Circa 2004-01-23 16:01:02 +1100 dixit Darren Reed:

: In some mail from Bob Kryger, sie said:
: > Suppose a postscript printer has multiple interfaces connected to
: > different networks, is there a way to leverage PostScript to create a
: > vulnerability such as.
: >
: > 1. Allow an attacker to log in to the printer and then gain access to the
: > other network?
: > 2. Create a postscript program to send copies of printouts to one of the
: > interfaces?
: > 3. What if one of the interfaces is a JetDirect connected via a parallel
: > port?
: >
: > It has been suggested that PostScript is very powerful and can be used
: > to accomplish a number of general purpose computing tasks including
: > copying data from one port to another and examining memory. Since the
: > parallel interface is bidirectional what is keeping data from being sent
: > from the printer to the network, breaching security.
:
: First, remember that postscript has been designed for rendering images
: on a page. It has -no- native networking commands nor ability to talk
: to any peripheral. Most often, the 'general purpose' tasks have been
: to do things like write a postscript program to calculate pi or things
: like that. I've never heard of anyone suggesting you could copy data
: from one port to another, if only because there's no such thing as an
: open file in postscript.

False. Have a look at Adobe's 'PostScript Language Reference, Third
Edition':

    http://partners.adobe.com/asn/developer/PDFS/TN/PLRM.pdf

Specifically, in section 3.8, 'File Input and Output'. For example:

    3.8.1 Basic File Operators

    A PostScript file object represents a file. The file operators take
    a file object as an operand to read or write characters. Ignoring
    for the moment how a file object comes into existence, the file
    operators include the following:

    * read reads the next character from an input file.
    * write appends a character to an output file.
    * readstring, readline, and writestring transfer the contents of
      strings to and from files.
    * readhexstring and writehexstring read and write binary data
      represented in the file by hexadecimal notation.
    * token scans characters from an input file according to the
      PostScript language syntax rules.
    * exec, applied to an input file, causes the PostScript interpreter
      to execute a PostScript program from that file.

[formatting errors mine]. Keep on reading the PDF for instructions on
how to create a file object....

PostScript Level 3 is a powerful and rather generalized stack-based
language. Think ghostscript <http://www.ghostscript.com/> embedded into
a printer, some of which (notably CJKV-language printers with rather
large fontsets) even come complete with hard disk drives.

Recall that the ghostscript interpreter comes with command-line
arguments you can use to make the interpreter "safer"; how much safer is
left to those who prefer to inspect the code.

[...]

: All that's not to say that a postscript engine is ever perfect...I'm
: sure everyone who's had a postscript printer can tell of print jobs
: that have "crashed the printer".

Many of the "crash the printer" jobs actually overflow the PostScript
stack.

: Maybe you can buffer overflow one, but what OS are they running in
: there? It's not likely to be anything you'll have libraries for and
: maybe not even a CPU you're familiar with.

Doesn't matter. If the interpreter isn't properly locked down, all bets
are off.

--
jim knoble | jmknoble@xxxxxxxxx | http://www.pobox.com/~jmknoble/
(GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)
.....................................................................
:"The methods now being used to merchandise the political candidate :
: as though he were a deodorant positively guarantee the electorate :
: against ever hearing the truth about anything." --Aldous Huxley   :
:...................................................................:
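A defender-side check that follows from the file operators quoted in the message above, as an added example that is not part of the original post: a small Python lexer that flags those operators in a print job before it reaches the interpreter. The function names, the sample job and the inclusion of the `file` operator are assumptions made for this example.

```python
import re
# Operators named in the quoted PLRM 3.8.1 list; "file" is an assumption added here.
WATCHED = {"file", "read", "write", "readstring", "readline", "writestring",
           "readhexstring", "writehexstring", "token", "exec"}

LEXER = re.compile(r"""
    (?P<comment>%[^\n]*)                 # comment runs to end of line
  | (?P<dict><<|>>)                      # dictionary marks, not hex strings
  | (?P<a85><~.*?~>)                     # ASCII85 string
  | (?P<hex><[^>]*>)                     # hex string
  | (?P<literal>/+[^\s()<>\[\]{}/%]*)    # /literal or //immediate name
  | (?P<name>[^\s()<>\[\]{}/%]+)         # executable name or number
  | (?P<other>.)                         # whitespace, brackets, stray bytes
""", re.VERBOSE | re.DOTALL)

def _skip_string(job, i):
    """Return the index just past the (string) opening at job[i]."""
    depth = 0
    while i < len(job):
        if job[i] == "\\":
            i += 1                       # skip the escaped character
        elif job[i] == "(":
            depth += 1                   # parentheses nest inside strings
        elif job[i] == ")":
            depth -= 1
            if depth == 0:
                return i + 1
        i += 1
    return len(job)                      # unterminated: consume the rest

def flag_file_operators(job):
    """Return [(line, operator)] for watched executable names in a job."""
    hits, pos = [], 0
    while pos < len(job):
        if job[pos] == "(":              # strings are data, never scanned
            pos = _skip_string(job, pos)
            continue
        m = LEXER.match(job, pos)
        if m.lastgroup == "name" and m.group() in WATCHED:
            hits.append((job.count("\n", 0, pos) + 1, m.group()))
        pos = m.end()
    return hits

SAMPLE = r"""%!PS
% constructed sample job; "read" in a comment is ignored
72 720 moveto (please write soon \(exec\)) show
/buf 128 string def (%stdin) (r) file buf readline pop pop
<< /exec 1 >> pop showpage
"""
```

`exec` and `token` are common in legitimate jobs, so hits are a prompt for review rather than grounds for rejecting a job. Names built at run time are not visible to a static scan like this one.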