exploiting network printers conf...cloudme (read) list stat [cloudconvert] write read list stat read...
TRANSCRIPT
![Page 1: Exploiting Network Printers Conf...CloudMe (read) list stat [CloudConvert] write read list stat read exec Attacks on Cloud Storage. 1. Background 2. Attacks 3. Evaluation 4. PRET 5](https://reader033.vdocuments.mx/reader033/viewer/2022043007/5f93f1626c709f37712dd5ed/html5/thumbnails/1.jpg)
![Page 2: Exploiting Network Printers Conf...CloudMe (read) list stat [CloudConvert] write read list stat read exec Attacks on Cloud Storage. 1. Background 2. Attacks 3. Evaluation 4. PRET 5](https://reader033.vdocuments.mx/reader033/viewer/2022043007/5f93f1626c709f37712dd5ed/html5/thumbnails/2.jpg)
Exploiting Network Printers
Jens Müller, Vladislav Mladenov, Juraj Somorovsky, Jörg Schwenk
![Page 3: Exploiting Network Printers Conf...CloudMe (read) list stat [CloudConvert] write read list stat read exec Attacks on Cloud Storage. 1. Background 2. Attacks 3. Evaluation 4. PRET 5](https://reader033.vdocuments.mx/reader033/viewer/2022043007/5f93f1626c709f37712dd5ed/html5/thumbnails/3.jpg)
1
Why printers?
![Page 4: Exploiting Network Printers Conf...CloudMe (read) list stat [CloudConvert] write read list stat read exec Attacks on Cloud Storage. 1. Background 2. Attacks 3. Evaluation 4. PRET 5](https://reader033.vdocuments.mx/reader033/viewer/2022043007/5f93f1626c709f37712dd5ed/html5/thumbnails/4.jpg)
1987 20172
Evolution
![Page 5: Exploiting Network Printers Conf...CloudMe (read) list stat [CloudConvert] write read list stat read exec Attacks on Cloud Storage. 1. Background 2. Attacks 3. Evaluation 4. PRET 5](https://reader033.vdocuments.mx/reader033/viewer/2022043007/5f93f1626c709f37712dd5ed/html5/thumbnails/5.jpg)
3
Yet another T in the IoT?
![Page 6: Exploiting Network Printers Conf...CloudMe (read) list stat [CloudConvert] write read list stat read exec Attacks on Cloud Storage. 1. Background 2. Attacks 3. Evaluation 4. PRET 5](https://reader033.vdocuments.mx/reader033/viewer/2022043007/5f93f1626c709f37712dd5ed/html5/thumbnails/6.jpg)
• Systematization of printer attacks
• Evaluation of 20 printer models
• PRinter Exploitation Toolkit (PRET)
• Novel attacks beyond printers
• New research directions
4
Contributions
![Page 7: Exploiting Network Printers Conf...CloudMe (read) list stat [CloudConvert] write read list stat read exec Attacks on Cloud Storage. 1. Background 2. Attacks 3. Evaluation 4. PRET 5](https://reader033.vdocuments.mx/reader033/viewer/2022043007/5f93f1626c709f37712dd5ed/html5/thumbnails/7.jpg)
1. Background
2. Attacks
3. Evaluation
4. PRET
5. Beyond printers
6. Countermeasures
5
Overview
![Page 8: Exploiting Network Printers Conf...CloudMe (read) list stat [CloudConvert] write read list stat read exec Attacks on Cloud Storage. 1. Background 2. Attacks 3. Evaluation 4. PRET 5](https://reader033.vdocuments.mx/reader033/viewer/2022043007/5f93f1626c709f37712dd5ed/html5/thumbnails/8.jpg)
1. Printing channel (USB, network, …)
2. Printer language (PJL, PostScript, …)6
How to print?
![Page 9: Exploiting Network Printers Conf...CloudMe (read) list stat [CloudConvert] write read list stat read exec Attacks on Cloud Storage. 1. Background 2. Attacks 3. Evaluation 4. PRET 5](https://reader033.vdocuments.mx/reader033/viewer/2022043007/5f93f1626c709f37712dd5ed/html5/thumbnails/9.jpg)
PrintingUnit
Printer USB
RAW
IPP
LPD
SMB
PJLInterpreter
PostScriptInterpreter
FurtherInterpreter(PCL, PDF, …)
7
What to attack?
![Page 10: Exploiting Network Printers Conf...CloudMe (read) list stat [CloudConvert] write read list stat read exec Attacks on Cloud Storage. 1. Background 2. Attacks 3. Evaluation 4. PRET 5](https://reader033.vdocuments.mx/reader033/viewer/2022043007/5f93f1626c709f37712dd5ed/html5/thumbnails/10.jpg)
• Printer Job Language
• Manages settings like output tray or paper size
@PJL SET PAPER=A4
@PJL SET COPIES=10
@PJL ENTER LANGUAGE=POSTSCRIPT
• NOT limited to the current print job
8
PJL
![Page 11: Exploiting Network Printers Conf...CloudMe (read) list stat [CloudConvert] write read list stat read exec Attacks on Cloud Storage. 1. Background 2. Attacks 3. Evaluation 4. PRET 5](https://reader033.vdocuments.mx/reader033/viewer/2022043007/5f93f1626c709f37712dd5ed/html5/thumbnails/11.jpg)
• Invented by Adobe (1982 – 1984)
• Heavily used on laser printers
• Turing complete language
9
PostScript
![Page 12: Exploiting Network Printers Conf...CloudMe (read) list stat [CloudConvert] write read list stat read exec Attacks on Cloud Storage. 1. Background 2. Attacks 3. Evaluation 4. PRET 5](https://reader033.vdocuments.mx/reader033/viewer/2022043007/5f93f1626c709f37712dd5ed/html5/thumbnails/12.jpg)
1. Background
2. Attacks
3. Evaluation
4. PRET
5. Beyond printers
6. Countermeasures
10
Overview
![Page 13: Exploiting Network Printers Conf...CloudMe (read) list stat [CloudConvert] write read list stat read exec Attacks on Cloud Storage. 1. Background 2. Attacks 3. Evaluation 4. PRET 5](https://reader033.vdocuments.mx/reader033/viewer/2022043007/5f93f1626c709f37712dd5ed/html5/thumbnails/13.jpg)
• Is your copy room always locked?
11
Attacker model: Physical access
![Page 14: Exploiting Network Printers Conf...CloudMe (read) list stat [CloudConvert] write read list stat read exec Attacks on Cloud Storage. 1. Background 2. Attacks 3. Evaluation 4. PRET 5](https://reader033.vdocuments.mx/reader033/viewer/2022043007/5f93f1626c709f37712dd5ed/html5/thumbnails/14.jpg)
• Who would connect a printer to the Internet?
12
Attacker model: Network access
![Page 15: Exploiting Network Printers Conf...CloudMe (read) list stat [CloudConvert] write read list stat read exec Attacks on Cloud Storage. 1. Background 2. Attacks 3. Evaluation 4. PRET 5](https://reader033.vdocuments.mx/reader033/viewer/2022043007/5f93f1626c709f37712dd5ed/html5/thumbnails/15.jpg)
13
Attacker model: Network access
Attacker(Insider)
Attacker
![Page 16: Exploiting Network Printers Conf...CloudMe (read) list stat [CloudConvert] write read list stat read exec Attacks on Cloud Storage. 1. Background 2. Attacks 3. Evaluation 4. PRET 5](https://reader033.vdocuments.mx/reader033/viewer/2022043007/5f93f1626c709f37712dd5ed/html5/thumbnails/16.jpg)
14
Attacker model: Web attacker
Carrier
Attacker(Website)
![Page 17: Exploiting Network Printers Conf...CloudMe (read) list stat [CloudConvert] write read list stat read exec Attacks on Cloud Storage. 1. Background 2. Attacks 3. Evaluation 4. PRET 5](https://reader033.vdocuments.mx/reader033/viewer/2022043007/5f93f1626c709f37712dd5ed/html5/thumbnails/17.jpg)
• Denial of service
• Protection bypass
• Print job manipulation
• Information disclosure
15
Four classes of attacks
![Page 18: Exploiting Network Printers Conf...CloudMe (read) list stat [CloudConvert] write read list stat read exec Attacks on Cloud Storage. 1. Background 2. Attacks 3. Evaluation 4. PRET 5](https://reader033.vdocuments.mx/reader033/viewer/2022043007/5f93f1626c709f37712dd5ed/html5/thumbnails/18.jpg)
• Postscript infinite loop
{} loop
16
Denial of service
![Page 19: Exploiting Network Printers Conf...CloudMe (read) list stat [CloudConvert] write read list stat read exec Attacks on Cloud Storage. 1. Background 2. Attacks 3. Evaluation 4. PRET 5](https://reader033.vdocuments.mx/reader033/viewer/2022043007/5f93f1626c709f37712dd5ed/html5/thumbnails/19.jpg)
• Reset to factory defaults
• Can be done with a print job (HP)
@PJL DMCMD ASCIIHEX=
"040006020501010301040106"
17
Protection bypass
![Page 20: Exploiting Network Printers Conf...CloudMe (read) list stat [CloudConvert] write read list stat read exec Attacks on Cloud Storage. 1. Background 2. Attacks 3. Evaluation 4. PRET 5](https://reader033.vdocuments.mx/reader033/viewer/2022043007/5f93f1626c709f37712dd5ed/html5/thumbnails/20.jpg)
• Redefinition of Postscript showpage operator
18
Print job manipulation
![Page 21: Exploiting Network Printers Conf...CloudMe (read) list stat [CloudConvert] write read list stat read exec Attacks on Cloud Storage. 1. Background 2. Attacks 3. Evaluation 4. PRET 5](https://reader033.vdocuments.mx/reader033/viewer/2022043007/5f93f1626c709f37712dd5ed/html5/thumbnails/21.jpg)
• Access to memory
• Access to file system
• Capture print jobs
Save on file system or in memory
19
Information disclosure
![Page 22: Exploiting Network Printers Conf...CloudMe (read) list stat [CloudConvert] write read list stat read exec Attacks on Cloud Storage. 1. Background 2. Attacks 3. Evaluation 4. PRET 5](https://reader033.vdocuments.mx/reader033/viewer/2022043007/5f93f1626c709f37712dd5ed/html5/thumbnails/22.jpg)
20
Attacker model: Web attacker
Carrier
Attacker(Website)
![Page 23: Exploiting Network Printers Conf...CloudMe (read) list stat [CloudConvert] write read list stat read exec Attacks on Cloud Storage. 1. Background 2. Attacks 3. Evaluation 4. PRET 5](https://reader033.vdocuments.mx/reader033/viewer/2022043007/5f93f1626c709f37712dd5ed/html5/thumbnails/23.jpg)
21
Same-origin policy
Carrier
evil.org internal.bank.com
![Page 24: Exploiting Network Printers Conf...CloudMe (read) list stat [CloudConvert] write read list stat read exec Attacks on Cloud Storage. 1. Background 2. Attacks 3. Evaluation 4. PRET 5](https://reader033.vdocuments.mx/reader033/viewer/2022043007/5f93f1626c709f37712dd5ed/html5/thumbnails/24.jpg)
22
CORS spoofing
Carrier
evil.org printer.bank.com:9100
JavaScript (PS file)
(HTTP/1.0 OK) print(Access-Control-Allow-Origin: evil.org) print…
![Page 25: Exploiting Network Printers Conf...CloudMe (read) list stat [CloudConvert] write read list stat read exec Attacks on Cloud Storage. 1. Background 2. Attacks 3. Evaluation 4. PRET 5](https://reader033.vdocuments.mx/reader033/viewer/2022043007/5f93f1626c709f37712dd5ed/html5/thumbnails/25.jpg)
1. Background
2. Attacks
3. Evaluation
4. PRET
5. Beyond printers
6. Countermeasures
23
Overview
![Page 26: Exploiting Network Printers Conf...CloudMe (read) list stat [CloudConvert] write read list stat read exec Attacks on Cloud Storage. 1. Background 2. Attacks 3. Evaluation 4. PRET 5](https://reader033.vdocuments.mx/reader033/viewer/2022043007/5f93f1626c709f37712dd5ed/html5/thumbnails/26.jpg)
• How would you proceed?
Our approach: Contacted university system administraators
24
Obtaining printers
![Page 27: Exploiting Network Printers Conf...CloudMe (read) list stat [CloudConvert] write read list stat read exec Attacks on Cloud Storage. 1. Background 2. Attacks 3. Evaluation 4. PRET 5](https://reader033.vdocuments.mx/reader033/viewer/2022043007/5f93f1626c709f37712dd5ed/html5/thumbnails/27.jpg)
25
Printers. Lots of printers
![Page 28: Exploiting Network Printers Conf...CloudMe (read) list stat [CloudConvert] write read list stat read exec Attacks on Cloud Storage. 1. Background 2. Attacks 3. Evaluation 4. PRET 5](https://reader033.vdocuments.mx/reader033/viewer/2022043007/5f93f1626c709f37712dd5ed/html5/thumbnails/28.jpg)
26
Evaluation results
![Page 29: Exploiting Network Printers Conf...CloudMe (read) list stat [CloudConvert] write read list stat read exec Attacks on Cloud Storage. 1. Background 2. Attacks 3. Evaluation 4. PRET 5](https://reader033.vdocuments.mx/reader033/viewer/2022043007/5f93f1626c709f37712dd5ed/html5/thumbnails/29.jpg)
Overview
1. Background
2. Attacks
3. Evaluation
4. PRET
5. Beyond printers
6. Countermeasures
27
Overview
![Page 30: Exploiting Network Printers Conf...CloudMe (read) list stat [CloudConvert] write read list stat read exec Attacks on Cloud Storage. 1. Background 2. Attacks 3. Evaluation 4. PRET 5](https://reader033.vdocuments.mx/reader033/viewer/2022043007/5f93f1626c709f37712dd5ed/html5/thumbnails/30.jpg)
Translator
PJL PostScript
PRET
Result
/str 256 string def (%*%../../../*) {==} str filenameforall
PostScript Request
PJL Request
PJL Response
(%disk0%../../../ init)(%disk0%../../../.profile)(%disk0%../../../tmp)
Postscript Response
init TYPE=FILE SIZE=1276.profile TYPE=FILE SIZE=834tmp TYPE=DIR
@PJL FSDIRLIST NAME="0:\..\..\" ENTRY=1 COUNT=3User command
- 834 .profile- 1276 initd - tmp
ConnectorAttacker
ls
28
PRinter Exploitation Toolkit (PRET)
![Page 31: Exploiting Network Printers Conf...CloudMe (read) list stat [CloudConvert] write read list stat read exec Attacks on Cloud Storage. 1. Background 2. Attacks 3. Evaluation 4. PRET 5](https://reader033.vdocuments.mx/reader033/viewer/2022043007/5f93f1626c709f37712dd5ed/html5/thumbnails/31.jpg)
29
PRET commands
![Page 32: Exploiting Network Printers Conf...CloudMe (read) list stat [CloudConvert] write read list stat read exec Attacks on Cloud Storage. 1. Background 2. Attacks 3. Evaluation 4. PRET 5](https://reader033.vdocuments.mx/reader033/viewer/2022043007/5f93f1626c709f37712dd5ed/html5/thumbnails/32.jpg)
1. Background
2. Attacks
3. Evaluation
4. PRET
5. Beyond printers
6. Countermeasures
30
Overview
![Page 33: Exploiting Network Printers Conf...CloudMe (read) list stat [CloudConvert] write read list stat read exec Attacks on Cloud Storage. 1. Background 2. Attacks 3. Evaluation 4. PRET 5](https://reader033.vdocuments.mx/reader033/viewer/2022043007/5f93f1626c709f37712dd5ed/html5/thumbnails/33.jpg)
Attacker
Converting PostScript = interpreting PostScript
31
Google Cloud Print
![Page 34: Exploiting Network Printers Conf...CloudMe (read) list stat [CloudConvert] write read list stat read exec Attacks on Cloud Storage. 1. Background 2. Attacks 3. Evaluation 4. PRET 5](https://reader033.vdocuments.mx/reader033/viewer/2022043007/5f93f1626c709f37712dd5ed/html5/thumbnails/34.jpg)
• PS conversion websites
• Image conversion sites
• Thumbnail preview
32
PostScript in the web?
![Page 35: Exploiting Network Printers Conf...CloudMe (read) list stat [CloudConvert] write read list stat read exec Attacks on Cloud Storage. 1. Background 2. Attacks 3. Evaluation 4. PRET 5](https://reader033.vdocuments.mx/reader033/viewer/2022043007/5f93f1626c709f37712dd5ed/html5/thumbnails/35.jpg)
32
File system Environment
variables
Command
execution
[Dropbox] read list stat read
Box.com (read) list stat read
[Google Drive] (read) (list) stat
MS OneDrive read list stat read
Yandex Disk (read) list stat read
Jumpshare write read list stat read exec
CloudMe (read) list stat
[CloudConvert] write read list stat read exec
Attacks on Cloud Storage
![Page 36: Exploiting Network Printers Conf...CloudMe (read) list stat [CloudConvert] write read list stat read exec Attacks on Cloud Storage. 1. Background 2. Attacks 3. Evaluation 4. PRET 5](https://reader033.vdocuments.mx/reader033/viewer/2022043007/5f93f1626c709f37712dd5ed/html5/thumbnails/36.jpg)
1. Background
2. Attacks
3. Evaluation
4. PRET
5. Beyond printers
6. Countermeasures
33
Overview
![Page 37: Exploiting Network Printers Conf...CloudMe (read) list stat [CloudConvert] write read list stat read exec Attacks on Cloud Storage. 1. Background 2. Attacks 3. Evaluation 4. PRET 5](https://reader033.vdocuments.mx/reader033/viewer/2022043007/5f93f1626c709f37712dd5ed/html5/thumbnails/37.jpg)
34
Countermeasures
![Page 38: Exploiting Network Printers Conf...CloudMe (read) list stat [CloudConvert] write read list stat read exec Attacks on Cloud Storage. 1. Background 2. Attacks 3. Evaluation 4. PRET 5](https://reader033.vdocuments.mx/reader033/viewer/2022043007/5f93f1626c709f37712dd5ed/html5/thumbnails/38.jpg)
“Hacker Stackoverflowin made 160,000 printers spewout ASCII art around the world” -- theregister.co.uk
35
Do not connect printers to the Internet
![Page 39: Exploiting Network Printers Conf...CloudMe (read) list stat [CloudConvert] write read list stat read exec Attacks on Cloud Storage. 1. Background 2. Attacks 3. Evaluation 4. PRET 5](https://reader033.vdocuments.mx/reader033/viewer/2022043007/5f93f1626c709f37712dd5ed/html5/thumbnails/39.jpg)
• Employees: always lock the copy room
• Administrators: sandbox printers in aVLAN accessible only via print server
• Printer vendors: undo insecure designdecisions (PostScript, proprietary PJL)
• Browser vendors: block port 9100
37
Countermeasures
![Page 40: Exploiting Network Printers Conf...CloudMe (read) list stat [CloudConvert] write read list stat read exec Attacks on Cloud Storage. 1. Background 2. Attacks 3. Evaluation 4. PRET 5](https://reader033.vdocuments.mx/reader033/viewer/2022043007/5f93f1626c709f37712dd5ed/html5/thumbnails/40.jpg)
• Systematic analysis of networkprinters and printing standards
• Insecurity of Postscript and PJL
• Attacks applied to different areas
• TODO:
– Firmware Updates, Fax, 3D printing
37
Conclusions and future work
![Page 41: Exploiting Network Printers Conf...CloudMe (read) list stat [CloudConvert] write read list stat read exec Attacks on Cloud Storage. 1. Background 2. Attacks 3. Evaluation 4. PRET 5](https://reader033.vdocuments.mx/reader033/viewer/2022043007/5f93f1626c709f37712dd5ed/html5/thumbnails/41.jpg)
PRET („Printer Exploitation Toolkit“)
https://github.com/RUB-NDS/PRET
Hacking Printers Wiki
http://hacking-printers.net/
Questions?38
Thanks for your attention...