The printer goes brrrr
Network printers are good target candidates from an attacker's perspective since they are rarely reinstalled or supervised and thus constitute a perfect place to hide on a network. Moreover, they provide attackers with persistent access to sensitive documents that may be scanned or printed.
This kind of device was featured for the first time at the Pwn2Own competition in Austin in 2021. Three popular LaserJet printers were included in the competition: HP, Lexmark and Canon. During the event, we (Synacktiv) managed to compromise all of them, which, among other targets, allowed us to win the whole competition. In this talk, we will focus on how we achieved code execution on the Canon printer.
The primary step was to obtain the firmware in order to start the reverse analysis. These firmware images are distributed as custom, obfuscated packages. In this research, we will dissect the package format. Specifically, we will present how the preliminary analysis of the bootloader that we extracted from the flash memory allowed us to identify the deobfuscation routine, enabling us to decode further package updates available from Canon's website. The firmware is based on DryOS, a real-time OS powering several Canon products, including cameras and printers.
The Canon printer exposes several network services that we have analysed. In particular, we will present the CADM service as part of the attack surface and how we identified a heap-based overflow in one of the numerous operations handled by that protocol. Exploiting the vulnerability requires an understanding of the DryOS allocator, which will also be presented to the audience. Thanks to the DryOS console available via UART, we were able to dump the heap state and to devise a generic scenario to attack the allocator. We will present our exploitation strategy and how one could reuse it to exploit similar heap-based overflows. We will finally showcase how we managed to display an arbitrary image on the printer's LCD screen thanks to a shellcode that directly encodes pixel values in the framebuffer.
Mehdi Talbi, PhD
Mehdi Talbi, PhD, is a computer security researcher at Synacktiv. His main interests are vulnerability research, exploit development, reverse engineering, and source code auditing. Mehdi has published his work in several peer-reviewed journals (Journal in Computer Virology) and magazines (Phrack). He has also presented his work at several international conferences, including Infiltrate, Black Hat Europe, Virus Bulletin, SSTIC, Warcon, etc. Mehdi is one of the contributors to the Haka open source project showcased at DEF CON and Black Hat Arsenal.
Rémi Jullian
Rémi Jullian is a computer security researcher at Synacktiv. He started working in infosec as an intrusion detection engineer for the French National Security Agency (ANSSI). He then moved to reverse engineering, working first as a malware analyst, then as a vulnerability researcher. Passionate about computer security, both its defensive and offensive aspects, he also participates in CTFs in his free time. Rémi has also presented his work at BotConf 2018 and THCon 2021.
Thomas Jeunet
Thomas Jeunet is a long-time pentester and now a computer security researcher at Synacktiv. This research is his first publication and presentation. His main interests are vulnerability research, exploit development, and reverse engineering, particularly on exotic architectures.