Darren Reed wrote: > > During one of our security reviews the following situation was > > uncovered. What are your thoughts? > > > > Suppose a postscript printer has multiple interfaces connected to > > different networks, is there a way to leverage PostScript to create a > > vulnerability such as. > > > > 1. Allow an attacker log in to the printer and then gain access to the > > other network? > > 2. Create a postscipt program to send copies of printouts to one of the > > interfaces? > > 3. What if one of the interfaces is a JetDirect connected via a parallel > > port? > > > > It has been suggested that PostScript is very powerful and can be used > > to accomplish a number of general purpose computing tasks including > > copying data from one port to another and examining memory. Since the > > parallel interface is bidirectional what is keeping data from being send > > from the printer to the network, breaching security. > > > > My preliminary web searches do not reveal much in the way of postscript > > printer vulnerabilities. > > First, remember that postscript has been designed for rendering images > on a page. It has -no- native networking comands nor ability to talk > to any peripheral. PostScript has the ability to read/write named files, and nothing prohibits an implementation from making peripheral devices or ports accessible as named files. E.g. using GhostScript on Linux, the following trivial PostScript program sends a WAV file (or the first 20kb thereof) to the sound card: (/dev/dsp) (w) file dup (foo.wav) (r) file 20000 string readstring pop writestring flushfile [The -dSAFER switch disables file access, and should be used when running gs on "untrusted" PostScript files.] Hopefully, embedded implementations won't provide access to anything risky, but the possibility isn't completely out of the question. -- Glynn Clements <glynn.clements@virgin.net>
