Alex Plaskett

@alexjplaskett

Followers
10,074
Following
575
Media
283
Statuses
5,260

Security Researcher | Pwn2Own 2018, 2021, 2022, 2024 | Tweets about 0day, OS, mobile and embedded security.

Joined June 2016
Pinned Tweet
@alexjplaskett
Alex Plaskett
2 months
40-page whitepaper on Exploiting Sonos One Over-The-Air talk!
4
113
338
@alexjplaskett
Alex Plaskett
1 year
As requested, a thread about remote kernel exploits! Part 1 - Linux and macOS/iOS. 👇
5
180
651
@alexjplaskett
Alex Plaskett
2 years
🔥 1/ In the last 6 months working on Linux kernel bug hunting/exploitation there have been a number of key resources which have been super useful (coming from a macOS/Windows background) to understand the state of things in 2022 🚀. Here's a short 🧵 to recognise this + thoughts:
8
196
594
@alexjplaskett
Alex Plaskett
2 years
✍️ 1/ Want to learn how to bug hunt in hard targets and find high impact issues? Here’s a short Sunday 🧵 for those starting out and some general thoughts from over the years on software security:
11
127
466
@alexjplaskett
Alex Plaskett
2 years
Just posted a rare non-technical short blog aiming to demystify security research a bit. Part 1 is focusing on choosing topics, approach, mindset. I feel like as an industry we often see the output from research but less about the process of getting there.
3
139
465
@alexjplaskett
Alex Plaskett
2 years
🔥 Like Windows Kernel exploitation? You're in luck! 10 items of Windows kernel exploit research from 2020/2021 🧵
4
136
418
@alexjplaskett
Alex Plaskett
2 months
2
30
396
@alexjplaskett
Alex Plaskett
2 months
exploit developers reading yet another RFC to see how IPv6 option processing works
4
49
380
@alexjplaskett
Alex Plaskett
4 years
CVE-2020-9967 - Apple macOS XNU 6LowPan Kernel RCE Write-up #macOS #codeql
10
108
362
@alexjplaskett
Alex Plaskett
2 years
I am often asked what books have had the most impact on me in security. This is a really tough question as I have read so many; however, here are some I have on my shelf and why they were important to me 👇
13
62
345
@alexjplaskett
Alex Plaskett
8 months
Some material for those learning Ghidra by Craig Young & Tripwire!
0
114
339
@alexjplaskett
Alex Plaskett
2 years
🔥 1/ As promised here is the long blog write-up of a 6 year old Linux kernel UAF vulnerability (CVE-2022-32250) which we exploited multiple times to gain reliable priv esc on Ubuntu 22.04. @nccgroupinfosec EDG @saidelike @fidgetingbits @alexjplaskett 🧵
@NCCGroupInfosec
NCC Group Research & Technology
2 years
Blog: SETTLERS OF NETLINK: Exploiting a limited UAF in nf_tables (CVE-2022-32250) against the latest Ubuntu (22.04) and Linux kernel 5.15 - by @saidelike , @alexjplaskett and @FidgetingBits -
1
65
151
7
126
302
@alexjplaskett
Alex Plaskett
2 years
I recently got asked about WiFi over-the-air exploits and my knowledge was fairly rusty. In refreshing this I went over a number of papers and tooling - here are 8 of them! 🧵
3
85
284
@alexjplaskett
Alex Plaskett
3 years
Ever wanted to exploit Windows 10 with CVE-2021-31956? Obsessive about kernel memory layouts? is now up focusing on exploit reliability, stability and detection! #windows
@NCCGroupInfosec
NCC Group Research & Technology
3 years
Blog: CVE-2021-31956 Exploiting the Windows Kernel (NTFS with WNF) - Part 2 - including thoughts on detection by @alexjplaskett
2
99
239
8
118
271
@alexjplaskett
Alex Plaskett
9 months
Continuing on from my previous thread on remote exploits (macOS/Linux), here is the eagerly anticipated Windows version! A small selection from multiple areas! #cybersecurity #windows
2
74
246
@alexjplaskett
Alex Plaskett
2 years
Struggling to keep up with recent security research or want some helpful tips? Here are some threads I have created which may help you 👇
5
57
244
@alexjplaskett
Alex Plaskett
2 months
✍️ Reverse Engineering For Everyone! by @mytechnotalent
2
84
249
@alexjplaskett
Alex Plaskett
7 months
With so many high achieving people in security it’s common to feel like you never get enough work done. You should always take a step back and appreciate yourself. If you worked hard it will compound! Keep the momentum up! 💪
8
48
242
@alexjplaskett
Alex Plaskett
7 months
One problem with software security is that there are lots of materials explaining specific vulns or exploits but not many giving a broad structured overview in one place. This free book on Low-Level Security for Compiler Developers aims to address this.
1
88
238
@alexjplaskett
Alex Plaskett
2 years
Here are some of the presentations I found the most interesting within the macOS/iOS Kernel Security research space in 2022! 🧵
3
65
222
@alexjplaskett
Alex Plaskett
2 years
Everyone knows that a firewall is meant to provide network security. However, what happens if that appliance has vulnerabilities on your external perimeter? Here’s 5 firewall and VPN exploit research from the past:
7
58
198
@alexjplaskett
Alex Plaskett
2 years
At the end of last year I decided to take a look into consumer router security (Netgear, TP-Link, Synology) and damn was there a lot of great previous research! Here are some articles which practically demonstrate RCE from a LAN or WAN perspective:
2
61
197
@alexjplaskett
Alex Plaskett
2 years
Just picked up the hardware hacking handbook. Looking forward to levelling up some of the hardware areas I know less about!
3
23
189
@alexjplaskett
Alex Plaskett
2 years
Want to know how to find bugs through fuzzing others miss? 10 insights from practical experience 👇
1
53
187
@alexjplaskett
Alex Plaskett
11 months
Jailbreaking the Sonos Era 100. The Era 100 is Sonos’s flagship device, released on March 28th 2023, and is a notable step up from the Sonos One. @NCCGroupInfosec found multiple weaknesses within the bootloader which could lead to full compromise. #sonos
2
65
188
@alexjplaskett
Alex Plaskett
2 years
1/ As someone who has reviewed hundreds of CVs for job applications in the past, I just want to highlight some personal tips for vulnerability researchers in order to maximise their applications (i.e. outside typical career history and education). 🧵
2
41
185
@alexjplaskett
Alex Plaskett
7 months
The amount of free training courses available these days for #cybersecurity is wild. People ask me if it's worth paying for a specific course. First, have you seen all the free material out there? Let's dig into a selection! 👇
4
72
175
@alexjplaskett
Alex Plaskett
5 years
Friday was my last day at F-Secure (ex-MWR) after 12 years. Been quite a ride and grateful I had the opportunity to work with some brilliant people! Looking forward to new challenges now! If anyone’s interested in hiring me for a UK role, please reach out.
17
42
170
@alexjplaskett
Alex Plaskett
7 years
Finally got round to writing up an overview of a few of my recent Apple macOS/iOS priv esc vulns. and also
3
105
171
@alexjplaskett
Alex Plaskett
3 years
1/18 As 2021 is starting to come towards an end, now seems to be a good time to look back at all the great macOS vulnerability research / exploit development published during the year! Tried to keep to macOS mainly but obviously there's some crossover with iOS research too. 🧵
1
52
166
@alexjplaskett
Alex Plaskett
6 years
Here's the write-up of the Mobile Pwn2Own Android Huawei Mate 9 Pro Chain: by @NerdKernel and myself. #Pwn2Own #MP2O
2
120
166
@alexjplaskett
Alex Plaskett
8 months
Game hackers really do perform in-depth reverse engineering! A great post on analysis of Valorant's Guarded Regions by @Xyrem256. Reverse engineering integrity checks in Black Ops 3 by @momo5502.
2
36
167
@alexjplaskett
Alex Plaskett
10 months
Another interesting talk by industry legend and prolific bug hunter @ivansprundel on TCP/IP stack fuzzing at #37c3 Ilja talks about his experiences co-opting an existing userland TCP/IP stack to perform stateful fuzzing. He goes through the history,
1
54
162
@alexjplaskett
Alex Plaskett
8 months
Another really great free book is “Hacking the Xbox: An Introduction to Reverse Engineering” by @bunniestudios
3
49
155
@alexjplaskett
Alex Plaskett
3 years
Exploiting Windows 10 20H2 NTFS with WNF. Thanks to all who contributed earlier research in this area!
@NCCGroupInfosec
NCC Group Research & Technology
3 years
Blog: CVE-2021-31956 - Exploiting the Windows Kernel via NTFS with WNF – Part 1 by @alexjplaskett -
3
132
302
0
38
151
@alexjplaskett
Alex Plaskett
5 months
Happy to announce @robHerrera_ and myself will be presenting about Sonos Over-The-Air Remote Kernel Exploitation and Covert Wiretap at BlackHat USA this year! We will demo remotely compromising the device and capturing audio.
10
32
147
@alexjplaskett
Alex Plaskett
5 years
Something a little different from my usual 0day research, just published a write-up of using DynamoDB streams and AWS Lambda functions for post-processing of crash logs for fuzzing triage:
0
39
144
@alexjplaskett
Alex Plaskett
8 months
TIL there’s a fantastic free book for anyone wanting to understand Linux Kernel Module Programming for recent kernels (5.*) #linux #programming
1
25
144
@alexjplaskett
Alex Plaskett
2 years
I got asked the other day if there is any advice for those wanting to get more into vuln research. Off the top of my head I didn’t give a great answer! So here are 5 things now that I have actually thought about it more:
2
38
134
@alexjplaskett
Alex Plaskett
2 years
Interesting paper on finding and exploiting vulns within H.264 decoders:
0
46
141
@alexjplaskett
Alex Plaskett
2 months
✍️ Reverse-engineering an encrypted IoT protocol by smix
1
41
137
@alexjplaskett
Alex Plaskett
9 months
So yes, we really did exploit a car IVI to run a playable Doom, complete with touchscreen interaction!
@thezdi
Zero Day Initiative
9 months
Confirmed! NCC Group EDG ( @nccgroupinfosec , @_mccaulay , and @alexjplaskett ) successfully used a 2-bug chain against the Alpine Halo9 iLX-F509. Style points for playing DOOM on the device! #Pwn2Own
0
9
61
12
17
137
@alexjplaskett
Alex Plaskett
2 years
1/⚠️ CVE-2022-32250 (CVE-2022-1966) - A 6 year old bug in the Linux kernel by @nccgroupinfosec EDG @saidelike @fidgetingbits @alexjplaskett Vuln write-up: Pretty fun bug to work on + challenging to exploit. We rewrote the exploit many times. More info soon
@NCCGroupInfosec
NCC Group Research & Technology
2 years
CVE-2022-32250 (CVE-2022-1966) - A 6 year old bug in the Linux kernel exploited by @nccgroupinfosec EDG @saidelike @fidgetingbits @alexjplaskett Vuln write-up: Exploit write-up coming soon.
3
90
213
5
34
135
@alexjplaskett
Alex Plaskett
2 months
✍️ Blackbox-Fuzzing of IoT Devices Using the Router TL-WR902AC as an Example
0
37
129
@alexjplaskett
Alex Plaskett
7 months
A blog on reversing Dark Souls 3 networking by Tim Leonard: Connection, Packets, Key Exchange, Reliable UDP. More:
1
47
128
@alexjplaskett
Alex Plaskett
10 months
A very digestible presentation about fuzzing with LibAFL and QEMU. Slides: Code: #37c3
See our ( @aflplusplus team's) talk on how to "Fuzz Everything, Everywhere, All at Once" with LibAFL and QEMU today at 13:50 on Stage 1 at #37c3 #LibAFL #Fuzzing
2
20
143
0
33
125
@alexjplaskett
Alex Plaskett
1 year
I have just released my slides for "VR for Pwn2" from @syspwnx talk I gave yesterday. Covering general P2O/VR experience, SoHo Smash-Up Ubiquiti and Lexmark printers.
1
35
123
@alexjplaskett
Alex Plaskett
22 days
Watching the legend that is @theflow0 (eta jailbreak??1!)
1
7
122
@alexjplaskett
Alex Plaskett
5 months
✍️ "An Introduction to Chrome Exploitation: Maglev Edition" by @matteomalvica is a great write-up for understanding the V8 pipeline and Chromium security. The post features a detailed walkthrough of CVE-2023-4069. Highly recommended!
1
23
118
@alexjplaskett
Alex Plaskett
2 months
✍️ Reverse engineering a Rust game binary from corCTF 2024 by Ignacio Gutiérrez Gómez
0
26
118
@alexjplaskett
Alex Plaskett
3 months
✍️ Reverse engineering an IP camera by Alex Porto
2
50
115
@alexjplaskett
Alex Plaskett
2 months
My team EDG is looking for an experienced exploit developer! RTs welcome! This is a full time research and development role, primarily contributing to the development of capabilities for consultants, showcasing knowledge, collab with other teams etc.
2
50
114
@alexjplaskett
Alex Plaskett
6 months
New blog from @gabe_k just dropped on discovering multiple vulns in Windows 11 24H2 + exploitation and nice KASLR bypass.
0
35
113
@alexjplaskett
Alex Plaskett
4 months
Seeing a lot more interest/investigations around using LLM agents and tool integration for automated hacking / CTFs recently. by NYU / @moyix by project zero by @daveaitel
5
29
113
@alexjplaskett
Alex Plaskett
10 months
Cool hardware hacking talk on the Nintendo DSi today at #37c3 by PoroCYon. They did the following:
1) Dump the ARM7 ROM using vector glitch hack
2) Dump the ARM9 ROM using double glitch hack
3) Find weak spots in the ARM9 ROM
1
31
110
@alexjplaskett
Alex Plaskett
2 months
✍️ Reverse engineering an RF signal by Sami Alaoui
0
32
104
@alexjplaskett
Alex Plaskett
5 years
Now that Apple's XNU KDK 10.15.4 build 19E287 is released, it means that it is possible to kernel debug and run a KASAN kernel the same version as the current released macOS build! Have updated my old blog post with this version now:
2
33
104
@alexjplaskett
Alex Plaskett
2 years
🔥 6 remote exploit demos from @_mccaulay and my presentation "Your not so 'Home Office' - SOHO Hacking at Pwn2Own" at @hitbSecConf by @nccgroupInfosec EDG. Slides: #HITB2023AMS
5
38
105
@alexjplaskett
Alex Plaskett
5 months
✍️ Reversing a Samsung WB850F compact camera Firmware by Georg Lukas
0
23
102
@alexjplaskett
Alex Plaskett
4 months
✍️ IPC Fuzzing with Snapshots by @mozdeco
0
31
100
@alexjplaskett
Alex Plaskett
2 months
✍️ Bugs of Yore: A Bug Hunting Journey on VMware's Hypervisor by @_zisis
0
17
97
@alexjplaskett
Alex Plaskett
1 year
If you missed @saidelike and my @offensive_con talk on Exploit Engineering - Attacking the Linux Kernel it is now up on Slides: #OffensiveCon23
@offensive_con
offensivecon
1 year
#OffensiveCon23 recordings are now live! Hope you enjoy :)
4
277
630
1
31
95
@alexjplaskett
Alex Plaskett
13 days
✍️ AMD-V Hypervisor Development - A Brief Explanation by @medievalghoul
0
15
96
@alexjplaskett
Alex Plaskett
1 month
✍️ Windows Registry Adventures by @j00ru
0
30
94
@alexjplaskett
Alex Plaskett
1 year
Hi Hackers, Let’s celebrate all our wins and inspire others by dropping a link below to a write-up of some public security research you’re the most proud of! Don’t be shy! Let’s goo! 👇 #CyberSecurity
20
14
93
@alexjplaskett
Alex Plaskett
3 years
This was a fun bug to exploit! Sadly had a collision before having time to port to COS for KCTF. Was kinda expected with stock syzkaller bugs 😂
@NCCGroupInfosec
NCC Group Research & Technology
3 years
NCC Group's EDG also developed a POC exploit recently for CVE-2022-0185 (Linux kernel root and a container breakout) by @alexjplaskett @FidgetingBits @saidelike - Make sure to get those patches deployed - / or implement mitigation
0
58
143
0
21
93
@alexjplaskett
Alex Plaskett
8 months
Looks like quite a few interesting papers from NDSS Symposium 2024 (LLM/Fuzzing/Exploitation):
Large Language Model guided Protocol Fuzzing
DeGPT: Optimizing Decompiler Output with LLM
DeepGo: Predictive Directed Greybox Fuzzing
0
32
92
@alexjplaskett
Alex Plaskett
5 months
Ooh cool @travisgoodspeed has written a book on Microcontroller Exploits. Will certainly be adding this to my collection!
1
31
94
@alexjplaskett
Alex Plaskett
10 months
Just looking through the technical talks at CCC this year, there’s quite a few interesting sounding ones coming up!
Operation Triangulation: What You Get When Attack iPhones of Researchers by @oct0xor @kucher1n @bzvr_
Apple's iPhone 15: Under the C
1
20
90
@alexjplaskett
Alex Plaskett
1 month
✍️ Next-Level Reversing: Binary Ninja+TTD by @seeinglogic
1
20
91
@alexjplaskett
Alex Plaskett
4 years
Just published a small article about the tooling available for coverage guided fuzzing in Go. Might save some other Go newbies some background research time.
0
37
89
@alexjplaskett
Alex Plaskett
1 month
✍️ 4 exploits, 1 bug: exploiting cve-2024-20017 4 different ways by @hyprdude
2
19
90
@alexjplaskett
Alex Plaskett
3 years
Writeup of a remote code execution vulnerability in Western Digital PR4100 used at Pwn2Own 2021 by @NCCGroupInfosec EDG ( @alexjplaskett @saidelike @FidgetingBits ). Vuln was in AppleDouble file format handling, which you may recognise from a recent Samba vuln too.
@NCCGroupInfosec
NCC Group Research & Technology
3 years
Blog: Remote Code Execution on Western Digital PR4100 NAS (CVE-2022-23121) OR how sleep() saved pwn2own - by @alexjplaskett , @saidelike and @FidgetingBits
1
42
118
3
26
89
@alexjplaskett
Alex Plaskett
3 years
Crashing to obtain root! Here are the tech details of a vuln which could be used to compromise Lexmark printers with network level access at Pwn2Own. Dir traversal file write through PJL was discovered and exploited + AWK crash to abuse the crash handling.
@NCCGroupInfosec
NCC Group Research & Technology
3 years
Blog: Analyzing a PJL directory traversal vulnerability – exploiting the Lexmark MC3224i printer (part 2) by @saidelike , @alexjplaskett and @FidgetingBits
0
32
81
1
43
86
@alexjplaskett
Alex Plaskett
5 months
✍️ An introduction to PCIe for beginners from the software side with plenty of practical examples on Windows:
0
25
87
@alexjplaskett
Alex Plaskett
15 days
✍️ VMProtect 2 - A detailed analysis of the virtual machine architecture:
0
19
88
@alexjplaskett
Alex Plaskett
2 months
✍️ RISCVuzz: Discovering Architectural CPU Vulnerabilities via Differential Hardware Fuzzing
0
17
86
@alexjplaskett
Alex Plaskett
8 months
A thread on recent automotive security research. I will highlight a selection of things which caught my eye during recent explorations. #automotive #cybersecurity
1
27
85
@alexjplaskett
Alex Plaskett
2 months
✍️ Take a Step Further: Understanding Page Spray in Linux Kernel Exploitation
1
25
85
@alexjplaskett
Alex Plaskett
2 years
📣 1/ @nccgroupinfosec Exploit Development Group is looking for a 4th team member to join our team. To develop exploits for consultants to achieve their objectives on engagements, perform research and development, do Pwn2Own etc. Our recent work 🧵
3
27
84
@alexjplaskett
Alex Plaskett
6 years
Here are the slides from @NerdKernel and my talk at @hacktivityconf 2018. Slides: Whitepaper: I think that's enough Android for now, new research coming soon! :) #Hacktivity2018
0
46
82
@alexjplaskett
Alex Plaskett
8 months
Here is a collection of great articles which show extending syzkaller grammars and pseudo-syscalls. Tickling ksmbd: fuzzing SMB in the Linux kernel by @notselwyn by @xairy
2
21
83
@alexjplaskett
Alex Plaskett
6 months
One interesting talk I noticed recently was "LLM4Shell: Discovering and Exploiting RCE Vulnerabilities in Real-World LLM-Integrated Frameworks and Apps"
1
24
83
@alexjplaskett
Alex Plaskett
4 months
My heap ninja colleague @FidgetingBits has just published a blog about exploiting CVE-2022-24834 against a Redis container running on Alpine Linux.
0
20
81
@alexjplaskett
Alex Plaskett
9 months
If you’re interested to see what type of software defects SOHO routers have, check out our research - 7 exploit chains (Netgear, TP-Link, Synology, Ubiquiti) and pivoting from WAN > LAN. Slides: Video: #cybersecurity #routers
1
40
77
@alexjplaskett
Alex Plaskett
2 years
New reading material 🌶️
3
9
75
@alexjplaskett
Alex Plaskett
5 months
✍️ A summary of techniques used to hide the backdoor in the xz incident by Hcamael @Knownsec 404 Team
0
28
78
@alexjplaskett
Alex Plaskett
2 months
0
6
75
@alexjplaskett
Alex Plaskett
4 months
✍️ TIKTAG: Breaking ARM’s Memory Tagging Extension with Speculative Execution
1
23
77
@alexjplaskett
Alex Plaskett
8 days
Applying LLMs for security related tasks has been a hot topic recently. Here's a thread of certain material which caught my eye! 🧵
2
20
90
@alexjplaskett
Alex Plaskett
2 months
Not long left until tomorrow the 8th 11:20 PST when myself and @robHerrera_ demonstrate remote kernel code execution and audio capture implant deployment against Sonos devices in @BlackHatEvents South Pacific F, Level 0. #BHUSA
2
19
74
@alexjplaskett
Alex Plaskett
11 months
@TheCyberJoe
Joe Gardiner
11 months
Today we've gone public with a vulnerability we found in cow tracking collars. My project student Sam was able to fully reverse the protocol, allowing us to both read and inject animal activity data. The paper is available here under open access
8
28
88
3
11
74
@alexjplaskett
Alex Plaskett
1 month
✍️ Remote, One-Click, Breaking through Smartphones via a Non Well-Known Remote Attack Surface by @Thankkong @Fantasyoung_ @Second2st
0
19
73
@alexjplaskett
Alex Plaskett
2 years
When it seems like you are not finding any vulns, when you’re just about to give up, when it feels impossible: that’s exactly when it’s time to double down and go harder than ever!
2
9
71