Lexmark printers implement a custom, closed-source PostScript stack called `pagemaker`, which NCC Group's Exploit Development Group exploited twice during the Pwn2Own Toronto 2022 contest.
This talk covers the internals of the Lexmark PostScript stack, along with an introduction to the PostScript language and the related functionality needed to understand the exploitation of the discovered bugs. It then walks through the mitigations implemented by the `pagemaker` service, how the service is sandboxed, a brief overview of how the bugs were found, and how we exploited them to achieve pre-auth remote code execution: once using an out-of-bounds read, and a second time using a type confusion bug.