Re: vulnerabilities of postscript printers

From: Jim Knoble (jmknoble_at_pobox.com)
Date: 01/23/04

    Date: Fri, 23 Jan 2004 13:45:56 -0500
    To: bugtraq@securityfocus.com
    
    
    

    Circa 2004-01-23 16:01:02 +1100 dixit Darren Reed:

    : In some mail from Bob Kryger, sie said:
    : > Suppose a postscript printer has multiple interfaces connected to
    : > different networks, is there a way to leverage PostScript to create a
    : > vulnerability such as:
    : >
    : > 1. Allow an attacker to log in to the printer and then gain access to the
    : > other network?
    : > 2. Create a postscript program to send copies of printouts to one of the
    : > interfaces?
    : > 3. What if one of the interfaces is a JetDirect connected via a parallel
    : > port?
    : >
    : > It has been suggested that PostScript is very powerful and can be used
    : > to accomplish a number of general purpose computing tasks including
    : > copying data from one port to another and examining memory. Since the
    : > parallel interface is bidirectional what is keeping data from being sent
    : > from the printer to the network, breaching security.
    :
    : First, remember that postscript has been designed for rendering images
    : on a page. It has -no- native networking commands nor ability to talk
    : to any peripheral. Most often, the 'general purpose' tasks have been
    : to do things like write a postscript program to calculate pi or things
    : like that. I've never heard of anyone suggesting you could copy data
    : from one port to another, if only because there's no such thing as an
    : open file in postscript.

    False. Have a look at Adobe's 'PostScript Language Reference, Third
    Edition':

        http://partners.adobe.com/asn/developer/PDFS/TN/PLRM.pdf

    Specifically, in section 3.8, 'File Input and Output'. For example:

        3.8.1 Basic File Operators

        A PostScript file object represents a file. The file operators take
        a file object as an operand to read or write characters. Ignoring
        for the moment how a file object comes into existence, the file
        operators include the following:

        * read reads the next character from an input file.
        * write appends a character to an output file.
        * readstring, readline, and writestring transfer the contents of
          strings to and from files.
        * readhexstring and writehexstring read and write binary data
          represented in the file by hexadecimal notation.
        * token scans characters from an input file according to the
          PostScript language syntax rules.
        * exec, applied to an input file, causes the PostScript
          interpreter to execute a PostScript program from that file.

    [formatting errors mine]. Keep on reading the PDF for instructions on
    how to create a file object....

    PostScript Level 3 is a powerful and rather generalized stack-based
    language. Think ghostscript <http://www.ghostscript.com/> embedded into
    a printer, some of which (notably CJKV-language printers with rather
    large fontsets) even come complete with hard disk drives. Recall that
    the ghostscript interpreter comes with command-line arguments you can
    use to make the interpreter "safer"; how much safer is left to those who
    prefer to inspect the code.

      [...]

    : All that's not to say that a postscript engine is ever perfect...I'm
    : sure everyone who's had a postscript printer can tell of print jobs
    : that have "crashed the printer".

    Many of the "crash the printer" jobs actually overflow the PostScript
    stack.

    : Maybe you can buffer overflow one, but what OS are they running in
    : there? It's not likely to be anything you'll have libraries for and
    : maybe not even a CPU you're familiar with.

    Doesn't matter. If the interpreter isn't properly locked down, all bets
    are off.

    -- 
    jim knoble  |  jmknoble@pobox.com  |  http://www.pobox.com/~jmknoble/
    (GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)
     .....................................................................
     :"The methods now being used to merchandise the political candidate :
     : as though he were a deodorant positively guarantee the electorate :
     : against ever hearing the truth about anything."   --Aldous Huxley :
     :...................................................................:
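
Added example, not part of the original post: since PostScript has the file operators quoted in the message above, a spooler can triage a job for them before it reaches the interpreter. The code tokenizes the job so that operator names inside comments, strings and /literal names are not reported; the operator names are ones documented in the PLRM, while `executable_names`, `scan_job` and the sample job are made up for this example.

```python
# PLRM operators that create file objects or touch the file system.
FILE_OPS = {"file", "run", "deletefile", "renamefile", "filenameforall"}
IO_OPS = {"read", "write", "readstring", "readline", "writestring",
          "readhexstring", "writehexstring"}
WS, DELIMS = " \t\r\n\f\0", "()<>[]{}/%"

def executable_names(ps):
    """Yield (line, name) for executed names; skip comments, strings, /literals."""
    i, n = 0, len(ps)
    while i < n:
        c = ps[i]
        if c == "%":                         # comment runs to end of line
            while i < n and ps[i] not in "\r\n":
                i += 1
        elif c == "(":                       # string: nested parens, \ escapes
            depth, i = 1, i + 1
            while i < n and depth:
                if ps[i] == "\\":
                    i += 1                   # skip the escaped character
                else:
                    depth += (ps[i] == "(") - (ps[i] == ")")
                i += 1
        elif c == "<" and ps[i + 1:i + 2] != "<":   # <hex> or <~ascii85~>
            end = "~>" if ps[i + 1:i + 2] == "~" else ">"
            j = ps.find(end, i + 1)
            i = n if j < 0 else j + len(end)
        elif c in WS or c in "<>[]{})":      # whitespace, << >> [ ] { }
            i += 2 if ps.startswith(("<<", ">>"), i) else 1
        else:
            slashes = 2 if ps.startswith("//", i) else int(c == "/")
            j = i = i + slashes
            while j < n and ps[j] not in WS and ps[j] not in DELIMS:
                j += 1
            if slashes != 1:                 # /x is literal; x and //x evaluate
                yield ps.count("\n", 0, i) + 1, ps[i:j]
            i = j

def scan_job(ps):
    """Return [(line, operator, kind)] for file-system and file I/O operators."""
    return [(ln, op, "file-access" if op in FILE_OPS else "file-io")
            for ln, op in executable_names(ps) if op in FILE_OPS | IO_OPS]

# Constructed sample job, not taken from the thread.
SAMPLE = """%!PS-Adobe-3.0
% this comment mentions file and deletefile
72 720 moveto (open the file (report) and write it) show
/file (a literal name, not a call) def
(%stdout) (w) file (hello) writestring showpage
"""
```

PostScript can also build names at run time, so a clean result here is triage only and does not replace restricting the interpreter itself.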
    
    


