[Full-Disclosure] Re: vulnerabilities of postscript printers
ka at khidr.net
Sat Jan 24 03:25:11 GMT 2004
On Saturday, 24 January 2004 02:46 Valdis.Kletnieks at vt.edu wrote:
> For that matter, if the printer has a disk, and a "printout" from
> the insecure net can get the system password, is it able to scavenge
> data from old jobs off the disk? Most modern multi-user operating
> systems manage to do this correctly, but there's still the occasional
> screw-up (how many times have we seen "Program XYZ embeds random
> data in files" exposures?)
I don't know. But new jobs (from other users) could be copied to disk easily,
if one has the system password. You would just replace (overlay) system
operators with your own versions, which first duplicate and write the data
to disk and then call the original (overlaid) operator. The printer would
show identical behaviour -- except for being a little slower. And a special
"print job" of yours will deliver the stored data back ("invisibly" over the
communication-line, parallel- or usb-cable, not on paper) and clean up
your "dump" file again.
If the printer has no disk but a lot of memory, you could do the dump into
virtual memory. At least with short print jobs that should be possible.
And as your retrieval job need not print anything, you may use it
to poll the printer for new "dumps" rather often and in short intervals.
Henry Spencer from the University of Toronto said:
"The default password as shipped is 0. Very few printer owners bother
to change this. The problem is that there is significant incentive
*not* to change it... because the PostScript code from a good many
badly-written but legitimate applications tries password 0 and will fail
if it has been changed! Typically, all the application uses it for is
to set some parameters back to reasonable defaults -- whether the printer
owner wants it that way or not -- but the code makes no attempt to cope
with the possibility of a non-standard password forbidding such changes."
"Believe it or not, there are people who will defend the idea that you should
leave your printer's password unchanged so that programs can mess with its
parameters however they please."
Full-Disclosure is hosted and sponsored by Secunia.
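
A defensive counterpart to the thread above, as an added example that is not part of the original posts: a spool-side check that flags print jobs invoking `exitserver` or `startjob` (the standard PostScript operators that take the system password) and records whether the default password 0 is used. The function names and the sample jobs are constructed for illustration.

```python
# Added example: flag PostScript jobs that try to leave the server loop.
UNENCAPSULATE = {b"exitserver", b"startjob"}  # both take a password operand
NAME_END = b"()<>[]{}/%"                      # PostScript delimiter characters

def tokens(data: bytes):
    """Yield tokens; comments are dropped, string literals become b"(...)"."""
    i, n = 0, len(data)
    while i < n:
        c = data[i:i + 1]
        if c.isspace() or c in b")<>[]{}":
            i += 1
        elif c == b"%":                        # comment runs to end of line
            while i < n and data[i:i + 1] not in b"\r\n":
                i += 1
        elif c == b"(":                        # string literal, parentheses nest
            depth = 0
            while i < n:
                ch = data[i:i + 1]
                i += 2 if ch == b"\\" else 1   # skip escaped character
                depth += (ch == b"(") - (ch == b")")
                if depth == 0:
                    break
            yield b"(...)"                     # never echo a string password
        else:                                  # name or number; "/x" stays literal
            j = i + 1
            while j < n and not data[j:j + 1].isspace() and data[j:j + 1] not in NAME_END:
                j += 1
            yield data[i:j]
            i = j

def scan_job(data: bytes):
    """Return [(operator, password_operand, is_default_password), ...]."""
    findings, prev = [], None
    for tok in tokens(data):
        if tok in UNENCAPSULATE:
            operand = prev.decode("latin-1") if prev else None
            findings.append((tok.decode(), operand, prev == b"0"))
        prev = tok
    return findings

# Constructed sample jobs (not captured from any real system).
BENIGN = b"%!PS\n% exitserver in a comment\n72 720 moveto (0 exitserver) show showpage\n"
DEFAULT_PW = b"%!PS\nserverdict begin 0 exitserver\n/letter { } def\n"
STRING_PW = b"%!PS\ntrue (s3cret) startjob pop\n"

if __name__ == "__main__":
    for name, job in [("benign", BENIGN), ("default_pw", DEFAULT_PW), ("string_pw", STRING_PW)]:
        print(name, scan_job(job))
```

This is a static first-pass check on the job text; it does not interpret the job, so it complements rather than replaces changing the printer's password.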