Bambuzle is PoC Linux malware designed to allow an attacker remote access to a target's Bambu Lab 3D printer.
πŸ–¨οΈ Bambuzle πŸ΄β€β˜ οΈ

Bambuzle is PoC malware (written in Bash) targeting Linux machines running the Bambu Lab Studio slicer software to control Bambu Lab 3D printers. When executed, the payload exfiltrates the target's Bambu Studio slicer software (BSSS) configuration files and drops them to an attacker-controlled Discord webhook. Once the files have been exfiltrated, the attacker can import the target machine (TM) files into the attack machine (AM) environment. After they are imported, when BSSS is run on the AM it loads the TM user profile WITH authentication and gives the attacker full remote access to the target's 3D printer (assuming the target was a cloud services user).

The attacker can then (not all encompassing):

  1. Send print commands
  2. Access the IP camera/view live footage of the target's environment
  3. View private data within the BSSS used by the target's account (explained below)
  4. Control settings such as increasing the temperature of the heat bed and hot end

Access to the target's 3D printer is not required, the payload only utilizes the TM (the Linux computer running the BSSS used for controlling the printer) as the attack vector.

⚠️ Bambuzle is PoC and is NOT to be used in any illegal or unethical manner ⚠️


🧪 Test Environment

Operating Systems:

  1. Pop!_OS 22.04
  2. Ubuntu 22.04.5

Bambu Studio Slicer Software

  1. Bambu_Studio_ubuntu-22.04_PR-8583.AppImage

Hardware

  1. Bambu Lab A1 Printer with AMS

πŸ“ Understanding The Bambu Studio Slicer File System And Vulnerability

On Linux file systems Bambu Studio slicer software (BSSS) has two locations for storing the targeted configuration directories/files:

  1. /home/$USER/.config/BambuStudio
  2. /home/$USER/.local/share/bambu-studio

BambuStudio

The BambuStudio directory in particular holds a large amount of configuration files for the BSSS. Importantly, the /home/$USER/.config/BambuStudio/BambuStudio.conf file holds "access code" parameters in plain text at the top-most and bottom-most sections of the file:

{
    "access_code": {
        "04327A828845022": "94731588"

For cloud access, cloning this code by itself is not enough to grant remote access. However, if the target printer is in LAN only mode, this code (94731588) is the user access code generated by the printer itself and entered into the BSSS when connecting to the printer. An attacker on the LAN can enter this code when prompted by BSSS while connecting to the printer and successfully gain access to, and control of, the printer. Additionally, this code can be used to access the sftp server run on port 990 in LAN only mode with the credentials bblp:94731588. This gives the attacker access to the root file system of the sftp server.

bambu-studio

The bambu-studio directory holds additional configuration files.

Remote Cloud Access

For an attacker to gain remote access to the printer, both /home/$USER/.config/BambuStudio and /home/$USER/.local/share/bambu-studio directories must be copied and then imported into the attacker's environment. In other words, if an attacker can copy these directories from the TM and then replace the directories on the AM with them, the target's BSSS account will be imported/authenticated allowing the attacker complete control over their printer.
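For the owner of the TM, the practical question is which printers have a plaintext access code sitting in BambuStudio.conf and whether other local accounts can read it. The following audit script is an added example, not code from the Bambuzle repository or from Bambu Lab; it assumes the JSON layout quoted above and never prints the codes themselves.

```bash
#!/usr/bin/env bash
# Added audit helper (not part of Bambuzle): inspects a BambuStudio.conf on
# the defender's own machine. It reports which printer serials have a stored
# plaintext LAN access code (codes are not printed) and whether the file is
# readable by other local users. The file layout is assumed to match the
# "access_code": { "<serial>": "<code>" } object shown in the README.

# list_stored_code_serials: $1 = path to BambuStudio.conf.
# Walks the "access_code": { ... } object and prints one serial per line.
list_stored_code_serials() {
  awk '
    /"access_code"[[:space:]]*:/ { inblock = 1; next }
    inblock && /^[[:space:]]*}/   { inblock = 0 }
    inblock && match($0, /"[^"]+"[[:space:]]*:[[:space:]]*"[^"]*"/) {
      s = substr($0, RSTART + 1); sub(/".*/, "", s); print s
    }' "$1"
}

# conf_readable_by_others: $1 = path; exit 0 when the group or "other" read
# bit is set, i.e. another local account could lift the codes without root.
conf_readable_by_others() {
  [ -n "$(find "$1" -maxdepth 0 \( -perm -040 -o -perm -004 \) -print)" ]
}

# audit_conf: $1 = path; prints a one-line verdict for the file.
audit_conf() {
  local n
  n=$(list_stored_code_serials "$1" | wc -l | tr -d ' ')
  if conf_readable_by_others "$1"; then
    echo "$1: $n stored LAN access code(s); readable by other users (chmod 600 recommended)"
  else
    echo "$1: $n stored LAN access code(s); file is private to the owner"
  fi
}

# Typical use on a live machine (constructed call, adjust the path as needed):
# audit_conf "$HOME/.config/BambuStudio/BambuStudio.conf"
```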

Target Private Data Access


Once an attacker has successfully imported the TM BSSS profile into the AM environment, they have access to additional private data within the BSSS. The following data points are some examples of what can be found (not all encompassing):

  1. Account private email
  2. Gender
  3. Region
  4. Display Name
  5. Username
  6. Account preference settings
  7. Notifications
  8. Support tickets
  9. "My Orders"
  10. IP Reports
  11. Browsing History
  12. Downloads

🔄 General Workflow

A general workflow is as follows (a detailed explanation of the payload logic is provided below):

  1. Bambuzle malware is executed on the TM
  2. BambuStudio and bambu-studio directories are exfiltrated
  3. The attacker installs the BSSS on the AM
  4. Once installed, the attacker closes BSSS and deletes the BambuStudio and bambu-studio directories, replacing them with the exfiltrated directories from the TM
  5. The attacker then re-launches the BSSS and has become an authenticated user and has total remote control over the target's 3D printer

💉 Methods of Malware Delivery

Bambuzle does not exploit a machine vulnerability to execute code. As such, the following are the preferred methods for payload delivery/execution:

  1. Social Engineering the target to execute the payload on the TM
  2. Hot plug attacks against the TM via Hak5 USB Rubber Ducky

The Scripts & Payloads directory holds all code relevant for machine compromise. Each script uses the same payload (Bambuzle.sh) code at its core, but varies the delivery method depending on the use case (explained below). The reconfig.sh file is used to correctly configure the exfiltrated files on the AM so that the BSSS environment allows profile importation/authentication.


🏴‍☠️ Scripts/Payloads

📝 Scripts/Payload Explanation & Workflow

The Bambuzle.sh payload is the core code used in Bambuzle.

Configuration

Defining the attacker's Discord webhook variable is all that is required for payload functionality (line 5 Webhook="https://discord.com/api/webhooks/INSERT_WEBHOOK_HERE").

The script is now ready to execute after granting execution permissions.

Bambuzle Execution Workflow

Once executed, Bambuzle will check whether the following conditions are present:

  1. Internet connectivity - checked by sending a ping to discord.com
  2. Searches the home directory to confirm the /home/$USER/.config/BambuStudio directory is present
  3. Searches the home directory to confirm the /home/$USER/.local/share/bambu-studio directory is present

If the above conditions are met, Bambuzle will:

  1. Tarball the BambuStudio and bambu-studio directories
  2. Exfiltrate them to Discord
  3. Remove the tarball locally post exfil (to obfuscate)
  4. Remove the cronjob entry if present (to obfuscate; explained in the else section)
  5. Self-destruct the payload (to obfuscate)

elif (if initial conditions are not met):

  1. Checks to see if .Bambuzle.sh is present and hidden in home directory (explained in else section)
  2. If present, exits (payload continues to lay dormant to be re-ran at boot)

else (if elif conditions are not met):

  1. Bambuzle.sh is moved to the target's home directory and renamed ".Bambuzle.sh" (prepended with . to hide the file)
  2. Added to execute as a cronjob 60 seconds after machine boot

Summary

Bambuzle.sh creates a payload logic where if the targeted files OR internet connectivity are not present, the payload hides itself and adds itself as a scheduled task to be executed by crontab. With this logic, the payload will exfiltrate (silently in the background) successfully when the files AND internet connectivity are present. If not, the payload will continue to hide and lay dormant only to be executed again on boot. When the conditions are finally met, the files are exfiled, the payload self-destructs, and the crontab listing is removed to obfuscate that machine compromise occurred.

The Bambuzle_Binary.sh payload executes the same core code found in Bambuzle.sh, but was designed to be compiled as a binary executable with an outer Bash wrapper (explained below). This was done to obfuscate code as well as increase the probability of success in social engineering attacks.

Configuration

The following is required for proper configuration:

  1. Defining the attacker's Discord webhook variable (line 9 Webhook="https://discord.com/api/webhooks/INSERT_WEBHOOK_HERE")
  2. Compile the payload using a tool such as shc (shc is legacy and will cause the payload to not execute in environments other than the one it was compiled in), bunster, or some other tool for compiling Bash scripts. It is suggested to name the compiled binary (filename.extension) Bambu_Studio_ubuntu-22.04_PR-85883.AppImage to increase the chances of success with social engineering (explained in the summary).

The script is now ready to execute after granting execution permissions.

Bambuzle_Binary.sh Execution Workflow

Bambuzle_Binary.sh (now compiled as: Bambu_Studio_ubuntu-22.04_PR-85883.AppImage) contains an outer Bash wrapper that performs the following actions during execution:

  1. Builds the Bambuzle.sh payload:

# Using wrapper to create persistent inner script/payload:
cat << 'EOF_P_P' > /home/$USER/.TempBambuzle.sh
#!/bin/bash
#Bambuzle

(this is the core payload that executes the actions explained in the Bambuzle.sh section)

  2. Grants execution permissions to the Bambuzle.sh payload once built
  3. Executes the payload
  4. Downloads the official BSSS from the Bambu Lab GitHub and "swaps" it with the initial Bambuzle.sh binary payload (Bambu_Studio_ubuntu-22.04_PR-85883.AppImage)
  5. Grants execution permissions
  6. Executes the official BSSS
  7. Self-destructs the Bambuzle binary payload (to obfuscate)

Summary

The Bambuzle_Binary was created to appear and execute like the official BSSS Bambu_Studio_ubuntu-22.04_PR-8583.AppImage. By formatting the Bambuzle_Binary filename.extension as Bambu_Studio_ubuntu-22.04_PR-85883.AppImage (an extra 8 is added to the end of the release number), it appears to the target that they are executing the official BSSS. Because the code is compiled, the target cannot inspect and identify the malicious code inside the binary. Once executed, the Bash wrapper does the heavy lifting of building and executing the Bambuzle.sh payload silently. Once Bambuzle.sh is built and executed, the official BSSS is downloaded via the Bash wrapper, but its filename is prepended with . to hide the download in progress. This was done intentionally because a partially downloaded file populates a desktop shortcut before the download has completed, which would leave two Bambu_Studio_ubuntu-22.04_PR-85883.AppImage files in the same location (the binary payload and the official BSSS being downloaded) and raise the target's suspicion. Once the official BSSS is downloaded, it is moved to the same location as the binary payload while simultaneously being granted execution permissions and executed, and finally the binary payload self-destructs. The binary payload is thus "swapped" with the official BSSS after it has built and executed its inner Bambuzle.sh payload.

From the target's perspective they have executed the "official" BSSS, as once the binary payload is executed the official BSSS is eventually downloaded and executed. Time from initial binary payload execution to official BSSS runtime is approximately 4-5 seconds.
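The artifacts described in the Bambuzle.sh execution workflow (a hidden dotfile script in the home directory plus an @reboot cron entry) and in the binary wrapper workflow (a compiled script carrying an AppImage filename) are all observable on the TM. The host check below is an added example written from the defender's side, not code from the Bambuzle repository; the exact cron line shape, the artifact names and the "AI\x02" type-2 AppImage marker at byte offset 8 are its assumptions.

```bash
#!/usr/bin/env bash
# Added host check (not part of Bambuzle): looks for the persistence and
# staging artifacts this README describes. Artifact names are taken from the
# text; the cron pattern assumes an @reboot entry that runs a dotfile *.sh
# from /home/<user>, as the README's "60 seconds after boot" cronjob does.
ARTIFACT_NAMES=".Bambuzle.sh .TempBambuzle.sh .Bambuzle.tar.gz"

# find_artifacts: $1 = home directory; prints the path of each artifact present.
find_artifacts() {
  local home="$1" name
  for name in $ARTIFACT_NAMES; do
    [ -e "$home/$name" ] && printf '%s\n' "$home/$name"
  done
  return 0
}

# count_suspicious_cron: reads crontab text on stdin and prints how many
# @reboot entries execute a hidden (dot-prefixed) .sh file under /home.
count_suspicious_cron() {
  grep -Ec '^@reboot[[:space:]].*/home/[^[:space:]/]+/\.[^[:space:]/]+\.sh' || true
}

# has_appimage_magic: $1 = path; exit 0 when bytes 8..10 are "AI\x02", the
# type-2 AppImage marker. A compiled shell script renamed *.AppImage (as the
# wrapper is) normally lacks it, so name/magic mismatch is a lead to inspect.
has_appimage_magic() {
  [ "$(dd if="$1" bs=1 skip=8 count=3 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "414902" ]
}

# scan_home: $1 = home directory, $2 = that user's crontab text.
# Prints findings; returns 0 when nothing suspicious was found, 1 otherwise.
scan_home() {
  local hits=0 f
  for f in $(find_artifacts "$1"); do echo "artifact present: $f"; hits=1; done
  if [ "$(printf '%s\n' "$2" | count_suspicious_cron)" != "0" ]; then
    echo "crontab: @reboot entry runs a hidden script from a home directory"; hits=1
  fi
  for f in "$1"/*.AppImage; do
    [ -f "$f" ] || continue
    has_appimage_magic "$f" || { echo "not a real AppImage: $f"; hits=1; }
  done
  return $hits
}

# Live use (constructed call): scan_home "$HOME" "$(crontab -l 2>/dev/null)"
```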

Bambuzle_DuckyScript_Payload.txt is simply a DuckyScript coded variant of the Bambuzle.sh payload to allow an attacker to inject the payload via hot plug attack (tested with Hak5 USB Rubber Ducky).

Configuration

Defining the attacker's Discord webhook variable is all that is required for payload functionality (line 5 DEFINE #WEBHOOK https://discord.com/api/webhooks/INSERT_WEBHOOK_HERE)

The payload is now ready to be injected.

Bambuzle_DuckyScript_Payload.txt Execution Workflow

The Bambuzle_DuckyScript_Payload.txt payload once injected via hot plug attack will:

  1. Open terminal
  2. UNSET the Bash history to prevent code from being logged in the .bash_history file
  3. Build Bambuzle.sh
  4. Grant execution permissions to payload
  5. Execute payload
  6. Close the terminal window (to obfuscate activity)

Summary

Bambuzle_DuckyScript_Payload.txt is simply a method in which to inject the Bambuzle.sh payload via hot plug attack while maintaining awareness to obfuscate the interaction with the TM terminal.

reconfig.sh is a simple Bash script to manage the importation of the exfiltrated configuration files from the TM to the AM environment for the BSSS. Due to file size limits of Discord webhooks, if an attacker were to exfiltrate both the BambuStudio and bambu-studio directories fully it would exceed the limit, thus no exfiltration. Because of this, the largest directory (plugins) inside of the /home/$USER/.config/BambuStudio directory is excluded from the to-be exfiltrated tarball. The plugin directory is not unique (afaik) for the purposes of cloning the TM profile in order to gain authentication, thus is excluded. The attacker will utilize the plugins directory already present locally in their AM environment when importing the exfiltrated directories (explained next).

Configuration

The attacker's AM environment must be configured in order to prepare for the importation of the exfiled TM BSSS directories:

  1. Download the official Bambu_Studio_ubuntu-22.04_PR-8583.AppImage
  2. Install
  3. Close BSSS
  4. Move exfiltrated tarball .Bambuzle.tar.gz to home directory
  5. Remove the prepended . from the tarball filename (so it is no longer hidden)
  6. Move reconfig.sh to home directory
  7. Grant execution permissions to reconfig.sh
  8. Execute

reconfig.sh Execution Workflow

Once Bambuzle.tar.gz and reconfig.sh are both in the AM home directory and reconfig.sh is executed:

  1. Bambuzle.tar.gz is extracted
  2. The AM /home/$USER/.config/BambuStudio/plugins directory is moved to the home directory for temporary storage
  3. The plugins directory is moved to the exfiltrated /home/$USER/.config/BambuStudio directory
  4. The AM BambuStudio directory is removed and replaced with the exfiltrated BambuStudio directory
  5. The AM bambu-studio directory is removed and replaced with the exfiltrated bambu-studio directory
  6. The original extracted, exfiltrated directory is removed
  7. Bambuzle.tar.gz is left in the AM home folder to allow being backed-up if the attacker chooses to

Once complete the attacker can open the BSSS and have complete authenticated remote access to the target's 3D printer.

Summary

reconfig.sh simplifies the replacing of the AM BSSS environment with the exfiltrated TM environment.
