lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Wed, 28 Jan 2004 09:12:58 +1100
From: Ian Farquhar - Network Security Group <Ian.Farquhar@....COM>
To: der Mouse <mouse@...ents.Montreal.QC.CA>
Cc: bugtraq@...urityfocus.com
Subject: Re: vulnerabilities of postscript printers


der Mouse wrote:
> Third, it would not be easy to usurp control of the printer's CPU to
> start with.  PostScript jobs are run in a relatively restricted
> virtual-machine environment, and it is difficult for a job to affect
> the environment provided for future jobs - generally, it needs to
> provide the correct value for a 32-bit "password".  (Such things can be
> set insecurely, certainly, but that's no different, really, from having
> a Unix box with root's password set to "root": it's admin error.)

The undocumented, machine-specific cexec interface allows the 
downloading and execution of binary images which are run by the RIP CPU. 
  It's purpose, I was told, was to allow drivers to patch bugs in the 
firmware if needed, but it's most (in)famous use was Apple's Laserwriter 
bitmap smoothing code which ran natively on the LW's 68000 for speed.

If you could figured out the cexec encryption - and I'd bet money it was 
very similar to the now-documented eexec encryption - running code 
natively on the RIP's CPU would be fairly easy.

It's been several years since I looked, but cexec was present on most 
"genuine Adobe" firmwares I investigated.

-- 
Ian Farquhar
Senior Network Security Engineer
Network Security Group
Sun Microsystems
Level 2, 828 Pacific Hwy
Gordon, NSW, 2072
Australia

Email:  ian.farquhar@....com
Phone:  +61 2 9498 0470 (External)
Phone:  57470 (Sun Internal)
Mobile: +61 414 967 178
Fax:    +61 2 9498 0460

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ