What the Fax?! Get Ready for a 1980's Hack Party!
This is a modal window.
The media could not be loaded, either because the server or network failed or because the format is not supported.
Formal Metadata
| Title |
| |
| Title of Series | ||
| Number of Parts | 322 | |
| Author | ||
| License | CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor. | |
| Identifiers | 10.5446/39689 (DOI) | |
| Publisher | ||
| Release Date | ||
| Language |
Content Metadata
| Subject Area | ||
| Genre | ||
| Abstract |
|
00:00
Hacker (term)Information securityComputer-generated imageryMedical imagingInformation securityBitVirtual machine
00:56
Similarity (geometry)Virtual machineComputer-generated imageryCASE <Informatik>Standard deviationVirtual machineStandard deviationRight angleSelf-organizationCommunications protocolEmail
01:58
Term (mathematics)Public-key cryptographyExtension (kinesiology)Coefficient of determinationEmailVirtual machineTable (information)AuthenticationRight angleCartesian coordinate system
02:58
Inclusion mapOpen setMappingNumber
03:54
Office suiteForm (programming)Traffic reportingOffice suitePoint (geometry)InformationCommunications protocolService (economics)TelecommunicationEmailGoogolRight angle
05:06
Information securityView (database)Functional (mathematics)SatelliteInterface (computing)Right angleSoftwareLine (geometry)InternetworkingView (database)Black boxGame controllerNumberInformation securitySemiconductor memoryBefehlsprozessorPoint (geometry)NeuroinformatikBridging (networking)Computer animation
06:48
Data compressionFirmwareSound effectPhysical systemMonster groupBEEPComputer animationProgram flowchart
07:31
Table (information)Right angleVulnerability (computing)MereologyControl flowFirmwareProgram flowchart
08:32
BefehlsprozessorModemSet (mathematics)Shared memoryTheory of relativityReading (process)Flash memoryConnectivity (graph theory)Software bugWebsiteSerial portThermal expansionInterface (computing)WritingBefehlsprozessorSemiconductor memoryBitModemFirmware
10:15
Price indexWebsiteMessage passingRadical (chemistry)File Transfer ProtocolSerial portFirmwareProduct (business)Revision controlComputer fileXML
11:09
FirmwareCommunications protocolSocial classSocial classLetterpress printingCommunications protocolComputer fileNormal (geometry)Process (computing)
11:45
Letterpress printingProcess (computing)File Transfer ProtocolFormal languageComputer fileFirmwareBinary fileLine (geometry)Codierung <Programmierung>SpacetimeSerial portRow (database)Computer animation
12:42
Computer fileProcess (computing)Letterpress printingFirmwareTable (information)Right angleError messageData compressionSerial portSheaf (mathematics)Address spaceBinary codeMereology
14:27
Data compressionComputer configurationMereologyString (computer science)Form (programming)ASCII
15:08
Integrated development environmentPattern languageCurve fittingWindowPointer (computer programming)Data dictionaryRight angleMereologyASCIIView (database)BitPerspective (visual)Pattern languageWindowInternetworkingDistanceComputer configurationPointer (computer programming)Doubling the cubeSingle-precision floating-point formatComputer fileMultiplication signLevel (video gaming)Data compressionRaster graphicsData dictionaryInformationAmsterdam Ordnance DatumComputer animation
17:32
Formal grammarInternet forumData compressionMiniDiscFile formatLibrary (computing)WikiSource codeXML
18:10
LengthWindowInformationRaster graphicsWindowUniform resource locatorLengthOrder (biology)outputFunction (mathematics)Computer animation
18:48
WindowWindowFunction (mathematics)outputRaster graphicsMultiplication signPosition operatorMonster groupComputer filePhysical systemString (computer science)Right angleBitReverse engineeringFirmwareComputer animation
20:02
Green's functionPhysical systemTask (computing)UDP <Protokoll>Direct numerical simulationBootingLevel (video gaming)ModemProxy serverDynamic Host Configuration ProtocolModule (mathematics)Operator (mathematics)Operating systemReal-time operating systemPhysical systemTask (computing)Library (computing)BefehlsprozessorLine (geometry)ArmNormal operatorOrder (biology)Configuration spaceEquivalence relationImplementationÜbertragungsfunktionBootingLevel (video gaming)Web crawlerFunctional (mathematics)Proxy serverProcess (computing)Modem
21:44
Uniform resource locatorFunctional (mathematics)Software testingHoaxDomain nameQuicksortComa BerenicesStandard deviationMusical ensembleCommunications protocolWeb crawlerSource codeJSONXML
22:56
Computer networkData transmissionOrder (biology)Message passingSystem callPhase transitionProcedural programmingWeb pageProbability density functionStandard deviationTracing (software)Perspective (visual)Vulnerability (computing)Finite-state machineFirmwareReverse engineeringSource code
23:40
Reverse engineeringCodebuchSoftware frameworkVariable (mathematics)Finite-state machinePointer (computer programming)Functional (mathematics)DebuggerProcess (computing)AdditionDynamical systemData compressionView (database)FirmwareGraph (mathematics)Block (periodic table)Computer animation
24:20
CAN busIntegrated development environmentControl flowComputer hardwareFrobenius normal formFundamental theorem of algebraExploit (computer security)Read-only memoryCodeProxy serverFirmwareData compressionFlow separationAddress spaceDebuggerMultiplication signRoundness (object)MereologyPoint (geometry)Mathematical optimizationComputer programmingBootingCASE <Informatik>Vulnerability (computing)Crash (computing)FrequencyFault-tolerant systemLibrary (computing)Sound effectRemote procedure callFirmwareCurveProjective planeBefehlsprozessorBitGame controllerServer (computing)Web 2.0SpacetimeOrder (biology)DataflowOpen sourceSerial portRight angleReading (process)Finite-state machineTwitterWeightArithmetic meanLoop (music)Data transmissionLattice (order)WordWritingFamilyIntegerComputer hardwareReverse engineeringBit rateComputer animationSource code
28:11
DebuggerArmAsynchronous Transfer ModeKernel (computing)FirmwareModul <Datentyp>Data Encryption StandardDevice driverIntegrated development environmentDebuggerKernel (computing)Software frameworkTable (information)Asynchronous Transfer ModeFunctional (mathematics)Compilation albumWritingIndependence (probability theory)Reading (process)SpacetimePosition operatorPrinciple of maximum entropyServer (computing)Computer-assisted translationMultiplication signKeyboard shortcutRevision controlNetwork socketPrototypePoint (geometry)BefehlsprozessorExtension (kinesiology)Address spaceImplementationOrder (biology)ArmFirmwareReverse engineeringThumbnailSoftware developerComputer animation
30:15
Phase transitionComputer networkEqualiser (mathematics)ModemMultiplication signFile formatLetterpress printingVulnerability (computing)Computer fileProcess (computing)Finite-state machinePerspective (visual)Entire functionLine (geometry)Order (biology)BefehlsprozessorExtension (kinesiology)ResultantPhase transitionArc (geometry)Web pageSystem callStreaming mediaGraph coloringWave packetEqualiser (mathematics)Interactive televisionData compressionFunctional (mathematics)SoftwareEmailParsingHigh-Level Data Link ControlString (computer science)Limit (category theory)Communications protocol
33:47
Vulnerability (computing)Vulnerability (computing)Entire functionString (computer science)Cartesian coordinate systemMereologyFile formatDifferent (Kate Ryan album)SurfaceFinite-state machineData compressionComputer fileFlow separationState of matterParsingComputer animation
34:24
Electronic data interchangeComputer-generated imageryTable (information)Data compressionMatrix (mathematics)EmailStack (abstract data type)SummierbarkeitMatrix (mathematics)Field (computer science)BitTable (information)LengthOpcodeComputer fileData compressionLink (knot theory)Medical imagingCASE <Informatik>Buffer solutionLatent heatSound effectStack (abstract data type)JSONXML
36:27
Stack (abstract data type)Game controllerBuffer solutionBuffer overflowMatrix (mathematics)Physical systemQuicksortSkewnessInformation securityConstraint (mathematics)LengthPoint (geometry)Computer fileProxy serverStructural loadVulnerability (computing)Real-time operating systemASCIIComputer animation
37:52
Proxy serverVulnerability (computing)Real-time operating systemFront and back endsHoaxBitCore dumpAddress spaceOffice suiteUsabilityProcess (computing)Product (business)Dependent and independent variablesInformation securityHypermediaMultiplication signFlow separationSoftware testingNetwork topologyPoint (geometry)Task (computing)Computer animation
39:30
System programmingInformation securityMultiplication signInformation securityVulnerability (computing)Physical systemInternet service providerDemo (music)Game controllerSoftwareExploit (computer security)Ring (mathematics)Connected spaceNeuroinformatikLaptopParsingLine (geometry)Musical ensembleGroup actionTouchscreenComputer animation
41:38
SurfaceGateway (telecommunications)Computer networkCommunications protocolPresentation of a groupSummierbarkeitLaptopSoftwarePatch (Unix)Validity (statistics)Vulnerability (computing)Communications protocolSurfaceUniform resource locatorOffice suiteEndliche ModelltheorieGateway (telecommunications)Computer animationJSONXMLUML
43:19
Latent heatProcess (computing)FirmwareTwitter
Transcript: English(auto-generated)
00:21
coming to our talk. What the facts? Um let's do some 1980's hacking party. Um yeah so um my name is Yaniv Balmas and here is Eyal Itkin. We are both security researchers who work for checkpoint research and let's begin with a brief history of facts. Um so it was it
00:44
all started in 1846 when a scientist named Alexander Bain invented uh sent the first image of a wire and just a fun fact this happened around 20 years before the invention of the light bulb. Um and then facts evolved a bit and came to be these machines again just before the
01:01
invention of the telephone uh radio fakes facts came to be and then in 1966 uh a small company called Xerox uh invented the first commercial facts machines and really changed the way we send electronic documents from one to each other. Um and then throughout the years there was few standards for facts but in 1980 the last and most recent standards for facts
01:24
came to be by an organization called ITU and namely the protocols are T30, T4, T6 those are practically the same protocols we still use today when we send facts. Um and now you know this was in the past but what's happening today? I mean let's compare uh we have
01:45
better uh ways to send electronic documents from one to to other right? Uh let's compare facts to just one of them um let's say email right? So if we compare facts to email and just to remind you we are comparing this to this right? Um so in terms of
02:03
quality you've just saw the pictures you know I I have nothing to add uh in terms of accessibility I'm pretty sure most or all of you have 24 by 7 access to emails right? I'm not so sure you're carrying around your facts machines with you? Um in terms of reliability so when you send an email it gets received but you know when you send a
02:23
fax it might get accidentally shredded the dog might might eat it or you know you can never know if it got to its destination. And in terms of authenticity well we can argue about email whether or not it's authenticated but we do have extensions like public key cryptography what we don't have is we we have nothing for fax simply no
02:41
authentication at all um so yeah um looking at this table you might think ok so it's 2018 who is using fax probably nobody is using right? Um wrong uh fax is pretty much live and kicking still um it's been used all over the place. Ships uh maritime use it to
03:02
receive those critical maps uh in open seas according to Wikipedia uh 90% of the Japanese population use fax well they really like fax over there but uh I don't know why but they are Japanese so um and if you do a lot of uh Google combos like you know contact us and
03:22
fax you'll find over 300 million fax numbers published on Google and that's just the published numbers think about how many fax machines uh don't have published numbers out there so it's simply a huge amount of fax numbers and fax machines out there today and the thing is that it's not only how many fax machines are out there but it's also who uses
03:42
fax well if you're a small corporate or a huge corporate you have a fax number you don't necessarily receive faxes over this uh number but you do have a fax number and it's published out there if you're a bank they love faxes in banks right? So this is Bank of China the biggest bank in the world with over 3.62 trillion dollars in assets
04:01
and that's their fax number and maybe most importantly government uh offices use fax um if you ever wanted to fax our beloved Donald Trump this is his fax number we just googled it it's there um so the thing is that sometimes those banks and healthcare and government agencies they don't only allow you to send fax but it's actually mandatory to
04:26
send fax you can either use postal mail or fax to send them information it's a good thing that they took uh mail pigeons out of it but you know um so yeah it's a thing and when you're thinking about it well you're thinking probably what the fax I mean it's 2018 we
04:44
should evolve to better ways of electronic document delivery right? Um and now see this is how fax looks like today well it's no longer this stand alone fax machines that we used to have 20 or 30 years ago right? Today fax is embedded this old protocols are embedded
05:02
within newer technologies we have fax to email services as I said we have fax over radio and fax over satellite and we have I think most commonly these all in one printers they have a lot of things right and they come uh pre equipped with fax uh functionality in them and now let's take a look at this all in one printers for a second um and if you
05:25
think of it from a security point of view uh they are just black boxes right? And those black boxes has interfaces uh on one side uh they have interfaces like wifi, usb, bluetooth, internet, stuff like that those interfaces connects us to the internal
05:40
network or to the external network or basically they connect us to the world right? And on the other hand we have interfaces for uh connecting fax to the phone line and those interfaces connects us well to the 1970s uh something like that um and now this sounded interesting to us and we thought okay let's imagine this nice attack scenario right? If
06:04
you consider that those all in one printers are at the end of the day nothing but computers right? They have memory, they have CPU, they are just big computers uh what happens if an attacker uh with access to the telephone line and equipped only with its victims phone number will be able to attack this printer just through the telephone line and
06:24
exploit this printer and then take full control of it right? In this scenario it can then propagate from the printer through any one of the other interfaces let's say the internet to the internal network right? Effectively creating a bridge between the internal network and the external network using the telephone. That's 1980s again
06:45
right? Uh so we thought that's a really cool concept and we went on and began the research for that. And after we got excited we sat down and talked about the challenges that we have and it seemed like we have well quite a few challenges uh in front of us and they
07:03
are really not simple so let's just name a few of those challenges um for example how do we obtain the firmware the code for this printer um uh how do we analyze the firmware once we got it? Uh what operating system does this huge monsters are are using? Um how
07:22
can we debug this thing? We have no idea um how does fax even work? We just know the beeping sounds we have no idea how fax works and then after we understand all that we need to understand where should we look for vulnerabilities inside this big big big ecosystem. Um so today we're gonna try and take you through these questions one by one
07:41
until we'll be able to exploit this printer right here on the table. Uh so let's begin with how do we obtain the firmware for a printer? Um so this is our printer. I can tell you a lot of things about why we chose this printer but basically it's the cheapest one. Uh so yeah we we could afford to break like four or five of those during the
08:04
research. Uh so that was fun. Um actually we have a lot of ink and it's really expensive so if you want some ink we'll be able we'll be happy to share. Um so we need to break fax right? But just a minute before we break fax uh we need to break the printer and I
08:21
mean literally break the printer. Um that was the fun part of the research we broke everything up and tried to look inside and see what is this thing even built from. Um and this is basically the brain of the printer. That's how it looks like in the inside from the inside. Um let's go through the major components of this PCB. So it has a flash
08:43
ROM manufactured by expansion uh and then some more memory and looking at it it looks a bit like some components are missing right? Uh that's mainly because the PCB has two sides. Uh so on the other side is mo- the most interesting uh stuff like USB, Wi-Fi, electricity, SRAM, this huge battery that's used for something. Um and then two very
09:05
interesting components. One is the main CPU. Um that's a Marvel CPU and it's manufactured uh specifically for HP. By the way I didn't mention that we chose HP and not because we dislike HP but they are just the biggest vendor. They have around 40% of the
09:21
market share so uh they look like a good target. Um and then another component is this component and this is a fax modem. It's a CSP 1040 and we uh basically want to focus our research on those two components and understand how do they work and what is the relation between them. Um so as I said one of the first challenges will be to obtain the
09:42
firmware of this printer so we're taking a closer look at this PCB and we find these two very interest- interesting um uh things in here like it's serial debug and a JTAG. It's clearly marked on the PCB so we say okay that's gonna be really easy. If you're not familiar with them they are just interfaces that will let you debug the the the the printer, the
10:04
CPU, uh read and write memory so uh that's basically all we need to obtain the firmware. Unfortunately for us the JTAG is completely disabled, we can't access it and the serial well we were able to uh access the serial and get this terminal but almost every
10:22
command we try to write would give us this strange message that I don't understand, what we don't understand either. Uh so uh uh it seems like we're not gonna go anywhere from here, we need to find an alternate path to get the firmware. Um we looked a bit around and it turns out that actually luckily for us HP has this site online, an FTP site
10:44
and this site contains each and every firmware version for every HP product ever produced in history. Uh that's a huge FTP site, it actually took us about 2 weeks to find our firmware within this mess of uh of filmwares. Uh but yeah finally we were able to
11:02
find this firmware and now we have our firmware file, yeah we can start working uh but then we asked ourselves wait, how do you even upgrade a printer firmware? Have you ever done that? I haven't. Um so we have this file, we need to understand how to do that and the answer to this question is surprisingly simple. Well you just print it. Um
11:23
yeah you see uh HP defined this uh uh standard called PCL, Excel feature reference protocol class 2.1 supplement that if you are still sane after reading this thing you understand that the printer receives a pre- a firmware upgrade just the same way as it receives a print job, a normal print job. Um that's nice um so cool and if we look at the
11:46
file that we got from this FTP site uh this actually correlates pretty well because you see it says PGL, it stands for print job language. Um so now that we know that we just need to decode this firmware. Uh we're not gonna take you to the process of
12:02
decoding this thing, I'll just give you the highlights uh this thing is composed of a few uh decoding decoders like uh serial uh serially uh aligned decoders um like null decoder, tiff decoder, delta row decoder uh there's a lot I can say about them but they do
12:20
something like you know if the previous line was all spaces then if this line is also all spaces just write one instead of the line so you will save some space. Now this makes a lot of sense if you're talking about a print job because you're expecting to see a lot of empty lines in the in there but when you're talking about binary file it makes absolutely no sense to to to encode it this way and to that we have to say well if
12:44
you're a hammer everything looks like a nail and if you're a printer everything looks like a print job. Um and okay we were finally able to decode this thing and we got ourselves what seems to be the firmware file and now we can finally start working uh but how do
13:00
we analyze this file? Uh so we start looking at this file and right in the beginning of it we see something that looks like a table so we're able to parse this thing and to understand that it is a table and this actually is a section table so it means that the big file that we have is actually composed of sections and this table actually
13:21
tells us stuff like the loading address for each section sorry um the section name and the location in binary and this basically enables us to break this big file into small sections and now we can inspect each and every section. Specifically there's one really big section in there that we're really interested in because it looks to be uh our actual
13:42
firmware and we start to look at it uh and when we look at it we see this. Now this looks promising but something is not right. Um look at this. This is a part of the section. It clearly says error I don't understand this is the same error message we got from the
14:00
serial port so yeah yeah that that that's probably the code that we're looking for right? Uh but but it's not exactly there. Something is missing you see we can understand it's error I don't understand but something is missing some bytes are missing and those bytes are consistently consistently missing from the entire file so although we know we are there we still can't analyze this thing until we we we will be able to fill those
14:22
missing bytes. Um and now we are trying to understand what is this thing um there are a lot of options all of them are crazy but the least craziest option uh is to understand that this thing is another form of compression uh because yeah it's just uh it has to be there's no other option uh it's a really bad compression because when we try to compress
14:44
this thing with Zlib for for example we get 80 percent better compression and the thing is that we know that we have Zlib in the printer because we see the strings to it so why would we use this compression? I don't know but it must be a compression and now let's try to analyze this thing together here. Um so this is one of
15:02
the snippets I've just showed you before and let's try to analyze it. Basically it's composed of two parts. One part is ASCII characters stuff that we can read right and the other part is non-ASCII characters stuff that we can't read. Those non-ASCII characters are actually the missing bytes that we have and we need to understand how to
15:21
you know understand what they are. So what we do is just take this uh byte view right and take all the ASCII characters out of it and now we are left with with our missing bytes right? Um now if you stare this long enough you will start seeing a pattern um and let me help you a bit with this because you see this thing is composed of single bytes and
15:44
double bytes right? And the distance between the single bytes looks suspiciously patternish I would say like 8 bytes, 9 bytes, 9 bytes, 8 bytes and now try to look at this for a second from a different perspective. So from this perspective the pattern starts seeing uh being more clear right? Because you see the F7 and F7 they look the same the
16:05
FF and FF they look the same but what does it mean? Uh well to understand that you need to sharpen your binary view for a second and if you understand that FF for example is just 8 one bits right? Uh and if you do this consistently for every chunk
16:21
that you have here you will see the pattern and the pattern is that the zero bit always falls within this 2 bytes hole and that practically means that the first byte is just a bitmap describing the next the following 8 bytes so this is all 9 byte chunks and the first byte is just a map of the of the following 8 bytes. That's amazing so now we
16:42
understand what this 1 byte 1 bytes are and all we need to do is to understand this 2 bytes what are those 2 bytes and they must be replaced for some characters but what are they replaced for? Um that's a big question it took us some time to to to understand that and if you know anything about compression you know that you don't have a lot
17:02
of options here. It can either be a forward or backward pointer it could be some kind of dictionary or it could be a sliding window. Now we could pretty easily say that it's not a forward and backward pointer and it's also not a dictionary because we try to find references with with uh from within our file and we can't so the only valid option will be
17:22
that this thing is a sliding window right? And equipped with this information we go to our favorite place to Google um and in some dark corner of the internet we find this wiki strange wiki page uh defining something called the soft disk library format and this thing within it has a compression algorithm that looks really familiar and it looks
17:44
really like ours I mean really really like ours I mean it looks exactly like our compression exactly the same thing uh we find it really funny and the thing is that this thing the anybody knows what soft disk is? So it turns out that this compression
18:01
algorithm was invented by soft disk uh and it was used once in history once in the past uh you will never guess where um that's because it was used in commander kin yeah now how did this make its way into an HP printer? I have no idea but it did uh so if you
18:26
want to follow up on that feel free um and now uh once we have we're equipped with this information we actually know what those 2 bytes are I mean they are just composed of you know this this uh bitmap which uh stands for 2 values a window location and a data
18:43
length and that's basically all the information we we required in order to open this thing let me show you how it works so we have an input text an output text and a sliding window and let's try to compress this string here a b c d e f g uh so what we do is the first byte as I said is a bitmap so we just leave it open for now we don't
19:01
know what the value will be and we start working so a we write it both in the output text and the sliding window same for b c d and then we get to a a is already present in the sliding window so we don't need to write it in the output text and then b again is just following a and then when we hit e we just write 0002 that means go to the
19:22
sliding window at position 0 and take the first 2 bytes that's that's the replacement that we were looking for right and then we continue e f g and once we have that we can just put our bitmap here see that the the replacement was at this position and we we have our bitmap that's pretty easy looking at that way of course when you're doing it in
19:43
reverse it's uh kinda a bit more tricky um but with this we were able to open the firmware file and now we have a full firmware file that we can finally finally analyze um and now that we have that we need to understand what operating system is this
20:00
monster using um well we spent quite a few time on that but let me give you a brief explanation so basically this thing uh as a operating system called Tredex it's a real time operating system and the CPU is running on its arm line big in the end um something really sexy um and then there's some system and stuff here some common libraries that are
20:23
loaded and tasks which are the rough equivalent of processes in normal operating systems um now the for system we have 2 stage boot loader and some networking functionalities and some other stuff uh we have a lot of common libraries just common libraries uh and then we have tasks and once we have this picture in mind we know that we have to focus on this
20:44
specific tasks because this is what we're looking for T30, fax log, Tmodem all the rest we can pretty much put aside right uh so we need to start analyzing them but just a second before we do that we notice something that looks fishy um you see this thing has a
21:02
spider monkey library now if you're not familiar with this spider monkey is the Mozilla implementation of JavaScript it's used in Firefox and we were thinking to ourselves why would the printer use JavaScript it makes absolutely no sense uh and we were intrigued by this question so we tried looking at where does this thing implement
21:23
JavaScript and it turns out that the answer is simple it uses that in a feature called PAC this stands for proxy auto configuration it uses JavaScript in order to auto configure proxies it's a pretty common thing um and the thing is that the top layer functionality of
21:40
this thing was written by HP and when we're looking at this top layer functionality um we see this this thing before it does the PAC functionality it contacts this URL fake URL 1234.com it does nothing with it it just it just contacts to it and and that's it like some sort of sanity test maybe I don't know uh but the interesting thing is does anybody know
22:06
who owns the domain fake URL 1234.com any guesses? How did you know? Yes it wasn't registered so we just registered this domain so if anybody is interested in a domain uh
22:24
please contact me I have a very good price for this domain uh basically every HP printer in the world now con connects to my domain so uh that's really nice um and now after we've done all that we need to actually start looking at facts and for that I will hand it
22:42
over to Eyal. So so thank you Yannick um after we finish messing around with spider monkey we can actually focus on T30. T30 the standard defines the facts protocol
23:00
it's called ITU T recommendation T30 in its full name. The standard defines the procedures and traces and messages needed in order to send or receive a facts document. It's actually a huge standard it has a PDF with over 300 pages um we read through it all
23:21
and it's complicated. The standard itself was first designed on 1985 and it was last updated more than a decade ago so from our perspective it was like it's an old standard it's complicated we're going to find vulnerabilities in it. While you read through the standard we started to reverse engineer the T30 state machine in the firmware and you can
23:43
look to see how it looks like. Don't let this graph view fool you as most of the code blocks you see over there contains additional state machines inside them and this means we're going to have a pretty rough job reversing it. As this that wasn't enough it
24:01
turns out the the firmware heavily relies on function pointers and global variables and it's going to be a real mess to statically reverse engineering this thing. So we decided to change tactics. We're going to use um dynamic reverse engineering we'll need a debugger. So how can you debug a printer? Uh we can't connect to it uh we can't
24:24
um we've already said that we tried to connect to the JTAG and the serial port but that weren't very helpful. We then tried to look for built in GDB stuff we could connect to but we couldn't find one either. At this point we should remember that I can't simply load a
24:41
debugger because we don't have any control over the execution flow and even if you could load a debugger the printer uses a hardware watchdog. As soon as the CPU will halt or enter this loop the watchdog will trigger a reboot and a breakpoint usually halts the program so we
25:00
can't simply hit breakpoints without the watchdog kicking us out. At this point we decided to split it in parts. If we could find a code execution vulnerability we could try to exploit it and load our own debugger. Um at this point we had a stroke of luck. Actually we believe that luck is an important part of our research project and we sure had our
25:23
stroke of luck. On the 19th of July Sanrio published a vulnerability called Devil's Ivy. Devil's Ivy is actually a remote code execution vulnerability in the GSoP open source library. Embedded devices and our printer included tend to implement uh embedded
25:40
web server inside them so you could manage and configure your embedded device. In our case the printer uses GSoP in its web server. After we dug in a bit deeper we saw that we had a jackpot. Our printer is vulnerable to Devil's Ivy and we now have high debugging vulnerability. So for those of you who are not familiar with Devil's Ivy this is a
26:02
relevant piece of code and here is the vulnerability itself. The bad part about this vulnerability is that it's a signed integer underflow and this means we need to send roughly two gigabytes of data in order to exploit it. Uh I don't know if you're familiar with the data rates of printers however printers are pretty slow so after many
26:27
optimization rounds we wanted to reduce the transmission time to roughly seven minutes so each successful exploit took us seven minutes and this practically signals the end of our stroke of luck because our exploit had several side effects on top of them so
26:45
after each successful exploit we're going to have a grace period of three to ten minutes and then the printer crashes. So we waited a lot of seven minutes in our research um but at least we have an uh vulnerability we can try to use it for debugging it's
27:04
better than nothing. So we had pretty much uh we had several debugging challenges uh so we need to focus up. Originally we wanted to read RAM and write RAM so we could dynamically reverse engineer the T30 state machine. So now we have a control of the
27:21
execution flow we can use Devil's Ivy. We can try to exploit it in order to load a debugger of our own. Once loaded we need to tell the MPU that our debugger is worthy of execution so we get it's privileges um and when we start uh executing our debugger we need to actually install it and blend it inside the firmware address space because we
27:46
want to connect to this debugger and we don't want it to crash the printer so it should natively blend inside the firmware address space. We couldn't find any known debugger we know that does it and my brother always tells me to stop reinventing the
28:03
wheel and he's correct because wheels are not very useful so we reinvented the debugger instead. So meet Scout. Scout is an instruction based debugger that we've developed. It currently supports Intel CPUs as well as ARM and in fact it even
28:21
supports ARM thumb mode. I don't really like this mode but that's what the printer uses so you get it as a bonus. Uh on our previous research we use actually a prototype version of Scout in a Linux kernel environment in which we loaded Scout as a Linux kernel driver to debug RPE. This time however we use Scout in it's embedded
28:43
uh environment. In this environment we use Scout with a fully position independent compilation. It actually uses it's own global of the table when it tries to locate and
29:02
execute functions from the firmware itself. All you have to do in order to use Scout is to compile it and supply it with the addresses in the firmware of usual firmware functions such as socket, bind, mem copy or even sleep. Once compiled you throw the compiled binary somewhere inside the address space of your target and you have it. Once
29:24
executed Scout will create a network server and wait for instruction because it's an instruction based debugger. By remotely connecting to the newly created network server we can now issue instructions to read RAM, write RAM or any other extension you wish to
29:41
implement. It's extendable. In checkpoint research we believe in sharing with the community so we can find Scout in our GitHub account. It includes an embedded environment, tutorials and even the Linux kernel driver we use for previous research. At
30:00
different subjects um but we haven't covered yet the most important thing how Fax actually works. Using Scout we were able to dynamically reverse engineer the firmware so let us now tell you how Fax actually works. In order to set a Fax I need a Fax machine. It's going to be sent to the receiver's modem. The modem will
30:25
transfer packets to the CPU which handle the T30 state machine and later on the data will be handled for processing and printing. When we start interacting between both of the modems we have network interaction, we have probing and raging, we have an equalizer
30:45
and echo canceler and we have additional trainings. You should be quite familiar with these four faces they actually sound like this. What we actually done was to create an HDLC tunnel. Using this HDLC tunnel we are able now to send our T30 packets as HDLC
31:07
datagrams from our fax machine to the receiver fax machine. T30 itself has many faces of its own. On face A we send our caller ID it's 20 bytes uh string we can send
31:21
whatever we want. On face B we negotiate our capabilities and face C is the most important face of them all because here we actually send the data itself. So our document is going to be sent line by line, page by page until it's finally received. And on face D we finish. We send X we receive X and that's it. So let us now see how a
31:45
normal black and white fax document is going to be sent through this protocol. So here's our document. It will go through the HDLC tunnel. The data will be transferred using face C and the received result looks like this. We actually send the data of a TIF file
32:04
format compressed in G3 or G4 compression layers. And if you think that something here is missing then you're correct. We can't control the headers of the TIF file. The printer actually builds them itself using data we negotiated on face A and face B.
32:22
So from an attacker's perspective these are partially bad news. There are many vulnerabilities and TIF parsers however they usually require us to control the header. This time we only control the data itself so we're a bit limited. And after we finish building up and processing the TIF file it's going to be sent for um printing you
32:45
know because that's what normal people do with fax documents. And here it's where it becomes really interesting. Because we figured out that T30 had several extensions for it and one of the extensions can you guess? Well the extension is color extension. I didn't
33:07
know that faxes can be colorful but it's a thing. So let's see how a colorful fax is going to be sent. We have here our fax document which will travel through the TLC tunnel using face C of the T30 protocol and the received result will be a JPEG file.
33:28
This time we control the entire JPEG file, its headers and data because a colorful fax is in fact a fully functional JPEG file. So we received a T file with a black and white fax and a JPEG file with a colorful fax. Both will be sent for printing. Now that we
33:48
finally understood how fax even works where we should look for vulnerabilities in it. So all of the layers we showed earlier can contain vulnerabilities. We have complicated state
34:00
machines, we exchange strings, there are several decompression layers and we have two different file formats we need to parse. We decided that the most convenient layer of them all will be the application one and more specifically the JPEG parser because we can fully control the entire JPEG file so we have a much better attack surface. Let us now see
34:22
how a JPEG file actually looks like. So this is a JPEG file, it stands for, it defines a colorful image and the most important thing is that JPEG consists of markers. You have a start up marker after which you have an additional marker with its opcode, link field and
34:41
data. After which you have a marker with its opcode, length and data and so on and so on and you finish with a marker. Now we know how a JPEG file actually looks like let's zoom in on one such marker. Our specific marker is going to present a compression table. We
35:06
define a 4x4 compression matrix to efficiently compress our specific document. In T files you use other tables and they were designed and fixed. In JPEG files you can use your own
35:20
compression table for a specific image. The marker itself looks like this. You have our opcode, our link field, the 4x4 matrix and our data. If you zoom in a bit deeper we can see that the values of our 4x4 matrix are going to be accumulated together. The matrix
35:44
is supposed to be really sparse as you can see over there. Most of it is zeros, some ones, some twos. The accumulated value is going to be the link field for the data inside the marker. In this case we have our data is six. So we're going to have six data
36:01
bytes. The data bytes themselves are going to be copied into a small array located on the stack. So let's sum it up a bit. We're going to sum all of the values in a 4x4 matrix. The link field will be six in this case. And six bytes are going to be copied into our local stack buffer as so. At this point we're like what effects because what will
36:29
happen if we'll use large values inside our matrix. We have 16 bytes in our 4x4 matrix and we're going to sum them all up to roughly four kilobytes. And four kilobytes
36:41
of data are going to be copied to a small stack buffer of size 256 bytes. So that's bad news for the firmware. We have an overflow. Now that we found our vulnerability, it's a trivial stack based buffer overflow. Let us see if we have any sort of constraints.
37:02
Because we simply copied data from our file to the stack buffer, we have no constraints or forbidden bytes. We can use null bytes, non ASCII bytes, whatever bytes you choose. We can use up to four kilobytes of data and we can control the length so we can, we actually use in our exploit roughly 2k so it's controllable. And since we
37:23
actually sent a large jpeg file, we can embed inside it much more data to be used later. So we can use roughly 4k for our exploit and our exploit can load enormous amount of data from the fax itself so we can continue on. At this point we have a
37:42
vulnerability. Let us now see what bypass we should use for operating system security mitigations. Nah, not really because it's a real-time operating system, all of the addresses are fixed, there's no stack anaries, all of the tasks share the same address space,
38:02
we're running the highest of privileges so it's, it's an 80s party and it couldn't be easier. Once we found the vulnerabilities, we contacted HP and we started a responsible disclosure process. We actually flew over there to HP's campus to help them, we
38:21
demonstrated a vulnerability and we helped them patch it. It was quite interesting because at first we were told to fly to Portland, um, and there are no HP offices in Portland. So we talked to them a bit more and they told Yaneev that we, I should fly to Vancouver and we were like, Vancouver's in Canada. Um, so I flew to Portland and I
38:44
drove to Vancouver, Washington and we helped them fix it. And if you were to the Black Hat, I was the Black Hat the first time this year, you couldn't miss a huge booth of HP with, with, using the Wolf or the Fixer this year so you probably know
39:04
that HP really cares about the security of its product. So we got an official, uh, CVE's from HP. Here are the two CVE's. They're both rated as critical with a CVS score of 9.8 out of 10 so that's quite rare. Um, maybe you've been familiar with these two CVE's
39:23
because they got several media attention, uh, in the past week. So here's the official response from HP. When HP learned of the issue, they worked quickly to provide updates to mitigate risks. HP takes security seriously and encourages customers to keep their systems updated to protect against potential vulnerabilities. And once we
39:43
finish this, this is a good time for our live demo. Okay, thank you. So we don't, we don't have a lot of time. Um, let's see this thing in action. So we brought you here a printer, um, that concluded supply us with phone lines
40:02
so we just brought our own phone, um, thing. Um, and then we have the attacker, uh, attacker laptop over there and we're sending our fax now. Yeah, it will answer in two rings. Take a look at the LCD screen of the, of the printer. Receiving fax from
40:34
malicious attacker, if you can read it. So if you see these fax, run away. And should be
40:48
here now. Yeah, faxes are slow. Sorry for that. Yeah, fax received. Now the JPEG parsing
41:04
is going on and basically we have control of the printer. So this is our logo and that means the printer is ours. Thank you, thank you. But, but we have, we have, we have something else because now that we have control of the printer, it's not enough. We
41:25
basically what we did is to embed eternal blue, the leaked NSA exploit within our fax and now this printer, uh, once it, once it identifies any connected computer, you just try to exploit it and here, uh, AL connects. If you look at the laptop for a second, then you
41:43
will see a calc popping. So we did it. It was a long research, let me tell you, but it was successful. We think that this is groundbreaking. I hope you feel the same. Um, and now
42:02
let's sum up with some conclusions. If you switch back to the presentation. Yeah, thank you. So, conclusions. Well, PSTN is still a valid attack surface even in 2018. Uh, fax can be used as a gateway, uh, to internal networks and another thing is that all, and outdated protocols are probably bad for you so, uh, keep an eye for them. Um, and
42:24
probably you're asking yourselves what can you do. Well, you can do, um, some stuff. Uh, you can patch your printers. As we said, HP published, uh, patches for this specific vulnerabilities. You can find them in this URL here, uh, and instructions from HP to identify. By the way, this works for any HP office jet printer. Uh, inkjet, yeah. Like
42:46
80 or 100 models, uh, of them so make sure you are patched. Um, another, uh, thing is don't connect fax if you don't, if you don't need it, right? And if you do not need to connect fax, then make sure to segregate your printers so they won't be connected to the
43:01
rest of the network. So, if somebody manages to take over your printers, at least the risk will be, um, contained within the printer and you won't be able to propagate to the rest of the network. Now, these are all really good, uh, suggestions, but really the best suggestion, the best suggestion I have to give you today is please stop using fax. Um, and now we really couldn't, uh, do a lot of this research if
43:33
it wasn't for our wonderful friends so they helped us physically, technically and mentally throughout the entire process of this research so they deserve some, uh, some
43:43
clapping. Um, thank you. Um, thank them. And one specific, uh, guy, Yanai, also helped us a lot in the, in the firmware thing, um, and that's practically it. So, thank you very much and if you want to follow us, please follow us on Twitter, read our stuff on
44:03
the, on our blog and thank you very much for coming to this talk.