Bugtraq mailing list archives
Re: vulnerabilities of postscript printers
From: Glynn Clements <glynn.clements () virgin net>
Date: Sat, 24 Jan 2004 02:56:26 +0000
Darren Reed wrote:
During one of our security reviews the following situation was uncovered. What are your thoughts? Suppose a postscript printer has multiple interfaces connected to different networks, is there a way to leverage PostScript to create a vulnerability such as:

1. Allow an attacker to log in to the printer and then gain access to the other network?
2. Create a postscript program to send copies of printouts to one of the interfaces?
3. What if one of the interfaces is a JetDirect connected via a parallel port?

It has been suggested that PostScript is very powerful and can be used to accomplish a number of general purpose computing tasks including copying data from one port to another and examining memory. Since the parallel interface is bidirectional what is keeping data from being sent from the printer to the network, breaching security. My preliminary web searches do not reveal much in the way of postscript printer vulnerabilities.

First, remember that postscript has been designed for rendering images on a page. It has -no- native networking commands nor ability to talk to any peripheral.

PostScript has the ability to read/write named files, and nothing prohibits an implementation from making peripheral devices or ports accessible as named files.

E.g. using GhostScript on Linux, the following trivial PostScript program sends a WAV file (or the first 20kb thereof) to the sound card:

	(/dev/dsp) (w) file dup                          % open the sound device for writing
	(foo.wav) (r) file 20000 string readstring pop   % read up to 20000 bytes of the WAV file
	writestring flushfile                            % write them to the device and flush

[The -dSAFER switch disables file access, and should be used when running gs on "untrusted" PostScript files.]

Hopefully, embedded implementations won't provide access to anything risky, but the possibility isn't completely out of the question.

-- 
Glynn Clements <glynn.clements () virgin net>
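
An added example, not part of the original post: a small Python triage script that tokenizes a PostScript job and lists the file-related operators it names, with the string operands pushed just before them, using the program from the post as constructed sample input. The operator list and the function names are choices made for this example.

```python
import re

# PostScript operators that open, execute, delete, rename or enumerate named files.
FILE_OPS = {"file", "run", "deletefile", "renamefile", "filenameforall"}

# Constructed sample input: the program quoted in the post above.
SAMPLE = "(/dev/dsp) (w) file dup (foo.wav) (r) file 20000 string readstring pop writestring flushfile"

def tokens(ps):
    """Yield ('str', text) for (...) literals and ('name', text) for other tokens."""
    i, n = 0, len(ps)
    while i < n:
        c = ps[i]
        if c == "%":                          # comment: skip to end of line
            while i < n and ps[i] not in "\r\n":
                i += 1
        elif c == "(":                        # string literal, parentheses may nest
            depth, i, buf = 1, i + 1, []
            while i < n and depth:
                ch = ps[i]
                if ch == "\\" and i + 1 < n:  # escape: keep next char undecoded
                    buf.append(ps[i + 1])
                    i += 2
                    continue
                depth += (ch == "(") - (ch == ")")
                if depth:
                    buf.append(ch)
                i += 1
            yield ("str", "".join(buf))
        elif c.isspace() or c in "[]{}<>/)":  # delimiters; "/" so /file is seen as file
            i += 1
        else:                                 # executable name or number
            m = re.match(r"[^\s()\[\]{}<>/%]+", ps[i:])
            yield ("name", m.group())
            i += m.end()

def file_accesses(ps):
    """Return [(operator, strings pushed just before it)] for each file operator."""
    pending, hits = [], []
    for kind, text in tokens(ps):
        if kind == "str":
            pending.append(text)
            continue
        if text in FILE_OPS:
            hits.append((text, tuple(pending)))
        pending = []
    return hits

if __name__ == "__main__":
    print(file_accesses(SAMPLE))
```

A name-based scan like this only triages jobs: it does not see operator names assembled at run time, so the interpreter-side restriction (the -dSAFER switch mentioned in the post) remains the actual control.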