Bugtraq mailing list archives

Re: vulnerabilities of postscript printers


From: "Thomas M. Payerle" <payerle () physics umd edu>
Date: Fri, 23 Jan 2004 13:52:42 -0500 (EST)

On Thu, 22 Jan 2004, Bob Kryger wrote:

During one of our security reviews the following situation was
uncovered. What are your thoughts?

Suppose a postscript printer has multiple interfaces connected to
different networks. Is there a way to leverage PostScript to create a
vulnerability such as:

1. Allow an attacker log in to the printer and then gain access to the
other network?
2. Create a postscript program to send copies of printouts to one of the
interfaces?
3. What if one of the interfaces is a JetDirect connected via a parallel
port?

It has been suggested that PostScript is very powerful and can be used
to accomplish a number of general purpose computing tasks including
copying data from one port to another and examining memory. Since the
parallel interface is bidirectional, what is keeping data from being sent
from the printer to the network, breaching security?

My preliminary web searches do not reveal much in the way of postscript
printer vulnerabilities.

Thanks
Bob


You may want to look at
http://members.cox.net/ltlw0lf/printers/printers.pdf
by Dennis Mattison.
(I ran across it once, somewhat interesting.  Below are my recollections of
what was in it; though admittedly it's been about 6 months since I read it.)

I do not believe it addressed any vulnerabilities due to the power of the
Postscript language.  I am not well versed in Postscript language, but
am inclined to believe that this is limited.

However, the vulnerabilities in the printer OS are addressed in the above
paper, as well as some nasty stuff that can be done via PCL and related
languages (again, I don't recall any PS specific exploits).  The threats
did not really bother me from a practical matter (from the principle of the
lowest hanging fruit, I have quite a few issues which are much more
exploitable).

However, it sounds like you have a much more stringent security posture, and
some of the issues in the paper (and while I did not confirm, the author
seemed to know what he was talking about and the conclusions did not seem
unreasonable).  In particular, he claims that several printer vendors have
backdoors in the printers with no password protection, and other blatant
security holes that would be completely unacceptable in just about any other
network device.

There appears to be a significant potential for rewriting the printer embedded
OS, allowing just about anything.  Even short of that, there seems to be
potential for using a printer as a presence on your subnet, and presumably in
re to (1), to a more protected subnet if dual hosted.  The paper actually
describes several scenarios for "wiretapping" print jobs.

Unfortunately, if I recall correctly, there wasn't a tremendous amount that
one could do about it, other than maybe yell at vendors (which does not do
much for short term).  Also, it sounded like HP was one of the more security
conscious vendors.

Tom Payerle
Dept of Physics                         payerle () physics umd edu
University of Maryland                  (301) 405-6973
College Park, MD 20742-4111             Fax: (301) 314-9525
