From 2022 - 2023, I worked at Rapid7 where I disclosed / analyzed a lot of vulns, and wrote about it publicly. I decided to start compiling all my writing in one place.
In 2023, I started at GreyNoise. I continued to write a decent amount, so I update this page on a best-effort basis. Let me know if you see something missing!
2024
Analyses / miscellaneous blogs
- Ivanti Connect Secure (ICS) Command Injection - analysis
- CVE-2022-41800 - F5 BIG-IP - honeypot analysis
- CVE-2022-1471 - SnakeYAML deserialization - analysis
- F5 BIG-IP wrap-up - analysis
- CVE-2021-44529 - Ivanti ICS - analysis
- CVE-2023-22527 - Confluence template injection - analysis
- CVE-2024-24919 - Check Point Quantum path traversal - honeypot analysis
- CVE-2024-28995 - SolarWinds Serv-U path traversal - honeypot analysis
- Media coverage: SC Media / Security Week / The Hacker News
Talks
- 2024-05 Finding Signals in the (Grey) Noise @ NorthSec Montreal
Tools, projects, code releases, etc.
- BSides San Francisco CTF - I was a co-lead and challenge author
2023
Vulnerabilities I Discovered
- Multiple vulnerabilities in Rocket Software UniData and UniVerse - analysis blog
- Protocol implementation
- Metasploit modules for CVE-2023-28502 and CVE-2023-28503
- Vulnerabilities:
- CVE-2023-28501: Pre-authentication heap buffer overflow in unirpcd service
- CVE-2023-28502: Pre-authentication stack buffer overflow in udadmin_server service
- CVE-2023-28503: Authentication bypass in libunidata.so’s do_log_on_user() function
- CVE-2023-28504: Pre-authentication stack buffer overflow in libunidata.so’s U_rep_rpc_server_submain()
- CVE-2023-28505: Post-authentication buffer overflow in libunidata.so’s U_get_string_value() function
- CVE-2023-28506: Post-authentication stack buffer overflow in udapi_slave executable
- CVE-2023-28507: Pre-authentication memory exhaustion in LZ4 decompression in unirpcd service
- CVE-2023-28508: Post-authentication heap overflow in udsub service
- CVE-2023-28509: Weak protocol encryption
- Multiple vulnerabilities in Globalscape EFT - analysis blog
- Protocol implementation + proofs of concept
- Vulnerabilities:
- CVE-2023-2989 - Authentication bypass via out-of-bounds memory read (vendor advisory)
- CVE-2023-2990 - Denial of service due to recursive DeflateStream (vendor advisory)
- CVE-2023-2991 - Remote hard drive serial number disclosure (vendor advisory) (not currently fixed)
- Additional issue - Password leak due to insecure default configuration (vendor advisory)
- CVE-2023-4528 - Deserialization JSCAPE MFT leading to RCE (part of an ongoing file transfer project) (disclosure blog / vendor advisory)
- Multiple vulnerabilities in Titan MFT and Titan SFTP - disclosure blog / vendor advisory / tooling
- CVE-2023-45685: Authenticated remote code execution via “zip slip”
- CVE-2023-45686: Authenticated remote code execution via WebDAV path traversal
- CVE-2023-45687: Session fixation on Remote Administration Server
- CVE-2023-45688: Information disclosure via path traversal on FTP
- CVE-2023-45689: Information disclosure via path traversal in admin interface
- CVE-2023-45690: Information leak via world-readable database + logs
N-day analyses
These are writeups / analyses / PoCs I wrote based on publicly known bugs, public proof of concepts, patch diffing, vendor advisories, forum posts, etc. The core vulnerabilities are not my original work.
- CVE-2023-0669 - Remote code execution in Fortra GoAnywhere MFT via unsafe deserialization (and hardcoded crypto keys) - AttackerKB analysis / Metasploit module
- Media: Dark Reading / The Stack / Security Week
- CVE-2022-47966 - Remote code execution in multiple ManageEngine products, including ADSelfService Plus, due to unsafe deserialization in an outdated XML library - AttackerKB
- Media: The Hacker News / Bleeping Computer / Security Week
- CVE-2022-47986 - Ruby deserialization vulnerability in IBM Aspera Faspex server - AttackerKB
- Media: Help Net Security / Ars Technica / SC Media
- CVE-2023-25690 - Request smuggling in Apache’s mod_rewrite - AttackerKB
- CVE-2023-34362 - SQL injection, header smuggling, session injection, and .net deserialization issues in MOVEit file transfer - AttackerKB
- CVE-2023-20887 - Command injection in VMware Aria Operations for Networks - AttackerKB
- CVE-2023-3519 - Stack-based buffer overflow in Citrix ADC - AttackerKB
- CVE-2023-34124 / CVE-2023-34133 / CVE-2023-34132 / CVE-2023-34127 - Multiple vulnerabilities culminating in RCE in SonicWall Global Management System (GMS) - AttackerKB / Metasploit module
- CVE-2023-36845 / CVE-2023-36846 / CVE-2023-36844 / CVE-2023-36847 - Multiple vulnerabilities in Juniper J-Web culminating in RCE as root - AttackerKB / Rapid7 ETR blog
- Media: infoRisk Today
- OwnCloud vulnerabilities
- CVE-2023-49103 - information disclosure - high-level write-up / technical write-up
- CVE-2023-49105 - auth bypass - high-level write-up / technical write-up
- CVE-2022-1471 - SnakeYAML Deserialization - technical write-up
Tools, projects, code releases, etc.
- BSides San Francisco CTF - I was a co-lead and challenge author
Talks / presentations
- 2023-05 UniData UniRPC Vulnerabilities @ NorthSec Montreal
2022
Vulnerabilities I Discovered
- Multiple vulnerabilities in F5 BIG-IP and F5 BIG-IQ - analysis blog
- Vulnerabilities:
- CVE-2022-41622 - Remote code execution in F5 BIG-IP and BIG-IQ due to cross-site request forgery and SELinux bypass - Metasploit module
- CVE-2022-41800 - Authenticated remote code execution in F5 BIG-IP and BIG-IQ due to injection in an RPM specification file - Metasploit module
- (No CVE) - Privilege escalation in F5 BIG-IP and BIG-IQ due to bad file permissions on database socket - Metasploit module
- Media coverage: Tech Target / Portswigger / Securityweek
- Vulnerabilities:
- Format string vulnerability in F5 BIG-IP - analysis blog
- CVE-2022-27511 and CVE-2022-27512 (patch bypass) - Denial of service vulnerability in FlexNet Licensing Server affecting Citrix ADM (among other things) - analysis blog
- (I didn’t find the original CVEs, but I bypassed the patch for one of them)
N-day analyses
These are writeups / analyses / PoCs I wrote based on publicly known bugs, public proof of concepts, patch diffing, vendor advisories, forum posts, etc. The core vulnerabilities are not my original work.
- CVE-2022-36804 - Remote Code Execution in Atlassian Bitbucket - AttackerKB analysis / high level blog
- CVE-2015-1197 - Path traversal vulnerability in cpio continuing to affect most major Linux distros - AttackerKB analysis / Personal blog
- CVE-2022-41352 - Remote code execution in Zimbra due to path traversal in cpio (CVE-2015-1197) - AttackerKB analysis / Metasploit module
- Media coverage: Dark Reading / Ars Technica / IT World Canada / Security Affairs / Digital Journal
- CVE-2022-30333 - Path traversal in unrar that is exploitable for remote code execution in Zimbra - AttackerKB analysis / Metasploit Module
- CVE-2022-37393 - Local privilege escalation in Zimbra due to bad sudo configuration - AttackerKB analysis / Metasploit module
- CVE-2022-27924 - Authentication bypass in Zimbra due to memcached poisoning - AttackerKB analysis
- CVE-2022-27925 / CVE-2022-37042 - Remote code execution in Zimbra due to a combination of ZIP-based path traversal (CVE-2022-27925) and authentication bypass (CVE-2022-37042) - AttackerKB analysis / Metasploit module
- CVE-2022-3569 - Local privilege escalation in Zimbra due to bad sudo configuration - Metasploit module
- CVE-2022-1388 - Remote code execution in F5 due to authentication bypass - AttackerKB analysis
- CVE-2022-40684 - Remote code execution in FortiOS due to header injection in proxied traffic - AttackerKB analysis
- CVE-2022-28219 - Remote code execution in ManageEngine ADAudit Plus due to a combination of unsafe deserialization and XXE - AttackerKB analysis / Metasploit module
- CVE-2022-29799 - “NimbusPwn” - what I’m calling a “horizontal privilege escalation” vulnerability, meaning you can escalate to the same privileges you have - AttackerKB analysis
- CVE-2022-3602 - 4-byte buffer overflow in OpenSSL’s Punycode parser - AttackerKB analysis / simple PoC
- CVE-2022-3786 - Buffer overflow (with . characters) in OpenSSL’s Punycode parser - AttackerKB analysis / simple PoC
- CVE-2022-22954 - Remote code execution due to template injection in VMWare Workspace ONE - AttackerKB analysis
Tools, projects, code releases, etc.
- BSides San Francisco CTF - I was a co-lead and challenge author
- refreshing-mcp-tool - A tool for working with F5’s internal database protocol (MCP or Master Control Program)
- refreshing-soap-exploit - A tool for testing a SOAP-based CSRF vulnerability in F5 BIG-IP and BIG-IQ
- Metasploit module for pulling data from F5’s MCP socket
- doltool - An implementation of the FlexLM licensing server’s protocol
Talks / presentations
- 2022-12 F5 BIG-IP Vulnerabilities @ Hushcon Seattle
- 2022-08 From Vuln to CTF @ BSides Las Vegas
- 2022-02 HHC Shellcode Primer @ Montrehack - largely a walkthrough of a challenge from Holiday Hack Challenge
Pre-2022 work
I’m not including stuff from my blog, you can see everything there!
- CVE-2018-15442 (aka “WebExec”) - a remote code execution vulnerability in the WebEx Update Service - high-level writeup / detailed blog / Metasploit modules
- BSides San Francisco lead / co-lead / challenge dev / etc - 2021 / 2020 / 2019 / 2018 / 2017
- hash_extender - a tool for exploiting most types of hash-length extension attacks
- dnscat2 - a TCP-over-DNS tunneling tool
- mandrake - a tool for instrumenting x64 assembly or shellcode
- terraria-research-tracker - a tool for parsing Terraria’s savefiles
- cryptorama - teaching tools / labs for common cryptographic vulnerabilities
- poracle - a padding oracle exploit tool
- dnsutils - a Ruby gem for creating and capturing a variety of DNS traffic
- A whole pile of Nmap scripts and libraries:
- broadcast-dropbox-listener.nse
- dhcp-discover.nse
- http-enum.nse
- http-exif-spider.nse
- http-headers.nse
- http-iis-webdav-vuln.nse
- http-malware-host.nse
- http-vmware-path-vuln.nse
- http-vuln-cve2013-7091.nse
- irc-unrealircd-backdoor.nse
- nbstat.nse
- p2p-conficker.nse
- smb-brute.nse
- smb-enum-domains.nse
- smb-enum-groups.nse
- smb-enum-processes.nse
- smb-enum-sessions.nse
- smb-enum-shares.nse
- smb-enum-users.nse
- smb-flood.nse
- smb-os-discovery.nse
- smb-psexec.nse
- smb-security-mode.nse
- smb-server-stats.nse
- smb-system-info.nse
- smb-vuln-conficker.nse
- smb-vuln-cve2009-3103.nse
- smb-vuln-ms06-025.nse
- smb-vuln-ms07-029.nse
- smb-vuln-ms08-067.nse
- smb-vuln-regsvc-dos.nse
- smb-vuln-webexec.nse
- smb-webexec-exploit.nse
SUPER old
- unickspoofer - a hack (that I wrote in Visual Basic 6!!!) to change your in-game name in Starcraft, Warcraft 2, and Diablo 2 (supports colours and illegal names; hilarity often ensued)
- operation-status - a set of cheats for Starcraft that have long since stopped working (and were never very stable to begin with)
- d2plugin and d2plugin2 - a set of cheats for Diablo 2 that have long since stopped working (I’m not sure which one is better, if either, so I’m just linking both)
Talks
I’ve saved basically every talk I ever gave! A bunch of these weren’t public, and now they are. The older ones look soooo bad. But, enjoy!
- 2020-10 Reverse Engineering @ DCA10 - I have no memory of writing or giving this talk, or what DCA10 is!
- 2020-06 Crypto: You’re Doing it Wrong @ PuPPy (Puget Sound Python group) - I wrote this, but due to the SPD protests/riots in Seattle, the event was cancelled
- 2018-11 WebExec: Finding an 0-day in a Pentest @ The Long Con
- 2018-05 Video Games @ NorthSec
- 2017-04 CTF Workshop @ Skullspace - Mostly a workshop
- 2016-12 Using DNS for Pentesting @ DC204
- 2016-11 Hash Extension attacks @ SANS (lightning talk)
- 2016-01 Evil DNS Tricks @ Shmoocon Firetalk
- 2015-11 Pentesting with DNS @ SANS Pentest Summit
- 2015-06 The Anatomy of a Vulnerability @ Sharkfest
- 2014-11 Vulnerability War Stories @ UofM Comp Sci
- 2014-09 DNS: More than Just Names @ Derbycon
- 2014-06 DNS @ BSides Quebec
- 2013-06 Why is Crypto so Hard? @ Sharkfest
- 2013-02 Crypto: You’re Doing it Wrong @ Shmoocon [video]
- 2012-06 Secrets of Vulnerability Scanning @ Sharkfest
- 2012-02 Introduction to SkullSpace and Hackerspaces @ Winnipeg Code Camp
- 2011-11 Introduction to SkullSpace and Hackerspaces @ SkullSpace
- 2011-11 Introduction to SkullSpace and Hackerspaces @ IPAM
- 2011-10 Introduction to SkullSpace and Hackerspaces @ UofM
- 2011-10 Advanced Nmap Scripting @ DerbyCon
- 2011-06 Writing Wireshark Dissectors @ Sharkfest
- 2011-03 Introducing SkullSpace @ UofM
- 2011-02 Stupid Mistakes Made by Smart People @ Winnipeg Code Camp - This is one of my favourite early talks!
- 2010-11 Passwords in the Wild @ IPAM
- 2010-11 Passwords in the Wild @ Deepsec
- 2010-11 The Nmap Scripting Engine @ BSides Ottawa - I gave this talk with no shoes on, because I got stuck in torrential rain… the conference organizers still remind me of that
- 2010-02 VMWare Guest stealing @ IPAM
- 2009-10 Nmap Scripts for Windows @ Toorcon - My first conference talk!
- 2009-07 Introduction to Pentesting @ A company in Calgary that probably doesn’t exist anymore
- 2009-05 Lifecycle of a Stolen Identity @ a MLM company I won’t name
- 2009-01 Introduction to Pentesting @ IPAM - my first (saved) talk, given to a local infosec group in Winnipeg, sorta summarizing what I learned in SANS560