[Full-Disclosure] Re: vulnerabilities of postscript printers
avalon at caligula.anu.edu.au
Sat Jan 24 05:04:21 GMT 2004
To put my comments in perspective, I immersed myself in postscript at a
time when "level 2" was new and it was not really documented.
In some mail from Michael Zimmermann, sie said:
> At Friday, 23 January 2004 06:01 Darren Reed wrote:
> > First, remember that postscript has been designed for rendering images
> > on a page. It has -no- native networking commands nor ability to talk
> > to any peripheral.
> This statement is misleading. PostScript allows reading and writing of files
> for example, if the printer has a disk installed (and some have -- to store
> jobs, fonts, forms and of course system-software). It should also be noted,
> that a PostScript printer establishes a two-way communication with the
> driver. These stdin and stderr files can be accessed by the user program
> (i.e. by the print-job transmitted to the printer).
> Using a special "print"-driver gives me a user "shell" for an apple
> and an egg. Every driver writer for PostScript printers knows that,
> it's part of the PostScript bibles (I think, in the third book).
Yup and stdout & stderr are very useful. Lets you find out, easily,
how many pages were printed. Also allows "interactive". But this
is all "so-what" type material...
> Often the system-level is only a password away (if the administrator
> has set it at all, which I doubt). Hence a null password or the factory
> default would be a good guess. And I have seen the only possible
> password type to be an <integer>. Brute force at night with an
> automatic script running on my PC should not be too difficult.
See here you've taken a step I don't believe possible - with postscript.
For reference I downloaded the blue book and read through the operator
summary last night and there is no "password" or "login" in postscript.
Often postscript printers have a telnet facility if they have a network
card but that's quite separate, I believe. Kind of like how such
printers will usually also do SNMP and/or appletalk and/or whatever other
networking stuff has been put in them.
> The network communication is part of the system-level, and this
> is usually also partly written in PostScript, but at least accessible
> from the PostScript level.
And you have an example of this ?
For it to be accessible via postscript, I imagine it might take
some special filename...
All that said and done, there's still no replacing a postscript printer
for printing quality, IMHO :)
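
The thread turns on whether a print job can reach files or the printer's system level. The following is an added example, not part of the original message: a spool-side screen that tokenizes a PostScript job and reports file-access and job/system-control operator names. The operator lists come from the PostScript Language Reference Manual rather than from this thread, and `names`, `screen` and the sample job are constructed for illustration.

```python
# Added example, not from the thread. Operator names are taken from the
# PostScript Language Reference Manual; the sample job below is constructed.
FILE_OPS = {"file", "deletefile", "renamefile", "filenameforall"}
SYSTEM_OPS = {"startjob", "exitserver", "setsystemparams", "setdevparams"}
DELIMS = set("()<>[]{}/%")

def names(ps):
    """Yield (line, token) for name tokens outside comments and strings."""
    i, line, n = 0, 1, len(ps)
    while i < n:
        c, start = ps[i], i
        if c == "%":                               # comment: to end of line
            end = ps.find("\n", i)
            i = n if end < 0 else end
        elif c == "(":                             # string: parens may nest
            depth = 0
            while i < n:
                if ps[i] == "\\":
                    i += 1                         # skip the escaped character
                else:
                    depth += (ps[i] == "(") - (ps[i] == ")")
                i += 1
                if depth == 0:
                    break
        elif c == "<" and not ps.startswith("<<", i):  # hex or ASCII85 string
            close = "~>" if ps.startswith("<~", i) else ">"
            end = ps.find(close, i)
            i = n if end < 0 else end + len(close)
        elif c.isspace() or c in DELIMS:           # "<<" is a dictionary mark
            i += 2 if ps.startswith("<<", i) else 1
        else:                                      # name or number token
            while i < n and not ps[i].isspace() and ps[i] not in DELIMS:
                i += 1
            yield line, ps[start:i]
        line += ps.count("\n", start, i)           # keep line numbers in step

def screen(ps):
    """Return (line, category, operator) for each flagged name in a job."""
    cats = (("file-access", FILE_OPS), ("system-level", SYSTEM_OPS))
    return [(ln, cat, tok) for ln, tok in names(ps)
            for cat, ops in cats if tok in ops]

SAMPLE_JOB = r"""%!PS
% constructed job: this comment names deletefile, the string below names file
72 720 moveto (file \(in a string\)) show
(%disk0%fonts/list) (r) file closefile
serverdict begin 12345 exitserver
"""
```

This is a static screen over name tokens only, so it suits triage in the spooler (hold the job for review on a hit) rather than enforcement.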