Lucas Sifoni

35c3 Leipzig notes - What the Fax?


I had the pleasure of going to the 35th edition of the Chaos Communication Congress. Here are some notes on a few of the talks.

What the Fax? - Borg - 20h50 27/12

Speakers: Yaniv Balmas and Eyal Itkin, software devs in the security industry, interested in faxes.

Alexander Bain, 1846: transmission of an image over a copper wire.

All-in-one printers are (still) vulnerable: multiple connectivity solutions, phone lines, and embedded software. Fax as a pivot into the LAN.

Obtaining the firmware

Target: an OfficeJet (40% of the market), the cheapest printer. Firmware extraction à la dark_alex? Main CPU: no specs, no datasheet. Fax modem: CSP1040.

Exposed JTAG and serial debug interfaces: JTAG is disabled. A serial terminal is exposed, but it doesn't understand anything.

Extracting the firmware (update) from HP's public FTP. How do you even upgrade a cheap HP printer's firmware? => You print it (seriously).

The file has a PJL header, so it should be a valid Printer Job Language job. After decompression (with a method specific to plaintext print jobs), they got the firmware.
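As an added illustration (not code from the talk or from this post): a minimal splitter for the PJL wrapper that a print-it-to-upgrade firmware file carries, run on a constructed sample. The UEL prefix and the `@PJL` line syntax are standard PJL; the language name and the payload bytes in the sample are made up, and the real HP update layout is not assumed.

```python
import re

# Universal Exit Language sequence that opens a PJL job (standard PJL).
UEL = b"\x1b%-12345X"


def split_pjl_job(blob: bytes):
    """Return (pjl_commands, payload_offset) for a PJL-wrapped file.

    pjl_commands: decoded @PJL header lines, in order.
    payload_offset: index of the first byte handed to the selected
    language interpreter (here: the would-be firmware image).
    Raises ValueError if the blob does not start with a PJL header.
    """
    if not blob.startswith(UEL):
        raise ValueError("no UEL/PJL prefix")
    pos = len(UEL)
    commands = []
    while True:
        end = blob.find(b"\n", pos)
        if end == -1:
            raise ValueError("unterminated PJL header")
        line = blob[pos:end].rstrip(b"\r")
        if not line.startswith(b"@PJL"):
            break  # first non-PJL line: payload starts here
        commands.append(line.decode("ascii", "replace"))
        pos = end + 1
        if line.upper().startswith(b"@PJL ENTER LANGUAGE"):
            break  # everything after this line belongs to the payload
    return commands, pos


def entered_language(commands):
    """Name given in '@PJL ENTER LANGUAGE = ...', or None."""
    for cmd in commands:
        m = re.match(r"@PJL\s+ENTER\s+LANGUAGE\s*=\s*(\S+)", cmd, re.I)
        if m:
            return m.group(1).upper()
    return None


# Constructed sample: FWUPDATE is a hypothetical language name, and the
# trailing bytes stand in for a firmware image; neither is from HP.
SAMPLE = (
    UEL + b"@PJL\r\n"
    + b"@PJL COMMENT constructed sample, not a real HP update\r\n"
    + b"@PJL ENTER LANGUAGE=FWUPDATE\r\n"
    + b"\x00\x01\x02firmware-bytes..."
)
```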

The firmware code was compressed with a basic algorithm that had already been found in prior art, in the name of Commander Keen.

HP printers contain a whole copy of SpiderMonkey (Firefox's JS implementation) and make calls to a domain that was abandoned (until then). There's a hardware watchdog that prevents debugging by rebooting the printer.

Exploitation of a buffer overflow vulnerability by sending > 2 GB to the printer. It took 7 minutes. Every 2 minutes after the debugger was injected, the printer crashed.
