In 2022, I started doing enough public work that I decided I’d start keeping track of it all in one place. Here you go!
I’m going to update this from time to time, on a best-effort basis. I probably also missed stuff.
2024
Vulnerabilities I Analyzed
- Ivanti Connect Secure (ICS) Command Injection - analysis
2023
Vulnerabilities I Discovered
- Multiple vulnerabilities in Rocket Software UniData and UniVerse - analysis blog
- Protocol implementation
- Metasploit modules for CVE-2023-28502 and CVE-2023-28503
- Vulnerabilities:
- CVE-2023-28501: Pre-authentication heap buffer overflow in
unirpcdservice - CVE-2023-28502: Pre-authentication stack buffer overflow in
udadmin_serverservice - CVE-2023-28503: Authentication bypass in
libunidata.so’sdo_log_on_user()function - CVE-2023-28504: Pre-authentication stack buffer overflow in
libunidata.so’sU_rep_rpc_server_submain() - CVE-2023-28505: Post-authentication buffer overflow in
libunidata.so’sU_get_string_value()function - CVE-2023-28506: Post-authentication stack buffer overflow in
udapi_slaveexecutable - CVE-2023-28507: Pre-authentication memory exhaustion in LZ4 decompression in
unirpcdservice - CVE-2023-28508: Post-authentication heap overflow in
udsubservice - CVE-2023-28509: Weak protocol encryption
- CVE-2023-28501: Pre-authentication heap buffer overflow in
- Multiple vulnerabilities in Globalscape EFT - analysis blog
- Protocol implementation + proofs of concept
- Vulnerabilities:
- CVE-2023-2989 - Authentication bypass via out-of-bounds memory read (vendor advisory)
- CVE-2023-2990 - Denial of service due to recursive DeflateStream (vendor advisory)
- CVE-2023-2991 - Remote hard drive serial number disclosure (vendor advisory) (not currently fixed)
- Additional issue - Password leak due to insecure default configuration (vendor advisory)
- CVE-2023-4528 - Deserialization JSCAPE MFT leading to RCE (part of an ongoing file transfer project) (disclosure blog / vendor advisory)
- Multiple vulnerabilities in Titan MFT and Titan SFTP - disclosure blog / vendor advisory / tooling
- CVE-2023-45685: Authenticated remote code execution via “zip slip”
- CVE-2023-45686: Authenticated remote code execution via WebDAV path traversal
- CVE-2023-45687: Session fixation on Remote Administration Server
- CVE-2023-45688: Information disclosure via path traversal on FTP
- CVE-2023-45689: Information disclosure via path traversal in admin interface
- CVE-2023-45690: Information leak via world-readable database + logs
N-day analyses
These are writeups / analyses / PoCs I wrote based on publicly known bugs, public proof of concepts, patch diffing, vendor advisories, forum posts, etc. The core vulnerabilities are not my original work.
- CVE-2023-0669 - Remote code execution in Fortra GoAnywhere MFC via unsafe deserialization (and hardcoded crypto keys) - AttackerKB analysis / Metasploit module
- Media: Dark Reading / The Stack / Security Week
- CVE-2022-47966 - Remote code execution in multiple ManageEngine products, including ADSelfService Plus, due to unsafe deserialization in an outdated XML library - AttackerKB
- Media: The Hacker News / Bleeping Computer / Security Week
- CVE-2022-47986 - Ruby deserialization vulnerability in IBM Aspera Faspex server - AttackerKB
- Media: Help Net Security / Ars Technica / SC Media
- CVE-2023-25690 - Request smuggling in Apache’s
mod_rewrite- AttackerKB - CVE-2023-34362 - SQL injection, header smuggling, session injection, and .net deserialization issues in MOVEit file transfer - AttackerKB
- CVE-2023-20887 - Command injection in VMware Aria Operations for Newtorks - AttackerKB
- CVE-2023-3519 - Stack-based buffer overflow in Citrix ADC - AttackerKB
- CVE-2023-34124 / CVE-2023-34133 / CVE-2023-34132 / CVE-2023-34127 - Multiple vulnerabilities culminating in RCE in SonicWall Global Management System (GMS) - AttackerKB / Metasploit module
- CVE-2023-36845 / CVE-2023-36846 / CVE-2023-36844 / CVE-2023-36847 - Multiple vulnerabilities in Juniper J-Web culminating in RCE as root - AttackerKB / Rapid7 ETR blog
- Media: infoRisk Today
- OwnCloud vulnerabilities
- CVE-2023-49103 - information disclosure - high-level write-up / technical write-up
- CVE-2023-49105 - auth bypass - high-level write-up / technical write-up
- CVE-2022-1471 - SnakeYAML Deserialization - technical write-up
2022
Vulnerabilities I Discovered
- Multiple vulnerabilities in F5 BIG-IP and F5 BIG-IQ - analysis blog
- Vulnerabilities:
- CVE-2022-41622 - Remote code execution in F5 BIG-IP and BIG-IQ due to cross-site request forgery and SELinux bypass - Metasploit module
- CVE-2022-41800 - Authenticated remote code in F5 BIG-IP and BIG-IQ due to injection in an RPM specification file - Metasploit module
- (No CVE) - Privilege escalation in F5 BIG-IP and BIG-IQ due to bad file permissions on database socket - Metasploit module
- Media coverage: Tech Target / Portswigger / Securityweek
- Vulnerabilities:
- Format string vulnerability in F5 BIG-IP - analysis blog
- CVE-2022-27511 and CVE-2022-27512 (patch bypass) - Denial of service vulnerability in FlexNet Licensing Server affecting Citrix ADM (among other things) - analysis blog
- (I didn’t find the original CVEs, but I bypassed the patch for one of them)
N-day analyses
These are writeups / analyses / PoCs I wrote based on publicly known bugs, public proof of concepts, patch diffing, vendor advisories, forum posts, etc. The core vulnerabilities are not my original work.
- CVE-2022-36804 - Remote Code Execution in Atlassian Bitbucket - AttackerKB analysis / high level blog
- CVE-2015-1197 - Path traversal vulnerability in
cpiocontinuing to affect most major Linux distros - AttackerKB analysis / Personal blog - CVE-2022-41352 - Remote code execution in Zimbra due to path traversal in
cpio(CVE-2015-1197) - AttackerKB analysis / Metasploit module- Media coverage: Dark Reading / Ars Technica / IT World Canada / Security Affairs / Digital Journal
- CVE-2022-30333 - Path traversal in
unrarthat is exploitable for remote code execution in Zimbra - AttackerKB analysis / Metasploit Module - CVE-2022-37393 - Local privilege escalation in Zimbra due to bad
sudoconfiguration - AttackerKB analysis / Metasploit module - CVE-2022-27924 - Authentication bypass in Zimbra due to
memcachedpoisoning - AttackerKB analysis - CVE-2022-27925 / CVE-2022-37042 - Remote code execution in Zimbra due to a combination of ZIP-based path traversal (CVE-2022-27925) and authentication bypass (CVE-2022-37042) - AttackerKB analysis / Metasploit module
- CVE-2022-3569 - Local privilege escalation in Zimbra due to bad
sudoconfiguration - Metasploit module - CVE-2022-1388 - Remote code execution in F5 due to authentication bypass - AttackerKB analysis
- CVE-2022-40684 - Remote code execution in FortiOS due to header injection in proxied traffic - AttackerKB analysis
- CVE-2022-28219 - Remote code execution in ManageEngine ADAudit Plus due to a combination of unsafe deserialization and XXE - AttackerKB analysis / Metasploit module
- CVE-2022-29799 - “NimbusPwn” - what I’m calling a “horizontal privilege escalation” vulnerability, meaning you can escalate to the same privileges you have - AttackerKB analysis
- CVE-2022-3602 - 4-byte buffer overflow in OpenSSL’s Punycode parser - AttackerKB analysis / simple PoC
- CVE-2022-3786 - Buffer overflow (with
.characters) in OpenSSL’s Punycode parser - AttackerKB analysis / simple PoC - CVE-2022-22954 - Remote code execution due to template injection in VMWare Workspace ONE - AttackerKB analysis
Tools, projects, code releases, etc.
- BSides San Francisco CTF - I was a co-lead and challenge author
- refreshing-mcp-tool - A tool for working with F5’s internal database protocol (MCP or Master Control Program)
- refreshing-soap-exploit - A tool for testing a SOAP-based CSRF vulnerability in F5 BIG-IP and BIG-IQ
- Metasploit module for pulling data from F5’s MCP socket
- doltool - An implementation of the FlexLM licensing server’s protocol
Pre-2022 work
I’m not including stuff from my blog, you can see everything there!
- CVE-2018-15442 (aka “WebExec”) - a remote code execution vulnerability in the WebEx Update Service - high-level writeup / detailed blog / Metasploit modules
- BSides San Francisco lead / co-lead / challenge dev / etc - 2021 / 2020 / 2019 / 2018 / 2017
- hash_extender - a tool for exploiting most types of hash-length extension attacks
- dnscat2 - a TCP-over-DNS tunneling tool
- mandrake - a tool for instrumenting x64 assembly or shellcode
- terraria-research-tracker - a tool for parsing Terraria’s savefiles
- cryptorama - teaching tools / labs for common cryptographic vulnerabilities
- poracle - a padding oracle exploit tool
- dnsutils - a Ruby gem for creating and capturing a variety of DNS traffic
- A whole pile of Nmap scripts and libraries:
- broadcast-dropbox-listener.nse
- dhcp-discover.nse
- http-enum.nse
- http-exif-spider.nse
- http-headers.nse
- http-iis-webdav-vuln.nse
- http-malware-host.nse
- http-vmware-path-vuln.nse
- http-vuln-cve2013-7091.nse
- irc-unrealircd-backdoor.nse
- nbstat.nse
- p2p-conficker.nse
- smb-brute.nse
- smb-enum-domains.nse
- smb-enum-groups.nse
- smb-enum-processes.nse
- smb-enum-sessions.nse
- smb-enum-shares.nse
- smb-enum-users.nse
- smb-flood.nse
- smb-os-discovery.nse
- smb-psexec.nse
- smb-security-mode.nse
- smb-server-stats.nse
- smb-system-info.nse
- smb-vuln-conficker.nse
- smb-vuln-cve2009-3103.nse
- smb-vuln-ms06-025.nse
- smb-vuln-ms07-029.nse
- smb-vuln-ms08-067.nse
- smb-vuln-regsvc-dos.nse
- smb-vuln-webexec.nse
- smb-webexec-exploit.nse
SUPER old
- unickspoofer - a hack (that I wrote in Visual Basic 6!!!) to change your in-game name in Startcraft, Warcraft 2, and Diablo 2 (supports colours and illegal names; hilarity often ensued)
- operation-status - a set of cheats for Starcraft that have long since stopped working (and were never very stable to begin with)
- d2plugin and d2plugin2 - a set of cheaps for Diablo 2 that have long since stopped working (I’m not sure which one is better, if either, so I’m just linking both)
Talks
I’ve saved basically every talk I ever gave! A bunch of these weren’t public, and now they are. The older ones look soooo bad. But, enjoy!
- 2023-05 UniData UniRPC Vulnerabilities @ NorthSec Montreal
- 2022-12 F5 BIG-IP Vulnerabilities @ Hushcon Seattle
- 2022-08 From Vuln to CTF @ BSides Las Vegas
- 2022-02 HHC Shellcode Primre @ Montrehack - largely a walkthrough of a challenge from Holiday Hack Challenge
- 2020-10 Reverse Engineering @ DCA10 - I have no memory of writing or giving this talk, or what DCA10 is!
- 2020-06 Crypto: You’re Doing it Wrong @ PuPPy (Puget Sound Python group) - I wrote this, but due to the SPD protests/riots in Seattle, the event was cancelled
- 2018-11 WebExec: Finding an 0-day in a Pentest @ The Long Con
- 2018-05 Video Games @ NorthSec
- 2017-04 CTF Workshop @ Skullspace - Mostly a workshop
- 2016-12 Using DNS for Pentesting @ DC204
- 2016-11 Hash Extension attacks @ SANS (lightning talk)
- 2016-01 Evil DNS Tricks @ Shmoocon Firetalk
- 2015-11 Pentesting with DNS @ SANS Pentest Summit
- 2015-06 The Anatomy of a Vulnerability @ Sharkfest
- 2014-11 Vulnerability War Stories @ UofM Comp Sci
- 2014-09 DNS: More than Just Names @ Derbycon
- 2014-06 DNS @ BSides Quebec
- 2013-06 Why is Crypto so Hard? @ Sharkfest
- 2013-02 Crypto: You’re Doing it Wrong @ Shmoocon [video]
- 2012-06 Secrets of Vulnerability Scanning @ Sharkfest
- 2012-02 Introduction to SkullSpace and Hackerspaces @ Winnipeg Code Camp
- 2011-11 Introduction to SkullSpace and Hackerspaces @ SkullSpace
- 2011-11 Introduction to SkullSpace and Hackerspaces @ IPAM
- 2011-10 Introduction to SkullSpace and Hackerspaces @ UofM
- 2011-10 Advanced Nmap Scripting @ DerbyCon
- 2011-06 Writing Wireshark Dissectors @ Sharkfest
- 2011-03 Introducing SkullSpace @ UofM
- 2011-02 Stupid Mistakes Made by Smart People @ Winnipeg Code Camp - This is one of my favourite early talks!
- 2010-11 Passwords in the Wild @ IPAM
- 2010-11 Passwords in the Wild @ Deepsec
- 2010-11 The Nmap Scripting Engine @ BSides Ottawa - I gave this talk with no shoes on, because I got stuck in torrential rain… the conference organizers still remind me of that
- 2010-02 VMWare Guest stealing @ IPAM
- 2009-10 Nmap Scripts for Windows @ Toorcon - My first conference talk!
- 2009-07 Introduction to Pentesting @ A company in Calgary that probably doesn’t exist anymore
- 2009-05 Lifecycle of a Stolen Identity @ a MLM company I won’t name
- 2009-01 Introduction to Pentesting @ IPAM - my first (saved) talk, given to a local infosec group in Winnipeg, sorta summarizing what I learned in SANS560