[33217] in bugtraq
Re: vulnerabilities of postscript printers
daemon@ATHENA.MIT.EDU (Glynn Clements)
Sat Jan 24 13:32:02 2004
From: Glynn Clements <glynn.clements@virgin.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <16401.57050.33561.497185@cerise.nosuchdomain.co.uk>
Date: Sat, 24 Jan 2004 02:56:26 +0000
To: Darren Reed <avalon@caligula.anu.edu.au>
Cc: bobk@panix.com (Bob Kryger), bugtraq@securityfocus.com
In-Reply-To: <200401230501.i0N5120i017266@caligula.anu.edu.au>
Darren Reed wrote:
> > During one of our security reviews the following situation was
> > uncovered. What are your thoughts?
> >
> > Suppose a postscript printer has multiple interfaces connected to
> > different networks, is there a way to leverage PostScript to create a
> > vulnerability such as.
> >
> > 1. Allow an attacker log in to the printer and then gain access to the
> > other network?
> > 2. Create a postscipt program to send copies of printouts to one of the
> > interfaces?
> > 3. What if one of the interfaces is a JetDirect connected via a parallel
> > port?
> >
> > It has been suggested that PostScript is very powerful and can be used
> > to accomplish a number of general purpose computing tasks including
> > copying data from one port to another and examining memory. Since the
> > parallel interface is bidirectional what is keeping data from being send
> > from the printer to the network, breaching security.
> >
> > My preliminary web searches do not reveal much in the way of postscript
> > printer vulnerabilities.
>
> First, remember that postscript has been designed for rendering images
> on a page. It has -no- native networking comands nor ability to talk
> to any peripheral.
PostScript has the ability to read/write named files, and nothing
prohibits an implementation from making peripheral devices or ports
accessible as named files. E.g. using GhostScript on Linux, the
following trivial PostScript program sends a WAV file (or the first
20kb thereof) to the sound card:
(/dev/dsp) (w) file dup
(foo.wav) (r) file
20000 string readstring pop
writestring flushfile
[The -dSAFER switch disables file access, and should be used when
running gs on "untrusted" PostScript files.]
Hopefully, embedded implementations won't provide access to anything
risky, but the possibility isn't completely out of the question.
--
Glynn Clements <glynn.clements@virgin.net>
