Phishing attacks, Types Of Phishing Attacks, How To Avoid Phishing Attacks
Exploiting Network Printers Conf...CloudMe (read) list stat [CloudConvert] write read list stat read...
Transcript of Exploiting Network Printers Conf...CloudMe (read) list stat [CloudConvert] write read list stat read...
Exploiting Network Printers
Jens Müller, Vladislav Mladenov, Juraj Somorovsky, Jörg Schwenk
1
Why printers?
1987 20172
Evolution
3
Yet another T in the IoT?
• Systematization of printer attacks
• Evaluation of 20 printer models
• PRinter Exploitation Toolkit (PRET)
• Novel attacks beyond printers
• New research directions
4
Contributions
1. Background
2. Attacks
3. Evaluation
4. PRET
5. Beyond printers
6. Countermeasures
5
Overview
1. Printing channel (USB, network, …)
2. Printer language (PJL, PostScript, …)6
How to print?
PrintingUnit
Printer USB
RAW
IPP
LPD
SMB
PJLInterpreter
PostScriptInterpreter
FurtherInterpreter(PCL, PDF, …)
7
What to attack?
• Printer Job Language
• Manages settings like output tray or paper size
@PJL SET PAPER=A4
@PJL SET COPIES=10
@PJL ENTER LANGUAGE=POSTSCRIPT
• NOT limited to the current print job
8
PJL
• Invented by Adobe (1982 – 1984)
• Heavily used on laser printers
• Turing complete language
9
PostScript
1. Background
2. Attacks
3. Evaluation
4. PRET
5. Beyond printers
6. Countermeasures
10
Overview
• Is your copy room always locked?
11
Attacker model: Physical access
• Who would connect a printer to the Internet?
12
Attacker model: Network access
13
Attacker model: Network access
Attacker(Insider)
Attacker
14
Attacker model: Web attacker
Carrier
Attacker(Website)
• Denial of service
• Protection bypass
• Print job manipulation
• Information disclosure
15
Four classes of attacks
• Postscript infinite loop
{} loop
16
Denial of service
• Reset to factory defaults
• Can be done with a print job (HP)
@PJL DMCMD ASCIIHEX=
"040006020501010301040106"
17
Protection bypass
• Redefinition of Postscript showpage operator
18
Print job manipulation
• Access to memory
• Access to file system
• Capture print jobs
Save on file system or in memory
19
Information disclosure
20
Attacker model: Web attacker
Carrier
Attacker(Website)
21
Same-origin policy
Carrier
evil.org internal.bank.com
22
CORS spoofing
Carrier
evil.org printer.bank.com:9100
JavaScript (PS file)
(HTTP/1.0 OK) print(Access-Control-Allow-Origin: evil.org) print…
1. Background
2. Attacks
3. Evaluation
4. PRET
5. Beyond printers
6. Countermeasures
23
Overview
• How would you proceed?
Our approach: Contacted university system administraators
24
Obtaining printers
25
Printers. Lots of printers
26
Evaluation results
Overview
1. Background
2. Attacks
3. Evaluation
4. PRET
5. Beyond printers
6. Countermeasures
27
Overview
Translator
PJL PostScript
PRET
Result
/str 256 string def (%*%../../../*) {==} str filenameforall
PostScript Request
PJL Request
PJL Response
(%disk0%../../../ init)(%disk0%../../../.profile)(%disk0%../../../tmp)
Postscript Response
init TYPE=FILE SIZE=1276.profile TYPE=FILE SIZE=834tmp TYPE=DIR
@PJL FSDIRLIST NAME="0:\..\..\" ENTRY=1 COUNT=3User command
- 834 .profile- 1276 initd - tmp
ConnectorAttacker
ls
28
PRinter Exploitation Toolkit (PRET)
29
PRET commands
1. Background
2. Attacks
3. Evaluation
4. PRET
5. Beyond printers
6. Countermeasures
30
Overview
Attacker
Converting PostScript = interpreting PostScript
31
Google Cloud Print
• PS conversion websites
• Image conversion sites
• Thumbnail preview
32
PostScript in the web?
32
File system Environment
variables
Command
execution
[Dropbox] read list stat read
Box.com (read) list stat read
[Google Drive] (read) (list) stat
MS OneDrive read list stat read
Yandex Disk (read) list stat read
Jumpshare write read list stat read exec
CloudMe (read) list stat
[CloudConvert] write read list stat read exec
Attacks on Cloud Storage
1. Background
2. Attacks
3. Evaluation
4. PRET
5. Beyond printers
6. Countermeasures
33
Overview
34
Countermeasures
“Hacker Stackoverflowin made 160,000 printers spewout ASCII art around the world” -- theregister.co.uk
35
Do not connect printers to the Internet
• Employees: always lock the copy room
• Administrators: sandbox printers in aVLAN accessible only via print server
• Printer vendors: undo insecure designdecisions (PostScript, proprietary PJL)
• Browser vendors: block port 9100
37
Countermeasures
• Systematic analysis of networkprinters and printing standards
• Insecurity of Postscript and PJL
• Attacks applied to different areas
• TODO:
– Firmware Updates, Fax, 3D printing
37
Conclusions and future work
PRET („Printer Exploitation Toolkit“)
https://github.com/RUB-NDS/PRET
Hacking Printers Wiki
http://hacking-printers.net/
Questions?38
Thanks for your attention...