The Printer goes brrrr

Presented at CanSecWest 2022, May 20, 2022, 1:15 p.m. (60 minutes)

Network printers are good target candidates from an attacker perspective since they are rarely reinstalled or supervised and thus constitute a perfect place to hide on a network. Moreover they provide the attackers with persistent access to sensitive documents that may be scanned or printed. This kind of device has been featured for the first time at Pwn2Own competition in Austin 2021. Three popular LaserJet printers were included in the competition: HP, Lexmark and Canon. During the event, we (Synacktiv) managed to compromise all of them, which among other targets allowed us to win the whole competition. In this talk, we will focus on how we achieved code execution on the Canon printer. The primary step was to obtain the firmware to start reverse analysis. These are distributed through custom packages that are obfuscated. In this research, we will dissect the package format. Specifically, we will present how the primary analysis of the bootloader that we extracted from the flash memory allowed us to identify the deobfuscation routine, enabling us to decode further package updates available from Canon's website. The firmware is based on DryOs, a real-time OS powering several Canon products including cameras and printers. The Canon printer exposes several network services that we have analysed. In particular, we will present the CADM service as part of the attack surface and how we identified a heap-based overflow in one of the numerous operations handled by that protocol. The exploitation of the vulnerability requires an understanding of the DryOs allocator which will also be presented to the audience. Thanks to the DryOS console available via UART, we were able to dump the heap state and to elaborate a generic scenario to attack the allocator. We will present our exploitation strategy and how one could reuse it to exploit similar heap-based overflows. We will finally showcase how we managed to display an arbitrary image on the printer's LCD screen thanks to a shellcode that directly encodes pixel values in the framebuffer.

Presenters:

• Mehdi Talbi - Synacktiv
  Mehdi Talbi, PhD, is a computer security researcher at Synacktiv. His main interests are vulnerability research, exploit development, reverse engineering, and source code auditing. Mehdi has published his work in several peer-reviewed journals (Journal in computer Virology) and magazines (Phrack). He has also presented his work at several international conferences including Infiltrate, Blackhat Europe, Virus Bulletin, SSTIC, Warcon, etc. Mehdi is one of the contributor to the Haka open source project showcased at DEF CON and Black Hat Arsenal.
• Thomas Jeunet - Synacktiv
  Thomas Jeunet is a long time pentester and now computer security researcher at Synacktiv. This research is his first publication and presentation. His main interests are vulnerability research, exploit development, and reverse engineering, particularly on exotic architecture.
• Rémi Jullian - Synacktiv

Links:

• https://cansecwest2022.sched.com/event/ztKJ/the-printer-goes-brrrr

Similar Presentations:

• DEF CON 27 (2019) / Why You Should Fear Your "mundane" Office Equipment
• 44CON 2019 / Mundane office equipment: The front door to persistence on enterprise networks
• Black Hat Europe 2020 Virtual / This is for the Pwners : Exploiting a WebKit 0-day in PlayStation 4