Faith 🇧🇩🇦🇺

@farazsth98

Followers
3,448
Following
316
Media
58
Statuses
820

Lead Cosmos Security Engineer @zellic_io , CTFer @SuperGuesser , Prev: Android Vulnerability Research @dfsec_com

Perth, Australia
Joined May 2019
@farazsth98
Faith 🇧🇩🇦🇺
6 months
Absolutely amazing, they had one job...
@nixcraft
nixCraft 🐧
6 months
OMG. This is the real deal. Bython: Python with braces. Because Python is awesome, but whitespace is awful. Bython is a Python preprocessor which translates curly brackets into indentation. Would you use this?
179
134
1K
17
56
782
@farazsth98
Faith 🇧🇩🇦🇺
3 years
Pushed some notes on some hypervisor research that I've been doing recently: . The template is pretty useful for quickly verifying / falsifying any assumptions you may make while auditing code (and of course, for exploit development too).
3
79
230
@farazsth98
Faith 🇧🇩🇦🇺
5 years
As I've recently gotten into browser exploitation, I thought I'd solve and do a writeup for a CTF challenge from earlier this year that really doesn't have any detailed writeups. Hope someone finds my writeup for *CTF 2019 oob-v8 useful! DMs are open.
3
70
189
@farazsth98
Faith 🇧🇩🇦🇺
4 years
First blog post of 2021! Let's analyze CVE-2020-16040 and learn how TurboFan's Simplified Lowering Phase works in detail :D
6
59
160
@farazsth98
Faith 🇧🇩🇦🇺
9 months
1/ I spent a lot of my time in the past 4-5 days analyzing the vulnerability exploited in the KyberSwap exploit, and it's led me to one conclusion: It is almost impossible for an auditor during an audit / competition to have found this vulnerability.
9
20
150
@farazsth98
Faith 🇧🇩🇦🇺
4 years
Finally put out a new blog post! This one goes through a very detailed root cause analysis of the new V8 vulnerability found and reported by Sergey Glazunov of Project Zero. Hope you enjoy the read!
@elttam
elttam
4 years
Check it out! New blog post! Simple bugs with complex exploits - an analysis of a v8 vulnerability from P0 by @farazsth98 at
1
23
72
3
47
123
@farazsth98
Faith 🇧🇩🇦🇺
4 years
Well seems like we won Union CTF 2021 :p The notepad challenge was pretty good. It showcased a C++ bug class that is very often found in real world code bases (for example, in Chrome). Read my brief writeup here:
2
34
123
@farazsth98
Faith 🇧🇩🇦🇺
6 months
Since I had some trouble getting VirtualBox built + a debugging setup, I ended up documenting it. Was about time I dusted off this repo😅I wrote about QEMU research years ago and that was definitely useful to me for VirtualBox. I hope it's helpful!
@farazsth98
Faith 🇧🇩🇦🇺
6 months
First day back from holiday: confirmed 0day in VirtualBox. Or so I thought... the bug is basically useless and not exploitable at all.🙃 Was inspired by @theflow0 's recent VirtualBox vulnerabilities. I'm determined to find and exploit a VirtualBox 0day now😩 More soon🤞
4
3
117
0
29
119
@farazsth98
Faith 🇧🇩🇦🇺
6 months
First day back from holiday: confirmed 0day in VirtualBox. Or so I thought... the bug is basically useless and not exploitable at all.🙃 Was inspired by @theflow0 's recent VirtualBox vulnerabilities. I'm determined to find and exploit a VirtualBox 0day now😩 More soon🤞
@farazsth98
Faith 🇧🇩🇦🇺
7 months
Going on holiday for 2 weeks, flight is later today, and of course I find a potential vulnerability right now... It's not web3 so it can wait the 2 weeks, but can my brain handle the wait? 😩😩😩
3
0
32
4
3
117
@farazsth98
Faith 🇧🇩🇦🇺
7 months
Was just reading through some old (ish?) Project Zero blog posts and came across this paragraph where Jann Horn explains how he found a gigabrain critical bug in the Linux kernel while trying to explain how a bugfix worked. Vulnerability research is truly an art..
2
11
106
@farazsth98
Faith 🇧🇩🇦🇺
2 years
Happy to announce that I'll be joining the team at @zellic_io as an auditor and researcher soon 😄 can't wait to have a fresh start back into security, especially with some old CTF teammates of mine 😩 @gf_256 @ret2jazzy
8
7
105
@farazsth98
Faith 🇧🇩🇦🇺
6 months
I keep finding OOB read vulnerabilities in VirtualBox😭 This one I'm pretty sure leads to an info leak, but it's difficult, and a nice OOB write would be much easier to use for an info leak + exploit anyway. I just want one exploitable bug😭give me some OOB writes or UAFs😭
2
4
103
@farazsth98
Faith 🇧🇩🇦🇺
9 months
New blog post coming soon😄 hopefully before the new year, but we'll see!🤞
12
4
96
@farazsth98
Faith 🇧🇩🇦🇺
3 years
jmp rsp in 2021
@_fel1x
Felix Wilhelm
3 years
You might want to update your F5 Big IP appliances: . and are two data-plane bugs that got fixed.
13
344
751
1
12
86
@farazsth98
Faith 🇧🇩🇦🇺
4 years
We won Dragon CTF 2020! Perfect ⚔️ Guesser is pretty strong :D A bunch of us spent around ~30-40 hours total to solve @j00ru 's BitmapManager. Here is a writeup:
4
17
84
@farazsth98
Faith 🇧🇩🇦🇺
9 months
Found a critical vulnerability last month after deciding to randomly start looking for bugs in Substrate based chains. More details in the thread and blog post below:
@zellic_io
Zellic
9 months
The dangers of integer truncation: How the Zellic team found a critical vulnerability in the @AstarNetwork . This bug allowed an attacker to drain certain LP contracts on the Astar-EVM, with no bugs required in the contracts. Read more: 🧵👇
3
46
230
3
8
80
@farazsth98
Faith 🇧🇩🇦🇺
4 years
Happy new year everyone!! Finally graduated from university. 2021 will be my year :)
7
0
77
@farazsth98
Faith 🇧🇩🇦🇺
7 months
🥳 New higher goals have officially been set ✅
@immunefi
Immunefi
7 months
Dear @farazsth98 , we've never had a doubt that you would reach this height so soon. Your dedication and consistency make you the prime example of what speed looks like in this industry. It's only a matter of time until you get top 50 on Immunefi. Keep working on it! 👾⭐️
4
3
47
14
1
73
@farazsth98
Faith 🇧🇩🇦🇺
8 months
Found the web3 equivalent of a ping of death at the end of 2023. A single message that crashes any node on the network instantly, no privileges required. Can't disclose details yet, but definitely more details to come when I'm able to share them👀
5
2
76
@farazsth98
Faith 🇧🇩🇦🇺
2 years
I know I don't do browser vuln research anymore, but it's nice to see glazunov is still a beast at it. Honestly a role model to vuln researchers in any field. The work ethic of this man and the results he puts out is insane
@ProjectZeroBugs
Project Zero Bugs
2 years
Chrome: Design flaw in Synchronous Mojo message handling introduces unexpected reentrancy and allows for multiple UAFs
0
25
123
2
8
67
@farazsth98
Faith 🇧🇩🇦🇺
3 years
wtf so glibc heap note challenges are actually useful irl??? 😳😳
@SecuriTeam_SSD
SSD Secure Disclosure
3 years
New advisory is now out! The Nighthawk R7000 is a popular Netgear router, with over 50,000 positive reviews on Amazon. Find out how a vulnerability in NETGEAR R7000 allows an attacker to run arbitrary code without requiring authentication.
4
50
237
2
6
66
@farazsth98
Faith 🇧🇩🇦🇺
4 years
I realized today that I never **really** learned C++. My only experience with C++ has been auditing browser code, which never really makes use of some of the more complex C++ constructs (or at least Chrome doesn't) So basically this is just amazing to me:
1
9
63
@farazsth98
Faith 🇧🇩🇦🇺
4 years
GG! We won Balsn CTF this year as Super⚔️Blue 🥳🎉 The pwn challenges were really hard imo. Here's my commented exploit script for Diary: It's too complicated to make a writeup for this...
2
5
64
@farazsth98
Faith 🇧🇩🇦🇺
4 years
We won WACTF!! :D
5
2
63
@farazsth98
Faith 🇧🇩🇦🇺
7 months
Here's a short write-up for SafeBridge from the 6th Real World CTF. The bug is in the L1 bridge contract. Can you spot it in the code below? The writeup + both bridge contracts + the exploit are included in the gist below.
@farazsth98
Faith 🇧🇩🇦🇺
7 months
Real World CTF's Safe Bridge was a nice challenge! somewhat of a realistic bug in my opinion, which made it all the more interesting 😄
1
0
23
6
5
61
@farazsth98
Faith 🇧🇩🇦🇺
9 months
In January 2023, I reported two bugs to the Cronos Gravity Bridge Immunefi project. These bugs would allow an attacker to halt all or parts of the bridge. Here's a very belated writeup on the bugs:
6
9
61
@farazsth98
Faith 🇧🇩🇦🇺
4 years
lmao wtf
@BugsChromium
Chromium Disclosed Security Bugs
4 years
Security: UAF in UrlLoaderFactoryProxyImpl (reward: $20000)
4
11
57
1
5
56
@farazsth98
Faith 🇧🇩🇦🇺
4 years
Some FreeBSD kernel info leaks I reported while working at elttam just got disclosed today in an advisory. It was fun working on FreeBSD for a little while!
@elttam
elttam
4 years
Details + PoC for a couple of FreeBSD kernel info leaks that were released today (CVE-2020-25578 and CVE-2020-25579) available here:
0
31
86
1
2
56
@farazsth98
Faith 🇧🇩🇦🇺
8 months
Last two Immunefi bug reports from 2023 got paid out recently. Can't wait to see where I end up on the leaderboard after it gets updated😄
6
2
54
@farazsth98
Faith 🇧🇩🇦🇺
7 months
Sherlock marketing team woke up and chose violence today
5
1
53
@farazsth98
Faith 🇧🇩🇦🇺
4 years
My V8 challenge got first blooded in the first 6 hours! Check out if you want to give it a shot as well!
1
6
51
@farazsth98
Faith 🇧🇩🇦🇺
4 years
1
7
53
@farazsth98
Faith 🇧🇩🇦🇺
9 months
Upgrading to Elite very soon😉
@immunefi
Immunefi
9 months
One more joins the circle. Congrats and welcome @farazsth98 , an official Immunefi Initiate!
3
1
22
2
3
50
@farazsth98
Faith 🇧🇩🇦🇺
7 months
I swear there's always like a hundred false positives before you get to that one juicy bug 😒
3
3
49
@farazsth98
Faith 🇧🇩🇦🇺
9 months
Requested by @OddlySpecivik to post this 😄 Still have 2 crits that are confirmed but not paid yet, but hey, not bad for ~1.5-2 months of bug hunting in the entire year
6
2
48
@farazsth98
Faith 🇧🇩🇦🇺
7 months
I'm close! A few more days until the second bounty gets recognized on the dashboard. Wondering if I'll make top 50 or not 😩😩😩
4
1
47
@farazsth98
Faith 🇧🇩🇦🇺
4 years
Was just writing up a bug report, and while copying code over, I found another bug 😩 I want to finish this report... but new bug....
2
0
44
@farazsth98
Faith 🇧🇩🇦🇺
3 years
Made a writeup for b64lib from S4CTF. Was a very good challenge written by @ptrYudai , very very subtle bug, and fortunately not a heap note :D Most of the credit goes to the god @RBTree_ for spotting the bug that let us leak libc
2
12
44
@farazsth98
Faith 🇧🇩🇦🇺
4 years
It's been a long time since I actually played a CTF. SECCON CTF 2020 from last weekend had some great pwn challenges. I solved "lazynote" (by @ptrYudai ) after the CTF ended (without looking at writeups). Here is my writeup! Enjoy!
1
7
42
@farazsth98
Faith 🇧🇩🇦🇺
7 months
Thanks @immunefi ! Looks very comfy 🙏 Thankfully the Australian winter is in a few months, will be able to wear this out and about soon 😄
4
0
43
@farazsth98
Faith 🇧🇩🇦🇺
4 years
So @elttam recently released a set of Linux memory corruption challenges called Corrupt Penguin. I'll do a livestream attempting to solve all of these challenges this Saturday at 4:00pm AWST! Hopefully I still got my pwning skills intact :D Stay tuned!
2
11
40
@farazsth98
Faith 🇧🇩🇦🇺
4 years
We won somehow.. Last hour was so tense!
2
0
41
@farazsth98
Faith 🇧🇩🇦🇺
7 months
Been working on a fuzzer recently (details coming maybe later👀) 100x performance loss after I added support for fuzzing some Elliptic Curve operations 🥲 Each EC operation takes ~2.5ms to run (and it's native code)... Need to work on scaling this across multiple cores later
1
1
42
@farazsth98
Faith 🇧🇩🇦🇺
2 years
@snyff Variant analysis is also a heavily underestimated technique for finding new bugs. Sometimes even attempting to trigger an old CVE bug will result in you noticing that something is off, or that the patch for the old bug wasn't complete, or etc.
1
2
40
@farazsth98
Faith 🇧🇩🇦🇺
7 months
I was this close 🥲 Alright, now how to find the time to grind out some Immunefi....
6
0
41
@farazsth98
Faith 🇧🇩🇦🇺
4 years
All set up for WACTF this weekend! It's my first and last local CTF for this year 😩😩
4
1
41
@farazsth98
Faith 🇧🇩🇦🇺
2 years
Feels bad man
8
0
39
@farazsth98
Faith 🇧🇩🇦🇺
4 years
So... After a long hiatus from playing CTFs, I participated in the DEFCON Red Team Village CTF with @Neutrino_Cannon and placed 2nd! Scoreboard here:
4
5
38
@farazsth98
Faith 🇧🇩🇦🇺
4 years
I will be posting a detailed writeup sometime soon for this mind blowing challenge from pbctf by @wcbowling tl;dr pwn userland -> pwn kernel -> execute code in the unicorn engine emulator 🤯🤯🤯
1
1
38
@farazsth98
Faith 🇧🇩🇦🇺
5 months
@SmashJT @theflow0 When you say "let the community know about it", you mean disclose a working, usable exploit? If so, that opens the doors for a lawsuit from Sony. This work is not as easy as it may look from the outside, so working for months just to end up with a lawsuit is pointless.
4
1
38
@farazsth98
Faith 🇧🇩🇦🇺
7 months
Shitcoin devs be like "Can you audit my token pls? It's gonna be the next biggest token, 1 bil market cap for sure!!!!" The code:
3
1
37
@farazsth98
Faith 🇧🇩🇦🇺
4 years
Slides for this talk are up!
@Airgappin
#AirGap2020
4 years
⚠️SPEAKER! ☣️Syed Faraz Abrar @farazsth98 ⚡️ haha v8 engine go brrrrr V8 is so complex that it has its own bug classes You'll be able to learn about the gory internals of one of the most used JS engines in the world and the best approach for finding JS engine vulns #AirGap2020
2
16
55
0
8
35
@farazsth98
Faith 🇧🇩🇦🇺
4 years
And again
3
0
36
@farazsth98
Faith 🇧🇩🇦🇺
4 years
This exploit is accompanied with an amazing writeup (link in the GitHub repo) for anyone interested in understanding some key aspects of Spidermonkey's JIT compiler, as well as exploiting a vulnerability in it. Highly recommended and very well written!
@maxpl0it
maxpl0it
4 years
Published my exploit for CVE-2019-17026 (Firefox JIT bug): No sandbox escape included but if anybody wants a challenge, chain it with CVE-2020-0674 for a neat sandbox escape on Windows!
1
129
318
1
5
36
@farazsth98
Faith 🇧🇩🇦🇺
4 years
Yep.
2
0
35
@farazsth98
Faith 🇧🇩🇦🇺
4 years
Work in progress... 😫
3
1
33
@farazsth98
Faith 🇧🇩🇦🇺
4 years
I was recently introduced to a great blog by @secfaultsec which contains two really good blog posts on exploiting some vulnerabilities in the FreeBSD kernel. I am currently reading through their post on writing an iOS kernel exploit. Very well written!
1
9
32
@farazsth98
Faith 🇧🇩🇦🇺
8 months
Looks like the culprit is a free controlled external call into WETH from the `SocketGateway` contract that calls `transferFrom(victim, attackerWallet, victimWethBalance)`. Anyone who has approved this contract should revoke approval ASAP:
@peckshield
PeckShield Inc.
8 months
Hi @SocketDotTech , you may want to take a look:
17
34
121
4
4
34
@farazsth98
Faith 🇧🇩🇦🇺
4 years
I just came across this repo... It's so good 🤯 might have to start looking at the sandbox soon 🤪
0
4
34
@farazsth98
Faith 🇧🇩🇦🇺
4 years
STOP THE COUNT
@sqrtrev
sqrtrev
4 years
CTFtime 1st place 😮😮
3
6
102
0
2
31
@farazsth98
Faith 🇧🇩🇦🇺
9 months
2/ First of all, SlowMist did a brilliant job analyzing the actual vulnerability. I wish I'd found out about it before I finished my analysis, it would've saved me a lot of time 😅 I highly recommend reading it:
2
1
31
@farazsth98
Faith 🇧🇩🇦🇺
4 years
This CTF had a dotnet core pwn. I wrote a short writeup here: If you have any questions about it please ask me. I was too lazy to write in more detail about how to debug the binary correctly, which is probably the biggest problem :p
@SuperGuesser
Super Guesser
4 years
We won aeroCTF 2021. Thanks for nice quality challenges 🙂🙂
5
3
84
0
3
31
@farazsth98
Faith 🇧🇩🇦🇺
7 months
Going on holiday for 2 weeks, flight is later today, and of course I find a potential vulnerability right now... It's not web3 so it can wait the 2 weeks, but can my brain handle the wait? 😩😩😩
3
0
32
@farazsth98
Faith 🇧🇩🇦🇺
2 years
Spent the last few days setting up a fully local testing environment for a bridge (multiple nodes + the bridge + relayers), and found a crit. I'm convinced more people don't hunt for vulns in bridges simply due to the sheer complexity of setting up the needed testing environment.
3
2
30
@farazsth98
Faith 🇧🇩🇦🇺
6 months
Tbh this applies to all complex systems really well. All you have to do is come up with one question and attempt to answer it yourself. Web3: What exactly happens when you borrow an asset on Aave? VMs: How does a hypervisor like Xen prevent guest VMs from accessing host memory?
@yarden_shafir
Yarden Shafir
6 months
This occasionally comes up in my DMs so here's a few Windows Internals / RE exercises and projects for people at different knowledge levels: 1. What happens when you call CreateFile? From Win32, syscall, filter drivers, filesystems, disk access, etc. 1/2
4
39
252
0
6
28
@farazsth98
Faith 🇧🇩🇦🇺
4 years
In the end, 10 teams were able to solve it, and the feedback is good! Hope to do this again next year (with harder pwns of course). Thanks to everyone who participated, and especially the admin team for being amazing and organizing such an amazing CTF!
@farazsth98
Faith 🇧🇩🇦🇺
4 years
My V8 challenge got first blooded in the first 6 hours! Check out if you want to give it a shot as well!
1
6
51
1
2
29
@farazsth98
Faith 🇧🇩🇦🇺
3 years
👏
0
1
28
@farazsth98
Faith 🇧🇩🇦🇺
4 years
:D First win with the team! The PWN challenges were insane. Was fun working with the gods themselves @RBTree_ and @circleous
@SuperGuesser
Super Guesser
4 years
We won KipodAfterFree CTF 2020!!! ☺️☺️
1
5
41
2
1
29
@farazsth98
Faith 🇧🇩🇦🇺
4 years
The writeup for this is now online! I cannot stress how amazing this challenge was. It was very realistic. I learned so many new things, I don't think I can list them all out in a single tweet. Enjoy!
@farazsth98
Faith 🇧🇩🇦🇺
4 years
I will be posting a detailed writeup sometime soon for this mind blowing challenge from pbctf by @wcbowling tl;dr pwn userland -> pwn kernel -> execute code in the unicorn engine emulator 🤯🤯🤯
1
1
38
1
5
28
@farazsth98
Faith 🇧🇩🇦🇺
4 years
Exploit scripts for the pwn challenges I solved can be found on my gist. I wrote a short writeup specifically for GuessFS, which can be found here:
@farazsth98
Faith 🇧🇩🇦🇺
4 years
We won somehow.. Last hour was so tense!
2
0
41
1
5
28
@farazsth98
Faith 🇧🇩🇦🇺
8 months
Oh yeah, the ping-of-death style bug I found was unfortunately in a non-Immunefi bug bounty program. That would have definitely pushed me into the top 50😩 All good though, plenty of time this year to get into the top 50, just need to find the time to do some bug hunting 😅
@farazsth98
Faith 🇧🇩🇦🇺
8 months
Last two Immunefi bug reports from 2023 got paid out recently. Can't wait to see where I end up on the leaderboard after it gets updated😄
6
2
54
6
0
28
@farazsth98
Faith 🇧🇩🇦🇺
7 months
Was looking for an i3wm or dwm equivalent for windows and came across GlazeWM, and it's actually amazing. Workflow improved by 10x, would recommend to anyone to try it out even if you've never used a tiling WM before. Just gotta learn the keybinds :D
1
2
27
@farazsth98
Faith 🇧🇩🇦🇺
5 months
Looks like VirtualBox is patching the Pwn2Own bugs in private... No SVN revisions in the past 7 days 🤨🤨
1
3
28
@farazsth98
Faith 🇧🇩🇦🇺
2 years
So, project on ImmuneFi uses signatures incorrectly, resulting in a high severity issue. I report it. Them - "this is a side-effect of a decentralized system using signatories, therefore it's out of scope, but we will give you $500 in good faith". I post a fix, and.... silence...
6
0
27
@farazsth98
Faith 🇧🇩🇦🇺
4 years
Wasn't able to spend too much time on Harekaze Mini CTF this weekend, but the challenges I solved were pretty nice, so here's some short writeups:
0
2
25
@farazsth98
Faith 🇧🇩🇦🇺
2 years
It has been a while indeed. Also I made a mastodon (don't know how to use it yet lol):
2
4
24
@farazsth98
Faith 🇧🇩🇦🇺
2 years
Just finished analyzing the Nereus Finance flash loan attack. This was the perfect exercise for me to figure out how to break down a complex transaction step by step, and recreate it. New blog post coming very soon :) transaction here for the curious:
1
8
25
@farazsth98
Faith 🇧🇩🇦🇺
4 years
Reversing a CHIP-8 emulator written in C++ is not fun....
4
1
25
@farazsth98
Faith 🇧🇩🇦🇺
2 years
Moved over to a new blog (built using gatsby.js) for easier maintenance. I moved over the web3 related blog posts for now: Old blog will still stay up for a long time to come though!
0
4
24
@farazsth98
Faith 🇧🇩🇦🇺
7 months
Real World CTF's Safe Bridge was a nice challenge! somewhat of a realistic bug in my opinion, which made it all the more interesting 😄
1
0
23
@farazsth98
Faith 🇧🇩🇦🇺
4 years
Just got shown this little gem by @volvent that happened when I was 11 years old... We need more drama like this in the modern world so people like me can experience this in real time 😂
4
1
22
@farazsth98
Faith 🇧🇩🇦🇺
4 years
So.. Pretty much spent the entire weekend trying to solve this but could not figure out a way to leak IPC port names with just the initial leak that's provided.. @_tsuro did you write this challenge? It was a very good concept, would love to see a writeup if possible!
@farazsth98
Faith 🇧🇩🇦🇺
4 years
Yep.
2
0
35
3
2
22
@farazsth98
Faith 🇧🇩🇦🇺
4 years
I was only able to play pbctf for a few hours this weekend, but my teammates are so good 😭 we got second place! Here's a short writeup for JHeap (unintended solution, actual solution is a little more complicated):
2
4
19
@farazsth98
Faith 🇧🇩🇦🇺
5 months
@S1r1u5_ same for me, don't worry. The interest comes and goes, and that's the good thing, because if you constantly have the interest all the time, you get burnt out. The longer you grind in your free time, the longer the burnout break is, so take those breaks often :)
0
2
21
@farazsth98
Faith 🇧🇩🇦🇺
4 years
I watched the OffensiveCon 2020 "Bugs on the Windshield" talk a while ago, but I just found this other blog post by Checkpoint Research from 2 years ago and I think it's absolutely amazing! Definitely worth a read:
2
1
21
@farazsth98
Faith 🇧🇩🇦🇺
9 months
- Find a crit
- Report it immediately because funds are at risk
- Investigate more...
- Realize that even though the bug is in the master branch of the codebase, it doesn't affect the currently deployed code in the mainnet..
- Only the mainnet is considered in-scope for bounties
4
0
21
@farazsth98
Faith 🇧🇩🇦🇺
2 years
Finally getting comfortable with Rust by using the Advent of Code 2022. FeelsGoodMan
1
0
20
@farazsth98
Faith 🇧🇩🇦🇺
6 months
Every time Man Yue Mo posts something, I bring out the 🍿
@mmolgtm
Man Yue Mo
6 months
In this post I'll use CVE-2023-6241, a vulnerability in the Arm Mali GPU that I reported last November to gain arbitrary kernel code execution from an untrusted app on a Pixel 8 with MTE enabled.
8
142
391
1
0
20
@farazsth98
Faith 🇧🇩🇦🇺
10 months
My Paradigm CTF 2023 writeups are now on the Zellic blog too! Make sure to follow @zellic_io because I have another blog post coming up soon where I'll disclose the details of a critical vulnerability I found on an L1 chain 😄
@zellic_io
Zellic
10 months
We are excited to share write-ups for two @paradigm_ctf challenges from @farazsth98 , a Security Researcher at Zellic. We'll be looking at Grains of Sand and Hopping Into Place! For an in-depth look into both challenges, check out our blog:
1
6
31
1
1
19
@farazsth98
Faith 🇧🇩🇦🇺
4 years
🧐🧐🧐
0
5
19
@farazsth98
Faith 🇧🇩🇦🇺
3 years
has science gone too far?
0
0
19
@farazsth98
Faith 🇧🇩🇦🇺
2 years
Short analysis of the SportsDAO flash loan attack from yesterday is out: The full exploit is linked in the blog post :)
2
5
19
@farazsth98
Faith 🇧🇩🇦🇺
4 years
Why is the Windows 10 Segment Heap so complicated...
0
0
19
@farazsth98
Faith 🇧🇩🇦🇺
10 months
Don't you just love the feeling of finding a cool bug and then realizing that it's only abusable under specific conditions 😭
0
0
18
@farazsth98
Faith 🇧🇩🇦🇺
7 months
Legend 🙏 now I can fuzz Java with UBSan 👀
@gf_256
cts 🌸🏳️‍⚧️
7 months
just another normal day @zellic_io
1
0
31
1
0
18
@farazsth98
Faith 🇧🇩🇦🇺
4 years
literal guess god btw
@rkm0959
rkm0959
4 years
How to solve primary ingredient: a guide
1. ask reversers for reversing
2. they give you a prime and "complex numbers are used"
3. take an abstract algebra class
4. guess fermat's two square theorem
5. get the flag with literally two lines of code
2
2
26
0
2
19