BSides Canberra 2026

Rick de Jager

Rick is a full-time security researcher at v12.sh and a member of the Pwn2Own team “PHP Hooligans.” He has competed in five editions of Pwn2Own, exploiting a wide range of targets including routers, printers, and automotive systems. Outside of Pwn2Own, Rick is an avid CTF player, having competed as part of 0rganizers and ICC’s Team Europe.


Session

09-25
12:00
25min
Chasing Shadows: Portable Memory Corruption in Ghostscript
Rick de Jager

Ghostscript is one of the most ubiquitous PostScript interpreters in the world. Even if you never run it directly, your systems probably do: rendering thumbnails, converting documents, previewing uploads, or handling images that quietly become PostScript somewhere along the way.

Ghostscript is also a C codebase with roots in the late 1980s, which means there is still plenty of room for memory corruption when parsing untrusted input.

In this talk, we will walk through two heap corruption bugs we discovered in Ghostscript and show how we turned them into reliable memory read/write primitives callable from PostScript. Rather than relying on fixed offsets, the exploit uses those primitives to scan Ghostscript’s address space at runtime, locate the internal structures needed for the attack, and construct a data-only sandbox escape from PARANOIDSAFER that works across multiple versions and builds.

We will then zoom out and look at where this kind of bug can actually be exploited. Thumbnailers, ImageMagick, LibreOffice, web applications, and document-processing pipelines all have different file formats and integration points, but the sink is often the same PostScript interpreter.

Main Track
Main Track