Comment Re:How exactly does this work? (Score 1) 77

L(should have)GT: https://research.checkpoint.com/sending-fax-back-to-the-dark-ages/

I attended this talk yesterday, and it was by far the best talk I attended at defcon26. The researchers did some amazing work to get this exploit. You can get the full tale of hackery at the link above, but here's my (probably/mostly correct) summary:

  • At some point, the fax standard was amended to include support for JPGs, in order to allow full-color faxes
  • As the researchers wrote in the above-linked blog article, "For some unknown reason, firmware developers tend to re-implement modules that are already implemented in major popular open sources. This means that instead of using libjpeg [ref.13], the developers implemented their own JPEG parser."
  • When the All-in-One device receives a JPG fax, it stores the whole JPG file in local storage (on disk, essentially). This differs from how it processes TIFF files, where the headers and image data are separated. Because the whole JPG file is stored as a normal file, it gives the attacker a platform from which to operate.
  • The firmware-developer-implemented JPG parser has a number of bugs, including buffer overflow vulnerabilities in the COM (CVE-2018-5925) and DHT (CVE-2018-5924) markers. It turned out the bug in the DHT marker parser was the easier one to exploit.
  • Exploiting the DHT marker parser buffer overflow gets them arbitrary code execution. The code they want to execute is stored in the remainder of the JPG file. Because the OS on these All-in-One devices has no security controls and everything runs with highest privileges, they were able to use this ability to overwrite the LCD screen (to visually prove pwnage) and then to use the Eternal Blue and Double Pulsar exploits (which they managed to squeeze into the ~4000 byte payload they had available in the JPG file) to start attacking other hosts on the network. Since these All-in-One devices tend to be connected to the office network (else, it's hard to print on them), this presents an excellent jumping-off point for attacks.

All in all (all-in-one?) this was some amazing research and the full article is well worth a read.
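The DHT overflow summarised above is the classic shape of this bug: a parser trusts the 16 per-length code counts inside the marker segment and copies that many symbol bytes into a fixed-size table. As an added example (my own, not the researchers' code or the printer firmware), here is a bounds-checked DHT segment parser in C; the table struct and the two constructed sample segments are assumptions of this example, and the 256-symbol limit comes from the JPEG standard.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define DHT_MAX_SYMBOLS 256  /* ITU T.81 B.2.4.2: at most 256 codes per Huffman table */
#define DHT_MAX_TABLES  8    /* 4 DC + 4 AC tables */
struct huff_table {
    uint8_t  class_id;                 /* high nibble 0=DC/1=AC, low nibble table id 0..3 */
    uint8_t  counts[16];               /* number of codes of each length 1..16 */
    uint8_t  symbols[DHT_MAX_SYMBOLS]; /* fixed-size: the target a naive parser overruns */
    uint16_t nsymbols;
};
/* Parse one DHT segment starting at its 0xFF 0xC4 marker, with `remaining` bytes
 * left in the file. Returns tables decoded, or -1 on malformed input. */
int parse_dht(const uint8_t *buf, size_t remaining, struct huff_table *tables)
{
    if (remaining < 4 || buf[0] != 0xFF || buf[1] != 0xC4)
        return -1;
    size_t seg_len = ((size_t)buf[2] << 8) | buf[3];  /* includes its own 2 bytes */
    if (seg_len < 2 || seg_len > remaining - 2)         /* segment must fit in the file */
        return -1;
    const uint8_t *p = buf + 4, *end = buf + 2 + seg_len;
    int n = 0;
    while (p < end) {
        if (n == DHT_MAX_TABLES || (size_t)(end - p) < 17)  /* class/id + 16 counts */
            return -1;
        struct huff_table *t = &tables[n];
        t->class_id = *p++;
        if ((t->class_id >> 4) > 1 || (t->class_id & 0x0F) > 3)
            return -1;
        size_t total = 0;
        for (int i = 0; i < 16; i++)
            total += (t->counts[i] = p[i]);
        p += 16;
        /* The check a naive parser omits: 16 count bytes of 0xFF claim 4080 symbols
         * against a 256-byte table; the symbols must also lie inside the segment. */
        if (total > DHT_MAX_SYMBOLS || total > (size_t)(end - p))
            return -1;
        memcpy(t->symbols, p, total);
        t->nsymbols = (uint16_t)total;
        p += total;
        n++;
    }
    return n;
}
/* Constructed inputs: a standard DC luminance table, and a segment whose counts sum to 4080. */
const uint8_t dht_good[] = {0xFF,0xC4,0x00,0x1F,0x00, 0,1,5,1,1,1,1,1,1,0,0,0,0,0,0,0,
                            0,1,2,3,4,5,6,7,8,9,10,11};
const uint8_t dht_bad[]  = {0xFF,0xC4,0x00,0x13,0x00, 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
                            0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF};
```

The same pattern (check the declared length against the bytes actually available, and the derived copy size against the destination) applies to the COM marker the researchers also found overflowable.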

Comment Commercially available for some time... (Score 4, Informative) 100

All of the major WiFi equipment vendors (Cisco, Aruba, etc.) have offered this for some time -- though they don't claim anywhere near the MIT Lab's level of accuracy. For instance, Aruba calls their offering "ALE" or Aruba Location Engine. It sits as a separate virtual appliance and communicates with the central WiFi controller (AirWave in their parlance) or with the individual APs if they are operating in autonomous mode. It gets signal strength indications for each WiFi and Bluetooth antenna in range of the APs (note: *not* just those devices that are associated with the WiFi networks served by said APs) and feeds that into ALE. From there, you can map out the devices. Both Cisco's and Aruba's products have very extensive APIs to access this info. Maybe they can enhance their offerings with MIT's new technology and get the location resolution improved a bit. For now, in the wild, it's often difficult to get a station (i.e. device) location down to better than a range of 3-10 meters.
