| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 24 Jan 2004 01:47:12 +0100 From: Michael Zimmermann <zim@...aa.de> To: Darren Reed <avalon@...igula.anu.edu.au> Cc: bugtraq@...urityfocus.com Subject: Re: vulnerabilities of postscript printers At Freitag, 23. Januar 2004 06:01 Darren Reed wrote: > First, remember that postscript has been designed for rendering images > on a page. It has -no- native networking comands nor ability to talk > to any peripheral. This statement is misleading. PostScript allows reading and writing of files for example, if the printer has a disk installed (and some have -- to store jobs, fonts, forms and of course system-software). It should also be noted, that a PostScript printer establishes a two-way communication with the driver. This stdin and stderr files can be access by the user programm (i.e. by the print-job transmitted to the printer). Using a special "print"-driver gives me a user "shell" for an apple and an egg. Every driver writer for PostScript printer knows that, it's part of the PostScript bibles (I think, in the third book). Often the system-level is only a password away (if the administrator has set it at all, which I doubt). Hence a null password or the factory default would be a good guess. And I have seen the only possible password type to be an <integer>. Brute force at night with an automatic script running on my PC should not be too difficult. The network communication is part of the system-level, and this is usually also partly written in PostScript, but at least accessible from the PostScript level. Hence the question is: how secure is the job-environment, the "monitor" or "print spooler" under which the "normal" print-jobs run. This basic software is loaded from the printers eprom and/or disk and/or from the computer initializing the printer. Additionally there is often a way to change the system dictionary with the correct "system" password (depending on the implementation). Add to this the possibility to reprogram basic I/O routines via burning a new eeprom, if the printer has the ability for eeprom-software-update, and you are part of all attached networks and not even bound by the PostScript semantics (though that is not a great bondage anyway). Bob Kryger had asked (and my answers are): > 1. Allow an attacker log in to the printer and then gain > access to the other network? Login is easy. Reaching system level may be more difficult (or also easy). Complete access to the other network (with the ability to send any packet or sniff the other network) is much work, but not impossible. Everything depends on the printer. > 2. Create a postscipt program to send copies of printouts > to one of the interfaces? Probably the easiest goal of them all. Depending on the printer. > 3. What if one of the interfaces is a JetDirect connected > via a parallel port? I assume it would be no hindrance. But the question is, how much filtering is done in the JetDirect, wether it allows the printer to initiate a (say tcp-) connection etc. Then (and only then) it would act as a one-directional firewall. But then the intruder has at least access to the printer and it's data and can obtain copies of the print-jobs (after intermediate storage in the printers virtual memory or disk and through regular polling). Conclusion: Security critical networks should not share printers with insecure nets - no physical connection should be there. And a PostScript printer is a possible "tunnel" and can even be "owned" - depending on it's hardware + software situation. Greetings Michael -- Michael Zimmermann Vegaa Safety and Security for Internet Services
Powered by blists - more mailing lists