Exploiting the Lexmark PostScript Stack

August 24, 2023

Track 1
Lexmark printers implement a custom closed-source PostScript stack called `pagemaker` that NCC Group's Exploit Development Group exploited two different times during the Pwn2Own Toronto 2022 contest.
This talk will cover some internals of the Lexmark PostScript stack; an introduction to the PostScript language and the related functionality needed to understand exploitation of the discovered bugs; the mitigations implemented by the `pagemaker` service; how the service is sandboxed; a brief overview of how the bugs were found; and how we were able to exploit it to achieve pre-auth remote code execution, once using an out-of-bounds read and a second time using a type confusion bug.

Exploit Development

NCC Group

I’ve been working in the industry and interested in exploit development for over 20 years. I currently work for the Exploit Development Group (EDG) at NCC Group. In the past I also worked for BlackBerry and Symantec (previously SecurityFocus). I’ve published previous research blogs on exploiting Xen, Windows kernel, Cisco devices, Android, etc. Lately I’ve been focusing on exploiting embedded devices and the Linux kernel.