sadowsky@nyu.edu (George Sadowsky) (11/07/90)
At New York University, we are apparently experiencing difficulty with foreign code attacking our laserwriters. We think that code may be being inserted in postscript headers that are sent to Laserwriters and that either: (1) continually write the EEPROM until it wears out; or (2) sets a password inside the Laserwriter that interferes with access. It could also be a bug in postscript, or other phenomenon. Does this sound familiar to anyone? What's the cause of (and fix for) what we are experiencing? George Sadowsky Director, Academic Computing Facility New York University 251 Mercer Street New York, New York 10012-1185 (212) 998-3040
woody@chinacat.Unicom.COM (Woody Baker @ Eagle Signal) (11/11/90)
sadowsky@nyu.edu (George Sadowsky) writes: > At New York University, we are apparently experiencing difficulty with > access. It could also be a bug in postscript, or other phenomenon. > Does this sound familiar to anyone? What's the cause of (and fix for) > what we are experiencing? I have sent this gentleman a bit of code to fix the problem. There has been a fix posted on the virus archives. I have slightly rewritten the fix, so it is more informative, and doesn't take a Postscript Guru to make work 8). Last time I offered the fix over the net, I got inundated with requests. The code that I currently am sending out, is safe. you only can get a printout of your eeprom with it, and a report of exactly what the password is. You then can reset it useing Postscript's normal resetting code. Cheers Woody p.s. The following is a revised version of the password READER code. The hex stuff is ascii encoded 68000 machine code. This one is MUCH cleaner, and NOT encoded like the first one was. This one is my routine with the dangerous i.e. write any location code removed. It also has had a minor bug fix made. (I left out a line that begins the user dictionary) consequently things didnot work just right. That has been fixed. Cheers Woody % % % This code does not change the password of the laserprinter. Instead % it reads the contents of the eeprom and prints it out to the page, % as well as returning it to the com port. You then may use the % normal password setting mechanism in the printer to set the password % to whatever you wish. This modification to the routines make this % far less dangerous, as you cannot alter any location in the eeprom % directly this way. All it allows you to do is to read the eeprom. % What follows is the cexec code. This is 68000 machine language % for Adobe Postscript. It has to be executed from within the context % of an eexec, so we define a procedure named #. that is executed from % a short encrypted string using eexec. This obviates the need to % encrypt the entire program. % % This is intended to be a safe password resetter routine. % % My thanks to Nigel for this idea (only showing you the password)... % % this installs 3 routines. % % printeprom prints the eprom to the page % dumpeprom prints the eprom to the serial link % readpassword reads the password and leaves it on top of the stack. % % readeerom % /#. { userdict begin < 204f3399020e00010402001001fc0012206f000443f9000001e822c822d822d822 d84ef900000092d1f9000001ec20504ed0d1f9000001f020504ed02f08206f0004 3050d1f9000001ec2f500004205f4e7500004e56fffc4eba014e2d40fffc4a806d 0a0cae00000200fffc6d0a487a00e84eba0114584f2f2efffc2079000001f84e90 584f2f004eba012e584f4e5e4e754e56fff0487a00cb4eba0104584f20402f2800 042f104eba00ee20402f2800042f104eba00ca4fef00102d40fff020402d50fff8 2d680004fffc08ee0007fff82f2efffc2f2efff84eba00b4504f4a8066564eba00 ca4eba00ee2d40fff4202efff44eba00da41fa004e4eba00ca661a23fc0026fef4 000001f8487aff46487a00594eba00aa504f6028202efff44eba00ae41fa002a4e ba009e6d0c23fc000001e0000001f860d2487a00394eba0048584f4e5e4e754037 000000000000403d33333333333372616e6765636865636b0076657273696f6e00 726561646565726f6d00756e646566696e65640000307c00744efafea2307c007c 4efafe9a307c008c4efafe92307c009c4efafe8a307c00b44efafe82307c00e04e fafe7a307c00e84efafe72307c01004efafe6a307c011c4efafe624ebafe720004 00004ebafe6a000c00004ebafe6200280000307cffd04efafe4200000000000000 0000000000000000000000000000160024002a00340046007e0108013001340000 > cexec currentfile closefile } def <000000000101> eexec % % prints the eprom back to the serial channel % /dumpeprom { 0 1 511 { dup 16 mod 0 eq { (\n) print flush } if readeerom dup 16 lt { (0) print flush } if 16 ( ) cvrs print ( ) print flush } for (\n) print flush ( current password = ) print readpassword 10 ( ) cvrs print (\n) print flush } def /printeprom { /Courier findfont 12 scalefont setfont 50 750 moveto (Eprom dump ) show 50 700 moveto 0 1 511 { dup 16 mod 0 eq { dup 0 ne { dup ( decimal address= )show 10 ( ) cvrs show }if currentpoint 12 sub exch pop 50 exch moveto } if readeerom dup 16 lt { (0) show } if 16 ( ) cvrs show ( ) show } for 512 ( decimal address= )show 10 ( ) cvrs show currentpoint 12 sub exch pop 50 exch moveto ( current password = ) show readpassword 10 ( ) cvrs show currentpoint 24 sub exch pop 50 exch moveto (Password is in 177-180, SN is 509-512) show currentpoint 12 sub exch pop 50 exch moveto (Normal access eescratch starts at 187) show currentpoint 12 sub exch pop 50 exch moveto (Horizontal margin value long at 169) show currentpoint 12 sub exch pop 50 exch moveto (Vertical margin value long at 173) show currentpoint 12 sub exch pop 50 exch moveto (an empty long at 165) show currentpoint 12 sub exch pop 50 exch moveto (printer name starts at 132-164) show currentpoint 12 sub exch pop 50 exch moveto (if you change the printer name to a long name) show currentpoint 12 sub exch pop 50 exch moveto (and then change it to a short name, the name ) show currentpoint 12 sub exch pop 50 exch moveto (will be null terminated, but the tail of the old) show currentpoint 12 sub exch pop 50 exch moveto (name will still be in the eeprom. You can use )show currentpoint 12 sub exch pop 50 exch moveto (this trick to embed a serial number or id of ) show currentpoint 12 sub exch pop 50 exch moveto (your own in the printer, until someone changes it!) show currentpoint 12 sub exch pop 50 exch moveto (Brought to you, by Woody Baker )show currentpoint 12 sub exch pop 50 exch moveto (Rt.1 Box I, Manor, Tx. 78653 512-272-4511) show showpage } def % % This routine returns the password from the printer % /readpassword { 177 readeerom 24 bitshift 178 readeerom 16 bitshift or 179 readeerom 8 bitshift or 180 readeerom or } def printeprom