Description: "Exploiting faulty firmware patch services to compromise MFP Devices". An in-depth examination of the patch/upgrade process on Xerox multifunction devices, for the purpose of exploitation. By taking advantage of faulty patch/upgrade design, we will show how an attacker can gain root-level access privileges on MFP devices. We will start our discussion by examining historical research and the methods used in the past to compromise MFP devices, in relation to our attack method. From there we will discuss the steps I took during my research, including the evaluation of patch and firmware packages built using the Xerox Downloadable Module (DLM) format, and an examination of the Xerox patch process, including how patches are obtained and deployed. We will also discuss the structure of DLMs and the extraction of data from them. Leveraging this information, we will demonstrate how an attacker could easily create their own rogue DLMs and deploy them to take over a Xerox MFP device with root-level privileges without needing to authenticate. In conclusion, we will discuss methods that could be used to reduce or mitigate the risk caused by these issues.
Deral Heiland, CISSP, serves as a Senior Security Engineer, where he is responsible for security assessments and consulting for corporations and government agencies. In addition, Deral is the founder of the Ohio Information Security Forum, a not-for-profit organization.
Original Source: http://www.youtube.com/watch?feature=player_embedded&v=6LC2oofBwI0