Your printer is not your printer ! - Hacking Printers at Pwn2Own
Angelboy
angelboy@chroot.org
@scwuaptx
Whoami
• Angelboy (An-Jie Yang)
• Researcher at DEVCORE
• Ex-CTF Player
• HITCON / 217
• Chroot
• Pwn2Own
• 2020 Tokyo/2021 Austin
• Co-founder of pwnable.tw
• Speaker
• HITB GSEC 2018/AVTokyo 2018/VXCON/HITCON
Agenda
• Introduction
• Analysis
• Attack Surface
• Hacking printers at Pwn2Own
• Mitigation
• Conclusion
Introduction
• In the early days
• To use the printer, it was necessary to
• Use IEEE 1284 or USB to connect to the computer
• Install the printer driver before printing
• Usually offered only a single printing feature
Printer
Introduction
• Nowadays
• Printers can provide a variety of services, which makes them not only more convenient but also closer to IoT devices
• A printer can be found immediately when it is connected to the intranet
Printer - IoT
Printing / Hacking is also easier
Introduction
• Red Team
• A printer is one of the most common devices on the intranet
• Good target to hide our actions
• Sometimes integrated with Active Directory
Motivation
Introduction
• Pwn2Own 2021 Austin
Motivation
We thought they were trivial at first, but …
`ls`
; /bin/usr/id ;
%0Acat%20/etc/passwd
RTOS
(Real-Time Operating System)
Challenge accepted!
We will focus on Canon and HP in this talk
Analysis
• At the beginning, we thought we needed to ……
In fact, we didn’t tear down any of them !
Canon
Analysis
• Firmware version v6.03
• From the official Canon website
• At the beginning, we used binwalk
• But the firmware is obfuscated
• We could not use IDA directly
Canon - Firmware Extract
Analysis
• We also tried some previous work
• TREASURE CHEST PARTY QUEST: FROM DOOM TO EXPLOIT
• by Synacktiv
• Hacking Canon Pixma Printers – Doomed Encryption
• by Contextis research
• But it could not extract the firmware :(
Canon - Firmware Extract
• We can find some information in the obfuscated firmware
Analysis
Canon - Firmware Extract
[Figure labels: Size, Magic]
We decided to use this pattern to search for other firmware that is not obfuscated
Analysis
• We needed to download other firmware images from the official Canon website
• The original firmware download URL is
Canon - Firmware Extract
https://pdisp01.c-wss.com/gdl/WWUFORedirectTarget.do?id=MDQwMDAwNDc1MjA1&cmp=Z01&lang=EN
040000475205
Type: PDF, firmware, …
Ordinal Number: other model
Version: firmware version
Analysis
• We can list all versions of firmware
• V2.01
• V4.02
• V6.03
• V9.03 !?
• V10.02 !?
Canon - Firmware Extract
But all versions are obfuscated 😭
Let’s download all models
Analysis
• The total file size is 130GB
• grep NCFW and some plaintext
Canon - Firmware Extract
Analysis
• The WG7000 Series is not obfuscated!
• We analyzed the WG7000 firmware to find the key function
Canon - Firmware Extract
Analysis
• We tried the same function to deobfuscate the MF644CDW firmware
• Bingo!
Canon - Firmware Extract
[Figure label: Plaintext message]
Analysis
• Image Base Address
• We spent some time looking for the image base address of the firmware
• rbasefind
Canon - Firmware Analysis
• Original base is 0x40b00000
• It doesn’t seem to be the correct base
Analysis
Canon - Firmware Analysis
[Figure label: Should be strings]
Analysis
• Image Base Address
• We can find a known-correct function and its debug message and use them to adjust to the correct offset
• We found the base is 0x40affde0
Canon - Firmware Analysis
Analysis
• Canon MF644CDW
• OS - DryOSV2
• Customized RTOS by Canon
• ARMv7 32bit little-endian
• Linked with application code into a single image
• Kernel
• Service
• …
Canon - Firmware Analysis
HP
Analysis
• Relatively easy
• binwalk -Z
• Takes about 3 - 4 days
• It yields the correct firmware!
• The rest is similar to Canon
HP - Firmware Extract
Analysis
• HP - MFP M283fdw
• OS
• RTOS - modified from ThreadX/Green Hills
• ARM11 Mixed-endian
• Code - little-endian
• Data - Big-endian
HP - Firmware Analysis
Attack Surface
• Nowadays, there are many services enabled by default

Service | Port     | Description
RUI     | TCP 80   | Web interface
PDL     | TCP 9100 | Page Description Language
PJL     | TCP 9100 | Printer Job Language
IPP     | TCP 631  | Internet Printing Protocol
LPD     | TCP 515  | Line Printer Daemon Protocol
SNMP    | UDP 161  | Simple Network Management Protocol
SLP     | TCP 427  | Service Location Protocol
mDNS    | UDP 5353 | Multicast DNS
LLMNR   | UDP 5355 | Link-Local Multicast Name Resolution
…       | …        | …
Attack Surface
• After evaluating the overall architecture, we decided to focus on service discovery and the DNS family of services
• SLP
• mDNS
• LLMNR
Protocols like these, when implemented by the manufacturers themselves, are often prone to vulnerabilities
Hacking Canon Printer
Hacking printers at Pwn2Own
• SLP is a service discovery protocol that allows computers and other devices to find services in a local area network
Service Location Protocol
Hacking printers at Pwn2Own
• SLP Architecture without Directory Agent
Canon - SLP
[Diagram: the User Agent (client) sends a Service Request or Attribute Request to the Service Agent (printer) by unicast or multicast; the Service Agent answers by unicast with a Service Reply or Attribute Reply]
Hacking printers at Pwn2Own
• SLP Packet Structure
Canon - SLP

Bit 0 - 7 | Bit 8 - 15 | Bit 16 - 23 | Bit 24 - 31
Version | Function-Id | Length (bits 16 - 31)
Length, contd. | O F R Reserved (bits 8 - 23) | Next Ext Offset
Next Ext Offset, contd. (bits 0 - 15) | XID (bits 16 - 31)
Language Tag Length (bits 0 - 15) | Language Tag (Variable)
Payload (Variable)

Hacking printers at Pwn2Own
• Canon only implemented service request and attribute request
Canon - SLP

Function Code | Message Type
1             | Service Request
6             | Attribute Request
Hacking printers at Pwn2Own
• Attribute Request (AttrRqst)
• Allows a User Agent to discover the attributes of a given service (by supplying its URL) or of an entire device type
Canon - SLP
https://www.ietf.org/rfc/rfc2608.txt
Hacking printers at Pwn2Own
• Attribute Request (AttrRqst)
Canon - SLP

Payload fields (after the SLP header):
…
Length of <scope-list> | <scope-list> string (Variable)
…
Length of URL | URL (Variable)
Hacking printers at Pwn2Own
• There is a vulnerability in how the Canon firmware parses the body of AttrRqst
• It converts escape sequences to characters, for example \41 → A
• This leads to a stack overflow while parsing the body of AttrRqst
• There is validation in the normal case
• There is no validation in the escaping case
Canon - Vulnerability
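The bug class described above, as an added illustration that is not Canon's code (the firmware routine itself is not reproduced on this page): a decoder for `\XX` escapes whose capacity check sits only on the literal-copy path, next to a version that checks before every write. The function names, the 16-byte `FIELD_CAP` and the sample inputs are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FIELD_CAP 16   /* assumed size of the fixed stack buffer */

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hex_val(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/*
 * Flawed pattern, shown for contrast and never called below: the capacity
 * check sits on the literal-copy path only, so a field made of escapes
 * writes past out[out_cap - 1].
 */
size_t unescape_flawed(const unsigned char *in, size_t in_len,
                       unsigned char *out, size_t out_cap)
{
    size_t i = 0, o = 0;
    while (i < in_len) {
        if (in[i] == '\\' && in_len - i >= 3) {
            out[o++] = (unsigned char)(hex_val(in[i + 1]) * 16 + hex_val(in[i + 2]));
            i += 3;                      /* escape path: no capacity check */
        } else {
            if (o >= out_cap) break;     /* normal path: checked */
            out[o++] = in[i++];
        }
    }
    return o;
}

/*
 * Checked version: one capacity test in front of the only write, so both
 * paths are covered. Returns the decoded length, or -1 if the field is
 * malformed or does not fit.
 */
long unescape_checked(const unsigned char *in, size_t in_len,
                      unsigned char *out, size_t out_cap)
{
    size_t i = 0, o = 0;
    while (i < in_len) {
        unsigned char c = in[i];
        size_t used = 1;
        if (c == '\\') {
            int hi, lo;
            if (in_len - i < 3) return -1;            /* truncated escape */
            hi = hex_val(in[i + 1]);
            lo = hex_val(in[i + 2]);
            if (hi < 0 || lo < 0) return -1;          /* not two hex digits */
            c = (unsigned char)(hi * 16 + lo);
            used = 3;
        }
        if (o >= out_cap) return -1;                  /* output is full */
        out[o++] = c;
        i += used;
    }
    return (long)o;
}

/* Decode a field into a FIELD_CAP-byte local buffer, as a handler would. */
long decode_len(const char *field)
{
    unsigned char buf[FIELD_CAP];
    return unescape_checked((const unsigned char *)field, strlen(field),
                            buf, sizeof buf);
}

/* 1 if field decodes to exactly the bytes of expected, else 0. */
int decodes_to(const char *field, const char *expected)
{
    unsigned char buf[FIELD_CAP];
    long n = unescape_checked((const unsigned char *)field, strlen(field),
                              buf, sizeof buf);
    return n == (long)strlen(expected) && memcmp(buf, expected, (size_t)n) == 0;
}

/* Constructed input: n copies of the escape \41, i.e. n decoded bytes. */
long decode_n_escapes(size_t n)
{
    char field[3 * 64 + 1];
    size_t k;
    if (n > 64) return -1;
    for (k = 0; k < n; k++) memcpy(field + 3 * k, "\\41", 3);
    field[3 * n] = '\0';
    return decode_len(field);
}

int main(void)
{
    printf("\\41BC -> ABC: %d\n", decodes_to("\\41BC", "ABC"));
    printf("16 escapes: %ld\n", decode_n_escapes(16));
    printf("17 escapes: %ld\n", decode_n_escapes(17));
    return 0;
}
```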
Hacking printers at Pwn2Own
• Protection
• No Stack Guard
• No DEP
• No ASLR
Canon - Exploitation
Hacker Friendly :)
We just need to find a buffer to store our shellcode and return to it
Hacking printers at Pwn2Own
• BJNP
• A service discovery protocol designed by Canon
• Exploited by Synacktiv
• It stores session data in a global buffer
Canon - Exploitation
Hacking printers at Pwn2Own
• Exploit Step
• Use BJNP to store our shellcode on a global buffer
• Trigger stack overflow in SLP and overwrite return address
• Return to the global buffer
Canon - Exploitation
Hacking printers at Pwn2Own
• The contest requires you to prove that you have pwned the target
• For the printer, we first chose to print the "DEVCORE logo" on the LCD screen
• But we spent a lot of time looking for it …
• In the end, due to time constraints, we only chose to print the message on the screen
Pwn2Own Austin 2021
http://youtu.be/vQbQImZ3XRw?t=18405
Hacking printers at Pwn2Own
• Debugger ?
• If we want to debug it, we need to have a debug console
• Need to tear down the printer
• Use an old exploit to install a customized debugger
• Need to downgrade the printer
Canon - Exploitation
Hacking printers at Pwn2Own
• But we were too lazy, so we just used sleep debugging :)
Canon - Exploitation
[Diagram labels: ROP/shellcode, Do something, Sleep, Reboot]
Hacking HP Printer
Hacking printers at Pwn2Own
• LLMNR is very similar to mDNS. It provides basic name resolution on the same local link
Link-Local Multicast Name Resolution
Hacking printers at Pwn2Own
• LLMNR protocol
HP - LLMNR
[Diagram: Client A multicasts the request "Address of Client C ?" to 224.0.0.252, reaching Clients B, C and D; Client C answers with an LLMNR response]
Hacking printers at Pwn2Own
• LLMNR Header (based on the DNS header format)
• LLMNR queries use the same format as DNS queries
HP - LLMNR

Bit 0 - 15 | Bit 16 - 31
ID         | Flags
QDCOUNT    | ANCOUNT
NSCOUNT    | ARCOUNT
Queries (Variable)

Queries:
0x3 www 0x6 google 0x3 com 0 | Type | Class | …
0xc0 0xd
Hacking printers at Pwn2Own
• There is a stack overflow when LLMNR is parsing the queries
• The name is copied into a fixed-size buffer on the stack
• Without any length verification
HP - Vulnerability
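A bounded parser for the query-name format shown above, as an added example rather than HP's code: every label length is checked against both the packet and the destination buffer before it is copied. `parse_qname`, the 64-byte `NAME_CAP`, the choice to reject length bytes above 63 (including the `0xc0` form) and the sample packets are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_HDR_LEN 12   /* ID, Flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT */
#define MAX_LABEL   63   /* larger length bytes are pointers or reserved */
#define NAME_CAP    64   /* assumed size of the fixed destination buffer */

/* Copy the first question name into out as dotted text. Returns the name
 * length, or -1 if the name is malformed, runs past the packet, or does not
 * fit in out together with its terminating NUL. */
int parse_qname(const uint8_t *pkt, size_t pkt_len, char *out, size_t out_cap)
{
    size_t pos = DNS_HDR_LEN, o = 0;
    if (pkt_len < DNS_HDR_LEN || out_cap == 0) return -1;
    for (;;) {
        size_t len, need;
        if (pos >= pkt_len) return -1;        /* no terminating label */
        len = pkt[pos++];
        if (len == 0) break;                  /* root label ends the name */
        if (len > MAX_LABEL) return -1;       /* e.g. 0xc0: rejected here */
        if (len > pkt_len - pos) return -1;   /* label longer than packet */
        need = len + (o ? 1 : 0);             /* label plus '.' separator */
        if (need >= out_cap - o) return -1;   /* keep one byte for NUL */
        if (o) out[o++] = '.';
        memcpy(out + o, pkt + pos, len);
        o += len;
        pos += len;
    }
    if (pkt_len - pos < 4) return -1;         /* Type and Class missing */
    out[o] = '\0';
    return (int)o;
}

/* Build a constructed query for a dotted name; returns its length or 0. */
size_t build_query(const char *dotted, uint8_t *pkt, size_t cap)
{
    size_t pos = DNS_HDR_LEN;
    if (cap < DNS_HDR_LEN + strlen(dotted) + 6) return 0;
    memset(pkt, 0, DNS_HDR_LEN);
    pkt[5] = 1;                               /* QDCOUNT = 1 */
    while (*dotted) {
        size_t n = strcspn(dotted, ".");
        pkt[pos++] = (uint8_t)n;              /* length byte, then label */
        memcpy(pkt + pos, dotted, n);
        pos += n;
        dotted += n;
        if (*dotted == '.') dotted++;
    }
    memcpy(pkt + pos, "\0\0\1\0\1", 5);       /* root, Type A, Class IN */
    return pos + 5;
}

/* Build a query for dotted and parse it back into out. */
int parse_sample(const char *dotted, char *out, size_t out_cap)
{
    uint8_t pkt[512];
    size_t n = build_query(dotted, pkt, sizeof pkt);
    return n ? parse_qname(pkt, n, out, out_cap) : -1;
}

/* 1 if a query built for dotted parses back to the same text. */
int roundtrips(const char *dotted)
{
    char out[NAME_CAP];
    int n = parse_sample(dotted, out, sizeof out);
    return n == (int)strlen(dotted) && strcmp(out, dotted) == 0;
}

/* Parse a constructed name made of two labels of a and b bytes. */
int len_for_two_labels(size_t a, size_t b)
{
    char dotted[160], out[NAME_CAP];
    if (a == 0 || b == 0 || a > MAX_LABEL || b > MAX_LABEL) return -1;
    memset(dotted, 'a', a);
    dotted[a] = '.';
    memset(dotted + a + 1, 'b', b);
    dotted[a + 1 + b] = '\0';
    return parse_sample(dotted, out, sizeof out);
}

/* Constructed packets: a 0xc0 0x0d pointer in place of the name, and a
 * length byte (0x10) that claims more bytes than the packet holds. */
const uint8_t PKT_POINTER[] = { 0,1, 0,0, 0,1, 0,0, 0,0, 0,0, 0xc0,0x0d, 0,1, 0,1 };
const uint8_t PKT_TRUNCATED[] = { 0,2, 0,0, 0,1, 0,0, 0,0, 0,0, 0x10,'a','b' };

int parse_raw(const uint8_t *pkt, size_t len)
{
    char out[NAME_CAP];
    return parse_qname(pkt, len, out, sizeof out);
}

int main(void)
{
    printf("www.google.com: %d\n", roundtrips("www.google.com"));
    printf("31+32 byte labels: %d\n", len_for_two_labels(31, 32));
    return 0;
}
```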
We tried to exploit it in a similar way to Canon, but …
Hacking printers at Pwn2Own
• Protection
• No Stack Guard
• XN (DEP)
• Memory Protection Unit (MPU)
• No ASLR
HP - Exploitation
Hacking printers at Pwn2Own
• Some limits in this vulnerability
• We can only overflow about 0x100 bytes
• Null terminated
• XN(DEP) and MPU
• Preventing us from executing shellcode
HP - Exploitation
Hacker not Friendly ?
Can be bypassed ?
How to implement it ?
Hacking printers at Pwn2Own
• Let's delve into HP RTOS
• Linked with application code into a single image
• Many tasks run
• in the same virtual address space
• in kernel-mode
HP - Exploitation
MMU
Hacking printers at Pwn2Own
• MMU in HP M283fdw
• Use one-level page table translation
• Translation table entry for translating a 1MB section
• Translation table is located at 0x4003c000
HP - Exploitation
Hacking printers at Pwn2Own
HP - MMU
[Diagram: the TTBR points to the translation table; bits 31:20 of the virtual address are the index into the first-level table and select a translation table entry; the remaining bits are the page index into physical memory]
[Diagram: translation table entry fields, from bit 0 upward: 0, 1, B, C, XN, Domain, P, AP, TEX, APX, S, nG, 0, 0, Section Address (bits 31:20)]
Hacking printers at Pwn2Own
• MMU in HP M283fdw
• The translation table is at a known address
• We can bypass XN by modifying the translation table entry!
• But it's protected by the Memory Protection Unit (MPU)
HP - Exploitation
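An added example (not from the talk) that decodes the section-entry layout shown above and audits a first-level table for 1MB sections that are writable in privileged mode while XN is clear. The bit positions are those of the ARMv6 first-level section format, assumed here to match the target; the function names and the four-entry sample table are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Section-entry fields as laid out in the diagram above; the bit positions
 * are the ARMv6 first-level section format (assumed to match the target). */
#define DESC_TYPE(d)   ((d) & 0x3u)            /* bits 1:0, 0b10 = section */
#define DESC_XN(d)     (((d) >> 4) & 0x1u)     /* execute never */
#define DESC_DOMAIN(d) (((d) >> 5) & 0xFu)
#define DESC_AP(d)     (((d) >> 10) & 0x3u)
#define DESC_APX(d)    (((d) >> 15) & 0x1u)
#define DESC_SUPER(d)  (((d) >> 18) & 0x1u)    /* 0 for a 1MB section */
#define DESC_BASE(d)   ((d) & 0xFFF00000u)     /* section address, bits 31:20 */

struct section {
    uint32_t va, pa;
    unsigned domain;
    int xn;          /* 1 = instruction fetch forbidden */
    int priv_write;  /* 1 = writable in privileged mode */
};

/* Decode entry `index` of a first-level table. Returns 0 for entries that
 * are not 1MB sections (faults, other descriptor types). AP and XN are only
 * enforced for domains in client mode, so a full audit also has to look at
 * the domain access control register. */
int decode_section(uint32_t index, uint32_t desc, struct section *s)
{
    if (DESC_TYPE(desc) != 0x2u || DESC_SUPER(desc)) return 0;
    s->va = index << 20;                 /* VA bits 31:20 select the entry */
    s->pa = DESC_BASE(desc);
    s->domain = DESC_DOMAIN(desc);
    s->xn = (int)DESC_XN(desc);
    /* APX=0 with AP!=0 allows privileged writes; APX=1 encodings do not. */
    s->priv_write = (DESC_APX(desc) == 0 && DESC_AP(desc) != 0);
    return 1;
}

/* 1 if desc maps a section that is both writable and executable. */
int section_is_wx(uint32_t desc)
{
    struct section s;
    return decode_section(0, desc, &s) && s.priv_write && !s.xn;
}

/* Number of writable-and-executable sections in the table. */
size_t count_wx(const uint32_t *table, size_t entries)
{
    size_t i, n = 0;
    for (i = 0; i < entries; i++) n += (size_t)section_is_wx(table[i]);
    return n;
}

/* Index of the first writable-and-executable section, or -1 if none. */
long first_wx_index(const uint32_t *table, size_t entries)
{
    size_t i;
    for (i = 0; i < entries; i++)
        if (section_is_wx(table[i])) return (long)i;
    return -1;
}

/* Constructed sample table (not read from a device). */
const uint32_t SAMPLE_TABLE[4] = {
    0x00008402u,   /* code: privileged read-only (APX=1, AP=01), executable */
    0x00100412u,   /* data: privileged RW (AP=01), XN=1 */
    0x00200402u,   /* privileged RW and XN=0: writable and executable */
    0x00000000u    /* fault entry */
};

int main(void)
{
    size_t i;
    for (i = 0; i < 4; i++) {
        struct section s;
        if (!decode_section((uint32_t)i, SAMPLE_TABLE[i], &s)) continue;
        printf("VA 0x%08lx -> PA 0x%08lx domain %u %s%s\n",
               (unsigned long)s.va, (unsigned long)s.pa, s.domain,
               s.priv_write ? "W" : "-", s.xn ? "-" : "X");
    }
    printf("W+X sections: %lu\n", (unsigned long)count_wx(SAMPLE_TABLE, 4));
    return 0;
}
```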
MPU
Hacking printers at Pwn2Own
• Memory Protection Unit
• The MPU enables you to partition memory into regions and set individual protection attributes for each region
• Enabled at boot
HP - Exploitation
[Diagram: physical memory split into MPU regions: Region 0 (Page Table, Code), Region 1 (Data), Region …; labels: Read only, RW, Write access]
Hacking printers at Pwn2Own
• Memory Protection Unit
• The MPU is configured through a series of memory-mapped registers in the System Control Space
• MPU_CTRL 0xE0400304
HP - Exploitation
[Diagram: MPU registers: MPU_TYPE, MPU_CTRL, MPU_RNR, …]
We can easily use ROP to overwrite it with 0 to disable the MPU
Hacking printers at Pwn2Own
• After we disable MPU and overwrite translation table entry
• We can modify any code page
• Modify the code of LPD (Line Printer Daemon) so that it reads our payload to a specific address
• Convert LPD into a debug console
HP - Exploitation
Hacking printers at Pwn2Own
• After we disable MPU and overwrite translation table entry
• We must invalidate
• Translation Lookaside Buffer
• D-cache and I-cache
HP - Exploitation
Hacking printers at Pwn2Own
• Exploit Step
• Trigger stack overflow in LLMNR and overwrite return address
• ROP to disable MPU
• ROP to modify translation table entry
• Flush TLB
• ROP to invalidate I-cache and D-cache
• ROP to modify code of LPD
• Use modified LPD to read our shellcode and jump to shellcode
HP - Exploitation
Hacking printers at Pwn2Own
• The contest requires you to prove that you have pwned the target
• Originally, we just wanted to print the message on the LCD screen
• But luckily, we later saw that something a little like the DEVCORE logo can be printed
• Just modify the string and trigger the printer test
Pwn2Own Austin 2021
Hacking printers at Pwn2Own
• Debug Console
Pwn2Own Austin 2021
Hacking printers at Pwn2Own
• Result
Pwn2Own Austin 2021
Hacking printers at Pwn2Own
• After we have code execution
• We can
• Steal Credential
• Lateral movement
• Hard to detect
• …
Exploitation
Mitigation
• Update
• Canon and HP printers have been patched; please update to the latest version
• Disable unused services
• The attack surface of a printer is too large
• Many services are open by default
• Firewall
Conclusion
• Discovery and DNS-family services are a weak point in printers
• Printers are still a good target for red teams
Reference
• https://labs.withsecure.com/assets/BlogFiles/Printing-Shellz.pdf
• https://foxglovesecurity.com/2017/11/20/a-sheep-in-wolfs-clothing-finding-rce-in-hps-printer-fleet/
• https://research.checkpoint.com/2018/sending-fax-back-to-the-dark-ages/
Thank you for listening
@scwuaptx
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo PupilloCODE BLUE
 
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
[cb22]  ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...[cb22]  ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...CODE BLUE
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
[cb22]  「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman [cb22]  「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman CODE BLUE
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...CODE BLUE
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by  高橋 郁夫[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by  高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫CODE BLUE
 
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...CODE BLUE
 
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka [cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka CODE BLUE
 
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...CODE BLUE
 
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...CODE BLUE
 
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
[cb22]  From Parroting to Echoing:  The Evolution of China’s Bots-Driven Info...[cb22]  From Parroting to Echoing:  The Evolution of China’s Bots-Driven Info...
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...CODE BLUE
 
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22]  Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...[cb22]  Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...CODE BLUE
 
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...CODE BLUE
 
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...CODE BLUE
 
[cb22] What I learned from the direct confrontation with the adversaries who ...
[cb22] What I learned from the direct confrontation with the adversaries who ...[cb22] What I learned from the direct confrontation with the adversaries who ...
[cb22] What I learned from the direct confrontation with the adversaries who ...CODE BLUE
 
[cb22] SMARTIAN: Enhancing Smart Contract Fuzzing with Static and Dynamic Da...
[cb22]  SMARTIAN: Enhancing Smart Contract Fuzzing with Static and Dynamic Da...[cb22]  SMARTIAN: Enhancing Smart Contract Fuzzing with Static and Dynamic Da...
[cb22] SMARTIAN: Enhancing Smart Contract Fuzzing with Static and Dynamic Da...CODE BLUE
 
[cb22] Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once ...
[cb22] Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once ...[cb22] Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once ...
[cb22] Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once ...CODE BLUE
 

More from CODE BLUE (20)

[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten Nohl[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten Nohl
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
 
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
[cb22]  ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...[cb22]  ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
[cb22]  「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman [cb22]  「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by  高橋 郁夫[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by  高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
 
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
 
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka [cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
 
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
 
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
 
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
[cb22]  From Parroting to Echoing:  The Evolution of China’s Bots-Driven Info...[cb22]  From Parroting to Echoing:  The Evolution of China’s Bots-Driven Info...
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
 
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22]  Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...[cb22]  Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
 
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
 
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
 
[cb22] What I learned from the direct confrontation with the adversaries who ...
[cb22] What I learned from the direct confrontation with the adversaries who ...[cb22] What I learned from the direct confrontation with the adversaries who ...
[cb22] What I learned from the direct confrontation with the adversaries who ...
 
[cb22] SMARTIAN: Enhancing Smart Contract Fuzzing with Static and Dynamic Da...
[cb22]  SMARTIAN: Enhancing Smart Contract Fuzzing with Static and Dynamic Da...[cb22]  SMARTIAN: Enhancing Smart Contract Fuzzing with Static and Dynamic Da...
[cb22] SMARTIAN: Enhancing Smart Contract Fuzzing with Static and Dynamic Da...
 
[cb22] Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once ...
[cb22] Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once ...[cb22] Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once ...
[cb22] Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once ...
 

Recently uploaded

CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...henrik385807
 
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...Sheetaleventcompany
 
Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...
Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...
Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...NETWAYS
 
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779Delhi Call girls
 
ANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docxANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docxNikitaBankoti2
 
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024eCommerce Institute
 
Genesis part 2 Isaiah Scudder 04-24-2024.pptx
Genesis part 2 Isaiah Scudder 04-24-2024.pptxGenesis part 2 Isaiah Scudder 04-24-2024.pptx
Genesis part 2 Isaiah Scudder 04-24-2024.pptxFamilyWorshipCenterD
 
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...NETWAYS
 
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara ServicesVVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara ServicesPooja Nehwal
 
WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )
WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )
WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )Pooja Nehwal
 
CTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdf
CTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdfCTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdf
CTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdfhenrik385807
 
SaaStr Workshop Wednesday w: Jason Lemkin, SaaStr
SaaStr Workshop Wednesday w: Jason Lemkin, SaaStrSaaStr Workshop Wednesday w: Jason Lemkin, SaaStr
SaaStr Workshop Wednesday w: Jason Lemkin, SaaStrsaastr
 
OSCamp Kubernetes 2024 | SRE Challenges in Monolith to Microservices Shift at...
OSCamp Kubernetes 2024 | SRE Challenges in Monolith to Microservices Shift at...OSCamp Kubernetes 2024 | SRE Challenges in Monolith to Microservices Shift at...
OSCamp Kubernetes 2024 | SRE Challenges in Monolith to Microservices Shift at...NETWAYS
 
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...Hasting Chen
 
Microsoft Copilot AI for Everyone - created by AI
Microsoft Copilot AI for Everyone - created by AIMicrosoft Copilot AI for Everyone - created by AI
Microsoft Copilot AI for Everyone - created by AITatiana Gurgel
 
Motivation and Theory Maslow and Murray pdf
Motivation and Theory Maslow and Murray pdfMotivation and Theory Maslow and Murray pdf
Motivation and Theory Maslow and Murray pdfakankshagupta7348026
 
Open Source Camp Kubernetes 2024 | Running WebAssembly on Kubernetes by Alex ...
Open Source Camp Kubernetes 2024 | Running WebAssembly on Kubernetes by Alex ...Open Source Camp Kubernetes 2024 | Running WebAssembly on Kubernetes by Alex ...
Open Source Camp Kubernetes 2024 | Running WebAssembly on Kubernetes by Alex ...NETWAYS
 
call girls in delhi malviya nagar @9811711561@
call girls in delhi malviya nagar @9811711561@call girls in delhi malviya nagar @9811711561@
call girls in delhi malviya nagar @9811711561@vikas rana
 
Russian Call Girls in Kolkata Vaishnavi 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Vaishnavi 🤌  8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Vaishnavi 🤌  8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Vaishnavi 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptxMohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptxmohammadalnahdi22
 

Recently uploaded (20)

CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...
 
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
 
Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...
Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...
Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...
 
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
 
ANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docxANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docx
 
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024
 
Genesis part 2 Isaiah Scudder 04-24-2024.pptx
Genesis part 2 Isaiah Scudder 04-24-2024.pptxGenesis part 2 Isaiah Scudder 04-24-2024.pptx
Genesis part 2 Isaiah Scudder 04-24-2024.pptx
 
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
 
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara ServicesVVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
 
WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )
WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )
WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )
 
CTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdf
CTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdfCTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdf
CTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdf
 
SaaStr Workshop Wednesday w: Jason Lemkin, SaaStr
SaaStr Workshop Wednesday w: Jason Lemkin, SaaStrSaaStr Workshop Wednesday w: Jason Lemkin, SaaStr
SaaStr Workshop Wednesday w: Jason Lemkin, SaaStr
 
OSCamp Kubernetes 2024 | SRE Challenges in Monolith to Microservices Shift at...
OSCamp Kubernetes 2024 | SRE Challenges in Monolith to Microservices Shift at...OSCamp Kubernetes 2024 | SRE Challenges in Monolith to Microservices Shift at...
OSCamp Kubernetes 2024 | SRE Challenges in Monolith to Microservices Shift at...
 
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
 
Microsoft Copilot AI for Everyone - created by AI
Microsoft Copilot AI for Everyone - created by AIMicrosoft Copilot AI for Everyone - created by AI
Microsoft Copilot AI for Everyone - created by AI
 
Motivation and Theory Maslow and Murray pdf
Motivation and Theory Maslow and Murray pdfMotivation and Theory Maslow and Murray pdf
Motivation and Theory Maslow and Murray pdf
 
Open Source Camp Kubernetes 2024 | Running WebAssembly on Kubernetes by Alex ...
Open Source Camp Kubernetes 2024 | Running WebAssembly on Kubernetes by Alex ...Open Source Camp Kubernetes 2024 | Running WebAssembly on Kubernetes by Alex ...
Open Source Camp Kubernetes 2024 | Running WebAssembly on Kubernetes by Alex ...
 
call girls in delhi malviya nagar @9811711561@
call girls in delhi malviya nagar @9811711561@call girls in delhi malviya nagar @9811711561@
call girls in delhi malviya nagar @9811711561@
 
Russian Call Girls in Kolkata Vaishnavi 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Vaishnavi 🤌  8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Vaishnavi 🤌  8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Vaishnavi 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptxMohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptx
 

[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by An-Jie Yang

  • 1. Your printer is not your printer ! - Hacking Printers at Pwn2Own Angelboy angelboy@chroot.org @scwuaptx 1
  • 2. Whoami • Angelboy (An-Jie Yang) • Researcher at DEVCORE • Ex-CTF Player • HITCON / 217 • Chroot • Pwn2Own • 2020 Tokyo/2021 Austin • Co-founder of pwnable.tw • Speaker • HITB GSEC 2018/AVTokyo 2018/VXCON/HITCON 2
  • 3. Agenda • Introduction • Analysis • Attack Surface • Hacking printers at Pwn2Own • Mitigation • Conclusion 3
  • 4. Agenda • Introduction • Analysis • Attack Surface • Hacking printers at Pwn2Own • Mitigation • Conclusion 4
  • 5. 5
  • 6. Introduction • In the early days • to use the printer, it was necessary to • Use IEEE1284 or USB to connect to the Computer • Install Printer driver before printing • Usually only a single printer feature Printer 6
  • 7. Introduction • Nowadays • Printer can provide a variety of services which make printer not only more convenient but also closer to IoT • It can be found immediately when connected to intranet Printer - IoT 7 image: Flaticon.com
  • 10. 10
  • 12. Introduction • Red Team • Printer is one of the most common devices in the intranet Motivation 12
  • 13. Introduction • Red Team • Printer is one of the most common devices in the intranet • Good target to hide our actions Motivation 13
  • 14. Introduction • Red Team • Printer is one of the most common devices in the intranet • Good target to hide our actions • Sometimes integrate with Active Directory Motivation 14
  • 15. Introduction • Pwn2Own 2021 Austin Motivation 15
  • 16. We thought they were trivial at first, but … 16 `ls` ; /bin/usr/id ; %0Acat%20/etc/passwd
  • 19. 19
  • 20. 20
  • 21. We will focus on Canon and HP in this talk 21
  • 22. Agenda • Introduction • Analysis • Attack Surface • Hacking printers at Pwn2Own • Mitigation • Conclusion 22
  • 23. Analysis • At the beginning, we thought we need to …… 23
  • 24. In fact, we didn’t tear down any of them ! 24
  • 26. Analysis • Firmware version v6.03 • From Canon official • At the beginning, we use binwalk • But the firmware is obfuscated • We cannot use IDA directly Canon - Firmware Extract 26
  • 27. Analysis • We also try some previous works • TREASURE CHEST PARTY QUEST: FROM DOOM TO EXPLOIT • by Synacktiv • Hacking Canon Pixma Printers – Doomed Encryption • by Contextis research Canon - Firmware Extract 27
  • 28. Analysis • We also try some previous works • TREASURE CHEST PARTY QUEST: FROM DOOM TO EXPLOIT • by Synacktiv • Hacking Canon Pixma Printers – Doomed Encryption • by Contextis research • But it cannot extract the firmware :( Canon - Firmware Extract 28
  • 29. Analysis • We can find some information from the obfuscated firmware • Size • Magic Canon - Firmware Extract 29
  • 30. We decide to use this pattern to search for other firmware that is not obfuscated 30
  • 31. Analysis • We need to download other firmwares from Canon official website • Original firmware download URL is Canon - Firmware Extract 31 https://pdisp01.c-wss.com/gdl/WWUFORedirectTarget.do?id=MDQwMDAwNDc1MjA1&cmp=Z01&lang=EN
  • 32. Analysis Canon - Firmware Extract 32 https://pdisp01.c-wss.com/gdl/WWUFORedirectTarget.do?id=MDQwMDAwNDc1MjA1&cmp=Z01&lang=EN 040000475205
  • 33. Analysis Canon - Firmware Extract 34 https://pdisp01.c-wss.com/gdl/WWUFORedirectTarget.do?id=MDQwMDAwNDc1MjA1&cmp=Z01&lang=EN 040000475205 Type Ordinal Number Version Pdf,firmware … Other model Firmware version
  • 34. Analysis • We can list all versions of firmware • V2.01 • V4.02 • V6.03 • V9.03 !? • V10.02 !? Canon - Firmware Extract 35
  • 35. But all versions are obfuscated 😭 36
  • 36. Let’s download all models 37
  • 37. Analysis • The total file size is 130GB • grep NCFW and some plaintext Canon - Firmware Extract 38
  • 38. Analysis • WG7000 Series is not obfuscated ! • We analyze the firmware of WG7000 to find the key function Canon - Firmware Extract 39
  • 39. Analysis • Try to use the same function to deobfuscate the firmware of MF644CDW • Bingo ! Canon - Firmware Extract 40 Plaintext message
  • 40. Analysis • Image Base Address • We spent some time looking for image base address of firmware • rbasefind Canon - Firmware Analysis 41
  • 41. • Original base is 0x40b00000 • It doesn’t seem to be the correct base Analysis Canon - Firmware Analysis 42 Should be strings
  • 42. Analysis • Image Base Address • We can find a correct function and debug message to adjust to the correct offset • We found the base is 0x40affde0 Canon - Firmware Analysis 43
  • 44. Analysis • Canon MF644CDW • OS - DryOSV2 • Customized RTOS by Canon • ARMv7 32bit little-endian • Linked with application code into a single image • Kernel • Service • … Canon - Firmware Analysis 45
  • 45. HP 46
  • 46. Analysis • Relatively easy • Binwalk -Z • Takes about 3 - 4 days • It will get the correct firmware ! • Other part is similar to Canon HP - Firmware Extract 47
  • 47. Analysis • HP - MFP M283fdw • OS • RTOS - Modified from ThreadX/Green Hills • ARM11 Mixed-endian • Code - little-endian • Data - Big-endian HP - Firmware Analysis 48
  • 48. Agenda • Introduction • Analysis • Attack Surface • Hacking printers at Pwn2Own • Mitigation • Conclusion 49
  • 49. Attack Surface • Nowadays, there are many services enabled by default • Service | Port | Description • RUI | TCP 80 | Web interface • PDL | TCP 9100 | Page Description Language • PJL | TCP 9100 | Printer Job Language • IPP | TCP 631 | Internet Printing Protocol • LPD | TCP 515 | Line Printer Daemon Protocol • SNMP | UDP 161 | Simple Network Management Protocol 50
  • 50. Attack Surface • Nowadays, there are many services enabled by default • Service | Port | Description • SLP | TCP 427 | Service Location Protocol • mDNS | UDP 5353 | Multicast DNS • LLMNR | UDP 5355 | Link-Local Multicast Name Resolution • … | … | … 51
  • 51. Attack Surface • After we evaluate the overall architecture, we decide to focus on service discovery and DNS series of services • SLP • mDNS • LLMNR 52
  • 52. Such protocols, implemented by the manufacturers themselves, are often prone to vulnerabilities 53
  • 53. Agenda • Introduction • Analysis • Attack Surface • Hacking printers at Pwn2Own • Mitigation • Conclusion 55
  • 55. Hacking printers at Pwn2Own • SLP is a service discovery protocol that allows computers and other devices to find services in local area network Service Location Protocol 57
  • 56. Hacking printers at Pwn2Own • SLP Architecture without Directory Agent Canon - SLP 58 User Agent Client Service Agent Printer
  • 57. Hacking printers at Pwn2Own • SLP Architecture without Directory Agent Canon - SLP 59 User Agent Client Service Agent Printer Unicast/Multicast Service Request Attribute Request
  • 58. Hacking printers at Pwn2Own • SLP Architecture without Directory Agent Canon - SLP 60 User Agent Client Service Agent Printer Unicast Service Reply Attribute Reply
  • 59. Hacking printers at Pwn2Own • SLP Packet Structure (columns: Bit 0 - 7 | Bit 8 - 15 | Bit 16 - 23 | Bit 24 - 31) • Version | Function-Id | Length • Length, contd. | O F R | Reserved | Next Ext Offset • Next Ext Offset, contd. | XID • Language Tag Length | Language Tag (Variable) • Payload (Variable) Canon - SLP 61
  • 60. Hacking printers at Pwn2Own • Canon only implemented service request and attribute request • SLP Packet Structure (columns: Bit 0 - 7 | Bit 8 - 15 | Bit 16 - 23 | Bit 24 - 31) • Version | Function-Id | Length • Length, contd. | O F R | Reserved | Next Ext Offset • Next Ext Offset, contd. | XID • Language Tag Length | Language Tag (Variable) • Payload (Variable) • Function Code | Message Type • 1 | Service Request • 6 | Attribute Request Canon - SLP 62
  • 61. Hacking printers at Pwn2Own • Attribute Request (AttrRqst) • Allow a User Agent to discover attributes of given service (by supplying its URL) or for entire device type Canon - SLP 63 https://www.ietf.org/rfc/rfc2608.txt
  • 62. Hacking printers at Pwn2Own • Attribute Request (AttrRqst) (columns: Bit 0 - 7 | Bit 8 - 15 | Bit 16 - 23 | Bit 24 - 31) • Version | Function-Id | Length • Length, contd. | O F R | Reserved | Next Ext Offset • Next Ext Offset, contd. | XID • Language Tag Length | Language Tag (Variable) • Payload (Variable): … | … • Length of <scope-list> | <scope-list> string (Variable) • … | … • Length of URL | URL (Variable) Canon - SLP 64 https://www.ietf.org/rfc/rfc2608.txt
  • 63. Hacking printers at Pwn2Own • There is a vulnerability when Canon is parsing the body of AttrRqst • It will convert escape character to character • \41 → A Canon - Vulnerability 65
  • 64. Hacking printers at Pwn2Own • There is a vulnerability when Canon is parsing the body of AttrRqst Canon - Vulnerability 66
  • 65. Hacking printers at Pwn2Own • There is a stack overflow when Canon is parsing the body of AttrRqst Canon - Vulnerability 67
  • 66. Hacking printers at Pwn2Own • There is a stack overflow when Canon is parsing the body of AttrRqst • Although there is validation in the normal case Canon - Vulnerability 68
  • 67. Hacking printers at Pwn2Own • There is a stack overflow when Canon is parsing the body of AttrRqst • No validation in the escaping case Canon - Vulnerability 69
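The bug class on slides 63 to 67 (a length check on the plain-byte path that the escape-decoding path skips) is avoided by routing both paths through a single capacity check. The decoder below is an added example, not code from the talk or from Canon firmware; the function names are hypothetical and the escape syntax (backslash plus two hex digits) is the one defined in RFC 2608.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical helper names; not taken from Canon firmware. */
static int hex_val(uint8_t c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/*
 * Decode an SLP string field (RFC 2608 escapes: '\' + two hex digits)
 * from in[0..in_len) into out[0..out_cap), NUL-terminated.
 * Returns the decoded length, or -1 on malformed or oversized input.
 * The capacity check sits in one place that both the plain-byte path
 * and the escape path pass through, so neither can skip it.
 */
int slp_unescape(const uint8_t *in, size_t in_len, char *out, size_t out_cap) {
    size_t i = 0, o = 0;
    if (out_cap == 0) return -1;
    while (i < in_len) {
        uint8_t c = in[i++];
        if (c == '\\') {
            if (in_len - i < 2) return -1;          /* truncated escape */
            int hi = hex_val(in[i]), lo = hex_val(in[i + 1]);
            if (hi < 0 || lo < 0) return -1;        /* not hex digits */
            c = (uint8_t)((hi << 4) | lo);
            i += 2;
        }
        if (o + 1 >= out_cap) return -1;            /* keep room for NUL */
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return (int)o;
}
```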
  • 68. Hacking printers at Pwn2Own • Protection • No Stack Guard • No DEP • No ASLR Canon - Exploitation 70 image: Flaticon.com
  • 70. We just need to find a buffer to store our shellcode and return to it 72
  • 71. Hacking printers at Pwn2Own • BJNP • A service discovery protocol designed by Canon • Exploited by Synacktiv • It will store session data on the global buffer Canon - Exploitation 73
  • 72. Hacking printers at Pwn2Own • Exploit Step Canon - Exploitation 74
  • 73. Hacking printers at Pwn2Own • Exploit Step • Use BJNP to store our shellcode on a global buffer Canon - Exploitation 75
  • 74. Hacking printers at Pwn2Own • Exploit Step • Use BJNP to store our shellcode on a global buffer • Trigger stack overflow in SLP and overwrite return address Canon - Exploitation 76
  • 75. Hacking printers at Pwn2Own • Exploit Step • Use BJNP to store our shellcode on a global buffer • Trigger stack overflow in SLP and overwrite return address • Return to the global buffer Canon - Exploitation 77
  • 76. Hacking printers at Pwn2Own • Require you to prove that you have pwned the target • For the printer, we chose to print the "DEVCORE logo" on the LCD screen at first Pwn2Own Austin 2021 78
  • 77. But we spent a lot of time looking for it … 79
  • 78. Hacking printers at Pwn2Own • Require you to prove that you have pwned the target • For the printer, we chose to print the "DEVCORE logo" on the LCD screen • In the end, due to time constraints, we only chose to print the message on the screen Pwn2Own Austin 2021 80
  • 79. Hacking printers at Pwn2Own Pwn2Own Austin 2021 84 http://youtu.be/vQbQImZ3XRw?t=18405
  • 80. Hacking printers at Pwn2Own • Debugger ? • If we want to debug it, we need to have a debug console • Need to tear down the printer • Use an old exploit to install a customized debugger • Need to downgrade the printer Canon - Exploitation 85
  • 81. Hacking printers at Pwn2Own • But we were too lazy, so we just used sleep debugging to debug it :) Canon - Exploitation 86 [Diagram: ROP/shellcode, Do something, Sleep, Reboot]
  • 83. Hacking printers at Pwn2Own • LLMNR is very similar to mDNS. It provides base name resolution on the same local link Link-Local Multicast Name Resolution 88
  • 84. Hacking printers at Pwn2Own • LLMNR protocol HP - LLMNR 89 [Diagram: Clients A, B, C and D; the query "Address of Client C ?" is sent by multicast to 224.0.0.252 and reaches the other clients]
  • 85. Hacking printers at Pwn2Own • LLMNR protocol HP - LLMNR 90 [Diagram: Clients A, B, C and D; LLMNR Response from Client C]
  • 86. Hacking printers at Pwn2Own • LLMNR Header (Based on DNS header format) HP - LLMNR 91
      Columns: Bit 0 - 7 | Bit 8 - 15 | Bit 16 - 23 | Bit 24 - 31
      ID | Flags
      QDCOUNT | ANCOUNT
      NSCOUNT | ARCOUNT
      Queries (Variable)
  • 87. Hacking printers at Pwn2Own • LLMNR queries use the same format as DNS queries HP - LLMNR 92
      Header: ID, Flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT, followed by Queries (Variable)
      Example query: 0x3 www 0x6 google 0x3 com 0 | Type | Class | … | 0xc0 0xd
  • 88. Hacking printers at Pwn2Own • There is a stack overflow when LLMNR is parsing the queries HP - Vulnerability 93
  • 89. Hacking printers at Pwn2Own • There is a stack overflow when LLMNR is parsing the queries HP - Vulnerability 94 Fixed size buffer on stack
  • 90. Hacking printers at Pwn2Own • There is a stack overflow when LLMNR is parsing the queries HP - Vulnerability 95 Without any length verification
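Slides 88 to 90 describe query names copied into a fixed-size stack buffer with no length verification. The decoder below is an added example showing the checks such a parser needs (packet bounds, label length, output capacity, and a cap on compression-pointer jumps); it is not HP's code, and the function name and the hop limit are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

#define MAX_LABEL 63     /* RFC 1035 label limit */
#define MAX_HOPS  8      /* assumed cap on compression-pointer jumps */

/*
 * Decode the DNS-format name at pkt[off] into out as "www.google.com".
 * Returns the dotted length, or -1 if any length byte, pointer or the
 * output capacity would be exceeded. Hypothetical name, not HP's code.
 */
int dns_name_decode(const uint8_t *pkt, size_t pkt_len, size_t off,
                    char *out, size_t out_cap) {
    size_t o = 0;
    int hops = 0;
    if (out_cap == 0) return -1;
    for (;;) {
        if (off >= pkt_len) return -1;
        uint8_t len = pkt[off++];
        if (len == 0) break;                          /* root label: done */
        if ((len & 0xC0) == 0xC0) {                   /* compression pointer */
            if (off >= pkt_len || ++hops > MAX_HOPS) return -1;
            off = ((size_t)(len & 0x3F) << 8) | pkt[off];
            continue;
        }
        if (len > MAX_LABEL) return -1;               /* 0x40/0x80 are reserved */
        if (len > pkt_len - off) return -1;           /* label runs past packet */
        /* space needed: optional '.', the label bytes, and the final NUL */
        size_t need = len + (o ? 1u : 0u);
        if (need >= out_cap - o) return -1;
        if (o) out[o++] = '.';
        for (uint8_t k = 0; k < len; k++) out[o++] = (char)pkt[off++];
    }
    out[o] = '\0';
    return (int)o;
}
```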
  • 91. We tried to exploit it in a similar way to Canon, but … 96
  • 92. Hacking printers at Pwn2Own • Protection • No Stack Guard • XN (DEP) • Memory Protection Unit (MPU) • No ASLR HP - Exploitation 97 image: Flaticon.com
  • 93. Hacking printers at Pwn2Own • Some limits in this vulnerability • We can only overflow about 0x100 bytes • Null terminated • XN(DEP) and MPU • Preventing us from executing shellcode HP - Exploitation 98 image: Flaticon.com
  • 94. Hacker not Friendly ? image: Flaticon.com Can be bypassed ? How to implement it ? 99
  • 95. Hacking printers at Pwn2Own • Let's delve into HP RTOS HP - Exploitation 100
  • 96. Hacking printers at Pwn2Own • Let's delve into HP RTOS • Linked with application code into a single image HP - Exploitation 101
  • 97. Hacking printers at Pwn2Own • Let's delve into HP RTOS • Linked with application code into a single image • Many tasks run • in the same virtual address space • in kernel-mode HP - Exploitation 102
  • 99. Hacking printers at Pwn2Own • MMU in HP M283fdw • Use one-level page table translation • Translation table entry for translating a 1MB section • Translation table is located at 0x4003c000 HP - Exploitation 104
  • 100. Hacking printers at Pwn2Own HP - MMU 105 [Diagram: Virtual Address bits 31-20 are the index into the first level table and the remaining bits are the page index; TTBR points to the Translation Table, whose Translation Table Entry selects the section in Physical Memory]
  • 101. Hacking printers at Pwn2Own HP - MMU 106 [Same diagram, with the Translation Table Entry layout from bit 31 down to bit 0: Section Address (bits 31-20) | 0 | 0 | nG | S | APX | TEX | AP | P | Domain | XN | C | B | 1 | 0]
  • 102. Hacking printers at Pwn2Own • MMU in HP M283fdw • Translation table is on known address • We can bypass XN through modifying translation table entry ! HP - Exploitation 107
  • 103. Hacking printers at Pwn2Own • MMU in HP M283fdw • Translation table is on known address • We can bypass XN through modifying translation table entry ! • But it's protected by Memory Protection Unit(MPU) HP - Exploitation 108
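Because XN lives in the translation table entry itself, a firmware reviewer can check a dumped first-level table for 1MB sections that are writable and executable at the same time. The audit below is an added example, not code from the talk or from HP; it assumes the ARM short-descriptor section layout shown on slide 101, and the function name and dump format are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* Short-descriptor section entry fields, following the layout on the
 * slide (bit positions as defined for ARM short-descriptor sections). */
#define DESC_IS_SECTION(d) ((((d) & 0x3u) == 0x2u) && !((d) & (1u << 18)))
#define DESC_XN(d)         (((d) >> 4) & 1u)
#define DESC_AP(d)         (((d) >> 10) & 3u)
#define DESC_APX(d)        (((d) >> 15) & 1u)

/* Writable at some privilege level: APX == 0 and AP != 0. */
static int section_writable(uint32_t d) {
    return !DESC_APX(d) && DESC_AP(d) != 0;
}

/*
 * Walk a dumped first-level table and record the virtual base of every
 * 1MB section that is both writable and executable (XN clear).
 * Returns the number of such sections; at most max_hits are stored.
 * Function name and dump format are assumptions for this example.
 */
size_t audit_wx_sections(const uint32_t *table, size_t entries,
                         uint32_t *hits, size_t max_hits) {
    size_t n = 0;
    for (size_t i = 0; i < entries; i++) {
        uint32_t d = table[i];
        if (!DESC_IS_SECTION(d)) continue;   /* fault, page table, supersection */
        if (section_writable(d) && !DESC_XN(d)) {
            if (n < max_hits) hits[n] = (uint32_t)i << 20;  /* VA of section */
            n++;
        }
    }
    return n;
}
```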
  • 105. Hacking printers at Pwn2Own • Memory Protection Unit • The MPU enables you to partition memory into regions and set individual protection attributes for each region • Enabled at boot HP - Exploitation 110 [Diagram: Physical Memory split into Region 0 (Page Table, Code): Read only; Region 1 (Data): RW; Region …]
  • 106. Hacking printers at Pwn2Own • Memory Protection Unit HP - Exploitation 111 [Diagram: same regions, with "Write access" marked]
  • 107. Hacking printers at Pwn2Own • Memory Protection Unit • The MPU is configured by a series of memory-mapped registers in the System Control Space • MPU_CTRL 0xE0400304 HP - Exploitation 112 [Diagram: MPU registers: MPU_TYPE, MPU_CTRL, MPU_RNR, …]
  • 108. We can easily use ROP to overwrite it with 0 to disable MPU 113
  • 109. Hacking printers at Pwn2Own • After we disable MPU and overwrite translation table entry • We can modify any code page • Modify the code of LPD(Line Printer Daemon) in order to read our payload to specific address • Convert LPD to Debug Console HP - Exploitation 114
  • 110. Hacking printers at Pwn2Own • After we disable MPU and overwrite translation table entry • We must invalidate • Translation Lookaside Buffer • D-cache and I-cache HP - Exploitation 115
  • 111. Hacking printers at Pwn2Own • Exploit Step • Trigger stack overflow in LLMNR and overwrite return address HP - Exploitation 116
  • 112. Hacking printers at Pwn2Own • Exploit Step • Trigger stack overflow in LLMNR and overwrite return address • ROP to disable MPU HP - Exploitation 117
  • 113. Hacking printers at Pwn2Own • Exploit Step • Trigger stack overflow in LLMNR and overwrite return address • ROP to disable MPU • ROP to modify translation table entry HP - Exploitation 118
  • 114. Hacking printers at Pwn2Own • Exploit Step • Trigger stack overflow in LLMNR and overwrite return address • ROP to disable MPU • ROP to modify translation table entry • Flush TLB HP - Exploitation 119
  • 115. Hacking printers at Pwn2Own • Exploit Step • Trigger stack overflow in LLMNR and overwrite return address • ROP to disable MPU • ROP to modify translation table entry • Flush TLB • ROP to invalidate I-cache and D-cache HP - Exploitation 120
  • 116. Hacking printers at Pwn2Own • Exploit Step • Trigger stack overflow in LLMNR and overwrite return address • ROP to disable MPU • ROP to modify translation table entry • Flush TLB • ROP to invalidate I-cache and D-cache • ROP to modify code of LPD HP - Exploitation 121
  • 117. Hacking printers at Pwn2Own • Exploit Step • Trigger stack overflow in LLMNR and overwrite return address • ROP to disable MPU • ROP to modify translation table entry • Flush TLB • ROP to invalidate I-cache and D-cache • ROP to modify code of LPD • Use modified LPD to read our shellcode and jump to shellcode HP - Exploitation 122
  • 118. Hacking printers at Pwn2Own • Require you to prove that you have pwned the target • Originally, we just wanted to print the message on the LCD screen Pwn2Own Austin 2021 123
  • 119. Hacking printers at Pwn2Own • Require you to prove that you have pwned the target • Originally, we just wanted to print the message on the LCD screen • But luckily, we later saw that something a little bit like the DEVCORE logo can be printed • Just modify the string and trigger printer test Pwn2Own Austin 2021 124
  • 120. 125
  • 121. Hacking printers at Pwn2Own Pwn2Own Austin 2021 126
  • 122. Hacking printers at Pwn2Own • Debug Console Pwn2Own Austin 2021 127
  • 123. Hacking printers at Pwn2Own • Result Pwn2Own Austin 2021 128
  • 124. Hacking printers at Pwn2Own • After we have code execution • We can • Steal Credential • Lateral movement • Hard to detect • … Exploitation 129
  • 125. Agenda • Introduction • Analysis • Attack Surface • Hacking printers at Pwn2Own • Mitigation • Conclusion 130
  • 126. Mitigation • Update • Canon and HP printers have been patched, please update to the latest version 131
  • 127. Mitigation • Update • Canon and HP printers have been patched, please update to the latest version • Disable unused services • The attack surface of a printer is huge • Many services are open by default 132
  • 128. Mitigation • Update • Canon and HP printers have been patched, please update to the latest version • Disable unused services • The attack surface of a printer is huge • Many services are open by default • Firewall 133
  • 129. Agenda • Introduction • Analysis • Attack Surface • Hacking printers at Pwn2Own • Mitigation • Conclusion 134
  • 130. Conclusion • Discovery and DNS-family services are weak in printers • Printers are still a good target for red teams 135
  • 132. Thank you for listening @scwuaptx 137