Its been almost a year since this firmware process hack was first discussed at CarolinaCon by percX. PercX has finally finished up his tutorial/white paper on the subject. In this paper he discusses the hack in-depth. Covering the step by step process around how to gain root level access to high end Xerox MFP devices, how the firmware signing process works, and how to protect yourself from this attack.  The paper can be downloaded by clicking here.


I got a very interesting note from Ryan Reynolds and Jonathan Claudius, who will be presenting at BlackHat and Defcon 20 in a few weeks. They discovered that, in certain circumstances, the hashes returned by tools like fgdump3 (which is a very limited “ask-and-you-shall-receive” research version I unveiled at ToorCon 2011) as well as HashDump are wrong. They have a proposed patch to HashDump, and I will be incorporating it into the fgdump3 branch as well.



So does this affect fgdump2/2.1?

No – this only affects versions pulling their values right from the registry (which version 3 is doing).


Where is fgdump3 anyway?

I unofficially/quietly released version 3 at ToorCon last year. However, speed issues continued to plague me (changing permissions on the keys is SLOW), and I started looking for a new solution. Right now, the NEW fgdump3 is about 80% done, and combines the old injection method, the registry method, and a new “super s3kr1t” method that looks to work well, and quickly I might add. I have yet to finish the new version (about 80% complete), but I’m going to see if I can pound this out before DC 20 in time for their presentation. It will be ultra-beta, but something to play with.


How can I get a copy to play with?

I can send you the old fgdump3 if you want to play with the registry method – email me at if you like. It’s unsupported and may cause nausea, but feel free to give it a shot. :)



Medusa 2.1 is now available for public download.

What is Medusa? Medusa is a speedy, massively parallel, modular, login brute-forcer for network services created by the geeks at It currently has modules for the following services: AFP, CVS, FTP, HTTP, IMAP, MS-SQL, MySQL, NCP (NetWare), NNTP, PcAnywhere, POP3, PostgreSQL, rexec, rlogin, rsh, SMB, SMTP (AUTH/VRFY), SNMP, SSHv2, SVN, Telnet, VmAuthd, VNC. It also includes a basic web form module and a generic wrapper module for external scripts.

While Medusa was designed to serve the same purpose as THC-Hydra, there are several significant differences. For a brief comparison, see:

This release does not introduce any major changes to the core of the application, however, it does include two years worth of bug-fixes throughout the code base and numerous incremental improvements.




PercX will be presenting more printer hacking at the Oslo, Norway security conference  HackCon  on March 28th  “From Printer to Pwnd – Leveraging Multifunction Printers During Penetration Testing”. During his presentation he will also be discussing a new ‘simple’ attack against printer firmware update process on high end business MFP devices to gain root level access. This will also coincide with an updated release of PRAEDA that will contain updates to the dispatcher, allowing NMAP .gnmap as target input.