Alex Plaskett
@alexplaskett.bsky.social
Security Researcher | Pwn2Own 2018, 2021, 2022, 2024 | Posts about 0day, OS, mobile and embedded security.
Reposted by Alex Plaskett
Chinese robot maker Unitree has removed a problematic component from the firmware of its Go1 robot dog that could have allowed remote attackers to take over the robot

www.scmp.com/tech/tech-tr...
China’s Unitree fixes flaw that gives hackers remote control of robots
The start-up has downplayed the impact of the vulnerability, noting that the affected model has been discontinued.
www.scmp.com
May 11, 2025 at 4:51 PM
Reposted by Alex Plaskett
the takeover has begun..
trainings start tomorrow morning!
May 11, 2025 at 5:39 PM
Reposted by Alex Plaskett
Happy to share my slides from BOOTSTRAP25. Unfortunately the bug discussed is still not patched in Linux 6.14.0 despite it being reported explicitly. Slides are in markdown but there's a PDF in "releases" too github.com/jduck/bs25-s...
GitHub - jduck/bs25-slides: Slides from "Musing from Decades of Linux Kernel Security Research" at BOOTSTRAP25
Slides from "Musing from Decades of Linux Kernel Security Research" at BOOTSTRAP25 - jduck/bs25-slides
github.com
March 25, 2025 at 7:26 PM
Reposted by Alex Plaskett
Delighted that our paper on "Grammar mutation for testing input parsers" - led by Bachir Bendrissou and joint with @ccadar.bsky.social - is now published in ACM TOSEM! This came from a registered report at FUZZING. Check it out! doc.ic.ac.uk/~afd/papers/...
doc.ic.ac.uk
January 14, 2025 at 10:19 AM
Reposted by Alex Plaskett
Reminder that the Phrack 72 CFP closes APRIL 1ST 2025. Get your papers in and come be a part of our fabulous 40th anniversary issue!

See phrack.org for more info
March 13, 2025 at 7:41 PM
Reposted by Alex Plaskett
Would you look at that, it's tmp.0ut Volume 4! Happy Friday, hope you enjoy this latest issue!

tmpout.sh/4/
March 21, 2025 at 4:26 PM
Reposted by Alex Plaskett
Only a week and a half left for USENIX WOOT '25 conference submissions - deadline March 11 AoE. We’re looking forward to seeing even more of your amazing offensive security papers this year! And still a few days for up-and-coming track (March 4). CfP at www.usenix.org/conference/w...
February 28, 2025 at 8:56 PM
Reposted by Alex Plaskett
We discover 119 vulnerabilities in LTE/5G core infrastructure, each of which can result in persistent denial of cell service to an entire metropolitan area or city and some of which can be used to remotely compromise and access the cellular core.
https://cellularsecurity.org/ransacked
February 20, 2025 at 2:10 AM
Reposted by Alex Plaskett
I watch and read and I’ve seen all manner of research. But this research into visualising Wi-Fi signals using an array of ESP32 chips is something else.

www.youtube.com/watch?v=sXwD...

It is that good. That deep and frankly so out there and he calls himself a mediocre engineer too. WTF?

Blown away.
This ESP32 Antenna Array Can See WiFi
YouTube video by Jeija
www.youtube.com
February 16, 2025 at 4:51 PM
Reposted by Alex Plaskett
Hackers rejoice!

We are releasing the Phrack 71 PDF for you today!

Don't forget this year is Phrack's 40th anniversary release! Send in your contribution and be part of this historical issue!

The CFP is still open, you can find it and the PDF link at phrack.org
.:: Phrack Magazine ::.
Phrack staff website.
phrack.org
February 15, 2025 at 3:02 PM
Reposted by Alex Plaskett
Update your AMD Zen processor's BIOS: www.amd.com/en/resources...

Check with your OEM for BIOS updates with the new microcode patches, they have had some time to address this high importance item.
www.amd.com
February 5, 2025 at 12:56 AM
Reposted by Alex Plaskett
2024 was a significant year for decompilation, constituting a possible resurgence in the field. Major talks, the thirty-year anniversary of research, movements in AI, and an all-time high for top publications in decompilation.

Join me for a retrospective:
mahaloz.re/dec-progr...
Decompiling 2024: A Year of Resurgance in Decompilation Research
The year 2024 was a resurgent year for decompilation. Academic publications from that year made up nearly 30% of all top publications ever made in decompilat...
mahaloz.re
January 29, 2025 at 5:45 PM
Reposted by Alex Plaskett
Just unrestricted an issue that shows a fun new attack surface. Android RCS locally transcribes incoming media, making vulnerabilities in audio codecs now fully remote. This bug in an obscure Samsung S24 codec is 0-click

project-zero.issues.chromium.org/issues/36869...
Project Zero
project-zero.issues.chromium.org
January 10, 2025 at 12:08 AM
Reposted by Alex Plaskett
Looking through the schedule of #38c3 which starts tomorrow. Some talks I’ll be watching the streams for this year:

ACE up the sleeve: Hacking into Apple's new USB-C Controller

fahrplan.events.ccc.de/congress/202...

Liberating Wi-Fi on the ESP32

fahrplan.events.ccc.de/congress/202...
ACE up the sleeve: Hacking into Apple's new USB-C Controller 38C3
With the iPhone 15 & iPhone 15 Pro, Apple switched their iPhone to USB-C and introduced a new USB-C controller: The ACE3, a powerful, very custom, TI manufactured chip. But the ACE3 does more than ju...
fahrplan.events.ccc.de
December 26, 2024 at 8:11 AM
vacation reading material acquired!
December 23, 2024 at 3:33 PM
Pretty interesting technique used by _mccaulay here to understand the heap better and aid exploitation of a TP-Link vulnerability!

www.nccgroup.com/uk/research-...
December 23, 2024 at 3:19 PM
Reposted by Alex Plaskett
We updated our CFP for Phrack 72! The deadline is now April 1st 2025. Check the site for specifics on how to contribute, as well as some inspiration! We also posted a link to purchase physical copies of Phrack 71, and a donation link too. Enjoy!

phrack.org
December 16, 2024 at 10:56 PM
Reposted by Alex Plaskett
Intel launched the Pentium processor in 1993. Unfortunately, dividing sometimes gave a slightly wrong answer, the famous FDIV bug. Replacing the faulty chips cost Intel $475 million. I reverse-engineered the circuitry and can explain the bug. 1/9
December 6, 2024 at 4:48 PM
Reposted by Alex Plaskett
I wrote a fun, little blog post. Remote pre-auth file deletion in SolarWinds ARM allowed achieving LPE on AD machines 🙃
December 12, 2024 at 6:03 PM
Reposted by Alex Plaskett
New DCOM lateral movement technique discovered that bypasses traditional defenses. Unlike previous attacks relying on IDispatch interfaces, this method exploits undocumented COM interfaces within MSI, specifically targeting IMsiServer and IMsiCustomAction interfaces. 1/7
Forget PSEXEC: DCOM Upload & Execute Backdoor
Join Deep Instinct Security Researcher Eliran Nissan as he exposes a powerful new DCOM lateral movement attack that remotely writes custom payloads to create an embedded backdoor.
www.deepinstinct.com
December 12, 2024 at 12:00 AM
Reposted by Alex Plaskett
Course materials for Modern Binary Exploitation by RPISEC
github.com/RPISEC/MBE?s... via @alexplaskett.bsky.social
GitHub - RPISEC/MBE: Course materials for Modern Binary Exploitation by RPISEC
Course materials for Modern Binary Exploitation by RPISEC - RPISEC/MBE
github.com
December 10, 2024 at 8:09 AM
Reposted by Alex Plaskett
I recently saw an amazing Navajo rug at the National Gallery of Art. It looks abstract at first, but it is a detailed representation of the Intel Pentium processor. Called "Replica of a Chip", it was created in 1994 by Marilou Schultz, a Navajo/Diné weaver and math teacher. 1/n
November 25, 2024 at 4:29 PM
Reposted by Alex Plaskett
If you're interested in the technical details, I wrote the blog post here: flatt.tech/research/pos...

For further details, please check out the announcement from the OpenWrt team: lists.openwrt.org/pipermail/op... (2/2)
Compromising OpenWrt Supply Chain via Truncated SHA-256 Collision and Command Injection
Introduction Hello, I’m RyotaK (@ryotkak), a security engineer at Flatt Security Inc. A few days ago, I was upgrading my home lab network, and I decided to upgrade the OpenWrt on my router. After ac...
flatt.tech
December 7, 2024 at 9:47 AM