyrdquo amp ldquoleakyrdquo

30

0x66306630663066306630663066302222

PHDAYS2012

Attacker has access to printed document details

31

PHDAYS2012

Attacker has access to network topology ndash no-scan

32

PHDAYS2012

Attacker has access to BSD-style socketshellip

33

Two-way BSD-style sockets communication

PHDAYS2012

Analyzed MFP cannot protect effectively

34

Privilege level separation

Secure password setup

Secure (basic) auth

HTTPS IPSEC secrets protection

Network topology protection

In-memory document protection

Restrict sockets on unprivileged modules

Protection measures Fail warn ok

PHDAYS2012

Plenty of Xerox printers share affected PS firmware update mechanism

35

PHDAYS2012

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

36

PHDAYS2012

Remote attacks can be used to extract data

37

Sent

by

email

Drive-

by

print

Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying

Print

attachment

Print

from

web

Malware exploits

internal netw or

extracts data

Spool

malicious

byte

stream

PHDAYS2012

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Whatrsquos next solutions conclusions

38

PHDAYS2012

Network-wise mitigation solution

39

VLAN1 PCs

VLAN2 PRNs

Print Server PSPJL-sandboxed

VLAN networks Unsafe print jobs Safe print jobs

PHDAYS2012

Protocol-wise mitigation solution PostScriptPJL sandbox

40

Secure PostScript ExecutionInterpreter Sandbox Set of onlineoffline tools for analysis amp reporting Wepawet-like but for PostScript related data Subscribe for updates postscript-secandreicostincom

PHDAYS2012

Whatrsquos next PS + MSF + FS + Sockets = PWN

41

PHDAYS2012

Solutions

42

Admins bull Disable PS processing on printers bull Route print-jobs thru sandboxed print-servers bull Replace PS drivers with PCL ones (wellhellip) bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sandbox printers in your network bull Include MFPs in security audit lifecycle

Users bull Do not print from untrusted sources bull Be suspicious on PostScript files

Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs

Actor Suggested actions

PHDAYS2012

Acknowledgements

43

The Xerox-related PostScript work amp research done under support of

PHDAYS2012

Acknowledgements

44

Thanks to EURECOM for great advise and support for this topic

PHDAYS2012

Thanksresources

45

Personal thanks

Igor Marinescu MihaiSa Great logistic support and friendly help

Xerox Security Team Positive responses active mitigation

wwwtinajacom Insanely large free postscript resources dir

wwwanastigmatixnet Very good postscript resources

wwwacumentrainingcom Very good postscript resources

PHDAYS2012

Take aways

46

Questions Andrei Costin andreiandreicostincom httpandreicostincompapers

Upcoming MFP attack could include viruses in Office and PS documents that extract organization data

Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching

MFPs are badly secured computing platforms with large abuse potential

Check upcoming research papers Check wwwyoutubecomuserzveriu Join postscript-secandreicostincom

Page 4: PostScript: Danger Ahead?!

PHDAYS2012

MFPs carry large abuse potential

3

PHDAYS2012

MFP hacking goes back to the 1960rsquos

4

ldquoSpies in the Xerox machinerdquo

The ldquomicrordquo-film camera marked X

Patent drawing 1967

Electronicshardware hacking

PHDAYS2012

Modern printer hacking goes back almost a decade

5

Broader amp deeper printer hacking (irongeek)

Initial printer hacks (FXpH)

2002 2006

Revived printer hacking interest

This talk focuses mainly on remote code execution inside MFPsprinters

2010-2012

PHDAYS2012

In 2010 demorsquod mapping public MFPs

6

httpwwwyoutubecomwatchv=t44GibiCoCM

PHDAYS2012

hellip and generic MFP payload delivery using Word

7

httpwwwyoutubecomwatchv=KrWFOo2RAnk (there are false claims on this discovery)

PHDAYS2012

hellip and generic MFP payload delivery using Java

8

httpwwwyoutubecomwatchv=JcfxvZml6-Y

PHDAYS2012

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

9

PHDAYS2012

PostScript who Itrsquos Adobersquos PDF big brother

10

PHDAYS2012

PS is build to handle complex processing tasks

11

Graphics amp patterns Complex math Web servers

Ray-tracing OpenGL Milling machine XML Parsers

PHDAYS2012

Then what exactly is PostScript

12

PostScript IS NOT just a static data stream like

PostScript IS a

Dynamically typed amp concatenative Stack-based Turing-complete Programming language What does it all mean Exactly

PHDAYS2012

What happens when printing PS

13

User writes the doc and hits Print PS printer driver transforms it to PS stream for specific device PS data stream on PRN

User Opens a PS file from emailhdd

PC-based PS interpreter processes it PS data stream executes on PC

In both cases PS data stream IS A PS program

Program = static data

PHDAYS2012

Demo1 ldquoProgramming languagerdquo aspect

14

Programming languages 101

Control statements ifelse loop while

Simplest DoS attack is an ldquoinfinite looprdquo

loop

PHDAYS2012

Demo2 ldquoDynamically typed concatenative aspect

15

You wonder why your smart IDSIPS rules stopped working

Here is why

ps_dynamic_statement_construction_and_executionps Obfuscation at its best built-into the language

Solution

Bad news Need dynamic execution sandbox Good news Itrsquos coming up ndash see sandbox slides below

PHDAYS2012

Demo3 Real world application ndash MSOffice PS crash

16

Submitted to MS

Apparently this is not exploitable as in smash stack attacks

But it opens an interesting perspective on MS Officehellip

PHDAYS2012

Demo4 Real world application ndash GhostScript autoprn

17

One got to love custom extensions

Sends a print-job stream directly by just opening the file

Requires more investigation but perspective is interestinghellip

PHDAYS2012

Dynamic document forginggeneration + SocEng

18

User computer User printout

PHDAYS2012

Dynamic document forginggeneration + SocEng

19

Computer side ndash SocEng bait PrinterMFP side ndash PS virus

PHDAYS2012

Where is PostScript (Vendor-wise view)

20

Applications incorporating the PS interpreter

Applicationsvendors producing the PS interpreter

The PS interpreter specifications and standards

PHDAYS2012

Where is PostScript (Role-wise view)

21

PHDAYS2012

PostScript Web 20 Style

22

PostScript made it into the web as well Around 20+ services found to be vulnerable to various degrees

Google was one them -gt Got a ldquohall of famerdquo reward Some fun facts

Effective for host exploitation and information gathering Some ran GS as root user Some ran GS without ndashdSAFER All of them ran vulnerable GS versions

Heap and stack overflows and what-nothellip More details to comehellip

PHDAYS2012

Agenda

1 Quick refresher

2 What about PostScript

3 What else was found

4 Attacks in a nutshell

5 Solutions and conclusions

23

PHDAYS2012

A PS-based firmware upload was required

24

PHDAYS2012

This is too good to be truehellip

25

VxWorks API vx

DebugQA API QA

Logging API EventLog

BillingMeters API meter

Pump PWM pumppwm

RAMdisk API ramdisk

RAM API ram

Flash API flash

PHDAYS2012

Memory dumping reveals computing secrets

26

SANS Security Predictions 20122013 - The Emerging Security Threat Memory Scraping Will Become More Common

PHDAYS2012

Admin restriction fail to prevent memory dumping

27

PHDAYS2012

Password setup is sniffed by the attacker

28

1) HTTP GET request ndash password clear text

2) HTTP reply

PHDAYS2012

Basic auth password can be dumped

29

1) Authorization Basic YWRtaW4yOhellip

2) HTTP11 200 OK

PHDAYS2012

HTTPS IPsec secrets are ldquodefaultyrdquo amp ldquoleakyrdquo

30

0x66306630663066306630663066302222

PHDAYS2012

Attacker has access to printed document details

31

PHDAYS2012

Attacker has access to network topology ndash no-scan

32

PHDAYS2012

Attacker has access to BSD-style socketshellip

33

Two-way BSD-style sockets communication

PHDAYS2012

Analyzed MFP cannot protect effectively

34

Privilege level separation

Secure password setup

Secure (basic) auth

HTTPS IPSEC secrets protection

Network topology protection

In-memory document protection

Restrict sockets on unprivileged modules

Protection measures Fail warn ok

PHDAYS2012

Plenty of Xerox printers share affected PS firmware update mechanism

35

PHDAYS2012

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

36

PHDAYS2012

Remote attacks can be used to extract data

37

Sent

by

email

Drive-

by

print

Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying

Print

attachment

Print

from

web

Malware exploits

internal netw or

extracts data

Spool

malicious

byte

stream

PHDAYS2012

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Whatrsquos next solutions conclusions

38

PHDAYS2012

Network-wise mitigation solution

39

VLAN1 PCs

VLAN2 PRNs

Print Server PSPJL-sandboxed

VLAN networks Unsafe print jobs Safe print jobs

PHDAYS2012

Protocol-wise mitigation solution PostScriptPJL sandbox

40

Secure PostScript ExecutionInterpreter Sandbox Set of onlineoffline tools for analysis amp reporting Wepawet-like but for PostScript related data Subscribe for updates postscript-secandreicostincom

PHDAYS2012

Whatrsquos next PS + MSF + FS + Sockets = PWN

41

Solutions (slide 42)

Actor / suggested actions:

Admins
• Disable PS processing on printers
• Route print jobs through sandboxed print servers
• Replace PS drivers with PCL ones (well...)
• Disable Language Operator Authorization
• Look for security bulletins and patch
• Sandbox printers in your network
• Include MFPs in the security audit lifecycle

Users
• Do not print from untrusted sources
• Be suspicious of PostScript files

Vendors
• Create realistic MFP threat models
• Do not enable/expose super-APIs
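A static pre-filter of the kind the PS/PJL-sandboxed print server between the PC and printer VLANs (slides 39-40) could run before forwarding a job, which is also what "route print jobs through sandboxed print servers" above amounts to in practice; this is an added example written for this page, not the talk's sandbox or any vendor's code. It splits the PJL envelope from the PostScript body, blanks strings and comments so only executable tokens are inspected, and sends jobs that build code at run time (the obfuscation the talk demonstrates) to the dynamic sandbox instead of passing them on a static match. The operator and PJL command names are standard PostScript (PLRM) and HP PJL names, which of them count as restricted is my choice rather than the talk's, and the three sample jobs are constructed.

```python
"""Static triage of a spooled PS/PJL print job for a sandboxed print server (added example)."""
import re
from dataclasses import dataclass, field

UEL = "\x1b%-12345X"  # PJL Universal Exit Language sequence that frames the PJL envelope
# Standard PostScript operators that leave the page-description domain (names as in the PLRM).
FILE_OPS = {"file", "deletefile", "renamefile", "run", "filenameforall"}
SYSTEM_OPS = {"setsystemparams", "setdevparams", "setuserparams",
              "exitserver", "startjob", "serverdict", "statusdict"}
# Operators that turn data into code at run time; a static rule cannot see what they will build.
DYNAMIC_OPS = {"exec", "cvx", "cvn", "token"}
# Name tokens, executable or literal (leading "/"): runs of non-delimiter characters.
TOKEN = re.compile(r"/?[^\s()<>\[\]{}/%]+")


@dataclass
class Verdict:
    level: str          # SAFE = forward, SANDBOX = run in the dynamic sandbox first, UNSAFE = drop and alert
    reasons: list = field(default_factory=list)
    pjl_commands: list = field(default_factory=list)


def split_job(raw: bytes):
    """Separate @PJL command lines from the PostScript body (job assumed to be 8-bit text)."""
    pjl, ps = [], []
    for line in raw.decode("latin-1").replace(UEL, "\n").splitlines():
        (pjl if line.startswith("@PJL") else ps).append(line.strip())
    return pjl, "\n".join(ps)


def strip_literals(ps: str) -> str:
    """Blank out strings and comments so operator names that are only data are not counted."""
    out, i, n = [], 0, len(ps)
    while i < n:
        c = ps[i]
        if c == "%":                                   # comment runs to end of line
            while i < n and ps[i] not in "\r\n":
                i += 1
        elif c == "(":                                 # string: balanced parens, backslash escapes
            depth = 0
            while i < n:
                if ps[i] == "\\":
                    i += 2
                    continue
                depth += (ps[i] == "(") - (ps[i] == ")")
                i += 1
                if depth == 0:
                    break
            out.append(" ")
        elif ps.startswith("<<", i):                   # dictionary delimiter, not a string
            out.append("<<")
            i += 2
        elif c == "<":                                 # hex string <...> or ASCII85 string <~...~>
            end = "~>" if ps.startswith("<~", i) else ">"
            j = ps.find(end, i + 1)
            i = n if j < 0 else j + len(end)
            out.append(" ")
        else:
            out.append(c)
            i += 1
    return "".join(out)


def triage(raw: bytes) -> Verdict:
    """Classify one spooled job; every finding is kept so the print server can log it."""
    pjl, ps = split_job(raw)
    verdict = Verdict("SAFE", pjl_commands=pjl)
    unsafe = sandbox = False
    for cmd in pjl:
        parts = cmd.split()
        word = parts[1].upper() if len(parts) > 1 else ""
        if word.startswith("FS"):                      # HP PJL file-system commands (FSDOWNLOAD, FSUPLOAD, ...)
            verdict.reasons.append(f"PJL file-system command {word}")
            unsafe = True
    for tok in TOKEN.findall(strip_literals(ps)):
        literal, name = tok.startswith("/"), tok.lstrip("/")
        if name in FILE_OPS or name in SYSTEM_OPS:
            if literal:                                # e.g. "/deletefile load": resolved only at run time
                verdict.reasons.append(f"literal name of restricted operator {name}")
                sandbox = True
            else:
                verdict.reasons.append(f"restricted operator {name}")
                unsafe = True
        elif name in DYNAMIC_OPS and not literal:
            verdict.reasons.append(f"dynamic code construction via {name}")
            sandbox = True
    verdict.level = "UNSAFE" if unsafe else "SANDBOX" if sandbox else "SAFE"
    return verdict


# Constructed sample jobs (not captured from any device).
BENIGN_JOB = (b'\x1b%-12345X@PJL JOB NAME="report"\n@PJL ENTER LANGUAGE=POSTSCRIPT\n'
              b"%!PS-Adobe-3.0\n/Helvetica findfont 12 scalefont setfont\n"
              b"72 720 moveto (run deletefile inside a string is only data) show\nshowpage\n"
              b"\x1b%-12345X@PJL EOJ\n\x1b%-12345X")
OBFUSCATED_JOB = b"%!PS\n(tmp.dat) (deletefile) cvn cvx exec\n"     # operator name assembled from a string
UNSAFE_JOB = (b'\x1b%-12345X@PJL FSDOWNLOAD FORMAT:BINARY SIZE=4 NAME="0:/x.ps"\n'
              b"%!PS\nserverdict begin 0 exitserver\n")              # persistent-change preamble

if __name__ == "__main__":
    for label, job in (("benign", BENIGN_JOB), ("obfuscated", OBFUSCATED_JOB), ("unsafe", UNSAFE_JOB)):
        v = triage(job)
        print(f"{label:10s} -> {v.level}: {'; '.join(v.reasons) or 'no findings'}")
```

A job rated SANDBOX is the case the talk's "dynamically typed, concatenative" demo targets: the string-matching IDS sees no restricted operator, so only running the job in the sandbox reveals what it assembles.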

Acknowledgements (slide 43)

The Xerox-related PostScript work & research done under support of

Acknowledgements (slide 44)

Thanks to EURECOM for great advice and support on this topic.

Thanks / resources (slide 45)

Personal thanks:
• Igor Marinescu, MihaiSa: great logistic support and friendly help
• Xerox Security Team: positive responses, active mitigation

PostScript resources:
• www.tinaja.com: insanely large free PostScript resources directory
• www.anastigmatix.net: very good PostScript resources
• www.acumentraining.com: very good PostScript resources

Take-aways (slide 46)

• MFPs are badly secured computing platforms with large abuse potential
• Upcoming MFP attacks could include viruses in Office and PS documents that extract organization data
• Securing the MFP infrastructure requires better segmentation, strong credentials and continuous vulnerability patching

Check upcoming research papers; check www.youtube.com/user/zveriu; join postscript-sec@andreicostin.com

Questions? Andrei Costin, andrei@andreicostin.com, http://andreicostin.com/papers

Page 9: PostScript: Danger Ahead?!

PHDAYS2012

… and generic MFP payload delivery using Java

http://www.youtube.com/watch?v=JcfxvZml6-Y

Agenda

1. Quick refresher
2. What about PostScript?
3. So what and how did you find?
4. Attacks in a nutshell
5. Solutions and conclusions

PostScript, who? It's Adobe's PDF big brother

PS is built to handle complex processing tasks

Graphics & patterns, complex math, web servers, ray-tracing, OpenGL, milling machines, XML parsers

Then what exactly is PostScript?

PostScript IS NOT just a static data stream like

PostScript IS a dynamically typed & concatenative, stack-based, Turing-complete programming language. What does it all mean? Exactly.

What happens when printing PS?

Case 1: the user writes the document and hits Print; the PS printer driver transforms it into a PS stream for the specific device; the PS data stream executes on the printer (PRN).

Case 2: the user opens a PS file from e-mail or the HDD; a PC-based PS interpreter processes it; the PS data stream executes on the PC.

In both cases the PS data stream IS A PS program. Program = static data?

Demo 1: the "programming language" aspect

Programming languages 101: control statements (if/ifelse, loop, while). The simplest DoS attack is an "infinite loop":

loop

Demo 2: the "dynamically typed, concatenative" aspect

You wonder why your smart IDS/IPS rules stopped working? Here is why: ps_dynamic_statement_construction_and_execution.ps – obfuscation at its best, built into the language.

Solution? Bad news: you need a dynamic execution sandbox. Good news: it's coming up – see the sandbox slides below.
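As an added example (not the talk's tool), here is a toy PostScript-subset interpreter that shows both points from Demo 1 and Demo 2: an operator step budget stops the empty-procedure `loop` DoS, and because the sandbox enforces its deny-list at the moment an operator is called, a privileged name assembled at run time from octal string escapes and handed to `cvx exec` is still caught, while a static signature on the job text (the IDS/IPS rule that "stopped working") sees nothing. The privileged-operator set, the supported operator subset and the sample jobs are this example's own choices.

```python
"""Toy PostScript-subset sandbox (added example; not the talk's own tool).  Policy is
enforced when an operator is *called*, so a privileged name a job builds at run time and
`exec`s is caught although a static signature misses it; a step budget defuses `{ } loop`."""
import re

# Operators this toy refuses to run: this example's choice, in the spirit of
# Ghostscript's -dSAFER, which restricts file access.
PRIVILEGED = {"file", "deletefile", "renamefile", "run"}
STATIC_SIGNATURE = re.compile(r"\b(?:file|deletefile|renamefile|run)\b")  # naive IDS rule
# Scanner: % comments, (strings) with escapes, braces, /literal or plain names.
TOKEN = re.compile(r"%[^\n]*|\((?:\\.|[^\\)])*\)|[{}]|/?[^\s{}()/]+")

class Name(str): pass   # executable name: looked up and run
class Lit(str): pass    # literal name (/foo): pushed as data
class XStr(str): pass   # executable string (a string after `cvx`); plain str = literal string
class BudgetExhausted(Exception): pass
class Denied(Exception): pass
class LoopExit(Exception): pass

def _unescape(body):    # \ddd octal character codes, \X for a literal X
    return re.sub(r"\\([0-7]{1,3}|.)", lambda m: chr(int(m[1], 8)) if m[1][0] in "01234567" else m[1], body)

def tokenize(src):
    """Scan source text into nested Python objects; `{ ... }` becomes a list."""
    out, stack = [], []
    for tok in TOKEN.findall(src):
        if tok.startswith("%"): continue
        if tok == "{": stack.append(out); out = []
        elif tok == "}": proc, out = out, stack.pop(); out.append(proc)
        elif tok.startswith("("): out.append(_unescape(tok[1:-1]))
        elif tok.startswith("/"): out.append(Lit(tok[1:]))
        elif re.fullmatch(r"-?\d+", tok): out.append(int(tok))
        else: out.append(Name(tok))
    if stack: raise SyntaxError("unbalanced '{'")
    return out

class Sandbox:
    def __init__(self, max_steps=10_000):
        self.stack, self.dict, self.steps, self.max_steps = [], {}, 0, max_steps
    def tick(self, what):   # every operator call and every loop turn costs one step
        self.steps += 1
        if self.steps > self.max_steps: raise BudgetExhausted(what)
    def execute(self, tokens):
        for t in tokens: self.call(t) if isinstance(t, Name) else self.stack.append(t)
    def call(self, name):
        self.tick(name)
        if name in PRIVILEGED:   # checked at call time: names built at run time are caught
            raise Denied(name)
        if name in self.dict:    # user definition from `def`
            value = self.dict[name]
            self.execute(value) if isinstance(value, list) else self.stack.append(value)
        elif name in OPS: OPS[name](self)
        else: raise NameError(f"undefined operator: {name}")

# Operator implementations: each pops its operands from sb.stack.
def _exec(sb):
    obj = sb.stack.pop()
    if isinstance(obj, XStr): sb.execute(tokenize(str(obj)))  # executable string: rescanned
    elif isinstance(obj, list): sb.execute(obj)
    elif isinstance(obj, Name): sb.call(obj)
    else: sb.stack.append(obj)                                 # literals exec to themselves
def _cvx(sb):   # literal name -> executable name, string -> executable string
    obj = sb.stack.pop()
    sb.stack.append(Name(obj) if isinstance(obj, Lit) else XStr(obj) if type(obj) is str else obj)
def _loop(sb):
    proc = sb.stack.pop()
    try:
        while True: sb.tick("loop"); sb.execute(proc)
    except LoopExit: pass
def _binary(fn):
    def op(sb): b, a = sb.stack.pop(), sb.stack.pop(); sb.stack.append(fn(a, b))
    return op
def _if(sb):
    proc, cond = sb.stack.pop(), sb.stack.pop()
    if cond: sb.execute(proc)
def _def(sb):
    value, key = sb.stack.pop(), sb.stack.pop(); sb.dict[str(key)] = value
def _exit(sb): raise LoopExit()

OPS = {"exec": _exec, "cvx": _cvx, "loop": _loop, "exit": _exit, "def": _def, "if": _if,
       "pop": lambda sb: sb.stack.pop(), "cvn": lambda sb: sb.stack.append(Lit(sb.stack.pop())),
       "add": _binary(lambda a, b: a + b), "eq": _binary(lambda a, b: a == b)}

def static_scan(src):
    """The naive rule: does the job text mention a privileged operator?"""
    return STATIC_SIGNATURE.search(src) is not None

def sandbox_verdict(src, max_steps=10_000):
    """Run the job in the sandbox and return (verdict, operand stack)."""
    sb = Sandbox(max_steps)
    try:
        sb.execute(tokenize(src))
        return "clean", sb.stack
    except Denied as err: return f"denied:{err}", sb.stack
    except (BudgetExhausted, RecursionError): return "budget-exhausted", sb.stack

# Constructed sample jobs (not from the talk).
BENIGN = "/n 0 def { /n n 1 add def n 3 eq { exit } if } loop n"
INFINITE_LOOP = "{ } loop"                       # the deck's simplest DoS
OBFUSCATED = "(\\146\\151\\154\\145) cvx exec"   # "file" spelled in octal, built at run time

if __name__ == "__main__":
    for job in (BENIGN, INFINITE_LOOP, OBFUSCATED):
        print(f"{job!r}: static={static_scan(job)} sandbox={sandbox_verdict(job, 1000)}")
```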

Demo 3: real-world application – MS Office PS crash

Submitted to MS. Apparently this is not exploitable as in stack-smashing attacks, but it opens an interesting perspective on MS Office…

Demo 4: real-world application – Ghostscript autoprn

One's got to love custom extensions: it sends a print-job stream directly by just opening the file. Requires more investigation, but the perspective is interesting…

Dynamic document forging/generation + SocEng

[Figure: user computer vs. user printout]

Computer side – SocEng bait; printer/MFP side – PS virus

Where is PostScript? (Vendor-wise view)

Applications incorporating the PS interpreter; applications/vendors producing the PS interpreter; the PS interpreter specifications and standards

Where is PostScript? (Role-wise view)

PostScript, Web 2.0 style

PostScript made it into the web as well: around 20+ services were found to be vulnerable to various degrees. Google was one of them -> got a "hall of fame" reward.

Some fun facts: effective for host exploitation and information gathering; some ran GS as the root user; some ran GS without -dSAFER; all of them ran vulnerable GS versions. Heap and stack overflows and what-not… More details to come…
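The three findings above (GS run as root, GS run without -dSAFER, unpatched GS) map directly onto how a service that renders uploaded PostScript should invoke the interpreter, and the same invocation belongs in the sandboxed print-server path of the mitigation slides. The following wrapper is an added example, not code from the talk: it refuses to run as root, always passes -dSAFER, rejects oversized or non-PostScript input before the interpreter sees it, and caps the job's CPU, memory and wall time (the size cap and resource limits are this example's choices).

```python
"""Hardened Ghostscript invocation for untrusted PostScript (added example; not code
from the talk).  The slide's findings become checks: never run the interpreter as root,
always pass -dSAFER, and bound the job's size, CPU, memory and wall-clock time."""
import os
import resource
import shutil
import subprocess

MAX_JOB_BYTES = 5 * 1024 * 1024   # cap chosen for this example
PS_MAGIC = b"%!PS"                # a conforming PostScript job starts with this header

def check_job_bytes(head, size, max_bytes=MAX_JOB_BYTES):
    """Cheap rejects before any interpreter sees the job; `head` is the first bytes of
    the file.  Returns a reason string, or None if the job may proceed."""
    if size == 0 or size > max_bytes:
        return f"size {size} outside (0, {max_bytes}]"
    if not head.startswith(PS_MAGIC):
        # e.g. a PJL-wrapped job or a renamed binary: an interpreter would still try
        # to execute it, so refuse it here instead.
        return f"bad magic {head[:4]!r}"
    return None

def preflight(path, max_bytes=MAX_JOB_BYTES):
    with open(path, "rb") as fh:
        head = fh.read(4)
    return check_job_bytes(head, os.path.getsize(path), max_bytes)

def ghostscript_argv(src, dst, device="png16m", dpi=72):
    """Command line with the safety flags every untrusted invocation needs."""
    return ["gs",
            "-dSAFER",    # restrict file operators (the flag some of the sites ran without)
            "-dBATCH",    # exit when the input is consumed
            "-dNOPAUSE",  # never wait for a keypress between pages
            "-dQUIET",
            f"-sDEVICE={device}", f"-r{dpi}", f"-sOutputFile={dst}", src]

def _limit_child():
    # Runs in the child before exec: cap CPU seconds, address space and core dumps so
    # a runaway job (an endless loop, a memory bomb) is contained; values are examples.
    resource.setrlimit(resource.RLIMIT_CPU, (20, 20))
    resource.setrlimit(resource.RLIMIT_AS, (512 * 1024 * 1024,) * 2)
    resource.setrlimit(resource.RLIMIT_CORE, (0, 0))

def render_untrusted(src, dst, wall_seconds=30):
    """Render `src` to `dst`; returns a verdict string and never raises on bad input."""
    if os.geteuid() == 0:
        return "refused: do not run the interpreter as root"
    reason = preflight(src)
    if reason:
        return f"rejected: {reason}"
    if shutil.which("gs") is None:
        return "error: gs is not installed"
    try:
        proc = subprocess.run(ghostscript_argv(src, dst), preexec_fn=_limit_child,
                              stdin=subprocess.DEVNULL, capture_output=True,
                              timeout=wall_seconds)
    except subprocess.TimeoutExpired:
        return "killed: wall-clock timeout"
    return "ok" if proc.returncode == 0 else f"failed: gs exit {proc.returncode}"
```

Ghostscript has made -dSAFER the default since 9.50, but passing it explicitly costs nothing and still protects older builds like the ones the slide found.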

Agenda

1. Quick refresher
2. What about PostScript?
3. What else was found?
4. Attacks in a nutshell
5. Solutions and conclusions

A PS-based firmware upload was required

This is too good to be true…

VxWorks API – vx
Debug/QA API – QA
Logging API – EventLog
Billing/Meters API – meter
Pump PWM – pumppwm
RAMdisk API – ramdisk
RAM API – ram
Flash API – flash

Memory dumping reveals computing secrets

SANS Security Predictions 2012/2013 – "The Emerging Security Threat: Memory Scraping Will Become More Common"

Admin restrictions fail to prevent memory dumping

Password setup is sniffed by the attacker

1) HTTP GET request – password in clear text
2) HTTP reply

Basic auth password can be dumped

1) Authorization: Basic YWRtaW4yO…
2) HTTP/1.1 200 OK

HTTPS/IPsec secrets are "defaulty" & "leaky"

0x66306630663066306630663066302222

Attacker has access to printed document details

Attacker has access to network topology – no scan

Attacker has access to BSD-style sockets…

Two-way BSD-style socket communication

Analyzed MFP cannot protect effectively

Protection measures (rated fail / warn / ok):
Privilege level separation
Secure password setup
Secure (basic) auth
HTTPS/IPsec secrets protection
Network topology protection
In-memory document protection
Restrict sockets on unprivileged modules

Plenty of Xerox printers share the affected PS firmware update mechanism

Agenda

1. Quick refresher
2. What about PostScript?
3. So what and how did you find?
4. Attacks in a nutshell
5. Solutions and conclusions

Remote attacks can be used to extract data

Stage 1 – SocEng: sent by e-mail, or drive-by print
Stage 2 – Printing: print attachment, or print from web; spool malicious byte stream
Stage 3 – Exploiting/spying: malware exploits the internal network or extracts data

Agenda

1. Quick refresher
2. What about PostScript?
3. So what and how did you find?
4. Attacks in a nutshell
5. What's next, solutions, conclusions

Network-wise mitigation solution

VLAN1: PCs
VLAN2: PRNs
Print server: PS/PJL-sandboxed
Legend: VLAN networks; unsafe print jobs; safe print jobs

Protocol-wise mitigation solution: PostScript/PJL sandbox

Secure PostScript Execution/Interpreter Sandbox: a set of online/offline tools for analysis & reporting, Wepawet-like but for PostScript-related data. Subscribe for updates: postscript-sec@andreicostin.com

What's next? PS + MSF + FS + Sockets = PWN

Solutions (suggested actions per actor)

Admins:
• Disable PS processing on printers
• Route print jobs through sandboxed print servers
• Replace PS drivers with PCL ones (well…)
• Disable Language Operator Authorization
• Look for security bulletins and patch
• Sandbox printers in your network
• Include MFPs in the security audit lifecycle

Users:
• Do not print from untrusted sources
• Be suspicious of PostScript files

Vendors:
• Create realistic MFP threat models
• Do not enable/expose super-APIs

Acknowledgements

The Xerox-related PostScript work & research was done under the support of

Acknowledgements

Thanks to EURECOM for great advice and support for this topic

Thanks/resources

Personal thanks:
Igor Marinescu, MihaiSa – great logistic support and friendly help
Xerox Security Team – positive responses, active mitigation
www.tinaja.com – insanely large free PostScript resources dir
www.anastigmatix.net – very good PostScript resources
www.acumentraining.com – very good PostScript resources

Take-aways

Questions? Andrei Costin, andrei@andreicostin.com, http://andreicostin.com/papers

• Upcoming MFP attacks could include viruses in Office and PS documents that extract organization data
• Securing the MFP infrastructure requires better segmentation, strong credentials and continuous vulnerability patching
• MFPs are badly secured computing platforms with large abuse potential
• Check upcoming research papers; check www.youtube.com/user/zveriu; join postscript-sec@andreicostin.com


Xerox Security Team Positive responses active mitigation

wwwtinajacom Insanely large free postscript resources dir

wwwanastigmatixnet Very good postscript resources

wwwacumentrainingcom Very good postscript resources

PHDAYS2012

Take aways

46

Questions Andrei Costin andreiandreicostincom httpandreicostincompapers

Upcoming MFP attack could include viruses in Office and PS documents that extract organization data

Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching

MFPs are badly secured computing platforms with large abuse potential

Check upcoming research papers Check wwwyoutubecomuserzveriu Join postscript-secandreicostincom

Page 14: PostScript: Danger Ahead?!

Slide 13: What happens when printing PS?

- The user writes the document and hits Print. The PS printer driver transforms it into a PS stream for the specific device, and that PS data stream runs on the PRN.
- The user opens a PS file from e-mail or HDD. A PC-based PS interpreter processes it, and the PS data stream executes on the PC.

In both cases the PS data stream IS A PS program. Program ≠ static data.

Slide 14: Demo 1 – the "programming language" aspect

Programming languages 101: control statements (if/else, loop, while).

The simplest DoS attack is an "infinite loop":

{ } loop

Slide 15: Demo 2 – the "dynamically typed, concatenative" aspect

You wonder why your smart IDS/IPS rules stopped working? Here is why: ps_dynamic_statement_construction_and_execution.ps. Obfuscation at its best, built into the language.

Solution? Bad news: a dynamic execution sandbox is needed. Good news: it's coming up – see the sandbox slides below.

Slide 16: Demo 3 – real-world application: MS Office PS crash

Submitted to MS. Apparently this is not exploitable as in stack-smashing attacks, but it opens an interesting perspective on MS Office…

Slide 17: Demo 4 – real-world application: Ghostscript "autoprn"

One has got to love custom extensions: it sends a print-job stream directly, just by opening the file. Requires more investigation, but the perspective is interesting…

Slide 18: Dynamic document forging/generation + SocEng

(Figure: user computer vs. user printout.)

Slide 19: Dynamic document forging/generation + SocEng

Computer side – SocEng bait. Printer/MFP side – PS virus.

Slide 20: Where is PostScript? (Vendor-wise view)

- Applications incorporating the PS interpreter
- Applications/vendors producing the PS interpreter
- The PS interpreter specifications and standards

Slide 21: Where is PostScript? (Role-wise view)

Slide 22: PostScript, Web 2.0 style

PostScript made it into the web as well: around 20+ services were found to be vulnerable to various degrees. Google was one of them -> got a "hall of fame" reward.

Some fun facts:
- Effective for host exploitation and information gathering
- Some ran GS (Ghostscript) as the root user
- Some ran GS without -dSAFER
- All of them ran vulnerable GS versions
- Heap and stack overflows and what-not… More details to come…

Slide 23: Agenda

1. Quick refresher
2. What about PostScript?
3. What else was found?
4. Attacks in a nutshell
5. Solutions and conclusions

Slide 24: A PS-based firmware upload was required

Slide 25: This is too good to be true…

APIs and their identifiers as listed on the slide:
- VxWorks API: vx
- Debug/QA API: QA
- Logging API: EventLog
- Billing/Meters API: meter
- Pump PWM: pumppwm
- RAMdisk API: ramdisk
- RAM API: ram
- Flash API: flash

Slide 26: Memory dumping reveals computing secrets

SANS Security Predictions 2012/2013 - The Emerging Security Threat: Memory Scraping Will Become More Common.

Slide 27: Admin restrictions fail to prevent memory dumping

Slide 28: Password setup is sniffed by the attacker

1) HTTP GET request – password in clear text
2) HTTP reply

Slide 29: Basic auth password can be dumped

1) Authorization: Basic YWRtaW4yO…
2) HTTP/1.1 200 OK

Slide 30: HTTPS/IPsec secrets are "defaulty" & "leaky"

0x66306630663066306630663066302222

Slide 31: Attacker has access to printed document details

Slide 32: Attacker has access to network topology – no scan needed

Slide 33: Attacker has access to BSD-style sockets…

Two-way BSD-style socket communication.

Slide 34: Analyzed MFP cannot protect effectively

Protection measures (each rated fail / warn / ok on the slide):
- Privilege level separation
- Secure password setup
- Secure (basic) auth
- HTTPS/IPsec secrets protection
- Network topology protection
- In-memory document protection
- Restrict sockets on unprivileged modules

Slide 35: Plenty of Xerox printers share the affected PS firmware update mechanism

Slide 36: Agenda

1. Quick refresher
2. What about PostScript?
3. So what, and how did you find it?
4. Attacks in a nutshell
5. Solutions and conclusions

Slide 37: Remote attacks can be used to extract data

Stage 1 – SocEng: sent by e-mail (print attachment) or drive-by print (print from web).
Stage 2 – Printing: the malicious byte stream is spooled.
Stage 3 – Exploiting/spying: malware exploits the internal network or extracts data.

Slide 38: Agenda

1. Quick refresher
2. What about PostScript?
3. So what, and how did you find it?
4. Attacks in a nutshell
5. What's next, solutions, conclusions

Slide 39: Network-wise mitigation solution

(Diagram: VLAN1 with the PCs, VLAN2 with the PRNs, and a PS/PJL-sandboxed print server. Legend: VLAN networks, unsafe print jobs, safe print jobs.)

Slide 40: Protocol-wise mitigation solution – PostScript/PJL sandbox

- Secure PostScript execution/interpreter sandbox
- Set of online/offline tools for analysis & reporting
- Wepawet-like, but for PostScript-related data
- Subscribe for updates: postscript-sec@andreicostin.com
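
Slides 14 and 15 name the two things such a sandbox must handle: a job that never terminates, and an operator name that only exists at run time. The toy below is an added illustration (not the talk's tool, and not Ghostscript code): an interpreter for a tiny PostScript subset (exec, loop, cvx and Ghostscript's concatstrings extension) with a step budget and a restricted-operator check applied to each name at the moment it executes; RESTRICTED is an assumed -dSAFER-like list, and both sample jobs are constructed here.

```python
"""Toy sandbox for a tiny PostScript subset (added illustration, not the talk's
tool). A step budget stops '{ } loop' style DoS, and the operator policy is
applied to each name at the moment it executes, so a name assembled at run time
from string fragments is caught although no static IDS/IPS signature matches."""
import re

RESTRICTED = {"file", "deletefile", "renamefile", "run"}  # assumed -dSAFER-like list
# Tokens: comments, strings (no nested parens in this toy), braces, other atoms.
TOKEN_RE = re.compile(r"%[^\n]*|\((?:[^()\\]|\\.)*\)|[{}]|[^\s{}()%]+")


class Violation(Exception): pass   # the sandbox stopped the job; str(e) = verdict


def parse(src):
    frames = [[]]                              # nested { } procedure frames
    for tok in (m.group() for m in TOKEN_RE.finditer(src)):
        if tok == "{":
            frames.append([])
        elif tok == "}":
            if len(frames) == 1:
                raise Violation("syntaxerror: unbalanced }")
            proc = frames.pop()
            frames[-1].append(("proc", proc))
        elif tok.startswith("("):
            frames[-1].append(("str", tok[1:-1]))
        elif re.fullmatch(r"-?\d+(\.\d+)?", tok):
            frames[-1].append(("num", float(tok)))
        elif not tok.startswith("%"):          # comments are dropped
            frames[-1].append(("name", tok))   # resolved only when executed
    if len(frames) != 1:
        raise Violation("syntaxerror: unbalanced {")
    return frames[0]


class Sandbox:
    def __init__(self, budget=10_000):
        self.budget, self.steps, self.stack, self.executed = budget, 0, [], []

    def run(self, src):                        # report dict; never raises
        try:
            self.execute(parse(src))
            verdict = "ok"
        except Violation as e:
            verdict = str(e)
        return {"verdict": verdict, "steps": self.steps, "executed": self.executed}

    def tick(self):
        self.steps += 1
        if self.steps > self.budget:
            raise Violation(f"budget exceeded ({self.budget} steps)")

    def pop(self, kind=None):
        if not self.stack or (kind and self.stack[-1][0] != kind):
            raise Violation("stackunderflow" if not self.stack else "typecheck")
        k, v = self.stack.pop()
        return v if kind else (k, v)

    def execute(self, objects):
        for kind, value in objects:
            self.tick()
            if kind != "name":                 # literals are pushed
                self.stack.append((kind, value))
                continue
            self.executed.append(value)        # policy sees the *resolved* name
            if value in RESTRICTED:
                raise Violation(f"restricted operator: {value}")
            op = getattr(self, "op_" + value, None)
            if op is None:
                raise Violation(f"undefined: {value}")
            op()

    def op_exec(self):
        k, v = self.pop()
        if k == "proc":
            self.execute(v)
        elif k == "xstr":                      # executable string: parsed and run
            self.execute(parse(v))
        else:
            self.stack.append((k, v))          # other literals execute to themselves

    def op_loop(self):                         # 'exit' is omitted in this toy, so
        proc = self.pop("proc")                # only the budget can end a loop
        while True:
            self.tick()                        # an empty body must still cost budget
            self.execute(proc)

    def op_cvx(self):
        k, v = self.pop()
        self.stack.append(("xstr" if k == "str" else k, v))

    def op_concatstrings(self):                # Ghostscript extension: s1 s2 -> s1s2
        b, a = self.pop("str"), self.pop("str")
        self.stack.append(("str", a + b))


def static_signature_hit(src):
    """What a content-matching IDS/IPS rule sees: a bare restricted name."""
    return any(re.search(rf"\b{op}\b", src) for op in RESTRICTED)


INFINITE_LOOP = "{ } loop"                              # constructed, slide 14 DoS
CONSTRUCTED = "(dele) (tefile) concatstrings cvx exec"  # constructed, slide 15 case
```

For CONSTRUCTED, static_signature_hit returns False while Sandbox().run still reports the restricted operator, and the empty loop ends with a budget verdict instead of hanging the interpreter.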

Slide 41: What's next? PS + MSF + FS + Sockets = PWN

Slide 42: Solutions

Suggested actions per actor:

Admins:
- Disable PS processing on printers
- Route print jobs through sandboxed print servers
- Replace PS drivers with PCL ones (well…)
- Disable Language Operator Authorization
- Look for security bulletins and patch
- Sandbox printers in your network
- Include MFPs in the security audit lifecycle

Users:
- Do not print from untrusted sources
- Be suspicious of PostScript files

Vendors:
- Create realistic MFP threat models
- Do not enable/expose super-APIs

Slide 43: Acknowledgements

The Xerox-related PostScript work & research was done under the support of

Slide 44: Acknowledgements

Thanks to EURECOM for great advice and support on this topic.

Slide 45: Thanks/resources

Personal thanks:
- Igor Marinescu, MihaiSa: great logistic support and friendly help
- Xerox Security Team: positive responses, active mitigation

Resources:
- www.tinaja.com: insanely large free PostScript resources directory
- www.anastigmatix.net: very good PostScript resources
- www.acumentraining.com: very good PostScript resources

Slide 46: Take-aways

- Upcoming MFP attacks could include viruses in Office and PS documents that extract organization data
- Securing the MFP infrastructure requires better segmentation, strong credentials and continuous vulnerability patching
- MFPs are badly secured computing platforms with large abuse potential

Check upcoming research papers. Check www.youtube.com/user/zveriu. Join postscript-sec@andreicostin.com.

Questions? Andrei Costin, andrei@andreicostin.com, http://andreicostin.com/papers

Page 15: PostScript: Danger Ahead?!

PHDAYS2012

Demo1 ldquoProgramming languagerdquo aspect

14

Programming languages 101

Control statements ifelse loop while

Simplest DoS attack is an ldquoinfinite looprdquo

loop

PHDAYS2012

Demo2 ldquoDynamically typed concatenative aspect

15

You wonder why your smart IDSIPS rules stopped working

Here is why

ps_dynamic_statement_construction_and_executionps Obfuscation at its best built-into the language

Solution

Bad news Need dynamic execution sandbox Good news Itrsquos coming up ndash see sandbox slides below

PHDAYS2012

Demo3 Real world application ndash MSOffice PS crash

16

Submitted to MS

Apparently this is not exploitable as in smash stack attacks

But it opens an interesting perspective on MS Officehellip

PHDAYS2012

Demo4 Real world application ndash GhostScript autoprn

17

One got to love custom extensions

Sends a print-job stream directly by just opening the file

Requires more investigation but perspective is interestinghellip

PHDAYS2012

Dynamic document forginggeneration + SocEng

18

User computer User printout

PHDAYS2012

Dynamic document forginggeneration + SocEng

19

Computer side ndash SocEng bait PrinterMFP side ndash PS virus

PHDAYS2012

Where is PostScript (Vendor-wise view)

20

Applications incorporating the PS interpreter

Applicationsvendors producing the PS interpreter

The PS interpreter specifications and standards

PHDAYS2012

Where is PostScript (Role-wise view)

21

PHDAYS2012

PostScript Web 20 Style

22

PostScript made it into the web as well Around 20+ services found to be vulnerable to various degrees

Google was one them -gt Got a ldquohall of famerdquo reward Some fun facts

Effective for host exploitation and information gathering Some ran GS as root user Some ran GS without ndashdSAFER All of them ran vulnerable GS versions

Heap and stack overflows and what-nothellip More details to comehellip

PHDAYS2012

Agenda

1 Quick refresher

2 What about PostScript

3 What else was found

4 Attacks in a nutshell

5 Solutions and conclusions

23

PHDAYS2012

A PS-based firmware upload was required

24

PHDAYS2012

This is too good to be truehellip

25

VxWorks API vx

DebugQA API QA

Logging API EventLog

BillingMeters API meter

Pump PWM pumppwm

RAMdisk API ramdisk

RAM API ram

Flash API flash

PHDAYS2012

Memory dumping reveals computing secrets

26

SANS Security Predictions 20122013 - The Emerging Security Threat Memory Scraping Will Become More Common

PHDAYS2012

Admin restriction fail to prevent memory dumping

27

PHDAYS2012

Password setup is sniffed by the attacker

28

1) HTTP GET request ndash password clear text

2) HTTP reply

PHDAYS2012

Basic auth password can be dumped

29

1) Authorization Basic YWRtaW4yOhellip

2) HTTP11 200 OK

PHDAYS2012

HTTPS IPsec secrets are ldquodefaultyrdquo amp ldquoleakyrdquo

30

0x66306630663066306630663066302222

PHDAYS2012

Attacker has access to printed document details

31

PHDAYS2012

Attacker has access to network topology ndash no-scan

32

PHDAYS2012

Attacker has access to BSD-style socketshellip

33

Two-way BSD-style sockets communication

PHDAYS2012

Analyzed MFP cannot protect effectively

34

Privilege level separation

Secure password setup

Secure (basic) auth

HTTPS IPSEC secrets protection

Network topology protection

In-memory document protection

Restrict sockets on unprivileged modules

Protection measures Fail warn ok

PHDAYS2012

Plenty of Xerox printers share affected PS firmware update mechanism

35

PHDAYS2012

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

36

PHDAYS2012

Remote attacks can be used to extract data

37

Sent

by

email

Drive-

by

print

Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying

Print

attachment

Print

from

web

Malware exploits

internal netw or

extracts data

Spool

malicious

byte

stream

PHDAYS2012

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Whatrsquos next solutions conclusions

38

PHDAYS2012

Network-wise mitigation solution

39

VLAN1 PCs

VLAN2 PRNs

Print Server PSPJL-sandboxed

VLAN networks Unsafe print jobs Safe print jobs

PHDAYS2012

Protocol-wise mitigation solution PostScriptPJL sandbox

40

Secure PostScript ExecutionInterpreter Sandbox Set of onlineoffline tools for analysis amp reporting Wepawet-like but for PostScript related data Subscribe for updates postscript-secandreicostincom

PHDAYS2012

Whatrsquos next PS + MSF + FS + Sockets = PWN

41

PHDAYS2012

Solutions

42

Admins bull Disable PS processing on printers bull Route print-jobs thru sandboxed print-servers bull Replace PS drivers with PCL ones (wellhellip) bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sandbox printers in your network bull Include MFPs in security audit lifecycle

Users bull Do not print from untrusted sources bull Be suspicious on PostScript files

Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs

Actor Suggested actions

PHDAYS2012

Acknowledgements

43

The Xerox-related PostScript work amp research done under support of

PHDAYS2012

Acknowledgements

44

Thanks to EURECOM for great advise and support for this topic

PHDAYS2012

Thanksresources

45

Personal thanks

Igor Marinescu MihaiSa Great logistic support and friendly help

Xerox Security Team Positive responses active mitigation

wwwtinajacom Insanely large free postscript resources dir

wwwanastigmatixnet Very good postscript resources

wwwacumentrainingcom Very good postscript resources

PHDAYS2012

Take aways

46

Questions Andrei Costin andreiandreicostincom httpandreicostincompapers

Upcoming MFP attack could include viruses in Office and PS documents that extract organization data

Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching

MFPs are badly secured computing platforms with large abuse potential

Check upcoming research papers Check wwwyoutubecomuserzveriu Join postscript-secandreicostincom

Page 16: PostScript: Danger Ahead?!

PHDAYS2012

Demo2 ldquoDynamically typed concatenative aspect

15

You wonder why your smart IDSIPS rules stopped working

Here is why

ps_dynamic_statement_construction_and_executionps Obfuscation at its best built-into the language

Solution

Bad news Need dynamic execution sandbox Good news Itrsquos coming up ndash see sandbox slides below

PHDAYS2012

Demo3 Real world application ndash MSOffice PS crash

16

Submitted to MS

Apparently this is not exploitable as in smash stack attacks

But it opens an interesting perspective on MS Officehellip

PHDAYS2012

Demo4 Real world application ndash GhostScript autoprn

17

One got to love custom extensions

Sends a print-job stream directly by just opening the file

Requires more investigation but perspective is interestinghellip

PHDAYS2012

Dynamic document forginggeneration + SocEng

18

User computer User printout

PHDAYS2012

Dynamic document forginggeneration + SocEng

19

Computer side ndash SocEng bait PrinterMFP side ndash PS virus

PHDAYS2012

Where is PostScript (Vendor-wise view)

20

Applications incorporating the PS interpreter

Applicationsvendors producing the PS interpreter

The PS interpreter specifications and standards

PHDAYS2012

Where is PostScript (Role-wise view)

21

PHDAYS2012

PostScript Web 20 Style

22

PostScript made it into the web as well Around 20+ services found to be vulnerable to various degrees

Google was one them -gt Got a ldquohall of famerdquo reward Some fun facts

Effective for host exploitation and information gathering Some ran GS as root user Some ran GS without ndashdSAFER All of them ran vulnerable GS versions

Heap and stack overflows and what-nothellip More details to comehellip

PHDAYS2012

Agenda

1 Quick refresher

2 What about PostScript

3 What else was found

4 Attacks in a nutshell

5 Solutions and conclusions

23

PHDAYS2012

A PS-based firmware upload was required

24

PHDAYS2012

This is too good to be truehellip

25

VxWorks API vx

DebugQA API QA

Logging API EventLog

BillingMeters API meter

Pump PWM pumppwm

RAMdisk API ramdisk

RAM API ram

Flash API flash

PHDAYS2012

Memory dumping reveals computing secrets

26

SANS Security Predictions 20122013 - The Emerging Security Threat Memory Scraping Will Become More Common

PHDAYS2012

Admin restriction fail to prevent memory dumping

27

PHDAYS2012

Password setup is sniffed by the attacker

28

1) HTTP GET request ndash password clear text

2) HTTP reply

PHDAYS2012

Basic auth password can be dumped

29

1) Authorization Basic YWRtaW4yOhellip

2) HTTP11 200 OK

PHDAYS2012

HTTPS IPsec secrets are ldquodefaultyrdquo amp ldquoleakyrdquo

30

0x66306630663066306630663066302222

PHDAYS2012

Attacker has access to printed document details

31

PHDAYS2012

Attacker has access to network topology ndash no-scan

32

PHDAYS2012

Attacker has access to BSD-style socketshellip

33

Two-way BSD-style sockets communication

PHDAYS2012

Analyzed MFP cannot protect effectively

34

Privilege level separation

Secure password setup

Secure (basic) auth

HTTPS IPSEC secrets protection

Network topology protection

In-memory document protection

Restrict sockets on unprivileged modules

Protection measures Fail warn ok

PHDAYS2012

Plenty of Xerox printers share affected PS firmware update mechanism

35

PHDAYS2012

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

36

PHDAYS2012

Remote attacks can be used to extract data

37

Sent

by

email

Drive-

by

print

Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying

Print

attachment

Print

from

web

Malware exploits

internal netw or

extracts data

Spool

malicious

byte

stream

PHDAYS2012

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Whatrsquos next solutions conclusions

38

PHDAYS2012

Network-wise mitigation solution

39

VLAN1 PCs

VLAN2 PRNs

Print Server PSPJL-sandboxed

VLAN networks Unsafe print jobs Safe print jobs

PHDAYS2012

Protocol-wise mitigation solution PostScriptPJL sandbox

40

Secure PostScript ExecutionInterpreter Sandbox Set of onlineoffline tools for analysis amp reporting Wepawet-like but for PostScript related data Subscribe for updates postscript-secandreicostincom

PHDAYS2012

Whatrsquos next PS + MSF + FS + Sockets = PWN

41

PHDAYS2012

Solutions

42

Admins bull Disable PS processing on printers bull Route print-jobs thru sandboxed print-servers bull Replace PS drivers with PCL ones (wellhellip) bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sandbox printers in your network bull Include MFPs in security audit lifecycle

Users bull Do not print from untrusted sources bull Be suspicious on PostScript files

Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs

Actor Suggested actions

PHDAYS2012

Acknowledgements

43

The Xerox-related PostScript work amp research done under support of

PHDAYS2012

Acknowledgements

44

Thanks to EURECOM for great advise and support for this topic

PHDAYS2012

Thanksresources

45

Personal thanks

Igor Marinescu MihaiSa Great logistic support and friendly help

Xerox Security Team Positive responses active mitigation

wwwtinajacom Insanely large free postscript resources dir

wwwanastigmatixnet Very good postscript resources

wwwacumentrainingcom Very good postscript resources

PHDAYS2012

Take aways

46

Questions Andrei Costin andreiandreicostincom httpandreicostincompapers

Upcoming MFP attack could include viruses in Office and PS documents that extract organization data

Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching

MFPs are badly secured computing platforms with large abuse potential

Check upcoming research papers Check wwwyoutubecomuserzveriu Join postscript-secandreicostincom

Page 17: PostScript: Danger Ahead?!

PHDAYS2012

Demo3 Real world application ndash MSOffice PS crash

16

Submitted to MS

Apparently this is not exploitable as in smash stack attacks

But it opens an interesting perspective on MS Officehellip

PHDAYS2012

Demo4 Real world application ndash GhostScript autoprn

17

One got to love custom extensions

Sends a print-job stream directly by just opening the file

Requires more investigation but perspective is interestinghellip

PHDAYS2012

Dynamic document forginggeneration + SocEng

18

User computer User printout

PHDAYS2012

Dynamic document forginggeneration + SocEng

19

Computer side ndash SocEng bait PrinterMFP side ndash PS virus

PHDAYS2012

Where is PostScript (Vendor-wise view)

20

Applications incorporating the PS interpreter

Applicationsvendors producing the PS interpreter

The PS interpreter specifications and standards

PHDAYS2012

Where is PostScript (Role-wise view)

21

PHDAYS2012

PostScript Web 20 Style

22

PostScript made it into the web as well Around 20+ services found to be vulnerable to various degrees

Google was one them -gt Got a ldquohall of famerdquo reward Some fun facts

Effective for host exploitation and information gathering Some ran GS as root user Some ran GS without ndashdSAFER All of them ran vulnerable GS versions

Heap and stack overflows and what-nothellip More details to comehellip

PHDAYS2012

Agenda

1 Quick refresher

2 What about PostScript

3 What else was found

4 Attacks in a nutshell

5 Solutions and conclusions

23

PHDAYS2012

A PS-based firmware upload was required

24

PHDAYS2012

This is too good to be truehellip

25

VxWorks API vx

DebugQA API QA

Logging API EventLog

BillingMeters API meter

Pump PWM pumppwm

RAMdisk API ramdisk

RAM API ram

Flash API flash

PHDAYS2012

Memory dumping reveals computing secrets

26

SANS Security Predictions 20122013 - The Emerging Security Threat Memory Scraping Will Become More Common

PHDAYS2012

Admin restriction fail to prevent memory dumping

27

PHDAYS2012

Password setup is sniffed by the attacker

28

1) HTTP GET request ndash password clear text

2) HTTP reply

PHDAYS2012

Basic auth password can be dumped

29

1) Authorization Basic YWRtaW4yOhellip

2) HTTP11 200 OK

PHDAYS2012

HTTPS IPsec secrets are ldquodefaultyrdquo amp ldquoleakyrdquo

30

0x66306630663066306630663066302222

PHDAYS2012

Attacker has access to printed document details

31

PHDAYS2012

Attacker has access to network topology ndash no-scan

32

PHDAYS2012

Attacker has access to BSD-style socketshellip

33

Two-way BSD-style sockets communication

PHDAYS2012

Analyzed MFP cannot protect effectively

34

Privilege level separation

Secure password setup

Secure (basic) auth

HTTPS IPSEC secrets protection

Network topology protection

In-memory document protection

Restrict sockets on unprivileged modules

Protection measures Fail warn ok

PHDAYS2012

Plenty of Xerox printers share affected PS firmware update mechanism

35

PHDAYS2012

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

36

PHDAYS2012

Remote attacks can be used to extract data

37

Sent

by

email

Drive-

by

print

Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying

Print

attachment

Print

from

web

Malware exploits

internal netw or

extracts data

Spool

malicious

byte

stream

PHDAYS2012

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Whatrsquos next solutions conclusions

38

PHDAYS2012

Network-wise mitigation solution

39

VLAN1 PCs

VLAN2 PRNs

Print Server PSPJL-sandboxed

VLAN networks Unsafe print jobs Safe print jobs

PHDAYS2012

Protocol-wise mitigation solution PostScriptPJL sandbox

40

Secure PostScript ExecutionInterpreter Sandbox Set of onlineoffline tools for analysis amp reporting Wepawet-like but for PostScript related data Subscribe for updates postscript-secandreicostincom

PHDAYS2012

Whatrsquos next PS + MSF + FS + Sockets = PWN

41

PHDAYS2012

Solutions

42

Admins bull Disable PS processing on printers bull Route print-jobs thru sandboxed print-servers bull Replace PS drivers with PCL ones (wellhellip) bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sandbox printers in your network bull Include MFPs in security audit lifecycle

Users bull Do not print from untrusted sources bull Be suspicious on PostScript files

Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs

Actor Suggested actions

PHDAYS2012

Acknowledgements

43

The Xerox-related PostScript work amp research done under support of

PHDAYS2012

Acknowledgements

44

Thanks to EURECOM for great advise and support for this topic

PHDAYS2012

Thanksresources

45

Personal thanks

Igor Marinescu MihaiSa Great logistic support and friendly help

Xerox Security Team Positive responses active mitigation

wwwtinajacom Insanely large free postscript resources dir

wwwanastigmatixnet Very good postscript resources

wwwacumentrainingcom Very good postscript resources

PHDAYS2012

Take aways

46

Questions Andrei Costin andreiandreicostincom httpandreicostincompapers

Upcoming MFP attack could include viruses in Office and PS documents that extract organization data

Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching

MFPs are badly secured computing platforms with large abuse potential

Check upcoming research papers Check wwwyoutubecomuserzveriu Join postscript-secandreicostincom

Page 18: PostScript: Danger Ahead?!

PHDAYS2012

Demo4 Real world application ndash GhostScript autoprn

17

One got to love custom extensions

Sends a print-job stream directly by just opening the file

Requires more investigation but perspective is interestinghellip

PHDAYS2012

Dynamic document forginggeneration + SocEng

18

User computer User printout

PHDAYS2012

Dynamic document forginggeneration + SocEng

19

Computer side ndash SocEng bait PrinterMFP side ndash PS virus

PHDAYS2012

Where is PostScript (Vendor-wise view)

20

Applications incorporating the PS interpreter

Applicationsvendors producing the PS interpreter

The PS interpreter specifications and standards

PHDAYS2012

Where is PostScript (Role-wise view)

21

PHDAYS2012

PostScript Web 20 Style

22

PostScript made it into the web as well Around 20+ services found to be vulnerable to various degrees

Google was one them -gt Got a ldquohall of famerdquo reward Some fun facts

Effective for host exploitation and information gathering Some ran GS as root user Some ran GS without ndashdSAFER All of them ran vulnerable GS versions

Heap and stack overflows and what-nothellip More details to comehellip

PHDAYS2012

Agenda

1 Quick refresher

2 What about PostScript

3 What else was found

4 Attacks in a nutshell

5 Solutions and conclusions

23

PHDAYS2012

A PS-based firmware upload was required

24

PHDAYS2012

This is too good to be truehellip

25

VxWorks API vx

DebugQA API QA

Logging API EventLog

BillingMeters API meter

Pump PWM pumppwm

RAMdisk API ramdisk

RAM API ram

Flash API flash

PHDAYS2012

Memory dumping reveals computing secrets

26

SANS Security Predictions 20122013 - The Emerging Security Threat Memory Scraping Will Become More Common

PHDAYS2012

Admin restriction fail to prevent memory dumping

27

PHDAYS2012

Password setup is sniffed by the attacker

28

1) HTTP GET request ndash password clear text

2) HTTP reply

PHDAYS2012

Basic auth password can be dumped

29

1) Authorization Basic YWRtaW4yOhellip

2) HTTP11 200 OK

PHDAYS2012

HTTPS IPsec secrets are ldquodefaultyrdquo amp ldquoleakyrdquo

30

0x66306630663066306630663066302222

PHDAYS2012

Attacker has access to printed document details

31

PHDAYS2012

Attacker has access to network topology ndash no-scan

32

PHDAYS2012

Attacker has access to BSD-style socketshellip

33

Two-way BSD-style sockets communication

PHDAYS2012

Analyzed MFP cannot protect effectively

34

Privilege level separation

Secure password setup

Secure (basic) auth

HTTPS IPSEC secrets protection

Network topology protection

In-memory document protection

Restrict sockets on unprivileged modules

Protection measures Fail warn ok

PHDAYS2012

Plenty of Xerox printers share affected PS firmware update mechanism

35

PHDAYS2012

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

36

PHDAYS2012

Remote attacks can be used to extract data

37

Sent

by

email

Drive-

by

print

Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying

Print

attachment

Print

from

web

Malware exploits

internal netw or

extracts data

Spool

malicious

byte

stream

PHDAYS2012

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Whatrsquos next solutions conclusions

38

PHDAYS2012

Network-wise mitigation solution

39

VLAN1 PCs

VLAN2 PRNs

Print Server PSPJL-sandboxed

VLAN networks Unsafe print jobs Safe print jobs

PHDAYS2012

Protocol-wise mitigation solution PostScriptPJL sandbox

40

Secure PostScript ExecutionInterpreter Sandbox Set of onlineoffline tools for analysis amp reporting Wepawet-like but for PostScript related data Subscribe for updates postscript-secandreicostincom

PHDAYS2012

Whatrsquos next PS + MSF + FS + Sockets = PWN

41

PHDAYS2012

Solutions

42

Admins bull Disable PS processing on printers bull Route print-jobs thru sandboxed print-servers bull Replace PS drivers with PCL ones (wellhellip) bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sandbox printers in your network bull Include MFPs in security audit lifecycle

Users bull Do not print from untrusted sources bull Be suspicious on PostScript files

Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs

Actor Suggested actions

PHDAYS2012

Acknowledgements

43

The Xerox-related PostScript work amp research done under support of

PHDAYS2012

Acknowledgements

44

Thanks to EURECOM for great advise and support for this topic

Thanks/resources (slide 45)

Personal thanks:

Igor Marinescu, MihaiSa: great logistic support and friendly help

Xerox Security Team: positive responses, active mitigation

www.tinaja.com: insanely large free PostScript resources directory

www.anastigmatix.net: very good PostScript resources

www.acumentraining.com: very good PostScript resources

Take-aways (slide 46)

Questions? Andrei Costin, andrei@andreicostin.com, http://andreicostin.com/papers

• Upcoming MFP attacks could include viruses in Office and PS documents that extract organization data

• Securing the MFP infrastructure requires better segmentation, strong credentials and continuous vulnerability patching

• MFPs are badly secured computing platforms with large abuse potential

• Check upcoming research papers

• Check www.youtube.com/user/zveriu

• Join postscript-sec@andreicostin.com

Page 19: PostScript: Danger Ahead?!

Dynamic document forging/generation + SocEng (slide 18)

Figure labels: User computer; User printout.

Dynamic document forging/generation + SocEng (slide 19)

Computer side - SocEng bait. Printer/MFP side - PS virus.

Where is PostScript? (Vendor-wise view) (slide 20)

• Applications incorporating the PS interpreter

• Applications/vendors producing the PS interpreter

• The PS interpreter specifications and standards

Where is PostScript? (Role-wise view) (slide 21)

PostScript Web 2.0 Style (slide 22)

PostScript made it into the web as well. Around 20+ services were found to be vulnerable to various degrees.

Google was one of them -> got a "hall of fame" reward.

Some fun facts:

• Effective for host exploitation and information gathering

• Some ran GS as root user

• Some ran GS without -dSAFER

• All of them ran vulnerable GS versions

• Heap and stack overflows and what-not… More details to come…

Agenda (slide 23)

1. Quick refresher

2. What about PostScript?

3. What else was found?

4. Attacks in a nutshell

5. Solutions and conclusions

A PS-based firmware upload was required (slide 24)

This is too good to be true… (slide 25)

Modules listed on the slide (name and identifier):

VxWorks API (vx)
Debug/QA API (QA)
Logging API (EventLog)
Billing/Meters API (meter)
Pump PWM (pumppwm)
RAMdisk API (ramdisk)
RAM API (ram)
Flash API (flash)

Memory dumping reveals computing secrets (slide 26)

SANS Security Predictions 2012/2013 - "The Emerging Security Threat: Memory Scraping Will Become More Common"

Admin restrictions fail to prevent memory dumping (slide 27)

Password setup is sniffed by the attacker (slide 28)

1) HTTP GET request - password in clear text

2) HTTP reply

Basic auth password can be dumped (slide 29)

1) Authorization: Basic YWRtaW4yO…

2) HTTP/1.1 200 OK
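Detection for the two findings above (a password set through a clear-text HTTP GET, and a Basic-auth header readable from traffic), written as an added example rather than the talk's tooling: it audits HTTP request records as a capture tool exports them and reports clear-text credentials without echoing the secret. The host name, paths, parameter names and the placeholder credential are constructed for the example.

```python
"""Detector for MFP admin credentials crossing the network in clear text (added example,
not the talk's tooling). It runs over decoded HTTP request records, as a capture tool
exports them, and reports password-bearing GET/POST parameters and Basic-auth headers
seen over plain HTTP. Findings name the user and URL, never the secret itself."""
import base64
import binascii
from urllib.parse import parse_qsl, urlsplit

# Parameter-name fragments that usually carry a password (case-insensitive substrings).
PASSWORD_PARAM_HINTS = ("pass", "pwd", "secret", "pin")


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request into method, target, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}


def basic_auth_user(header_value: str):
    """User name from an 'Authorization: Basic <b64>' value, or None when the scheme
    differs or the token is not valid base64 'user:password'."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        creds = base64.b64decode(token.strip(), validate=True).decode("latin-1")
    except (binascii.Error, ValueError):
        return None
    user, sep, _password = creds.partition(":")
    return user if sep else None


def password_params(query: str) -> list:
    """Names of query/form parameters whose name looks like a password field."""
    return [k for k, _ in parse_qsl(query, keep_blank_values=True)
            if any(h in k.lower() for h in PASSWORD_PARAM_HINTS)]


def find_cleartext_credentials(raw: str, scheme: str = "http") -> list:
    """Findings for one request; scheme is how the capture saw it on the wire."""
    if scheme != "http":
        return []                               # TLS or IPsec: nothing readable in transit
    req = parse_request(raw)
    url = urlsplit(req["target"])
    where = f"{req['method']} {req['headers'].get('host', '?')}{url.path}"
    findings = [f"{where}: password parameter '{k}' in the URL, clear text"
                for k in password_params(url.query)]
    if "form-urlencoded" in req["headers"].get("content-type", ""):
        findings += [f"{where}: password field '{k}' in the form body, clear text"
                     for k in password_params(req["body"])]
    user = basic_auth_user(req["headers"].get("authorization", ""))
    if user is not None:
        findings.append(f"{where}: Basic auth for user '{user}', clear text")
    return findings


# Constructed sample capture (not from the talk); the credential is a placeholder.
BASIC_PLACEHOLDER = "YWRtaW46cGxhY2Vob2xkZXI="        # base64 of admin:placeholder
SAMPLE_CAPTURE = [
    ("http", "GET /admin/setpwd.cgi?user=admin&newpwd=placeholder HTTP/1.1\r\n"
             "Host: mfp.example.internal\r\n\r\n"),
    ("http", "POST /admin/setpwd.cgi HTTP/1.1\r\nHost: mfp.example.internal\r\n"
             "Content-Type: application/x-www-form-urlencoded\r\n\r\nuser=admin&password=placeholder"),
    ("http", "GET /status.html HTTP/1.1\r\nHost: mfp.example.internal\r\n"
             f"Authorization: Basic {BASIC_PLACEHOLDER}\r\n\r\n"),
    ("https", "GET /status.html HTTP/1.1\r\nHost: mfp.example.internal\r\n"
              f"Authorization: Basic {BASIC_PLACEHOLDER}\r\n\r\n"),
    ("http", "GET /status.html HTTP/1.1\r\nHost: mfp.example.internal\r\n"
             "Authorization: Basic not*base64\r\n\r\n"),
]


def audit(capture=SAMPLE_CAPTURE) -> list:
    """All findings over a capture, in capture order."""
    return [f for scheme, raw in capture for f in find_cleartext_credentials(raw, scheme)]
```

The same request over HTTPS produces no finding, which is the point of the slide's table entry on secrets protection: the fix is transport protection and a password change flow that does not put the secret in a URL, not a smarter sniffer.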

HTTPS/IPsec secrets are "defaulty" & "leaky" (slide 30)

0x66306630663066306630663066302222

Attacker has access to printed document details (slide 31)

Attacker has access to network topology - no-scan (slide 32)

Attacker has access to BSD-style sockets… (slide 33)

Two-way BSD-style sockets communication

Analyzed MFP cannot protect effectively (slide 34)

Protection measures, each rated fail/warn/ok on the slide (the ratings were icons and did not survive the transcript):

Privilege level separation
Secure password setup
Secure (basic) auth
HTTPS/IPSEC secrets protection
Network topology protection
In-memory document protection
Restrict sockets on unprivileged modules

Plenty of Xerox printers share the affected PS firmware update mechanism (slide 35)

PHDAYS2012

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

36

PHDAYS2012

Remote attacks can be used to extract data

37

Sent

by

email

Drive-

by

print

Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying

Print

attachment

Print

from

web

Malware exploits

internal netw or

extracts data

Spool

malicious

byte

stream

PHDAYS2012

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Whatrsquos next solutions conclusions

38

PHDAYS2012

Network-wise mitigation solution

39

VLAN1 PCs

VLAN2 PRNs

Print Server PSPJL-sandboxed

VLAN networks Unsafe print jobs Safe print jobs

PHDAYS2012

Protocol-wise mitigation solution PostScriptPJL sandbox

40

Secure PostScript ExecutionInterpreter Sandbox Set of onlineoffline tools for analysis amp reporting Wepawet-like but for PostScript related data Subscribe for updates postscript-secandreicostincom

PHDAYS2012

Whatrsquos next PS + MSF + FS + Sockets = PWN

41

PHDAYS2012

Solutions

42

Admins bull Disable PS processing on printers bull Route print-jobs thru sandboxed print-servers bull Replace PS drivers with PCL ones (wellhellip) bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sandbox printers in your network bull Include MFPs in security audit lifecycle

Users bull Do not print from untrusted sources bull Be suspicious on PostScript files

Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs

Actor Suggested actions

PHDAYS2012

Acknowledgements

43

The Xerox-related PostScript work amp research done under support of

PHDAYS2012

Acknowledgements

44

Thanks to EURECOM for great advise and support for this topic

PHDAYS2012

Thanksresources

45

Personal thanks

Igor Marinescu MihaiSa Great logistic support and friendly help

Xerox Security Team Positive responses active mitigation

wwwtinajacom Insanely large free postscript resources dir

wwwanastigmatixnet Very good postscript resources

wwwacumentrainingcom Very good postscript resources

PHDAYS2012

Take aways

46

Questions Andrei Costin andreiandreicostincom httpandreicostincompapers

Upcoming MFP attack could include viruses in Office and PS documents that extract organization data

Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching

MFPs are badly secured computing platforms with large abuse potential

Check upcoming research papers Check wwwyoutubecomuserzveriu Join postscript-secandreicostincom

Page 20: PostScript: Danger Ahead?!

PHDAYS2012

Dynamic document forginggeneration + SocEng

19

Computer side ndash SocEng bait PrinterMFP side ndash PS virus

PHDAYS2012

Where is PostScript (Vendor-wise view)

20

Applications incorporating the PS interpreter

Applicationsvendors producing the PS interpreter

The PS interpreter specifications and standards

PHDAYS2012

Where is PostScript (Role-wise view)

21

PHDAYS2012

PostScript Web 20 Style

22

PostScript made it into the web as well Around 20+ services found to be vulnerable to various degrees

Google was one them -gt Got a ldquohall of famerdquo reward Some fun facts

Effective for host exploitation and information gathering Some ran GS as root user Some ran GS without ndashdSAFER All of them ran vulnerable GS versions

Heap and stack overflows and what-nothellip More details to comehellip

PHDAYS2012

Agenda

1 Quick refresher

2 What about PostScript

3 What else was found

4 Attacks in a nutshell

5 Solutions and conclusions

23

PHDAYS2012

A PS-based firmware upload was required

24

PHDAYS2012

This is too good to be truehellip

25

VxWorks API vx

DebugQA API QA

Logging API EventLog

BillingMeters API meter

Pump PWM pumppwm

RAMdisk API ramdisk

RAM API ram

Flash API flash

PHDAYS2012

Memory dumping reveals computing secrets

26

SANS Security Predictions 20122013 - The Emerging Security Threat Memory Scraping Will Become More Common

PHDAYS2012

Admin restriction fail to prevent memory dumping

27

PHDAYS2012

Password setup is sniffed by the attacker

28

1) HTTP GET request ndash password clear text

2) HTTP reply

PHDAYS2012

Basic auth password can be dumped

29

1) Authorization Basic YWRtaW4yOhellip

2) HTTP11 200 OK

PHDAYS2012

HTTPS IPsec secrets are ldquodefaultyrdquo amp ldquoleakyrdquo

30

0x66306630663066306630663066302222

PHDAYS2012

Attacker has access to printed document details

31

PHDAYS2012

Attacker has access to network topology ndash no-scan

32

PHDAYS2012

Attacker has access to BSD-style socketshellip

33

Two-way BSD-style sockets communication

PHDAYS2012

Analyzed MFP cannot protect effectively

34

Privilege level separation

Secure password setup

Secure (basic) auth

HTTPS IPSEC secrets protection

Network topology protection

In-memory document protection

Restrict sockets on unprivileged modules

Protection measures Fail warn ok

PHDAYS2012

Plenty of Xerox printers share affected PS firmware update mechanism

35

PHDAYS2012

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

36

PHDAYS2012

Remote attacks can be used to extract data

37

Sent

by

email

Drive-

by

print

Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying

Print

attachment

Print

from

web

Malware exploits

internal netw or

extracts data

Spool

malicious

byte

stream

PHDAYS2012

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Whatrsquos next solutions conclusions

38

PHDAYS2012

Network-wise mitigation solution

39

VLAN1 PCs

VLAN2 PRNs

Print Server PSPJL-sandboxed

VLAN networks Unsafe print jobs Safe print jobs

PHDAYS2012

Protocol-wise mitigation solution PostScriptPJL sandbox

40

Secure PostScript ExecutionInterpreter Sandbox Set of onlineoffline tools for analysis amp reporting Wepawet-like but for PostScript related data Subscribe for updates postscript-secandreicostincom

PHDAYS2012

Whatrsquos next PS + MSF + FS + Sockets = PWN

41

PHDAYS2012

Solutions

42

Admins bull Disable PS processing on printers bull Route print-jobs thru sandboxed print-servers bull Replace PS drivers with PCL ones (wellhellip) bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sandbox printers in your network bull Include MFPs in security audit lifecycle

Users bull Do not print from untrusted sources bull Be suspicious on PostScript files

Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs

Actor Suggested actions

PHDAYS2012

Acknowledgements

43

The Xerox-related PostScript work amp research done under support of

PHDAYS2012

Acknowledgements

44

Thanks to EURECOM for great advise and support for this topic

PHDAYS2012

Thanksresources

45

Personal thanks

Igor Marinescu MihaiSa Great logistic support and friendly help

Xerox Security Team Positive responses active mitigation

wwwtinajacom Insanely large free postscript resources dir

wwwanastigmatixnet Very good postscript resources

wwwacumentrainingcom Very good postscript resources

PHDAYS2012

Take aways

46

Questions Andrei Costin andreiandreicostincom httpandreicostincompapers

Upcoming MFP attack could include viruses in Office and PS documents that extract organization data

Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching

MFPs are badly secured computing platforms with large abuse potential

Check upcoming research papers Check wwwyoutubecomuserzveriu Join postscript-secandreicostincom

Page 21: PostScript: Danger Ahead?!

PHDAYS2012

Where is PostScript (Vendor-wise view)

20

Applications incorporating the PS interpreter

Applicationsvendors producing the PS interpreter

The PS interpreter specifications and standards

PHDAYS2012

Where is PostScript (Role-wise view)

21

PHDAYS2012

PostScript Web 20 Style

22

PostScript made it into the web as well Around 20+ services found to be vulnerable to various degrees

Google was one them -gt Got a ldquohall of famerdquo reward Some fun facts

Effective for host exploitation and information gathering Some ran GS as root user Some ran GS without ndashdSAFER All of them ran vulnerable GS versions

Heap and stack overflows and what-nothellip More details to comehellip

PHDAYS2012

Agenda

1 Quick refresher

2 What about PostScript

3 What else was found

4 Attacks in a nutshell

5 Solutions and conclusions

23

PHDAYS2012

A PS-based firmware upload was required

24

PHDAYS2012

This is too good to be truehellip

25

VxWorks API vx

DebugQA API QA

Logging API EventLog

BillingMeters API meter

Pump PWM pumppwm

RAMdisk API ramdisk

RAM API ram

Flash API flash

PHDAYS2012

Memory dumping reveals computing secrets

26

SANS Security Predictions 20122013 - The Emerging Security Threat Memory Scraping Will Become More Common

PHDAYS2012

Admin restriction fail to prevent memory dumping

27

PHDAYS2012

Password setup is sniffed by the attacker

28

1) HTTP GET request ndash password clear text

2) HTTP reply

PHDAYS2012

Basic auth password can be dumped

29

1) Authorization Basic YWRtaW4yOhellip

2) HTTP11 200 OK

PHDAYS2012

HTTPS IPsec secrets are ldquodefaultyrdquo amp ldquoleakyrdquo

30

0x66306630663066306630663066302222

PHDAYS2012

Attacker has access to printed document details

31

PHDAYS2012

Attacker has access to network topology ndash no-scan

32

PHDAYS2012

Attacker has access to BSD-style socketshellip

33

Two-way BSD-style sockets communication

PHDAYS2012

Analyzed MFP cannot protect effectively

34

Privilege level separation

Secure password setup

Secure (basic) auth

HTTPS IPSEC secrets protection

Network topology protection

In-memory document protection

Restrict sockets on unprivileged modules

Protection measures Fail warn ok

PHDAYS2012

Plenty of Xerox printers share affected PS firmware update mechanism

35

PHDAYS2012

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

36

PHDAYS2012

Remote attacks can be used to extract data

37

Sent

by

email

Drive-

by

print

Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying

Print

attachment

Print

from

web

Malware exploits

internal netw or

extracts data

Spool

malicious

byte

stream

PHDAYS2012

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Whatrsquos next solutions conclusions

38

PHDAYS2012

Network-wise mitigation solution

39

VLAN1 PCs

VLAN2 PRNs

Print Server PSPJL-sandboxed

VLAN networks Unsafe print jobs Safe print jobs

PHDAYS2012

Protocol-wise mitigation solution PostScriptPJL sandbox

40

Secure PostScript ExecutionInterpreter Sandbox Set of onlineoffline tools for analysis amp reporting Wepawet-like but for PostScript related data Subscribe for updates postscript-secandreicostincom

PHDAYS2012

Whatrsquos next PS + MSF + FS + Sockets = PWN

41

PHDAYS2012

Solutions

42

Admins bull Disable PS processing on printers bull Route print-jobs thru sandboxed print-servers bull Replace PS drivers with PCL ones (wellhellip) bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sandbox printers in your network bull Include MFPs in security audit lifecycle

Users bull Do not print from untrusted sources bull Be suspicious on PostScript files

Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs

Actor Suggested actions

PHDAYS2012

Acknowledgements

43

The Xerox-related PostScript work amp research done under support of

PHDAYS2012

Acknowledgements

44

Thanks to EURECOM for great advise and support for this topic

PHDAYS2012

Thanksresources

45

Personal thanks

Igor Marinescu MihaiSa Great logistic support and friendly help

Xerox Security Team Positive responses active mitigation

wwwtinajacom Insanely large free postscript resources dir

wwwanastigmatixnet Very good postscript resources

wwwacumentrainingcom Very good postscript resources

PHDAYS2012

Take aways

46

Questions Andrei Costin andreiandreicostincom httpandreicostincompapers

Upcoming MFP attack could include viruses in Office and PS documents that extract organization data

Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching

MFPs are badly secured computing platforms with large abuse potential

Check upcoming research papers Check wwwyoutubecomuserzveriu Join postscript-secandreicostincom

Page 22: PostScript: Danger Ahead?!

PHDAYS2012

Where is PostScript (Role-wise view)

21

PHDAYS2012

PostScript Web 20 Style

22

PostScript made it into the web as well Around 20+ services found to be vulnerable to various degrees

Google was one them -gt Got a ldquohall of famerdquo reward Some fun facts

Effective for host exploitation and information gathering Some ran GS as root user Some ran GS without ndashdSAFER All of them ran vulnerable GS versions

Heap and stack overflows and what-nothellip More details to comehellip

PHDAYS2012

Agenda

1 Quick refresher

2 What about PostScript

3 What else was found

4 Attacks in a nutshell

5 Solutions and conclusions

23

PHDAYS2012

A PS-based firmware upload was required

24

PHDAYS2012

This is too good to be truehellip

25

VxWorks API vx

DebugQA API QA

Logging API EventLog

BillingMeters API meter

Pump PWM pumppwm

RAMdisk API ramdisk

RAM API ram

Flash API flash

PHDAYS2012

Memory dumping reveals computing secrets

26

SANS Security Predictions 20122013 - The Emerging Security Threat Memory Scraping Will Become More Common

PHDAYS2012

Admin restriction fail to prevent memory dumping

27

PHDAYS2012

Password setup is sniffed by the attacker

28

1) HTTP GET request ndash password clear text

2) HTTP reply

PHDAYS2012

Basic auth password can be dumped

29

1) Authorization Basic YWRtaW4yOhellip

2) HTTP11 200 OK

PHDAYS2012

HTTPS IPsec secrets are ldquodefaultyrdquo amp ldquoleakyrdquo

30

0x66306630663066306630663066302222

PHDAYS2012

Attacker has access to printed document details

31

PHDAYS2012

Attacker has access to network topology ndash no-scan

32

PHDAYS2012

Attacker has access to BSD-style socketshellip

33

Two-way BSD-style sockets communication

PHDAYS2012

Analyzed MFP cannot protect effectively

34

Privilege level separation

Secure password setup

Secure (basic) auth

HTTPS IPSEC secrets protection

Network topology protection

In-memory document protection

Restrict sockets on unprivileged modules

Protection measures Fail warn ok

PHDAYS2012

Plenty of Xerox printers share affected PS firmware update mechanism

35

PHDAYS2012

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

36

PHDAYS2012

Remote attacks can be used to extract data

37

Sent

by

email

Drive-

by

print

Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying

Print

attachment

Print

from

web

Malware exploits

internal netw or

extracts data

Spool

malicious

byte

stream

PHDAYS2012

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Whatrsquos next solutions conclusions

38

PHDAYS2012

Network-wise mitigation solution

39

VLAN1 PCs

VLAN2 PRNs

Print Server PSPJL-sandboxed

VLAN networks Unsafe print jobs Safe print jobs

PHDAYS2012

Protocol-wise mitigation solution PostScriptPJL sandbox

40

Secure PostScript ExecutionInterpreter Sandbox Set of onlineoffline tools for analysis amp reporting Wepawet-like but for PostScript related data Subscribe for updates postscript-secandreicostincom

PHDAYS2012

Whatrsquos next PS + MSF + FS + Sockets = PWN

41

PHDAYS2012

Solutions

42

Admins bull Disable PS processing on printers bull Route print-jobs thru sandboxed print-servers bull Replace PS drivers with PCL ones (wellhellip) bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sandbox printers in your network bull Include MFPs in security audit lifecycle

Users bull Do not print from untrusted sources bull Be suspicious on PostScript files

Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs

Actor Suggested actions

PHDAYS2012

Acknowledgements

43

The Xerox-related PostScript work amp research done under support of

PHDAYS2012

Acknowledgements

44

Thanks to EURECOM for great advise and support for this topic

PHDAYS2012

Thanksresources

45

Personal thanks

Igor Marinescu MihaiSa Great logistic support and friendly help

Xerox Security Team Positive responses active mitigation

wwwtinajacom Insanely large free postscript resources dir

wwwanastigmatixnet Very good postscript resources

wwwacumentrainingcom Very good postscript resources

PHDAYS2012

Take aways

46

Questions Andrei Costin andreiandreicostincom httpandreicostincompapers

Upcoming MFP attack could include viruses in Office and PS documents that extract organization data

Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching

MFPs are badly secured computing platforms with large abuse potential

Check upcoming research papers Check wwwyoutubecomuserzveriu Join postscript-secandreicostincom

Page 23: PostScript: Danger Ahead?!

PHDAYS2012

PostScript Web 20 Style

22

PostScript made it into the web as well Around 20+ services found to be vulnerable to various degrees

Google was one them -gt Got a ldquohall of famerdquo reward Some fun facts

Effective for host exploitation and information gathering Some ran GS as root user Some ran GS without ndashdSAFER All of them ran vulnerable GS versions

Heap and stack overflows and what-nothellip More details to comehellip

PHDAYS2012

Agenda

1 Quick refresher

2 What about PostScript

3 What else was found

4 Attacks in a nutshell

5 Solutions and conclusions

23

PHDAYS2012

A PS-based firmware upload was required

24

PHDAYS2012

This is too good to be truehellip

25

VxWorks API vx

DebugQA API QA

Logging API EventLog

BillingMeters API meter

Pump PWM pumppwm

RAMdisk API ramdisk

RAM API ram

Flash API flash

PHDAYS2012

Memory dumping reveals computing secrets

26

SANS Security Predictions 20122013 - The Emerging Security Threat Memory Scraping Will Become More Common

PHDAYS2012

Admin restriction fail to prevent memory dumping

27

PHDAYS2012

Password setup is sniffed by the attacker

28

1) HTTP GET request ndash password clear text

2) HTTP reply

PHDAYS2012

Basic auth password can be dumped

29

1) Authorization Basic YWRtaW4yOhellip

2) HTTP11 200 OK

PHDAYS2012

HTTPS IPsec secrets are ldquodefaultyrdquo amp ldquoleakyrdquo

30

0x66306630663066306630663066302222

PHDAYS2012

Attacker has access to printed document details

31

PHDAYS2012

Attacker has access to network topology ndash no-scan

32

PHDAYS2012

Attacker has access to BSD-style socketshellip

33

Two-way BSD-style sockets communication

PHDAYS2012

Analyzed MFP cannot protect effectively

34

Privilege level separation

Secure password setup

Secure (basic) auth

HTTPS IPSEC secrets protection

Network topology protection

In-memory document protection

Restrict sockets on unprivileged modules

Protection measures Fail warn ok

PHDAYS2012

Plenty of Xerox printers share affected PS firmware update mechanism

35

PHDAYS2012

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

36

PHDAYS2012

Remote attacks can be used to extract data

37

Sent

by

email

Drive-

by

print

Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying

Print

attachment

Print

from

web

Malware exploits

internal netw or

extracts data

Spool

malicious

byte

stream

PHDAYS2012

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Whatrsquos next solutions conclusions

38

PHDAYS2012

Network-wise mitigation solution

39

VLAN1 PCs

VLAN2 PRNs

Print Server PSPJL-sandboxed

VLAN networks Unsafe print jobs Safe print jobs

PHDAYS2012

Protocol-wise mitigation solution PostScriptPJL sandbox

40

Secure PostScript ExecutionInterpreter Sandbox Set of onlineoffline tools for analysis amp reporting Wepawet-like but for PostScript related data Subscribe for updates postscript-secandreicostincom

PHDAYS2012

Whatrsquos next PS + MSF + FS + Sockets = PWN

41

PHDAYS2012

Solutions

42

Admins bull Disable PS processing on printers bull Route print-jobs thru sandboxed print-servers bull Replace PS drivers with PCL ones (wellhellip) bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sandbox printers in your network bull Include MFPs in security audit lifecycle

Users bull Do not print from untrusted sources bull Be suspicious on PostScript files

Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs

Actor Suggested actions

PHDAYS2012

Acknowledgements

43

The Xerox-related PostScript work amp research done under support of

PHDAYS2012

Acknowledgements

44

Thanks to EURECOM for great advise and support for this topic

PHDAYS2012

Thanksresources

45

Personal thanks

Igor Marinescu MihaiSa Great logistic support and friendly help

Xerox Security Team Positive responses active mitigation

wwwtinajacom Insanely large free postscript resources dir

wwwanastigmatixnet Very good postscript resources

wwwacumentrainingcom Very good postscript resources

PHDAYS2012

Take aways

46

Questions Andrei Costin andreiandreicostincom httpandreicostincompapers

Upcoming MFP attack could include viruses in Office and PS documents that extract organization data

Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching

MFPs are badly secured computing platforms with large abuse potential

Check upcoming research papers Check wwwyoutubecomuserzveriu Join postscript-secandreicostincom

Page 24: PostScript: Danger Ahead?!

PHDAYS2012

Agenda

1 Quick refresher

2 What about PostScript

3 What else was found

4 Attacks in a nutshell

5 Solutions and conclusions

23

PHDAYS2012

A PS-based firmware upload was required

24

PHDAYS2012

This is too good to be truehellip

25

VxWorks API vx

DebugQA API QA

Logging API EventLog

BillingMeters API meter

Pump PWM pumppwm

RAMdisk API ramdisk

RAM API ram

Flash API flash

PHDAYS2012

Memory dumping reveals computing secrets

26

SANS Security Predictions 20122013 - The Emerging Security Threat Memory Scraping Will Become More Common

PHDAYS2012

Admin restriction fail to prevent memory dumping

27

PHDAYS2012

Password setup is sniffed by the attacker

28

1) HTTP GET request ndash password clear text

2) HTTP reply

PHDAYS2012

Basic auth password can be dumped

29

1) Authorization Basic YWRtaW4yOhellip

2) HTTP11 200 OK

PHDAYS2012

HTTPS IPsec secrets are ldquodefaultyrdquo amp ldquoleakyrdquo

30

0x66306630663066306630663066302222

PHDAYS2012

Attacker has access to printed document details

31

PHDAYS2012

Attacker has access to network topology ndash no-scan

32

PHDAYS2012

Attacker has access to BSD-style socketshellip

33

Two-way BSD-style sockets communication

PHDAYS2012

Analyzed MFP cannot protect effectively

34

Privilege level separation

Secure password setup

Secure (basic) auth

HTTPS IPSEC secrets protection

Network topology protection

In-memory document protection

Restrict sockets on unprivileged modules

Protection measures Fail warn ok

PHDAYS2012

Plenty of Xerox printers share affected PS firmware update mechanism

35

PHDAYS2012

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

36

PHDAYS2012

Remote attacks can be used to extract data

37

Sent

by

email

Drive-

by

print

Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying

Print

attachment

Print

from

web

Malware exploits

internal netw or

extracts data

Spool

malicious

byte

stream

PHDAYS2012

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Whatrsquos next solutions conclusions

38

PHDAYS2012

Network-wise mitigation solution

39

VLAN1 PCs

VLAN2 PRNs

Print Server PSPJL-sandboxed

VLAN networks Unsafe print jobs Safe print jobs

PHDAYS2012

Protocol-wise mitigation solution PostScriptPJL sandbox

40

Secure PostScript ExecutionInterpreter Sandbox Set of onlineoffline tools for analysis amp reporting Wepawet-like but for PostScript related data Subscribe for updates postscript-secandreicostincom

PHDAYS2012

Whatrsquos next PS + MSF + FS + Sockets = PWN

41

PHDAYS2012

Solutions

42

Admins bull Disable PS processing on printers bull Route print-jobs thru sandboxed print-servers bull Replace PS drivers with PCL ones (wellhellip) bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sandbox printers in your network bull Include MFPs in security audit lifecycle

Users bull Do not print from untrusted sources bull Be suspicious on PostScript files

Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs

Actor Suggested actions

PHDAYS2012

Acknowledgements

43

The Xerox-related PostScript work amp research done under support of

PHDAYS2012

Acknowledgements

44

Thanks to EURECOM for great advise and support for this topic

PHDAYS2012

Thanksresources

45

Personal thanks

Igor Marinescu MihaiSa Great logistic support and friendly help

Xerox Security Team Positive responses active mitigation

wwwtinajacom Insanely large free postscript resources dir

wwwanastigmatixnet Very good postscript resources

wwwacumentrainingcom Very good postscript resources

PHDAYS2012

Take aways

46

Questions Andrei Costin andreiandreicostincom httpandreicostincompapers

Upcoming MFP attack could include viruses in Office and PS documents that extract organization data

Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching

MFPs are badly secured computing platforms with large abuse potential

Check upcoming research papers Check wwwyoutubecomuserzveriu Join postscript-secandreicostincom

Page 25: PostScript: Danger Ahead?!

PHDAYS2012

A PS-based firmware upload was required

24

PHDAYS2012

This is too good to be truehellip

25

VxWorks API vx

DebugQA API QA

Logging API EventLog

BillingMeters API meter

Pump PWM pumppwm

RAMdisk API ramdisk

RAM API ram

Flash API flash

PHDAYS2012

Memory dumping reveals computing secrets

26

SANS Security Predictions 20122013 - The Emerging Security Threat Memory Scraping Will Become More Common

PHDAYS2012

Admin restriction fail to prevent memory dumping

27

PHDAYS2012

Password setup is sniffed by the attacker

28

1) HTTP GET request ndash password clear text

2) HTTP reply

PHDAYS2012

Basic auth password can be dumped

29

1) Authorization Basic YWRtaW4yOhellip

2) HTTP11 200 OK

PHDAYS2012

HTTPS IPsec secrets are ldquodefaultyrdquo amp ldquoleakyrdquo

30

0x66306630663066306630663066302222

PHDAYS2012

Attacker has access to printed document details

31

PHDAYS2012

Attacker has access to network topology ndash no-scan

32

PHDAYS2012

Attacker has access to BSD-style socketshellip

33

Two-way BSD-style sockets communication

PHDAYS2012

Analyzed MFP cannot protect effectively

34

Privilege level separation

Secure password setup

Secure (basic) auth

HTTPS IPSEC secrets protection

Network topology protection

In-memory document protection

Restrict sockets on unprivileged modules

Protection measures Fail warn ok

PHDAYS2012

Plenty of Xerox printers share affected PS firmware update mechanism

35

PHDAYS2012

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

36

PHDAYS2012

Remote attacks can be used to extract data

37

Sent

by

email

Drive-

by

print

Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying

Print

attachment

Print

from

web

Malware exploits

internal netw or

extracts data

Spool

malicious

byte

stream

PHDAYS2012

Agenda
1 Quick refresher
2 What about PostScript
3 So what and how did you find
4 Attacks in a nutshell
5 What’s next, solutions, conclusions

Network-wise mitigation solution

VLAN1: PCs
VLAN2: PRNs (printers)
Print server: PS/PJL-sandboxed, placed between the two VLANs
Legend: VLAN networks; unsafe print jobs (PCs to print server); safe print jobs (print server to printers)

Protocol-wise mitigation solution: PostScript/PJL sandbox

• Secure PostScript execution/interpreter sandbox
• Set of online/offline tools for analysis & reporting
• Wepawet-like, but for PostScript-related data
• Subscribe for updates: postscript-sec@andreicostin.com
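The slide names the approach (an interpreter-level sandbox plus analysis tools), and the Solutions slide later tells admins to route print jobs through sandboxed print servers. The block below is an added example, not the talk's tool and not vendor code, of the simplest gate such a print server can run in front of the sandbox: it splits an incoming job into its PJL prologue and PostScript body and rejects jobs that use PJL file-system or persistent-configuration commands, Ghostscript-style special device names, or standard PostScript operators a document never needs (file, job-server and device-parameter access). The deny lists and the two sample jobs are this example's own choices; the PJL command names are HP PJL commands and the operators are standard PostScript.

```python
"""Added example (not the talk's sandbox tool): a print-server-side gate for
PS/PJL jobs.  It splits a job into its PJL prologue and its PostScript body and
rejects jobs that use PJL file-system/configuration commands or PostScript
operators a document never needs.  Deny lists and sample jobs are this
example's own choices."""
import re

UEL = b"\x1b%-12345X"   # PJL Universal Exit Language; brackets a job

# PJL commands that write the printer's file system or persistent settings
# (assumption: a document job needs none of them).
PJL_DENY = {"FSDOWNLOAD", "FSUPLOAD", "FSDELETE", "FSAPPEND", "FSMKDIR",
            "FSINIT", "DEFAULT", "INITIALIZE"}
# Standard PostScript operators that reach files, the job server or device
# parameters; a document only needs drawing operators.
PS_DENY = {"file", "deletefile", "renamefile", "filenameforall", "run",
           "exitserver", "startjob", "setsystemparams", "setdevparams"}
# Ghostscript-style special devices inside file-name strings (pipes, OS files).
PS_DENY_DEVICES = (b"%pipe%", b"%os%")

PJL_CMD = re.compile(rb"@PJL\s+([A-Z]+)")
ENTER_LANG = re.compile(rb"@PJL\s+ENTER\s+LANGUAGE\s*=\s*\w+[^\r\n]*\r?\n")
PS_TOKEN = re.compile(rb"/?[^\s()<>\[\]{}/%]+")


def split_job(job: bytes) -> tuple:
    """Return (pjl_prologue, language_body); a job with no PJL is all body."""
    if not job.startswith(UEL):
        return b"", job
    m = ENTER_LANG.search(job)
    if m is None:
        return job, b""
    return job[:m.end()], job[m.end():]


def strip_strings_and_comments(ps: bytes) -> bytes:
    """Blank out (...) strings (with nesting and backslash escapes) and
    % comments so operator names inside document text are not counted."""
    out, i, depth = bytearray(), 0, 0
    while i < len(ps):
        c = ps[i:i + 1]
        if depth:                       # inside a string literal
            if c == b"\\":
                i += 2                  # skip the escaped byte
                continue
            depth += (c == b"(") - (c == b")")
            out += b" "
        elif c == b"(":
            depth = 1
            out += b" "
        elif c == b"%":                 # comment runs to end of line
            nl = ps.find(b"\n", i)
            i = len(ps) if nl == -1 else nl
            continue
        else:
            out += c
        i += 1
    return bytes(out)


def inspect_job(job: bytes) -> dict:
    """Gate decision for one job: allowed only if no finding was raised."""
    pjl, body = split_job(job)
    findings = []
    for cmd in PJL_CMD.findall(pjl):
        if cmd.decode() in PJL_DENY:
            findings.append("PJL %s is not allowed in a print job" % cmd.decode())
    for dev in PS_DENY_DEVICES:
        if dev in body:
            findings.append("file name uses special device %s" % dev.decode())
    seen = set()
    for tok in PS_TOKEN.findall(strip_strings_and_comments(body)):
        name = tok.lstrip(b"/").decode("latin-1")   # '/deletefile load' counts too
        if name in PS_DENY and name not in seen:
            seen.add(name)
            findings.append("PostScript operator %s is not allowed" % name)
    return {"allowed": not findings, "findings": findings}


# Constructed sample jobs: what a driver emits vs. a hostile job.
BENIGN_JOB = (UEL + b"@PJL JOB\r\n@PJL SET COPIES=1\r\n"
              b"@PJL ENTER LANGUAGE=POSTSCRIPT\r\n"
              b"%!PS-Adobe-3.0\r\n"
              b"/Helvetica findfont 12 scalefont setfont\r\n"
              b"72 720 moveto (run deletefile: just text) show\r\n"
              b"showpage\r\n" + UEL)
HOSTILE_JOB = (UEL + b"@PJL JOB\r\n"
               b'@PJL FSDOWNLOAD FORMAT:BINARY SIZE=0 NAME="0:/x"\r\n'
               b"@PJL ENTER LANGUAGE=POSTSCRIPT\r\n"
               b"%!PS\r\n"
               b"serverdict begin 0 exitserver\r\n"
               b"(%pipe%id) (r) file\r\n"
               b"/deletefile load exec\r\n"
               b"showpage\r\n" + UEL)

if __name__ == "__main__":
    for label, job in (("benign", BENIGN_JOB), ("hostile", HOSTILE_JOB)):
        print(label, inspect_job(job))
```

A token filter like this is a pre-filter, not the sandbox: PostScript can assemble an operator name at run time from a string (cvn followed by cvx and exec) and call it without the name ever appearing as a token, so the gate catches the plain and "/name load" forms but cannot replace policy enforced inside the interpreter, which is what the slide's secure execution/interpreter sandbox item proposes.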

What’s next: PS + MSF + FS + Sockets = PWN

Solutions

Actor: suggested actions

Admins
• Disable PS processing on printers
• Route print jobs through sandboxed print servers
• Replace PS drivers with PCL ones (well…)
• Disable Language Operator Authorization
• Look for security bulletins and patch
• Sandbox printers in your network
• Include MFPs in the security audit lifecycle

Users
• Do not print from untrusted sources
• Be suspicious of PostScript files

Vendors
• Create realistic MFP threat models
• Do not enable/expose super-APIs

Acknowledgements

The Xerox-related PostScript work & research was done under the support of

Thanks to EURECOM for great advice and support on this topic

Thanks/resources

Personal thanks
Igor Marinescu, MihaiSa: great logistic support and friendly help
Xerox Security Team: positive responses, active mitigation
www.tinaja.com: insanely large free PostScript resources directory
www.anastigmatix.net: very good PostScript resources
www.acumentraining.com: very good PostScript resources

Take aways

Questions: Andrei Costin, andrei@andreicostin.com, http://andreicostin.com/papers

Upcoming MFP attacks could include viruses in Office and PS documents that extract organization data

Securing the MFP infrastructure requires better segmentation, strong credentials and continuous vulnerability patching

MFPs are badly secured computing platforms with large abuse potential

Check upcoming research papers. Check www.youtube.com/user/zveriu. Join postscript-sec@andreicostin.com

Page 26: PostScript: Danger Ahead?!

PHDAYS2012

This is too good to be truehellip

25

VxWorks API vx

DebugQA API QA

Logging API EventLog

BillingMeters API meter

Pump PWM pumppwm

RAMdisk API ramdisk

RAM API ram

Flash API flash

PHDAYS2012

Memory dumping reveals computing secrets

26

SANS Security Predictions 20122013 - The Emerging Security Threat Memory Scraping Will Become More Common

PHDAYS2012

Admin restriction fail to prevent memory dumping

27

PHDAYS2012

Password setup is sniffed by the attacker

28

1) HTTP GET request ndash password clear text

2) HTTP reply

PHDAYS2012

Basic auth password can be dumped

29

1) Authorization Basic YWRtaW4yOhellip

2) HTTP11 200 OK

PHDAYS2012

HTTPS IPsec secrets are ldquodefaultyrdquo amp ldquoleakyrdquo

30

0x66306630663066306630663066302222

PHDAYS2012

Attacker has access to printed document details

31

PHDAYS2012

Attacker has access to network topology ndash no-scan

32

PHDAYS2012

Attacker has access to BSD-style socketshellip

33

Two-way BSD-style sockets communication

PHDAYS2012

Analyzed MFP cannot protect effectively

34

Privilege level separation

Secure password setup

Secure (basic) auth

HTTPS IPSEC secrets protection

Network topology protection

In-memory document protection

Restrict sockets on unprivileged modules

Protection measures Fail warn ok

PHDAYS2012

Plenty of Xerox printers share affected PS firmware update mechanism

35

PHDAYS2012

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

36

PHDAYS2012

Remote attacks can be used to extract data

37

Sent

by

email

Drive-

by

print

Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying

Print

attachment

Print

from

web

Malware exploits

internal netw or

extracts data

Spool

malicious

byte

stream

PHDAYS2012

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Whatrsquos next solutions conclusions

38

PHDAYS2012

Network-wise mitigation solution

39

VLAN1 PCs

VLAN2 PRNs

Print Server PSPJL-sandboxed

VLAN networks Unsafe print jobs Safe print jobs

PHDAYS2012

Protocol-wise mitigation solution PostScriptPJL sandbox

40

Secure PostScript ExecutionInterpreter Sandbox Set of onlineoffline tools for analysis amp reporting Wepawet-like but for PostScript related data Subscribe for updates postscript-secandreicostincom

PHDAYS2012

Whatrsquos next PS + MSF + FS + Sockets = PWN

41

PHDAYS2012

Solutions

42

Admins bull Disable PS processing on printers bull Route print-jobs thru sandboxed print-servers bull Replace PS drivers with PCL ones (wellhellip) bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sandbox printers in your network bull Include MFPs in security audit lifecycle

Users bull Do not print from untrusted sources bull Be suspicious on PostScript files

Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs

Actor Suggested actions

PHDAYS2012

Acknowledgements

43

The Xerox-related PostScript work amp research done under support of

PHDAYS2012

Acknowledgements

44

Thanks to EURECOM for great advise and support for this topic

PHDAYS2012

Thanksresources

45

Personal thanks

Igor Marinescu MihaiSa Great logistic support and friendly help

Xerox Security Team Positive responses active mitigation

wwwtinajacom Insanely large free postscript resources dir

wwwanastigmatixnet Very good postscript resources

wwwacumentrainingcom Very good postscript resources

PHDAYS2012

Take aways

46

Questions Andrei Costin andreiandreicostincom httpandreicostincompapers

Upcoming MFP attack could include viruses in Office and PS documents that extract organization data

Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching

MFPs are badly secured computing platforms with large abuse potential

Check upcoming research papers Check wwwyoutubecomuserzveriu Join postscript-secandreicostincom

Page 27: PostScript: Danger Ahead?!

PHDAYS2012

Memory dumping reveals computing secrets

26

SANS Security Predictions 20122013 - The Emerging Security Threat Memory Scraping Will Become More Common

PHDAYS2012

Admin restriction fail to prevent memory dumping

27

PHDAYS2012

Password setup is sniffed by the attacker

28

1) HTTP GET request ndash password clear text

2) HTTP reply

PHDAYS2012

Basic auth password can be dumped

29

1) Authorization Basic YWRtaW4yOhellip

2) HTTP11 200 OK

PHDAYS2012

HTTPS IPsec secrets are ldquodefaultyrdquo amp ldquoleakyrdquo

30

0x66306630663066306630663066302222

PHDAYS2012

Attacker has access to printed document details

31

PHDAYS2012

Attacker has access to network topology ndash no-scan

32

PHDAYS2012

Attacker has access to BSD-style socketshellip

33

Two-way BSD-style sockets communication

PHDAYS2012

Analyzed MFP cannot protect effectively

34

Privilege level separation

Secure password setup

Secure (basic) auth

HTTPS IPSEC secrets protection

Network topology protection

In-memory document protection

Restrict sockets on unprivileged modules

Protection measures Fail warn ok

PHDAYS2012

Plenty of Xerox printers share affected PS firmware update mechanism

35

PHDAYS2012

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

36

PHDAYS2012

Remote attacks can be used to extract data

37

Sent

by

email

Drive-

by

print

Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying

Print

attachment

Print

from

web

Malware exploits

internal netw or

extracts data

Spool

malicious

byte

stream

PHDAYS2012

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Whatrsquos next solutions conclusions

38

PHDAYS2012

Network-wise mitigation solution

39

VLAN1 PCs

VLAN2 PRNs

Print Server PSPJL-sandboxed

VLAN networks Unsafe print jobs Safe print jobs

PHDAYS2012

Protocol-wise mitigation solution PostScriptPJL sandbox

40

Secure PostScript ExecutionInterpreter Sandbox Set of onlineoffline tools for analysis amp reporting Wepawet-like but for PostScript related data Subscribe for updates postscript-secandreicostincom

PHDAYS2012

Whatrsquos next PS + MSF + FS + Sockets = PWN

41

PHDAYS2012

Solutions

42

Admins bull Disable PS processing on printers bull Route print-jobs thru sandboxed print-servers bull Replace PS drivers with PCL ones (wellhellip) bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sandbox printers in your network bull Include MFPs in security audit lifecycle

Users bull Do not print from untrusted sources bull Be suspicious on PostScript files

Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs

Actor Suggested actions

PHDAYS2012

Acknowledgements

43

The Xerox-related PostScript work amp research done under support of

PHDAYS2012

Acknowledgements

44

Thanks to EURECOM for great advise and support for this topic

PHDAYS2012

Thanksresources

45

Personal thanks

Igor Marinescu MihaiSa Great logistic support and friendly help

Xerox Security Team Positive responses active mitigation

wwwtinajacom Insanely large free postscript resources dir

wwwanastigmatixnet Very good postscript resources

wwwacumentrainingcom Very good postscript resources

PHDAYS2012

Take aways

46

Questions Andrei Costin andreiandreicostincom httpandreicostincompapers

Upcoming MFP attack could include viruses in Office and PS documents that extract organization data

Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching

MFPs are badly secured computing platforms with large abuse potential

Check upcoming research papers Check wwwyoutubecomuserzveriu Join postscript-secandreicostincom

Page 28: PostScript: Danger Ahead?!

PHDAYS2012

Admin restriction fail to prevent memory dumping

27

PHDAYS2012

Password setup is sniffed by the attacker

28

1) HTTP GET request ndash password clear text

2) HTTP reply

PHDAYS2012

Basic auth password can be dumped

29

1) Authorization Basic YWRtaW4yOhellip

2) HTTP11 200 OK

PHDAYS2012

HTTPS IPsec secrets are ldquodefaultyrdquo amp ldquoleakyrdquo

30

0x66306630663066306630663066302222

PHDAYS2012

Attacker has access to printed document details

31

PHDAYS2012

Attacker has access to network topology ndash no-scan

32

PHDAYS2012

Attacker has access to BSD-style socketshellip

33

Two-way BSD-style sockets communication

PHDAYS2012

Analyzed MFP cannot protect effectively

34

Privilege level separation

Secure password setup

Secure (basic) auth

HTTPS IPSEC secrets protection

Network topology protection

In-memory document protection

Restrict sockets on unprivileged modules

Protection measures Fail warn ok

PHDAYS2012

Plenty of Xerox printers share affected PS firmware update mechanism

35

PHDAYS2012

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

36

PHDAYS2012

Remote attacks can be used to extract data

37

Sent

by

email

Drive-

by

print

Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying

Print

attachment

Print

from

web

Malware exploits

internal netw or

extracts data

Spool

malicious

byte

stream

PHDAYS2012

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Whatrsquos next solutions conclusions

38

PHDAYS2012

Network-wise mitigation solution

39

VLAN1 PCs

VLAN2 PRNs

Print Server PSPJL-sandboxed

VLAN networks Unsafe print jobs Safe print jobs

PHDAYS2012

Protocol-wise mitigation solution PostScriptPJL sandbox

40

Secure PostScript ExecutionInterpreter Sandbox Set of onlineoffline tools for analysis amp reporting Wepawet-like but for PostScript related data Subscribe for updates postscript-secandreicostincom

PHDAYS2012

Whatrsquos next PS + MSF + FS + Sockets = PWN

41

PHDAYS2012

Solutions

42

Admins bull Disable PS processing on printers bull Route print-jobs thru sandboxed print-servers bull Replace PS drivers with PCL ones (wellhellip) bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sandbox printers in your network bull Include MFPs in security audit lifecycle

Users bull Do not print from untrusted sources bull Be suspicious on PostScript files

Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs

Actor Suggested actions

PHDAYS2012

Acknowledgements

43

The Xerox-related PostScript work amp research done under support of

PHDAYS2012

Acknowledgements

44

Thanks to EURECOM for great advise and support for this topic

PHDAYS2012

Thanksresources

45

Personal thanks

Igor Marinescu MihaiSa Great logistic support and friendly help

Xerox Security Team Positive responses active mitigation

wwwtinajacom Insanely large free postscript resources dir

wwwanastigmatixnet Very good postscript resources

wwwacumentrainingcom Very good postscript resources

PHDAYS2012

Take aways

46

Questions Andrei Costin andreiandreicostincom httpandreicostincompapers

Upcoming MFP attack could include viruses in Office and PS documents that extract organization data

Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching

MFPs are badly secured computing platforms with large abuse potential

Check upcoming research papers Check wwwyoutubecomuserzveriu Join postscript-secandreicostincom

Page 29: PostScript: Danger Ahead?!

PHDAYS2012

Password setup is sniffed by the attacker

28

1) HTTP GET request ndash password clear text

2) HTTP reply

PHDAYS2012

Basic auth password can be dumped

29

1) Authorization Basic YWRtaW4yOhellip

2) HTTP11 200 OK

PHDAYS2012

HTTPS IPsec secrets are ldquodefaultyrdquo amp ldquoleakyrdquo

30

0x66306630663066306630663066302222

PHDAYS2012

Attacker has access to printed document details

31

PHDAYS2012

Attacker has access to network topology ndash no-scan

32

PHDAYS2012

Attacker has access to BSD-style socketshellip

33

Two-way BSD-style sockets communication

PHDAYS2012

Analyzed MFP cannot protect effectively

34

Privilege level separation

Secure password setup

Secure (basic) auth

HTTPS IPSEC secrets protection

Network topology protection

In-memory document protection

Restrict sockets on unprivileged modules

Protection measures Fail warn ok

PHDAYS2012

Plenty of Xerox printers share affected PS firmware update mechanism

35

PHDAYS2012

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

36

PHDAYS2012

Remote attacks can be used to extract data

37

Sent

by

email

Drive-

by

print

Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying

Print

attachment

Print

from

web

Malware exploits

internal netw or

extracts data

Spool

malicious

byte

stream

PHDAYS2012

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Whatrsquos next solutions conclusions

38

PHDAYS2012

Network-wise mitigation solution

39

VLAN1 PCs

VLAN2 PRNs

Print Server PSPJL-sandboxed

VLAN networks Unsafe print jobs Safe print jobs

PHDAYS2012

Protocol-wise mitigation solution PostScriptPJL sandbox

40

Secure PostScript ExecutionInterpreter Sandbox Set of onlineoffline tools for analysis amp reporting Wepawet-like but for PostScript related data Subscribe for updates postscript-secandreicostincom

PHDAYS2012

Whatrsquos next PS + MSF + FS + Sockets = PWN

41

PHDAYS2012

Solutions

42

Admins bull Disable PS processing on printers bull Route print-jobs thru sandboxed print-servers bull Replace PS drivers with PCL ones (wellhellip) bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sandbox printers in your network bull Include MFPs in security audit lifecycle

Users bull Do not print from untrusted sources bull Be suspicious on PostScript files

Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs

Actor Suggested actions

PHDAYS2012

Acknowledgements

43

The Xerox-related PostScript work amp research done under support of

PHDAYS2012

Acknowledgements

44

Thanks to EURECOM for great advise and support for this topic

PHDAYS2012

Thanksresources

45

Personal thanks

Igor Marinescu MihaiSa Great logistic support and friendly help

Xerox Security Team Positive responses active mitigation

wwwtinajacom Insanely large free postscript resources dir

wwwanastigmatixnet Very good postscript resources

wwwacumentrainingcom Very good postscript resources

PHDAYS2012

Take aways

46

Questions Andrei Costin andreiandreicostincom httpandreicostincompapers

Upcoming MFP attack could include viruses in Office and PS documents that extract organization data

Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching

MFPs are badly secured computing platforms with large abuse potential

Check upcoming research papers Check wwwyoutubecomuserzveriu Join postscript-secandreicostincom

Page 30: PostScript: Danger Ahead?!

PHDAYS2012

Basic auth password can be dumped

29

1) Authorization Basic YWRtaW4yOhellip

2) HTTP11 200 OK

PHDAYS2012

HTTPS IPsec secrets are ldquodefaultyrdquo amp ldquoleakyrdquo

30

0x66306630663066306630663066302222

PHDAYS2012

Attacker has access to printed document details

31

PHDAYS2012

Attacker has access to network topology ndash no-scan

32

PHDAYS2012

Attacker has access to BSD-style socketshellip

33

Two-way BSD-style sockets communication

PHDAYS2012

Analyzed MFP cannot protect effectively

34

Privilege level separation

Secure password setup

Secure (basic) auth

HTTPS IPSEC secrets protection

Network topology protection

In-memory document protection

Restrict sockets on unprivileged modules

Protection measures Fail warn ok

PHDAYS2012

Plenty of Xerox printers share affected PS firmware update mechanism

35

PHDAYS2012

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

36

PHDAYS2012

Remote attacks can be used to extract data

37

Sent

by

email

Drive-

by

print

Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying

Print

attachment

Print

from

web

Malware exploits

internal netw or

extracts data

Spool

malicious

byte

stream

PHDAYS2012

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Whatrsquos next solutions conclusions

38

PHDAYS2012

Network-wise mitigation solution

39

VLAN1 PCs

VLAN2 PRNs

Print Server PSPJL-sandboxed

VLAN networks Unsafe print jobs Safe print jobs

PHDAYS2012

Protocol-wise mitigation solution PostScriptPJL sandbox

40

Secure PostScript ExecutionInterpreter Sandbox Set of onlineoffline tools for analysis amp reporting Wepawet-like but for PostScript related data Subscribe for updates postscript-secandreicostincom

PHDAYS2012

Whatrsquos next PS + MSF + FS + Sockets = PWN

41

PHDAYS2012

Solutions

42

Admins bull Disable PS processing on printers bull Route print-jobs thru sandboxed print-servers bull Replace PS drivers with PCL ones (wellhellip) bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sandbox printers in your network bull Include MFPs in security audit lifecycle

Users bull Do not print from untrusted sources bull Be suspicious on PostScript files

Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs

Actor Suggested actions

PHDAYS2012

Acknowledgements

43

The Xerox-related PostScript work amp research done under support of

PHDAYS2012

Acknowledgements

44

Thanks to EURECOM for great advise and support for this topic

PHDAYS2012

Thanksresources

45

Personal thanks

Igor Marinescu MihaiSa Great logistic support and friendly help

Xerox Security Team Positive responses active mitigation

wwwtinajacom Insanely large free postscript resources dir

wwwanastigmatixnet Very good postscript resources

wwwacumentrainingcom Very good postscript resources

PHDAYS2012

Take aways

46

Questions Andrei Costin andreiandreicostincom httpandreicostincompapers

Upcoming MFP attack could include viruses in Office and PS documents that extract organization data

Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching

MFPs are badly secured computing platforms with large abuse potential

Check upcoming research papers Check wwwyoutubecomuserzveriu Join postscript-secandreicostincom

Page 31: PostScript: Danger Ahead?!

PHDAYS2012

HTTPS IPsec secrets are ldquodefaultyrdquo amp ldquoleakyrdquo

30

0x66306630663066306630663066302222

PHDAYS2012

Attacker has access to printed document details

31

PHDAYS2012

Attacker has access to network topology ndash no-scan

32

PHDAYS2012

Attacker has access to BSD-style socketshellip

33

Two-way BSD-style sockets communication

PHDAYS2012

Analyzed MFP cannot protect effectively

34

Privilege level separation

Secure password setup

Secure (basic) auth

HTTPS IPSEC secrets protection

Network topology protection

In-memory document protection

Restrict sockets on unprivileged modules

Protection measures Fail warn ok

PHDAYS2012

Plenty of Xerox printers share affected PS firmware update mechanism

35

PHDAYS2012

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

36

PHDAYS2012

Remote attacks can be used to extract data

37

Sent

by

email

Drive-

by

print

Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying

Print

attachment

Print

from

web

Malware exploits

internal netw or

extracts data

Spool

malicious

byte

stream

PHDAYS2012

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Whatrsquos next solutions conclusions

38

PHDAYS2012

Network-wise mitigation solution

39

VLAN1 PCs

VLAN2 PRNs

Print Server PSPJL-sandboxed

VLAN networks Unsafe print jobs Safe print jobs

PHDAYS2012

Protocol-wise mitigation solution PostScriptPJL sandbox

40

Secure PostScript ExecutionInterpreter Sandbox Set of onlineoffline tools for analysis amp reporting Wepawet-like but for PostScript related data Subscribe for updates postscript-secandreicostincom

PHDAYS2012

Whatrsquos next PS + MSF + FS + Sockets = PWN

41

PHDAYS2012

Solutions

42

Admins bull Disable PS processing on printers bull Route print-jobs thru sandboxed print-servers bull Replace PS drivers with PCL ones (wellhellip) bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sandbox printers in your network bull Include MFPs in security audit lifecycle

Users bull Do not print from untrusted sources bull Be suspicious on PostScript files

Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs

Actor Suggested actions

PHDAYS2012

Acknowledgements

43

The Xerox-related PostScript work amp research done under support of

PHDAYS2012

Acknowledgements

44

Thanks to EURECOM for great advise and support for this topic

PHDAYS2012

Thanksresources

45

Personal thanks

Igor Marinescu MihaiSa Great logistic support and friendly help

Xerox Security Team Positive responses active mitigation

wwwtinajacom Insanely large free postscript resources dir

wwwanastigmatixnet Very good postscript resources

wwwacumentrainingcom Very good postscript resources

PHDAYS2012

Take aways

46

Questions Andrei Costin andreiandreicostincom httpandreicostincompapers

Upcoming MFP attack could include viruses in Office and PS documents that extract organization data

Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching

MFPs are badly secured computing platforms with large abuse potential

Check upcoming research papers Check wwwyoutubecomuserzveriu Join postscript-secandreicostincom

Page 32: PostScript: Danger Ahead?!

PHDAYS2012

Attacker has access to printed document details

31

PHDAYS2012

Attacker has access to network topology ndash no-scan

32

PHDAYS2012

Attacker has access to BSD-style socketshellip

33

Two-way BSD-style sockets communication

PHDAYS2012

Analyzed MFP cannot protect effectively

34

Privilege level separation

Secure password setup

Secure (basic) auth

HTTPS IPSEC secrets protection

Network topology protection

In-memory document protection

Restrict sockets on unprivileged modules

Protection measures Fail warn ok

PHDAYS2012

Plenty of Xerox printers share affected PS firmware update mechanism

35

PHDAYS2012

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

36

PHDAYS2012

Remote attacks can be used to extract data

37

Sent

by

email

Drive-

by

print

Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying

Print

attachment

Print

from

web

Malware exploits

internal netw or

extracts data

Spool

malicious

byte

stream

PHDAYS2012

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Whatrsquos next solutions conclusions

38

PHDAYS2012

Network-wise mitigation solution

39

VLAN1 PCs

VLAN2 PRNs

Print Server PSPJL-sandboxed

VLAN networks Unsafe print jobs Safe print jobs

PHDAYS2012

Protocol-wise mitigation solution PostScriptPJL sandbox

40

Secure PostScript ExecutionInterpreter Sandbox Set of onlineoffline tools for analysis amp reporting Wepawet-like but for PostScript related data Subscribe for updates postscript-secandreicostincom

PHDAYS2012

Whatrsquos next PS + MSF + FS + Sockets = PWN

41

PHDAYS2012

Solutions

42

Admins bull Disable PS processing on printers bull Route print-jobs thru sandboxed print-servers bull Replace PS drivers with PCL ones (wellhellip) bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sandbox printers in your network bull Include MFPs in security audit lifecycle

Users bull Do not print from untrusted sources bull Be suspicious on PostScript files

Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs

Actor Suggested actions

PHDAYS2012

Acknowledgements

43

The Xerox-related PostScript work amp research done under support of

PHDAYS2012

Acknowledgements

44

Thanks to EURECOM for great advise and support for this topic

PHDAYS2012

Thanksresources

45

Personal thanks

Igor Marinescu MihaiSa Great logistic support and friendly help

Xerox Security Team Positive responses active mitigation

wwwtinajacom Insanely large free postscript resources dir

wwwanastigmatixnet Very good postscript resources

wwwacumentrainingcom Very good postscript resources

PHDAYS2012

Take aways

46

Questions Andrei Costin andreiandreicostincom httpandreicostincompapers

Upcoming MFP attack could include viruses in Office and PS documents that extract organization data

Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching

MFPs are badly secured computing platforms with large abuse potential

Check upcoming research papers Check wwwyoutubecomuserzveriu Join postscript-secandreicostincom

Page 33: PostScript: Danger Ahead?!

PHDAYS2012

Attacker has access to network topology ndash no-scan

32

PHDAYS2012

Attacker has access to BSD-style socketshellip

33

Two-way BSD-style sockets communication

PHDAYS2012

Analyzed MFP cannot protect effectively

34

Privilege level separation

Secure password setup

Secure (basic) auth

HTTPS IPSEC secrets protection

Network topology protection

In-memory document protection

Restrict sockets on unprivileged modules

Protection measures Fail warn ok

PHDAYS2012

Plenty of Xerox printers share affected PS firmware update mechanism

35

PHDAYS2012

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

36

PHDAYS2012

Remote attacks can be used to extract data

37

Sent

by

email

Drive-

by

print

Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying

Print

attachment

Print

from

web

Malware exploits

internal netw or

extracts data

Spool

malicious

byte

stream

PHDAYS2012

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Whatrsquos next solutions conclusions

38

PHDAYS2012

Network-wise mitigation solution

39

VLAN1 PCs

VLAN2 PRNs

Print Server PSPJL-sandboxed

VLAN networks Unsafe print jobs Safe print jobs

PHDAYS2012

Protocol-wise mitigation solution PostScriptPJL sandbox

40

Secure PostScript ExecutionInterpreter Sandbox Set of onlineoffline tools for analysis amp reporting Wepawet-like but for PostScript related data Subscribe for updates postscript-secandreicostincom

PHDAYS2012

Whatrsquos next PS + MSF + FS + Sockets = PWN

41

PHDAYS2012

Solutions

42

Admins bull Disable PS processing on printers bull Route print-jobs thru sandboxed print-servers bull Replace PS drivers with PCL ones (wellhellip) bull Disable Language Operator Authorization bull Look for security bulletins and patch bull Sandbox printers in your network bull Include MFPs in security audit lifecycle

Users bull Do not print from untrusted sources bull Be suspicious on PostScript files

Vendors bull Create realistic MFP threat models bull Do not enableexpose super-APIs

Actor Suggested actions

PHDAYS2012

Acknowledgements

43

The Xerox-related PostScript work amp research done under support of

PHDAYS2012

Acknowledgements

44

Thanks to EURECOM for great advise and support for this topic

PHDAYS2012

Thanksresources

45

Personal thanks

Igor Marinescu MihaiSa Great logistic support and friendly help

Xerox Security Team Positive responses active mitigation

wwwtinajacom Insanely large free postscript resources dir

wwwanastigmatixnet Very good postscript resources

wwwacumentrainingcom Very good postscript resources

PHDAYS2012

Take aways

46

Questions Andrei Costin andreiandreicostincom httpandreicostincompapers

Upcoming MFP attack could include viruses in Office and PS documents that extract organization data

Securing the MFP infrastructure requires better segmentation strong credentials and continious vulnerability patching

MFPs are badly secured computing platforms with large abuse potential

Check upcoming research papers Check wwwyoutubecomuserzveriu Join postscript-secandreicostincom

Page 34: PostScript: Danger Ahead?!

PHDAYS2012

Attacker has access to BSD-style socketshellip

33

Two-way BSD-style sockets communication

PHDAYS2012

Analyzed MFP cannot protect effectively

34

Privilege level separation

Secure password setup

Secure (basic) auth

HTTPS IPSEC secrets protection

Network topology protection

In-memory document protection

Restrict sockets on unprivileged modules

Protection measures Fail warn ok

PHDAYS2012

Plenty of Xerox printers share affected PS firmware update mechanism

35

PHDAYS2012

Agenda

1 Quick refresher

2 What about PostScript

3 So what and how did you find

4 Attacks in a nutshell

5 Solutions and conclusions

36

PHDAYS2012

Remote attacks can be used to extract data

37

Sent

by

email

Drive-

by

print

Stage 1 ndash SocEng Stage 2 - Printing Stage 3 ndash Exploitingspying

Print

attachment

Print

from

web

Malware exploits

internal netw or

extracts data

Spool

malicious

byte

stream

Agenda

1. Quick refresher
2. What about PostScript?
3. So what, and how did you find it?
4. Attacks in a nutshell
5. What's next, solutions, conclusions

38

Network-wise mitigation solution

39

VLAN1: PCs. VLAN2: printers (PRNs). Unsafe print jobs from the PC VLAN go to a print server that sandboxes PostScript/PJL; only the safe print jobs it re-emits reach the printer VLAN.

Protocol-wise mitigation solution: PostScript/PJL sandbox

40

• Secure PostScript execution/interpreter sandbox
• Set of online/offline tools for analysis & reporting, Wepawet-like but for PostScript-related data
• Subscribe for updates: postscript-sec@andreicostin.com
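As an added example of the analysis side of such a sandbox (this is not the deck's tool), the triage below splits a spooled job into its PJL header and page-description body, then flags the PJL file-system commands and the standard PostScript operators that reach past the page: file system access, job-server escape and persistent parameter changes. The operator list, the PJL command list and the two sample jobs are constructed for illustration. Strings and comments are stripped first so that a page printing "(see attached file) show" is not a hit; a job can still hide an operator name behind cvn/cvx or a hex string, which is why static triage is only a first pass in front of actual sandboxed execution.

```python
"""Static triage of a spooled print job (PJL header + PostScript body).

Added example, not the deck's tool: flags PJL file-system commands and the
standard PostScript operators a page description has no business using.
"""
import re

UEL = b"\x1b%-12345X"  # PJL Universal Exit Language marker

# Standard PostScript operators (PLRM names; setpassword lives in statusdict
# on many devices) that reach outside the page: file system, job-server
# escape, persistent parameters.
RISKY_PS_OPERATORS = {
    "file": "opens a named file or device",
    "deletefile": "deletes a file on the device",
    "renamefile": "renames a file on the device",
    "filenameforall": "enumerates the device file system",
    "run": "executes a file from the device file system",
    "startjob": "leaves job encapsulation: changes persist across jobs",
    "exitserver": "leaves job encapsulation: changes persist across jobs",
    "setsystemparams": "changes persistent interpreter parameters (passwords etc.)",
    "setdevparams": "changes device parameters",
    "setpassword": "changes the device password",
}

# PJL file-system commands (HP PJL Technical Reference) that read, write,
# list or wipe the device's storage from inside a print job.
RISKY_PJL_COMMANDS = {"FSDOWNLOAD", "FSUPLOAD", "FSDELETE", "FSINIT",
                      "FSDIRLIST", "FSQUERY", "FSMKDIR", "FSAPPEND"}

PS_STRING_RE = re.compile(rb"\((?:\\.|[^\\()])*\)", re.S)   # flat (...) strings
PS_COMMENT_RE = re.compile(rb"%[^\r\n]*")                    # % to end of line
PS_NAME_RE = re.compile(rb"(?<![A-Za-z0-9_.\-/])/{0,2}([A-Za-z][A-Za-z0-9_.\-]*)")


def split_job(job: bytes):
    """Return (pjl_lines, body, language) for a raw job; language is None if unknown."""
    lines = job.replace(UEL, b"").split(b"\n")
    pjl, language, body = [], None, b""
    for i, raw in enumerate(lines):
        line = raw.strip()
        if not line:
            continue
        if not line.startswith(b"@PJL"):          # first non-PJL line: body starts here
            body = b"\n".join(lines[i:])
            break
        text = line.decode("ascii", "replace")
        pjl.append(text)
        m = re.match(r"@PJL\s+ENTER\s+LANGUAGE\s*=\s*(\S+)", text, re.I)
        if m:                                     # PDL switch: the rest is the body
            language = m.group(1).upper()
            body = b"\n".join(lines[i + 1:])
            break
    if language is None and body.lstrip().startswith(b"%!"):
        language = "POSTSCRIPT"                   # bare PostScript, no PJL wrapper
    return pjl, body, language


def analyze_job(job: bytes) -> dict:
    """Classify one job: {'language', 'verdict': 'allow'|'block', 'findings': [...]}."""
    pjl, body, language = split_job(job)
    findings = []
    for text in pjl:
        m = re.match(r"@PJL\s+([A-Za-z]+)", text)
        if m and m.group(1).upper() in RISKY_PJL_COMMANDS:
            findings.append(("pjl", m.group(1).upper(), text))
    if language == "POSTSCRIPT":
        if b"%pipe%" in body:                     # Ghostscript-only device: runs a shell command
            findings.append(("ps", "%pipe%", "Ghostscript pipe device: command execution on a Ghostscript-based print server"))
        # Strip strings first (so '(see file) show' is not a hit), then comments.
        code = PS_COMMENT_RE.sub(b"", PS_STRING_RE.sub(b"()", body))
        counts = {}
        for m in PS_NAME_RE.finditer(code):
            name = m.group(1).decode("ascii", "replace")
            if name in RISKY_PS_OPERATORS:        # executable or literal (/name load) form
                counts[name] = counts.get(name, 0) + 1
        for name in sorted(counts):
            findings.append(("ps", name, f"{RISKY_PS_OPERATORS[name]} ({counts[name]}x)"))
    return {"language": language,
            "verdict": "block" if findings else "allow",
            "findings": findings}


# Constructed sample jobs (not captured from any device).
BENIGN_JOB = (
    UEL + b'@PJL JOB NAME="quarterly-report"\r\n'
    b"@PJL ENTER LANGUAGE=POSTSCRIPT\r\n"
    b"%!PS-Adobe-3.0\n"
    b"/Helvetica findfont 12 scalefont setfont\n"
    b"72 720 moveto (Q3 figures: see attached file) show showpage\n"
    + UEL
)

MALICIOUS_JOB = (
    UEL + b'@PJL FSDIRLIST NAME="0:\\" ENTRY=1 COUNT=64\r\n'
    b"@PJL ENTER LANGUAGE=POSTSCRIPT\r\n"
    b"%!PS\n"
    b"% list the device file system and dump one file to the back-channel\n"
    b"(*) {print (\\n) print} 256 string filenameforall\n"
    b"(%disk0%secrets.txt) (r) file dup 4096 string readstring pop print closefile\n"
    b"true 0 startjob pop\n"
    + UEL
)

if __name__ == "__main__":
    for label, job in (("benign", BENIGN_JOB), ("malicious", MALICIOUS_JOB)):
        print(label, analyze_job(job))
```

A print server sitting between the VLANs would run analyze_job on every spooled stream and forward only jobs with verdict "allow"; blocked jobs and their findings are what the reporting side of the tooling would surface.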

What's next: PS + MSF + FS + Sockets = PWN (PostScript, plus Metasploit, plus file-system access, plus sockets)

41

Solutions

42

Actor: suggested actions

Admins
• Disable PS processing on printers
• Route print jobs through sandboxed print servers
• Replace PS drivers with PCL ones (well…)
• Disable Language Operator Authorization
• Look for security bulletins and patch
• Sandbox printers in your network
• Include MFPs in the security audit lifecycle

Users
• Do not print from untrusted sources
• Be suspicious of PostScript files

Vendors
• Create realistic MFP threat models
• Do not enable/expose super-APIs

Acknowledgements

43

The Xerox-related PostScript work & research was done under the support of

Acknowledgements

44

Thanks to EURECOM for great advice and support on this topic

Thanks/resources

45

Personal thanks
• Igor Marinescu, MihaiSa: great logistic support and friendly help
• Xerox Security Team: positive responses, active mitigation
• www.tinaja.com: insanely large free PostScript resources directory
• www.anastigmatix.net: very good PostScript resources
• www.acumentraining.com: very good PostScript resources

Takeaways

46

Questions: Andrei Costin, andrei@andreicostin.com, http://andreicostin.com/papers

• MFPs are badly secured computing platforms with large abuse potential
• Upcoming MFP attacks could include viruses in Office and PS documents that extract organization data
• Securing the MFP infrastructure requires better segmentation, strong credentials and continuous vulnerability patching

Check upcoming research papers; check www.youtube.com/user/zveriu; join postscript-sec@andreicostin.com
