On Thu, 22 Jan 2004, Bob Kryger wrote:

> During one of our security reviews the following situation was
> uncovered. What are your thoughts?
>
> Suppose a PostScript printer has multiple interfaces connected to
> different networks. Is there a way to leverage PostScript to create a
> vulnerability such as:
>
> 1. Allow an attacker to log in to the printer and then gain access to the
> other network?
> 2. Create a PostScript program to send copies of printouts to one of the
> interfaces?
> 3. What if one of the interfaces is a JetDirect connected via a parallel
> port?
>
> It has been suggested that PostScript is very powerful and can be used
> to accomplish a number of general-purpose computing tasks, including
> copying data from one port to another and examining memory. Since the
> parallel interface is bidirectional, what is keeping data from being sent
> from the printer to the network, breaching security?
>
> My preliminary web searches do not reveal much in the way of PostScript
> printer vulnerabilities.
>
> Thanks
> Bob

You may want to look at http://members.cox.net/ltlw0lf/printers/printers.pdf by Dennis Mattison. (I ran across it once; somewhat interesting. Below are my recollections of what was in it, though admittedly it's been about 6 months since I read it.)

I do not believe it addressed any vulnerabilities due to the power of the PostScript language. I am not well versed in the PostScript language, but am inclined to believe that this is limited. However, the vulnerabilities in the printer OS are addressed in the above paper, as well as some nasty stuff that can be done via PCL and related languages (again, I don't recall any PS-specific exploits). The threats did not really bother me as a practical matter (from the principle of the lowest-hanging fruit, I have quite a few issues which are much more exploitable).

However, it sounds like you have a much more stringent security posture, and some of the issues in the paper (and while I did not confirm, the author seemed to know what he was talking about and the conclusions did not seem unreasonable). In particular, he claims that several printer vendors have backdoors in the printers with no password protection, and other blatant security holes that would be completely unacceptable in just about any other network device. There appears to be a significant potential for rewriting the printer's embedded OS, allowing just about anything. Even short of that, there seems to be potential for using a printer as a presence on your subnet, and presumably, in re to (1), on a more protected subnet if dual hosted. The paper actually describes several scenarios for "wiretapping" print jobs.

Unfortunately, if I recall correctly, there wasn't a tremendous amount that one could do about it, other than maybe yell at vendors (which does not do much for the short term). Also, it sounded like HP was one of the more security-conscious vendors.

Tom Payerle
Dept of Physics                       payerle@physics.umd.edu
University of Maryland                (301) 405-6973
College Park, MD 20742-4111           Fax: (301) 314-9525