  • DEFCON29 RTV CTF

    August 2021
    I played the DEFCON29 (2021) Red Team Village CTF online with team “Son of Anton”. After qualifying in 4th place, we then came 4th in the finals 🏅…
  • Google CTF 2020 Writeup

    August 2020
    The Google CTF was hard, so I don’t feel so bad about only solving easy challenges. Writeup also available as a Gist…
  • DEFCON:SM Car Hacking

    August 2020
    Had some fun with the Car Hacking Village at this year’s remote DEFCON Safe Mode. There seems to be a growing interest in automotive security, which I’ve completely ignored until now, but I decided to watch a beginner talk, Cluster Fuzz by @mintynet, about fuzzing the CAN bus…
  • Python tarfile infinite loop DoS

    July 2020
    The Python tarfile module can end up in an infinite loop when opening maliciously malformed tar files. I came across Denial of Service bug bpo39017 when browsing the Python bug tracker for security issues (I didn’t discover this bug myself). The error-reproducing zipfile the reporter uploaded is direct from the fuzzer, but I wanted to understand and isolate the issue by making the smallest tarfile which reproduces the bug…
  • SocketIO / EngineIO DoS

    May 2020
    Quite a while ago, I reported an application Denial of Service vulnerability in the Socket.IO / Engine.IO parser implementations in Node.js and Python. A single HTTP POST request can cause extreme CPU and memory usage, but in Node.js, a single HTTP POST request can even kill the server with a JavaScript heap out of memory fatal error…
  • v380 IPcam: Firmware patching

    April 2020
    I made some progress: running code from a micro SD card as root, downloading camera firmware, writing custom firmware patches, finding the root password hash, and changing the root password…
  • v380 IPcam: Move with SOAP

    March 2020
    You can remotely pan/tilt the camera so it points away from the crown jewels while you move in to steal them…
  • SecTalks CTF: ROP + ASLR = 500¥

    March 2020
    This is a write-up for a difficult Sectalks CTF challenge set by tamas which took me many hours to solve…
  • Jenkins UDP ping-pong (CVE‑2020‑2100)

    February 2020
    A Jenkins CVE caught my eye despite being just a DoS…
  • User-agent parsing REDoS (CVE‑2020‑5243)

    February 2020
    Due to my research into Regular Expression Denial-of-Service (REDoS), I found and (after bug bounties) finally publicly reported CVE-2020-5243 in uap-core. Dependent packages uap-python, uap-ruby, etc. are/were vulnerable…
  • Exploit Grafana (CVE‑2019‑15043)

    December 2019
    Grafana is a monitoring dashboard used to display metrics. It’s used by many infrastructure and development teams…
  • Two REDoS vulns in cpython

    November 2019
    I ran my top-secret REDoS-finding engine over the Python code in CPython and found two remotely-exploitable vulnerabilities. Making a request to a malicious web server leads to denial of service (approximately infinite CPU time)…
  • Apache Zeppelin Vulnerability + Metasploit

    May 2019
    Apache Zeppelin is a “Web-based notebook that enables data-driven, interactive data analytics and collaborative documents…” which is very similar to Jupyter notebook. Notebook servers offer polyglot Remote Code Execution (RCE) by design, so gaining access to one would make pwning the entire Hadoop cluster and all its data fairly simple…
  • Your S3 buckets are leaking

    May 2019
    Think you set your S3 bucket policies correctly? Nothing accidentally public? Trust but verify…
  • What The Fuzz

    January 2019
    I wrote a blog post about my experiences fuzz-testing external and internal APIs, and covered some Python and Postgres oddities…
  • Man-in-the-middling Android apps

    January 2019
    This is a walk-through of how I go about investigating Android apps. I’m not a subject matter expert, so take everything here with a pinch of salt. As a case-study, I’ll look at the Railcards app which aims to replace physical railcards with ones which can run out of battery…
  • Avoiding injection with taint analysis

    September 2018
    One simple way to improve the robustness of any code base is static analysis. It’s not widely used because it carries a (regrettably well-deserved) reputation for being a noisy, blunt instrument, but with small tweaks static analysis can become part of the common development process. In this post, I will explain how we use it to improve the security of our code…
  • v380 IPcam: Hardware Hackz

    February 2018
    At SecTalks, blinken ran a Hardware Hacking 101 session where we investigated a Chinese IPcam “WiFi Smart Net Camera” v380…
  • Pebble Bike Sharer

    April 2016
    I like automated city bike rental services. My new watch app for finding a bike within a city bike share scheme is available on the Pebble app store…
  • Chinese character of the day 倀

    February 2016
    I accidentally came across this character while evaluating the KEY Chinese-French dictionary for Pleco (hence the French translation above)…
  • Slack Bingo bot

    February 2016
    Companies love Slack, and lots of services integrate via their API. While slash commands are simple web hooks, bots can listen in to the conversations taking place on a channel and participate. Meet @bingo! Add your buzzword to the list, and whoever mentions the word in the channel first will get the bingo. It’s a really simple unintelligent bot…
  • Pebble 新年快乐

    January 2016
    My new watch face for celebrating year of the monkey is available on the Pebble app store. It displays the date and day of the week in Chinese characters, along with the year’s zodiac animal. The design ended up being too cluttered, maybe a little ugly, but being a sinophile I quite like it. I just wanted a watch face with the date / weekday in Chinese characters, but with the time still in easy-(for me)-to-read Arabic numerals…
  • They Have Your Info

    December 2014
    Project abandoned, sorry…
  • Xbox 360 Live Gamercard

    January 2010
    Several years back I was an avid Xbox 360 fanboy. I had also just made a couple of Facebook apps as a freelancer. At the time, there was an unofficial Xbox Live Facebook app which just showed an image containing your gamertag, picture, score and recent games as a section on your profile. This data came from a now-defunct website which was a member of Microsoft’s Xbox Community Developer Program (XCDP). Only XCDP members were allowed access to the Xbox Live API…

[blog by caller] Correspondence welcome at ℬ㏒ {@} ㎈ℓℯℛ.ⓧⓨℤ