This'll be fun. So, I figured today we'd talk about hacking PJL. And for those of you who know what PJL is, great. For those of you that don't, well, it's the Printer Job Language. It was created by HP and is supported by some 40-odd manufacturers. And it's basically the way printer jobs are set up, handled, and prepared, you know, when they're set up by the driver to the printer so that the printer can print the document. Keep in mind that everything I am doing here is completely supported by their spec. It's all documented. Well, 95% of it's documented. Their documentation kind of blows. It's about a decade old. However, all of that being said, this should be fun.

A quick bit about me. For those of you that know me, I'm sorry. For those of you that don't, I'm sorry. There's a slide of some of the other stuff I've done later in the presentation, and we'll get to it there. I don't really think it's important to what we're doing here. So, that being said, first slide. Ta-da!

So, as I said, PJL stands for Printer Job Language. It's used for setting up a printer for a job: internal variables, PCL, PostScript, all that kind of stuff. It gets older than that. The documents that I started reading when I was working on this stuff are from '97. And Irongeek has got a wonderful, wonderful site that went back to some of the older attacks and things like that. I'll get into a little bit more of that later. But this stuff has been around forever. Just keep that in mind.

So, your basic enterprise HP printer. And, you know, stop for a second, those of you who work in the big enterprise environments: think about how many of these you have on your network. Just think about that for a second. So, you've got your admin page on 80 and your HTTPS page on 443. Most of them have SNMP support enabled, because nobody's ever going to turn that off, regardless of whether it's being used or not.
But that doesn't matter. We've got a back door for that. So, your enterprise HPs have disks. And this is where it starts getting interesting. They either have a physical disk, which you'll find sometimes in the MFPs, the multi-function printers, your printer/scanner/fax/copier, you know, the things that always get kept on someone's desk. Or they have a RAM disk, which is exactly what it sounds like. It's a RAM disk. And these are there to support uploading and downloading of fonts. However, I used to get that myself, but regardless.

To give a quick nod back to the people who have gone this path before me: we've got ChaiVM, which basically gave you the ability to upload your own ChaiVM into the printer and take control over it. I've been told it really doesn't work anymore. I don't have the capability of testing it. Hijetter, once again, an excellent tool. I remember having loads of fun with this in high school. That was a Phenoelit group. It only works with one device, and it crashes really often. There's also the wonderful SNMP get of the printer admin. Irongeek's website covers this. Excellent. Screw this thing, I'm just going to eat it. So anyways, let's get back.

So there are several fun PJL commands.

The people on the stream chat probably can't hear you anymore.

Ah, I hate microphones. Alright, I'm going to talk into the microphone. There are some fun PJL commands: fsupload, which stands for file system upload, which actually doesn't do what you think it does, because it's actually uploading from the printer to you, not you to the printer. And fsdownload is, once again, backwards. Directory lists, fsdelete, ready message (this is how we get to update LCD screens), and some of the SNMP commands over PJL, even if SNMP is disabled. Now this is where it gets interesting. That is exactly what you think it is. That is an SNMP backdoor. This is documented by HP. I have talked to them about this. They readily admit that this is a feature. I have no idea why.
Because when you think about it, you go, okay, great. So I don't want SNMP on my devices. I'm not using it. So I go into the admin page and I check the box and I say I don't want to use this. And yet I can go do this. I can sit there and ASCII-encode their MIB objects, send the same commands over 9100, unauthenticated, and get commands back. Which proves really useful when I start talking about some of the other stuff I did. Really, really kind of scary. There is a document out there on the Internet that will explain all of this to you. It's marked confidential, from HP Barcelona. And if you're decent with Google, you can go find it on some of their HTTP servers. This is from way back in 2001, when I spoke to HP about this. They admitted that they knew it existed and they didn't really care.

So why is all of this awesome? It's unauthenticated. Widely supported. You can't really turn it off. Your large MFPs, the ones that CEOs have got on their staff, you'll see 40 gig hard drives, 80 gig hard drives, 60 gig hard drives. Really depends on the model. Smaller network printers will give you 20 to 30 megs, although some of the newer ones will give you 200 to 300 megs. Keep that in mind. So you're faced with that quickly. When you're storing stuff on the RAM disk, if I remotely reboot the device, which I can't do, all your forensic evidence goes away.

So how do we secure these devices? Well, they've got three passwords. You've got your web admin password. You've got your telnet password. They're typically the same, depending on how old the device is. And you've got your PJL password for secure jobs. And this PJL password comes into play later. The PJL password is set on any one of the disks. I'm mobile here, so I'm going to sit here. I apologize. I'm a bit hungover at this point. So anyways, to give you an example of a secure job, you can take the PJL password, you can physically lock a disk, and it's in a read-only mode.
There's a recent vulnerability that HP just came out and admitted to: its directory traversal, on purpose. Their response was, set the PJL password and lock the disks, and this is no longer an issue. Except for the fact that the PJL password is horribly, horribly, horribly weak: one to 65,535, numeric only. So the software that I will be releasing here at some point in the near future, probably the next month or so, has a password cracker. And the password cracker will sit there and just constantly try. There's no timeouts. There's no logging. There's nothing, until it figures out the correct password. This gets even more fun when you start aggregating across multiple devices. And this gets back into what I was talking about. Think about how many of these devices you've got on your network. Do you actually bother to set these things up correctly? Do you bother to secure them and things like that? To set the PJL password, there's not an easy way to do it. HP typically recommends their administration tool, which means that there's a good chance the password's going to be the same on all the devices. Now, because I can only connect to one device at a time, I can only test one password at a time. But if I was to, say, connect to 30 different devices at a time and test passwords across 30 different devices, assuming your admins are lazy and all the passwords are the same, suddenly the password space gets much, much smaller. You can do it in about four minutes.

So this is once again a slide talking about what I was talking about earlier: the disk lock. The disk lock is really interesting, because HP's own documentation says that if you lock the disk, you can only lock disk zero. Most of the really big hard drives that I've been playing around with, you can have disks one, two, sometimes even three. So you can only lock up the first disk, and that's their acceptable solution. It's kind of sad, really. So what can we do with this?
After sitting down and playing with all this, I decided to write a couple of tools. So I've got PrintFS. PrintFS is exactly what it sounds like. It is a printer file system tool. It will go out and it will scan an entire network. It will find all the printers that are supported, and then aggregate it all into a giant, effectively, cloud storage device. And you get this nice little upload and download screen. You say, put this file here, and that file is then thrown up there. And then you can delete it off your disk, wander around, come back and get it later. Two, and a little sequel to one: PrintJet, once again, a wonderful support tool. This handles the password cracking. This handles a bunch of other fun things that we'll show you later.

So, what is the meaning of PrintFS? We're doing distributed storage across all the printers in a given environment. PrintFS support is determined by the scanning of the printer via PFS scan. Now, PFS scan, to go off on a slight tangent here, is something I'm particularly proud of, because I had a ridiculous amount of fun writing it. It's polymorphic. So not only does it have multiple commands to determine the information it needs, because I'm doing a mix of normal PJL commands plus the SNMP pass-through commands, they're run in random order, and there are random sleeps. You could sit there and run it a million times against the same device, and you will never get PCAPs that look the same. So, really, really, really fun to write. It was written in such a way as to be a horrible pain in the ass to write rules for. There's random payload padding. You'll never get PCAPs that look the same.

So, getting back to PrintFS, we're using the RAM disk to store. It works on any supported printer via a global network or over the Internet. So, if you were to use something like the Shodan scanner and printers that are out on the Internet, say 26 devices across five countries will give you a gig of storage.
All files that are uploaded automatically get compressed, then they're encrypted with a random key. So every file, any time you upload a file, it's encrypted with a random key, and then it gets a random file name. So even if somebody was to stumble upon this, it just looks like garbage. There's a local file table that's curated on the disk, and that's where I store the keys, the names, and everything else like that. So when you go out to retrieve these files, it comes back down the same way it went up. There's a SHA hash and everything else. To handle the fact that we're storing on RAM disks, and the chance that someone might reboot a device, I actually upload every file twice. So I'll store it on one printer, and I'll store it on another printer. And because of the way the code is written, it may get one name on one printer, and it'll be a completely different name and encryption key on a different printer. So there's no way of being able to sit there and go, okay, this and this are the same object.

PrintJet, once again, is a support tool for PrintFS. It's the user interface for the PJL password cracker. Mass control panel lock and unlock, really, really funny to do. Mass RAM disk lock and unlock. Mass LCD update, which I have another script that I'll be releasing that does that.

This is a list of known supported models. This is from me scanning various devices and determining that, yes, they are indeed supported. There are probably many, many, many, many others that will support these. These are just the ones that I've had access to play with. 4000 series, 5000 series. I think there's a 9000 in there. So it's a wide enough range that you more than likely have these devices on your network.

Did I hear you say you can use Shodan to find them on the Internet also?

Yes, you can use Shodan to find them on the Internet. You can use Google to find them on the Internet.
Typically, what I do is I take the web administration page, and I pick a couple of things out of the URL, and I start Googling for other objects that have that URL, and you'll pull these devices back.

So, other fun stuff with PJL. Printer DoS attacks. One of the things I noticed when I was playing with this is that when you open up a connection to the printer and don't close it, the printer won't do anything. It just sits there and waits. So it would be very easy to lock them all open so that nobody can print. Using the SNMP passthrough with reboot, you could turn them into reboot loops all day long. Mass printer pranks with the LCD. You could do social engineering, which would be really, really funny, and I might have done it in my office. Animated LCD messages, which actually we will do one of those here real quick. So, imagine this on every printer in your environment. Yes, that is Raffle Conqueror's dropping lunch. So I think that is an excellent, excellent way to show admins that, hey, you've got an issue. All multi-threaded, and basically you send it all out, and it goes and does its thing. The nice thing is, the way this is written, every command actually sets up and closes down a new TCP connection, which really sucks because there is all sorts of traffic, but on the other hand, people can actually still print while this is going on.

Now, something that is animated, are you having to constantly send something new, updating?

Yeah, I'm constantly updating and so forth. And it's just new.

So anyways, mine was a bomb countdown.

Yep, exact same idea.

So, yeah, once again, slide about me. The Xile, textile, member of Unallocated Space, we're a drinking space with a hacking problem. I do a lot of wireless, and I'm kind of branching out from it. Used for security contracting, you can email me. I don't have Twitter. I don't believe in it. I think it's a mass hallucination. And at this point, I'm sure there are questions. I hope. Yes?
How do you identify if it's a RAM disk or a regular disk?

It'll actually tell you. There are several commands, and I can more than happily go into it if you're really curious. But when I scan a device, what happens is, what I do is I actually create a random chunk of data. It goes out, it just creates a huge block of alphanumerics. And I say, okay, give me a random amount of that. This is my file. And I do a SHA hash on it, and I say, okay, tell me about your file system. Okay, I know you have X amount of space. If you've returned that to me, tell me what your model number is. Okay, great, you've returned that to me. Tell me what your serial number is. And this is how I store everything in the file system. I base it off the device's serial number, because that's guaranteed to be unique. So anyways, it goes ahead, compresses it, uploads it, re-downloads it, uncompresses it, does a SHA hash on it to make sure that nothing's getting modified in transit and I'm not corrupting data. And at that point, it says, okay, now this is a supported device, and it adds it to the table. Along the way, you know, you do random sleeps, you get the random payloads of the commands. There's all sorts of really fun stuff to do. I actually have a PCAP, so if anyone wants to see it. I would love for somebody to come up with a way to write rules for this, because it made this so dangerous that I can't stop it now. And it's proving to be a little problematic, and I'm kind of kicking myself for having so many problems. Other questions?

So you said you're using the built-in hard drives on these machines as a sort of file store. How big did you say that was?

It really depends on the device. The MFPs, you get really lucky with, because they have built-in hard drives. So you get 40, 50, 60 gigs. In the test network where I was playing, I had 26 devices, and had 78 gigs of storage. Which is pretty sizeable.

Have you looked at your ability to execute code and other things, stuff like that?
I didn't find anything that would give me the ability to execute code on these things. ChaiVM was the last known thing that could do that. It's not to say that it can't be done again, but it really wasn't within the scope of what I was trying to do. When I originally got into this, I was trying to steal the documents that people were sending to printers. That's the only thing that should be done, right? Once I realized I could upload and download files, I went, what happens if I add this all together? And the fact that I can effectively sit on a network, collect everyone's files as they're flying across the wire, store them out in plain sight on all their printers. So even if they're scanning for rogue services and things like that, they're not going to find the FTP server, even though I'm using stuff. And then effectively collect it all, upload it to the Internet, leave, go to some other Internet connection, pull it back down, and I type the next command and poof, it all goes away.

I'd love to combine this with email and a backscan type release to deliver PDFs that are in the EDS.

You can do that. Some of the other older HP devices, there was a vulnerability, I think most of the 4000 series had it, where you could actually upload documents to the web server, which is really funny for running client-side attacks. You just post it right off the printers. So yeah, in terms of what you're asking, I think it would be perfectly possible. If I was to rewrite this again, I'd actually use FUSE and actually give you a mount point that would be a whole bunch of printers.

Does it work possible? You found it eliminated on a key print this, did other manufacturers pull email?

You know, no. And it's not to say that it's not possible, it's just that I'd have to try very hard. So it's entirely possible to do it. There are certain commands that I need to have supported.
The model number I don't generally care about; it's just kind of one of those informational things. That's why I generate a nice list of all known supported things. If I can't get back the serial number and I can't get back the disk information, I assume the device is not supported. Now, it's interesting, I found in scanning, and I never did quite get my timing right, but there are times where I will scan the device and it will come back and say I'm not supported. And then I'll scan it again and it will be. So there are some limitations within the programming inside the devices that you kind of run into sometimes. But all in all, I kind of stuck with HP because I had the best success with them, and it being their thing, they had implemented the entire subset versus only bits and pieces of it.

Is there a legitimate reason to lock the disk, and if you do that, is it about printing or is it about supporting?

So if you lock the disk, you're effectively removing the ability to upload font files. I haven't actually found anyone who's ever done it. It's kind of one of those supported features, but nobody ever uses it. It was kind of comical after reading HP's response to that vulnerability that came out for the directory traversal. So I'm like, well, I'll just lock the disk with the PJL password. And I started laughing because really, it's horrible. I didn't suggest that. It's horribly broken. This is really, really old technology that they keep sticking in new devices. I'm really kind of interested to see what their new web-enabled printers look like, because I'm willing to bet they're probably vulnerable to this. And the sad part is, I even contacted them and I said, hey, I'll work with you for free to fix this. I knew some people that worked for them and they actually put me in touch with the actual teams in charge of this stuff. As soon as they figured out that I wasn't releasing this at DEF CON, they didn't care anymore.
And so, yeah, it's really kind of been better after that point. Other questions?

So when you release at DEF CON, it's probably going to get their attention. Will that be the first time that people have public consumption of it, before you plan to release the part?

I submitted this talk for ShmooCon, and it'll probably be a little bit longer, as I've ripped through this way faster than expected. And unless you guys really want me to... What? Yeah, yeah, yeah. You've been teasing us for six months. And I've been working on this for the better part of the year, so fight me.

So you may release this?

Yes, the plan is, if the talk at ShmooCon is accepted, I will be releasing this at ShmooCon. Hold on a second.

So you've been working on something for the better part of the year that's actually supported you to do full documentation?

It's not going to be full documentation. I'll send that at Ackerman. Shut up. You might want to repeat that online as a people note. It's a maximum order. It's Python, so yes, smartass. All of this code is written in Python, so you can pretty much run it on anything.

Did you present it to the system to make sure you don't store files in smaller locations?

No. I ran into, and I will readily admit, the particular algorithm that I'm using for that is garbage. So basically what it does is it says, okay, give me a list of all the printers. Show me how much storage they have. Great. Search the smallest one, and does the file that you want to store fit in that one? No. Go to the next one. Does it fit in that one? Great. Store it there. Give me the next one. Does it fit in that one? Great. Store it there. And so there are a lot of problems with doing that. I'm releasing this as a proof of concept. This is not meant to be a full-fledged tool. I don't have much intention to support it once it's out there. The idea is just to prove that this exists, these devices are vulnerable, and maybe we should actually start looking at these things.
When I started doing this, I was asked, they said, hey, how do we secure these devices from this? The only logical conclusion that I've been able to come up with is: put these devices in their own subnet, wall it off, and only talk to a print server. Route everything through the print server, because that's going to stop me from doing this.

So you wouldn't be opposed to someone weaponizing one?

If you've got ideas, I'd be more than happy to talk to you about them.

Why do you need brute force? Isn't the OPE and PEDset equal to the OPE?

I'm sorry, what was the question?

PJL, OPE, like the PJL scripting and passwords and things like that. Why do you need that?

So there are reset variables that you can trigger, but the problem is those are technically treated as secure commands, so you have to know the password. Otherwise, it just ignores you.

What happens before you upload your little file or something?

You only need to brute force when the actual device has been locked. Most of them are not locked at all. So that's simply here just as a subset to test things out, and on the chance that they actually did figure out how to lock the disks, I've already got a tool for that to fight back. Writing the password cracker was actually a lot of fun. It'll sit there and rip through about 30 threads. All the threads are aware of the other threads. So as soon as one thread tests its password space and finds one, it tells all the others.

We kind of alluded to it, but are you able to steal print jobs? Like, someone sends a print job and that printer spools it up on that printer. Do you steal that job and leave it somewhere else, or store it?

No. That was the goal when I went into this. Now, this new directory traversal that came out, I just haven't had time to play with, so it's entirely possible. Basically what it gets into is they have a write-only directory for every print job, and I can't view what's in it. But if I can get in there, yes, we can do that.
So what's the other storage you make it into?

It's normally for uploading font files. Repeat the question. She asked what the other storage was for, if it's not for print jobs. Do you have them stored just for font files? That's the only thing I've been able to come up with. All the documentation I've got, keep in mind the documentation I've got is really old. Don't ask me questions, that's more document. Dave? I wasn't going to show this, but I think we've got a Wikipedia entry that we need to show you. Involving some poor local in a donkey show. So anyways, yes. Do we have any other questions? Am I spacing out, am I missing something? Yes, good. All right, I'll get the hell offstage.
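Editor's addition, not part of the talk or of the speaker's PrintFS/PrintJet tools: a small Python triage routine that scans a raw port-9100 byte stream for the PJL activity the talk describes (file-system commands, the DMINFO/DMCMD SNMP pass-through that works with SNMP switched off, front-panel messages, DISKLOCK/PASSWORD changes, and repeated numeric JOB PASSWORD= guesses that indicate the password cracker). The command names come from the HP PJL reference; the category grouping, the brute-force threshold and the sample capture are constructed assumptions.

```python
"""Triage a raw port-9100 byte stream for PJL activity a defender would want flagged.
Constructed example; command names follow the HP PJL Technical Reference."""
import re
from collections import Counter

UEL = b"\x1b%-12345X"  # Universal Exit Language sequence that brackets each PJL job
PJL_LINE = re.compile(rb"@PJL\s+([A-Z]+)(.*)")  # command keyword + rest of line
PASSWORD_RE = re.compile(rb"PASSWORD\s*=\s*(\d+)")

# Keyword groups (assumed grouping; the names are real PJL commands)
FILESYSTEM = {"FSUPLOAD", "FSDOWNLOAD", "FSDIRLIST", "FSDELETE",
              "FSINIT", "FSMKDIR", "FSQUERY", "FSAPPEND"}
SNMP_PASSTHROUGH = {"DMCMD", "DMINFO"}   # SNMP over PJL; works with SNMP "disabled"
DISPLAY = {"RDYMSG", "OPMSG", "STMSG"}   # front-panel / LCD message control


def parse_pjl(data: bytes):
    """Return a list of (keyword, args) for every @PJL line in the stream."""
    cmds = []
    for job in data.split(UEL):
        for line in job.splitlines():
            m = PJL_LINE.match(line.strip())
            if m:
                cmds.append((m.group(1).decode(), m.group(2).strip()))
    return cmds


def triage(data: bytes, brute_threshold: int = 5):
    """Count commands per category and collect findings worth alerting on."""
    counts = Counter()
    findings = []
    passwords_tried = set()
    for kw, args in parse_pjl(data):
        if kw in FILESYSTEM:
            counts["filesystem"] += 1
            findings.append(f"file system access: @PJL {kw}")
        elif kw in SNMP_PASSTHROUGH:
            counts["snmp_passthrough"] += 1
            findings.append(f"SNMP passthrough via @PJL {kw}")
        elif kw in DISPLAY:
            counts["display"] += 1
        elif kw in ("DEFAULT", "SET") and (b"DISKLOCK" in args or b"PASSWORD" in args):
            counts["security_change"] += 1
            findings.append(f"security setting changed: @PJL {kw} {args.decode(errors='replace')}")
        elif kw == "JOB" and PASSWORD_RE.search(args):
            # each distinct numeric PASSWORD= value on a JOB command is one guess
            passwords_tried.add(int(PASSWORD_RE.search(args).group(1)))
        else:
            counts["other"] += 1
    if len(passwords_tried) >= brute_threshold:
        findings.append(f"{len(passwords_tried)} distinct PJL passwords tried (brute force?)")
    return {"counts": dict(counts), "findings": findings,
            "passwords_tried": len(passwords_tried)}


# Constructed sample capture: a directory listing, an SNMP pass-through query,
# an LCD message, seven password guesses and a disk lock, all in one stream.
SAMPLE = (
    UEL + b"@PJL INFO ID\r\n"
    + UEL + b'@PJL FSDIRLIST NAME="0:\\" ENTRY=1 COUNT=65535\r\n'
    + UEL + b'@PJL DMINFO ASCIIHEX="<hex placeholder>"\r\n'
    + UEL + b'@PJL RDYMSG DISPLAY="constructed sample"\r\n'
    + b"".join(UEL + b"@PJL JOB PASSWORD=%d\r\n" % n for n in range(1, 8))
    + UEL + b"@PJL DEFAULT DISKLOCK=ON\r\n"
    + UEL
)

if __name__ == "__main__":
    for finding in triage(SAMPLE)["findings"]:
        print(finding)
```

Feed it the reassembled TCP payload of a 9100 session (or the segment of a print-server capture that is not from the print server) and treat any finding as a reason to look at the source host.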