Open Source and information security mailing list archives
 
Message-ID: <200401240504.i0O54NDg014976@caligula.anu.edu.au>
From: avalon at caligula.anu.edu.au (Darren Reed)
Subject: Re: vulnerabilities of postscript printers

To put my comments in perspective, I immersed myself in postscript at a
time when "level 2" was new and it was not really documented.

In some mail from Michael Zimmermann, sie said:
> On Friday, 23 January 2004 06:01 Darren Reed wrote:
> > First, remember that postscript has been designed for rendering images
> > on a page.  It has -no- native networking commands nor ability to talk
> > to any peripheral.
> 
> This statement is misleading. PostScript allows reading and writing of files
> for example, if the printer has a disk installed (and some have -- to store 
> jobs, fonts, forms and of course system-software). It should also be noted, 
> that a PostScript printer establishes a two-way communication with the 
> driver. These stdin and stderr files can be accessed by the user program
> (i.e. by the print-job transmitted to the printer).
> Using a special "print"-driver gives me a user "shell" for an apple
> and an egg. Every driver writer for PostScript printers knows that,
> it's part of the PostScript bibles (I think, in the third book).

Yup and stdout & stderr are very useful.  Lets you find out, easily,
how many pages were printed.  Also allows "interactive".  But this
is all "so-what" type material...

> Often the system-level is only a password away (if the administrator
> has set it at all, which I doubt). Hence a null password or the factory 
> default would be a good guess. And I have seen the only possible
> password type to be an <integer>. Brute force at night with an
> automatic script running on my PC should not be too difficult.

See here you've taken a step I don't believe possible - with postscript.
For reference I downloaded the blue book and read through the operator
summary last night and there is no "password" or "login" in postscript.
Often postscript printers have a telnet facility if they have a network
card but that's quite separate, I believe.  Kind of like how such
printers will usually also do SNMP and/or appletalk and/or whatever other
networking stuff has been put in them.

> The network communication is part of the system-level, and this
> is usually also partly written in PostScript, but at least accessible
> from the PostScript level.

And you have an example of this ?

For it to be accessible via postscript, I imagine it might take
some special filename...

All that said and done, there's still no replacing a postscript printer
for printing quality, IMHO :)

Darren
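
An added example, not part of the original thread or of any project's code: a spooler-side check that flags print jobs using the file and system-level operators the thread argues about, ignoring comments and string literals. The operator names come from the PostScript Language Reference; the grouping, the function name `scan_job` and the sample job are constructed for illustration.

```python
# Operators that touch the printer's file system or leave the normal
# per-job sandbox. The two category labels are this example's own.
RISKY = {
    "file": "file-io", "deletefile": "file-io", "renamefile": "file-io",
    "filenameforall": "file-io",
    "exitserver": "system-level", "startjob": "system-level",
    "setsystemparams": "system-level", "setdevparams": "system-level",
}
DELIMS = set("()<>[]{}/%")

def scan_job(ps):
    """Return [(line, operator, category)] for executable names in RISKY."""
    findings, i, line, n = [], 0, 1, len(ps)
    while i < n:
        c = ps[i]
        if c == "\n":
            line += 1
            i += 1
        elif c == "%":                       # comment: skip to end of line
            while i < n and ps[i] != "\n":
                i += 1
        elif c == "(":                       # string literal; parentheses nest
            depth = 0
            while i < n:
                if ps[i] == "\\":
                    i += 1                   # step over the escaped character
                elif ps[i] == "(":
                    depth += 1
                elif ps[i] == ")":
                    depth -= 1
                elif ps[i] == "\n":
                    line += 1
                i += 1
                if depth == 0:
                    break
        elif c == "/" or c not in DELIMS and not c.isspace():
            j = i + 1                        # name token; a leading "/" marks a literal name
            while j < n and ps[j] not in DELIMS and not ps[j].isspace():
                j += 1
            word = ps[i:j]
            if word in RISKY:                # "/file" is a literal name, so it never matches
                findings.append((line, word, RISKY[word]))
            i = j
        else:
            i += 1
    return findings

# Constructed sample job; the device name and the integer are placeholders.
SAMPLE = """%!PS-Adobe-3.0
% file deletefile in a comment is ignored
/Helvetica findfont 12 scalefont setfont
72 720 moveto (please file this report) show
(%disk0%fonts/x) (r) file closefile
serverdict begin 1234 exitserver
showpage
"""
```

This is a static token check only: a job that builds operator names at run time (for example from a string converted to an executable name) will not be flagged, so it complements rather than replaces setting the printer's system-level password.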

