HitB2012Ams : PostScript - Danger Ahead - Hacking MFPs, PCs and Beyond

The Characteristics of a Typeface (for widescreen displays) – A CC NC SA Image by arnoKat
By Andrei Costin (Author, MiFare Classic Universal Toolkit)

Multifunctional Printers (MFPs) have a large abuse potential. They hold AD credentials, print confidential information, don’t get patched and are often reachable from the internet.

Hacking printers is not new; apparently printers in the Soviet embassy were hacked in the 1960s by placing a mechanical camera in them.

In 2010 Andrei did a scan and found over 20,000 printers that were accessible from the internet. In the past he has demonstrated that these devices have a lot of vulnerabilities.

What is PostScript?

PostScript is the big brother of Adobe’s PDF. It is not just a graphics language; it is a dynamically typed, stack-based, Turing-complete programming language that can handle complex tasks like:
  • Graphics and patterns
  • Complex Math
  • Web servers
  • Ray-tracing, OpenGL
  • Milling machines
  • XML Parsers

How is PostScript processed?

When a user writes a doc and hits print:
  • PS driver converts it to a PS stream
  • PS stream is rendered by the printer

When a user opens a PS file:
  • PC based PS interpreter processes it
  • PS stream executes on the PC

Demonstration: DoS

By including an “infinite loop” in PostScript, some printers hang.
  • !{}
  • {} loop

This attack is demonstrated with Word loading an EPS file and never finishing.

Because PostScript can generate code on the fly, there are endless possibilities for obfuscating malicious PostScript.

Using a recursive function it is possible to crash the PostScript interpreter. This is demonstrated.

To exploit printers the file has to be printed, but it is actually possible to write a PostScript file that prints itself when it is opened in e.g. Ghostscript.

PostScript is a programming language. As such it can detect what environment it runs in, so it is possible to create a document that displays one thing in Ghostscript but prints a different document when sent to a printer, or a document that appears to show nothing in Ghostscript but will print or own the printer.

E.g. a user could send a contract that shows a 100 Euro price tag when viewed as PostScript, but prints a 100,000 Euro price tag.
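The DoS, obfuscation, recursion and environment-detection points above all describe behaviour that is visible in the PostScript source before it ever reaches an interpreter. The scanner below is an added example written for this write-up (it is not code from the talk or from Andrei’s sandbox): it tokenizes a PostScript file and flags the indicators the talk describes, namely a `{ ... } loop` with no `exit` in its body, a `/name { ... } def` procedure that calls itself, run-time code generation (`cvx`/`exec`/`token`), and reads of interpreter-identifying names (`product`, `version`, `revision`, `serialnumber`, `statusdict`). The sample document is constructed for the demonstration; the indicator lists are the author’s choice and not exhaustive.

```python
"""Static triage of PostScript for the risk indicators described in the talk.
Added example; the SAMPLE document below is constructed, not from the talk."""
from dataclasses import dataclass, field

# Names whose presence suggests the document is probing which interpreter runs it.
FINGERPRINT = {"product", "version", "revision", "serialnumber", "statusdict"}
# Operators used to assemble and run code at run time (obfuscation indicator).
CODEGEN = {"cvx", "exec", "token"}


def tokenize(src: str) -> list[str]:
    """Split PostScript source into tokens; comments are dropped, strings kept whole."""
    tokens, i, n = [], 0, len(src)
    while i < n:
        c = src[i]
        if c.isspace():
            i += 1
        elif c == "%":                              # comment runs to end of line
            while i < n and src[i] != "\n":
                i += 1
        elif c == "(":                              # (...) string: parens nest, backslash escapes
            depth, j = 0, i
            while j < n:
                if src[j] == "\\":
                    j += 2
                    continue
                if src[j] == "(":
                    depth += 1
                elif src[j] == ")":
                    depth -= 1
                    if depth == 0:
                        break
                j += 1
            tokens.append(src[i:j + 1])
            i = j + 1
        elif src.startswith(("<<", ">>"), i):       # dictionary delimiters
            tokens.append(src[i:i + 2])
            i += 2
        elif c == "<":                              # <...> hex string
            j = src.find(">", i)
            j = n - 1 if j < 0 else j
            tokens.append(src[i:j + 1])
            i = j + 1
        elif c in "{}[]":
            tokens.append(c)
            i += 1
        else:                                       # executable name, literal name or number
            j = i + 1
            while j < n and not src[j].isspace() and src[j] not in "{}[]()<>/%":
                j += 1
            tokens.append(src[i:j])
            i = j
    return tokens


def _matching_open(toks, close_idx):
    """Index of the '{' that matches the '}' at close_idx, or None."""
    depth = 0
    for j in range(close_idx, -1, -1):
        if toks[j] == "}":
            depth += 1
        elif toks[j] == "{":
            depth -= 1
            if depth == 0:
                return j
    return None


def _matching_close(toks, open_idx):
    """Index of the '}' that matches the '{' at open_idx, or None."""
    depth = 0
    for j in range(open_idx, len(toks)):
        if toks[j] == "{":
            depth += 1
        elif toks[j] == "}":
            depth -= 1
            if depth == 0:
                return j
    return None


@dataclass
class Report:
    unbounded_loops: int = 0
    recursive_procs: list = field(default_factory=list)
    codegen_ops: set = field(default_factory=set)
    fingerprint_ops: set = field(default_factory=set)

    def risky(self) -> bool:
        return bool(self.unbounded_loops or self.recursive_procs
                    or self.codegen_ops or self.fingerprint_ops)


def analyze(src: str) -> Report:
    toks = tokenize(src)
    rep = Report()
    for i, t in enumerate(toks):
        # `{ ... } loop` whose body contains no `exit` never terminates (the DoS case).
        if t == "loop" and i > 0 and toks[i - 1] == "}":
            start = _matching_open(toks, i - 1)
            if start is not None and "exit" not in toks[start + 1:i - 1]:
                rep.unbounded_loops += 1
        # `/name { ... } def` whose body calls `name`: self-recursion, flagged for review.
        if t.startswith("/") and len(t) > 1 and i + 1 < len(toks) and toks[i + 1] == "{":
            end = _matching_close(toks, i + 1)
            if end is not None and end + 1 < len(toks) and toks[end + 1] == "def":
                name = t[1:]
                if name in toks[i + 2:end]:
                    rep.recursive_procs.append(name)
        if t in CODEGEN:
            rep.codegen_ops.add(t)
        if t in FINGERPRINT:
            rep.fingerprint_ops.add(t)
    return rep


# Constructed sample exercising each indicator once; not a document from the talk.
SAMPLE = r"""%!PS-Adobe-3.0
% Constructed sample for the scanner.
/Helvetica findfont 12 scalefont setfont
72 720 moveto (Total: 100 EUR (incl. VAT)) show
product (Ghostscript) eq { (preview) show } { (printer) show } ifelse
/blowup { 1 add blowup } def
(0 1 add) cvx exec
0 { 1 add dup 20 gt { exit } if } loop
{ } loop
showpage
"""

if __name__ == "__main__":
    r = analyze(SAMPLE)
    print(f"unbounded loops: {r.unbounded_loops}")
    print(f"self-recursive procedures: {r.recursive_procs}")
    print(f"run-time code generation: {sorted(r.codegen_ops)}")
    print(f"interpreter fingerprinting: {sorted(r.fingerprint_ops)}")
    print("verdict:", "quarantine for review" if r.risky() else "no indicators")
```

The bounded `0 { ... exit ... } loop` is deliberately left unflagged to show that the check looks for an `exit` inside the loop body rather than banning `loop` outright; a tool like this belongs at a print-server or mail-gateway choke point, where a flagged file can be held for review before it reaches either Ghostscript or an MFP.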

PostScript is everywhere: in printers, in customer software and on print servers. Ghostscript even made it to the web.

Andrei investigated and found 20+ services that run Ghostscript. He even got a bug bounty awarded from Google. A lot of these Ghostscript instances ran as root and all of them ran vulnerable versions.

Printer vulnerabilities

Andrei found that he was able to upload printer firmware via a PostScript file, and the full API was accessible, allowing him to do a memory dump of the printer. An administrator password setting does not protect against this attack.

By dumping the memory he was also able to get the admin password, because it was sent to the printer in a GET request or via basic authentication.

Memory dumps can also be used to intercept documents that are print protected with a PIN or password.

MFPs are a good point from which to exploit a network. They usually sit in a good place in the network and run device discovery protocols like UPnP. This UPnP and NDP data is stored in memory that can be dumped.

In summary, PostScript is a language that can easily be weaponized and used to attack users, networks and systems.

Andrei is working on a sandbox to contain PostScript and analyse it for malicious behaviour.

Conclusion

MFPs are not well secured.

Attacks on MFPs (via e.g. word documents) can extract confidential data.

Securing MFPs requires better segmentation, stronger credentials and continuous patching.

Presentation materials available from http://conference.hitb.org/hitbsecconf2012ams/materials/

ABOUT ANDREI COSTIN


Born and raised in Moldova, Andrei is a Computer Science graduate of the Polytechnic University of Bucharest where he did his thesis work in Biometrics and Image Processing. He is the author of the MiFare Classic Universal toolKit (MFCUK), the first publicly available (FOSS) card-only key cracking tool for the MiFare Classic RFID card family.


While starting out his IT career in the computer games industry, he has worked in the telecom field and is currently senior developer at a specialized firm producing custom embedded systems utilizing GSM/UMTS/GPS technologies. He is passionate about IT/App/Info security and has spoken at various security conferences. He usually doesn’t have too much free time, but when he does he simply enjoys Cyprus’ shores and sea.
