What the Fax!?
2 likes1,033 views
The document discusses the evolution and security vulnerabilities of fax technology, particularly emphasizing modern all-in-one printers that incorporate fax functionalities. It outlines various attacks, exploits, and debugging challenges related to these devices, highlighting a recent exploit named 'devil’s ivy' which affects certain printer models. The document concludes with recommendations for securing fax systems and contexts where they should still be avoided.
What the Fax!?
- 1. Fax?! What The To: Date: Subject: Check Point Research DEFCON 26 Aug-12 2018 Received OK?
- 2. WhoAreWe? Yaniv Balmas “This should theoretically work” Security Researcher Check Point Software Technologies @ynvb Eyal Itkin “That’s cool.” Security Researcher Check Point Software Technologies @eyalitkin
- 3. 1860 Caselli Invents Machine Similar to Today’s FAX 1923 Enter the RadioFAX. Used by Navies 1966 XEROX Introduces the First Commercial FAX Machine 1980 Group III ITU-T Fax Standards T.30, T.4, T.6 GammaFAX Brings Computers Into FAX Network 1985 1846 Alexaner Bain Sends An Image Over a Wire FAXHistory
- 10. WTF?!
- 11. • Modern FAX is no longer a simple “FAX Machines” • The same old FAX technology is now wrapped inside newer technologies • ALL-IN-ONE printers are EVERYWHERE FaxToday
- 12. The Security View ALL-IN-ONE Printers
- 16. What is the Target? How to Obtain the Code? What is The OS? How Does FAX Even Work? How can we Debug it? Where to look for vulns?
- 17. AndTheWinnerIs
- 18. BreakingHW Flash ROM SRAMs (e.g Some More Memory)
- 21. TooEasy?
- 22. FirmwareUpgrade
- 23. How do you upgrade a printer firmware?! You Print it!
- 24. How do you upgrade a printer firmware?! You Print it!
- 26. PrintingTheFirmware NULL Decoder TIFF Decoder Delta Raw Decoder
- 28. Sections Loading Address Section Name Location in Binary
- 30. WhatISThis?! • Probably a compression algorithm • A very bad one … • Some mathematics
- 31. Let'sTakeALook FF 20 72 66 63 75 72 73 69 EF 76 65 6C 79 AE E0 6E 6F 6E DF 70 6F 73 69 74 FE 30 20 73 F7 69 7A 65 0E 32 76 61 72 69 FF 61 62 6C 65 2D 6C 65 6E F7 67 74 68 AD 33 00 00 56 4C FF 6A 70 65 67 2E r e c u r s i v e l y n o n p o s i t s i z e v a r i a b l e - l e n g t h V L j p e g .
- 32. FF 20 72 66 63 75 72 73 69 EF 76 65 6C 79 AE E0 6E 6F 6E DF 70 6F 73 69 74 FE 30 20 73 F7 69 7A 65 0E 32 76 61 72 69 FF 61 62 6C 65 2D 6C 65 6E F7 67 74 68 AD 33 00 00 56 4C FF 6A 70 65 67 2E r e c u r s i v e l y n o n p o s i t s i z e v a r i a b l e - l e n g t h V L j p e g . Let'sTakeALook
- 33. FF EF AE E0 DF FE 30 F7 0E 32 FF F7 AD 33 FF APattern?!
- 34. FF EF DF F7 FF F7 FF 8 Bytes 9 Bytes 9 Bytes 9 Bytes 8 Bytes 9 Bytes 8 Bytes APattern?!
- 35. FF EF DF F7 FF F7 F 11111111 F 1 1 1 1 1 1 1 F E 1 1 1 1 11111111 F 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 0 0 0 0 D F7 FF F7 DifferentAngle
- 36. F7 AD 33 Forward / Backward Pointer Dictionary Sliding Window ? ?? ? TheMissingLink
- 37. Softdisk
- 39. TheMissingLink AD 33 1 0 1 0 1 1 0 1 0 0 1 1 0 0 1 1 A D 3 3 2771 3 Window Location Data Length
- 40. A BCDABEF Input Text Sliding Window G Output Text MysterySolved
- 41. A BCDABEF Input Text Sliding Window A G Output Text A MysterySolved
- 42. A BCDABEF Input Text Sliding Window A B G Output Text A B MysterySolved
- 43. A BCDABEF Input Text Sliding Window A B C G Output Text A B C MysterySolved
- 44. A BCDABEF Input Text Sliding Window A B C D G Output Text A B C D MysterySolved
- 45. A BCDABEF Input Text Sliding Window A B C D G Output Text A B C D MysterySolved
- 46. A BCDABEF Input Text Sliding Window A B C D G Output Text A B C D MysterySolved
- 47. A BCDABEF Input Text Sliding Window A B C D G Output Text A B C D 00 02 MysterySolved
- 48. A BCDABEF Input Text Sliding Window A B C D E G Output Text A B C D E00 02 MysterySolved
- 49. A BCDABEF Input Text Sliding Window A B C D E F G Output Text A B C D E F00 02 MysterySolved
- 50. A BCDABEF Input Text Sliding Window A B C D E F G G Output Text A B C D E F G00 02 MysterySolved
- 51. A BCDABEF Input Text Output Text Sliding Window A A B B C C D D E E F F G G G 00 02 1 1 1 1 1 1 10 MysterySolved
- 52. A BCDABEF Input Text Output Text Sliding Window A A B B C C D D E E F F G G G EF 00 02 MysterySolved
- 53. ThePrintingBeast • 64,709 Functions • Most of the code not parsed by IDA • Indirect Calls, Dynamic Tables, BootLoader Functions
- 54. ThreadX - ARM9/ Green Hills Treck (IP, TCP/UDP, DNS, HTTP, …) libpng 1.2.29 (2008) tTB, tHTML, … gSOAP 2.7 OpenSSL 1.0.1j (2014) Spidermonkey mDNSResponder 2 Staged Boot Loader tModem tFaxLog tT30 tPrintFax Common Libraries Tasks System n’ Stuff MakingSomeSense
- 55. ThreadX - ARM9/ Green Hills Treck (IP, TCP/UDP, DNS, HTTP, …) libpng 1.2.29 (2008) tTB, tHTML, … gSOAP 2.7 OpenSSL 1.0.1j (2014) mDNSResponder 2 Staged Boot Loader tModem tFaxLog tT30 tPrintFax Common Libraries Tasks System n’ Stuff Spidermonkey MakingSomeSense
- 56. JSOnAPrinter?! • JavaScript is used in a module called PAC. • PAC - Proxy Auto Configuration • Used by a URL linking to a JS file in DHCP settings • Top layer functionality was designed by HP
- 57. FakeURL
- 58. Yep…
- 59. T30 • aka “ITU-T Recommendation T.30” • Procedures for document facsimile transmission in the general switched telephone network • Defined the “heavy lifting” procedures relevant for all fax sending functionality • Designed at 1985 • Last update at 2005
- 60. DynamicHell
- 61. TheUndebuggable • How do we debug this hostile environment? • There are no native debugging facilities • We have no control over the execution flow • Hardware watch-dog is a serious problem
- 62. LuckyBreak • Luck is a fundamental part of every research project • At July 19, SENRIO published an exploit dubbed “Devil’s Ivy” • CVE-2017-9765 - RCE in gSOAP 2.7 - 2.8.47 • And it seems our printer is vulnerable!
- 63. Devil’sIvy
- 64. DebuggingChallenges • Need to read/write memory • Need to Execute code • Create a network tunnel between debugger/debuggee
- 65. DebuggingChallenges • We have control over execution flow • Need to load our own code • Bypass memory protection • Embed debugging stub into current firmware
- 66. Scout • We created our own instruction based debugger • Called - ‘Scout’ • Supports x86, x64, ARM (ARM and Thumb mode) • Embedded mode for firmware • Linux kernel mode
- 67. HowDoesAFAX?
- 68. PHASE 1 Network Interaction PHASE 2 Probing/ Ranging Equalizer and Echo Canceller Training PHASE 3 Training Phase PHASE 4 HowDoesAFAX?
- 69. CallerID PHASE A SenderCaps (DIS) ReceiverCaps (DTC) PHASE B Tunnel HDLC Endofpage (EOP) MsgConfirm (MCF) PHASE D DataTransfer PHASE C HowDoesAFAX?
- 75. Vulnerability • All the layers we showed can contain possible vulnerabilities. • The most convenient layer is the application one. • We started by inspecting the JPEG parsing capabilities.
- 76. JPEG FF D8 FF E0 00 10 4A 46 49 46 00 01 02 00 00 64 00 64 00 00 FF C4 0A 02 34 D3 2A 78 80 42 6D 2B FF DA 12 28 2A 6F 2B 81 6A 16 0F C8 9A 13 FF D9 . . . . . . . J F I F . . . . d . d . . . . . . 4 . * x . Bm+ . . . ( * 0 + . j . . . . . . . EOI - End Of Image DHT - Define Huffman Table APP0 - Application Specific SOI - Start Of Image SOS - Start Of Scan Data Size Data Size Data
- 77. DHT FF C4 20 00 01 00 00 00 00 02 00 01 02 00 00 00 00 00 00 FF FF C4 0A 02 34 D3 2A 78 80 42 6D 2B • Define Huffman Table • Defines 4X4 comparison matrix for the JPEG Image HEADER SIZE 4X4 MATRIX DATA
- 78. DHT FF C4 20 00 01 00 00 00 00 02 00 01 02 00 00 00 00 00 00 FF FF C4 0A 02 34 D3 2A 78 80 42 6D 2B ∑( )=6 • 4X4 Matrix values are summed • The product is used as a size value for data bytes • The data bytes are copied into a 256 bytes array located on the stack
- 79. Stack FF FF C4 0A 02 34 DHT 256 6 FF C4 20 00 01 00 00 00 00 02 00 01 02 00 00 00 00 00 00 FF FF C4 0A 02 34 D3 2A 78 80 42 6D 2B
- 80. CanYouSpotIt?
- 81. FF C4 20 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF C4 0A 02 34 D3 2A 78 80 42 … 2B DHT Stack 256
- 82. Stack FF FF C4 0A 02 34 D3 2A 78 80 42 … 2B DHT 4000 256 Overflow!! FF C4 20 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF C4 0A 02 34 D3 2A 78 80 42 … 2B
- 83. ExploitChain • Trivial stack overflow • No constraints (“forbidden bytes”) • ~4,000 user controlled bytes • The file contains even more information we control…
- 84. Demo Time
- 85. Conclusions • PSTN is still a valid attack surface in 2018! • FAX can be used as a gateway to internal networks • Old outdated protocols are not good for you…
- 86. WhatCanIDo? • Patch your printers • Don't connect FAX where not needed • Segregate your printers from the rest of the network
- 87. STOP USING FAX