Hack3rcon is West Virginia’s premier information security conference, bringing together leading information security researchers and practitioners from around the country and around the world. With a focus on methodology and information sharing, Hack3rcon seeks to energize the infosec community and provide an engaging and supportive environment to hone our attendees' skills while fostering a sense of community and social responsibility.
Sunday, October 21 • 10:00am - 10:50am
From Patch to Pwnd


"Exploiting faulty firmware patch services to compromise MFP Devices": An in-depth examination of the patch/upgrade process on Xerox Multifunction devices, for the purpose of exploitation. By taking advantage of faulty patch/upgrade design, we will show how an attacker can gain root-level access privileges on MFP devices. We will start our discussion by examining historical research and the methods used in the past to compromise MFP devices, in relation to our attack method. From there we will discuss the steps I took during my research. This will include the evaluation of patch and firmware packages built using the Xerox Downloadable modules (DLM) format, and an examination of the Xerox patch process, including how patches are obtained and deployed. We will also discuss the structure of DLMs and the extraction of data from them. Leveraging this information, we will demonstrate how an attacker could easily create their own rogue DLMs and deploy them to take over a Xerox MFP device with root-level privileges without needing to authenticate. In conclusion, we will discuss methods that could be used to reduce or mitigate the risk caused by these issues.

Deral Heiland

Deral Heiland, CISSP, serves as a Senior Security Engineer, where he is responsible for security assessments and consulting for corporations and government agencies. In addition, Deral is the founder of the Ohio Information Security Forum, a not-for-profit organization that focuses on information security training and education. Deral is also a member of the foofus.net security team. Deral has presented at...

Sunday October 21, 2012 10:00am - 10:50am
Main Stage 600 Kanawha Boulevard East, Charleston, WV, United States
