All posts by percX

On March 14, 2013 I released the white paper “Practical Exploitation Using Malicious SSIDs” at Black Europe in Amsterdam. This paper discuses the concept of leveraging SSIDs to inject various attacks into Wireless devices, and management consoles. The type of injection attacks discussed include XSS, CSRF,  and format strings attacks. A copy of the whitepaper can be downloaded from HERE.

Twitter: @percent_x

Its been almost a year since this firmware process hack was first discussed at CarolinaCon by percX. PercX has finally finished up his tutorial/white paper on the subject. In this paper he discusses the hack in-depth. Covering the step by step process around how to gain root level access to high end Xerox MFP devices, how the firmware signing process works, and how to protect yourself from this attack.  The paper can be downloaded by clicking here.


PercX will be presenting more printer hacking at the Oslo, Norway security conference  HackCon  on March 28th  “From Printer to Pwnd – Leveraging Multifunction Printers During Penetration Testing”. During his presentation he will also be discussing a new ‘simple’ attack against printer firmware update process on high end business MFP devices to gain root level access. This will also coincide with an updated release of PRAEDA that will contain updates to the dispatcher, allowing NMAP .gnmap as target input.

While examining a Lexmark X656de multifunction printer awhile back I was pleased to “NOT” find any of the common information leakage vulns like passwords within the html source that you typically find on these type of devices. Which was a good sign. Although with a little more testing it was quickly found that the export setting feature was a total fail. Once I exported the system setting (settingfile.ucf) using the export function, it revealed the plain test password for the SMTP settings .

For the latest advisory on this click here

At Defcon 19 during my presentation we discussed a new attack method against printers. This attack method involved tricking the printer into passing LDAP or SMB credential back to attacker in plain text. We refer to this attack as a Pass-Back-Attack . So its been awhile, but we wanted to release a short tutorial discussing how this attack is performed. A PDF of the Tutorial can be downloaded from here

PercX will being speaking on printers, and embedded device information gathering attacks. Covering how the information is leveraged to gain access to other core network server systems. Also will be discussing the tool Praeda and its features, functions, and future. So join PercX at BSides Delaware. Registration is available here and schedule information is available here. Follow PercX on twitter at @Percent_X

Wow this one was so simple I still cant stop laughing. This was originally released at Shmoocon on January 29 2011 Thought it was time to follow up with an advisory because most end users still do not know about this vulnerability. The authentication on Toshiba eStudio MFP devices is easily bypassed by adding an extra / in the URL after TopAccess.

http://IP Address/TopAccess//Administrator/Setup/ScanToFile/List.htm

For Latest Advisory click here

Really easy as you can see. Iam looking for assistance to better map out devices with this issue. If you have a Toshiba eStudio please check out the request at to give me a hand.