lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Sat, 24 Jan 2004 02:56:26 +0000
From: Glynn Clements <glynn.clements@...gin.net>
To: Darren Reed <avalon@...igula.anu.edu.au>
Cc: bobk@...ix.com (Bob Kryger), bugtraq@...urityfocus.com
Subject: Re: vulnerabilities of postscript printers



Darren Reed wrote:

> > During one of our security reviews the following situation was 
> > uncovered. What are your thoughts?
> > 
> > Suppose a postscript printer has multiple interfaces connected to 
> > different networks, is there a way to leverage PostScript to create a 
> > vulnerability such as.
> > 
> > 1. Allow an attacker log in to the printer and then gain access to the 
> > other network?
> > 2. Create a postscipt program to send copies of printouts to one of the 
> > interfaces?
> > 3. What if one of the interfaces is a JetDirect connected via a parallel 
> > port?
> > 
> > It has been suggested that PostScript is very powerful and can be used 
> > to accomplish a number of general purpose computing tasks including 
> > copying data from one port to another and examining memory. Since the 
> > parallel interface is bidirectional what is keeping data from being send 
> > from the printer to the network, breaching security.
> > 
> > My preliminary web searches do not reveal much in the way of postscript 
> > printer vulnerabilities.
> 
> First, remember that postscript has been designed for rendering images
> on a page.  It has -no- native networking comands nor ability to talk
> to any peripheral.

PostScript has the ability to read/write named files, and nothing
prohibits an implementation from making peripheral devices or ports
accessible as named files. E.g. using GhostScript on Linux, the
following trivial PostScript program sends a WAV file (or the first
20kb thereof) to the sound card:

	(/dev/dsp) (w) file dup
	(foo.wav) (r) file
	20000 string readstring pop
	writestring flushfile

[The -dSAFER switch disables file access, and should be used when
running gs on "untrusted" PostScript files.]

Hopefully, embedded implementations won't provide access to anything
risky, but the possibility isn't completely out of the question.

-- 
Glynn Clements <glynn.clements@...gin.net>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ