Exploiting the Lexmark PostScript Stack
August 24, 2023
Track 1
Lexmark printers implement a custom, closed-source PostScript stack called `pagemaker`, which NCC Group's Exploit Development Group exploited twice during the Pwn2Own Toronto 2022 contest.

This talk will cover the internals of the Lexmark PostScript stack; an introduction to the PostScript language and the functionality needed to understand exploitation of the discovered bugs; the mitigations implemented by the `pagemaker` service and how the service is sandboxed; a brief overview of how the bugs were found; and how we exploited them to achieve pre-auth remote code execution, once using an out-of-bounds read and a second time using a type confusion bug.