1) The document discusses vulnerabilities in PostScript, a programming language used in printers and multifunction printers (MFPs). 2) The speaker demonstrates how PostScript is Turing complete and can be used to crash programs, conduct denial of service attacks, and dynamically generate malicious documents. 3) Vulnerabilities were found that could allow remote code execution on MFPs, extraction of memory contents, and spoofing of printed documents. 4) Solutions proposed include sandboxing print jobs, disabling PostScript processing, and updating firmware to address vulnerabilities.

1. PostScript: Danger Ahead?!
Andrei Costin <andrei@andreicostin.com>
Affiliation - PhD student

2. whoami: in-between SW/HW hacker
Hacking MFPs (for fun & profit)
Holistic
Security
Mifare Classic MFCUK Interest
http://andreicostin.com/papers/
PHDAYS2012 1

3. Agenda
1. Quick refresher
2. What about PostScript?
3. So, what and how did you find?
4. Attacks in a nutshell
5. Solutions and conclusions
PHDAYS2012 2

4. MFPs carry large abuse potential
PHDAYS2012 3

5. MFP hacking goes back to the 1960’s
The “micro”-film camera, marked X
Patent drawing, 1967
Electronics/hardware hacking
“Spies in the Xerox machine”
PHDAYS2012 4

6. Modern printer hacking goes back almost a
decade
2002 2006 2010-2012
Initial printer hacks Broader & deeper Revived printer hacking
(FX/pH) printer hacking interest
(irongeek)
This talk focuses mainly on
remote code execution
inside MFPs/printers
PHDAYS2012 5

7. In 2010 demo’d : mapping public MFPs
http://www.youtube.com/watch?v=t44GibiCoCM
PHDAYS2012 6

8. … and generic MFP payload delivery using Word
http://www.youtube.com/watch?v=KrWFOo2RAnk (there are false claims on this discovery)
PHDAYS2012 7

9. … and generic MFP payload delivery using Java
http://www.youtube.com/watch?v=JcfxvZml6-Y
PHDAYS2012 8

10. Agenda
1. Quick refresher
2. What about PostScript?
3. So, what and how did you find?
4. Attacks in a nutshell
5. Solutions and conclusions
PHDAYS2012 9

11. PostScript who? It’s Adobe’s PDF big brother
PHDAYS2012 10

12. PS is build to handle complex processing tasks
Graphics & patterns Complex math Web servers
Ray-tracing, OpenGL Milling machine XML Parsers
PHDAYS2012 11

13. Then, what exactly is PostScript?
 PostScript IS NOT just a static data stream like
 PostScript IS a
 Dynamically typed & concatenative
 Stack-based
 Turing-complete
 Programming language
 What does it all mean? Exactly!
PHDAYS2012 12

14. What happens when printing PS?
 User writes the doc and hits Print
 PS printer driver transforms it to PS stream for specific device
 PS data stream on PRN
 User Opens a PS file from email/hdd
 PC-based PS interpreter processes it
 PS data stream executes on PC
 In both cases, PS data stream IS A PS program
 Program != static data
PHDAYS2012 13

15. Demo1
“Programming language” aspect
 Programming languages 101:
 Control statements
 if/else
 loop
 while
 Simplest DoS attack is an “infinite loop”
 !%
 {} loop
PHDAYS2012 14

16. Demo2
“Dynamically typed concatenative" aspect
 You wonder why your smart IDS/IPS rules stopped working?
 Here is why:
 ps_dynamic_statement_construction_and_execution.ps
 Obfuscation at its best built-into the language!
 Solution:
 Bad news: Need dynamic execution sandbox
 Good news: It’s coming up – see sandbox slides below
PHDAYS2012 15

17. Demo3
Real world application – MSOffice PS crash
 Submitted to MS
 Apparently this is not exploitable as in smash stack attacks 
 But it opens an interesting perspective on MS Office…
PHDAYS2012 16

18. Demo4
Real world application – GhostScript autoprn
 One got to love custom extensions
 Sends a print-job stream directly by just opening the file
 Requires more investigation, but perspective is interesting…
PHDAYS2012 17

19. Dynamic document forging/generation + SocEng
User computer User printout
PHDAYS2012 18

20. Dynamic document forging/generation + SocEng
Computer side – SocEng bait Printer/MFP side – PS virus
PHDAYS2012 19

21. Where is PostScript? (Vendor-wise view)
Applications incorporating the PS interpreter
Applications/vendors producing the PS interpreter
The PS interpreter specifications and standards
PHDAYS2012 20

22. Where is PostScript? (Role-wise view)
PHDAYS2012 21

23. PostScript Web 2.0 Style
 PostScript made it into the web as well
 Around 20+ services found to be vulnerable to various degrees
 Google was one them -> Got a “hall of fame” reward 
 Some fun facts
 Effective for host exploitation and information gathering
 Some ran GS as root user
 Some ran GS without –dSAFER
 All of them ran vulnerable GS versions
 Heap and stack overflows and what-not…
 More details to come…
PHDAYS2012 22

24. Agenda
1. Quick refresher
2. What about PostScript?
3. What else was found?
4. Attacks in a nutshell
5. Solutions and conclusions
PHDAYS2012 23

25. A PS-based firmware upload was required
PHDAYS2012 24

26. This is too good to be true….
VxWorks API Debug/QA API Logging API
/vx*** /QA*** /***EventLog
Pump PWM BillingMeters API
/***pumppwm /***meter***
RAMdisk API RAM API Flash API
/***ramdisk /***ram*** /***flash***
PHDAYS2012 25

27. Memory dumping reveals computing secrets
 SANS Security Predictions 2012/2013 - The Emerging Security Threat
 Memory Scraping Will Become More Common
PHDAYS2012 26

28. Admin restriction fail to prevent memory dumping
PHDAYS2012 27

29. Password setup is sniffed by the attacker
1) HTTP GET request – password clear text
2) HTTP reply
PHDAYS2012 28

30. Basic auth password can be dumped
1) Authorization: Basic YWRtaW4yO…
2) HTTP/1.1 200 OK
PHDAYS2012 29

31. HTTPS / IPsec secrets are “defaulty” & “leaky”
0x66306630663066306630663066302222
PHDAYS2012 30

32. Attacker has access to printed document details
PHDAYS2012 31

33. Attacker has access to network topology – no-scan
PHDAYS2012 32

34. Attacker has access to BSD-style sockets…
Two-way BSD-style sockets communication
PHDAYS2012 33

35. Analyzed MFP cannot protect effectively
Protection measures Fail / warn / ok
Privilege level separation
Secure password setup
Secure (basic) auth
HTTPS, IPSEC secrets protection
Network topology protection
In-memory document protection
Restrict sockets on unprivileged modules
PHDAYS2012 34

36. Plenty of Xerox printers share affected PS firmware
update mechanism
PHDAYS2012 35

37. Agenda
1. Quick refresher
2. What about PostScript?
3. So, what and how did you find?
4. Attacks in a nutshell
5. Solutions and conclusions
PHDAYS2012 36

38. Remote attacks can be used to extract data
Stage 1 – SocEng Stage 2 - Printing Stage 3 – Exploiting/spying
Sent
by Print
email attachment
Malware exploits
internal netw. or
extracts data
Spool
malicious
byte
stream
Drive-
by Print
print from
web
PHDAYS2012 37

39. Agenda
1. Quick refresher
2. What about PostScript?
3. So, what and how did you find?
4. Attacks in a nutshell
5. What’s next, solutions, conclusions
PHDAYS2012 38

40. Network-wise mitigation solution
VLAN1
PCs
Print Server
PS/PJL-sandboxed
VLAN networks
VLAN2
Unsafe print jobs
PRNs
Safe print jobs
PHDAYS2012 39

41. Protocol-wise mitigation solution
PostScript/PJL sandbox
 Secure PostScript Execution/Interpreter Sandbox
 Set of online/offline tools for analysis & reporting
 Wepawet-like, but for PostScript related data
 Subscribe for updates: postscript-sec@andreicostin.com
PHDAYS2012 40

42. What’s next? PS + MSF + FS + Sockets = PWN!
PHDAYS2012 41

43. Solutions
Actor Suggested actions
Admins • Disable PS processing on printers
• Route print-jobs thru sandboxed print-servers
• Replace PS drivers with PCL ones (well…)
• Disable Language Operator Authorization
• Look for security bulletins and patch
• Sandbox printers in your network
• Include MFPs in security audit lifecycle
Users
• Do not print from untrusted sources
• Be suspicious on PostScript files
Vendors • Create realistic MFP threat models
• Do not enable/expose super-APIs
PHDAYS2012 42

44. Acknowledgements
The Xerox-related PostScript work & research done under support of
PHDAYS2012 43

45. Acknowledgements
Thanks to EURECOM for great advise and support for this topic
PHDAYS2012 44

46. Thanks/resources
Xerox Security Team Positive responses, active mitigation
www.tinaja.com Insanely large free postscript resources dir
www.anastigmatix.net Very good postscript resources
www.acumentraining.com Very good postscript resources
Personal thanks
Igor Marinescu, MihaiSa Great logistic support and friendly help
PHDAYS2012 45

47. Take aways
 MFPs are badly secured computing
platforms with large abuse potential
 Upcoming MFP attack could include
viruses in Office and PS documents that
extract organization data
 Securing the MFP infrastructure requires
better segmentation, strong credentials,
and continious vulnerability patching
 Check upcoming research papers
 Check www.youtube.com/user/zveriu
 Join: postscript-sec@andreicostin.com
Andrei Costin andrei@andreicostin.com
Questions? http://andreicostin.com/papers
PHDAYS2012 46