Message-ID: <20040123184556.GD24180@crawfish.ais.com>
Date: Fri, 23 Jan 2004 13:45:56 -0500
From: Jim Knoble <jmknoble@...ox.com>
To: bugtraq@...urityfocus.com
Subject: Re: vulnerabilities of postscript printers
Circa 2004-01-23 16:01:02 +1100 dixit Darren Reed:
: In some mail from Bob Kryger, sie said:
: > Suppose a postscript printer has multiple interfaces connected to
: > different networks, is there a way to leverage PostScript to create a
: > vulnerability such as.
: >
: > 1. Allow an attacker log in to the printer and then gain access to the
: > other network?
: > 2. Create a postscript program to send copies of printouts to one of the
: > interfaces?
: > 3. What if one of the interfaces is a JetDirect connected via a parallel
: > port?
: >
: > It has been suggested that PostScript is very powerful and can be used
: > to accomplish a number of general purpose computing tasks including
: > copying data from one port to another and examining memory. Since the
: > parallel interface is bidirectional what is keeping data from being sent
: > from the printer to the network, breaching security.
:
: First, remember that postscript has been designed for rendering images
: on a page. It has -no- native networking commands nor ability to talk
: to any peripheral. Most often, the 'general purpose' tasks have been
: to do things like write a postscript program to calculate pi or things
: like that. I've never heard of anyone suggesting you could copy data
: from one port to another, if only because there's no such thing as an
: open file in postscript.
False. Have a look at Adobe's 'PostScript Language Reference, Third
Edition':
http://partners.adobe.com/asn/developer/PDFS/TN/PLRM.pdf
Specifically, in section 3.8, 'File Input and Output'. For example:
3.8.1 Basic File Operators
A PostScript file object represents a file. The file operators take
a file object as an operand to read or write characters. Ignoring
for the moment how a file object comes into existence, the file
operators include the following:
* read reads the next character from an input file.
* write appends a character to an output file.
* readstring, readline, and writestring transfer the contents of
strings to and from files.
* readhexstring and writehexstring read and write binary data
represented in the file by hexadecimal notation.
* token scans characters from an input file according to the
PostScript language syntax rules.
* exec, applied to an input file, causes the PostScript
interpreter to execute a PostScript program from that file.
[formatting errors mine]. Keep on reading the PDF for instructions on
how to create a file object....
PostScript Level 3 is a powerful and rather generalized stack-based
language. Think ghostscript <http://www.ghostscript.com/> embedded into
a printer, some of which (notably CJKV-language printers with rather
large fontsets) even come complete with hard disk drives. Recall that
the ghostscript interpreter comes with command-line arguments you can
use to make the interpreter "safer"; how much safer is left to those who
prefer to inspect the code.
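As an added illustration (not part of the original message), here is a small probe job that exercises the `file` operator from PLRM section 3.8 and reports whether the interpreter lets a job create file objects on the host; it assumes Ghostscript as the interpreter, and the two paths are constructed for the example.

```postscript
%!PS
% Added example, not from the original message: report whether this
% interpreter lets a PostScript job create file objects on the host,
% using the `file` operator described in PLRM section 3.8.
% Run twice with Ghostscript (assumed) and compare the output:
%   gs -dSAFER -dNODISPLAY -dBATCH -dNOPAUSE probe.ps   # expect: invalidfileaccess
%   gs         -dNODISPLAY -dBATCH -dNOPAUSE probe.ps   # unrestricted interpreter
% The paths below are constructed for the example; substitute your own.

/probe {                        % (path) (mode) -> -
  2 copy exch print ( ) print print (: ) print   % label, e.g. "/etc/hostname r: "
  mark 3 1 roll                 % mark path mode  (so leftovers can be discarded)
  { file } stopped              % mark file false   or   mark <junk> true
  {                             % access refused or file missing: show the error name
    $error /errorname get =     % invalidfileaccess: the lockdown held
    $error /newerror false put  % undefinedfilename: access allowed, file absent
  } {
    closefile (access permitted\n) print
  } ifelse
  cleartomark
} def

(/etc/hostname) (r) probe             % read an existing host file
(/tmp/ps-access-probe.txt) (w) probe  % create a file on the host
flush
```

A line ending in "access permitted" means the interpreter honoured the file request; that is the configuration the message above warns about, and the one -dSAFER (or the printer's equivalent lockdown) is meant to prevent.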
[...]
: All that's not to say that a postscript engine is ever perfect...I'm
: sure everyone who's had a postscript printer can tell of print jobs
: that have "crashed the printer".
Many of the "crash the printer" jobs actually overflow the PostScript
stack.
: Maybe you can buffer overflow one, but what OS are they running in
: there? It's not likely to be anything you'll have libraries for and
: maybe not even a CPU you're familiar with.
Doesn't matter. If the interpreter isn't properly locked down, all bets
are off.
--
jim knoble | jmknoble@...ox.com | http://www.pobox.com/~jmknoble/
(GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)
.....................................................................
:"The methods now being used to merchandise the political candidate :
: as though he were a deodorant positively guarantee the electorate :
: against ever hearing the truth about anything." --Aldous Huxley :
:...................................................................: