Stephen Fewer Profile
Stephen Fewer

@stephenfewer

Followers
7,923
Following
213
Media
28
Statuses
704

Principal Security Researcher @rapid7 . Decompiler @relyze . Core @metasploit dev 2009 - 2013. MSRC Top 100 2015. Pwn2Own 2011 & 2021.

Ireland
Joined March 2009
@stephenfewer
Stephen Fewer
11 months
This week's @metasploit release has our unauthenticated RCE exploit module for CVE-2023-22515, affecting Atlassian Confluence. Get all the release details here:
2
81
211
@stephenfewer
Stephen Fewer
6 months
We have added a @metasploit unauthenticated RCE exploit module to the pull queue for the recent ConnectWise ScreenConnect vulnerability (No CVE has been assigned yet):
Tweet media one
4
94
213
@stephenfewer
Stephen Fewer
6 months
We have disclosed 2 authentication bypass vulnerabilities, CVE-2024-27198 and CVE-2024-27199, affecting JetBrains TeamCity CI/CD server. The most severe of which allows for unauthenticated RCE. Read all the details here:
0
75
162
@stephenfewer
Stephen Fewer
2 years
Here's my writeup of the 4 bugs from my Cisco exploit at pwn2own 👇
@relyze
Relyze
2 years
Pwning a Cisco RV340 with a 4 bug chain exploit:
0
75
195
2
49
159
@stephenfewer
Stephen Fewer
8 months
We have posted our AttackerKB @rapid7 Analysis of the recent 0day exploit chain affecting Ivanti Connect Secure (CVE-2023-46805 and CVE-2024-21887). Full details of the auth bypass and command injection vulns. Read all the details here:
5
57
155
@stephenfewer
Stephen Fewer
8 years
Woot! @chrisrohlf released his "Modern Memory Safety: C/C++ Vulnerability Discovery, Exploitation, Hardening" course
0
96
159
@stephenfewer
Stephen Fewer
10 months
This week's @metasploit release includes our unauth RCE exploit against Cisco IOS XE (CVE-2023-20198 and CVE-2023-20273), get all the details here:
2
60
156
@stephenfewer
Stephen Fewer
10 months
We have added 2 modules to the @metasploit pull queue for the recent Cisco IOS XE vulns (CVE-2023-20198 and CVE-2023-20273)
Tweet media one
Tweet media two
1
47
155
@stephenfewer
Stephen Fewer
7 months
We have published our AttackerKB @rapid7 analysis for CVE-2024-21893, an SSRF vulnerability in the SAML component of Ivanti Connect Secure, that has recently been exploited in the wild, allowing attackers to bypass the mitigation for an earlier exploit chain.
4
62
154
@stephenfewer
Stephen Fewer
11 months
We have posted our @rapid7 AttackerKB Analysis for CVE-2023-22515, affecting Atlassian Confluence. The vuln is unauthenticated and can be leveraged to create a new admin account on the server. Full root cause analysis and exploitation details are here:
Tweet media one
Tweet media two
2
58
129
@stephenfewer
Stephen Fewer
7 months
We now have an RCE exploit module in the @metasploit pull queue for CVE-2024-0204 in Fortra GoAnywhere MFT:
Tweet media one
2
51
129
@stephenfewer
Stephen Fewer
2 years
A new year and a new adventure, I'm delighted to have started a new position @rapid7 as a Principal Security Researcher 🥳
8
3
127
@stephenfewer
Stephen Fewer
8 months
We also have a (draft) pull request in the queue for a @metasploit exploit module against Ivanti Connect Secure (CVE-2023-46805 and CVE-2024-21887):
Tweet media one
2
42
121
@stephenfewer
Stephen Fewer
11 months
This week's @metasploit release includes our exploit for CVE-2023-40044, an unauthenticated RCE in the Ad Hoc Transfer module of WS_FTP Server, due to unsafe .NET deserialization. Get all the details here:
2
42
118
@stephenfewer
Stephen Fewer
1 year
Our @rapid7 AttackerKB analysis detailing CVE-2023-28771 is available. Unauthenticated command injection on the WAN interface of several Zyxel devices. Bug is in the IKE packet decoder for the IPSec VPN service, running by default.
2
36
113
@stephenfewer
Stephen Fewer
6 months
Our exploit module for CVE-2024-27198 is now in the @metasploit pull queue. Unauthenticated RCE in JetBrains TeamCity due to an authentication bypass vulnerability:
Tweet media one
0
35
117
@stephenfewer
Stephen Fewer
10 months
and now we've added an RCE exploit module for this too...
Tweet media one
@stephenfewer
Stephen Fewer
10 months
We have added 2 modules to the @metasploit pull queue for the recent Cisco IOS XE vulns (CVE-2023-20198 and CVE-2023-20273)
Tweet media one
Tweet media two
1
47
155
1
25
103
@stephenfewer
Stephen Fewer
2 years
So I am looking for a new full time role; remote from Ireland, vulnerabilities, exploitation, RE, tooling. Any leads please let me know :)
15
33
96
@stephenfewer
Stephen Fewer
11 months
This week's @metasploit release includes our JetBrains TeamCity exploit module (CVE-2023-42793). Unauthenticated RCE due to an auth bypass vuln, all versions prior to 2023.05.4 are affected. Read the details here:
Tweet media one
2
38
94
@stephenfewer
Stephen Fewer
1 year
This week's @metasploit release has our exploit for CVE-2023-26360, unauth RCE in all versions of Adobe ColdFusion 2021 and 2018 prior to Adobe's March patch. Get the release here:
Tweet media one
1
27
91
@stephenfewer
Stephen Fewer
2 years
My @rapid7 technical analysis of CVE-2022-21587 for Oracle E-business Suite is out. An arbitrary file upload vuln can be used to drop malicious JSP payloads, and we now have a @metasploit exploit for this in the pull queue too:
3
31
89
@stephenfewer
Stephen Fewer
1 year
Our @rapid7 AttackerKB Analysis of CVE-2023-26359 in Adobe ColdFusion has been updated to detail unauthenticated remote code execution and arbitrary file reading. A @metasploit module will be available soon. All the details here:
3
42
86
@stephenfewer
Stephen Fewer
10 months
Our @rapid7 AttackerKB analysis of CVE-2023-46604 affecting Apache ActiveMQ is out. Unauthenticated RCE via deserialization in the OpenWire transport connector. We also have a @metasploit module for this in the pull queue. Read our analysis here:
2
38
76
@stephenfewer
Stephen Fewer
11 months
We have published our @rapid7 AttackerKB Analysis of CVE-2023-42793, an unauthenticated RCE in JetBrains TeamCity CI/CD server, affecting all versions below 2023.05.4. A full technical analysis of both the root cause and exploitation is available here:
10
39
75
@stephenfewer
Stephen Fewer
10 months
We have posted our @rapid7 AttackerKB Analysis for CVE-2023-38548, an NTLM hash leak via the Veeam ONE Web Client. Read all the details here:
Tweet media one
Tweet media two
1
37
74
@stephenfewer
Stephen Fewer
11 months
We have published our @rapid7 AttackerKB Analysis for CVE-2023-40044. An unauthenticated RCE in WS_FTP due to unsafe .NET deserialization. Full root cause analysis and exploitation details here:
1
48
70
@stephenfewer
Stephen Fewer
1 year
Our @rapid7 AttackerKB analysis of CVE-2023-27532 in Veeam Backup & Replication has been posted, detailing the vulnerability, plaintext credentials leak and remote code execution:
3
26
64
@stephenfewer
Stephen Fewer
1 year
Adobe has patched an access control bypass (CVE-2023-29298) affecting ColdFusion 2023, 2021 and 2018 that we reported last April, found when researching some other CF vulns. Full details on the @rapid7 blog:
4
32
64
@stephenfewer
Stephen Fewer
1 year
Last Friday's @metasploit release adds coverage for CVE-2023-34362 in MOVEit Transfer, great work by @tychos_moose , @iagox86 , @_CField and team. Nice to see the new fetch payloads in action too 🔥 Check out the release here:
Tweet media one
0
23
64
@stephenfewer
Stephen Fewer
8 months
The vuln research team @rapid7 is hiring for a Lead Security Researcher; working on 0day vuln research, n-day analysis, exploit dev, and more. Check out the job description below. Ping me with any questions, it's a fun job and we get to work on a lot of very interesting things :)
0
28
59
@stephenfewer
Stephen Fewer
9 months
Updated this assessment to include how Docker based installs are indeed exploitable via a small modification to the request. This development increases the potential impact of this vuln, we have more details on our @rapid7 blog here:
Tweet media one
@stephenfewer
Stephen Fewer
9 months
Wrote up a short AttackerKB assessment on the ownCloud graphapi vuln (CVE-2023-49103). Docker installations do not seem exploitable due to an additional .htaccess rewrite rule not present in manually installed instances of ownCloud, which results in the target endpoint generating
6
15
31
1
20
52
@stephenfewer
Stephen Fewer
9 years
I'm launching a commercial RE tool called Relyze ( http://t.co/IzAF7ai6uq), check it out! Follow @relyze_ltd for product news and updates.
4
44
50
@stephenfewer
Stephen Fewer
13 years
Open sourced my browser fuzzing system 'Grinder' ( http://t.co/ETa5z7tM)
0
55
48
@stephenfewer
Stephen Fewer
1 year
Our @rapid7 AttackerKB Analysis of CVE-2023-34362 in MOVEit Transfer is now available. Full details of the RCE exploit chain and how the SQLi is leveraged to achieve RCE via unsafe deserialization:
3
22
45
@stephenfewer
Stephen Fewer
7 months
QNAP have patched an unauthenticated command injection vuln we reported, CVE-2023-47218, affecting QTS and QuTS Hero based systems. Vuln is in a component quick.cgi, which helps configure uninitialized systems. Read our disclosure here:
1
21
42
@stephenfewer
Stephen Fewer
1 year
Adobe have released an out of band update for ColdFusion, to address CVE-2023-38205, a patch bypass of the access control bypass CVE-2023-29298 that was published last week (and exploited in the wild). Full details on the @rapid7 blog:
4
13
39
@stephenfewer
Stephen Fewer
9 months
Wrote up a short AttackerKB assessment on the ownCloud graphapi vuln (CVE-2023-49103). Docker installations do not seem exploitable due to an additional .htaccess rewrite rule not present in manually installed instances of ownCloud, which results in the target endpoint generating
6
15
31
@stephenfewer
Stephen Fewer
1 year
Our @rapid7 AttackerKB analysis of CVE-2023-26359 has been published. An interesting deserialization vulnerability in Adobe ColdFusion that was recently patched:
0
7
31
@stephenfewer
Stephen Fewer
6 months
This module has been updated to support Linux targets, older versions of ScreenConnect, and improved in-memory Windows payload support.
@stephenfewer
Stephen Fewer
6 months
We have added a @metasploit unauthenticated RCE exploit module to the pull queue for the recent ConnectWise ScreenConnect vulnerability (No CVE has been assigned yet):
Tweet media one
4
94
213
0
6
29
@stephenfewer
Stephen Fewer
4 months
Super analysis by @ChairNectar detailing CVE-2024-4040 in CrushFTP - detailing the root cause, unauthenticated arbitrary file read primitive, and session stealing. Plus evasion techniques due to non-compliant HTTP processing! 🔥
@catc0n
Caitlin Condon
4 months
Rapid7's full technical analysis of #CrushFTP CVE-2024-4040 is available here courtesy of @ChairNectar .
0
20
49
0
8
28
@stephenfewer
Stephen Fewer
7 months
The SSRF, as we found it, is actually an n-day in the xmltooling library, patched out around June 2023 and assigned CVE-2023-36661. The SSRF can be chained to CVE-2024-21887 for unauthenticated command injection with root privileges.
1
8
27
@stephenfewer
Stephen Fewer
2 years
Wrote up a post about the NETGEAR R6700v3 bug I used in last November's pwn2own which was patched recently. Overflowing a .bss variable into adjacent heap memory for the win!
@relyze
Relyze
2 years
NETGEAR R6700v3 upnpd Buffer Overflow Remote Code Execution Vulnerability (CVE-2022-27643):
0
27
83
0
6
27
@stephenfewer
Stephen Fewer
1 year
Our @rapid7 AttackerKB Analysis of CVE-2023-0339 in ForgeRock Web Agent is out. A simple yet highly impactful access control bypass vulnerability that leads to unauthorized access to protected resources:
2
5
26
@stephenfewer
Stephen Fewer
9 years
Great talk from @aionescu on the new Windows secure kernel and isolated user modes:
0
11
24
@stephenfewer
Stephen Fewer
5 months
Join us! ...the @rapid7 vulnerability research team is hiring a Senior Security Researcher to work on zero day vuln discovery, n-day analysis, exploit development, and more! Location for this role is onsite in our Prague office. Full details here:
0
10
23
@stephenfewer
Stephen Fewer
1 year
So CVE-2023-35082 (Unauth API access) is now known to affect all versions of Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core prior to the fix Ivanti released yesterday. Our @rapid7 disclosure blog has been updated with the new details:
1
10
21
@stephenfewer
Stephen Fewer
2 years
Interesting vuln in the ZK framework being actively exploited against ConnectWise R1Soft Server Backup Manager, details and guidance on the @rapid7 blog:
0
12
19
@stephenfewer
Stephen Fewer
1 year
Exploit now available in latest @metasploit release:
0
7
20
@stephenfewer
Stephen Fewer
10 months
h/t to @Horizon3ai and @leak_ix for their posts detailing exploitation, and today @r4shimo posted a full dump of the implant being installed which is the first time I have seen this in detail:
1
2
19
@stephenfewer
Stephen Fewer
1 year
Curtis is a hugely talented and enthusiastic vulnerability researcher, who worked with us on our MOVEit exploit and he recently did an amazing deep dive analysis + exploit against barracuda esg. Snap him up!
@_CField
Curt Fielding
1 year
Had a great time and will miss the team at Rapid7. Onto the next adventure to continue on with fun work. I'll be open to any vuln research and exploit dev work!
2
13
38
0
6
17
@stephenfewer
Stephen Fewer
3 years
2 exploits, 2 root shells. Routers are a fun target 😀 Thanks @thezdi and @TrendMicro for a great #Pwn2Own
1
0
14
@stephenfewer
Stephen Fewer
5 years
Sneak peek of the upcoming @relyze v3 multi arch decompiler! Public beta happening soon and general release later this year \o/
Tweet media one
1
6
13
@stephenfewer
Stephen Fewer
2 years
While inevitable, having your software product pirated will always suck, however I can't help but be impressed they bother to translate the entire UI too 🙃
Tweet media one
1
0
13
@stephenfewer
Stephen Fewer
11 years
Added in 64-bit debugger support to Grinder for latest IE, yay for Metasm :) http://t.co/FjgOJcBLox
Tweet media one
1
13
12
@stephenfewer
Stephen Fewer
3 years
I've got two exploits in this week's #Pwn2Own targeting the Cisco RV340 LAN and the Netgear R6700v3 LAN. Best of luck to all contestants 😀
1
0
11
@stephenfewer
Stephen Fewer
3 years
Tweet media one
1
1
10
@stephenfewer
Stephen Fewer
8 months
Shout out to @watchtowrcyber for publishing their jailbreak technique, great work 👍
0
2
9
@stephenfewer
Stephen Fewer
2 years
Interesting to read through the NCC team's methodology and results against three targets, thanks for sharing
@saidelike
Cedric Halbronn
2 years
🔥We have just published our Pwn2Own methodology from last year to help other teams since the targets for this year are live🥳cc @thezdi
0
56
148
0
0
9
@stephenfewer
Stephen Fewer
15 years
Nice blog post about diffing and triggering one of the ICMP bugs from MS10-009 by NeWSoFT ( http://bit.ly/bK9SyL)
0
13
9
@stephenfewer
Stephen Fewer
11 years
Good post/PoC by @feliam on an Adobe Reader heap corruption bug. http://t.co/OXxmKydv87 (CVE-2013-2729)
0
17
9
@stephenfewer
Stephen Fewer
1 year
Douglas is an extremely strong and accomplished leader and researcher in offensive security and vulnerability research. You would be lucky to hire him and have him on your team
@fulmetalpackets
Douglas McKee
1 year
Unfortunately I was affected by the Rapid 7 layoffs and therefore looking for a new opportunity. I have 14 years of experience in offensive security, security research, technical leadership, and public speaking. I will be at @defcon starting tonight. Send me a message to chat!
4
102
228
0
6
8
@stephenfewer
Stephen Fewer
9 years
@berendjanwever Try disabling mem protector via OverrideMemoryProtectionSetting in registry ( http://t.co/OUWhKPHwO1) (pdf), might help
0
1
8
@stephenfewer
Stephen Fewer
1 year
This vuln was reported exploited in the wild as CVE-2023-26360 but the root cause appears to be the deserialization of untrusted data via CVE-2023-26359.
1
3
8
@stephenfewer
Stephen Fewer
8 months
Website back online for anyone who had difficulties earlier...
@stephenfewer
Stephen Fewer
8 months
We have posted our AttackerKB @rapid7 Analysis of the recent 0day exploit chain affecting Ivanti Connect Secure (CVE-2023-46805 and CVE-2024-21887). Full details of the auth bypass and command injection vulns. Read all the details here:
5
57
155
0
3
8
@stephenfewer
Stephen Fewer
10 months
@steventseeley Comeback tours ftw! 😂👍
0
1
7
@stephenfewer
Stephen Fewer
7 months
Exploit creates an admin account, then uploads a JSP payload to get a session. There's a nice (undocumented) unauthenticated REST endpoint /rest/gacmd/v1/system which gives you back version information too! Shoutout to @Horizon3ai for their analysis and PoC
0
0
7
@stephenfewer
Stephen Fewer
2 years
Great three part series on writing an Edge (Chakra) exploit, super work @33y0re 👍
@33y0re
Connor McGarr
2 years
Today I am releasing the final post of a 3 part series on “modern” browser exploitation targeting Windows. In this post we port our exploit primitives to Edge itself & combine 12 ROP chains in order to defeat ACG, CIG, DEP, ASLR, CFG, "no child processes"
9
217
632
1
1
7
@stephenfewer
Stephen Fewer
1 year
Awesome opportunity for a security researcher to join the @metasploit team!
@catc0n
Caitlin Condon
1 year
Hey friends, the #Metasploit team is looking for a security researcher to work on modules, features, and enhancements for @zeroSteiner 's open-source team! Currently Austin-based, but we're open to other R7 office locations, too!
3
23
46
0
2
6
@stephenfewer
Stephen Fewer
1 year
The same vuln can also be leveraged for arbitrary file read, so we have an auxiliary gather module for that too:
Tweet media one
1
0
6
@stephenfewer
Stephen Fewer
10 months
h/t to @X1r0z who analyzed the patches last week. @Shadowserver has detected 3,329 vulnerable instances online:
0
2
5
@stephenfewer
Stephen Fewer
14 years
A little (more) return oriented exploitation ( http://bit.ly/bcLtNm)
0
5
5
@stephenfewer
Stephen Fewer
7 months
@wdormann Yes I think it would be best practice to use the existing CVE identifier.
1
0
4
@stephenfewer
Stephen Fewer
11 years
Heh, looks like IE11 doesn't want me to fuzz it ;) http://t.co/5HpjBxpdFV
1
3
4
@stephenfewer
Stephen Fewer
11 years
lol, "Avoid Data Execution Prevention" ( http://t.co/aRWSeHV01c) ...been avoiding it for years bro :P
0
4
4
@stephenfewer
Stephen Fewer
9 years
@PiotrBania Symbol packages can be found here () for win10 technical/insider previews
1
0
4
@stephenfewer
Stephen Fewer
11 years
OptiROP looks cool ( http://t.co/0T9TjwPVv9) (PDF) anyone know if the tool is available online yet?
1
0
4
@stephenfewer
Stephen Fewer
1 year
@hacks_zach @rapid7 And you too! Nicely done leveraging the comment field for gadget encryption.
0
0
3
@stephenfewer
Stephen Fewer
11 months
@wvuuuuuuuuuuuuu @catc0n OVERFLOW_CAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
1
0
3
@stephenfewer
Stephen Fewer
7 months
@infosec_au Thanks shubs! Much appreciated 😁🙏
0
0
3
@stephenfewer
Stephen Fewer
1 year
If you're in Vegas next week check out @zeroSteiner at BlackHat Arsenal (and DEF CON), showcasing the awesome new active directory features recently added to @metasploit 🔥
@rapid7
Rapid7
1 year
🛠 At the #BlackHatUSA Arsenal, join Rapid7 Manager, Security Research @zeroSteiner for an Active Directory-focused #Metasploit demonstration! See the Framework's latest upgrades in action, learn how to execute multiple attack techniques, and much more:
Tweet media one
0
9
26
0
0
3
@stephenfewer
Stephen Fewer
11 years
So chrome 29 is now partitioning allocations for differing DOM nodes ( http://t.co/lWJ7BwG9bn)
0
8
3
@stephenfewer
Stephen Fewer
14 years
Oracle patched my Java IE Plugin stack buffer overflow (goo.gl/iIwE) Blog/PoCs by @berendjanwever who came across the same bug (goo.gl/4Srk)
0
5
3
@stephenfewer
Stephen Fewer
8 months
@wdormann Back online now 👍
0
0
2
@stephenfewer
Stephen Fewer
6 months
@joel_land ahh, was able to reproduce. If I delete the License.xml file and restart the server, it 404s when requesting anything from an installed extension. So the issue seems to be exploiting an unlicensed server.
1
0
3
@stephenfewer
Stephen Fewer
4 months
@rhowe212 @catc0n @rapid7 @ChairNectar ya I agree, the os_MkdirAll call and creating the path from the session id cookie value during main__ptr_SessDiskStore_New is in first party PA code, and does not appear to be the gorilla library code as the root cause.
0
1
3
@stephenfewer
Stephen Fewer
9 months
Some of the docker images I tested also explicitly add phpinfo to the disable_functions list in php.ini, so that's gonna be a blocker to exploitation also :)
0
0
3
@stephenfewer
Stephen Fewer
1 year
@Big5_sec Experimenting with adding both a subject (Arg01) and body (Arg04) omits that log message, however a different single log message remains for a package with no valid recipient. I don't think we can avoid that. Thanks for the feedback.
0
0
1
@stephenfewer
Stephen Fewer
2 years
@haxor31337 @rapid7 @metasploit Interesting, I haven't come across any stability issues leveraging the forms app. Nice work on your research.
1
0
2
@stephenfewer
Stephen Fewer
14 years
ZDI have published my Java readMabCurveData bug ( http://bit.ly/cYbHrL) ( http://bit.ly/agMGhp), interesting stack buffer overflow!
0
4
2
@stephenfewer
Stephen Fewer
2 years
Found an old copy of Easy Amos for the Amiga! Had such fun trying to learn how to program on this back in the day. Even came with some file save icons 😄 #amigaforever
Tweet media one
Tweet media two
0
0
2
@stephenfewer
Stephen Fewer
13 years
RT @PiotrBania : my new paper is out: Securing The Kernel via Static Binary Rewriting and Program Shepherding -> http://tinyurl.com/6xcavhe
0
1
2
@stephenfewer
Stephen Fewer
3 years
Hat tip to @Ubiquiti , I spent longer than I'd like to admit finding nothing in the Edge Router 4 🤣
0
0
2
@stephenfewer
Stephen Fewer
2 years
TIL C/C++ has standardized alternative tokens for several operators and punctuators due to limitations in some character encoding sets, which I thought was an interesting curiosity:
0
0
2
@stephenfewer
Stephen Fewer
14 years
@dm557 The trick is that WriteProcessMemory forces the memory writable (check it out in IDA), quick PoC here http://pastebin.com/0hvNaE7y
0
1
2