Ron's CV

From 2022 - 2023, I worked at Rapid7 where I disclosed / analyzed a lot of vulns, and wrote about it publicly. I decided to start compiling all my writing in one place.

In 2023, I started at GreyNoise. I continued to write a decent amount, so I update this page on a best-effort basis. Let me know if you see something missing!

2024

Analyses / miscellaneous blogs

Talks

Tools, projects, code releases, etc.

2023

Vulnerabilities I Discovered

  • Multiple vulnerabilities in Rocket Software UniData and UniVerse - analysis blog
    • Protocol implementation
    • Metasploit modules for CVE-2023-28502 and CVE-2023-28503
    • Vulnerabilities:
      • CVE-2023-28501: Pre-authentication heap buffer overflow in unirpcd service
      • CVE-2023-28502: Pre-authentication stack buffer overflow in udadmin_server service
      • CVE-2023-28503: Authentication bypass in libunidata.so’s do_log_on_user() function
      • CVE-2023-28504: Pre-authentication stack buffer overflow in libunidata.so’s U_rep_rpc_server_submain()
      • CVE-2023-28505: Post-authentication buffer overflow in libunidata.so’s U_get_string_value() function
      • CVE-2023-28506: Post-authentication stack buffer overflow in udapi_slave executable
      • CVE-2023-28507: Pre-authentication memory exhaustion in LZ4 decompression in unirpcd service
      • CVE-2023-28508: Post-authentication heap overflow in udsub service
      • CVE-2023-28509: Weak protocol encryption
  • Multiple vulnerabilities in Globalscape EFT - analysis blog
  • CVE-2023-4528 - Deserialization JSCAPE MFT leading to RCE (part of an ongoing file transfer project) (disclosure blog / vendor advisory)
  • Multiple vulnerabilities in Titan MFT and Titan SFTP - disclosure blog / vendor advisory / tooling
    • CVE-2023-45685: Authenticated remote code execution via “zip slip”
    • CVE-2023-45686: Authenticated remote code execution via WebDAV path traversal
    • CVE-2023-45687: Session fixation on Remote Administration Server
    • CVE-2023-45688: Information disclosure via path traversal on FTP
    • CVE-2023-45689: Information disclosure via path traversal in admin interface
    • CVE-2023-45690: Information leak via world-readable database + logs

N-day analyses

These are writeups / analyses / PoCs I wrote based on publicly known bugs, public proof of concepts, patch diffing, vendor advisories, forum posts, etc. The core vulnerabilities are not my original work.

Tools, projects, code releases, etc.

Talks / presentations

2022

Vulnerabilities I Discovered

  • Multiple vulnerabilities in F5 BIG-IP and F5 BIG-IQ - analysis blog
    • Vulnerabilities:
      • CVE-2022-41622 - Remote code execution in F5 BIG-IP and BIG-IQ due to cross-site request forgery and SELinux bypass - Metasploit module
      • CVE-2022-41800 - Authenticated remote code in F5 BIG-IP and BIG-IQ due to injection in an RPM specification file - Metasploit module
      • (No CVE) - Privilege escalation in F5 BIG-IP and BIG-IQ due to bad file permissions on database socket - Metasploit module
    • Media coverage: Tech Target / Portswigger / Securityweek
  • Format string vulnerability in F5 BIG-IP - analysis blog
  • CVE-2022-27511 and CVE-2022-27512 (patch bypass) - Denial of service vulnerability in FlexNet Licensing Server affecting Citrix ADM (among other things) - analysis blog
    • (I didn’t find the original CVEs, but I bypassed the patch for one of them)

N-day analyses

These are writeups / analyses / PoCs I wrote based on publicly known bugs, public proof of concepts, patch diffing, vendor advisories, forum posts, etc. The core vulnerabilities are not my original work.

Tools, projects, code releases, etc.

Talks / presentations

Pre-2022 work

I’m not including stuff from my blog, you can see everything there!

SUPER old

  • unickspoofer - a hack (that I wrote in Visual Basic 6!!!) to change your in-game name in Startcraft, Warcraft 2, and Diablo 2 (supports colours and illegal names; hilarity often ensued)
  • operation-status - a set of cheats for Starcraft that have long since stopped working (and were never very stable to begin with)
  • d2plugin and d2plugin2 - a set of cheaps for Diablo 2 that have long since stopped working (I’m not sure which one is better, if either, so I’m just linking both)

Talks

I’ve saved basically every talk I ever gave! A bunch of these weren’t public, and now they are. The older ones look soooo bad. But, enjoy!