ronka @epsilan - Twitter Profile

over 4 years ago

@xnyhps that's really unfortunate. it seems it was lost in the chaos somewhere. to add more ASB data: my disclosure to bounty timeline was 10 months starting in january

1

0

ronka @epsilan

over 4 years ago

#OBTS was just surreal. many thanks to everyone for the warm reception, you can find my slides detailing the story behind 5 app/macro sandbox escapes stemming from one root cause here: https://t.co/DXktTvGrp0

epsilan's tweet photo. #OBTS was just surreal. many thanks to everyone for the warm reception, you can find my slides detailing the story behind 5 app/macro sandbox escapes stemming from one root cause here: https://t.co/DXktTvGrp0 https://t.co/zCh4wSytyT

3

39

9

4

0

epsilan retweeted

Objective-See Foundation @objective_see

over 4 years ago

Ron Waisberg (@epsilan) of @okta, detailing a lovely a logic vulnerability he discovered in LaunchServices (CVE-2021-30677) and creative ways to reliable exploit it! 🙌🏽 #OBTS If you're not on the conference live stream, you're missing out! Join us: https://t.co/8eEeWGDkG0 🎥

objective_see's tweet photo. Ron Waisberg (@epsilan) of @okta, detailing a lovely
a logic vulnerability he discovered in LaunchServices (CVE-2021-30677) and creative ways to reliable exploit it! 🙌🏽 #OBTS

If you're not on the conference live stream, you're missing out!

Join us: https://t.co/8eEeWGDkG0 🎥 https://t.co/i5nyjzzbb7

1

26

9

1

0

ronka @epsilan

over 4 years ago

@durumcrustulum @0xmachos @patrickwardle good find. this should have the envvar ignored but testing on 5.17.2 I'm not seeing that behaviour and I'm dropped into a node interpreter 🤔

1

0

Who to follow

Mickey Jin

@patch1t

Exploring the world with my sword of debugger : )

JsQ4Kn0wledge

@JsQForKnowledge

Focussing on Microsoft Identity And (Information) Security related matters! Husband of 1, father of 2, motorcycle lover and somewhere in between a geek!

starlabs

@starlabs_sg

A Singapore company that discovers vulnerabilities to help customers mitigate the risks of cyber attacks. Organisers of @offbyoneconf

ronka @epsilan

almost 5 years ago

@ClassicII_MrMac @theevilbit all will be revealed in ~2 weeks time at @objective_see #OBTS 🤭🤠

1

2

0

ronka @epsilan

almost 5 years ago

@theevilbit @ClassicII_MrMac To add evidence to your theory: a bug of mine was fixed in 11.6

1

2

0

ronka @epsilan

almost 5 years ago

@_r3ggi @theevilbit @BlackHatEvents The bounty decision makes no sense. @mattshockl was your issue eligible for a bounty?

1

0

ronka @epsilan

almost 5 years ago

@theevilbit @BlackHatEvents @_r3ggi awesome talk & great finds!

2

0

ronka @epsilan

almost 5 years ago

Big Sur 11.5 fixed and assigned CVE-2021-30783 to a bug of mine in just under 2mo from report. Can't wait to share details about this bug and CVE-2021-30677 at @objective_see's #OBTS v4 !! Get your palms ready for your faces :))

0

8

0

ronka @epsilan

almost 5 years ago

honoured to speak alongside so many brilliant folks at #OBTS v4 https://t.co/l1yWl14UmL see y'all in Maui!! 🏖️🌴

0

3

1

0

ronka @epsilan

almost 5 years ago

CVE-2021-33765 is an Installer spoofing bug and variant of CVE-2021-26413 where a batch command is placed in CFB unallocated bytes of an Installer file (preserving the signature) and cmd.exe optimistically interprets one line at a time without exiting early

epsilan's tweet photo. CVE-2021-33765 is an Installer spoofing bug and variant of CVE-2021-26413 where a batch command is placed in CFB unallocated bytes of an Installer file (preserving the signature) and cmd.exe optimistically interprets one line at a time without exiting early https://t.co/rsp1QQITuF

0

4

0

ronka @epsilan

about 5 years ago

@clintgibler did I get it?? https://t.co/b2LyVtVH83

0

ronka @epsilan

about 5 years ago

@_xpn_ this worked well for me https://t.co/7wsWY9cUET

0

2

1

0

ronka @epsilan

about 5 years ago

@xnyhps Yikes... so 6mo+ later that other bug is still unpatched

0

1

0

ronka @epsilan

about 5 years ago

@xnyhps thanks for sharing, Thijs 🙏 is this bug separate from the process injection bug described at the end of your presentation?

1

0

ronka @epsilan

about 5 years ago

@aionescu thanks Alex!! and if you're referring to my profile pic (which admittedly does look a lot like Mont Royal) it's actually Chapultepec Castle in Mexico City :)) hopefully we'll be back in mtl soon enough 🤞

1

0

ronka @epsilan

about 5 years ago

@thracky thank you John!! hopefully enough details in here to make for an easy report :P

0

ronka @epsilan

about 5 years ago

wrote a little write-up about my first MS bug: CVE-2021-26413 https://t.co/TiI6CS5can big h/t to @mattifestation for sharing his endless knowledge!

epsilan's tweet photo. wrote a little write-up about my first MS bug: CVE-2021-26413 https://t.co/TiI6CS5can big h/t to @mattifestation for sharing his endless knowledge! https://t.co/QG8hiW8bCb

0

152

64

23

0

ronka @epsilan

over 5 years ago

@theevilbit Not IDA but I recently wrote this for Hopper to help with reconstructing ObjC runtime info in Big Sur’s cache https://t.co/DNxu2G1vBz

1

3

0

ronka @epsilan

over 5 years ago

here is an example of what class and protocol information can be discerned (easy NSXPC clients anyone??) shoutout to Steve Nygard for the excellent class-dump and Vincent for excellent disassembler!

epsilan's tweet photo. here is an example of what class and protocol information can be discerned (easy NSXPC clients anyone??) shoutout to Steve Nygard for the excellent class-dump and Vincent for excellent disassembler! https://t.co/Jrwi7jRVDe

0

ronka @epsilan

over 5 years ago

hello world! for those reversing Big Sur, I wrote a Hopper (@bSr43) plugin to reconstruct ObjC runtime structures in the dyld_shared_cache. dePAC/import/analyze the names + types of ivars, properties, methods in classes & protocols: https://t.co/DNxu2G1vBz

1

6

1

0

ronka

@epsilan

Who to follow

Last Seen Users on Sotwe

Trends for you

Most Popular Users