1) The document discusses vulnerabilities in PostScript, a programming language used in printers and multifunction printers (MFPs).
2) The speaker demonstrates how PostScript is Turing complete and can be used to crash programs, conduct denial of service attacks, and dynamically generate malicious documents.
3) Vulnerabilities were found that could allow remote code execution on MFPs, extraction of memory contents, and spoofing of printed documents.
4) Solutions proposed include sandboxing print jobs, disabling PostScript processing, and updating firmware to address vulnerabilities.
3. Agenda
1. Quick refresher
2. What about PostScript?
3. So, what and how did you find?
4. Attacks in a nutshell
5. Solutions and conclusions
PHDAYS2012 2
5. MFP hacking goes back to the 1960’s
The “micro”-film camera, marked X
Patent drawing, 1967
Electronics/hardware hacking
“Spies in the Xerox machine”
PHDAYS2012 4
6. Modern printer hacking goes back almost a
decade
2002 2006 2010-2012
Initial printer hacks Broader & deeper Revived printer hacking
(FX/pH) printer hacking interest
(irongeek)
This talk focuses mainly on
remote code execution
inside MFPs/printers
PHDAYS2012 5
7. In 2010 demo’d : mapping public MFPs
http://www.youtube.com/watch?v=t44GibiCoCM
PHDAYS2012 6
8. … and generic MFP payload delivery using Word
http://www.youtube.com/watch?v=KrWFOo2RAnk (there are false claims on this discovery)
PHDAYS2012 7
9. … and generic MFP payload delivery using Java
http://www.youtube.com/watch?v=JcfxvZml6-Y
PHDAYS2012 8
10. Agenda
1. Quick refresher
2. What about PostScript?
3. So, what and how did you find?
4. Attacks in a nutshell
5. Solutions and conclusions
PHDAYS2012 9
12. PS is build to handle complex processing tasks
Graphics & patterns Complex math Web servers
Ray-tracing, OpenGL Milling machine XML Parsers
PHDAYS2012 11
13. Then, what exactly is PostScript?
PostScript IS NOT just a static data stream like
PostScript IS a
Dynamically typed & concatenative
Stack-based
Turing-complete
Programming language
What does it all mean? Exactly!
PHDAYS2012 12
14. What happens when printing PS?
User writes the doc and hits Print
PS printer driver transforms it to PS stream for specific device
PS data stream on PRN
User Opens a PS file from email/hdd
PC-based PS interpreter processes it
PS data stream executes on PC
In both cases, PS data stream IS A PS program
Program != static data
PHDAYS2012 13
15. Demo1
“Programming language” aspect
Programming languages 101:
Control statements
if/else
loop
while
Simplest DoS attack is an “infinite loop”
!%
{} loop
PHDAYS2012 14
16. Demo2
“Dynamically typed concatenative" aspect
You wonder why your smart IDS/IPS rules stopped working?
Here is why:
ps_dynamic_statement_construction_and_execution.ps
Obfuscation at its best built-into the language!
Solution:
Bad news: Need dynamic execution sandbox
Good news: It’s coming up – see sandbox slides below
PHDAYS2012 15
17. Demo3
Real world application – MSOffice PS crash
Submitted to MS
Apparently this is not exploitable as in smash stack attacks
But it opens an interesting perspective on MS Office…
PHDAYS2012 16
18. Demo4
Real world application – GhostScript autoprn
One got to love custom extensions
Sends a print-job stream directly by just opening the file
Requires more investigation, but perspective is interesting…
PHDAYS2012 17
21. Where is PostScript? (Vendor-wise view)
Applications incorporating the PS interpreter
Applications/vendors producing the PS interpreter
The PS interpreter specifications and standards
PHDAYS2012 20
23. PostScript Web 2.0 Style
PostScript made it into the web as well
Around 20+ services found to be vulnerable to various degrees
Google was one them -> Got a “hall of fame” reward
Some fun facts
Effective for host exploitation and information gathering
Some ran GS as root user
Some ran GS without –dSAFER
All of them ran vulnerable GS versions
Heap and stack overflows and what-not…
More details to come…
PHDAYS2012 22
24. Agenda
1. Quick refresher
2. What about PostScript?
3. What else was found?
4. Attacks in a nutshell
5. Solutions and conclusions
PHDAYS2012 23
26. This is too good to be true….
VxWorks API Debug/QA API Logging API
/vx*** /QA*** /***EventLog
Pump PWM BillingMeters API
/***pumppwm /***meter***
RAMdisk API RAM API Flash API
/***ramdisk /***ram*** /***flash***
PHDAYS2012 25
27. Memory dumping reveals computing secrets
SANS Security Predictions 2012/2013 - The Emerging Security Threat
Memory Scraping Will Become More Common
PHDAYS2012 26
37. Agenda
1. Quick refresher
2. What about PostScript?
3. So, what and how did you find?
4. Attacks in a nutshell
5. Solutions and conclusions
PHDAYS2012 36
38. Remote attacks can be used to extract data
Stage 1 – SocEng Stage 2 - Printing Stage 3 – Exploiting/spying
Sent
by Print
email attachment
Malware exploits
internal netw. or
extracts data
Spool
malicious
byte
stream
Drive-
by Print
print from
web
PHDAYS2012 37
39. Agenda
1. Quick refresher
2. What about PostScript?
3. So, what and how did you find?
4. Attacks in a nutshell
5. What’s next, solutions, conclusions
PHDAYS2012 38
41. Protocol-wise mitigation solution
PostScript/PJL sandbox
Secure PostScript Execution/Interpreter Sandbox
Set of online/offline tools for analysis & reporting
Wepawet-like, but for PostScript related data
Subscribe for updates: postscript-sec@andreicostin.com
PHDAYS2012 40
43. Solutions
Actor Suggested actions
Admins • Disable PS processing on printers
• Route print-jobs thru sandboxed print-servers
• Replace PS drivers with PCL ones (well…)
• Disable Language Operator Authorization
• Look for security bulletins and patch
• Sandbox printers in your network
• Include MFPs in security audit lifecycle
Users
• Do not print from untrusted sources
• Be suspicious on PostScript files
Vendors • Create realistic MFP threat models
• Do not enable/expose super-APIs
PHDAYS2012 42
46. Thanks/resources
Xerox Security Team Positive responses, active mitigation
www.tinaja.com Insanely large free postscript resources dir
www.anastigmatix.net Very good postscript resources
www.acumentraining.com Very good postscript resources
Personal thanks
Igor Marinescu, MihaiSa Great logistic support and friendly help
PHDAYS2012 45
47. Take aways
MFPs are badly secured computing
platforms with large abuse potential
Upcoming MFP attack could include
viruses in Office and PS documents that
extract organization data
Securing the MFP infrastructure requires
better segmentation, strong credentials,
and continious vulnerability patching
Check upcoming research papers
Check www.youtube.com/user/zveriu
Join: postscript-sec@andreicostin.com
Andrei Costin andrei@andreicostin.com
Questions? http://andreicostin.com/papers
PHDAYS2012 46