stephen

@_tsuro

Followers
9,978
Following
529
Media
40
Statuses
1,226

@v8js security, CTFs and CPU vulnz. LCHL. @tsuro@infosec.exchange

Zurich, Switzerland
Joined August 2011
Pinned Tweet
@_tsuro
stephen
6 years
My latest Chrome bug just got derestricted. Did you know that floats have a minus zero? Turns out if you forget about it, that can mean RCE :).
10
193
646
@_tsuro
stephen
4 years
We just open sourced most challenges (and exploits) from this year's #GoogleCTF :
4
249
670
@_tsuro
stephen
5 years
We open sourced PathAuditor: a tool for Linux that @rozek_marta and I worked on this summer. Tl;dr: you can use it to instrument root daemons and find insecure file access patterns like CVE-2019-3461. Check out the code: Blog post:
3
155
381
@_tsuro
stephen
5 years
We just released the challenges of this year's #GoogleCTF finals together with a short write up of the intended solutions: If anything is not clear, feel free to DM me and I can share more details about the challenges.
2
122
365
@_tsuro
stephen
5 years
Here are the slides from my #Zer0con2019 talk about TurboFan (Chrome's javascript compiler). If you have any questions, please leave a comment in the slides and I'll try to explain it in the speaker's notes.
0
155
346
@_tsuro
stephen
3 years
We just released v1.0 of kCTF our kubernetes based infrastructure for CTF competitions. Check it out here: With kCTF we tried to address two issues we often heard about: * no experience with k8s * worry about introducing security issues (1/3)
2
117
339
@_tsuro
stephen
11 months
We just started the #v8CTF : a new exploit bounty program for v8! * $10,000 * N-day vulnerabilities are in scope, but limited to first submission per deployed v8 version * unlimited for self-found bugs (on top of regular VRP) More info here:
1
65
261
@_tsuro
stephen
4 years
We just announced a new bug bounty on a hardened kubernetes cluster. The fun part: 1days are explicitly in scope! Want to exploit a public #syzkaller bug that hasn't been patched in our cluster yet? That's fair game. More info here:
2
91
231
@_tsuro
stephen
6 years
The exploit for my Chrome/v8 challenge from the #GoogleCTF finals is now public. You can find it here: . You had to exploit a JIT optimization pass that would turn 1+1 into 2.
1
98
230
@_tsuro
stephen
3 years
5
18
227
@_tsuro
stephen
4 years
I made a challenge for #WCTF where you got a fake XSS in the Discord electron app and had to turn it into RCE. Here's the "writeup": Enjoy :)
1
36
222
@_tsuro
stephen
7 years
One thing off my bucket list. I got code execution in the Chrome renderer with a nice bug in v8's TurboFan optimizer. The bug just got de-restricted:
2
77
207
@_tsuro
stephen
4 years
#GoogleCTF is on and we have challenges related to hardware, crypto, reversing, web, sandbox and of course pwnables. Every category comes with an easy challenge aimed at beginners. Check it out here:
4
75
202
@_tsuro
stephen
8 months
The first #v8CTF submission is now public: Note that the current flag is still up for grabs, maybe M118 is unhackable? ;P You should also check out @madstacks3's excellent writeup at
2
59
192
@_tsuro
stephen
2 years
Looks like I'll be in vegas this summer @BlackHatEvents :). I'm going to present about some logic bugs I found in Mojo and how they affected Chrome's sandbox. This was one of the most complicated exploits I've ever written, looking forward to talk about it. #BHUSA
5
13
174
@_tsuro
stephen
2 years
I prepared 2 challenges for the #GoogleCTF this year: 1) sendbox: a user namespace jail 2) ipcz: a challenge based on a new IPC protocol that you can find in the chromium sources You can find both challenges and solutions at 🧵
1
24
168
@_tsuro
stephen
2 years
My new role: v8 security \o/
@5aelo
Samuel Groß
2 years
I'm excited (and also a little sad) to announce that after 3 fantastic years with Project Zero, it's time for me to try something new. So starting this month, I'll be building up and leading a new V8 security team at Google!
36
34
957
6
0
155
@_tsuro
stephen
5 years
My OffensiveCon talk got accepted \o/
@offensive_con
offensivecon
5 years
Popping Calc with Hardware Vulnerabilities by @_tsuro
0
25
78
7
7
143
@_tsuro
stephen
10 months
The first #v8CTF submission is in \o/ This was
2
22
135
@_tsuro
stephen
6 years
And here is the exploit: . I think we pwned all the browsers in the end, even the unintended ones :)
@_tsuro
stephen
6 years
I wrote an exploit for the kotkit challenge of @RealWorldCTF , but we couldn't figure out in the end how to trigger a page load :(.
1
21
70
1
42
129
@_tsuro
stephen
6 years
The Google CTF is happening again this year (June 23rd/24th). We promise to have some easier challenges this time so make sure to check it out even if you're new to CTFs.
@CtfReminder
CTFReminder
6 years
New CTF! Google Capture The Flag 2018 (Quals), starts at 2018-06-23 00:00:01 UTC
1
30
59
1
68
133
@_tsuro
stephen
4 years
The recording of my #OffensiveCon20 talk is up in which I demo a Chrome sandbox escape using RIDL: The exploit is still working as of today. PS: I would love some feedback! I don't give many talks but prepared a lot for this: so what worked/didn't work?
4
61
125
@_tsuro
stephen
4 years
Periodic reminder that Steam is still running Chrome 79 and without a sandbox on Linux. 🤷
@rajxnull
Rajvardhan Agarwal
4 years
Here's my 1day exploit for 😁. Works for chrome version <= 83.0.4103.61.
21
279
859
4
32
113
@_tsuro
stephen
6 years
And here's a write up for the pwn-drive challenge from the #GoogleCTF : tl;dr: check your return values
2
42
103
@_tsuro
stephen
5 years
Patch-gapping Chrome became much harder as @_2can and @sherl0ck__ just showed in their amazing blog post. Easy mode is to target embedded browsers instead since those are usually ancient. Case in point, here's an RCE for Steam on Linux:
5
20
103
@_tsuro
stephen
4 years
Really cool talk by @tjbecker_ on his Chrome sandbox escape: Exploiting a UaF in the browser process without any info leak since Windows maps libraries at the same address in different processes.
2
28
101
@_tsuro
stephen
6 years
You read that right, Andy implemented a fucking phone for a CTF challenge!
Thanks to osmocombb and the whole osmocom GSM network stack components I was able to build my own GSM phone for a #35c3ctf challenge. Any similarity with previous commercial phones is a pure coincidence. If you want to hack this thing, check out newphonewhodis and identitytheft.
23
451
1K
2
29
92
@_tsuro
stephen
5 years
For #WCTF this year we prepared two browser challenges. In the first one you had to get code execution in the renderer and the second was accessing a cross-origin website from a compromised renderer with site isolation in place. (1/n)
1
38
94
@_tsuro
stephen
5 years
I couldn't find a working RIDL exploit on the internet so I made it a challenge at the #GoogleCTF . 5/10 teams solved it in under 24h. I heard at least @dsredford will publish an exploit soon, stay tuned ;)
8
23
91
@_tsuro
stephen
2 years
What's your favorite domain name? I'll start: (by @cffsmith )
40
9
88
@_tsuro
stephen
6 years
And here are the writeups for my challenges. krautflare: @anbiondo made a really amazing writeup with in detail description of v8 turbofan's inner workings: namespaces: chroot escape + ptracing the supervisor 1/2
@_tsuro
stephen
6 years
The #35c3ctf started and I some challenges: krautflare: write an exploit for namespaces: a linux user namespaces sandbox filemanager: a web challenge logrotate: exploit my logrotate(8) config to get a root shell And if you're at #35c3 come and say hi!
1
9
43
2
30
87
@_tsuro
stephen
6 years
I wrote an exploit for the kotkit challenge of @RealWorldCTF , but we couldn't figure out in the end how to trigger a page load :(.
1
21
70
@_tsuro
stephen
8 years
Nobody solved my #33c3ctf recurse challenge. Solution was triggering a vfork+exit and then a bit heap-fu. Writeup:
2
29
71
@_tsuro
stephen
3 years
Cool, another public Spectre exploit in JavaScript: It's using type confusion in Chrome, similar to . If you own a website with multiple subdomains, make sure to follow to protect against these attacks.
0
36
66
@_tsuro
stephen
5 years
If you're interested in trying them out, you can find the challenges and solutions here: .
1
16
66
@_tsuro
stephen
6 years
As promised, we made some easier challenges for the #GoogleCTF this year for people new to CTFs. Check out . There might be cake in the end!
4
34
62
@_tsuro
stephen
5 years
I gave a lightning talk at the #36c3 on PathAuditor: The main point I tried to make is that this bug class is fun to research and easy to find. If you've watched it, I'd love some feedback:
1
15
63
@_tsuro
stephen
6 years
If you enjoyed that recent runc bug you should try out my namespace challenge from the #35c3ctf :
2
21
63
@_tsuro
stephen
6 years
If you liked my logrotate #35c3ctf challenge, check out this bug in tmpreaper: . The vulnerable pattern was: rename("/tmp/foo", "/tmp/foo/X") Though I didn't write a full exploit I believe this should give you a root shell.
0
11
60
@_tsuro
stephen
4 years
I set up an old favorite challenge of mine as a Christmas challenge: A gdb web UI running /bin/sleep. Can you pwn it?
3
14
60
@_tsuro
stephen
6 years
#GoogleCTF finals end of day one. @TokyoWesterns is leading followed by DEFKOR00T and @pastenctf
1
10
57
@_tsuro
stephen
2 years
A blast from the past. The first vulnerability I ever found and the stars aligned to make it exploitable: * spoof localhost ipv6 packets * bruteforce a weak password * a bss buffer overflow into a pointer * bruteforce libc since OS X did ASLR at boot Felt like a CTF challenge :)
This is another old (7+ years) P0 post that I had missed. This time it’s an amazing xdev writeup by @_tsuro : Finding and exploiting ntpd vulnerabilities
1
4
28
1
7
56
@_tsuro
stephen
3 years
If you wondered how Andy broke kCTF a few months ago, the write-up is now public! And it's excellent as usual :)
@theflow0
Andy Nguyen
3 years
Yet another Linux kernel exploitation write-up! CVE-2021-22555: Turning \x00\x00 into 10000$
34
429
1K
0
11
57
@_tsuro
stephen
5 years
I love the direction of @RealWorldCTF and I would like to see more real world targets in other CTFs as well. In particular, some beginner friendly challenges would be nice since most of these were really tough :).
@hankein95
Hanqing Zhao
5 years
Congrats to @PlaidCTF for winning the @RealWorldCTF final. I think the number of @nneonneo ’s championships is more than the number of CTFs I’ve played. See you guys in next year’s #realworldctf .
0
12
85
1
2
55
@_tsuro
stephen
3 years
"This is safe because [...]" Narrator: "it wasn't"
0
8
54
@_tsuro
stephen
4 years
Check out this Spectre CTF challenge! The exploit might become useful in the future :)
@DonjonLedger
Ledger Donjon
4 years
Ghostbuster is the sole challenge of the Donjon CTF which remained unsolved, but not unexplained. The exploit and the writeup are now public: . Lesson learned: CPUs are tricky! 👻 #spectre
2
26
80
0
6
52
@_tsuro
stephen
3 years
Make sure to check out while you're at it. I spent a lot of time on those animations ;). tl;dr: we access a cache line once and keep it in L1 indefinitely while probing the other elements. This allows us to inflate the timing difference for measurement.
1
12
51
@_tsuro
stephen
6 years
Cloudflare seems to have a very different risk perception than me. It sounds like they spent a lot of time thinking about how to mitigate Spectre in this platform but they don't care much for v8 0days / 1days.
@_fel1x
Felix Wilhelm
6 years
So Cloudflare trusts v8 for multi-tenant isolation? That's bold.
6
59
133
2
9
47
@_tsuro
stephen
6 years
#defconctf end of day one and we're in the first place \o/
0
3
46
@_tsuro
stephen
4 months
Anyone at #OffensiveCon wants to come bouldering Sunday morning? We can work on some V8 problems together!
5
1
46
@_tsuro
stephen
7 years
Here's my exploit for my heap challenge (300) of the #34c3ctf . I solved it by overwriting (older) libc's check_action variable using a corrupted unsorted bin. This disables abort on error and gives a write-what-where primitive.
1
9
45
@_tsuro
stephen
4 years
My weekend project: a small webapp to translate manga for me. It's using the Google Cloud Vision API for OCR and then an iframe to show translations. Next feature will be to automatically add the words to flash cards. Hardest part was the CSS :)
1
7
43
@_tsuro
stephen
6 years
The #35c3ctf started and I some challenges: krautflare: write an exploit for namespaces: a linux user namespaces sandbox filemanager: a web challenge logrotate: exploit my logrotate(8) config to get a root shell And if you're at #35c3 come and say hi!
1
9
43
@_tsuro
stephen
6 years
The gVisor sandbox is open source now. And it's super easy to sandbox your docker containers with it: docker run --runtime=runsc hello-world.
0
26
41
@_tsuro
stephen
4 years
I was curious and installed the messenger app: Chrome 83. --no-sandbox. Do electron apps with an up to date Chrome exist or is js exec always RCE by design?
@RenwaX23
Renwa
4 years
Facebook Messenger Local File Read using ElectronJS <webview> tag
4
124
297
5
7
40
@_tsuro
stephen
6 years
New keyboard!
1
1
40
@_tsuro
stephen
5 years
@shhnjk And for digging deeper there's the Mojo bindings for javascript that are fun to play with:
2
8
39
@_tsuro
stephen
7 years
I learned a lot about the heap again at #hitconctf . Here are my solutions for Ghost in the heap and Damocles:
0
15
38
@_tsuro
stephen
1 year
Look, mom. I'm on TV!
2
0
36
@_tsuro
stephen
5 years
On my way to #36c3 \o/. Hit me up if you want to chat about CTFs, Chrome exploitation or any other security topics!
0
0
36
@_tsuro
stephen
4 years
Everyone is talking about the virus but how is the preauth RCE still not patched? The vendor was probably like: requires physical proximity? => Low risk, won't fix
2
6
36
@_tsuro
stephen
6 years
I wrote an optimization pass that replaced x + 1 + 1 with x + 2 in v8 for the #GoogleCTF finals. Bummed that nobody solved it. Can someone at least trigger a crash? :)
2
8
32
@_tsuro
stephen
3 years
security concerns: * we believe the infrastructure provides a reasonable level of security for CTF competitions * if you're able to break it, you can get up to $10k in our VRP! * that includes public bugs, you don't have to find a 0day :) * (3/3)
3
3
35
@_tsuro
stephen
2 years
@_tsuro
stephen
3 years
5
18
227
0
2
35
@_tsuro
stephen
3 years
The year of Linux on the desktop?
1
0
34
@_tsuro
stephen
10 months
👁️👄👁️
0
0
35
@_tsuro
stephen
2 years
Why DiceGang is my favorite CTF team now. (Sorry @DragonSectorCTF )
@dicegangctf
DiceGang
2 years
Does your CTF team have a digital graphics department? DiceGang does. Here's how we solved `engraver` from Google CTF:
8
66
358
2
2
34
@_tsuro
stephen
4 years
Congrats to the three solvers 🏆: 1. @scumjr_ 2. @wcbowling 3. @0vercl0k Short writeup below ⬇️
@_tsuro
stephen
4 years
I set up an old favorite challenge of mine as a Christmas challenge: A gdb web UI running /bin/sleep. Can you pwn it?
3
14
60
1
5
34
@_tsuro
stephen
4 years
How is this not in every security talk?
0
5
33
@_tsuro
stephen
7 years
We ( @EatSleepPwnRpt ) made it to the 2nd place on ctftime this year with only 0.7 points to the first. Clearly the rating is still broken :)
0
5
34
@_tsuro
stephen
10 months
Why is nobody talking about the @TianfuCup this year? Is there any way to follow the results?
4
5
31
@_tsuro
stephen
6 years
Here's my exploit for the duktype interpreter (used in a challenge in this year's #defconctf ). tl;dr: the DUK_OP_SETALEN doesn't do any type checks and it gives you an easy arbitrary write.
1
10
29
@_tsuro
stephen
3 years
This series on chrome internals and exploitation is really well written, highly recommended.
@seal9055
seal
3 years
4th part of my series on Chrome Browser Exploitation is out. This part focuses on Turbofan, topics covered include: 1. Sea of Nodes Graph Representation 2. Turbolizer 3. Various Optimization Passes
1
48
159
0
6
30
@_tsuro
stephen
4 months
@_tsuro
stephen
3 years
5
18
227
1
2
30
@_tsuro
stephen
4 years
Here's a fun bug in bubblewrap (in rare configs only): If you're bored, this would have made a fun CTF challenge similar to my usual namespace challenges :). Just assume it's suid and unpriv user ns is available. cc @pastenctf @boryspop @adam_iwaniuk
0
4
29
@_tsuro
stephen
6 years
If you like web security you have to check out trusted types. This has potential to fix XSS once and for all!
@ChromiumDev
Chrome for Developers
6 years
🔒 Trusted Types is a new browser API to help prevent Cross-Site Scripting, specifically DOM XSS. @kkotowicz explains how it works:
6
190
347
1
5
29
@_tsuro
stephen
7 years
This year's #twctf had some really cool pwnables. Here's my solution for parrot exploiting an arb. null byte write:
0
12
28
@_tsuro
stephen
8 months
Narrator: M118 was not unhackable
1
3
27
@_tsuro
stephen
3 years
Andy decided to use a 0day anyway ¯\_(ツ)_/¯
@theflow0
Andy Nguyen
3 years
Yet another Linux kernel exploitation write-up! CVE-2021-22555: Turning \x00\x00 into 10000$
34
429
1K
0
3
28
@_tsuro
stephen
7 years
Since I didn't see any yet, here's a write up for my #GoogleCTF CFI challenge:
0
15
27
@_tsuro
stephen
4 years
I made it into a LiveOverflow video 🙈
@LiveOverflow
LiveOverflow 🔴
4 years
The last Vlog from the Google CTF finals in 2019. Who won?!
0
6
117
0
1
24
@_tsuro
stephen
4 years
Who is this mysterious team called Spatenbräu? We will never know.
@hxpctf
hxp
4 years
After some crazy last-minute flag submissions, hxp CTF 2020 is over! Congratulations to @pastenctf , Spatenbräu, and perfect guesser! 🎉
3
13
76
6
1
25
@_tsuro
stephen
2 years
The sandbox category is back!
@GoogleVRP
Google VRP (Google Bug Hunters)
2 years
1
96
261
1
2
25
@_tsuro
stephen
10 months
[v8CTF] We're going to update the deployed version on November 6th at 10am GMT+1
0
2
24
@_tsuro
stephen
6 years
Do you want to see a hard (!) chrome pwnable at #35c3ctf ?
Bring it on
135
Easy/Medium is better
60
No browsers plz
48
6
1
24
@_tsuro
stephen
10 months
Really cool, another v8ctf exploit \o/. Unfortunately, only the first submission per version is eligible if it's an n-day exploit :(
@tchght
ttt
10 months
I am so excited , finally, I got 2nd blood of v8ctf, wait to confirm, my exp need to brute, but i will write a writeup to prove I can increase its success rate!
2
1
63
0
0
23
@_tsuro
stephen
5 years
On my way to London for #ESCAL8 and the #GoogleCTF finals. Super hyped :)
0
1
22
@_tsuro
stephen
5 years
If you played the #GoogleCTF this weekend please give us feedback at . I heard some challenges were guessy so it will be very helpful if you can share details on which and why. Thanks!
0
8
21
@_tsuro
stephen
3 years
@Markak_ Cool! You should find the flags in `/var/lib/kubelet/pods/*/volumes/kubernetes.io~secret/*/..data/flag`
1
1
20
@_tsuro
stephen
5 years
I just upgraded to Ubuntu 19.10 and noticed that they enable -fcf-protection by default in gcc which adds an endbr64 instruction in every function prologue. This seems strange for two reasons:
3
4
19
@_tsuro
stephen
6 years
1
1
18
@_tsuro
stephen
7 years
This is the best writeup on advanced heap exploitation I've read in a while. I think technique 1 is what @maciekkotowicz used in #34c3ctf .
@Friz_N
frizn
7 years
From heap to RIP: getting code execution from pure glibc heap mechanics
3
191
352
0
5
18
@_tsuro
stephen
7 years
9h to go in the #GoogleCTF finals. I think we need harder challenges for @pastenctf next time :)
0
2
18
@_tsuro
stephen
5 years
Check out the video of last year's #GoogleCTF finals in London. We had a really cool event with great talks from security researchers too.
@GoogleVRP
Google VRP (Google Bug Hunters)
5 years
Ready for Google CTF 2019? Join us June 22/23 for 48 hours of 3p1c 1337 h4x1ng!
4
153
251
0
2
18
@_tsuro
stephen
6 years
filemanager: xs-search by abusing chrome's xss auditor as an oracle. Write-up from @l4wio here: logrotate: if you configure logrotate to touch user-controlled directories, you can race it to get a root shell:
@l4wio
Luật Nguyễn
6 years
My exploit code for `filemanager` challenge #35c3CTF (just had time to do 1 challenge) It's about XS-Search abusing XSS Auditor. Thanks @_tsuro for such fun challenge.
7
34
127
0
4
18
@_tsuro
stephen
6 years
E.g. it seems their approach for v8 bugs is mitigations + detection and hoping that their customer data is not valuable enough for attackers to use a 1day v8 bug for? So every high risk v8 bug is now a critical bug for Cloudflare?
1
3
17