Bugtraq mailing list archives
Re: vulnerabilities of postscript printers
From: Ian Farquhar - Network Security Group <Ian.Farquhar () Sun COM>
Date: Wed, 28 Jan 2004 09:12:58 +1100
der Mouse wrote:
Third, it would not be easy to usurp control of the printer's CPU to start with. PostScript jobs are run in a relatively restricted virtual-machine environment, and it is difficult for a job to affect the environment provided for future jobs - generally, it needs to provide the correct value for a 32-bit "password". (Such things can be set insecurely, certainly, but that's no different, really, from having a Unix box with root's password set to "root": it's admin error.)
The undocumented, machine-specific cexec interface allows the downloading and execution of binary images which are run by the RIP CPU. Its purpose, I was told, was to allow drivers to patch bugs in the firmware if needed, but its most (in)famous use was Apple's Laserwriter bitmap smoothing code which ran natively on the LW's 68000 for speed.
If you could figure out the cexec encryption - and I'd bet money it was very similar to the now-documented eexec encryption - running code natively on the RIP's CPU would be fairly easy.
It's been several years since I looked, but cexec was present on most "genuine Adobe" firmwares I investigated.
--
Ian Farquhar
Senior Network Security Engineer
Network Security Group
Sun Microsystems
Level 2, 828 Pacific Hwy
Gordon, NSW, 2072
Australia
Email: ian.farquhar () sun com
Phone: +61 2 9498 0470 (External)
Phone: 57470 (Sun Internal)
Mobile: +61 414 967 178
Fax: +61 2 9498 0460
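Added example, not part of the original message and not code from Adobe or either poster: a print-spool triage filter that flags PostScript jobs referencing operators that reach beyond the current job, such as the cexec interface discussed above. The operator list, the function name flag_operators and the sample job are assumptions made for illustration.

```python
# Added example: triage filter for PostScript print jobs. WATCHED is an assumed
# policy list: cexec is named in the message; the others are standard operators.
WATCHED = {b"cexec", b"eexec", b"exitserver", b"startjob"}
SPACE = b" \t\r\n\f\0"
DELIMS = b"()<>[]{}/%"

def flag_operators(job: bytes):
    """Return [(line, name)] for watched names outside comments and strings."""
    hits, line, i, n = [], 1, 0, len(job)
    while i < n:
        c = job[i:i + 1]
        if c == b"\n":
            line += 1
            i += 1
        elif c == b"%":                      # comment runs to end of line
            while i < n and job[i:i + 1] not in (b"\n", b"\r"):
                i += 1
        elif c == b"(":                      # string literal: nesting and escapes
            depth, i = 1, i + 1
            while i < n and depth:
                ch = job[i:i + 1]
                if ch == b"\\":
                    i += 1                   # move onto the escaped byte
                elif ch == b"(":
                    depth += 1
                elif ch == b")":
                    depth -= 1
                if job[i:i + 1] == b"\n":
                    line += 1
                i += 1
        elif c in SPACE or c in DELIMS:
            i += 1
        else:                                # name or number token
            j = i
            while j < n and job[j:j + 1] not in SPACE and job[j:j + 1] not in DELIMS:
                j += 1
            if job[i:j] in WATCHED:
                hits.append((line, job[i:j].decode("ascii")))
            i = j
    return hits

# Constructed sample job; PASSWORD_PLACEHOLDER stands in for the printer password.
SAMPLE = b"""%!PS-Adobe-3.0
% this comment mentions exitserver and is ignored
72 720 moveto (cexec inside a string \\(nested\\) is ignored) show
serverdict begin PASSWORD_PLACEHOLDER exitserver
cexec
showpage
"""
```

The filter only sees literal tokens in the job text, so it is a logging and triage aid in front of the printer rather than a replacement for setting the printer password properly.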