stephen @_tsuro Zurich, Switzerland

CTF player with Eat, Sleep, Pwn, Repeat. Security engineer at Google.

438 Following   6,369 Followers   904 Tweets

Joined Twitter 8/28/11


A Chromium IPC sniffer https://t.co/rXuf6nM4bJ
Retweeted by stephen
9/19
2020
I'm playing a bit with @benhawkes 's exploit on @Qualcomm Adreno GPU, trying to reproduce it on my old Oneplus3T ru… https://t.co/mnlTx5hwiX
Retweeted by stephen
9/17
2020
https://t.co/uavWYGzK43 -0 is always trouble maker :D
Retweeted by stephen
9/14
2020
We just open sourced most challenges (and exploits) from this year's #GoogleCTF: https://t.co/VXWfqboevk
9/11
2020
Writeup for @_tsuro's teleport challenge from #GoogleCTF: https://t.co/AOj79uECCB
Retweeted by stephen
9/9
2020
@EyalItkin @AmarSaar The FD set part was the intended bug :)
@happyCoder92 Share my solution for the echo chg from GoogleQuals2020 CTF :) As a bonus, I added a cute exploit for old tcache, j… https://t.co/gmbltmdWBc
Retweeted by stephen
9/8
2020
How did you find it so fast 😁 ICYMI, Here is a writeup for the Chromium sandbox escape challenge "teleport" at Goog… https://t.co/Xd2T1bijqi
Retweeted by stephen
9/7
2020
The most important part: the file read PoC fits in a tweet! PAGER='/bin/sh -c "MODPROBE_OPTIONS=\"-C /etc/shadow\" /sbin/pppd notty"' man x
Retweeted by stephen
9/4
2020
New blog post series "JITSploitation" about a fun WebKit JIT bug and how it can be exploited on iOS despite Structu… https://t.co/7UOA30qmGx
Retweeted by stephen
9/1
2020
It currently takes us around 3 days to turn a v8 bug + sandbox escape into an exploit. Times vary based on bugs. Gi… https://t.co/ZSFk65wV2h
Retweeted by stephen
@SecurityMB @sirdarckcat it's public in the javascript (ctrl+f "500"): var st=function(){this.Du=50;… https://t.co/lWcUNle2oP
8/31
2020
@SigPococurante @raistolo I'm not familiar with flatpak sandboxing. While it probably won't be as strong as Chrome'… https://t.co/8PI4Bm5GKh
@ReneFreingruber Just tried the linux exploit against windows and it successfully leaks some pointers before crashi… https://t.co/UQnzz1bRrO
@ReneFreingruber I believe I tested that I can get a crash in windows as well at some point but I can try it again later today.
@sirdarckcat There was a blog post about it recently: https://t.co/JJph7HM1tR They got rid of 1days and don't co-sc… https://t.co/FClwo0Nip3
@ReneFreingruber I wrote exploits against steam for Chrome 68, 72 and 79. I think the embedded chrome actually hasn… https://t.co/fqQSzkclyi
@msd0s7 For windows you just have to write a 1day exploit for one of the public browser process UaFs :)
Periodic reminder that Steam is still running Chrome 79 and without a sandbox on Linux. 🤷 https://t.co/p9I0kEZ20z
Here's my 1day exploit for https://t.co/HOW8DV5aCe 😁. Works for chrome version <= 83.0.4103.61.… https://t.co/PXjgk87V74
Retweeted by stephen
8/27
2020
this one's kinda interesting IMO: https://t.co/XZWLk1dq7z - especially the THP mapcount part. see the thp_malloc_la… https://t.co/lyIVim9OHw
Retweeted by stephen
Chrome: Missing array size check in NewFixedArray https://t.co/cg3cgotHR9
Retweeted by stephen
8/25
2020
Check out this classic and super strong OOB vulnerability in the USB emulator of QEMU: https://t.co/tBKZZrP4uI https://t.co/HCnRH0S0qV
Retweeted by stephen
@thebillparks We usually open source the challenges and the solutions after the event. While I can't promise, I exp… https://t.co/aZrPoRcyao
@Drahflow @kptnpez Nice. I hope the paper is valid shellcode itself :)
@itszn13 @farazsth98 That's similar to what i did. You can also find the port on the heap as well but g_mojo is probably the better option.
8/24
2020
@itszn13 For some reason the team didn't like the change :)
@mad_4_king @wtm_offensi You can register a team yourself. Just need one person with a gmail account
@chaignc @tiraniddo There's a chrome challenge already released. It's not a js engine exploit though.
#GoogleCTF is on and we have challenges related to hardware, crypto, reversing, web, sandbox and of course pwnables… https://t.co/AG8vAo6UA3
8/22
2020
I made it into a LiveOverflow video 🙈 https://t.co/dXmYz0rsV8
8/21
2020
my first stable sbx is opened. https://t.co/qlU3zawXSK
Retweeted by stephen
8/16
2020
god I love doing static analysis on 16-bit EXEs. It works just like 32bit EXEs, except when you locate a string and… https://t.co/mn29GbIzzX
Retweeted by stephen
YES, the Google CTF is happening soon! Check https://t.co/PKSuEJPrvs for details. https://t.co/wKsAAUphHt
Retweeted by stephen
8/14
2020
Day 1 from the Google CTF Finals 2019 https://t.co/kHBKnKfyN1 https://t.co/5eKNWtBkrS
Retweeted by stephen
@LiveOverflow As usual, you think you found a bug and it's WAI :)
@LiveOverflow Day 1 or 3?
JS Bugs IRL https://t.co/7ViTPWmgAw
Retweeted by stephen
OOB read/write in v8::internal::ElementsAccessorBase<v8::internal::FastHoleyDoubleElementsAccessor (reward: $7500) https://t.co/sJ8CTcoBj6
Retweeted by stephen
8/12
2020
1/ Fixing a dead satellite: a CTF tale. A thread in N parts. @SamuraiCTF @hack_a_sat @defcon
Retweeted by stephen
8/11
2020
https://t.co/69iPT1RoA6 what a great chain of bugs, has it all: JSC, DOM, memory corruption in XPC, logic bugs, ra… https://t.co/cKHKmPsfhR
Retweeted by stephen
8/7
2020
This one was a really interesting bug. What made the XSS possible was a chain of interesting script gadgets using… https://t.co/8IWw8HmSis
Retweeted by stephen
7/31
2020
I want to write more about how we’re actually using Firecracker at Fly, but, first, some background. https://t.co/BdtDG52EQi
Retweeted by stephen
7/30
2020
@pedrib1337 I can’t at the moment - waiting for the disclosure timeline to go away My report collided with these… https://t.co/UZ8UZg5hHb
Retweeted by stephen
@pedrib1337 I reported an exploitable vulnerability in DCCP that allows LPE in all Ubuntu LTS and got a reply that… https://t.co/PHitBYwjkQ
Retweeted by stephen
7/29
2020
Excited to announce our USENIX Security'20 paper: “Timeless Timing Attacks: Exploiting Concurrency to Leak Secrets… https://t.co/ESAuIq47KP
Retweeted by stephen
Chrome 83 and Firefox 79 are shipping new opt-in security features to combat XSS, CSRF, XS-leaks & more. It's argua… https://t.co/esYLA7kf3Y
Retweeted by stephen
For those that might need this, but didn't know, Google has been sponsoring CTFs this year (see… https://t.co/vQvTs2HPtW
Retweeted by stephen
7/22
2020
@r_dan33l @GoogleVRP Sorry about that, @sirdarckcat is on it. In the meantime, you can find all the documentation o… https://t.co/EGCOgZ3wTn
7/20
2020
@julianvolodia @robertswiecki Ah, makes sense. There is nothing secret in that cluster besides the two flags in two different pods.
@julianvolodia @robertswiecki Not sure I understand. Do you mean how to prove that you can exploit without sending us the exploit?
7/19
2020
This from @danie1zy is why MS do not consider Windows Server Containers a security boundary.… https://t.co/aCegGjCjF6
Retweeted by stephen
7/16
2020
@SeccKings 🤣🤣 https://t.co/tlQ95dkruA
Retweeted by stephen
@svblxyz @AdmVonSchneider Schnüre?
7/15
2020
Here is the write up for my finding of the Ice Lake MDS vulnerability: https://t.co/3vWr7NzQ16 POC of MSBDS (CVE-2… https://t.co/Gp5nJkOh9j
Retweeted by stephen
Patch Tuesday surprise: @IntelSecurity updated the MDS advisory to include 10th Gen Processor Family (Ice Lake). It… https://t.co/AXWNBMIP4F
Retweeted by stephen
Give our bada$$ #CTF judges a socially distant hello @hellman1908 @dsredford @ZetaTwo @t0nk42 @orange_8361 @l4wio https://t.co/SZM0dluWGm
Retweeted by stephen
7/14
2020
https://t.co/H1eIVgtPIc this BinaryAI demo looks crazy...
Retweeted by stephen
7/6
2020
Calling all CTF Authors! Do you love building CTF tasks? New competition to find the best CTF Tasks, both original… https://t.co/cWiLVD1RCQ
Retweeted by stephen
A recording of today's presentation of "10 Years of Linux Security - A Report Card" is now available to view here:… https://t.co/HS1aUOwnCw
Retweeted by stephen
7/3
2020
Accidentally found a v8 0day when I was preparing the challenges for 0CTF/TCTF 2020😅. It was the second RCE in this… https://t.co/Q1PGU46zm5
Retweeted by stephen
6/24
2020
Continue the journey into the depths of Chrome memory management trickery with @mmolgtm 's root cause and variant a… https://t.co/y9wHBx3quu
Retweeted by stephen
6/23
2020
Released a short write up about the FF sandbox escape from last month. Includes details of how I was able to add a… https://t.co/6bxjoOVmSk
Retweeted by stephen
6/17
2020
Introducing #CrossTalk (#SRBDS), the first #MDS cross-core attack which can leak stale data from an offcore staging… https://t.co/KABP5ub2v1
Retweeted by stephen
6/9
2020
@domenuk @jiska___ Well sed
We (w/ @__hach_) found a vulnerability in Kubernetes: - CVE-2020–8555 - +40K$ crazy bounties - Really cool stuf… https://t.co/c9nFE8a6PB
Retweeted by stephen
6/3
2020
My solution to Scriptless challenge from @Pwn2Win created by @lbherrera_ tl;dr #xsleaks in <input pattern=""> https://t.co/uG4foysjpR
Retweeted by stephen
5/31
2020
@joernchen Depends on the bug. Any funny name/logo opportunities? => Twitter it is
5/29
2020
@dvyukov @_tsuro If you fix it, submit it at https://t.co/nVupucKfMv if you just want an exploit, sent it to https://t.co/gSMvDrHIKs
Retweeted by stephen
Want easy money? Take a use-after-free from syzbot dashboard: https://t.co/7DO16l2Gal Fix & submit to VRP program.… https://t.co/RSSM1FWPs6
Retweeted by stephen
@0xddaa Yeah, we're working on some k8s based CTF infrastructure: https://t.co/BGTSBV6uIZ It's still in alpha thoug… https://t.co/vS6O4S8lu1
We just announced a new bug bounty on a hardened kubernetes cluster. The fun part: 1days are explicitly in scope!… https://t.co/OU3zkCKwwE
Announcing Twitter account: @BugsChromium. Similarly to @ProjectZeroBugs, It periodically tweets about bugs in Chro… https://t.co/JzZJBNXMQP
Retweeted by stephen
5/28
2020
@p4_team @hack_a_sat https://t.co/MYIgr7Oq6N
Retweeted by stephen
5/25
2020
@AmarSaar @tjbecker_ @5aelo Agreed, I used the same for my ntpd exploit on OSX a while back :): https://t.co/j3jfnzZaAQ
@Yannayli @yoavalon @tjbecker_ @PlaidCTF The challenge was based on this bug. Did you release your exploit btw?
@_tsuro @tjbecker_ Great work! Yeah, the fact shared libs have the same virtual address among different processes i… https://t.co/vvWm1FbWRM
Retweeted by stephen
Really cool talk by @tjbecker_ on his Chrome sandbox escape: https://t.co/UXItNgcW3U Exploiting a UaF in the brows… https://t.co/AlVzz6OjGD
5/22
2020
It's online! Bluetooth RCE == Wi-Fi RCE. Say hello to Spectra, the concept of breaking wireless chip separation as… https://t.co/JlfKYldVq9
Retweeted by stephen
5/21
2020
Lots of blog posts in queue. This week we're talking about about all of the cool features in the new debugger plugi… https://t.co/4YRwbwZm6q
Retweeted by stephen
5/8
2020
New blogpost on some recent fuzzing work of mine (and 0click attack surfaces!): https://t.co/b2FInuz4bG
Retweeted by stephen
4/28
2020
https://t.co/acBBMTvPvI
Retweeted by stephen
4/24
2020
Can finally share the details for our recent chrome sandbox escape exploit. Full exploit code provided in bug repor… https://t.co/BQMzx615Xx
Retweeted by stephen
4/22
2020
@hama7230 https://t.co/46yOSu3kkL
@Oranav We were thinking what if you create a second connection and somehow get shared memory between the two. But… https://t.co/r9mYmj1Z6L
4/21
2020
@Oranav Another solution is in https://t.co/e9S1hd00DQ, but what's the third? Maybe a race on the open arg check?
It's here! Details on how we achieved #SMBGhost RCE are available. Enjoy! "I'll ask your body": SMBGhost pre-auth R… https://t.co/3XburjYaEO
Retweeted by stephen
https://t.co/9W1nNj5zCl 2020 Plaid CTF mojo
Retweeted by stephen
4/20
2020
@borrello_pietro I want to wait with releasing the exploit since it's not fixed yet and IMO the exploit is not triv… https://t.co/RXXvmsNJJ3
The video from our presentation about fuzzing Windows kernel is up https://t.co/bptfYvJGAr https://t.co/Uoas0jehCG
Retweeted by stephen
My OffensiveCon talk is online! This year I did a talk about Safari RCE and SBX bugs at OffensiveCon. You can chec… https://t.co/BfduxfjXra
Retweeted by stephen
@cgvwzq I was using CookieManager.SetCanonicalCookie: https://t.co/CpcaKgpGaD and put the payload in the path. I th… https://t.co/lg8uBeSH83
The recording of my #OffensiveCon20 talk is up in which I demo a Chrome sandbox escape using RIDL:… https://t.co/Buh05FxNaW
Bored in isolation? Do not despair! #OffensiveCon20 videos are now up! https://t.co/JpPpX4oUoz
Retweeted by stephen
4/17
2020
@kolombrey I just pushed the code to https://t.co/cUXDtsP5vU. The way it works is pretty simple: * scan the image w… https://t.co/08To3jxD1J
4/15
2020
Our exploit team (@hugeh0ge, @_N4NU_) has succeeded at #SMBGhost pre-auth "remote" code execution. While SMBGhost… https://t.co/6uHYVOEdhO
Retweeted by stephen
4/14
2020
My weekend project: a small webapp to translate manga for me. It's using the Google Cloud Vision API for OCR and th… https://t.co/xKUDJOcDr9
4/13
2020
The funny thing is that we’re like, “huh, ok” with this disclosure, but “oh no what will Schneier say” with the (co… https://t.co/9TDKj6aOON
Retweeted by stephen
4/8
2020
Here's a fun bug in bubblewrap (in rare configs only): https://t.co/8msEoeZSMn If you're bored, this would have ma… https://t.co/5Qtk1pg5y7
4/3
2020