Full Disclosure mailing list archives

Re: Re: vulnerabilities of postscript printers


From: Ka <ka () khidr net>
Date: Sat, 24 Jan 2004 04:25:11 +0100

On Saturday, 24 January 2004 02:46 Valdis.Kletnieks () vt edu wrote:
> For that matter, if the printer has a disk, and a "printout" from
> the insecure net can get the system password, is it able to scavenge
> data from old jobs off the disk?  Most modern multi-user operating
> systems manage to do this correctly, but there's still the occasional
> screw-up (how many times have we seen "Program XYZ embeds random
> data in files" exposures?)

I don't know. But new jobs (from other users) could be copied to disk easily,
if one has the system password. You would just replace (overlay) system
operators with your own versions, which first duplicate and write the data
to disk and then call the original (overlaid) operator. The printer would
show identical behaviour -- except for being a little slower. And a special
"print job" of yours will deliver the stored data back ("invisibly" over the
communication line, parallel or USB cable, not on paper) and clean up
your "dump" file again.

If the printer has no disk but a lot of memory, you could do the dump into
virtual memory. At least with short print jobs that should be possible.
And as your retrieval job need not print anything, you may use it
to poll the printer for new "dumps" rather often and in short intervals.


Henry Spencer from the University of Toronto said:
(http://yarchive.net/risks/postscript_password.html)

<quote>
"The default password as shipped is 0.  Very few printer owners bother
to change this.  The problem is that there is significant incentive
*not* to change it... because the PostScript code from a good many
badly-written but legitimate applications tries password 0 and will fail
if it has been changed!  Typically, all the application uses it for is
to set some parameters back to reasonable defaults -- whether the printer
owner wants it that way or not -- but the code makes no attempt to cope
with the possibility of a non-standard password forbidding such changes."

"Believe it or not, there are people who will defend the idea that you should
leave your printer's password unchanged so that programs can mess with its
parameters however they please."
</quote>


ka

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
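
A defender's view of the overlay technique discussed in this message, as an added example that is not part of the original post: a spooler-side check that flags PostScript jobs which leave job encapsulation via `exitserver` or `startjob` and then rebind page operators to a procedure. The watch lists, function names and sample jobs are constructed for illustration, and the tokenizer is simplified (no nested parentheses in strings).

```python
import re

# Constructed watch lists (assumptions for illustration, not from the post).
WATCHED = {"showpage", "copypage", "show", "image", "imagemask"}
PARAM_OPS = {"setsystemparams", "setdevparams"}
FILE_OPS = {"deletefile", "renamefile", "filenameforall"}
STRING_OR_COMMENT = re.compile(r"\((?:\\.|[^()\\])*\)|%[^\n]*")
TOKEN = re.compile(r"\((?:\\.|[^()\\])*\)|/?[^\s()<>\[\]{}/%]+|[{}]")

def tokens(ps):
    """Tokenize a job after dropping % comments (string literals are kept)."""
    ps = STRING_OR_COMMENT.sub(lambda m: "" if m[0][0] == "%" else m[0], ps)
    return TOKEN.findall(ps)

def defines_proc(toks, i):
    """True if the literal name at toks[i] is bound to a {...} procedure."""
    j, depth = i + 1, 0
    if toks[j:j + 1] != ["{"]:
        return False
    while j < len(toks):
        depth += {"{": 1, "}": -1}.get(toks[j], 0)
        j += 1
        if depth == 0:
            break
    return "def" in toks[j:j + 2]  # allows an intervening `bind`

def scan_job(ps):
    """Return (operator, reason) findings for one PostScript job."""
    toks, findings, persistent = tokens(ps), [], False
    for i, t in enumerate(toks):
        if t in ("exitserver", "startjob"):
            persistent = True  # definitions made after this outlive the job
            pw = toks[i - 1] if i else "?"
            findings.append((t, f"leaves job encapsulation, password operand {pw}"))
        elif t in PARAM_OPS:
            findings.append((t, "changes printer parameters"))
        elif t in FILE_OPS or (t == "file" and toks[i - 1:i] == ["(w)"]):
            findings.append((t, "writes to or alters the printer file system"))
        elif persistent and t[0] == "/" and t[1:] in WATCHED and defines_proc(toks, i):
            findings.append((t[1:], "operator redefined persistently"))
    return findings

# Constructed sample jobs: an ordinary page, and one that rebinds showpage
# to a harmless placeholder body after exiting the server loop.
ORDINARY = "%!PS\n/Helvetica findfont 12 scalefont setfont\n72 720 moveto (hi) show showpage\n"
SUSPECT = ("%!PS\nserverdict begin 0 exitserver  % default password\n"
           "/showpage { (placeholder) pop } bind def\n")

if __name__ == "__main__":
    for name, job in (("ordinary", ORDINARY), ("suspect", SUSPECT)):
        print(name, scan_job(job))
```

Because legitimate applications also try password 0, as the quoted passage notes, a bare `exitserver` finding is a prompt for review; the combination with a persistent operator redefinition is the stronger signal.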