Your printer is not your printer! - Hacking Printers at Pwn2Own
Angelboy
angelboy@chroot.org
@scwuaptx
Whoami
• Angelboy (An-Jie Yang)
• Researcher at DEVCORE
• Ex-CTF player
  • HITCON / 217
  • Chroot
• Pwn2Own
  • 2020 Tokyo / 2021 Austin
• Co-founder of pwnable.tw
• Speaker
  • HITB GSEC 2018 / AVTokyo 2018 / VXCON / HITCON

Agenda
• Introduction
• Analysis
• Attack Surface
• Hacking printers at Pwn2Own
• Mitigation
• Conclusion
Introduction - Printer
• In the early days, to use a printer it was necessary to
  • Connect it to the computer over IEEE 1284 or USB
  • Install a printer driver before printing
• A printer usually offered only a single function: printing

Introduction - Printer as IoT
• Nowadays a printer provides a variety of services, which makes it not only more convenient but also closer to an IoT device
• It can be discovered immediately once it is connected to the intranet

Printing is easier, and hacking is also easier
Introduction - Motivation
• Red Team
  • The printer is one of the most common devices in an intranet
  • A good target to hide our actions
  • Sometimes integrated with Active Directory
• Pwn2Own 2021 Austin

We thought they were trivial at first, but …
  `ls`
  ; /bin/usr/id ;
  %0Acat%20/etc/passwd

RTOS (Real-Time Operating System)

Challenge accepted!

We will focus on Canon and HP in this talk
Analysis
• At the beginning, we thought we needed to ……

In fact, we didn't tear down any of them!

Canon
Analysis - Canon - Firmware Extract
• Firmware version v6.03, from the Canon official site
• At the beginning we used binwalk, but the firmware is obfuscated, so we cannot load it into IDA directly
• We also tried some previous works
  • TREASURE CHEST PARTY QUEST: FROM DOOM TO EXPLOIT, by Synacktiv
  • Hacking Canon Pixma Printers – Doomed Encryption, by Contextis research
  • But they cannot extract this firmware :(
• We can still find some information in the obfuscated firmware: a size field and a magic value
• We decided to use this pattern to search other firmware images for ones that are not obfuscated
Analysis - Canon - Firmware Extract
• We need to download other firmware images from the Canon official website
• The original firmware download URL is
  https://pdisp01.c-wss.com/gdl/WWUFORedirectTarget.do?id=MDQwMDAwNDc1MjA1&cmp=Z01&lang=EN
• The id parameter is base64; it decodes to 040000475205, which is made up of
  • Type (pdf, firmware, …)
  • Ordinal number (other models)
  • Version (firmware version)
• We can list all versions of the firmware
  • V2.01
  • V4.02
  • V6.03
  • V9.03 !?
  • V10.02 !?

But all versions are obfuscated 😭

Let's download all models
Analysis - Canon - Firmware Extract
• The total file size is 130 GB
• grep for NCFW and some plaintext strings
• The WG7000 series firmware is not obfuscated!
• We analyzed the WG7000 firmware to find the key function
• We tried to use the same function to deobfuscate the firmware of the MF644CDW
  • Bingo!

Plaintext message (screenshot)
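The search the slides describe, grepping 130 GB of downloaded images for the NCFW marker and plaintext, can be automated as a triage pass over each file. The C program below is an added example written for this page, not code from the talk or from Canon: it looks for the magic and scores how far the byte histogram is from uniform (a chi-square test, the same statistic the classic `ent` tool reports), so near-random obfuscated images can be skipped without opening each one. The two sample blobs, the LCG that stands in for the vendor's obfuscation, and the threshold of 1000 are all constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Chi-square distance of the byte histogram from a uniform distribution.
 * Random-looking (obfuscated/compressed) data scores around 255; an image
 * full of strings and code scores far higher. No libm needed. */
double chi_square_uniform(const uint8_t *buf, size_t len)
{
    size_t hist[256] = {0};
    double expected, chi = 0.0;
    if (len == 0) return 0.0;
    expected = (double)len / 256.0;
    for (size_t i = 0; i < len; i++) hist[buf[i]]++;
    for (int b = 0; b < 256; b++) {
        double d = (double)hist[b] - expected;
        chi += d * d / expected;
    }
    return chi;
}

/* Offset of the first occurrence of a magic string (e.g. "NCFW") in buf, or -1. */
long find_magic(const uint8_t *buf, size_t len, const char *magic)
{
    size_t m = strlen(magic);
    for (size_t i = 0; i + m <= len; i++)
        if (memcmp(buf + i, magic, m) == 0) return (long)i;
    return -1;
}

/* Assumed threshold: comfortably above the ~255 that random bytes produce. */
#define CHI_PLAINTEXT_MIN 1000.0

/* 1 if the blob carries the marker and its byte distribution is far from
 * uniform, i.e. it looks like an unobfuscated image worth disassembling. */
int looks_plaintext(const uint8_t *buf, size_t len)
{
    return find_magic(buf, len, "NCFW") >= 0 &&
           chi_square_uniform(buf, len) > CHI_PLAINTEXT_MIN;
}

#define SAMPLE_LEN 4096
static uint8_t g_plain[SAMPLE_LEN], g_obf[SAMPLE_LEN];

/* Constructed samples: a "plaintext" image (marker followed by repeated debug
 * strings) and an "obfuscated" one filled from an LCG, which only stands in
 * for the vendor's real scheme. */
void build_samples(void)
{
    const char *msgs[] = { "DryOS boot: init done", "slp: attribute request",
                           "bjnp: session opened" };
    size_t off = 4;
    uint32_t x = 0x12345678u;

    memset(g_plain, 0, SAMPLE_LEN);
    memcpy(g_plain, "NCFW", 4);
    for (int i = 0; off + 32 < SAMPLE_LEN; i = (i + 1) % 3) {
        size_t l = strlen(msgs[i]) + 1;          /* keep the NUL terminator */
        memcpy(g_plain + off, msgs[i], l);
        off += l;
    }
    for (size_t i = 0; i < SAMPLE_LEN; i++) {
        x = x * 1664525u + 1013904223u;
        g_obf[i] = (uint8_t)(x >> 24);
    }
}

int demo_plain_verdict(void) { build_samples(); return looks_plaintext(g_plain, SAMPLE_LEN); }
int demo_obf_verdict(void)   { build_samples(); return looks_plaintext(g_obf, SAMPLE_LEN); }

int main(void)
{
    build_samples();
    printf("plain: chi2=%.0f verdict=%d\n", chi_square_uniform(g_plain, SAMPLE_LEN), demo_plain_verdict());
    printf("obf:   chi2=%.0f verdict=%d\n", chi_square_uniform(g_obf, SAMPLE_LEN), demo_obf_verdict());
    return 0;
}
```

In practice the same two functions run over every file in the download set; the magic alone is what the talk grepped for, and the chi-square score is the extra signal that separates an unobfuscated image from one that merely happens to contain the marker inside random-looking bytes.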
Analysis - Canon - Firmware Analysis
• Image base address
  • We spent some time looking for the image base address of the firmware
  • rbasefind
  • The original base it reports is 0x40b00000, but it doesn't seem to be correct: operands that should be strings don't resolve to strings
  • We can use a known-correct function and its debug message to adjust to the correct offset
  • We found the base is 0x40affde0
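The base-address search above (rbasefind, then a manual correction from a known function and its debug string) can be done in one pass by tallying, for every 32-bit word and every string offset in the image, the base that would make that word point at that string; the base with the most votes wins. Because the candidates come from the data itself, the result need not be page-aligned, which is why a page-stride scan lands on 0x40b00000 while the real base is 0x40affde0. The C program below is an added example for this page, not the talk's tooling and not rbasefind itself; it runs on a constructed ARM-style image whose strings, table offsets and size are made up, with the talk's base reused as the planted answer.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MIN_STR_LEN 8
#define MAX_STRS    256

/* Record the image offsets of NUL-terminated printable strings of at least
 * MIN_STR_LEN bytes: the targets that pointers in the firmware should hit. */
static size_t collect_strings(const uint8_t *img, size_t len, uint32_t *out, size_t max_out)
{
    size_t n = 0, start = 0;
    int in_run = 0;
    for (size_t i = 0; i < len; i++) {
        if (isprint(img[i])) {
            if (!in_run) { in_run = 1; start = i; }
            continue;
        }
        if (in_run && img[i] == 0 && i - start >= MIN_STR_LEN && n < max_out)
            out[n++] = (uint32_t)start;
        in_run = 0;
    }
    return n;
}

static uint32_t read_le32(const uint8_t *p)     /* ARMv7 image: little-endian words */
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static int cmp_u32(const void *a, const void *b)
{
    uint32_t x = *(const uint32_t *)a, y = *(const uint32_t *)b;
    return (x > y) - (x < y);
}

/* For every (word, string offset) pair the candidate base is word - offset; the
 * candidate that explains the most words wins. *hits receives that vote count. */
uint32_t find_image_base(const uint8_t *img, size_t len, size_t *hits)
{
    uint32_t strs[MAX_STRS], best = 0, *cands;
    size_t ns = collect_strings(img, len, strs, MAX_STRS);
    size_t nwords = len / 4, nc = 0, best_run = 0;

    if (hits) *hits = 0;
    if (ns == 0 || nwords == 0) return 0;
    cands = malloc(nwords * ns * sizeof *cands);
    if (!cands) return 0;
    for (size_t i = 0; i + 4 <= len; i += 4) {
        uint32_t w = read_le32(img + i);
        for (size_t j = 0; j < ns; j++)
            if (w >= strs[j]) cands[nc++] = w - strs[j];
    }
    qsort(cands, nc, sizeof *cands, cmp_u32);
    for (size_t i = 0, run = 0; i < nc; i++) {     /* longest run of equal candidates */
        run = (i > 0 && cands[i] == cands[i - 1]) ? run + 1 : 1;
        if (run > best_run) { best_run = run; best = cands[i]; }
    }
    free(cands);
    if (hits) *hits = best_run;
    return best;
}

#define SYNTH_BASE 0x40affde0u   /* the base the talk found; reused as the planted answer */
#define SYNTH_LEN  0x400

/* Constructed image: string pool at 0x200 and two pointer tables (0x40, 0x80)
 * that reference every string, little-endian, as firmware data tables would. */
void build_synthetic_image(uint8_t *img)
{
    const char *msgs[] = { "DryOS boot: init done", "slp: attribute request",
                           "bjnp: session opened", "lpd: job received",
                           "snmp: trap sent", "rui: login page" };
    uint32_t ptrs[6];
    size_t off = 0x200;

    memset(img, 0, SYNTH_LEN);
    for (int i = 0; i < 6; i++) {
        size_t l = strlen(msgs[i]) + 1;
        memcpy(img + off, msgs[i], l);
        ptrs[i] = SYNTH_BASE + (uint32_t)off;
        off += (l + 3) & ~(size_t)3;            /* keep strings 4-byte aligned */
    }
    for (int i = 0; i < 6; i++)
        for (int k = 0; k < 4; k++) {
            img[0x40 + 4 * i + k] = (uint8_t)(ptrs[i] >> (8 * k));
            img[0x80 + 4 * i + k] = (uint8_t)(ptrs[i] >> (8 * k));
        }
}

static size_t g_hits;

uint32_t demo_find_base(void)
{
    uint8_t img[SYNTH_LEN];
    build_synthetic_image(img);
    return find_image_base(img, SYNTH_LEN, &g_hits);
}
int demo_matched_pointers(void) { demo_find_base(); return (int)g_hits; }
```

On a real image the candidate array grows as words × strings, so one would cap the string count or sample the words; the voting idea is unchanged. The twelve planted pointers (six strings, two tables) all vote for 0x40affde0, while the accidental pairings spread their votes across distinct values.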
Analysis - Canon - Firmware Analysis
• Canon MF644CDW
  • OS: DryOSV2, a customized RTOS by Canon
  • ARMv7 32-bit little-endian
  • Linked with the application code into a single image
    • Kernel
    • Services
    • …
HP

Analysis - HP - Firmware Extract
• Relatively easy: binwalk -Z
  • It takes about 3 - 4 days
  • It will get the correct firmware!
• The other parts are similar to Canon

Analysis - HP - Firmware Analysis
• HP MFP M283fdw
  • OS: RTOS, modified from ThreadX / Green Hills
  • ARM11, mixed-endian
    • Code: little-endian
    • Data: big-endian
Attack Surface
• Nowadays, there are many services enabled by default

  Service   Port        Description
  RUI       TCP 80      Web interface
  PDL       TCP 9100    Page Description Language
  PJL       TCP 9100    Printer Job Language
  IPP       TCP 631     Internet Printing Protocol
  LPD       TCP 515     Line Printer Daemon Protocol
  SNMP      UDP 161     Simple Network Management Protocol
  SLP       TCP 427     Service Location Protocol
  mDNS      UDP 5353    Multicast DNS
  LLMNR     UDP 5355    Link-Local Multicast Name Resolution
  …         …           …

• After we evaluated the overall architecture, we decided to focus on the service discovery and DNS-like series of services
  • SLP
  • mDNS
  • LLMNR

Such protocols, implemented by the manufacturers themselves, are often prone to vulnerabilities
Hacking Canon Printer

Hacking printers at Pwn2Own - Service Location Protocol
• SLP is a service discovery protocol that allows computers and other devices to find services in a local area network

Hacking printers at Pwn2Own - Canon - SLP
• SLP architecture without a Directory Agent
  • User Agent (client) → Service Agent (printer): Service Request / Attribute Request, by unicast or multicast
  • Service Agent (printer) → User Agent (client): Service Reply / Attribute Reply, by unicast
Hacking printers at Pwn2Own - Canon - SLP
• SLP packet structure (header)

  Bit 0 - 7               Bit 8 - 15             Bit 16 - 23        Bit 24 - 31
  Version                 Function-Id            Length
  Length, contd.          O F R  Reserved        Next Ext Offset
  Next Ext Offset, contd.                        XID
  Language Tag Length                            Language Tag (Variable)
  Payload (Variable)

• Canon only implemented Service Request and Attribute Request

  Function Code   Message Type
  1               Service Request
  6               Attribute Request

• Attribute Request (AttrRqst)
  • Allows a User Agent to discover the attributes of a given service (by supplying its URL) or of an entire service type
  • Payload layout, after the header:

  …                        …
  Length of <scope-list>   <scope-list> string (Variable)
  …                        …
  Length of URL            URL (Variable)

  https://www.ietf.org/rfc/rfc2608.txt
Hacking printers at Pwn2Own - Canon - Vulnerability
• There is a stack overflow when Canon parses the body of an AttrRqst
  • The parser converts escaped characters back into characters, e.g. \41 → A
  • Although there is length validation in the normal case, there is no validation in the escaping case
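The defect above is a check that exists on the literal-copy path but not on the escape path, so a field built from escapes never meets it. The decoder below keeps one capacity check in front of every output byte, so both paths are bounded by the same test, and validates the 16-bit length prefix against the packet before touching the field. It is an added example for this page, not Canon's code; the stack buffer size, the field bytes and the helper names are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ATTR_URL_MAX 64   /* constructed: size of the stack buffer the URL is decoded into */

static int hexval(uint8_t c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode RFC 2608 "\xx" escapes from an AttrRqst string into out[cap].
 * The capacity check runs before *every* output byte, so the escaped path is
 * bounded exactly like the literal path. Returns the decoded length, or -1 on
 * a malformed escape or when the decoded text (plus NUL) would not fit. */
int slp_unescape(const uint8_t *in, size_t in_len, char *out, size_t cap)
{
    size_t i = 0, o = 0;
    while (i < in_len) {
        if (o + 1 >= cap) return -1;                  /* keep room for the NUL */
        if (in[i] == '\\') {
            if (i + 2 >= in_len) return -1;           /* truncated escape */
            int hi = hexval(in[i + 1]), lo = hexval(in[i + 2]);
            if (hi < 0 || lo < 0) return -1;          /* not two hex digits */
            out[o++] = (char)((hi << 4) | lo);
            i += 3;
        } else {
            out[o++] = (char)in[i++];
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Parse one "Length of URL | URL" field: 16-bit big-endian length, then bytes. */
int slp_parse_url_field(const uint8_t *buf, size_t len, char *out, size_t cap)
{
    if (len < 2) return -1;
    size_t url_len = ((size_t)buf[0] << 8) | buf[1];
    if (url_len > len - 2) return -1;                 /* prefix runs past the packet */
    return slp_unescape(buf + 2, url_len, out, cap);
}

static char g_out[ATTR_URL_MAX];

/* Constructed field: length 11, "service:" followed by the escape \41 ('A'). */
int demo_escaped_url(void)
{
    static const uint8_t field[] = { 0x00, 0x0b, 's','e','r','v','i','c','e',':','\\','4','1' };
    return slp_parse_url_field(field, sizeof field, g_out, sizeof g_out);
}
const char *demo_escaped_url_text(void) { demo_escaped_url(); return g_out; }

/* Constructed field of 70 escapes: 210 raw bytes that decode to 70, more than
 * ATTR_URL_MAX. A check only on the literal path would never see them. */
int demo_oversized_escaped(void)
{
    uint8_t field[2 + 3 * 70];
    field[0] = 0x00;
    field[1] = 3 * 70;
    for (int i = 0; i < 70; i++) {
        field[2 + 3 * i] = '\\';
        field[3 + 3 * i] = '4';
        field[4 + 3 * i] = '1';
    }
    return slp_parse_url_field(field, sizeof field, g_out, sizeof g_out);
}
```

The point to carry over to any such parser is that the bound must be enforced on the decoded output length, at the single place where bytes are written, rather than duplicated per input branch.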
Hacking printers at Pwn2Own - Canon - Exploitation
• Protection
  • No stack guard
  • No DEP
  • No ASLR

Hacker friendly :)

We just need to find a buffer to store our shellcode and return to it
Hacking printers at Pwn2Own - Canon - Exploitation
• BJNP
  • A service discovery protocol designed by Canon
  • Exploited by Synacktiv
  • It stores session data in a global buffer
• Exploit steps
  • Use BJNP to store our shellcode in a global buffer
  • Trigger the stack overflow in SLP and overwrite the return address
  • Return to the global buffer
Hacking printers at Pwn2Own - Pwn2Own Austin 2021
• Pwn2Own requires you to prove that you have pwned the target
• For a printer, we chose at first to show the "DEVCORE logo" on the LCD screen

But we spent a lot of time looking for it …

• In the end, due to time constraints, we only chose to print a message on the screen
• http://youtu.be/vQbQImZ3XRw?t=18405
Hacking printers at Pwn2Own - Canon - Exploitation
• Debugger?
  • If we want to debug it, we need a debug console
    • Requires tearing down the printer
  • Or use an old exploit to install a customized debugger
    • Requires downgrading the printer
• But we are too lazy, so we just use "sleep debugging" :)
  • ROP/shellcode → do something → sleep → reboot

Hacking HP Printer
Hacking printers at Pwn2Own - Link-Local Multicast Name Resolution
• LLMNR is very similar to mDNS. It provides basic name resolution on the same local link

Hacking printers at Pwn2Own - HP - LLMNR
• LLMNR protocol
  • Client A asks "Address of Client C?" by sending the request to the multicast address 224.0.0.252; Clients B, C and D all receive it
  • Client C answers with an LLMNR response
Hacking printers at Pwn2Own - HP - LLMNR
• LLMNR header (based on the DNS header format)

  Bit 0 - 7       Bit 8 - 15       Bit 16 - 23      Bit 24 - 31
  ID                               Flags
  QDCOUNT                          ANCOUNT
  NSCOUNT                          ARCOUNT
  Queries (Variable)

• LLMNR queries use the same format as a DNS query
  • Name encoded as length-prefixed labels: 0x3 www 0x6 google 0x3 com 0
  • followed by Type, Class, …
  • 0xc0 0x0d: a name compression pointer, as in DNS
Hacking printers at Pwn2Own - HP - Vulnerability
• There is a stack overflow when LLMNR parses the queries
  • The name is copied into a fixed-size buffer on the stack
  • Without any length verification
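A name decoder for the query section that bounds every copy: each label against the packet and the 63-byte label limit, the accumulated name against the 255-byte buffer, and compression pointers (the 0xc0 0x0d bytes on the slide are one) against both the packet and a backwards-only rule so a pointer loop cannot spin the parser. This is an added example for this page, not HP's code; the query bytes, buffer sizes and helper names are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NAME_MAX  255   /* DNS/LLMNR name limit; also sizes the decode buffer */
#define LABEL_MAX 63

/* Decode a DNS-style name starting at msg[off] into out[NAME_MAX + 1] as dotted
 * text. Returns the number of bytes the name occupies at the query's own
 * position (so the caller can find Type/Class after it), or -1 on bad input. */
int llmnr_decode_name(const uint8_t *msg, size_t msg_len, size_t off, char *out)
{
    size_t o = 0, pos = off, consumed = 0;
    int jumped = 0, hops = 0;
    for (;;) {
        if (pos >= msg_len) return -1;
        uint8_t len = msg[pos];
        if ((len & 0xC0) == 0xC0) {                   /* compression pointer */
            if (pos + 1 >= msg_len) return -1;
            if (++hops > 8) return -1;                /* chain too long */
            size_t target = ((size_t)(len & 0x3F) << 8) | msg[pos + 1];
            if (!jumped) consumed = pos + 2 - off;
            jumped = 1;
            if (target >= pos) return -1;             /* must point backwards: no loops */
            pos = target;
            continue;
        }
        if (len & 0xC0) return -1;                    /* reserved label types */
        if (!jumped) consumed = pos + 1 + len - off;
        pos++;
        if (len == 0) break;                          /* root label ends the name */
        if (len > LABEL_MAX || pos + len > msg_len) return -1;
        if (o + len + 1 > NAME_MAX) return -1;        /* total name would overflow */
        if (o > 0) out[o++] = '.';
        memcpy(out + o, msg + pos, len);
        o += len;
        pos += len;
    }
    out[o] = '\0';
    return (int)consumed;
}

/* Constructed LLMNR query: header with QDCOUNT=2, then "www.google.com" at
 * offset 12 and "mail" + pointer to the "google" label (offset 0x10) at 32. */
static const uint8_t g_query[] = {
    0x12, 0x34, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    3,'w','w','w', 6,'g','o','o','g','l','e', 3,'c','o','m', 0,
    0x00, 0x01, 0x00, 0x01,
    4,'m','a','i','l', 0xC0, 0x10,
    0x00, 0x01, 0x00, 0x01
};
static char g_name[NAME_MAX + 1];

int demo_first_question(void)  { return llmnr_decode_name(g_query, sizeof g_query, 12, g_name); }
const char *demo_first_name(void)  { demo_first_question(); return g_name; }
int demo_second_question(void) { return llmnr_decode_name(g_query, sizeof g_query, 32, g_name); }
const char *demo_second_name(void) { demo_second_question(); return g_name; }

/* Five 63-byte labels: 320 wire bytes, more than any 255-byte name buffer. */
int demo_oversized_name(void)
{
    uint8_t msg[12 + 5 * 64 + 1];
    memset(msg, 0, sizeof msg);
    for (int i = 0; i < 5; i++) {
        msg[12 + 64 * i] = 63;
        memset(msg + 13 + 64 * i, 'a', 63);
    }
    return llmnr_decode_name(msg, sizeof msg, 12, g_name);
}

/* A pointer that points at itself. */
int demo_pointer_loop(void)
{
    static const uint8_t msg[14] = { [12] = 0xC0, [13] = 0x0C };
    return llmnr_decode_name(msg, sizeof msg, 12, g_name);
}
```

The "fixed size buffer on stack" from the slide is `out` here; what makes it safe is not its size but the `o + len + 1 > NAME_MAX` test before each memcpy, which is exactly the check the vulnerable parser lacked.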
We tried to exploit it in a similar way to Canon, but …
Hacking printers at Pwn2Own - HP - Exploitation
• Protection
  • No stack guard
  • XN (DEP)
  • Memory Protection Unit (MPU)
  • No ASLR
• Some limits of this vulnerability
  • We can only overflow about 0x100 bytes
  • Null terminated
  • XN (DEP) and the MPU prevent us from executing shellcode

Hacker not friendly?
Can it be bypassed? How to implement it?
Hacking printers at Pwn2Own - HP - Exploitation
• Let's delve into the HP RTOS
  • Linked with the application code into a single image
  • Many tasks run
    • in the same virtual address space
    • in kernel mode

MMU
Hacking printers at Pwn2Own - HP - Exploitation
• MMU in the HP M283fdw
  • Uses one-level page table translation
  • Each translation table entry translates a 1 MB section
  • The translation table is located at 0x4003c000

Hacking printers at Pwn2Own - HP - MMU
• Translation walk: TTBR points to the translation table; virtual address bits [31:20] are the index into the first-level table and bits [19:0] the offset within the section; the selected translation table entry supplies the section's physical address
• Section translation table entry layout, bit 31 down to bit 0:
  [31:20] Section Address | [19:18] 0 0 | [17] nG | [16] S | [15] APX | [14:12] TEX | [11:10] AP | [9] P | [8:5] Domain | [4] XN | [3] C | [2] B | [1:0] 1 0
Hacking printers at Pwn2Own - HP - Exploitation
• MMU in the HP M283fdw
  • The translation table is at a known address
  • We can bypass XN by modifying a translation table entry!
  • But it's protected by the Memory Protection Unit (MPU)
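Because the first-level entries are plain 32-bit words at a known address, the same layout the attack relies on lets a firmware reviewer audit the mapping: decode the XN and AP/APX fields of every 1 MB section entry, flag sections that are both writable and executable, and check whether the section holding the translation table itself is writable (if it is, XN lasts only as long as the MPU does). The C program below is an added example for this page, not HP's firmware; apart from the table address 0x4003c000 quoted from the talk, the table contents and addresses are constructed. The bit positions follow the ARMv7 short-descriptor section format.

```c
#include <stddef.h>
#include <stdint.h>

/* ARMv7 short-descriptor first-level *section* entry (1 MB): [31:20] section base,
 * [17] nG, [16] S, [15] APX, [14:12] TEX, [11:10] AP, [8:5] domain, [4] XN,
 * [3] C, [2] B, [1:0] = 0b10 marks a section. */
#define SECT_TYPE_MASK  0x3u
#define SECT_TYPE       0x2u
#define SECT_XN         (1u << 4)
#define SECT_AP_SHIFT   10
#define SECT_AP_MASK    (0x3u << SECT_AP_SHIFT)
#define SECT_APX        (1u << 15)
#define SECT_BASE_MASK  0xFFF00000u
#define TT_ENTRIES      4096u            /* 4 GB of VA / 1 MB per entry */
#define TT_VA           0x4003c000u      /* translation table address quoted in the talk */

int is_section(uint32_t e) { return (e & SECT_TYPE_MASK) == SECT_TYPE; }

/* Privileged code may write when APX == 0 and AP != 0b00 (001, 010, 011 allow PL1 writes). */
int section_writable(uint32_t e)
{
    return !(e & SECT_APX) && ((e & SECT_AP_MASK) >> SECT_AP_SHIFT) != 0;
}

int section_executable(uint32_t e) { return !(e & SECT_XN); }

/* Walk a first-level table and collect the virtual addresses of sections that are
 * both writable and executable. Returns the number found (even beyond max_vas). */
size_t audit_wx_sections(const uint32_t *tt, size_t entries, uint32_t *vas, size_t max_vas)
{
    size_t n = 0;
    for (size_t i = 0; i < entries; i++) {
        uint32_t e = tt[i];
        if (!is_section(e) || !section_writable(e) || !section_executable(e)) continue;
        if (n < max_vas) vas[n] = (uint32_t)i << 20;   /* entry i maps VA [i MB, i+1 MB) */
        n++;
    }
    return n;
}

/* Is the section that holds the translation table itself writable? */
int table_section_writable(const uint32_t *tt, uint32_t table_va)
{
    uint32_t e = tt[table_va >> 20];
    return is_section(e) && section_writable(e);
}

/* Build a section entry; domain/TEX/C/B are left at zero for the example. */
uint32_t make_section(uint32_t phys_base, unsigned ap, int apx, int xn)
{
    return (phys_base & SECT_BASE_MASK) | ((ap & 3u) << SECT_AP_SHIFT) |
           (apx ? SECT_APX : 0u) | (xn ? SECT_XN : 0u) | SECT_TYPE;
}

static uint32_t g_tt[TT_ENTRIES];
static uint32_t g_vas[8];

/* Constructed table: 0x40000000 code (read-only, executable, contains the page
 * table), 0x40100000 data (RW, XN), and a sloppy 0x40200000 mapping that is RW
 * and executable. */
void build_demo_table(void)
{
    for (size_t i = 0; i < TT_ENTRIES; i++) g_tt[i] = 0;   /* 0 = fault entry */
    g_tt[0x400] = make_section(0x40000000u, 1, 1, 0);
    g_tt[0x401] = make_section(0x40100000u, 1, 0, 1);
    g_tt[0x402] = make_section(0x40200000u, 3, 0, 0);
}

int demo_wx_count(void)
{
    build_demo_table();
    return (int)audit_wx_sections(g_tt, TT_ENTRIES, g_vas, 8);
}
uint32_t demo_wx_first_va(void) { demo_wx_count(); return g_vas[0]; }
int demo_table_writable(void) { build_demo_table(); return table_section_writable(g_tt, TT_VA); }
```

Run over a 16 KB dump of the real table, the audit lists every W+X section and says whether the table's own mapping is writable; in the talk's device the latter is what the MPU, not the MMU, was guarding.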
MPU
Hacking printers at Pwn2Own - HP - Exploitation
• Memory Protection Unit
  • The MPU enables you to partition memory into regions and set individual protection attributes for each region
  • Enabled when booting
  • Physical memory is split into regions, for example
    • Region 0 (page table, code): read only
    • Region 1 (data): RW
    • Region …
  • A write access to the read-only region 0 is blocked by the MPU
• The MPU is configured by a series of memory-mapped registers in the System Control Space
  • MPU_TYPE, MPU_CTRL, MPU_RNR, …
  • MPU_CTRL: 0xE0400304

We can easily use ROP to overwrite it with 0 to disable the MPU
Hacking printers at Pwn2Own - HP - Exploitation
• After we disable the MPU and overwrite the translation table entry
  • We can modify any code page
  • Modify the code of LPD (Line Printer Daemon) so that it reads our payload into a specific address
  • Convert LPD into a debug console
  • We must invalidate
    • the Translation Lookaside Buffer
    • the D-cache and I-cache
Hacking printers at Pwn2Own - HP - Exploitation
• Exploit steps
  • Trigger the stack overflow in LLMNR and overwrite the return address
  • ROP to disable the MPU
  • ROP to modify the translation table entry
  • Flush the TLB
  • ROP to invalidate the I-cache and D-cache
  • ROP to modify the code of LPD
  • Use the modified LPD to read our shellcode and jump to it
Hacking printers at Pwn2Own - Pwn2Own Austin 2021
• Pwn2Own requires you to prove that you have pwned the target
• Originally, we just wanted to print a message on the LCD screen
• But luckily, we later saw that something a little like the DEVCORE logo could be printed
  • Just modify the string and trigger the printer test
• Debug console (screenshot)
• Result (screenshot)

Hacking printers at Pwn2Own - Exploitation
• After we have code execution, we can
  • Steal credentials
  • Move laterally
  • Stay hard to detect
  • …
Mitigation
• Update
  • Canon and HP printers have been patched; please update to the latest firmware
• Disable unused services
  • The attack surface of a printer is too huge
  • Many services are open by default
• Firewall

Conclusion
• Discovery and DNS-like services are weak in printers
• The printer is still a good target for red teams
Thank you for listening
@scwuaptx

[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by An-Jie Yang

[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
CODE BLUE
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
CODE BLUE
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
CODE BLUE
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
CODE BLUE
 
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
[cb22]  ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...[cb22]  ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
CODE BLUE
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
[cb22]  「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman [cb22]  「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
CODE BLUE
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
CODE BLUE
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by  高橋 郁夫[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by  高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
CODE BLUE
 
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
CODE BLUE
 
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka [cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
CODE BLUE
 
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
CODE BLUE
 
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
CODE BLUE
 
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
[cb22]  From Parroting to Echoing:  The Evolution of China’s Bots-Driven Info...[cb22]  From Parroting to Echoing:  The Evolution of China’s Bots-Driven Info...
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
CODE BLUE
 
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22]  Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...[cb22]  Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
CODE BLUE
 
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
CODE BLUE
 
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
CODE BLUE
 
[cb22] What I learned from the direct confrontation with the adversaries who ...
[cb22] What I learned from the direct confrontation with the adversaries who ...[cb22] What I learned from the direct confrontation with the adversaries who ...
[cb22] What I learned from the direct confrontation with the adversaries who ...
CODE BLUE
 
[cb22] SMARTIAN: Enhancing Smart Contract Fuzzing with Static and Dynamic Da...
[cb22]  SMARTIAN: Enhancing Smart Contract Fuzzing with Static and Dynamic Da...[cb22]  SMARTIAN: Enhancing Smart Contract Fuzzing with Static and Dynamic Da...
[cb22] SMARTIAN: Enhancing Smart Contract Fuzzing with Static and Dynamic Da...
CODE BLUE
 
[cb22] Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once ...
[cb22] Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once ...[cb22] Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once ...
[cb22] Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once ...
CODE BLUE
 
[cb22] Red light in the factory - From 0 to 100 OT adversary emulation by Vi...
[cb22] Red light in the factory - From 0 to 100 OT adversary emulation by  Vi...[cb22] Red light in the factory - From 0 to 100 OT adversary emulation by  Vi...
[cb22] Red light in the factory - From 0 to 100 OT adversary emulation by Vi...
CODE BLUE
 

More from CODE BLUE (20)

[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
 
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
[cb22]  ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...[cb22]  ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
[cb22]  「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman [cb22]  「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by  高橋 郁夫[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by  高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
 
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
 
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka [cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
 
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
 
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
 
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
[cb22]  From Parroting to Echoing:  The Evolution of China’s Bots-Driven Info...[cb22]  From Parroting to Echoing:  The Evolution of China’s Bots-Driven Info...
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
 
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22]  Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...[cb22]  Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
 
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
 
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
 
[cb22] What I learned from the direct confrontation with the adversaries who ...
[cb22] What I learned from the direct confrontation with the adversaries who ...[cb22] What I learned from the direct confrontation with the adversaries who ...
[cb22] What I learned from the direct confrontation with the adversaries who ...
 
[cb22] SMARTIAN: Enhancing Smart Contract Fuzzing with Static and Dynamic Da...
[cb22]  SMARTIAN: Enhancing Smart Contract Fuzzing with Static and Dynamic Da...[cb22]  SMARTIAN: Enhancing Smart Contract Fuzzing with Static and Dynamic Da...
[cb22] SMARTIAN: Enhancing Smart Contract Fuzzing with Static and Dynamic Da...
 
[cb22] Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once ...
[cb22] Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once ...[cb22] Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once ...
[cb22] Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once ...
 
[cb22] Red light in the factory - From 0 to 100 OT adversary emulation by Vi...
[cb22] Red light in the factory - From 0 to 100 OT adversary emulation by  Vi...[cb22] Red light in the factory - From 0 to 100 OT adversary emulation by  Vi...
[cb22] Red light in the factory - From 0 to 100 OT adversary emulation by Vi...
 

Recently uploaded

stackconf 2024 | Make You Ops-Life Easy – ansible usecases you didn´t out of ...
stackconf 2024 | Make You Ops-Life Easy – ansible usecases you didn´t out of ...stackconf 2024 | Make You Ops-Life Easy – ansible usecases you didn´t out of ...
stackconf 2024 | Make You Ops-Life Easy – ansible usecases you didn´t out of ...
NETWAYS
 
stackconf 2024 | Streamlining Compliance Leveraging Open-Source Terraform AWS...
stackconf 2024 | Streamlining Compliance Leveraging Open-Source Terraform AWS...stackconf 2024 | Streamlining Compliance Leveraging Open-Source Terraform AWS...
stackconf 2024 | Streamlining Compliance Leveraging Open-Source Terraform AWS...
NETWAYS
 
Securing Your Dream Job as a Flutter Developer
Securing Your Dream Job  as a Flutter DeveloperSecuring Your Dream Job  as a Flutter Developer
Securing Your Dream Job as a Flutter Developer
Ahmed Abu Eldahab
 
Cal Girls Holiday Inn Jaipur City Centre | 8445551418 | Girls Call With Sweet...
Cal Girls Holiday Inn Jaipur City Centre | 8445551418 | Girls Call With Sweet...Cal Girls Holiday Inn Jaipur City Centre | 8445551418 | Girls Call With Sweet...
Cal Girls Holiday Inn Jaipur City Centre | 8445551418 | Girls Call With Sweet...
mohankumar66951#S0007
 
Cal Girls Bani Park Jaipur | | Girls Call Free Drop Service
Cal Girls Bani Park Jaipur | | Girls Call Free Drop ServiceCal Girls Bani Park Jaipur | | Girls Call Free Drop Service
Cal Girls Bani Park Jaipur | | Girls Call Free Drop Service
Deepikakumari457585
 
SaaStr Workshop Wednesday with Jason Lemkin
SaaStr Workshop Wednesday with Jason LemkinSaaStr Workshop Wednesday with Jason Lemkin
SaaStr Workshop Wednesday with Jason Lemkin
saastr
 
Cal Girls Hotel Highway King Jaipur | 8445551418 | Top Class High Profile Bea...
Cal Girls Hotel Highway King Jaipur | 8445551418 | Top Class High Profile Bea...Cal Girls Hotel Highway King Jaipur | 8445551418 | Top Class High Profile Bea...
Cal Girls Hotel Highway King Jaipur | 8445551418 | Top Class High Profile Bea...
pradeepkumar66952#S007
 
stackconf 2024 | Test like a ninja with Go by Ivan Presenti.pdf
stackconf 2024 | Test like a ninja with Go by Ivan Presenti.pdfstackconf 2024 | Test like a ninja with Go by Ivan Presenti.pdf
stackconf 2024 | Test like a ninja with Go by Ivan Presenti.pdf
NETWAYS
 
stackconf 2024 | Insights into Managed Service Provision A STACKIT Retrospect...
stackconf 2024 | Insights into Managed Service Provision A STACKIT Retrospect...stackconf 2024 | Insights into Managed Service Provision A STACKIT Retrospect...
stackconf 2024 | Insights into Managed Service Provision A STACKIT Retrospect...
NETWAYS
 
stackconf 2024 | Talos Linux One (Immutable) OS to Rule Them All by Pip Oomen...
stackconf 2024 | Talos Linux One (Immutable) OS to Rule Them All by Pip Oomen...stackconf 2024 | Talos Linux One (Immutable) OS to Rule Them All by Pip Oomen...
stackconf 2024 | Talos Linux One (Immutable) OS to Rule Them All by Pip Oomen...
NETWAYS
 
Cal Girls Nirman Nagar Jaipur | 8445551418 | Top Class High Profile Beauty Girl
Cal Girls Nirman Nagar Jaipur | 8445551418 | Top Class High Profile Beauty GirlCal Girls Nirman Nagar Jaipur | 8445551418 | Top Class High Profile Beauty Girl
Cal Girls Nirman Nagar Jaipur | 8445551418 | Top Class High Profile Beauty Girl
pradeepkumar66952#S007
 
HOW TO LEAD A SPIRIT-POWERED LIFE. CHURC
HOW TO LEAD A SPIRIT-POWERED LIFE. CHURCHOW TO LEAD A SPIRIT-POWERED LIFE. CHURC
HOW TO LEAD A SPIRIT-POWERED LIFE. CHURC
EthanSsengonzi
 
Cal Girls Shyam Nagar Jaipur | 8445551418 | Sweet Girls Call With Hotels
Cal Girls Shyam Nagar Jaipur | 8445551418 | Sweet Girls Call With HotelsCal Girls Shyam Nagar Jaipur | 8445551418 | Sweet Girls Call With Hotels
Cal Girls Shyam Nagar Jaipur | 8445551418 | Sweet Girls Call With Hotels
chanchalrani3534
 
stackconf 2024 | Ignite DevOps Driving School – Explaining DevOps in 5 Minute...
stackconf 2024 | Ignite DevOps Driving School – Explaining DevOps in 5 Minute...stackconf 2024 | Ignite DevOps Driving School – Explaining DevOps in 5 Minute...
stackconf 2024 | Ignite DevOps Driving School – Explaining DevOps in 5 Minute...
NETWAYS
 
Tata Technologies - Investor Presentation Q1 FY 2024-25
Tata Technologies - Investor Presentation Q1 FY 2024-25Tata Technologies - Investor Presentation Q1 FY 2024-25
Tata Technologies - Investor Presentation Q1 FY 2024-25
Tata Technologies
 
stackconf 2024 | Ignite: Distributed Tracing using OpenTelemetry and Jaeger b...
stackconf 2024 | Ignite: Distributed Tracing using OpenTelemetry and Jaeger b...stackconf 2024 | Ignite: Distributed Tracing using OpenTelemetry and Jaeger b...
stackconf 2024 | Ignite: Distributed Tracing using OpenTelemetry and Jaeger b...
NETWAYS
 
MOL- Management of Learning MATATAG Curriculum
MOL- Management of Learning MATATAG CurriculumMOL- Management of Learning MATATAG Curriculum
MOL- Management of Learning MATATAG Curriculum
KennethAbante
 
Large language model for public services
Large language model for public servicesLarge language model for public services
Large language model for public services
Mohamed Elharty
 
Communication Skills........Let's Learn
Communication Skills........Let's Learn Communication Skills........Let's Learn
Communication Skills........Let's Learn
pdtrainernayab
 
Girls Call Raja Park Jaipur | 08445551418 | Free Drop Service
Girls Call Raja Park Jaipur | 08445551418 | Free Drop ServiceGirls Call Raja Park Jaipur | 08445551418 | Free Drop Service
Girls Call Raja Park Jaipur | 08445551418 | Free Drop Service
yadhnajanni
 

Recently uploaded (20)

stackconf 2024 | Make You Ops-Life Easy – ansible usecases you didn´t out of ...
stackconf 2024 | Make You Ops-Life Easy – ansible usecases you didn´t out of ...stackconf 2024 | Make You Ops-Life Easy – ansible usecases you didn´t out of ...
stackconf 2024 | Make You Ops-Life Easy – ansible usecases you didn´t out of ...
 
stackconf 2024 | Streamlining Compliance Leveraging Open-Source Terraform AWS...
stackconf 2024 | Streamlining Compliance Leveraging Open-Source Terraform AWS...stackconf 2024 | Streamlining Compliance Leveraging Open-Source Terraform AWS...
stackconf 2024 | Streamlining Compliance Leveraging Open-Source Terraform AWS...
 
Securing Your Dream Job as a Flutter Developer
Securing Your Dream Job  as a Flutter DeveloperSecuring Your Dream Job  as a Flutter Developer
Securing Your Dream Job as a Flutter Developer
 
Cal Girls Holiday Inn Jaipur City Centre | 8445551418 | Girls Call With Sweet...
Cal Girls Holiday Inn Jaipur City Centre | 8445551418 | Girls Call With Sweet...Cal Girls Holiday Inn Jaipur City Centre | 8445551418 | Girls Call With Sweet...
Cal Girls Holiday Inn Jaipur City Centre | 8445551418 | Girls Call With Sweet...
 
Cal Girls Bani Park Jaipur | | Girls Call Free Drop Service
Cal Girls Bani Park Jaipur | | Girls Call Free Drop ServiceCal Girls Bani Park Jaipur | | Girls Call Free Drop Service
Cal Girls Bani Park Jaipur | | Girls Call Free Drop Service
 
SaaStr Workshop Wednesday with Jason Lemkin
SaaStr Workshop Wednesday with Jason LemkinSaaStr Workshop Wednesday with Jason Lemkin
SaaStr Workshop Wednesday with Jason Lemkin
 
Cal Girls Hotel Highway King Jaipur | 8445551418 | Top Class High Profile Bea...
Cal Girls Hotel Highway King Jaipur | 8445551418 | Top Class High Profile Bea...Cal Girls Hotel Highway King Jaipur | 8445551418 | Top Class High Profile Bea...
Cal Girls Hotel Highway King Jaipur | 8445551418 | Top Class High Profile Bea...
 
stackconf 2024 | Test like a ninja with Go by Ivan Presenti.pdf
stackconf 2024 | Test like a ninja with Go by Ivan Presenti.pdfstackconf 2024 | Test like a ninja with Go by Ivan Presenti.pdf
stackconf 2024 | Test like a ninja with Go by Ivan Presenti.pdf
 
stackconf 2024 | Insights into Managed Service Provision A STACKIT Retrospect...
stackconf 2024 | Insights into Managed Service Provision A STACKIT Retrospect...stackconf 2024 | Insights into Managed Service Provision A STACKIT Retrospect...
stackconf 2024 | Insights into Managed Service Provision A STACKIT Retrospect...
 
stackconf 2024 | Talos Linux One (Immutable) OS to Rule Them All by Pip Oomen...
stackconf 2024 | Talos Linux One (Immutable) OS to Rule Them All by Pip Oomen...stackconf 2024 | Talos Linux One (Immutable) OS to Rule Them All by Pip Oomen...
stackconf 2024 | Talos Linux One (Immutable) OS to Rule Them All by Pip Oomen...
 
Cal Girls Nirman Nagar Jaipur | 8445551418 | Top Class High Profile Beauty Girl
Cal Girls Nirman Nagar Jaipur | 8445551418 | Top Class High Profile Beauty GirlCal Girls Nirman Nagar Jaipur | 8445551418 | Top Class High Profile Beauty Girl
Cal Girls Nirman Nagar Jaipur | 8445551418 | Top Class High Profile Beauty Girl
 
HOW TO LEAD A SPIRIT-POWERED LIFE. CHURC
HOW TO LEAD A SPIRIT-POWERED LIFE. CHURCHOW TO LEAD A SPIRIT-POWERED LIFE. CHURC
HOW TO LEAD A SPIRIT-POWERED LIFE. CHURC
 
Cal Girls Shyam Nagar Jaipur | 8445551418 | Sweet Girls Call With Hotels
Cal Girls Shyam Nagar Jaipur | 8445551418 | Sweet Girls Call With HotelsCal Girls Shyam Nagar Jaipur | 8445551418 | Sweet Girls Call With Hotels
Cal Girls Shyam Nagar Jaipur | 8445551418 | Sweet Girls Call With Hotels
 
stackconf 2024 | Ignite DevOps Driving School – Explaining DevOps in 5 Minute...
stackconf 2024 | Ignite DevOps Driving School – Explaining DevOps in 5 Minute...stackconf 2024 | Ignite DevOps Driving School – Explaining DevOps in 5 Minute...
stackconf 2024 | Ignite DevOps Driving School – Explaining DevOps in 5 Minute...
 
Tata Technologies - Investor Presentation Q1 FY 2024-25
Tata Technologies - Investor Presentation Q1 FY 2024-25Tata Technologies - Investor Presentation Q1 FY 2024-25
Tata Technologies - Investor Presentation Q1 FY 2024-25
 
stackconf 2024 | Ignite: Distributed Tracing using OpenTelemetry and Jaeger b...
stackconf 2024 | Ignite: Distributed Tracing using OpenTelemetry and Jaeger b...stackconf 2024 | Ignite: Distributed Tracing using OpenTelemetry and Jaeger b...
stackconf 2024 | Ignite: Distributed Tracing using OpenTelemetry and Jaeger b...
 
MOL- Management of Learning MATATAG Curriculum
MOL- Management of Learning MATATAG CurriculumMOL- Management of Learning MATATAG Curriculum
MOL- Management of Learning MATATAG Curriculum
 
Large language model for public services
Large language model for public servicesLarge language model for public services
Large language model for public services
 
Communication Skills........Let's Learn
Communication Skills........Let's Learn Communication Skills........Let's Learn
Communication Skills........Let's Learn
 
Girls Call Raja Park Jaipur | 08445551418 | Free Drop Service
Girls Call Raja Park Jaipur | 08445551418 | Free Drop ServiceGirls Call Raja Park Jaipur | 08445551418 | Free Drop Service
Girls Call Raja Park Jaipur | 08445551418 | Free Drop Service
 

[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by An-Jie Yang

26. Analysis (Canon - Firmware Extract)
• Firmware version v6.03, downloaded from Canon's official site
• At the beginning we used binwalk
• But the firmware is obfuscated, so we could not load it into IDA directly

27-28. Analysis (Canon - Firmware Extract)
• We also tried some previous work:
  • TREASURE CHEST PARTY QUEST: FROM DOOM TO EXPLOIT, by Synacktiv
  • Hacking Canon Pixma Printers – Doomed Encryption, by Context Information Security (Contextis) research
• But neither approach could extract this firmware :(

29. Analysis (Canon - Firmware Extract)
• We can still find some information in the obfuscated firmware: a size field and a magic value (figure)

30. We decided to use this pattern to search other firmware images for ones that are not obfuscated

31-33. Analysis (Canon - Firmware Extract)
• We need to download other firmware from the Canon official website
• The original firmware download URL is
  https://pdisp01.c-wss.com/gdl/WWUFORedirectTarget.do?id=MDQwMDAwNDc1MjA1&cmp=Z01&lang=EN
• The id parameter is Base64: MDQwMDAwNDc1MjA1 decodes to 040000475205
• The decoded number is made of three fields:
  • Type (pdf, firmware, …)
  • Ordinal number (other models)
  • Version (firmware version)

34. Analysis (Canon - Firmware Extract)
• By varying the version field we can list all versions of the firmware:
  • V2.01
  • V4.02
  • V6.03
  • V9.03 !?
  • V10.02 !?

35. But all versions are obfuscated 😭

36. Let's download all models

37. Analysis (Canon - Firmware Extract)
• The total file size is 130 GB
• grep for NCFW and some other plaintext strings

38. Analysis (Canon - Firmware Extract)
• The WG7000 Series firmware is not obfuscated!
• We analyzed the WG7000 firmware to find the key function

39. Analysis (Canon - Firmware Extract)
• We tried the same function to deobfuscate the firmware of the MF644CDW
• Bingo! Plaintext messages appear

40. Analysis (Canon - Firmware Analysis)
• Image base address
• We spent some time looking for the image base address of the firmware
• rbasefind

41. Analysis (Canon - Firmware Analysis)
• The original base candidate was 0x40b00000
• It doesn't seem to be the correct base: the references that should point at strings do not land on them (figure)

42. Analysis (Canon - Firmware Analysis)
• Image base address
• We can pick a known function and its debug message and adjust the offset until the references line up
• We found the base is 0x40affde0
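The slides above describe the base-address problem but not how rbasefind decides between candidates. The C program below is an added example, not code from the talk or from the rbasefind tool: it implements the idea that tool uses, scoring each candidate base by how many 32-bit little-endian words in the image point exactly at the start of a string when interpreted under that base. The firmware image is constructed inline (a three-entry pointer table followed by three short strings), and the planted base 0x40affde0 is only borrowed from the slide to make the run concrete; a real image would be memory-mapped from the deobfuscated file instead.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMG_SIZE 64
#define SAMPLE_BASE 0x40affde0u   /* planted base for the constructed image */

/* Record file offsets of printable, NUL-terminated strings of at least
 * min_len bytes. Returns how many were found (at most max). */
static size_t find_strings(const uint8_t *img, size_t len, size_t min_len,
                           size_t *offs, size_t max)
{
    size_t n = 0, start = 0, run = 0;
    for (size_t i = 0; i < len; i++) {
        if (img[i] >= 0x20 && img[i] < 0x7f) {
            if (run == 0) start = i;
            run++;
        } else {
            if (img[i] == 0 && run >= min_len && n < max) offs[n++] = start;
            run = 0;
        }
    }
    return n;
}

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Score a candidate base: count aligned 32-bit words whose value, minus the
 * base, is exactly the file offset of a string start. */
size_t score_base(const uint8_t *img, size_t len, uint32_t base)
{
    size_t offs[32];
    size_t nstr = find_strings(img, len, 4, offs, 32);
    size_t score = 0;
    for (size_t i = 0; i + 4 <= len; i += 4) {
        uint32_t v = le32(img + i);
        if (v < base || v - base >= len) continue;   /* does not point into the image */
        for (size_t s = 0; s < nstr; s++)
            if (offs[s] == v - base) { score++; break; }
    }
    return score;
}

/* Try every base in [lo, hi) at the given step; return the best-scoring one. */
uint32_t find_base(const uint8_t *img, size_t len, uint32_t lo, uint32_t hi, uint32_t step)
{
    uint32_t best = lo;
    size_t best_score = 0;
    for (uint32_t b = lo; b < hi; b += step) {
        size_t s = score_base(img, len, b);
        if (s > best_score) { best_score = s; best = b; }
    }
    return best;
}

/* Constructed sample image: a pointer table at offset 0 whose three entries
 * point (under SAMPLE_BASE) at the strings placed at 0x20, 0x28 and 0x30. */
void build_sample(uint8_t img[IMG_SIZE])
{
    static const char *names[3] = { "init", "main", "fail" };
    memset(img, 0, IMG_SIZE);
    for (int k = 0; k < 3; k++) {
        size_t off = 0x20 + 8 * (size_t)k;
        uint32_t ptr = SAMPLE_BASE + (uint32_t)off;
        memcpy(img + off, names[k], 5);          /* copies the NUL too */
        img[4 * k + 0] = ptr & 0xff;
        img[4 * k + 1] = (ptr >> 8) & 0xff;
        img[4 * k + 2] = (ptr >> 16) & 0xff;
        img[4 * k + 3] = (ptr >> 24) & 0xff;
    }
}

/* Score one candidate against the sample image. */
size_t demo_score(uint32_t base)
{
    uint8_t img[IMG_SIZE];
    build_sample(img);
    return score_base(img, IMG_SIZE, base);
}

/* Search a 64 KiB window in 16-byte steps; the planted base must win. */
uint32_t demo_find_base(void)
{
    uint8_t img[IMG_SIZE];
    build_sample(img);
    return find_base(img, IMG_SIZE, 0x40af0000u, 0x40b00000u, 0x10);
}

int main(void)
{
    printf("best base: 0x%08x (score %zu)\n", demo_find_base(), demo_score(demo_find_base()));
    return 0;
}
```

The wrong candidate from the slide, 0x40b00000, scores zero here for the same reason it looked wrong in IDA: none of the pointer-table words land on a string under it. On a real image you would widen the window, raise the minimum string length to cut noise, and use a step that matches the vendor's alignment habits; a base such as 0x40affde0 is not page-aligned, so a 0x1000 step would have missed it.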
  • 44. Analysis • Canon MF644CDW • OS - DryOSV2 • Customized RTOS by Canon • ARMv7 32bit little-endian • Linked with application code into a single image • Kernel • Service • … Canon - Firmware Analysis 45
  • 45. HP 46
  • 46. Analysis • Relatively easy • Binwalk -Z • Take about 3 - 4 days • It will get correct firmware ! • Other part is similar to Canon HP - Firmware Extract 47
  • 47. Analysis • HP - MFP M283fdw • OS • RTOS - Modify from ThreadX/Green Hills • ARM11 Mixed-endian • Code - little-endian • Data - Big-endian HP - Firmware Analysis 48
  • 48. Agenda • Introduction • Analysis • Attack Surface • Hacking printers at Pwn2Own • Mitigation • Conclusion 49
  • 49. Attack Surface Service Port Description RUI TCP 80 Web interface PDL TCP 9100 Page Description Language PJL TCP 9100 Printer Job Language IPP TCP 631 Internet Printing Protocol LPD TCP 515 Line Printer Daemon Protocol SNMP UDP 161 Simple Network Management Protocol 50 • Nowadays, there are many services enabled by default
  • 50. Attack Surface • Nowadays, there are many services enabled by default Service Port Description SLP TCP 427 Service Location Protocol mDNS UDP 5353 Multicast DNS LLMNR UDP 5355 Link-Local Multicast Name Resolution … … … 51
  • 51. Attack Surface • After we evaluate the overall architecture, we decide to focus on service discovery and DNS series of services • SLP • mDNS • LLMNR 52
  • 52. Such protocols implemented by manufacturer themselves are often prone to vulnerabilities 53
  • 53. Agenda • Introduction • Analysis • Attack Surface • Hacking printers at Pwn2Own • Mitigation • Conclusion 55
  • 55. Hacking printers at Pwn2Own • SLP is a service discovery protocol that allows computers and other devices to find services in local area network Service Location Protocol 57
  • 56. Hacking printers at Pwn2Own • SLP Architecture without Directory Agent Canon - SLP 58 User Agent Client Service Agent Printer
  • 57. Hacking printers at Pwn2Own • SLP Architecture without Directory Agent Canon - SLP 59 User Agent Client Service Agent Printer Unicast/Multicast Service Request Attribute Request
  • 58. Hacking printers at Pwn2Own • SLP Architecture without Directory Agent Canon - SLP 60 User Agent Client Service Agent Printer Unicast Service Reply Attribute Reply
  • 59. Hacking printers at Pwn2Own • SLP Packet Structure Canon - SLP 61 Bit 0 - 7 Bit 8 - 15 Bit 16 - 23 Bit 24 - 31 Version Function-Id Length Length, contd. O F R Reserved Next Ext Offset Next Ext Offset, contd. XID Language Tag Length Language Tag (Variable) Payload (Variable)
  • 60. Hacking printers at Pwn2Own • Canon only implemented service request and attribute request Canon - SLP 62 Bit 0 - 7 Bit 8 - 15 Bit 16 - 23 Bit 24 - 31 Version Function-Id Length Length, contd. O F R Reserved Next Ext Offset Next Ext Offset, contd. XID Language Tag Length Language Tag (Variable) Payload (Variable) Function Code Message Type 1 6 Service Request Attribute Request
• 61. Hacking printers at Pwn2Own: Canon - SLP
  • Attribute Request (AttrRqst)
    • Allows a User Agent to discover the attributes of a given service (by supplying its URL) or of an entire device type
    • https://www.ietf.org/rfc/rfc2608.txt
• 62. Hacking printers at Pwn2Own: Canon - SLP
  • Attribute Request (AttrRqst): the SLP header is followed by a payload of length-prefixed strings
    …                          | …
    Length of <scope-list>     | <scope-list> string (Variable)
    …                          | …
    Length of URL              | URL (Variable)
  • https://www.ietf.org/rfc/rfc2608.txt
• 63. Hacking printers at Pwn2Own: Canon - Vulnerability
  • There is a vulnerability when Canon is parsing the body of AttrRqst
    • It converts escape sequences to characters, e.g. \41 → A
• 65. Hacking printers at Pwn2Own: Canon - Vulnerability
  • There is a stack overflow when Canon is parsing the body of AttrRqst
    • Although there is validation in the normal case
    • There is no validation in the escaping case
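To make the defect concrete from the defensive side, here is an added example of how an AttrRqst parser that decodes RFC 2608 "\xx" escapes should bound its output. It is written for this page and is not Canon's code or the speakers' code: the field order (PRList, then URL) follows RFC 2608 section 10.3, the 64-byte destination buffer is an assumed stand-in for the fixed-size stack buffer on the slides, and the packet builder produces a constructed sample so the parser can be exercised offline. The one property that matters is that `slp_unescape` checks the capacity on every write, including the escaped path, which is exactly the check the slides say was missing.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* SLPv2 fixed header is 14 bytes (RFC 2608, section 8), followed by the
 * language tag and the function-specific payload. Fields are big-endian. */
#define SLP_HDR_LEN       14
#define SLP_FUNC_ATTRRQST 6
#define URL_BUF           64    /* assumed fixed-size destination, as on the slides */

struct slp_hdr { uint8_t version, func; uint32_t length; uint16_t xid, lang_len; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

static int hexval(uint8_t c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Parse the header; returns the payload offset, or 0 if the header is bad
 * or the declared length does not fit in the datagram actually received. */
size_t slp_parse_header(const uint8_t *pkt, size_t n, struct slp_hdr *h)
{
    if (n < SLP_HDR_LEN) return 0;
    h->version  = pkt[0];
    h->func     = pkt[1];
    h->length   = ((uint32_t)pkt[2] << 16) | ((uint32_t)pkt[3] << 8) | pkt[4];
    h->xid      = rd16(pkt + 10);       /* bytes 5-9: flags, reserved, next ext */
    h->lang_len = rd16(pkt + 12);
    if (h->version != 2 || h->length > n) return 0;
    size_t off = SLP_HDR_LEN + h->lang_len;
    return off <= h->length ? off : 0;
}

/* Read one length-prefixed string; the cursor never leaves [0, end). */
static int read_str(const uint8_t *pkt, size_t end, size_t *off,
                    const uint8_t **s, uint16_t *len)
{
    if (*off + 2 > end) return -1;
    *len = rd16(pkt + *off);
    *off += 2;
    if (*off + *len > end) return -1;
    *s = pkt + *off;
    *off += *len;
    return 0;
}

/* Decode "\xx" escapes (RFC 2608 section 5) into dst. Returns the decoded
 * length, or -1 if an escape is malformed or the output would not fit.
 * The capacity check runs on EVERY write, escaped or not. */
int slp_unescape(const uint8_t *src, size_t srclen, char *dst, size_t dstcap)
{
    size_t i = 0, o = 0;
    while (i < srclen) {
        int c;
        if (src[i] == '\\') {
            if (i + 3 > srclen) return -1;                  /* truncated escape */
            int hi = hexval(src[i + 1]), lo = hexval(src[i + 2]);
            if (hi < 0 || lo < 0) return -1;                /* not two hex digits */
            c = (hi << 4) | lo;
            i += 3;
        } else {
            c = src[i++];
        }
        if (o + 1 >= dstcap) return -1;                     /* keep room for the NUL */
        dst[o++] = (char)c;
    }
    dst[o] = '\0';
    return (int)o;
}

/* Extract and unescape the URL of an AttrRqst. Returns URL length or -1. */
int slp_parse_attrrqst_url(const uint8_t *pkt, size_t n, char *url, size_t cap)
{
    struct slp_hdr h;
    const uint8_t *s; uint16_t len;
    size_t off = slp_parse_header(pkt, n, &h);
    if (off == 0 || h.func != SLP_FUNC_ATTRRQST) return -1;
    if (read_str(pkt, h.length, &off, &s, &len) < 0) return -1;   /* PRList */
    if (read_str(pkt, h.length, &off, &s, &len) < 0) return -1;   /* URL */
    return slp_unescape(s, len, url, cap);
}

/* Constructed sample: a minimal AttrRqst carrying only a URL (PRList,
 * scope-list, tag-list and SPI empty). Returns the packet length, or 0. */
size_t slp_build_attrrqst(const char *url, uint8_t *out, size_t cap)
{
    size_t ulen = strlen(url), total = 26 + ulen;  /* 14 hdr + "en" + 5 length fields */
    if (ulen > 0xffff || total > cap) return 0;
    memset(out, 0, total);
    out[0] = 2;                                    /* version */
    out[1] = SLP_FUNC_ATTRRQST;
    out[2] = (uint8_t)(total >> 16); out[3] = (uint8_t)(total >> 8); out[4] = (uint8_t)total;
    out[10] = 0x12; out[11] = 0x34;                /* XID */
    out[13] = 2; out[14] = 'e'; out[15] = 'n';     /* language tag */
    out[18] = (uint8_t)(ulen >> 8); out[19] = (uint8_t)ulen;   /* PRList len 0, then URL len */
    memcpy(out + 20, url, ulen);
    return total;                                  /* the remaining three lengths stay 0 */
}
```

A URL of 70 `\41` sequences is 210 bytes on the wire but 70 bytes decoded; a parser that validates the encoded length against the buffer and then expands escapes in place is still safe, but one that validates only the unescaped copy path and not the escaped one is not, which is the shape of the bug described on the slides.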
• 68. Hacking printers at Pwn2Own: Canon - Exploitation
  • Protection
    • No Stack Guard
    • No DEP
    • No ASLR
• 70. We just need to find a buffer to store our shellcode and return to it
• 71. Hacking printers at Pwn2Own: Canon - Exploitation
  • BJNP
    • A service discovery protocol designed by Canon
    • Exploited by Synacktiv
    • It stores session data in a global buffer
• 72. Hacking printers at Pwn2Own: Canon - Exploitation
  • Exploit steps
    • Use BJNP to store our shellcode in a global buffer
    • Trigger the stack overflow in SLP and overwrite the return address
    • Return to the global buffer
• 76. Hacking printers at Pwn2Own: Pwn2Own Austin 2021
  • Pwn2Own requires you to prove that you have pwned the target
    • In the case of a printer, we chose at first to print the "DEVCORE logo" on the LCD screen
• 77. But we spent a lot of time looking for it …
• 78. Hacking printers at Pwn2Own: Pwn2Own Austin 2021
  • Pwn2Own requires you to prove that you have pwned the target
    • In the case of a printer, we chose to print the "DEVCORE logo" on the LCD screen
    • In the end, due to time constraints, we only printed a message on the screen
• 79. Hacking printers at Pwn2Own: Pwn2Own Austin 2021
  • http://youtu.be/vQbQImZ3XRw?t=18405
• 80. Hacking printers at Pwn2Own: Canon - Exploitation
  • Debugger?
    • If we want to debug it, we need a debug console
      • Need to tear down the printer
    • Use an old exploit to install a customized debugger
      • Need to downgrade the printer
• 81. Hacking printers at Pwn2Own: Canon - Exploitation
  • But we are too lazy, so we just use sleep debugging :)
    • ROP/shellcode → do something → sleep → reboot
• 83. Hacking printers at Pwn2Own: Link-Local Multicast Name Resolution
  • LLMNR is very similar to mDNS. It provides basic name resolution on the same local link
• 84. Hacking printers at Pwn2Own: HP - LLMNR
  • LLMNR protocol
    • Diagram: Client A multicasts "Address of Client C?" to 224.0.0.252, and Clients B, C and D all receive the request
• 85. Hacking printers at Pwn2Own: HP - LLMNR
  • LLMNR protocol
    • Diagram: only Client C answers, with an LLMNR response
• 86. Hacking printers at Pwn2Own: HP - LLMNR
  • LLMNR header (based on the DNS header format)
    Bit 0 - 15            | Bit 16 - 31
    ID                    | Flags
    QDCOUNT               | ANCOUNT
    NSCOUNT               | ARCOUNT
    Queries (Variable)
• 87. Hacking printers at Pwn2Own: HP - LLMNR
  • LLMNR queries use the same format as a DNS query: a name made of length-prefixed labels ending in a zero byte, followed by Type and Class
    0x3 www 0x6 google 0x3 com 0x0 | Type | Class
    … 0xc0 0x0d (compression pointer to an earlier name)
• 88. Hacking printers at Pwn2Own: HP - Vulnerability
  • There is a stack overflow when LLMNR is parsing the queries
    • Fixed-size buffer on the stack
    • Without any length verification
• 91. We tried to exploit it in a similar way to Canon, but …
• 92. Hacking printers at Pwn2Own: HP - Exploitation
  • Protection
    • No Stack Guard
    • XN (DEP)
    • Memory Protection Unit (MPU)
    • No ASLR
• 93. Hacking printers at Pwn2Own: HP - Exploitation
  • Some limits of this vulnerability
    • We can only overflow about 0x100 bytes
    • Null terminated
    • XN (DEP) and MPU
      • Prevent us from executing shellcode
• 94. Not hacker friendly? Can it be bypassed? How to implement it?
• 95. Hacking printers at Pwn2Own: HP - Exploitation
  • Let's delve into the HP RTOS
    • Linked with the application code into a single image
    • Many tasks run
      • in the same virtual address space
      • in kernel mode
• 99. Hacking printers at Pwn2Own: HP - Exploitation
  • MMU in the HP M283fdw
    • Uses one-level page table translation
    • Each translation table entry translates a 1MB section
    • The translation table is located at 0x4003c000
• 100. Hacking printers at Pwn2Own: HP - MMU
  • Diagram: virtual address bits 31-20 index the first-level translation table (whose base comes from TTBR); bits 19-0 are the page index (offset within the 1MB section); the translation table entry selects the section of physical memory
• 101. Hacking printers at Pwn2Own: HP - MMU
  • Diagram, with the section translation table entry layout (bit 31 down to bit 0):
    Section Address [31:20] | 0 [19:18] | nG (17) | S (16) | APX (15) | TEX [14:12] | AP [11:10] | P (9) | Domain [8:5] | XN (4) | C (3) | B (2) | 1 (bit 1) | 0 (bit 0)
• 102. Hacking printers at Pwn2Own: HP - Exploitation
  • MMU in the HP M283fdw
    • The translation table is at a known address
    • We can bypass XN by modifying a translation table entry!
    • But it's protected by the Memory Protection Unit (MPU)
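Reading the entry layout above is easier with a decoder, so here is an added example (written for this page, not taken from HP or from the speakers) that decodes an ARM short-descriptor section entry, translates a virtual address through it, and audits a table for sections that are both writable and executable, which is the condition XN and the MPU on this printer exist to rule out. The bit positions are those on the slide; `TTB_BASE` is the address the slides give; the four-entry table is constructed for the example and does not come from the M283fdw.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

#define TTB_BASE 0x4003c000u     /* translation table address from the slides */

/* Fields of an ARM short-descriptor first-level section entry, laid out as
 * on the slide: [31:20] section base, [19:18] = 0, 17 nG, 16 S, 15 APX,
 * [14:12] TEX, [11:10] AP, 9 P, [8:5] Domain, 4 XN, 3 C, 2 B, [1:0] = 0b10. */
struct section_desc {
    bool     valid;
    uint32_t base;
    unsigned ng, s, apx, tex, ap, p, domain, xn, c, b;
};

/* Address of the first-level entry covering va: one 4-byte entry per 1MB. */
uint32_t ttb_entry_addr(uint32_t va) { return TTB_BASE + (va >> 20) * 4u; }

struct section_desc decode_section(uint32_t e)
{
    struct section_desc d = {0};
    d.valid  = (e & 0x3u) == 0x2u && ((e >> 18) & 0x3u) == 0;
    d.base   = e & 0xFFF00000u;
    d.b      = (e >> 2) & 1u;   d.c   = (e >> 3) & 1u;   d.xn = (e >> 4) & 1u;
    d.domain = (e >> 5) & 0xFu; d.p   = (e >> 9) & 1u;   d.ap = (e >> 10) & 3u;
    d.tex    = (e >> 12) & 7u;  d.apx = (e >> 15) & 1u;  d.s  = (e >> 16) & 1u;
    d.ng     = (e >> 17) & 1u;
    return d;
}

/* Physical address of va under entry e, or 0 if e is not a section entry. */
uint32_t section_translate(uint32_t e, uint32_t va)
{
    struct section_desc d = decode_section(e);
    return d.valid ? (d.base | (va & 0xFFFFFu)) : 0;
}

/* Privileged-mode write is permitted when APX == 0 and AP != 0;
 * the section is executable when it is mapped and XN is clear. */
bool section_priv_writable(const struct section_desc *d) { return d->apx == 0 && d->ap != 0; }
bool section_executable(const struct section_desc *d)    { return d->valid && d->xn == 0; }

/* Audit a (dumped) table: count W+X sections and record their virtual bases
 * in out[] (up to cap). Returns the total count found. */
size_t audit_wx_sections(const uint32_t *table, size_t nentries, uint32_t *out, size_t cap)
{
    size_t found = 0;
    for (size_t i = 0; i < nentries; i++) {
        struct section_desc d = decode_section(table[i]);
        if (section_executable(&d) && section_priv_writable(&d)) {
            if (out && found < cap) out[found] = (uint32_t)i << 20;   /* VA of section i */
            found++;
        }
    }
    return found;
}

/* Constructed sample table covering VA 0x00000000-0x003fffff:
 *   0: RW + X  (W+X, should be flagged)
 *   1: RW, XN  (data, fine)
 *   2: RO + X  (code, fine: APX set)
 *   3: fault   (unmapped) */
const uint32_t sample_ttb[4] = { 0x40000c0eu, 0x40100c1eu, 0x40208c0eu, 0x00000000u };
```

Run over a table dumped from a device, `audit_wx_sections` gives a quick W^X check of what the MMU alone enforces; on this printer that is only half the story, because the table itself is writable unless the MPU keeps it read-only.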
• 105. Hacking printers at Pwn2Own: HP - Exploitation
  • Memory Protection Unit
    • The MPU enables you to partition memory into regions and set individual protection attributes for each region
    • Enabled when booting
    • Diagram: physical memory split into Region 0 (page table, code) marked read-only, Region 1 (data) marked RW, and further regions
• 106. Hacking printers at Pwn2Own: HP - Exploitation
  • Memory Protection Unit
    • Diagram: a write access to Region 0 (page table, code) is denied because the region is read-only
• 107. Hacking printers at Pwn2Own: HP - Exploitation
  • Memory Protection Unit
    • The MPU is configured through a series of memory-mapped registers in the System Control Space
    • MPU registers: MPU_TYPE, MPU_CTRL, MPU_RNR, …
    • MPU_CTRL is at 0xE0400304
• 108. We can easily use ROP to overwrite it with 0 to disable the MPU
• 109. Hacking printers at Pwn2Own: HP - Exploitation
  • After we disable the MPU and overwrite the translation table entry
    • We can modify any code page
    • Modify the code of LPD (Line Printer Daemon) so that it reads our payload to a specific address
    • Convert LPD into a debug console
• 110. Hacking printers at Pwn2Own: HP - Exploitation
  • After we disable the MPU and overwrite the translation table entry
    • We must invalidate
      • the Translation Lookaside Buffer
      • the D-cache and I-cache
• 111. Hacking printers at Pwn2Own: HP - Exploitation
  • Exploit steps
    • Trigger the stack overflow in LLMNR and overwrite the return address
    • ROP to disable the MPU
    • ROP to modify the translation table entry
    • Flush the TLB
    • ROP to invalidate the I-cache and D-cache
    • ROP to modify the code of LPD
    • Use the modified LPD to read our shellcode and jump to it
• 118. Hacking printers at Pwn2Own: Pwn2Own Austin 2021
  • Pwn2Own requires you to prove that you have pwned the target
    • Originally, we just wanted to print a message on the LCD screen
    • But luckily, we later saw that something a little like the DEVCORE logo could be printed
    • Just modify the string and trigger the printer test
• 121. Hacking printers at Pwn2Own: Pwn2Own Austin 2021
• 122. Hacking printers at Pwn2Own: Pwn2Own Austin 2021
  • Debug console
• 123. Hacking printers at Pwn2Own: Pwn2Own Austin 2021
  • Result
• 124. Hacking printers at Pwn2Own: Exploitation
  • After we have code execution
    • We can
      • Steal credentials
      • Lateral movement
      • Hard to detect
      • …
• 125. Agenda
  • Introduction
  • Analysis
  • Attack Surface
  • Hacking printers at Pwn2Own
  • Mitigation
  • Conclusion
• 126. Mitigation
  • Update
    • The Canon and HP printers have been patched; please update to the latest version
  • Disable unused services
    • The attack surface of a printer is huge
    • Many services are enabled by default
  • Firewall
• 129. Agenda
  • Introduction
  • Analysis
  • Attack Surface
  • Hacking printers at Pwn2Own
  • Mitigation
  • Conclusion
• 130. Conclusion
  • Discovery and DNS-family services are a weak point in printers
  • Printers are still a good target for red teams
• 132. Thank you for listening
  @scwuaptx