What the Fax?! Get Ready for a 1980's Hack Party!

Video thumbnail (Frame 0) Video thumbnail (Frame 1412) Video thumbnail (Frame 2954) Video thumbnail (Frame 4460) Video thumbnail (Frame 5847) Video thumbnail (Frame 7645) Video thumbnail (Frame 10205) Video thumbnail (Frame 11269) Video thumbnail (Frame 12799) Video thumbnail (Frame 15373) Video thumbnail (Frame 16719) Video thumbnail (Frame 17617) Video thumbnail (Frame 19062) Video thumbnail (Frame 21674) Video thumbnail (Frame 22693) Video thumbnail (Frame 26307) Video thumbnail (Frame 27259) Video thumbnail (Frame 28210) Video thumbnail (Frame 30054) Video thumbnail (Frame 32598) Video thumbnail (Frame 34394) Video thumbnail (Frame 35499) Video thumbnail (Frame 36491) Video thumbnail (Frame 42282) Video thumbnail (Frame 45382) Video thumbnail (Frame 50669) Video thumbnail (Frame 51609) Video thumbnail (Frame 54677) Video thumbnail (Frame 56788) Video thumbnail (Frame 59242) Video thumbnail (Frame 62451) Video thumbnail (Frame 64977)
Video in TIB AV-Portal: What the Fax?! Get Ready for a 1980's Hack Party!

Formal Metadata

What the Fax?! Get Ready for a 1980's Hack Party!
Title of Series
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date

Content Metadata

Subject Area
Unless you've been living under a rock for the past 30 years or so, you probably know what a fax machine is. For decades, fax machines were used worldwide as the main way of electronic document delivery. But this happened in the 1980s. Humanity has since developed far more advanced ways to send digital content, and fax machines are all in the past, right? After all, they should now be nothing more than a glorified museum item. Who on earth is still using fax machines? The answer, to our great horror, is EVERYONE. State authorities, banks, service providers and many others are still using fax machines, despite their debatable quality and almost non-existent security. In fact, using fax machines is often mandatory and considered a solid and trustworthy method of delivering information. What the Fax?! We embarked on a journey with the singular goal of disrupting this insane state of affairs. We went to work, determined to show that the common fax machine could be compromised via mere access to its fully exposed and unprotected telephone line -- thus completely bypassing all perimeter security protections and shattering to pieces all modern-day security concepts. Join us as we take you through the strange world of embedded operating systems, 30-year-old protocols, museum grade compression algorithms, weird extensions and undebuggable environments. See for yourself first-hand as we give a live demonstration of the first ever full fax exploitation, leading to complete control over the entire device as well as the network, using nothing but a standard telephone line. This talk is intended to be the canary in the coal mine. The technology community cannot sit idly by while this ongoing madness is allowed to continue. The world must stop using FAX!
Medical imaging Computer-generated imagery Bit Hacker (term) Information security Information security
Standard deviation Standard deviation Email Computer-generated imagery Personal digital assistant Virtual machine Self-organization Right angle Communications protocol Virtual machine Similarity (geometry)
Authentication Coefficient of determination Email Term (mathematics) Right angle Table (information) Extension (kinesiology) Cartesian coordinate system Public-key cryptography
Inclusion map Mapping Open set Number
Point (geometry) Email Service (economics) Googol Information Telecommunication Office suite Right angle Office suite Communications protocol Form (programming) Traffic reporting
Satellite Point (geometry) Functional (mathematics) Game controller View (database) View (database) Interface (computing) Line (geometry) Black box Number Neuroinformatik Befehlsprozessor Software Bridging (networking) Internetworking Semiconductor memory Right angle Information security Information security
Sound effect Data compression Monster group Physical system
Control flow Right angle Table (information) Mereology Vulnerability (computing)
Theory of relativity Serial port Interface (computing) Flash memory Shared memory Thermal expansion Bit Software bug File Transfer Protocol Message passing Befehlsprozessor Component-based software engineering Semiconductor memory Befehlsprozessor Set (mathematics) Website Reading (process) Writing Modem Modem
Computer file Letterpress printing Price index Product (business) Revision control File Transfer Protocol Process (computing) Website Normal (geometry) Social class Communications protocol Communications protocol Social class Firmware
File Transfer Protocol Process (computing) Serial port Computer file Letterpress printing Line (geometry) Codierung <Programmierung> Binary file Formal language Spacetime
Process (computing) Serial port Computer file Binary code Letterpress printing Sheaf (mathematics) Right angle Table (information) Mereology Data compression Error message Address space
ASCII Computer configuration String (computer science) View (database) Integrated development environment Right angle Mereology Data compression Form (programming)
Computer file Multiplication sign View (database) Amsterdam Ordnance Datum Data dictionary Distance Perspective (visual) Pointer (computer programming) Computer configuration Internetworking Single-precision floating-point format Pattern language Data compression Formal grammar Window Data dictionary Mapping Information File format Bit Pointer (computer programming) Doubling the cube Internet forum MiniDisc Pattern language Right angle Curve fitting Window Library (computing)
Uniform resource locator Information Length Order (biology) Length Raster graphics Window Window
Computer file Multiplication sign Bit Raster graphics Function (mathematics) String (computer science) Operator (mathematics) output Right angle Monster group Window Position operator Reverse engineering Physical system Window
Implementation Web crawler Functional (mathematics) Module (mathematics) Proxy server Real-time operating system Normal operator UDP <Protokoll> Proxy server Booting Physical system Task (computing) Modem Equivalence relation Dynamic Host Configuration Protocol Befehlsprozessor Process (computing) √úbertragungsfunktion Green's function Order (biology) Direct numerical simulation Configuration space Physical system Task (computing) Modem Library (computing) Booting
Functional (mathematics) Uniform resource locator Standard deviation Hoax Public domain Software testing Coma Berenices Quicksort Musical ensemble
Web page Standard deviation Message passing Phase transition Order (biology) Computer network Procedural programming Data transmission System call Perspective (visual) Probability density function Vulnerability (computing)
CAN bus Addition Functional (mathematics) Dynamical system Pointer (computer programming) Process (computing) Debugger Codebuch Finite-state machine Software framework Variable (mathematics) Reverse engineering
Computer program Serial port Debugger Multiplication sign Principle of maximum entropy Mereology Fault-tolerant system Arm Data transmission Web 2.0 Frobenius normal form Roundness (object) Kernel (computing) Network socket Software framework Extension (kinesiology) Data compression Position operator Vulnerability (computing) Fundamental theorem of algebra Curve Keyboard shortcut Sound effect Bit Lattice (order) Control flow Flow separation Arithmetic mean Befehlsprozessor Order (biology) Right angle Modul <Datentyp> Remote procedure call Reading (process) Writing Spacetime Asynchronous Transfer Mode Firmware Point (geometry) Dataflow Asynchronous Transfer Mode Server (computing) Game controller Functional (mathematics) Implementation Proxy server Open source Exploit (computer security) Device driver Twitter Revision control Frequency Crash (computing) Prototype Read-only memory Integrated development environment Computer-assisted translation Booting Firmware Mathematical optimization Address space Compilation album Weight Debugger Projective plane Code Independence (probability theory) Word Loop (music) Kernel (computing) Integrated development environment Personal digital assistant Computer hardware Data Encryption Standard Finite-state machine Table (information) Library (computing)
Web page Functional (mathematics) Computer file Multiplication sign Equaliser (mathematics) Letterpress printing Streaming media Perspective (visual) Graph coloring Wave packet Phase transition Equaliser (mathematics) Extension (kinesiology) Data compression Modem Vulnerability (computing) Email File format Interactive television Computer network Line (geometry) System call Entire function Process (computing) Befehlsprozessor Software Order (biology) Phase transition Finite-state machine Resultant Arc (geometry)
Email Table (information) Computer file Link (knot theory) Length Computer-generated imagery Mereology Field (computer science) Medical imaging Latent heat Different (Kate Ryan album) String (computer science) Matrix (mathematics) Data compression Vulnerability (computing) Vulnerability (computing) Electronic data interchange File format Surface Bit Stack (abstract data type) Cartesian coordinate system Opcode Flow separation Entire function Personal digital assistant Buffer solution Finite-state machine Summierbarkeit Table (information) Matrix (mathematics) Data compression
Point (geometry) Game controller Constraint (mathematics) Computer file Length Structural load Skewness Stack (abstract data type) Buffer solution Matrix (mathematics) Quicksort Proxy server Information security Buffer overflow Physical system Vulnerability (computing)
Point (geometry) Hoax Proxy server Multiplication sign Real-time operating system Usability Product (business) Front and back ends Hypermedia Core dump Software testing Office suite Information security Address space Vulnerability (computing) Physical system Dependent and independent variables Bit Flow separation Shareware Process (computing) Network topology Internet service provider System programming Information security
Laptop Game controller Group action Presentation of a group Parsing Touchscreen Multiplication sign Line (geometry) Exploit (computer security) Neuroinformatik Connected space Software Ring (mathematics) Summierbarkeit Musical ensemble
Gateway (telecommunications) Surface Uniform resource locator Gateway (telecommunications) Software Validity (statistics) Surface Patch (Unix) Computer network Endliche Modelltheorie Communications protocol Communications protocol
Latent heat Process (computing) Twitter
[Applause] hello everyone thanks for coming to our talk what the facts let's do some 1980s hacking party yeah so my name is Yaniv
Palmas and here is a young it cane we are both security researcher as a walk for checkpoint research and let's begin with a brief history of facts so it was it all started in 1846 when a scientist named Alexander Bane invented a center first image of a wire and just a fun fact this happened around 20 years before the invention of the light bulb and then facts evolved a bit and came to
be this machines again just before the invention of the telephone radio fakes fax came to be and then in 1966 a small company called Xerox invented the first commercial fax machines and really change the way we send electronic documents from one to each other and then throughout the years there was few standards for fax but at 1980 the last
and most recent standards for fax came to be by an organization called ITU and namely the protocols are t-38 e46 those are practically the same protocols we still use today when we send fax and now you know this was in the past but what's happening today I mean let's compare we have better ways to send aleko electronic documents who want to to other right let's compare fax to just one of them let's say email right so if we compare fax to email and just to remind you we are comparing this to this right so in
terms of quality you just saw the
pictures you know I have nothing to add in terms of accessibility I'm pretty sure most or all of you have 24 by 7 axis females right I'm not so sure you're carrying around your fax machines with you in terms of reliability so when you send an email it gets received but you know when it's in the fax it might get accidentally shredded the dog might might eat it or you know you can never know if it got to its destination and in terms of authenticity well we can argue about email whether or not it's authenticated but we do have extensions like public key cryptography what we don't have is we have nothing for fax simply no authentication at all so yeah looking at this table you might think okay so it's 2018 who is using fax probably nobody is using right wrong fax is pretty much live in qicang still it's being used all
over the place ships maritime use it to receive those critical maps in open seas according to Wikipedia 90% of the Japanese population use fax what they really like fax over there but I don't know why yeah but they're Japanese so and if you do a lot
of Google combos like you know contact us and fax you'll find over 300 million fax numbers published on Google and that's just the published numbers think about how many fax machines don't have the published numbers out there so it's simply a huge amount of fax numbers and fax machines out there today and the thing is that it's not only how many fax machines are other but it's also who uses fax well if you're a small corporate or a huge cooperate you have a fax number you don't necessarily receive faxes over this number but you do have a fax number and it's published out there if you're a bank they love faxes in
banks right so this is Bank of China the biggest bank in the world with over three point six two trillion dollars in assets and that's their fax number and maybe most importantly government offices use fax if you ever wanted to
fax to our beloved Donald Trump this is his fax number which is google it it's there so the thing is that sometimes all banks and healthcare and government agencies they don't only allow you to send fax but it's actually taury to send fax you can under either use postal mail or fax to send them information it's a good thing that they took mail pigeons out of it but you know so yeah it's a thing and when you're thinking about it well you're thinking probably what the fax I mean it's 2018 we should evolve to better ways of electronic document delivery right and now see this is how fax looks like today well it's no longer this standalone fax machines that we used to add twenty or thirty years ago right today fax is embedded this all protocols are embedded within newer technologies we have fax to email services as I said
we have fax of a radio and fax over satellite and we have I think most commonly these all-in-one printers they have a lot of things right and they come pre equipped with fax functionality in them and now let's take a look at this all-in-one printers for a second and if
you think of it from a security point of view there are just black boxes right and those black boxes has interfaces on one side they have interfaces like Wi-Fi USB bluetooth Ethernet stuff like that those interfaces connects us to the internal network or to the external network or basically they connect us to the world right and on the other hand we have interfaces for connecting facts to the phone line and those interfaces connects us well to the 1970s something like that and now this sounded interesting to us and we thought ok let's imagine this nice attack scenario right if you consider those all-in-one printers are at the end of the day nothing but computers right they have memory they have CPU just complete computers what happens if an attacker with access to the telephone line and equipped only with its victims phone number will be able to attack this printer just through the telephone line and exploit the printer and then take full control of it right in this scenario it can then propagate from the printer through any one of the other interfaces let's say the internet to the internal network right effectively creating a bridge between the internal work and external network using the telephone that's 1980s again right so we thought that's a really cool concept and we went
on and began the research for that and after we got excited which sat down and talked about the challenges we have and it seems like we have quite a few challenges in front of us and they are really not simple so let's just name a few of those challenges for example how
do we obtain the film were the code for this printer how do we analyze the film
where once we got it what operating system does this huge monsters are using how can we be back this thing we have no idea how does fax even work we just know the beeping sounds but we have no idea effects works and then after we understand all that we need to
understand where should we look for vulnerabilities inside this big big big ecosystem so today we're gonna try and take you through these questions one by one until we'll be able to exploit this printer right here on the table so let's
begin with how do we obtain the fumer for printer so this is our printer I can tell you a lot of things about why we chose this printer but basically it's the cheapest one so yeah we could afford to break like four or five of those doing the research so that was fun actually we have a lot of ink and it's really expensive so if you want something will be able we'll be happy to share so we need to break fax right but just a minute before we break fax we need to break the printer and I mean literally break the printer that was the fun part of the research we broke everything up and try to look inside and see what is this thing even built from and this is basically the brain of the
printer that's how it looks like in the inside from the inside let's go through the major components of this PCB so it has a flash rom manufactured by expansion and then some more memory and looking at that it looks a bit like some components are missing right that's mainly because the PCB has two sites so on the other side is the most interesting stuff like USB Wi-Fi electricity SRAM this huge battery that's used for something and then two very interesting components one is the main CPU that's a Marvel CPU and it's manufactured specifically for HP by the way I didn't mention that we chose HP and not because we dislike HP but there are just the biggest vendor they have around 40% of the market share so they look like a good target and then another component is this component and this is a fax modem it's a CSP 1040 and we basically want to focus our research on those two components and understand how do they work and what is the relation between them so as I said one of the first challenges will be to obtain the film wear of this printer so we're taking a closer look at this PCB and we find these two very interesting interesting things in here like its serial debug and a JTAG it's clearly marked on the PCB so we say okay that's gonna be really easy if you're not familiar with them they are just interfaces that will let you deep bug the the printer the the CPU read and write memory so that's basically all we need to obtain a few more unfortunately for us the JTAG is completely disabled we can't access it and the serial what we were able to
access the serial get is terminal but almost every command we try to write would give us this strange message I don't understand what we don't understand either so it seems like we're not gonna go anywhere from here we need to find an alternate path to get the film work we looked a bit around and it turns out that actually luckily for us HP has this site online an FTP site and
this site contains each and every few more version for every HP product ever produced in history that's a huge FTP site it actually took us about two weeks to find our film were within this mess of a few MERS but yeah finally we were able to find this fumarole have our female file yeah we can start war King but then we asked ourselves wait
how do you even upgrade a printer fumer have have you ever done that I hadn't so we have this file we need to understand to do that and the answer to this question is surprisingly simple well you just print it yeah you see HP define this standard called PCL excel future reference protocol class 2.1 supplement that if you are still sane after reading this thing you understand that the printer receives a pretty few more upgrades the same way as it receives a print job a normal print job that's nice so cool if we look at the
file that we got from this FTP site this actually correlates pretty well because you see it says pjl it stands for print job language so now that we know that we just need to decode this fum? work we're not going to take you to the process of decoding this thing I'll just give you
the highlights this thing is composed of a few decoding decoders like serial C really aligned decoders like null decoder TIF decoder Delta all decoder there's a lot I can say about them but they do something like you know if the previous line was all spaces then if this line is also all spaces just write one instead of the line so you will save some space now this makes a lot of sense if you're talking about the print job because you're expecting to see a lot of empty lines in the in there but when you're talking about binary file it makes absolutely no sense to encode it this way and to that we have to say well
if you're a hammer everything looks like a nail and if you're a printer everything looks like a print job and okay we were finally able to decode this thing and we got ourselves what seems to be the few more file and now we can finally start working but how do we
analyze this file so we start looking at this file and right in the beginning of it we see something that looks like a
table so we're able to parse this thing and to understand that it is a table and this actually is a section table so it means that the big file that we have is actually composed of sections and this table actually tells us stuff like the loading address for each section sorry the section name and the location in binary and this basically enables us to break this big file into small sections and now we can inspect each and every section specifically there's one really big section in there that we're really interested in because it looks to be our actual femur and we start to look at it and when we look at that we see this now this looks promising but something is not right look at this this is the part of the section it clearly says error I don't understand this is the same error message we got from the serial port so yeah that's probably the code that we are looking for right but but it's not exactly there something is missing you see what we can understand its error I don't understand but something is missing bytes are missing and those bytes are consistently consistently missing from the entire file so although we know we are there we still can't analyze this thing until we will be able to fill those missing bytes and now we are trying to understand what is this thing there are
a lot of options all of them are crazy but the least craziest option is to understand that this thing is another form of compression because yeah it's just it has to be there is no other option it's really bad compression because when we try to compress this thing with zealey for for example we get 80% better compression and the thing is that we know that we have Z live in the printer because we see the strings to it so why would you use this compression I don't know but it must be a compression now let's try to analyze this thing together here so this is one of the snippets I just showed you before and let's try to analyze it basically it's composed of two parts one part is ASCII
characters stuff that we can read right and the other part is non ASCII characters stuff that we can't read those non ASCII characters are actually the missing bytes that we have and we need to understand how to you know understand what they are so what we do is just take this byte view right and take all the ascii characters out of
it and now we are left with with our missing bytes right now if you stir this long enough you will start seeing a pattern and let me help you a bit with this because you see this thing is composed of single bytes and double bytes right and the distance between the single bytes looks suspiciously pattern ish I would say like 8 bytes 9 bytes 9 by 8 bytes and now try to look at this for a second from a different perspective so from this perspective the pattern starts seeing being more clear right because you see the F 7 and F 7 they look the same the FF & FF they look the same but what does it mean well to understand that you need to sharpen your binary view for a second and if you understand that FF for example is just 8 1 bits right and if you do this consistently for every chunk that you have here you will see the pattern and the pattern is that the 0 bit always falls within this 2 bytes hole and that practically means that the first byte is just a bit nap describing the next the following 8 bytes so this is all 9 by chunks and the first byte is just a map of the of the following 8 bytes that's amazing so now we understand what is 1 byte 1 bytes are and all we need to do is to understand this 2 bytes what are those 2 bytes and they must be replaced for some characters but what are the replaced 4 that's a big question it took us some time to understand that and if you know anything about compression you know that you don't have a lot of options here it can either be a forward or backward pointer it could be some kind of dictionary or it could be a sliding window now we could pretty easily say that it's not a forward and backward pointer and it's also not a dictionary because we try to find references with from within our file and we can't so the only valid option will be that this thing is a sliding window right and equipped with this information we go to our favorite place to Google and in some dark corner of the Internet
we find this Wiki strange wikipage defining something called the soft disk library format and this thing within it has a compression algorithm that looks really familiar and it looks really like ours I mean really really like ours I mean it looks exactly like our compression exactly the same thing we find it really funny and the thing is that this thing anybody knows what soft disk is so it turns out that this compression algorithm was invented by soft disk and it was used once in history once in the past you will never guess where that's because it was used in Commander Keen yeah now how did this
make its way into an HP printer I have no idea but it did so if you want to follow up on that feel free and now once
we have we're equipped with this information we actually know what those two bytes are I mean they are just composed of you know this this bitmap
which stands for two values a window location and a data length and that's basically all the information we required in order to open this thing let me show you how it works so we have an
input text and output text and a sliding window and let's try to compress this string here abcdefg so what we do is the first byte as I said is a bitmap so we just leave it open for now we don't know what the value will be and we start working so a we write it boiling in the output text and sliding windows aims for BCD and then we get to a a is already present in the sliding window so we don't need to write it in the output text and then B again is just following a and then when we eat E we just write zero zero zero two that means go to the sliding window at position zero and take the first two bytes that's that's the replacement that we were looking for right and then we continue e FG and once we have that we can just put our bitmap here see that the replacement was at this position and we have our bitmap that's pretty easy looking at that way of course when you're doing it in Reverse it's kind of a bit more but with this we were able to open the Fillmore file and now we have a full Fillmore file that we can finally finally analyze and now that we have that we need to understand what operating system is this monster using well we spent quite a few time on that
but let me give you a brief explanation so basically this thing as an operating
system called tread X it's a real-time operating system and the CPU is running on as arm9 big-endian something really sexy and then there's some system and stuff here some common libraries and tasks which are the rat
equivalent of processes in normal operating systems now the for system we have two-stage bootloader and some networking functionality is some other stuff we have a lot of common libraries just common libraries and then we have tasks and once we have this picture in mind we know that we have to focus on these specific tasks because this is what we're looking for t30 tax log t modem all the rest we can pretty much put aside right so we need to start analyzing them but just a second before we do that we notice something that looks fishy you see this thing has a spider monkey library now if you're not familiar with this spider monkey is the most illa inflammation of JavaScript it's used in Firefox and we were thinking to ourselves why would the printer use JavaScript it makes absolutely no sense and we were intrigued by this question so we tried looking at where does this thing implement JavaScript and it turns out that the answer is simple it uses that in a feature called pack pac-10 for proxy Auto configuration it uses JavaScript in order to auto configure proxy is a pretty pretty common thing and the thing is that the top layer functionality of this thing was written by HP and when we're looking at this top layer functionality we see this this
thing before it does the functionality it can it contacts this URL fake URL one two three four com it does nothing with it it just it just contacts to it and and that's it like some sort of sanity test maybe I don't know but the interesting is thing is does anybody know who owns the domain fake URL one two three four comm any guesses how did you know yes it
wasn't registered so we just registered this domain so if anybody is interested in a domain please contact me I have a very good price for this domain basically every HP printer in the world now connects to my domain so that's really nice and now after we've done all that we need to actually start looking at facts and for that I will hand it over to Al [Music] so so finish messing around we can actually focus on T 30 T 30 the standard
defines the facts for a call it's called itu-t recommendation T 14 in its full name thus I define the procedures and phases and messages needed in order to Center to see the fax document it's actually a huge standard it has a PDF we've all 300 pages we read through it all and it's complicated under standard itself was first design on 1985 and it was last updated move in a decade ago so
from our perspective it was like it's an old standard it's complicated we're going to find vulnerabilities in it while you read through the standard we started to reverse-engineer the teeth
ready state machine in the framework and you can look to see how it looks like don't let this we have you folio as most of the code books you see over there contains additional state machines inside them and this means we're going to have a pretty rough job reversing it as if that wasn't enough he turns out the femur heavily relies on function pointers in global variables and it's going to be a real mess to statically reverse engineering this thing so we decided to change tactics we are going to use dynamic reverse engineering we'll need a debugger so how can you
debug a printer we can't connect to it yaniv already said but we try to connect
to the JTAG and the serial port but that word really helpful we then try to look for ability in gdb stop we could connect to but we couldn't find one either at this point we should remember that I can't simply load a debugger because we don't have any control over the execution flow and even if we could load a debugger the printer uses the harbor watchdog this soon as the CPU will halt or enter a netlist loop the watchdog will trigger a reboot and a breakpoint usually halts the program so we can simply hit breakpoints we are the watchdog kicking us out at this point we decided to split it parts if we could find a code execution vulnerability we could try to exploit it and load the debugger at this point we had a stroke of luck actually we believe that luck is an important part of every research project and we sure had our stroke of luck on the 19th of July send you a publish the curve an ability called devil's Ivy Davis IV is actually a remote code execution vulnerability in the gzip open source library embedded devices in document included tend to implement embedded web server inside them so you could manage and configure your embedded device in our case the printer uses gee soap in its web server after we dug in a bit deeper we saw that we had a jackpot our Peter is fun over the David's IV and we now have how I debugging vulnerability so for those of you who are not familiar of Devon's IV this is a relevant piece of code and here is the vulnerability itself the bad part about this vulnerability is that it's assigned in detail under flow and this means we need to send roughly 2gb bytes of data in order to exploit it I don't know if you're familiar with the daily weights of printers however Twitter's are pretty slow so after many optimization rounds you wanted to reduce the transmission time to roughly seven minutes so it's successful exploit took us seven minutes and this practically signals the end of our stock of luck because our exploit had several side effects on top of them so after each successful exploit we're going to have a grace period of three to ten minutes and then the printer crashes so we waited a lot of seven minutes in research but at least we have an ability we can try to use it for e buggying it's better than nothing so we had pretty much we had several debugging challenges so we need to focus up originally we wanted to read ram in right round soak a dynamically reverse-engineer the t30 state machine so now we have a control of the execution flow you can use there is Ivy we can try to exploit it in order to load a debugger phone once loaded we'll need to tell the MP you what our debugger is were free of execution so it get its privileges and when we start executing our debugger we need to actually install it and blend it inside the firmware address space because we want to connect to this debugger and it will you don't want it to crash the printer so it should natively blend in signed a few more at this space we couldn't find any known debugger we know that does it and my battled always tells me to stop reinventing the wheel and is correct because wheels are not very useful so we reinvented a debugger instead so meet Scout Scott is an
instruction based debugger but we've developed it currently supports Intel CPUs as well as RM and in fact it even supports aren't some mode I don't really like this mode but that's what the printer uses so you get it as a bonus on a previous research we use actually a prototype version of Scout in a Linux kernel environment in which we loaded Scout is a Linux kernel driver to debug RPE this time we used cat in its embedded environment but in this environment we use Scout with a fully position independent compilation it actually uses its own global of the table when we try to locate and execute functions from the framework itself all you have to do in order to use Scout is to compile it and supplied with the addresses in the framework of usual framer functions such as socket bind mem copy or even sleep once compiled you throw the compiled binary somewhere inside the other space of your target and you have it once executed Scout will create a network server and wait for instructions because it's an instruction based debugger by remotely connecting that the newly created network server we can now issue instructions to read Ram write RAM or any other extension you wish to implement it's extendable in checkpoint user to believe in sharing with the community so we can find Scout in our github account it includes an embedded environment tutorials and even the Linux kernel driver we use for previous research at this point of the topic we call it many different subjects but you haven't covered yet the most important thing how facts actually works using Scout we were able to dynamically reverse-engineer the framework so let us now tell you how facts actually works in
order to set of facts I need a fax machine it's going to be sent to the receivers modem the modem will transfer packets to the CPU which handles the t30 state machine and later on the data will be handled for processing and printing when we start interacting between both of the modems we have network interaction we have throw being and Reggie we have a equalizer and echo canceller and we have additional trainings you should be quite familiar of these four phases they actually sound like this what would be actually done was to create an hdl-c tonic using this hdl-c tunnel we are able now to send our t30 packets as hdl-c data grounds from our fax machine to the receive a fax machine t30 itself has many faces of its own on face a we send our caller ID it's 20 bytes stream we can send whatever we want on face bo we negotiate our capabilities and tracy is the most important phase of them all because here we actually send the data itself so our document is going to be sent line by line page by page until it finally receive and then face deal we finish we send arcs we receive the acts and that's it so let us now see how a normal black and white fats document is going to be sent for this follicle so here's our document it will go through the HPLC tunnel the data will be transferred using phase C and the received result looks like this we actually send the data of a tiff file format a compressed in g3 of G for compression layers and if you think with something here is missing then you're correct we can't cut to all the heroes of the defile the printer actually builds them itself using data we negotiated on phase a and phase B so from an attackers perspective either partially bad news there are many vulnerabilities and TIFF parcels however we usually require us to control the hero this time we only control the data itself so we're a bit limited and after we finish building up and processing the TIFF file it's going to be sent for printing you know because that's what normal people do with fax documents and here's where it becomes really interesting because we figured out where t30 had extensions for it and one of the extensions can you guess well the extension is color extension that I didn't know that taxes can be colorful but it's a thing so let's see how a colorful fax is going to be sent we have here our fax documents which will travel through the atlc tunnel using Phase II of the t-34 the call and the receive result will be a jpg file this time we control the entire JPEG file its headers and data because the colorful fax is in fact a fully functional JPEG file so we received 80 file with a black and white fax and a JPEG file with colorful fax both will be sent for printing now that we finally
understood how fax even works where we should look for vulnerabilities in it so
all of the layers we showed earlier can contain vulnerabilities we have complicated state machines we exchange strings were several decompression layers and we have two different file formats we need two parts we decided that the most convenient layer of them all will be the application one and more specifically the jpg parcel because we can fully control the entire JPEG file so we have a much better attack surface let us now see how Jake your viola actually looks like so this is a JPEG
file it stands for it finds a colorful image and the most important thing is that JPEG consists of markers you have a start of marker after which we have an additional marker with its opcode link field and data after which you have a Malkiel with its opcode length and data and so on and so on and you finish with a marker now we know how big a file actually looks like let's zoom in on one such marker Oh specific marker is going to present a compression table we define a forever for compression matrix to efficiently compress our specific document in T files you use other tables and they were design and fixed and JPEG files you can use your own compression table for a specific image namakkal itself looks like this you have our opcode or length field the 4x4 matrix and our data if you assume in a bit deeper we can see that the values of four or four matrix are going to be accumulated together the matrix is supposed to be really sparse as you can see over there most of these zeros some one some twos the accumulated value is going to be the length field for the data inside a marker in this case we have our data is six so we're going to have six data bytes the data byte is themselves are going to be copied into a small array located on the stack so let's sum grab a bit we're going to sum all of the values you know forward for matrix the length field will be 6 in this case and 6 bytes are going to be copied into our local stack buffer so at this point we're like over the facts because what will happen if we'll use
large values inside our matrix we have 16 bytes you know 4 by 4 matrix and we're going to send them all up to roughly 4 kilobytes and 4 kilobytes of data are going to be copy into a small stack buffer of size 256 bytes so that's be ideas for the film where we have an overflow now that we found our
vulnerability it's still stuck based buffer overflow let us do you have any sort of constraints because we simply copy data from one file to the stock buffer where have no constraints or forbidden bytes we can use null by it's not a skew by its whatever bytes you choose we can use up to 4 kilobytes of data and we can control the length so we can we actually used in our exploit roughly 2 K so it's controllable and since we actually sent a large JPEG file we can embed inside it much more data to be used layer so we can use roughly 4k for exploit and our exploit can load enormous amount of data from the fax itself so we could continue on at this point we have a vulnerability let us now see what bypass we should use for operating system security mitigations no not really because it's a
real-time operating system all of the addresses are fakes with no stack Canaries all the tests share the same address space we run in the highest of privileges so it's it's an 80s party and it couldn't be easier once we found a vulnerability is we contacted HP and we started a responsible disclosure process we actually flew over there to HP's campus to help them with demonstrated a vulnerability and we help them catch it it was quite interesting because at first we were told to fly to Portland and very no HP offices in Portland so we talked to them a bit more and they told you neva tree I should fly to Vancouver and we were like Vancouver in Canada so I flew the Portland and I drilled to Vancouver Washington and we help them fix it and if you were to their blackhat I was the back end and first time this year you couldn't miss a huge booth of HP we're using the wolf or the fixer this year so you don't probably know the HP really cares about the security of its product so we got an official I see the ease from HP here the two CVEs they're both rated as critical with a CVS core of nine point eight out of ten so that's quite rare maybe even familiar with these two CVEs because they got several media attention in the past week so here's the official response from HP
when HP learned of the issue we worked quickly to provide updates amiss risks HP take security seriously and causes customers the keep the system's updated to protect against potential vulnerabilities and once we finish this this is a good time for our live demo
[Applause] okay thank you so we don't we don't have a lot of time let's see this thing in action so we brought you here printer Def Con could supply us with phone lines so we just brought our own phone thing and then we have the attacker attacker a laptop over there and we're sending our fax now yeah good and our answer in two rings take a look at the LCD screen of the of the critter receiving fax from malicious attacker if you can relive so if you see these facts right run away [Music] and should be here now yeah faxes are slow sorry for that yeah fax received now the JPEG parsing is going on and basically we have control of the printer so this is our logo and that means the printer is ours thank you thank you but but we have we have we have something else because now that we have control over the printer it's not enough we want to show that we can propagate from the printer to the rest of the network and basically what we did is to embed eternal blew the leaked NSA exploit within our fax and now this printer once it what's it identifies any connected computer you just try to exploit it and here I'll connect if you
look at the laptop for a second then you will see a calque popping so we did it it was a long research let me tell you but it was successful we think this is groundbreaking I hope you feel the same and now let's sum up with some conclusions if you'll switch back to the presentation yeah thank you so
conclusions or pstn is still a valid attack surface even in 2018 facts can be used as a gateway to internal networks and another thing is that all in outdated protocols are probably bad for you so keep an eye for them and now probably you're asking yourselves what can you do well you can do some stuff you can patch your printers as we said HP published patches for these specific more abilities you can find them in this URL here and instructions from HP too and it identify by the way this works for any HP Officejet printer in inkjet like 80 or 100 models of them so make sure your another thing is don't connect fax if you don't if you don't need it right and if you do not need to connect fax then make sure to segregate your printers so they won't be connected to the rest of the network so if somebody manages to take over your printers at least the risk will be contained within the printer and you won't be able to propagate to the rest of the network now these are all really good suggestions but really the best suggestions are the best suggestion I have to give you today is please stop using fax
[Applause] and now we really couldn't do a lot of this research if it wasn't for our wonderful friends so they helped us
physically technically and mentally throughout the entire process of this research so they deserve some some clapping thank you thank them and one specific guy Ian I also helped us a lot
in the few more thing and that's practically it so thank you very much and if you want to follow us please follow us on Twitter read our stuff on the on our blog and thank you very much for coming to this talk [Applause]