lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <40101A67.2090804@panix.com>
Date: Thu, 22 Jan 2004 13:45:59 -0500
From: Bob Kryger <bobk@...ix.com>
To: bugtraq@...urityfocus.com
Subject: vulnerabilities of postscript printers


During one of our security reviews the following situation was 
uncovered. What are your thoughts?

Suppose a postscript printer has multiple interfaces connected to 
different networks, is there a way to leverage PostScript to create a 
vulnerability such as.

1. Allow an attacker log in to the printer and then gain access to the 
other network?
2. Create a postscipt program to send copies of printouts to one of the 
interfaces?
3. What if one of the interfaces is a JetDirect connected via a parallel 
port?

It has been suggested that PostScript is very powerful and can be used 
to accomplish a number of general purpose computing tasks including 
copying data from one port to another and examining memory. Since the 
parallel interface is bidirectional what is keeping data from being send 
from the printer to the network, breaching security.

My preliminary web searches do not reveal much in the way of postscript 
printer vulnerabilities.

Thanks
Bob



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ