About

TL;DR: I wrote a couple of advisories, several Burp extensions, I’m the author of a Metasploit module with various different OS/architecture targets and multiple AFL related tools. I have also developed a cracking technique for private keys in Java JKS files and wrote the “15:12 Nail in the Java Key Store Coffin” POC||GTFO article about it. I’ve contributed to projects like mona.py, AFL, Browser Exploitation Framework (BeEF), Metasploit and w3af.

I’m interested in all kind of security topics and I’m working as an IT security analyst (consultant/Pentester) at my own company Pentagrid AG. Before I started working I got two nice little pieces of papers from my university. Since then I analysed the security of products, systems and environments in well over 250 different projects. I also lectured information security at University and might do again in the future.

A long time ago (2009?) I was active on the remote-exploit.org forums (former backtrack and now kali linux). For example I played with Fake Wireless Access Points, which I still use from time to time. Later I developed a fuzzer plugin for the web application scanner w3af and contributed other plugins. For a couple of months I was all into Advanced Search Engine Operators, for example the ip: operator of Bing to detect shared hosting. I wrote two plugins (taking pictures from a webcam and sending it to the attacker as well as a Gmail XSRF logout plugin) for the Browser Exploitation Framework (BeEF).

At one point I wanted to move on and explore other areas. I started playing with Atmega microcontrollers, my Raspberry Pi and I built a small 3x3x3 LED Cube with an Arduino. I never dived extremely deep into hardware, but from time to time I’m still doing hardware related projects. Much later I started doing the ChipWhisperer tutorials which can be used to attack hardware such as embedded devices. Although I didn’t get very far yet. Again several years later now I supported someone trying to Volt glitch a chip, we tried several days, but no success so far.

I did some research and had a few public speeches about Android security. I broke some Android related things that were never made public.

At the same time I was lucky to be able to attend the corelan exploit development training. One and a half years later I wrote my first feature for corelan’s awesome mona.py tool. The unicodealign command I wrote automatically generates code alignment code for Unicode buffer overflows. The feature is available in mona.py with “!mona unicodealign”. The next step was to use this knowledge in the wild, I turned a Proof of Concept crash into a full exploit which circumvents DEP and ASLR, works on x86 and ARM and targets Windows, Linux and FreeBSD. The entire process took a lot of code porting (python to ruby), implementing as a Metasploit module, separating protocol and exploit and so on. In the end it landed in the official Metasploit repository.

I’ve been fuzzing a lot, mostly with AFL and helping to improve the tool where I can. I also bought some odroid u3s which were under heavy load to fuzz C/C++ code. For example I reported a couple of issues to the libtiff maintainers and several other projects. From this point on I started fuzzing work-related projects if time permits.

Breaking the products of all three major Mobile Device Management (MDM) vendors is part of my job for many years already. Although most of the found issues are under NDA, a XSS and a little authentication trick aren’t anymore.

I found a technically very interesting TLS session resumption race condition in the Twitter iOS app.

I’ve also been collecting “things that can go wrong” (mainly things that go wrong in code) as a big script that uses the grep command line tool, the project is called crass. I always use it for security analysis when I get zip files thrown at me where I don’t know where to start. I still think it’s a good alternative/addition to semgrep. By now crass also made it into the EMBA scanner as a module.

I always came back to my web application security roots, this time to release two Burp Suite extensions, an HTTP fuzzer and a response overview (it’s also in the BApp) extension. Moreover, I gave a workshop at the area41.io conference about the massive UploadScanner Burp extension I wrote during an entire year (it is also available through the official Burp BApp store). As Burp needs to understand custom encoding and encryption, I’ve released a couple of HTTP transport encoding Burp extensions and background information. To improve control of the Burp active scanner for pentesters I’ve also released the Pentagrid scan controller extension to the BApp store.

I have also developed a cracking technique for private keys in Java JKS files and wrote the “15:12 Nail in the Java Key Store Coffin” POC||GTFO article about it.

Six years after the Corelan Bootcamp and after solving all its exercises twice as well as writing nicely documented solutions for personal use, I felt ready to go for the Corelan Advanced course. I went the extra mile and wrote some scripts automating crash exploration for certain exercises, people who took the course can read all about it on the forum. That’s also where I finished my first heap overflow exploit exercise including DEP/ASLR evasion (memory leak) on Windows 7 with IE8 (CVE-2012-1875). There is still several month of full time work ahead of me to finish all the homework, so I’m sure that will take me another six years. On the other hand I never sell vulnerability or exploits, so this is only a very time-consuming hobby.

As I like trying new AFL-fuzzer related things, I started fuzzing Java programs with several AFL-based Java fuzzers and found several DoS issues in Apache Commons, Apache PDFBox, Apache Tika and rediscovered an issue in the Java standard library. Later I found an issue (CVE-2019-17359) in the ASN.1 parser of BouncyCastle (Java). I’m closely watching the AFL++ developments now of course.

I also gave a couple of CTF challenges a try and wrote some tools while doing them. Afterwards, I started being a trainer for the Liechtenstein European Cyber Security Challenge (ECSC) team, where people between the age of 15 and 25 solve CTF challenges during the year to compete in a yearly European tournament.

While doing pentesting for Pentagrid I broke several things that we made public such as a vulnerability in AWS Cognito, a broken password manager, a minor issue in a Electronic Banking Internet Communication Standard (EBICS) implementation (that used a WAF bypass that was then reported to modsecurity) or a technically boring IDOR to download credit card statements. I didn’t hack NASA’s Curiosity rover.

Languages are important. I know enough German, English, Python, Java, PHP, SQL, Search Engine Operators, HTML, French, Javascript, XML, Bash, Regex, C/C++, Assembler, Ruby, Vallader Romansh and clef (music) to get along. And probably some others. Let’s not start with tools. And of course there are Metasploit modules I’d like to release and a hundred things I’d like to write about in public. But that’s not how our industry works.

I’ve been speaking and giving workshops at various conferences and meetups, including area41, hashdays (the former area41), OWASP Switzerland, 0sec, BSides Zurich, Blackalps, Swiss Cyber Storm and other security meetups as well as private conferences. I’ve and I still am participating in the review board of a very large event.

In the past I’ve collected bug bounties from Twitter, Shopify and Swisscom.

Contributed to CVEs: CVE-2015-8870, CVE-2015-9232, CVE-2016-10511, CVE-2017-10356, CVE-2018-1338, CVE-2018-1339, CVE-2018-8017, CVE-2018-8036, CVE-2018-12418, CVE-2018-11771, CVE-2018-3214, CVE-2019-17359, CVE-2019-19461, CVE-2019-19821, CVE-2022-3442. However, as MITRE is super unreliable in assigning CVEs for vulnerabilities (they often don’t reply to emails), I don’t always bother anymore to request one (better check the Pentagrid blog for what we could have requested one).

You can send me an email to floyd at floyd dot ch. Or simply leave me a message here.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.