Re: vulnerabilities of postscript printers

[Theo de Raadt <deraadt () cvs openbsd org>]

> > > > My god, people attach printers to networks! Postscript is Turing Complete!
> > > Blah blah - you can't open files...
> > Sure you can, RTFM...
>
>    Who cares? if it's a network attached printer there's some sort of
> IP stack in there speaking lpr, and some semblance of an operating
> system.  It's a computer. It has network interfaces, the software is
> certainly full of bugs and sucks, like most other software. It's
> probably exploitable. Why would you treat this device any differently
> than any other network attachable device on your secured network?

I concur.

When is the entire security community going to start realizing that

      - statistics keep showing there is approximately 1 bug in ever
        50-200 lines of code

      - these bugs fall into classes of "programmer error", like
        heap object overflow, stack object overflow, range check
        failure, input mismanagement, race, ...

      - for certain classes, nearly EVERY occurance is exploitable,
        for instance, nearly all stack object overflows are exploitable

      - I am going to estimate that a typical postscript rom is, what,
        2MB of code, probably is generated from about 100,000 lines of
        code.. are we getting the picture?

Hence, I assume that if something has not been specifically audited by
a person who is allowed to and capable of "cleaning the code to make
it paranoid" as they audit, that code will have bugs.

What stuns me is that someone would even need to ask the question of
"is a postscript printer secure", and that numerous people would get
lost in the rats nest of discussing what the postscript langauge is
capable of.  I would bet that most of the security holes in a printer
would be due to crappy low level bugs.

If I can't read the code to confirm that it is crap, I assume that it
is crap.

And I bet there are people actively exploiting printer firmware..