Printer has become one of the essential devices in the corporate intranet for the past few years, and its functionalities have also increased significantly. Not only print or fax, cloud printing services like AirPrint are also being supported as well to make it easier to use. Direct printing from mobile devices is now a basic requirement in the IoT era. We also use it to print some internal business documents of the company, which makes it even more important to keep the printer safe. Nowadays, most of the printers on the market do not have to be connected with USB or traditional cable. As long as you are using a LAN cable connected to the intranet, the computer can find and use the printer immediately. Most of them are based on protocols such as SLP and LLMNR. But is it really safe when vendors adopt those protocols? Furthermore, many printers do not use traditional Linux systems, but use RTOS(Real-Time Operating System) instead, how will this affect the attacker? In this talk, we will use Canon ImageCLASS MF644Cdw and HP Color LaserJet Pro MFP M283fdw as case study, showing how to analyze and gain control access to the printer. We will also demonstrate how to use the vulnerabilities to achieve RCE in RTOS in unauthenticated situations.

1. Your printer is not your
printer ! - Hacking Printers at
Pwn2Own
Angelboy
angelboy@chroot.org
@scwuaptx
1

2. Whoami
• Angelboy (An-Jie Yang)
• Researcher at DEVCORE
• Ex-CTF Player
• HITCON / 217
• Chroot
• Pwn2Own
• 2020 Tokyo/2021 Austin
• Co-founder of pwnable.tw
• Speaker
• HITB GSEC 2018/AVTokyo 2018/VXCON/HITCON
2

3. Agenda
• Introduction
• Analysis
• Attack Surface
• Hacking printers at Pwn2Own
• Mitigation
• Conclusion
3

4. Agenda
• Introduction
• Analysis
• Attack Surface
• Hacking printers at Pwn2Own
• Mitigation
• Conclusion
4

5. 5

6. Introduction
• In the early days
• to use the printer, it was necessary to
• Use IEEE1284 or USB to connect to the Computer
• Install Printer driver before printing
• Usually only a single printer feature
Printer
6

7. Introduction
• Nowadays
• Printer can provide a variety of services which make printer not only more
convenient but also closer to IoT
• It can be found immediately when connected to intranet
Printer - IoT
7
image: Flaticon.com

8. Introduction
Printer - IoT
8

9. PrintingHacking is also easier
9

10. 10

11. Motivation
11

12. Introduction
• Red Team
• Printer is one of the most common devices in the intranet
Motivation
12

13. Introduction
• Red Team
• Printer is one of the most common devices in the intranet
• Good target to hide our actions
Motivation
13

14. Introduction
• Red Team
• Printer is one of the most common devices in the intranet
• Good target to hide our actions
• Sometimes integrate with Active Directory
Motivation
14

15. Introduction
• Pwn2Own 2021 Austin
Motivation
15

16. We thought they were trivial at first, but …
16
`ls`
; /bin/usr/id ;
%0Acat%20/etc/passwd

17. RTOS
(Real-Time Operating System)
17

18. 18
Challenge Accept !

19. 19

20. 20

21. We will focus on Canon and HP in this talk
21

22. Agenda
• Introduction
• Analysis
• Attack Surface
• Hacking printers at Pwn2Own
• Mitigation
• Conclusion
22

23. Analysis
• At the beginning, we thought we need to ……
23

24. In fact, we didn’t tear down any of them !
24

25. Canon
25

26. Analysis
• Firmware version v6.03
• From Canon official
• At the beginning, we use binwalk
• But the firmware is obfuscated
• We cannot use IDA directly
Canon - Firmware Extract
26

27. Analysis
• We also try some previous works
• TREASURE CHEST PARTY QUEST: FROM DOOM TO EXPLOIT
• by Synacktiv
• Hacking Canon Pixma Printers – Doomed Encryption
• by Contextis research
Canon - Firmware Extract
27

28. Analysis
• We also try some previous works
• TREASURE CHEST PARTY QUEST: FROM DOOM TO EXPLOIT
• by Synacktiv
• Hacking Canon Pixma Printers – Doomed Encryption
• by Contextis research
• But it cannot extract the firmware :(
Canon - Firmware Extract
28

29. • We can find some information from obfuscated firmware
Analysis
Canon - Firmware Extract
29
Size Magic

30. We decide to use this patten to search other firmwares
without obfuscated
30

31. Analysis
• We need to download other firmwares from Canon official website
• Original firmware download URL is
Canon - Firmware Extract
31
https://pdisp01.c-
wss.com/gdl/WWUFORedirectTarget.do?id=MDQwMDAwNDc1Mj
A1&cmp=Z01&lang=EN

32. Analysis
Canon - Firmware Extract
32
https://pdisp01.c-
wss.com/gdl/WWUFORedirectTarget.do?id=MDQwMDAwNDc1Mj
A1&cmp=Z01&lang=EN
040000475205

33. Analysis
Canon - Firmware Extract
34
https://pdisp01.c-
wss.com/gdl/WWUFORedirectTarget.do?id=MDQwMDAwNDc1Mj
A1&cmp=Z01&lang=EN
040000475205
Type Ordinal
Number
Version
Pdf,firmware …
Other model
Firmware version

34. Analysis
• We can list all versions of firmware
• V2.01
• V4.02
• V6.03
• V9.03 !?
• V10.02 !?
Canon - Firmware Extract
35

35. But all versions are obfuscated 😭
36

36. Let’s download all models
37

37. Analysis
• The total file size is 130GB
• grep NCFW and some plaintext
Canon - Firmware Extract
38

38. Analysis
• WG7000 Series is not obfuscated !
• We analyze the firmware of WG7000 to find the key function
Canon - Firmware Extract
39

39. Analysis
• Try to use the same function to deobfuscate the firmware of MF644CDW
• Bingo !
Canon - Firmware Extract
40
Plaintext message

40. Analysis
• Image Base Address
• We spent some time looking for image base address of firmware
• rbasefind
Canon - Firmware Analysis
41

41. • Original base is 0x40b00000
• It doesn’t seem to be the correct base
Analysis
Canon - Firmware Analysis
42
Should be strings

42. Analysis
• Image Base Address
• We can find a correct function and debug message to adjust to the correct
offset
• We found the base is 0x40affde0
Canon - Firmware Analysis
43

43. Analysis
Canon - Firmware Analysis
44

44. Analysis
• Canon MF644CDW
• OS - DryOSV2
• Customized RTOS by Canon
• ARMv7 32bit little-endian
• Linked with application code into a single image
• Kernel
• Service
• …
Canon - Firmware Analysis
45

45. HP
46

46. Analysis
• Relatively easy
• Binwalk -Z
• Take about 3 - 4 days
• It will get correct firmware !
• Other part is similar to Canon
HP - Firmware Extract
47

47. Analysis
• HP - MFP M283fdw
• OS
• RTOS - Modify from ThreadX/Green Hills
• ARM11 Mixed-endian
• Code - little-endian
• Data - Big-endian
HP - Firmware Analysis
48

48. Agenda
• Introduction
• Analysis
• Attack Surface
• Hacking printers at Pwn2Own
• Mitigation
• Conclusion
49

49. Attack Surface
Service Port Description
RUI TCP 80 Web interface
PDL TCP 9100 Page Description Language
PJL TCP 9100 Printer Job Language
IPP TCP 631 Internet Printing Protocol
LPD TCP 515 Line Printer Daemon Protocol
SNMP UDP 161 Simple Network Management Protocol
50
• Nowadays, there are many services enabled by default

50. Attack Surface
• Nowadays, there are many services enabled by default
Service Port Description
SLP TCP 427 Service Location Protocol
mDNS UDP 5353 Multicast DNS
LLMNR UDP 5355 Link-Local Multicast Name Resolution
… … …
51

51. Attack Surface
• After we evaluate the overall architecture, we decide to focus on service
discovery and DNS series of services
• SLP
• mDNS
• LLMNR
52

52. Such protocols implemented by manufacturer
themselves are often prone to vulnerabilities
53

53. Agenda
• Introduction
• Analysis
• Attack Surface
• Hacking printers at Pwn2Own
• Mitigation
• Conclusion
55

54. Hacking Canon Printer
56

55. Hacking printers at Pwn2Own
• SLP is a service discovery protocol that allows computers and other devices
to find services in local area network
Service Location Protocol
57

56. Hacking printers at Pwn2Own
• SLP Architecture without Directory Agent
Canon - SLP
58
User Agent
Client
Service Agent
Printer

57. Hacking printers at Pwn2Own
• SLP Architecture without Directory Agent
Canon - SLP
59
User Agent
Client
Service Agent
Printer
Unicast/Multicast
Service Request
Attribute Request

58. Hacking printers at Pwn2Own
• SLP Architecture without Directory Agent
Canon - SLP
60
User Agent
Client
Service Agent
Printer
Unicast
Service Reply
Attribute Reply

59. Hacking printers at Pwn2Own
• SLP Packet Structure
Canon - SLP
61
Bit 0 - 7 Bit 8 - 15 Bit 16 - 23 Bit 24 - 31
Version Function-Id Length
Length, contd. O F R Reserved Next Ext Offset
Next Ext Offset, contd. XID
Language Tag Length Language Tag (Variable)
Payload (Variable)

60. Hacking printers at Pwn2Own
• Canon only implemented service request and attribute request
Canon - SLP
62
Bit 0 - 7 Bit 8 - 15 Bit 16 - 23 Bit 24 - 31
Version Function-Id Length
Length, contd. O F R Reserved Next Ext Offset
Next Ext Offset, contd. XID
Language Tag Length Language Tag (Variable)
Payload (Variable)
Function Code Message Type
1
6
Service Request
Attribute Request

61. Hacking printers at Pwn2Own
• Attribute Request (AttrRqst)
• Allow a User Agent to discover attributes of given service (by supplying its
URL) or for entire device type
Canon - SLP
63
https://www.ietf.org/rfc/rfc2608.txt

62. Hacking printers at Pwn2Own
• Attribute Request (AttrRqst)
Canon - SLP
64
Bit 0 - 7 Bit 8 - 15 Bit 16 - 23 Bit 24 - 31
Version Function-Id Length
Length, contd. O F R Reserved Next Ext Offset
Next Ext Offset, contd. XID
Language Tag Length Language Tag (Variable)
Payload (Variable)
… …
Length of <scope-list> <scope-list> string (Variable)
… …
Length of URL URL (Variable)
https://www.ietf.org/rfc/rfc2608.txt

63. Hacking printers at Pwn2Own
• There is a vulnerability when Canon is parsing the body of AttrRqst
• It will convert escape character to character
Canon - Vulnerability
65
¥41 A

64. Hacking printers at Pwn2Own
• There is a vulnerability when Canon is parsing the body of AttrRqst
Canon - Vulnerability
66

65. Hacking printers at Pwn2Own
• There is a stack overflow when Canon is parsing the body of AttrRqst
Canon - Vulnerability
67

66. Hacking printers at Pwn2Own
• There is a stack overflow when Canon is parsing the body of AttrRqst
Canon - Vulnerability
68
Although there is validation in normal case

67. Hacking printers at Pwn2Own
• There is a stack overflow when Canon is parsing the body of AttrRqst
Canon - Vulnerability
69
No validation in escaping case

68. Hacking printers at Pwn2Own
• Protection
• No Stack Guard
• No DEP
• No ASLR
Canon - Exploitation
70
image: Flaticon.com

69. Hacker Friendly :)
71

70. We just need to find a buffer to store our shellcode and
return to it
72

71. Hacking printers at Pwn2Own
• BJNP
• A service discovery protocol designed by Canon
• Exploited by Synacktiv
• It will store session data on the global buffer
Canon - Exploitation
73

72. Hacking printers at Pwn2Own
• Exploit Step
Canon - Exploitation
74

73. Hacking printers at Pwn2Own
• Exploit Step
• Use BJNP to store our shellcode on a global buffer
Canon - Exploitation
75

74. Hacking printers at Pwn2Own
• Exploit Step
• Use BJNP to store our shellcode on a global buffer
• Trigger stack overflow in SLP and overwrite return address
Canon - Exploitation
76

75. Hacking printers at Pwn2Own
• Exploit Step
• Use BJNP to store our shellcode on a global buffer
• Trigger stack overflow in SLP and overwrite return address
• Return to the global buffer
Canon - Exploitation
77

76. Hacking printers at Pwn2Own
• Require you to prove that you have pwned the target
• In terms of printer, we choose to print "DEVCORE logo" on the LCD
screen at first
Pwn2Own Austin 2021
78

77. But we spent a lot of time looking for it …
79

78. Hacking printers at Pwn2Own
• Require you to prove that you have pwned the target
• In terms of printer, we choose to print "DEVCORE logo" on the LCD
screen
• In the end, due to time constraints, we finally only chose to print the
message on the screen
Pwn2Own Austin 2021
80

79. Hacking printers at Pwn2Own
Pwn2Own Austin 2021
84
http://youtu.be/vQbQImZ3XRw?t=18405

80. Hacking printers at Pwn2Own
• Debugger ?
• If we want to debug it, we need to have a debug console
• Need to teardown the printer
• Use an old exploit to install customized debugger
• Need to downgrade the printer
Canon - Exploitation
85

81. Hacking printers at Pwn2Own
• But we are too lazy, we just use sleep debug to debug it :)
Canon - Exploitation
86
ROP/shellcode
Do something
Sleep
Reboot

82. Hacking HP Printer
87

83. Hacking printers at Pwn2Own
• LLMNR is very similar to mDNS. It provides base name resolution on the
same local link
Link-Local Multicast Name Resolution
88

84. Hacking printers at Pwn2Own
• LLMNR protocol
HP - LLMNR
89
Client A
Client B
Client C
Client D
Multicast
Address of Client C ?
Send requests to 224.0.0.252
Address of Client C ?
Address of Client C ?

85. Hacking printers at Pwn2Own
• LLMNR protocol
HP - LLMNR
90
Client A
Client B
Client C
Client D
Response from Client C
LLMNR Response

86. Hacking printers at Pwn2Own
• LLMNR Header (Base on DNS header format)
HP - LLMNR
91
Bit 0 - 7 Bit 8 - 15 Bit 16 - 23 Bit 24 - 31
ID Flags
QDCOUNT ANCOUNT
NSCOUNT ARCOUNT
Queries (Variable)

87. Hacking printers at Pwn2Own
• LLMNR queries use the same format as DNS query
HP - LLMNR
92
Bit 0 - 7 Bit 8 - 15 Bit 16 - 23 Bit 24 - 31
ID Flags
QDCOUNT ANCOUNT
NSCOUNT ARCOUNT
Queries (Variable)
0x3 www 0x6 google 0x3 com
0 Type Class …
0xc0 0xd

88. Hacking printers at Pwn2Own
• There is a stack overflow when LLMNR is parsing the queries
HP - Vulnerability
93

89. Hacking printers at Pwn2Own
• There is a stack overflow when LLMNR is parsing the queries
HP - Vulnerability
94
Fixed size buffer on stack

90. Hacking printers at Pwn2Own
• There is a stack overflow when LLMNR is parsing the queries
HP - Vulnerability
95
Without any length verification

91. We tried to exploit it in the similar way as Canon, but …
96

92. Hacking printers at Pwn2Own
• Protection
• No Stack Guard
• XN (DEP)
• Memory Protect Unit (MPU)
• No ASLR
HP - Exploitation
97
image: Flaticon.com

93. Hacking printers at Pwn2Own
• Some limits in this vulnerability
• We can only overflow about 0x100 bytes
• Null terminated
• XN(DEP) and MPU
• Preventing us from executing shellcode
HP - Exploitation
98
image: Flaticon.com

94. Hacker not Friendly ?
image: Flaticon.com
Can be bypassed ?
How to implement it ?
99

95. Hacking printers at Pwn2Own
• Let's delve into HP RTOS
HP - Exploitation
100

96. Hacking printers at Pwn2Own
• Let's delve into HP RTOS
• Linked with application code into a single image
HP - Exploitation
101

97. Hacking printers at Pwn2Own
• Let's delve into HP RTOS
• Linked with application code into a single image
• Many tasks run
• in the same virtual address space
• in kernel-mode
HP - Exploitation
102

98. MMU
103

99. Hacking printers at Pwn2Own
• MMU in HP M283fdw
• Use one-level page table translation
• Translation table entry for translating a 1MB section
• Translation table is located at 0x4003c000
HP - Exploitation
104

100. Hacking printers at Pwn2Own
HP - MMU
105
Page index
31 20 12 11 10 9 8 7 6 5 4 3 2 1 0
13
Index into first level table
14
15
16
17
18
19
Virtual Address
TTBR
Translation Table Entry
Translation Table
Physical Memory

101. Hacking printers at Pwn2Own
HP - MMU
106
Page index
31 20 12 11 10 9 8 7 6 5 4 3 2 1 0
13
Index into first level table
14
15
16
17
18
19
Virtual Address
TTBR
Translation Table Entry
Translation Table
Physical Memory
0
31 20 12 11 10 9 8 7 6 5 4 3 2 1 0
13
1
B
C
XN
Domain
P
AP
TEX
AP
X
S
nG
0
0
Section Address
14
15
16
17
18
19

102. Hacking printers at Pwn2Own
• MMU in HP M283fdw
• Translation table is on known address
• We can bypass XN through modifying translation table entry !
HP - Exploitation
107

103. Hacking printers at Pwn2Own
• MMU in HP M283fdw
• Translation table is on known address
• We can bypass XN through modifying translation table entry !
• But it's protected by Memory Protection Unit(MPU)
HP - Exploitation
108

104. MPU
109

105. Hacking printers at Pwn2Own
• Memory Protection Unit
• The MPU enables you to partition memory into regions and set individual
protection attributes for each regions
• Enable when booting
HP - Exploitation
110
Physical Memory
Region 0
(Page Table, Code)
Region 1
(Data)
Region …
Read only
RW

106. Hacking printers at Pwn2Own
• Memory Protection Unit
HP - Exploitation
111
Physical Memory
Region 0
(Page Table, Code)
Region 1
(Data)
Region …
Read only
RW
Write access

107. Hacking printers at Pwn2Own
• Memory Protection Unit
• The MPU is configured by a series of memory mapped register in System
Control Spaces
• MPU_CTRL 0xE0400304
HP - Exploitation
112
MPU_TYPE
MPU_CTRL
MPU_RNR
…
…
MPU registers

108. We can easily use ROP to overwrite it with 0 to disable
MPU
113

109. Hacking printers at Pwn2Own
• After we disable MPU and overwrite translation table entry
• We can modify any code page
• Modify the code of LPD(Line Printer Daemon) in order to read our
payload to specific address
• Convert LPD to Debug Console
HP - Exploitation
114

110. Hacking printers at Pwn2Own
• After we disable MPU and overwrite translation table entry
• We must invalidate
• Translation Lookaside Buffer
• D-cache and I-cache
HP - Exploitation
115

111. Hacking printers at Pwn2Own
• Exploit Step
• Trigger stack overflow in LLMNR and overwrite return address
HP - Exploitation
116

112. Hacking printers at Pwn2Own
• Exploit Step
• Trigger stack overflow in LLMNR and overwrite return address
• ROP to disable MPU
HP - Exploitation
117

113. Hacking printers at Pwn2Own
• Exploit Step
• Trigger stack overflow in LLMNR and overwrite return address
• ROP to disable MPU
• ROP to modify translation table entry
HP - Exploitation
118

114. Hacking printers at Pwn2Own
• Exploit Step
• Trigger stack overflow in LLMNR and overwrite return address
• ROP to disable MPU
• ROP to modify translation table entry
• Flush TLB
HP - Exploitation
119

115. Hacking printers at Pwn2Own
• Exploit Step
• Trigger stack overflow in LLMNR and overwrite return address
• ROP to disable MPU
• ROP to modify translation table entry
• Flush TLB
• ROP to invalidate I-cache and D-cache
HP - Exploitation
120

116. Hacking printers at Pwn2Own
• Exploit Step
• Trigger stack overflow in LLMNR and overwrite return address
• ROP to disable MPU
• ROP to modify translation table entry
• Flush TLB
• ROP to invalidate I-cache and D-cache
• ROP to modify code of LPD
HP - Exploitation
121

117. Hacking printers at Pwn2Own
• Exploit Step
• Trigger stack overflow in LLMNR and overwrite return address
• ROP to disable MPU
• ROP to modify translation table entry
• Flush TLB
• ROP to invalidate I-cache and D-cache
• ROP to modify code of LPD
• Use modified LPD to read our shellcode and jump to shellcode
HP - Exploitation
122

118. Hacking printers at Pwn2Own
• Require you to prove that you have pwned the target
• Originally, we just wanted to print the message on the LCD screen
Pwn2Own Austin 2021
123

119. Hacking printers at Pwn2Own
• Require you to prove that you have pwned the target
• Originally, we just wanted to print the message on the LCD screen
• But luckily, we later saw that a little bit like the DEVCORE logo can be
printed
• Just modify the string and trigger printer test
Pwn2Own Austin 2021
124

120. 125

121. Hacking printers at Pwn2Own
Pwn2Own Austin 2021
126

122. Hacking printers at Pwn2Own
• Debug Console
Pwn2Own Austin 2021
127

123. Hacking printers at Pwn2Own
• Result
Pwn2Own Austin 2021
128

124. Hacking printers at Pwn2Own
• After we have code execution
• We can
• Steal Credential
• Lateral movement
• Hard to detect
• …
Exploitation
129

125. Agenda
• Introduction
• Analysis
• Attack Surface
• Hacking printers at Pwn2Own
• Mitigation
• Conclusion
130

126. Mitigation
• Update
• Canon and HP printer have been patched, please update to the latest
131

127. Mitigation
• Update
• Canon and HP printer have been patched, please update to the latest
• Disable unused service
• The attack surface of printer is too huge
• Many services are opened by default
132

128. Mitigation
• Update
• Canon and HP printer have been patched, please update to the latest
• Disable unused service
• The attack surface of printer is too huge
• Many services are opened by default
• Firewall
133

129. Agenda
• Introduction
• Analysis
• Attack Surface
• Hacking printers at Pwn2Own
• Mitigation
• Conclusion
134

130. Conclusion
• Discovery and DNS series services are weak in printer
• Printer is still a good target for red team
135

131. Reference
• https://labs.withsecure.com/assets/BlogFiles/Printing-Shellz.pdf
• https://foxglovesecurity.com/2017/11/20/a-sheep-in-wolfs-clothing-finding-
rce-in-hps-printer-fleet/
• https://research.checkpoint.com/2018/sending-fax-back-to-the-dark-ages/
136

132. Thank you for listening
@scwuaptx
137