Re: vulnerabilities of postscript printers

From: Ian Farquhar - Network Security Group (Ian.Farquhar_at_Sun.COM)
Date: 01/27/04

  • Next message: Stefan Esser: "GAIM Patch update"
    Date: Wed, 28 Jan 2004 09:12:58 +1100
    To: der Mouse <mouse@Rodents.Montreal.QC.CA>

    der Mouse wrote:
    > Third, it would not be easy to usurp control of the printer's CPU to
    > start with. PostScript jobs are run in a relatively restricted
    > virtual-machine environment, and it is difficult for a job to affect
    > the environment provided for future jobs - generally, it needs to
    > provide the correct value for a 32-bit "password". (Such things can be
    > set insecurely, certainly, but that's no different, really, from having
    > a Unix box with root's password set to "root": it's admin error.)

    The undocumented, machine-specific cexec interface allows the
    downloading and execution of binary images which are run by the RIP CPU.
      It's purpose, I was told, was to allow drivers to patch bugs in the
    firmware if needed, but it's most (in)famous use was Apple's Laserwriter
    bitmap smoothing code which ran natively on the LW's 68000 for speed.

    If you could figured out the cexec encryption - and I'd bet money it was
    very similar to the now-documented eexec encryption - running code
    natively on the RIP's CPU would be fairly easy.

    It's been several years since I looked, but cexec was present on most
    "genuine Adobe" firmwares I investigated.

    Ian Farquhar
    Senior Network Security Engineer
    Network Security Group
    Sun Microsystems
    Level 2, 828 Pacific Hwy
    Gordon, NSW, 2072
    Phone:  +61 2 9498 0470 (External)
    Phone:  57470 (Sun Internal)
    Mobile: +61 414 967 178
    Fax:    +61 2 9498 0460

  • Next message: Stefan Esser: "GAIM Patch update"

    Relevant Pages

    • Re: OT: Steve Jobs just died
      ... Jobs was good. ... and a genius in industrial design. ...   ... The monolithic CPU on a chip would have amazed him. ...
    • Re: CPU time differences for the same job
      ... I have had a lot of one-hour+ jobs using less than 2 minutes of CPU. ... So, even if I double the speed of the CPU, I have improved these long running jobs by one minute. ... Microseconds don't count, any more. ... I got a call from the operators telling me that the SMF address space was filling up faster than SMF could write the records. ...
    • Re: Threaded Perl Processes Going to Sleep Simultaneously??? Why?
      ... all your jobs will block waiting for it to come back. ... posting here have 16+ CPU boxes sitting around). ... though, it could just freeze up for a few seconds (or even minutes, I've ... I think this post continuing on a perl forum may be ...
    • RE: limiting CPU access per user
      ... The tools are really meant to schedule jobs across many machines, ... user jobs to one CPU on a single system with similar ease. ... then dplace it to a certain CPUcomes to mind. ... If it's not going to be a wrapper script, then that could form part of ...
    • Re: WRKSYSTS Page Fault Values
      ... that you have too many because your disk & CPU utilisisatons are so low). ... Ten batch jobs. ... Batch jobs reading huge files from beginning to end (especially indexed ... of async i/o ...