Research
The following links cover some, but not all, of my past information security research.
Tools:
-
This was a tool I developed to discover src-2018-0027 and re-discover/exploit ZDI-18-332.
Competitions:
-
Pwn2Own Miami 2022 - Second place with 4 successful wins
Chris Anastasio and I came back to defend our title and we found multiple vulnerabilities targeting several ICS applications. Unfortunately we didn’t win, but we had heaps of fun!
-
Pwn2Own Vancouver 2021 - Partial win against Microsoft Exchange Server
I found a remote code execution vulnerability that could have been triggered during a MITM attack, which scored a partial win.
-
Pwn2Own Miami 2020 - Master of Pwn
In preparation for this competition, Chris Anastasio and I found multiple vulnerabilities and developed exploits targeting several ICS applications, which allowed us to win the competition!
Presentations:
Some past presentations that I have shared.
-
In this presentation I discuss the various vulnerabilities I discovered when auditing VMware Workspace ONE Access and how they were exploited creatively.
-
DEF CON 29 :: USA :: 2021 - Don’t Dare to Exploit :: An Attack Surface Tour of SharePoint Server
In this presentation Yuhao, Zhiniang and I discuss the various vulnerabilities we discovered when auditing Microsoft SharePoint Server and reveal some of the hidden attack surfaces.
-
Internet Security Conference :: China :: 2020 - Out of Hand :: Attacks Against PHP Environments
In this presentation I discuss a few interesting primitives in the current PHP environment. The first allows an attacker to achieve an information disclosure using TypeError, and the second is how an XML external entity (XXE) injection vulnerability can be leveraged for deserialization of untrusted data.
-
BlueHatIL :: Israel :: 2019 - Postscript Pat and His Black and White Hat
I discussed how I developed a PostScript fuzzer to target Adobe’s PostScript engine and uncover many zero-day vulnerabilities.
-
BSides :: Mexico :: 2018 - Foxes Among Us
I discussed how I found a use-after-free vulnerability and chained it together with an uninitialized object vulnerability to achieve reliable exploitation bypassing several operating system mitigations.
-
Hack in The Box :: Netherlands :: 2017 - I got 99 trends and a # is all of them
Roberto and I discussed how we found more than 200 remote code execution vulnerabilities in Trend Micro software.
-
Hack in The Box :: Netherlands :: 2012 - Ghost in the allocator
Here I demonstrated a new technique, a variation on exploitation of the Windows 7 heap manager that abuses the allocation offset mechanism. I also presented a likely attack technique against the Consumer Preview version of the Windows 8 heap manager.
-
Ruxcon :: Australia :: 2012 - How to catch a chameleon
This presentation introduced heaper, a plugin for Immunity Debugger that I developed to detect a corrupted heap state before an out-of-bounds memory access occurs, and also to detect exploitable conditions in earlier Windows operating systems.
Other blog posts I have written:
Media:
Some mentions of my work that are publicly available.
- Inside the World’s Highest-Stakes Industrial Hacking Contest
- Critics Hit Out at Cisco After Security Researcher Finds 120+ Vulnerabilities in a Single Product
- One Man’s Patch is Another Man’s Treasure. A Tale of a Failed HPE Patch
- Exploiting Untrusted Objects Through Deserialization: Analyzing 1 of 100+ HPE Bug Submissions
- Busting Myths in Foxit Reader
- Hackers Tear Apart Trend Micro, Find 200 Vulnerabilities In Just 6 Months