Re: vulnerabilities of postscript printers

[Glynn Clements <glynn.clements () virgin net>]

Darren Reed wrote:

> > During one of our security reviews the following situation was 
> > uncovered. What are your thoughts?
> >
> > Suppose a postscript printer has multiple interfaces connected to 
> > different networks, is there a way to leverage PostScript to create a 
> > vulnerability such as.
> >
> > 1. Allow an attacker log in to the printer and then gain access to the 
> > other network?
> > 2. Create a postscipt program to send copies of printouts to one of the 
> > interfaces?
> > 3. What if one of the interfaces is a JetDirect connected via a parallel 
> > port?
> >
> > It has been suggested that PostScript is very powerful and can be used 
> > to accomplish a number of general purpose computing tasks including 
> > copying data from one port to another and examining memory. Since the 
> > parallel interface is bidirectional what is keeping data from being send 
> > from the printer to the network, breaching security.
> >
> > My preliminary web searches do not reveal much in the way of postscript 
> > printer vulnerabilities.
>
> First, remember that postscript has been designed for rendering images
> on a page.  It has -no- native networking comands nor ability to talk
> to any peripheral.

PostScript has the ability to read/write named files, and nothing
prohibits an implementation from making peripheral devices or ports
accessible as named files. E.g. using GhostScript on Linux, the
following trivial PostScript program sends a WAV file (or the first
20kb thereof) to the sound card:

        (/dev/dsp) (w) file dup
        (foo.wav) (r) file
        20000 string readstring pop
        writestring flushfile

[The -dSAFER switch disables file access, and should be used when
running gs on "untrusted" PostScript files.]

Hopefully, embedded implementations won't provide access to anything
risky, but the possibility isn't completely out of the question.

-- 
Glynn Clements <glynn.clements () virgin net>