Researchers demonstrated the feasibility of taking over a enterprise network and abusing that access to exfiltrate data using just a fax number.
On 12 August, Yaniv Balmas and Eyal Itkin of Check Point's malware research team presented their findings
on fax security at DEF CON 26 in Las Vegas. They wanted to see if it was possible to attack an all-in-one printer by simply sending a maliciously crafted fax using a known fax number.
The researchers began by doing some recon of their target printer. In the process, they discovered CVE 2017-9765
, otherwise known as "Devil’s Ivy.” Exploitation of this gSOAP debugging vulnerability makes it possible for an attacker to assume full control over the target device.
At that point, Balmas and Itkin began searching for attack vectors. Their efforts led them to discover two vulnerabilities in the printer, including a stack-based buffer-overflow flaw which affects a DHT marker used to decode the data frames of a file. The duo eventually decided to exploit that weakness by implementing a basic Turing Machine that reads the fax and responds accordingly.
Balmas and Itkin didn't stop at just compromising the all-in-one printer, however. With the help of other members on Check Point's malware research team, they decided to use their Turing Machine to leverage DoublePulsar and EternalBlue, the same NSA tools exploited by WannaCry ransomware in May 2017
. This modified payload, in turn, allowed the researchers to not only assume full control of the printer but to also attack and compromise a victim computer connected to the same network as the printer.
A video of this exploit is available below.
The pair of researchers told ZDNet that their findings demonstrate how attackers can use fax machines as an infiltration vector into enterprises:
This new vector poses a serious threat to organizations who may well not be aware of how accessible their entire network is, and how all their most sensitive information may be exposed, via a piece of equipment that is still sitting on the shelf collecting dust.
As a result, they urged the security community to look into how modern network architectures handle technologies like fax machines and machines.
Check Point's researchers presented their research in coordination with HP Inc., with whom they worked to develop patches for the newly discovered vulnerabilities.