Security Researcher | Pwn2Own 2018, 2021, 2022, 2024 | Tweets about 0day, OS, mobile and embedded security.
Oct 12 • 15 tweets • 6 min read
Applying LLMs for security related tasks has been a hot topic recently.
Here's a thread of certain material which caught my eye! 🧵 1/ eyeballvul: a future-proof benchmark for vulnerability detection in the wild by @timotheechauvin
The amount of free training courses available these days for #cybersecurity is wild. People ask me if it's worth paying for a specific course? First, have you seen all the free material out there?
Let's dig into a selection! 👇 1/ Modern Binary Exploitation by @RPISEC. This was a university course developed and run solely by students to teach skills in vulnerability research, reverse engineering, and binary exploitation.
Continuing on from my previous thread on remote exploits (macOS/Linux), here is the eagerly anticipated Windows version!
A small selection from multiple areas!
#cybersecurity #windows
TCP/IP
1/ ICMPv6 Router Advertisement packets by @0vercl0k
A remote kernel DoS vulnerability when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets. Patch diffing, reverse engineering tcpip.sys and creating a POC. doar-e.github.io/blog/2021/04/1…
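As an added illustration of the attack surface that thread is about, and not code from the thread or from @0vercl0k's write-up: a minimal RFC 4861 Router Advertisement parser in Python. An RA is a 16-byte ICMPv6 header followed by TLV options whose length byte counts 8-octet units; a stack that trusts that byte without checking for zero or for overrun is the classic way this surface goes wrong. The packet bytes below are constructed for the example and the code does not reproduce the specific tcpip.sys bug.

```python
import struct

# RFC 4861: ICMPv6 type 134 is a Router Advertisement. The fixed header is
# type, code, checksum, cur hop limit, flags, router lifetime,
# reachable time, retrans timer (16 bytes), then TLV options.
ICMPV6_ROUTER_ADVERTISEMENT = 134
RA_HEADER_LEN = 16
RA_HEADER_FMT = "!BBHBBHII"

OPTION_NAMES = {
    1: "Source Link-layer Address",
    3: "Prefix Information",
    5: "MTU",
    25: "Recursive DNS Server",
}


class MalformedRA(ValueError):
    """Raised for any RA a conforming node must silently discard."""


def parse_ra_options(data, max_options=64):
    """Walk the TLV options after the RA header.

    Returns a list of (type, total_length_bytes, payload).
    The length byte is in units of 8 octets; a zero length would make a
    naive loop (offset += length * 8) spin forever, and an oversized
    length would read past the packet, so both are rejected up front.
    """
    options = []
    offset = 0
    while offset < len(data):
        if len(data) - offset < 2:
            raise MalformedRA("option header truncated at offset %d" % offset)
        opt_type, opt_len_units = data[offset], data[offset + 1]
        if opt_len_units == 0:
            # RFC 4861 section 4.6: length zero is invalid, discard the packet.
            raise MalformedRA("zero-length option type %d" % opt_type)
        opt_len = opt_len_units * 8
        if offset + opt_len > len(data):
            raise MalformedRA("option type %d (%d bytes) overruns packet"
                              % (opt_type, opt_len))
        options.append((opt_type, opt_len, bytes(data[offset + 2:offset + opt_len])))
        offset += opt_len
        if len(options) > max_options:
            raise MalformedRA("too many options")
    return options


def parse_router_advertisement(packet):
    """Parse the fixed header and options; raises MalformedRA on bad input."""
    if len(packet) < RA_HEADER_LEN:
        raise MalformedRA("RA header truncated")
    (icmp_type, code, _checksum, hop_limit, flags,
     router_lifetime, reachable, retrans) = struct.unpack(RA_HEADER_FMT,
                                                          packet[:RA_HEADER_LEN])
    if icmp_type != ICMPV6_ROUTER_ADVERTISEMENT or code != 0:
        raise MalformedRA("not a Router Advertisement")
    return {
        "hop_limit": hop_limit,
        "managed": bool(flags & 0x80),
        "other": bool(flags & 0x40),
        "router_lifetime": router_lifetime,
        "reachable_time": reachable,
        "retrans_timer": retrans,
        "options": parse_ra_options(packet[RA_HEADER_LEN:]),
    }


def ra_is_malformed(packet):
    """Convenience wrapper: True if the packet would be discarded."""
    try:
        parse_router_advertisement(packet)
    except MalformedRA:
        return True
    return False


def build_ra(options_bytes, hop_limit=64, flags=0, lifetime=1800):
    """Build a constructed RA for testing; checksum left zero (no IPv6 pseudo-header here)."""
    header = struct.pack(RA_HEADER_FMT, ICMPV6_ROUTER_ADVERTISEMENT, 0, 0,
                         hop_limit, flags, lifetime, 0, 0)
    return header + options_bytes


# Constructed samples: MTU option (type 5, 1 unit = 8 bytes) followed by a
# Prefix Information option (type 3, 4 units = 32 bytes, payload zeroed).
GOOD_RA = build_ra(bytes([5, 1, 0, 0]) + struct.pack("!I", 1500)
                   + bytes([3, 4]) + bytes(30))
# Same, but the second option (RDNSS, type 25) claims a length of zero.
BAD_RA = build_ra(bytes([5, 1, 0, 0]) + struct.pack("!I", 1500)
                  + bytes([25, 0]) + bytes(14))

if __name__ == "__main__":
    for name, pkt in (("good", GOOD_RA), ("bad", BAD_RA)):
        try:
            ra = parse_router_advertisement(pkt)
            print(name, [OPTION_NAMES.get(t, t) for t, _, _ in ra["options"]])
        except MalformedRA as exc:
            print(name, "rejected:", exc)
```

Running it prints the option names for the good packet and "rejected: zero-length option type 25" for the bad one. When fuzzing a real stack the same two checks (zero length, length beyond the packet) are the first things to mutate, along with option counts large enough to exhaust whatever per-packet state the receiver allocates.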
Dec 4, 2023 • 13 tweets • 3 min read
Jailbreaking the Sonos Era 100
The Era 100 is Sonos’s flagship device, released on March 28th 2023 and is a notable step up from the Sonos One. @NCCGroupInfosec found multiple weaknesses within the bootloader which could lead to full compromise
#sonos research.nccgroup.com/2023/12/04/sho…
2/ According to Sonos, the issues reported were patched in an update released on the 15th of November with no CVE issued or public details of the security weakness. Users of Sonos devices should ensure they apply any recent updates to remediate the risk.
Apr 2, 2023 • 7 tweets • 4 min read
Everyone knows that a firewall is meant to provide network security. However, what happens if that appliance has vulnerabilities on your external perimeter?
Here are 5 pieces of firewall and VPN exploit research from the past: 1/ Cisco - @saidelike found and exploited a pre-auth RCE vuln in Cisco ASA firewalls recon.cx/2018/brussels/…
Mar 4, 2023 • 12 tweets • 2 min read
Want to know how to find bugs through fuzzing that others miss? 10 insights from practical experience 👇 1/ Identify fresh attack surface - if there’s a public tool out there, it’s likely either been published when it stops finding bugs, or the vendor themselves are running it at a scale you can’t match and your issues will likely become dupes.
Feb 8, 2023 • 19 tweets • 12 min read
At the end of last year I decided to take a look into consumer router security (Netgear, TP-Link, Synology) and damn, was there a lot of great previous research! Here are some articles which practically demonstrate RCE from a LAN or WAN perspective:
Netgear Routers
Aug 7, 2022 • 6 tweets • 2 min read
Struggling to keep up with recent security research or want some helpful tips? Here are some threads I have created which may help you 👇 1/ Bug Hunting in Hard Targets -
🔥 Like Windows Kernel exploitation? You're in luck! 10 items of Windows kernel exploit research from 2020/2021 🧵
🔥 1/ sstic.org/media/SSTIC202… by @OnlyTheDuck @paulfariello - The most complete and recent overview of the Windows Kernel Segment Heap from an exploitation perspective.
Jul 28, 2022 • 6 tweets • 1 min read
1/ As someone who has reviewed hundreds of CVs for job applications in the past, I just want to highlight some personal tips for vulnerability researchers in order to maximise their applications (i.e. outside typical career history and education). 🧵 2/ Tailor your CV to the role you're applying for - If you don't quite have the experience in one area, then show what you have done which is similar and transferable.
Jul 24, 2022 • 10 tweets • 4 min read
I am often asked what books have had the most impact on me in security. This is a really tough question as I have read so many, however, here are some I have on my shelf and why they were important to me👇 1/ The C Programming Language by K&R - Now I wouldn’t recommend learning C as a first language, but a significant amount of software is still written in C. To understand low level / OS security you really need to understand it. To the point, but past programming experience helpful.
Jun 19, 2022 • 12 tweets • 3 min read
✍️ 1/ Want to learn how to bug hunt in hard targets and find high impact issues? Here’s a short Sunday 🧵 for those starting out and some general thoughts from over the years on software security:
✍️ 2/ Developer mindset vs Adversarial mindset - Code review as a bug hunter is often different from code reviewing as part of a feature change. As a bug hunter you are only focusing on how to circumvent a control or use it in a way it was not intended. Learning this mindset is key.
Jun 10, 2022 • 11 tweets • 7 min read
🔥 1/ In the last 6 months working on Linux kernel bug hunting/exploitation there have been a number of key resources which have been super useful (coming from a macOS/Windows background) to understand the state of things in 2022 🚀.
Here's a short🧵 to recognise this + thoughts:
🔥 2/ Understanding and Improving Linux Kernel Exploit Reliability usenix.org/system/files/s… by @ky1ebot (+others)
Developing memory corruption exploits is an art, and the more complex an exploit, the more often the reliability goes down. This paper evaluates past methods and proposes a new one.
Dec 20, 2021 • 19 tweets • 11 min read
1/18 As 2021 is starting to come towards an end, now seems to be a good time to look back at all the great macOS vulnerability research / exploit development published during the year! Tried to keep to macOS mainly but obviously there's some crossover with iOS research too. 🧵
2/18 New Attack Surface in Safari: Using Just One Web Audio Vulnerability to Rule Safari - JunDong Xie
• WebAudio attack surface - parsing/decoding
• 15+ OOB read bugs and 10+ OOB writes
• Bypassing Safari heap isolation and ASLR, and achieving arbitrary code exec
i.blackhat.com/asia-21/Friday…