PostScript: Danger Ahead?!
1 like1,591 views
1) The document discusses vulnerabilities in PostScript, a programming language used in printers and multifunction printers (MFPs). 2) The speaker demonstrates how PostScript is Turing complete and can be used to crash programs, conduct denial of service attacks, and dynamically generate malicious documents. 3) Vulnerabilities were found that could allow remote code execution on MFPs, extraction of memory contents, and spoofing of printed documents. 4) Solutions proposed include sandboxing print jobs, disabling PostScript processing, and updating firmware to address vulnerabilities.
PostScript: Danger Ahead?!
- 1. PostScript: Danger Ahead?! Andrei Costin <andrei@andreicostin.com> Affiliation - PhD student
- 2. whoami: in-between SW/HW hacker Hacking MFPs (for fun & profit) Holistic Security Mifare Classic MFCUK Interest http://andreicostin.com/papers/ PHDAYS2012 1
- 3. Agenda 1. Quick refresher 2. What about PostScript? 3. So, what and how did you find? 4. Attacks in a nutshell 5. Solutions and conclusions PHDAYS2012 2
- 4. MFPs carry large abuse potential PHDAYS2012 3
- 5. MFP hacking goes back to the 1960’s The “micro”-film camera, marked X Patent drawing, 1967 Electronics/hardware hacking “Spies in the Xerox machine” PHDAYS2012 4
- 6. Modern printer hacking goes back almost a decade 2002 2006 2010-2012 Initial printer hacks Broader & deeper Revived printer hacking (FX/pH) printer hacking interest (irongeek) This talk focuses mainly on remote code execution inside MFPs/printers PHDAYS2012 5
- 7. In 2010 demo’d : mapping public MFPs http://www.youtube.com/watch?v=t44GibiCoCM PHDAYS2012 6
- 8. … and generic MFP payload delivery using Word http://www.youtube.com/watch?v=KrWFOo2RAnk (there are false claims on this discovery) PHDAYS2012 7
- 9. … and generic MFP payload delivery using Java http://www.youtube.com/watch?v=JcfxvZml6-Y PHDAYS2012 8
- 10. Agenda 1. Quick refresher 2. What about PostScript? 3. So, what and how did you find? 4. Attacks in a nutshell 5. Solutions and conclusions PHDAYS2012 9
- 11. PostScript who? It’s Adobe’s PDF big brother PHDAYS2012 10
- 12. PS is build to handle complex processing tasks Graphics & patterns Complex math Web servers Ray-tracing, OpenGL Milling machine XML Parsers PHDAYS2012 11
- 13. Then, what exactly is PostScript? PostScript IS NOT just a static data stream like PostScript IS a Dynamically typed & concatenative Stack-based Turing-complete Programming language What does it all mean? Exactly! PHDAYS2012 12
- 14. What happens when printing PS? User writes the doc and hits Print PS printer driver transforms it to PS stream for specific device PS data stream on PRN User Opens a PS file from email/hdd PC-based PS interpreter processes it PS data stream executes on PC In both cases, PS data stream IS A PS program Program != static data PHDAYS2012 13
- 15. Demo1 “Programming language” aspect Programming languages 101: Control statements if/else loop while Simplest DoS attack is an “infinite loop” !% {} loop PHDAYS2012 14
- 16. Demo2 “Dynamically typed concatenative" aspect You wonder why your smart IDS/IPS rules stopped working? Here is why: ps_dynamic_statement_construction_and_execution.ps Obfuscation at its best built-into the language! Solution: Bad news: Need dynamic execution sandbox Good news: It’s coming up – see sandbox slides below PHDAYS2012 15
- 17. Demo3 Real world application – MSOffice PS crash Submitted to MS Apparently this is not exploitable as in smash stack attacks But it opens an interesting perspective on MS Office… PHDAYS2012 16
- 18. Demo4 Real world application – GhostScript autoprn One got to love custom extensions Sends a print-job stream directly by just opening the file Requires more investigation, but perspective is interesting… PHDAYS2012 17
- 19. Dynamic document forging/generation + SocEng User computer User printout PHDAYS2012 18
- 20. Dynamic document forging/generation + SocEng Computer side – SocEng bait Printer/MFP side – PS virus PHDAYS2012 19
- 21. Where is PostScript? (Vendor-wise view) Applications incorporating the PS interpreter Applications/vendors producing the PS interpreter The PS interpreter specifications and standards PHDAYS2012 20
- 22. Where is PostScript? (Role-wise view) PHDAYS2012 21
- 23. PostScript Web 2.0 Style PostScript made it into the web as well Around 20+ services found to be vulnerable to various degrees Google was one them -> Got a “hall of fame” reward Some fun facts Effective for host exploitation and information gathering Some ran GS as root user Some ran GS without –dSAFER All of them ran vulnerable GS versions Heap and stack overflows and what-not… More details to come… PHDAYS2012 22
- 24. Agenda 1. Quick refresher 2. What about PostScript? 3. What else was found? 4. Attacks in a nutshell 5. Solutions and conclusions PHDAYS2012 23
- 25. A PS-based firmware upload was required PHDAYS2012 24
- 26. This is too good to be true…. VxWorks API Debug/QA API Logging API /vx*** /QA*** /***EventLog Pump PWM BillingMeters API /***pumppwm /***meter*** RAMdisk API RAM API Flash API /***ramdisk /***ram*** /***flash*** PHDAYS2012 25
- 27. Memory dumping reveals computing secrets SANS Security Predictions 2012/2013 - The Emerging Security Threat Memory Scraping Will Become More Common PHDAYS2012 26
- 28. Admin restriction fail to prevent memory dumping PHDAYS2012 27
- 29. Password setup is sniffed by the attacker 1) HTTP GET request – password clear text 2) HTTP reply PHDAYS2012 28
- 30. Basic auth password can be dumped 1) Authorization: Basic YWRtaW4yO… 2) HTTP/1.1 200 OK PHDAYS2012 29
- 31. HTTPS / IPsec secrets are “defaulty” & “leaky” 0x66306630663066306630663066302222 PHDAYS2012 30
- 32. Attacker has access to printed document details PHDAYS2012 31
- 33. Attacker has access to network topology – no-scan PHDAYS2012 32
- 34. Attacker has access to BSD-style sockets… Two-way BSD-style sockets communication PHDAYS2012 33
- 35. Analyzed MFP cannot protect effectively Protection measures Fail / warn / ok Privilege level separation Secure password setup Secure (basic) auth HTTPS, IPSEC secrets protection Network topology protection In-memory document protection Restrict sockets on unprivileged modules PHDAYS2012 34
- 36. Plenty of Xerox printers share affected PS firmware update mechanism PHDAYS2012 35
- 37. Agenda 1. Quick refresher 2. What about PostScript? 3. So, what and how did you find? 4. Attacks in a nutshell 5. Solutions and conclusions PHDAYS2012 36
- 38. Remote attacks can be used to extract data Stage 1 – SocEng Stage 2 - Printing Stage 3 – Exploiting/spying Sent by Print email attachment Malware exploits internal netw. or extracts data Spool malicious byte stream Drive- by Print print from web PHDAYS2012 37
- 39. Agenda 1. Quick refresher 2. What about PostScript? 3. So, what and how did you find? 4. Attacks in a nutshell 5. What’s next, solutions, conclusions PHDAYS2012 38
- 40. Network-wise mitigation solution VLAN1 PCs Print Server PS/PJL-sandboxed VLAN networks VLAN2 Unsafe print jobs PRNs Safe print jobs PHDAYS2012 39
- 41. Protocol-wise mitigation solution PostScript/PJL sandbox Secure PostScript Execution/Interpreter Sandbox Set of online/offline tools for analysis & reporting Wepawet-like, but for PostScript related data Subscribe for updates: postscript-sec@andreicostin.com PHDAYS2012 40
- 42. What’s next? PS + MSF + FS + Sockets = PWN! PHDAYS2012 41
- 43. Solutions Actor Suggested actions Admins • Disable PS processing on printers • Route print-jobs thru sandboxed print-servers • Replace PS drivers with PCL ones (well…) • Disable Language Operator Authorization • Look for security bulletins and patch • Sandbox printers in your network • Include MFPs in security audit lifecycle Users • Do not print from untrusted sources • Be suspicious on PostScript files Vendors • Create realistic MFP threat models • Do not enable/expose super-APIs PHDAYS2012 42
- 44. Acknowledgements The Xerox-related PostScript work & research done under support of PHDAYS2012 43
- 45. Acknowledgements Thanks to EURECOM for great advise and support for this topic PHDAYS2012 44
- 46. Thanks/resources Xerox Security Team Positive responses, active mitigation www.tinaja.com Insanely large free postscript resources dir www.anastigmatix.net Very good postscript resources www.acumentraining.com Very good postscript resources Personal thanks Igor Marinescu, MihaiSa Great logistic support and friendly help PHDAYS2012 45
- 47. Take aways MFPs are badly secured computing platforms with large abuse potential Upcoming MFP attack could include viruses in Office and PS documents that extract organization data Securing the MFP infrastructure requires better segmentation, strong credentials, and continious vulnerability patching Check upcoming research papers Check www.youtube.com/user/zveriu Join: postscript-sec@andreicostin.com Andrei Costin andrei@andreicostin.com Questions? http://andreicostin.com/papers PHDAYS2012 46