[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by An-Jie Yang
0 likes435 views
The document provides an in-depth analysis of hacking printers at the Pwn2Own competition, specifically focusing on Canon and HP printers. It covers the vulnerabilities found in their firmware, the attack surface, exploitation techniques, and mitigation strategies. The presentation highlights the ease of exploiting printers due to their integration into local networks and the lack of adequate security measures.
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by An-Jie Yang
- 1. Your printer is not your printer ! - Hacking Printers at Pwn2Own Angelboy angelboy@chroot.org @scwuaptx 1
- 2. Whoami • Angelboy (An-Jie Yang) • Researcher at DEVCORE • Ex-CTF Player • HITCON / 217 • Chroot • Pwn2Own • 2020 Tokyo/2021 Austin • Co-founder of pwnable.tw • Speaker • HITB GSEC 2018/AVTokyo 2018/VXCON/HITCON 2
- 3. Agenda • Introduction • Analysis • Attack Surface • Hacking printers at Pwn2Own • Mitigation • Conclusion 3
- 4. Agenda • Introduction • Analysis • Attack Surface • Hacking printers at Pwn2Own • Mitigation • Conclusion 4
- 5. 5
- 6. Introduction • In the early days • to use the printer, it was necessary to • Use IEEE1284 or USB to connect to the Computer • Install Printer driver before printing • Usually only a single printer feature Printer 6
- 7. Introduction • Nowadays • Printer can provide a variety of services which make printer not only more convenient but also closer to IoT • It can be found immediately when connected to intranet Printer - IoT 7 image: Flaticon.com
- 9. PrintingHacking is also easier 9
- 10. 10
- 11. Motivation 11
- 12. Introduction • Red Team • Printer is one of the most common devices in the intranet Motivation 12
- 13. Introduction • Red Team • Printer is one of the most common devices in the intranet • Good target to hide our actions Motivation 13
- 14. Introduction • Red Team • Printer is one of the most common devices in the intranet • Good target to hide our actions • Sometimes integrate with Active Directory Motivation 14
- 15. Introduction • Pwn2Own 2021 Austin Motivation 15
- 16. We thought they were trivial at first, but … 16 `ls` ; /bin/usr/id ; %0Acat%20/etc/passwd
- 19. 19
- 20. 20
- 21. We will focus on Canon and HP in this talk 21
- 22. Agenda • Introduction • Analysis • Attack Surface • Hacking printers at Pwn2Own • Mitigation • Conclusion 22
- 23. Analysis • At the beginning, we thought we need to …… 23
- 24. In fact, we didn’t tear down any of them ! 24
- 25. Canon 25
- 26. Analysis • Firmware version v6.03 • From Canon official • At the beginning, we use binwalk • But the firmware is obfuscated • We cannot use IDA directly Canon - Firmware Extract 26
- 27. Analysis • We also try some previous works • TREASURE CHEST PARTY QUEST: FROM DOOM TO EXPLOIT • by Synacktiv • Hacking Canon Pixma Printers – Doomed Encryption • by Contextis research Canon - Firmware Extract 27
- 28. Analysis • We also try some previous works • TREASURE CHEST PARTY QUEST: FROM DOOM TO EXPLOIT • by Synacktiv • Hacking Canon Pixma Printers – Doomed Encryption • by Contextis research • But it cannot extract the firmware :( Canon - Firmware Extract 28
- 29. • We can find some information from obfuscated firmware Analysis Canon - Firmware Extract 29 Size Magic
- 30. We decide to use this patten to search other firmwares without obfuscated 30
- 31. Analysis • We need to download other firmwares from Canon official website • Original firmware download URL is Canon - Firmware Extract 31 https://pdisp01.c- wss.com/gdl/WWUFORedirectTarget.do?id=MDQwMDAwNDc1Mj A1&cmp=Z01&lang=EN
- 32. Analysis Canon - Firmware Extract 32 https://pdisp01.c- wss.com/gdl/WWUFORedirectTarget.do?id=MDQwMDAwNDc1Mj A1&cmp=Z01&lang=EN 040000475205
- 33. Analysis Canon - Firmware Extract 34 https://pdisp01.c- wss.com/gdl/WWUFORedirectTarget.do?id=MDQwMDAwNDc1Mj A1&cmp=Z01&lang=EN 040000475205 Type Ordinal Number Version Pdf,firmware … Other model Firmware version
- 34. Analysis • We can list all versions of firmware • V2.01 • V4.02 • V6.03 • V9.03 !? • V10.02 !? Canon - Firmware Extract 35
- 35. But all versions are obfuscated 😭 36
- 36. Let’s download all models 37
- 37. Analysis • The total file size is 130GB • grep NCFW and some plaintext Canon - Firmware Extract 38
- 38. Analysis • WG7000 Series is not obfuscated ! • We analyze the firmware of WG7000 to find the key function Canon - Firmware Extract 39
- 39. Analysis • Try to use the same function to deobfuscate the firmware of MF644CDW • Bingo ! Canon - Firmware Extract 40 Plaintext message
- 40. Analysis • Image Base Address • We spent some time looking for image base address of firmware • rbasefind Canon - Firmware Analysis 41
- 41. • Original base is 0x40b00000 • It doesn’t seem to be the correct base Analysis Canon - Firmware Analysis 42 Should be strings
- 42. Analysis • Image Base Address • We can find a correct function and debug message to adjust to the correct offset • We found the base is 0x40affde0 Canon - Firmware Analysis 43
- 43. Analysis Canon - Firmware Analysis 44
- 44. Analysis • Canon MF644CDW • OS - DryOSV2 • Customized RTOS by Canon • ARMv7 32bit little-endian • Linked with application code into a single image • Kernel • Service • … Canon - Firmware Analysis 45
- 45. HP 46
- 46. Analysis • Relatively easy • Binwalk -Z • Take about 3 - 4 days • It will get correct firmware ! • Other part is similar to Canon HP - Firmware Extract 47
- 47. Analysis • HP - MFP M283fdw • OS • RTOS - Modify from ThreadX/Green Hills • ARM11 Mixed-endian • Code - little-endian • Data - Big-endian HP - Firmware Analysis 48
- 48. Agenda • Introduction • Analysis • Attack Surface • Hacking printers at Pwn2Own • Mitigation • Conclusion 49
- 49. Attack Surface Service Port Description RUI TCP 80 Web interface PDL TCP 9100 Page Description Language PJL TCP 9100 Printer Job Language IPP TCP 631 Internet Printing Protocol LPD TCP 515 Line Printer Daemon Protocol SNMP UDP 161 Simple Network Management Protocol 50 • Nowadays, there are many services enabled by default
- 50. Attack Surface • Nowadays, there are many services enabled by default Service Port Description SLP TCP 427 Service Location Protocol mDNS UDP 5353 Multicast DNS LLMNR UDP 5355 Link-Local Multicast Name Resolution … … … 51
- 51. Attack Surface • After we evaluate the overall architecture, we decide to focus on service discovery and DNS series of services • SLP • mDNS • LLMNR 52
- 52. Such protocols implemented by manufacturer themselves are often prone to vulnerabilities 53
- 53. Agenda • Introduction • Analysis • Attack Surface • Hacking printers at Pwn2Own • Mitigation • Conclusion 55
- 55. Hacking printers at Pwn2Own • SLP is a service discovery protocol that allows computers and other devices to find services in local area network Service Location Protocol 57
- 56. Hacking printers at Pwn2Own • SLP Architecture without Directory Agent Canon - SLP 58 User Agent Client Service Agent Printer
- 57. Hacking printers at Pwn2Own • SLP Architecture without Directory Agent Canon - SLP 59 User Agent Client Service Agent Printer Unicast/Multicast Service Request Attribute Request
- 58. Hacking printers at Pwn2Own • SLP Architecture without Directory Agent Canon - SLP 60 User Agent Client Service Agent Printer Unicast Service Reply Attribute Reply
- 59. Hacking printers at Pwn2Own • SLP Packet Structure Canon - SLP 61 Bit 0 - 7 Bit 8 - 15 Bit 16 - 23 Bit 24 - 31 Version Function-Id Length Length, contd. O F R Reserved Next Ext Offset Next Ext Offset, contd. XID Language Tag Length Language Tag (Variable) Payload (Variable)
- 60. Hacking printers at Pwn2Own • Canon only implemented service request and attribute request Canon - SLP 62 Bit 0 - 7 Bit 8 - 15 Bit 16 - 23 Bit 24 - 31 Version Function-Id Length Length, contd. O F R Reserved Next Ext Offset Next Ext Offset, contd. XID Language Tag Length Language Tag (Variable) Payload (Variable) Function Code Message Type 1 6 Service Request Attribute Request
- 61. Hacking printers at Pwn2Own • Attribute Request (AttrRqst) • Allow a User Agent to discover attributes of given service (by supplying its URL) or for entire device type Canon - SLP 63 https://www.ietf.org/rfc/rfc2608.txt
- 62. Hacking printers at Pwn2Own • Attribute Request (AttrRqst) Canon - SLP 64 Bit 0 - 7 Bit 8 - 15 Bit 16 - 23 Bit 24 - 31 Version Function-Id Length Length, contd. O F R Reserved Next Ext Offset Next Ext Offset, contd. XID Language Tag Length Language Tag (Variable) Payload (Variable) … … Length of <scope-list> <scope-list> string (Variable) … … Length of URL URL (Variable) https://www.ietf.org/rfc/rfc2608.txt
- 63. Hacking printers at Pwn2Own • There is a vulnerability when Canon is parsing the body of AttrRqst • It will convert escape character to character Canon - Vulnerability 65 ¥41 A
- 64. Hacking printers at Pwn2Own • There is a vulnerability when Canon is parsing the body of AttrRqst Canon - Vulnerability 66
- 65. Hacking printers at Pwn2Own • There is a stack overflow when Canon is parsing the body of AttrRqst Canon - Vulnerability 67
- 66. Hacking printers at Pwn2Own • There is a stack overflow when Canon is parsing the body of AttrRqst Canon - Vulnerability 68 Although there is validation in normal case
- 67. Hacking printers at Pwn2Own • There is a stack overflow when Canon is parsing the body of AttrRqst Canon - Vulnerability 69 No validation in escaping case
- 68. Hacking printers at Pwn2Own • Protection • No Stack Guard • No DEP • No ASLR Canon - Exploitation 70 image: Flaticon.com
- 70. We just need to find a buffer to store our shellcode and return to it 72
- 71. Hacking printers at Pwn2Own • BJNP • A service discovery protocol designed by Canon • Exploited by Synacktiv • It will store session data on the global buffer Canon - Exploitation 73
- 72. Hacking printers at Pwn2Own • Exploit Step Canon - Exploitation 74
- 73. Hacking printers at Pwn2Own • Exploit Step • Use BJNP to store our shellcode on a global buffer Canon - Exploitation 75
- 74. Hacking printers at Pwn2Own • Exploit Step • Use BJNP to store our shellcode on a global buffer • Trigger stack overflow in SLP and overwrite return address Canon - Exploitation 76
- 75. Hacking printers at Pwn2Own • Exploit Step • Use BJNP to store our shellcode on a global buffer • Trigger stack overflow in SLP and overwrite return address • Return to the global buffer Canon - Exploitation 77
- 76. Hacking printers at Pwn2Own • Require you to prove that you have pwned the target • In terms of printer, we choose to print "DEVCORE logo" on the LCD screen at first Pwn2Own Austin 2021 78
- 77. But we spent a lot of time looking for it … 79
- 78. Hacking printers at Pwn2Own • Require you to prove that you have pwned the target • In terms of printer, we choose to print "DEVCORE logo" on the LCD screen • In the end, due to time constraints, we finally only chose to print the message on the screen Pwn2Own Austin 2021 80
- 79. Hacking printers at Pwn2Own Pwn2Own Austin 2021 84 http://youtu.be/vQbQImZ3XRw?t=18405
- 80. Hacking printers at Pwn2Own • Debugger ? • If we want to debug it, we need to have a debug console • Need to teardown the printer • Use an old exploit to install customized debugger • Need to downgrade the printer Canon - Exploitation 85
- 81. Hacking printers at Pwn2Own • But we are too lazy, we just use sleep debug to debug it :) Canon - Exploitation 86 ROP/shellcode Do something Sleep Reboot
- 83. Hacking printers at Pwn2Own • LLMNR is very similar to mDNS. It provides base name resolution on the same local link Link-Local Multicast Name Resolution 88
- 84. Hacking printers at Pwn2Own • LLMNR protocol HP - LLMNR 89 Client A Client B Client C Client D Multicast Address of Client C ? Send requests to 224.0.0.252 Address of Client C ? Address of Client C ?
- 85. Hacking printers at Pwn2Own • LLMNR protocol HP - LLMNR 90 Client A Client B Client C Client D Response from Client C LLMNR Response
- 86. Hacking printers at Pwn2Own • LLMNR Header (Base on DNS header format) HP - LLMNR 91 Bit 0 - 7 Bit 8 - 15 Bit 16 - 23 Bit 24 - 31 ID Flags QDCOUNT ANCOUNT NSCOUNT ARCOUNT Queries (Variable)
- 87. Hacking printers at Pwn2Own • LLMNR queries use the same format as DNS query HP - LLMNR 92 Bit 0 - 7 Bit 8 - 15 Bit 16 - 23 Bit 24 - 31 ID Flags QDCOUNT ANCOUNT NSCOUNT ARCOUNT Queries (Variable) 0x3 www 0x6 google 0x3 com 0 Type Class … 0xc0 0xd
- 88. Hacking printers at Pwn2Own • There is a stack overflow when LLMNR is parsing the queries HP - Vulnerability 93
- 89. Hacking printers at Pwn2Own • There is a stack overflow when LLMNR is parsing the queries HP - Vulnerability 94 Fixed size buffer on stack
- 90. Hacking printers at Pwn2Own • There is a stack overflow when LLMNR is parsing the queries HP - Vulnerability 95 Without any length verification
- 91. We tried to exploit it in the similar way as Canon, but … 96
- 92. Hacking printers at Pwn2Own • Protection • No Stack Guard • XN (DEP) • Memory Protect Unit (MPU) • No ASLR HP - Exploitation 97 image: Flaticon.com
- 93. Hacking printers at Pwn2Own • Some limits in this vulnerability • We can only overflow about 0x100 bytes • Null terminated • XN(DEP) and MPU • Preventing us from executing shellcode HP - Exploitation 98 image: Flaticon.com
- 94. Hacker not Friendly ? image: Flaticon.com Can be bypassed ? How to implement it ? 99
- 95. Hacking printers at Pwn2Own • Let's delve into HP RTOS HP - Exploitation 100
- 96. Hacking printers at Pwn2Own • Let's delve into HP RTOS • Linked with application code into a single image HP - Exploitation 101
- 97. Hacking printers at Pwn2Own • Let's delve into HP RTOS • Linked with application code into a single image • Many tasks run • in the same virtual address space • in kernel-mode HP - Exploitation 102
- 98. MMU 103
- 99. Hacking printers at Pwn2Own • MMU in HP M283fdw • Use one-level page table translation • Translation table entry for translating a 1MB section • Translation table is located at 0x4003c000 HP - Exploitation 104
- 100. Hacking printers at Pwn2Own HP - MMU 105 Page index 31 20 12 11 10 9 8 7 6 5 4 3 2 1 0 13 Index into first level table 14 15 16 17 18 19 Virtual Address TTBR Translation Table Entry Translation Table Physical Memory
- 101. Hacking printers at Pwn2Own HP - MMU 106 Page index 31 20 12 11 10 9 8 7 6 5 4 3 2 1 0 13 Index into first level table 14 15 16 17 18 19 Virtual Address TTBR Translation Table Entry Translation Table Physical Memory 0 31 20 12 11 10 9 8 7 6 5 4 3 2 1 0 13 1 B C XN Domain P AP TEX AP X S nG 0 0 Section Address 14 15 16 17 18 19
- 102. Hacking printers at Pwn2Own • MMU in HP M283fdw • Translation table is on known address • We can bypass XN through modifying translation table entry ! HP - Exploitation 107
- 103. Hacking printers at Pwn2Own • MMU in HP M283fdw • Translation table is on known address • We can bypass XN through modifying translation table entry ! • But it's protected by Memory Protection Unit(MPU) HP - Exploitation 108
- 104. MPU 109
- 105. Hacking printers at Pwn2Own • Memory Protection Unit • The MPU enables you to partition memory into regions and set individual protection attributes for each regions • Enable when booting HP - Exploitation 110 Physical Memory Region 0 (Page Table, Code) Region 1 (Data) Region … Read only RW
- 106. Hacking printers at Pwn2Own • Memory Protection Unit HP - Exploitation 111 Physical Memory Region 0 (Page Table, Code) Region 1 (Data) Region … Read only RW Write access
- 107. Hacking printers at Pwn2Own • Memory Protection Unit • The MPU is configured by a series of memory mapped register in System Control Spaces • MPU_CTRL 0xE0400304 HP - Exploitation 112 MPU_TYPE MPU_CTRL MPU_RNR … … MPU registers
- 108. We can easily use ROP to overwrite it with 0 to disable MPU 113
- 109. Hacking printers at Pwn2Own • After we disable MPU and overwrite translation table entry • We can modify any code page • Modify the code of LPD(Line Printer Daemon) in order to read our payload to specific address • Convert LPD to Debug Console HP - Exploitation 114
- 110. Hacking printers at Pwn2Own • After we disable MPU and overwrite translation table entry • We must invalidate • Translation Lookaside Buffer • D-cache and I-cache HP - Exploitation 115
- 111. Hacking printers at Pwn2Own • Exploit Step • Trigger stack overflow in LLMNR and overwrite return address HP - Exploitation 116
- 112. Hacking printers at Pwn2Own • Exploit Step • Trigger stack overflow in LLMNR and overwrite return address • ROP to disable MPU HP - Exploitation 117
- 113. Hacking printers at Pwn2Own • Exploit Step • Trigger stack overflow in LLMNR and overwrite return address • ROP to disable MPU • ROP to modify translation table entry HP - Exploitation 118
- 114. Hacking printers at Pwn2Own • Exploit Step • Trigger stack overflow in LLMNR and overwrite return address • ROP to disable MPU • ROP to modify translation table entry • Flush TLB HP - Exploitation 119
- 115. Hacking printers at Pwn2Own • Exploit Step • Trigger stack overflow in LLMNR and overwrite return address • ROP to disable MPU • ROP to modify translation table entry • Flush TLB • ROP to invalidate I-cache and D-cache HP - Exploitation 120
- 116. Hacking printers at Pwn2Own • Exploit Step • Trigger stack overflow in LLMNR and overwrite return address • ROP to disable MPU • ROP to modify translation table entry • Flush TLB • ROP to invalidate I-cache and D-cache • ROP to modify code of LPD HP - Exploitation 121
- 117. Hacking printers at Pwn2Own • Exploit Step • Trigger stack overflow in LLMNR and overwrite return address • ROP to disable MPU • ROP to modify translation table entry • Flush TLB • ROP to invalidate I-cache and D-cache • ROP to modify code of LPD • Use modified LPD to read our shellcode and jump to shellcode HP - Exploitation 122
- 118. Hacking printers at Pwn2Own • Require you to prove that you have pwned the target • Originally, we just wanted to print the message on the LCD screen Pwn2Own Austin 2021 123
- 119. Hacking printers at Pwn2Own • Require you to prove that you have pwned the target • Originally, we just wanted to print the message on the LCD screen • But luckily, we later saw that a little bit like the DEVCORE logo can be printed • Just modify the string and trigger printer test Pwn2Own Austin 2021 124
- 120. 125
- 121. Hacking printers at Pwn2Own Pwn2Own Austin 2021 126
- 122. Hacking printers at Pwn2Own • Debug Console Pwn2Own Austin 2021 127
- 123. Hacking printers at Pwn2Own • Result Pwn2Own Austin 2021 128
- 124. Hacking printers at Pwn2Own • After we have code execution • We can • Steal Credential • Lateral movement • Hard to detect • … Exploitation 129
- 125. Agenda • Introduction • Analysis • Attack Surface • Hacking printers at Pwn2Own • Mitigation • Conclusion 130
- 126. Mitigation • Update • Canon and HP printer have been patched, please update to the latest 131
- 127. Mitigation • Update • Canon and HP printer have been patched, please update to the latest • Disable unused service • The attack surface of printer is too huge • Many services are opened by default 132
- 128. Mitigation • Update • Canon and HP printer have been patched, please update to the latest • Disable unused service • The attack surface of printer is too huge • Many services are opened by default • Firewall 133
- 129. Agenda • Introduction • Analysis • Attack Surface • Hacking printers at Pwn2Own • Mitigation • Conclusion 134
- 130. Conclusion • Discovery and DNS series services are weak in printer • Printer is still a good target for red team 135
- 131. Reference • https://labs.withsecure.com/assets/BlogFiles/Printing-Shellz.pdf • https://foxglovesecurity.com/2017/11/20/a-sheep-in-wolfs-clothing-finding- rce-in-hps-printer-fleet/ • https://research.checkpoint.com/2018/sending-fax-back-to-the-dark-ages/ 136
- 132. Thank you for listening @scwuaptx 137