{"id":10681,"date":"2022-07-08T02:30:47","date_gmt":"2022-07-08T02:30:47","guid":{"rendered":"https:\/\/conference.hitb.org\/hitbsecconf2023hkt\/?post_type=session&#038;p=10681"},"modified":"2023-05-26T01:44:37","modified_gmt":"2023-05-26T01:44:37","slug":"exploiting-the-lexmark-postscript-stack","status":"publish","type":"session","link":"https:\/\/conference.hitb.org\/hitbsecconf2023hkt\/session\/exploiting-the-lexmark-postscript-stack\/","title":{"rendered":"Exploiting the Lexmark PostScript Stack"},"content":{"rendered":"<div style=\"text-align: justify;\">Lexmark printers implement a custom closed-source PostScript stack called `pagemaker` that NCC Group&#8217;s Exploit Development Group exploited two different times during the Pwn2Own Toronto 2022 contest.<\/div>\n<div style=\"text-align: justify;\"><\/div>\n<div style=\"text-align: justify;\">This talk will cover some internals of the Lexmark PostScript stack, an introduction to the PostScript language and related functionality required to understand exploitation of the discovered bugs, the mitigations implemented by the `pagemaker` service, how the service is sandboxed, a brief overview of how the bugs were found, and <strong>how we were able to exploit it to achieve pre-auth remote code execution<\/strong>, once using an out-of-bounds read and a second time using a type confusion bug.<\/div>\n","protected":false},"template":"","class_list":["post-10681","session","type-session","status-publish","hentry"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v23.3 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Exploiting the Lexmark PostScript Stack - HITBSecConf2023 - Phuket<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/conference.hitb.org\/hitbsecconf2023hkt\/session\/exploiting-the-lexmark-postscript-stack\/\" \/>\n<meta 
property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Exploiting the Lexmark PostScript Stack - HITBSecConf2023 - Phuket\" \/>\n<meta property=\"og:description\" content=\"Lexmark printers implement a custom closed source PostScript stack called `pagemaker` that NCC Group&#8217;s Exploit\u00a0 Development Group exploited two different times during the Pwn2Own Toronto 2022 contest. This talk will cover some internals of the Lexmark PostScript stack, an introduction to the PostScript language and related functionality required to understand exploitation of the discovered bugs, [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/conference.hitb.org\/hitbsecconf2023hkt\/session\/exploiting-the-lexmark-postscript-stack\/\" \/>\n<meta property=\"og:site_name\" content=\"HITBSecConf2023 - Phuket\" \/>\n<meta property=\"article:modified_time\" content=\"2023-05-26T01:44:37+00:00\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/conference.hitb.org\/hitbsecconf2023hkt\/session\/exploiting-the-lexmark-postscript-stack\/\",\"url\":\"https:\/\/conference.hitb.org\/hitbsecconf2023hkt\/session\/exploiting-the-lexmark-postscript-stack\/\",\"name\":\"Exploiting the Lexmark PostScript Stack - HITBSecConf2023 - Phuket\",\"isPartOf\":{\"@id\":\"https:\/\/conference.hitb.org\/hitbsecconf2023hkt\/#website\"},\"datePublished\":\"2022-07-08T02:30:47+00:00\",\"dateModified\":\"2023-05-26T01:44:37+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/conference.hitb.org\/hitbsecconf2023hkt\/session\/exploiting-the-lexmark-postscript-stack\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/conference.hitb.org\/hitbsecconf2023hkt\/session\/exploiting-the-lexmark-postscript-stack\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/conference.hitb.org\/hitbsecconf2023hkt\/session\/exploiting-the-lexmark-postscript-stack\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/conference.hitb.org\/hitbsecconf2023hkt\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Session\",\"item\":\"https:\/\/conference.hitb.org\/hitbsecconf2023hkt\/session\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Exploiting the Lexmark PostScript Stack\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/conference.hitb.org\/hitbsecconf2023hkt\/#website\",\"url\":\"https:\/\/conference.hitb.org\/hitbsecconf2023hkt\/\",\"name\":\"HITBSecConf2023 - Phuket\",\"description\":\"August 22 - 26 @ 
InterContinental\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/conference.hitb.org\/hitbsecconf2023hkt\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Exploiting the Lexmark PostScript Stack - HITBSecConf2023 - Phuket","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/conference.hitb.org\/hitbsecconf2023hkt\/session\/exploiting-the-lexmark-postscript-stack\/","og_locale":"en_US","og_type":"article","og_title":"Exploiting the Lexmark PostScript Stack - HITBSecConf2023 - Phuket","og_description":"Lexmark printers implement a custom closed source PostScript stack called `pagemaker` that NCC Group&#8217;s Exploit\u00a0 Development Group exploited two different times during the Pwn2Own Toronto 2022 contest. This talk will cover some internals of the Lexmark PostScript stack, an introduction to the PostScript language and related functionality required to understand exploitation of the discovered bugs, [&hellip;]","og_url":"https:\/\/conference.hitb.org\/hitbsecconf2023hkt\/session\/exploiting-the-lexmark-postscript-stack\/","og_site_name":"HITBSecConf2023 - Phuket","article_modified_time":"2023-05-26T01:44:37+00:00","twitter_card":"summary_large_image","twitter_misc":{"Est. 
reading time":"1 minute"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/conference.hitb.org\/hitbsecconf2023hkt\/session\/exploiting-the-lexmark-postscript-stack\/","url":"https:\/\/conference.hitb.org\/hitbsecconf2023hkt\/session\/exploiting-the-lexmark-postscript-stack\/","name":"Exploiting the Lexmark PostScript Stack - HITBSecConf2023 - Phuket","isPartOf":{"@id":"https:\/\/conference.hitb.org\/hitbsecconf2023hkt\/#website"},"datePublished":"2022-07-08T02:30:47+00:00","dateModified":"2023-05-26T01:44:37+00:00","breadcrumb":{"@id":"https:\/\/conference.hitb.org\/hitbsecconf2023hkt\/session\/exploiting-the-lexmark-postscript-stack\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/conference.hitb.org\/hitbsecconf2023hkt\/session\/exploiting-the-lexmark-postscript-stack\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/conference.hitb.org\/hitbsecconf2023hkt\/session\/exploiting-the-lexmark-postscript-stack\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/conference.hitb.org\/hitbsecconf2023hkt\/"},{"@type":"ListItem","position":2,"name":"Session","item":"https:\/\/conference.hitb.org\/hitbsecconf2023hkt\/session\/"},{"@type":"ListItem","position":3,"name":"Exploiting the Lexmark PostScript Stack"}]},{"@type":"WebSite","@id":"https:\/\/conference.hitb.org\/hitbsecconf2023hkt\/#website","url":"https:\/\/conference.hitb.org\/hitbsecconf2023hkt\/","name":"HITBSecConf2023 - Phuket","description":"August 22 - 26 @ InterContinental","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/conference.hitb.org\/hitbsecconf2023hkt\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"}]}},"_links":{"self":[{"href":"https:\/\/conference.hitb.org\/hitbsecconf2023hkt\/wp-json\/wp\/v2\/session\/10681"}],"collection":[{"href":"https:\/\/conference.hitb.org\/hitbsecconf2023hkt\/wp-json\/wp\/v2\/session"}],"about":[{"href":"https:\/\/conference.hitb.org\/hitbsecconf2023hkt\/wp-json\/wp\/v2\/types\/session"}],"wp:attachment":[{"href":"https:\/\/conference.hitb.org\/hitbsecconf2023hkt\/wp-json\/wp\/v2\/media?parent=10681"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}