In The Middle Of Printers
(In)security of Pull Printing Solutions
Jakub Kałużny
PHDays IV, Moscow, 2014
#whoami
• IT Security Consultant at SecuRing
• Consulting all phases of SDLC
• Previously worked for ESA and an online money transfers company
• Bug bounty hunter
Why hack pull printing?
• Widely used
• Confidential data
• Getting popular
Pull Printing Solutions
(flow diagram: the user never talks to the printer directly; he only authenticates at the device and releases his print queue)
Pull Printing Solutions
https://www.laservalley.com/images/hp_AccessControl.jpg
Threat modelling – key risks
• sniffing (documents captured in transit)
• print queues (releasing other users’ jobs)
• accountability (printing at others’ expense)
• users’ data
Attack vectors
• Sniffing, MITM
• Authorization bypass
• User/admin interface vulnerabilities
Targets: other users’ data, access to other print queues
Sniffing documents – how is the traffic protected?
• No encryption – no challenge
• Only documents encrypted – ECB mode for PostScript?
• Encryption layer over the traffic:
  – network level (IPsec, SSL)
  – proprietary protocol?
https://en.wikipedia.org/wiki/ECB_mode
What is needed?
Ex 1: Secure Pull Printing
“is a modern printing solution that safeguards document confidentiality and unauthorized access to print, scan, copy and e-mail functions. Its user-authentication provides air-tight security on your shared MFPs that function as personal printers.”
Vendor ensures
„Documents are delivered only into the right hands”
„Information is kept confidential. No risk of being left unattended at the printer”
„Document collection is safe anytime and anywhere — no “print and sprint”.”
„Integration with other enterprise applications and workflows is kept secure through single sign-on”
Ex 1: Proprietary protocol
First look at the communication:
• TCP, 2 ports
• No cleartext, no SSL
• Seems to follow some scheme…
Ex 1: Deeper look at the traffic (server ↔ printer)
Message              Observed on the wire
HELLO                constant, 263 B
HELLO, CERTIFICATE   96 B, “X” B, 128 B
SESSION KEY          always different, 64 B
PostScript           many identical 16-byte blocks (ECB mode)
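The “many identical 16-byte blocks” observation is a cheap and reliable tell for ECB: identical plaintext blocks encrypt to identical ciphertext blocks, and a PostScript page description is full of repeated lines. The following added example (not from the talk and not the vendor’s software) performs that block-count analysis. Since the Python standard library has no AES, it uses a constructed toy 16-byte Feistel block cipher as a stand-in; the ECB and CBC modes, the PKCS#7 padding, the PostScript sample, and the key and IV constants are all constructed for the example.

```python
import hashlib

BLOCK = 16  # AES block size: the unit in which the capture showed repeats


def _round(key: bytes, i: int, half: bytes) -> bytes:
    """Round function of the toy cipher: 8 bytes derived from key, round number and half-block."""
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Constructed 8-round Feistel cipher on a 16-byte block (stand-in for AES-128)."""
    left, right = block[:8], block[8:]
    for i in range(8):
        left, right = right, bytes(a ^ b for a, b in zip(left, _round(key, i, right)))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse of block_encrypt: run the Feistel rounds backwards."""
    left, right = block[:8], block[8:]
    for i in reversed(range(8)):
        left, right = bytes(a ^ b for a, b in zip(right, _round(key, i, left))), left
    return left + right


def pad(data: bytes) -> bytes:
    """PKCS#7 padding to a whole number of blocks."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    """ECB: every block on its own, so equal plaintext blocks give equal ciphertext blocks."""
    data = pad(data)
    return b"".join(block_encrypt(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """CBC: each block is XORed with the previous ciphertext block first, which breaks the repeats."""
    data = pad(data)
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, bytes(a ^ b for a, b in zip(data[i:i + BLOCK], prev)))
        out.append(prev)
    return b"".join(out)


def repeated_blocks(ciphertext: bytes, size: int = BLOCK) -> dict:
    """Quantity analysis of a capture: count ciphertext blocks that repeat an earlier block."""
    usable = len(ciphertext) - len(ciphertext) % size
    blocks = [ciphertext[i:i + size] for i in range(0, usable, size)]
    distinct = len(set(blocks))
    return {"blocks": len(blocks), "distinct": distinct, "repeats": len(blocks) - distinct}


def looks_like_ecb(ciphertext: bytes) -> bool:
    """Any exact 16-byte repeat in traffic that is supposed to be encrypted is a strong ECB indicator."""
    return repeated_blocks(ciphertext)["repeats"] > 0


# Constructed PostScript job: a 48-byte line (three whole blocks) drawn 20 times,
# the kind of repetition a real page description is full of.
PS_JOB = (b"%!PS-Adobe-3.0\n".ljust(32)
          + (b"0 0 moveto 100 100 lineto stroke".ljust(47) + b"\n") * 20
          + b"showpage\n")
KEY = b"hypothetical-key"        # constructed 16-byte key
IV = bytes(range(16))            # constructed IV

if __name__ == "__main__":
    print("ECB:", repeated_blocks(ecb_encrypt(KEY, PS_JOB)))      # 63 blocks, 6 distinct, 57 repeats
    print("CBC:", repeated_blocks(cbc_encrypt(KEY, IV, PS_JOB)))  # 63 blocks, 0 repeats
```

Running `repeated_blocks()` over the PostScript message bytes of a real capture, aligned to 16 bytes, is what turns “seems to follow some scheme” into “block cipher in ECB mode” before any reverse engineering starts; CBC, CTR or a stream cipher would show zero repeats on the same job.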
PoC script for MITM
Ex 1: Reverse-engineered
• Hardcoded RSA certificate in the printer embedded software
• No trust store
• AES-128 ECB used for traffic encryption
• Same protocol in the admin interface
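Why a hardcoded certificate without a trust store is enough for a MITM: whichever side receives the certificate has to check it against something, otherwise an attacker on the path can substitute its own. The added example below (not the talk’s PoC script, which is not reproduced on this page, and not vendor code) models the HELLO / HELLO, CERTIFICATE / SESSION KEY exchange from the previous slides. It assumes, following the speaker notes, that the printer is the client and that it wraps the session key to whatever certificate it receives; the toy textbook RSA over fixed Mersenne primes, the fingerprint-based trust store and the 128-bit key value are all constructed for the example.

```python
import hashlib

# Toy textbook RSA over fixed Mersenne primes: constructed for the example, no padding,
# never to be used for real. It plays the part of the hardcoded RSA certificate.
P61, P89, P107, P127 = 2**61 - 1, 2**89 - 1, 2**107 - 1, 2**127 - 1


def rsa_keypair(p: int, q: int, e: int = 65537):
    n, d = p * q, pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)          # (public key, private key)


def fingerprint(pub) -> str:
    n, e = pub
    return hashlib.sha256(f"{n}:{e}".encode()).hexdigest()


SERVER_PUB, SERVER_PRIV = rsa_keypair(P89, P127)   # the legitimate server's certificate
MITM_PUB, MITM_PRIV = rsa_keypair(P61, P107)       # the attacker's own certificate


class Server:
    def hello_reply(self) -> dict:
        return {"msg": "HELLO", "cert": SERVER_PUB}         # HELLO, CERTIFICATE

    def unwrap_session_key(self, wrapped: int) -> int:
        n, d = SERVER_PRIV
        return pow(wrapped, d, n)


class Printer:
    """Client side. trust_store=None reproduces the 'hardcoded certificate, no trust store' finding."""

    def __init__(self, trust_store=None):
        self.trust_store = trust_store

    def send_session_key(self, hello_reply: dict, session_key: int) -> int:
        cert = hello_reply["cert"]
        if self.trust_store is not None and fingerprint(cert) not in self.trust_store:
            raise ValueError("server certificate is not in the trust store")
        n, e = cert
        return pow(session_key, e, n)          # SESSION KEY, wrapped to whoever presented the cert


class Mitm:
    """On-path attacker: swaps in its own certificate, reads the key, re-wraps it for the real server."""

    def __init__(self):
        self.recovered = None

    def relay_hello_reply(self, hello_reply: dict) -> dict:
        return {"msg": hello_reply["msg"], "cert": MITM_PUB}

    def relay_session_key(self, wrapped: int) -> int:
        n, d = MITM_PRIV
        self.recovered = pow(wrapped, d, n)
        n2, e2 = SERVER_PUB
        return pow(self.recovered, e2, n2)      # the server sees a normal SESSION KEY message


def run_handshake(printer: Printer, session_key: int, mitm: Mitm = None):
    """Returns (key the server ends up with, key the attacker learned or None)."""
    server = Server()
    reply = server.hello_reply()
    if mitm:
        reply = mitm.relay_hello_reply(reply)
    wrapped = printer.send_session_key(reply, session_key)
    if mitm:
        wrapped = mitm.relay_session_key(wrapped)
    return server.unwrap_session_key(wrapped), (mitm.recovered if mitm else None)


def handshake_blocked(printer: Printer, session_key: int, mitm: Mitm) -> bool:
    """True when the printer refuses the substituted certificate."""
    try:
        run_handshake(printer, session_key, mitm)
        return False
    except ValueError:
        return True


SESSION_KEY = 0x0123456789ABCDEF0123456789ABCDEF   # constructed 128-bit AES session key
PINNED = {fingerprint(SERVER_PUB)}                   # what a trust store would hold

if __name__ == "__main__":
    print(run_handshake(Printer(), SESSION_KEY, Mitm()))            # attacker and server both hold the key
    print(run_handshake(Printer(PINNED), SESSION_KEY))              # pinned, no attacker: works
    print(handshake_blocked(Printer(PINNED), SESSION_KEY, Mitm()))  # pinned, attacker: True
```

With no trust store the attacker ends the handshake holding the same session key as the server, and the ECB-encrypted PostScript that follows is readable; a single pinned fingerprint is enough to stop the substitution, and it costs nothing at run time, which is worth remembering when reading the vendor’s CPU-power argument two slides on.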
Ex 1: Consequences
Key risks affected: sniffing, print queues, accountability, users’ data
Ex 1: Vendor gets notified
“Many of the devices do not have the CPU power that allows a fast login response and at the same time establish a high security level. For example changing ECB to CBC mode encryption will be more CPU intensive and introducing that may cause slower performance of the devices, which the customers are very reluctant to see implemented.”
“(…) system has been deployed at many high security customers and has passed internal audits.”
Ex 2: Responsible vendor
“With its roots in education and the full understanding that college kids “like to hack”, our development processes continually focus on security.”
“Secure print release (…) can integrate card-swipe user authentication at devices (…) ensuring jobs are only printed when the collecting user is present.”
Ex 2: Another binary protocol (printer ↔ server; directions inferred from the message content)
printer → server: HELLO
printer → server: USER: user1
server → printer: token
printer → server: HASH(password + token)
server → printer: Password ok
printer → server: Release my print queue
server → printer: OK
printer → server: Just copied 100 pages
Ex 2: Detailed communication (printer ↔ server)
printer → server: Release my print queue
  carried as: beginDeviceTransaction (…) guest-xyz
server: looks up user permissions, releases the print queue for user “guest-xyz”
printer → server: Just copied 100 pages
server: charges user “guest-xyz” for copying 100 pages
Ex 2: Consequences
Key risks affected: sniffing, print queues, accountability, users’ data
Ex 2: Vendor gets notified
• Gave access to the KB and support service
• And to all versions of the software
• Responded in a few hours and patched in a few days
• Was happy to be pentested
Ex 3: Secure Print Solutions
“The Secure Print technology offers: High Security - Jobs only print when released by the user”
Ex 3: Architecture design
• Network level protection
• IP whitelist
• Stateless HTTP service, no session token, no cookie
Ex 3: Authentication request (printer → server)
POST /AuthenticateLogin2 HTTP/1.1
(...)
param1=username&param2=password
Ex 3: Hacking without any tools
2727
Ex 3: Tampering accountability (printer → server)
POST /LogJob HTTP/1.1
(…)
data=<job><job-id>1073741847</job-id><name>_Print_____1073741847</name><type>103</type><type-string>Print</type-string><page-cnt>0</page-cnt><color-page-cnt>0</color-page-cnt><color>0</color><duplex>0</duplex><page-size>0</page-size><page-size-string>Unknown_Size</page-size-string><media>Unknown</media><dest>UNKNOWN</dest><user-name>USER1</user-name><email-address>unknown@unknown.com</email-address></job>
server: “Just printed a job, note it and charge”
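Ex 2 (beginDeviceTransaction naming “guest-xyz”) and Ex 3 (user-name and page-cnt inside the LogJob body) fail in the same way: the server takes the identity and the accounting figures from the message instead of from what it already knows. The added example below (not code from either vendor) parses the LogJob record shown above and contrasts a handler that charges whoever the body names with one that binds the job to the authenticated session user and to the server’s own spool record. The AccountingServer class, the spool contents, the session user names and the rejection behaviour are all assumptions made for the example, and the hardened variant presupposes an authenticated session, which Ex 3’s stateless service does not have.

```python
import xml.etree.ElementTree as ET

# Constructed LogJob body in the shape shown on the slide above (values copied from it).
LOGJOB = (
    "<job><job-id>1073741847</job-id><name>_Print_____1073741847</name><type>103</type>"
    "<type-string>Print</type-string><page-cnt>0</page-cnt><color-page-cnt>0</color-page-cnt>"
    "<color>0</color><duplex>0</duplex><page-size>0</page-size>"
    "<page-size-string>Unknown_Size</page-size-string><media>Unknown</media><dest>UNKNOWN</dest>"
    "<user-name>USER1</user-name><email-address>unknown@unknown.com</email-address></job>"
)


def parse_logjob(xml_text: str) -> dict:
    """Pull the accounting-relevant fields out of a LogJob record."""
    job = ET.fromstring(xml_text)
    return {
        "job_id": int(job.findtext("job-id")),
        "user": job.findtext("user-name"),
        "pages": int(job.findtext("page-cnt")),
        "color_pages": int(job.findtext("color-page-cnt")),
    }


def rejects(fn, *args) -> bool:
    """True when the handler refuses the request with PermissionError."""
    try:
        fn(*args)
        return False
    except PermissionError:
        return True


class AccountingServer:
    """Hypothetical accounting back end. spool maps job_id -> (owner, pages) as the server
    recorded them when the job was submitted, before any device reported anything."""

    def __init__(self, spool: dict):
        self.spool = spool
        self.charges = {}      # user -> pages charged
        self.alerts = []

    def _charge(self, user: str, pages: int):
        self.charges[user] = self.charges.get(user, 0) + pages

    # Vulnerable (Ex 3 as observed): identity and page count both come from the device message.
    def log_job_vulnerable(self, xml_text: str):
        rec = parse_logjob(xml_text)
        self._charge(rec["user"], rec["pages"])
        return rec["user"], rec["pages"]

    # Hardened: the device speaks for an authenticated session user, the job must belong to
    # that user, and the figures charged are the server's own, not the ones in the body.
    def log_job_hardened(self, session_user: str, xml_text: str):
        rec = parse_logjob(xml_text)
        owner, pages = self.spool[rec["job_id"]]
        if owner != session_user:
            raise PermissionError(f"{session_user} may not log job {rec['job_id']} owned by {owner}")
        if rec["user"] != owner or rec["pages"] != pages:
            self.alerts.append(f"job {rec['job_id']}: device reported {rec['user']}/{rec['pages']} pages, "
                               f"spool says {owner}/{pages}")
        self._charge(owner, pages)
        return owner, pages

    # Ex 2 has the same shape: the release request (beginDeviceTransaction) names the user to act as.
    def release_queue_vulnerable(self, session_user: str, requested_user: str) -> str:
        return requested_user          # queue released, and later charged, for whoever the message names

    def release_queue_hardened(self, session_user: str, requested_user: str) -> str:
        if requested_user != session_user:
            raise PermissionError(f"{session_user} asked to release the queue of {requested_user}")
        return session_user


if __name__ == "__main__":
    # Constructed scenario: the spooled job belongs to "mallory" and is 12 pages long,
    # but the device message attributes it to USER1 with a page count of 0.
    srv = AccountingServer({1073741847: ("mallory", 12)})
    print(srv.log_job_vulnerable(LOGJOB), srv.charges)               # ('USER1', 0) {'USER1': 0}
    print(srv.log_job_hardened("mallory", LOGJOB), srv.alerts)       # ('mallory', 12) plus one alert
    print(rejects(srv.log_job_hardened, "USER1", LOGJOB))             # True
    print(srv.release_queue_vulnerable("user1", "guest-xyz"))         # guest-xyz
    print(rejects(srv.release_queue_hardened, "user1", "guest-xyz"))  # True
```

The alert on a mismatch is deliberate: a device that reports a different user or page count than the server spooled is either broken or lying, and either is worth a log line, which is exactly what the brute-force finding on a later slide says these products lacked.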
Ex 3: Consequences
Key risks affected: sniffing, print queues, accountability, users’ data
Ex 3: Vendor gets notified
“Received, and will look it over with engineers. I'll come back to you shortly.”
“Discussed with engineers, and the reason why communication was non-SSL, was to support older Lexmark devices which cannot do SSL.”
Other vulnerabilities
• Logs and printed files on a default web server
• Brute-force attack in admin/user interfaces, no logs
• XSS and CSRF in web interfaces
• Predictable session identifiers
• DoS attack vulnerability
Research process
What we thought: Get the software → Pentests → Report
How it really looks: Get the software → Pentests → Report → vulnerabilities
Research problems
Why do vendors fear pentests?
• no direct profit
• risk of finding criticals
• implies a lot of patching
Cheat sheet - developers
Encryption between server and printer/user:
• Avoid writing your own crypto
• Avoid writing your own protocol
• Authenticate both sides
Cheat sheet - developers
Behind the proprietary protocol:
• Access control
• Separate interfaces
• MITM protection is not enough
Cheat sheet - testers
Look for vulnerabilities in:
• Encryption and authentication
• Access control in proprietary protocols
• Infrastructure design
Cheat sheet - owners
While deploying a pull printing solution:
• Get it pentested
• Network layer security - IPsec, VLANs
• Verify vendor claims
What’s next?
• CVEs disclosure
• A follow-up paper
• Ready to fight new proprietary protocols
Q&A
http://www.securing.pl
e-mail: info@securing.pl
tel. +48 (12) 4252575
Jakub Kałużny
jakub.kaluzny@securing.pl

Speaker notes
1. Threat modelling, penetration tests, vulnerability assessments, opinions. Web and mobile applications, networks, infrastructure, devices (ATMs, cash deposit machines), printers.
2. Banks, financial institutions, big corporations. Documents, contracts, payrolls. Money saving, security.
3. Flow diagram: the user does not interact with the printer directly; he only authenticates and releases print queues.
4. A lot of functionality, different access roles, many threat agents and attack vectors, and, as it turned out, many vulnerabilities.
5. An owner would not like to have: their documents sniffed; a subordinate employee printing the chairman’s contracts; employees printing books at others’ expense (tampering with accounting); users’ data stolen.
6. In the case of sniffing, the printer is the client.
7. The MFP has everything: a hard disk, a USB port, embedded software, a VNC server.
8. Quantity analysis.
9. ECB is faster, but only when the blocks are processed in parallel: either the printers have multi-threaded processors, or they lack computing power.
10. Widely used at universities.
11. We started with basic tests: SQLi in param2, omitting param2, empty param2…