Re: vulnerabilities of postscript printers

From: Thomas M. Payerle (payerle_at_physics.umd.edu)
Date: 01/23/04

    Date: Fri, 23 Jan 2004 13:52:42 -0500 (EST)
    To: bugtraq@securityfocus.com
    
    

    On Thu, 22 Jan 2004, Bob Kryger wrote:

    > During one of our security reviews the following situation was
    > uncovered. What are your thoughts?
    >
    > Suppose a postscript printer has multiple interfaces connected to
    > different networks, is there a way to leverage PostScript to create a
    > vulnerability such as.
    >
    > 1. Allow an attacker to log in to the printer and then gain access to the
    > other network?
    > 2. Create a postscript program to send copies of printouts to one of the
    > interfaces?
    > 3. What if one of the interfaces is a JetDirect connected via a parallel
    > port?
    >
    > It has been suggested that PostScript is very powerful and can be used
    > to accomplish a number of general purpose computing tasks including
    > copying data from one port to another and examining memory. Since the
    > parallel interface is bidirectional what is keeping data from being sent
    > from the printer to the network, breaching security?
    >
    > My preliminary web searches do not reveal much in the way of postscript
    > printer vulnerabilities.
    >
    > Thanks
    > Bob
    >
    >
    You may want to look at
    http://members.cox.net/ltlw0lf/printers/printers.pdf
    by Dennis Mattison.
    (I ran across it once, somewhat interesting. Below are my recollections of
    what was in it; though admittedly it's been about 6 months since I read it.)

    I do not believe it addressed any vulnerabilities due to the power of the
    Postscript language. I am not well versed in Postscript language, but
    am inclined to believe that this is limited.

    However, the vulnerabilities in the printer OS are addressed in the above
    paper, as well as some nasty stuff that can be done via PCL and related
    languages (again, I don't recall any PS specific exploits). The threats
    did not really bother me from a practical matter (from the principle of the
    lowest hanging fruit, I have quite a few issues which are much more exploitable).

    However, it sounds like you have a much more stringent security posture, and
    some of the issues in the paper (and while I did not confirm, the author
    seemed to know what he was talking about and the conclusions did not seem
    unreasonable). In particular, he claims that several printer vendors have
    backdoors in the printers with no password protection, and other blatant
    security holes that would be completely unacceptable in just about any other
    network device.

    There appears to be a significant potential for rewriting the printer embedded
    OS, allowing just about anything. Even short of that, there seems to be
    potential for using a printer as a presence on your subnet, and presumably in
    re to (1), to a more protected subnet if dual hosted. The paper actually
    describes several scenarios for "wiretapping" print jobs.

    Unfortunately, if I recall correctly, there wasn't a tremendous amount that
    one could do about it, other than maybe yell at vendors (which does not do
    much for short term). Also, it sounded like HP was one of the more security
    conscious vendors.

    Tom Payerle
    Dept of Physics payerle@physics.umd.edu
    University of Maryland (301) 405-6973
    College Park, MD 20742-4111 Fax: (301) 314-9525
