It’s a bit late but here’s my in depth (read: LONG) look at CVE-2020-0601 with all the details of how cert chain validation happens in CryptoAPI and where things went wrong. #curveball
Mini pro-tip for Java reversing:
JD-GUI is my preferred decompiler if I want to attach a debugger since it preserves line numbers.
CFR tends to provide much more reasonable code output, especially when dealing with inner classes, but doesn't fix up line numbers for debugging. Much better for static analysis though.
ZDI just disclosed 118 vulnerabilities in Cisco DCNM covering 12 CVEs and corresponding with Cisco's advisories released yesterday.
Very much looking forward to being able to share some bigger research in 2020 and maybe even some conference talks. Also starting a non-profit, creating reversing workshops, and all sorts of other fun stuff.
Finally, I found my first 2 CVEs this year, an HTTP/2 DoS in Tomcat: https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.20
And an unauthenticated potential RCE in Windows Deployment Services: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0603
Here's an abridged version of one of our vulnerability reports for quite possibly one of the silliest vulns I worked on this year, the IOS XE REST API auth bypass:
Here's my analysis of a Windows DHCP Server vuln, though I don't personally agree with the "analysis of it's exploitability" title. It'd be tough as nails to exploit (probably) but we don't spend extensive time on that sort of thing:
Since I feel like Mastodon is the best place to toot my own horn (HA) and my professional life is one of the few parts of 2019 I actually liked, I'm gonna post my research from the last year that's been made public in some way:
Here's a blog post about a Linux kernel race condition that I wrote because unnamed infosec blogs had our customers freaking out about a non-issue:
So I’ve gone and created a vulnerability research room on Matrix if anyone cares to join. Pretty lonely in there at the moment but looking to start a positive place to share tips and tricks and ask questions.
49% of workers, when forced to update their password, reuse the same one with just a minor change.
Hackin’, Drum & Bass aficionado, watcher of motorcycle racing. he/him #TeamADHD and other neurodivergent things. Habitual right-clicker. Researcher @ Veracode
A Mastodon instance for info/cyber security-minded people.