Mikhail Shcherbakov
@yu5k3.bsky.social
Doing security research. For fun and profit...
Also planning to finally drop those promised threads in the coming weeks: my V8 exploit dev journey, some client-side #bugbountytips, and maybe more depending on what I dig up from my old notes ✍️
July 23, 2025 at 9:56 AM
Due to vacation, June (and probably July) don't bring many reports:
- 1 Crit reported;
- 1 Crit 9.9 😎 (@elastic.co fixed the #RCE chain behind my CVE-2025-2135 exploit discuss.elastic.co/t/kibana-7-1... and CVE-2025-25012 discuss.elastic.co/t/kibana-7-1...);
- 1 new Medium closed as Informative.
July 23, 2025 at 9:56 AM
Looks like now's the right time to finally dive in! The threat model for extensions looks promising for BB. postMessage() alone opens up new attack variations that don't exist in classic client-side apps 💡

Let's see what I can find in this space 👀
July 23, 2025 at 9:56 AM
@shaunau.bsky.social If you haven't seen my previous talk about Kibana RCEs (it doesn't cover these ones), you might find it interesting, especially if you're into tricky Prototype Pollution exploits. Check it out youtu.be/H-bhmSwnRdY?...
DEF CON 32 - Exploiting the Unexploitable Insights from the Kibana Bug Bounty - Mikhail Shcherbakov
June 13, 2025 at 11:16 AM
Yeah, many Kibana RCEs I reported are beautiful. They implemented a lot of mitigations I had to bypass 😁 I'd love to share details, but for this bug it's too early. I'm also too lazy for blog posts, usually just drop stuff at conferences. Definitely need to do one more talk on Kibana RCEs.
June 13, 2025 at 11:10 AM
If there's interest, I might write a thread on the resources that I used to dev my own Chrome RCE exploit.

Also, if you have an SSRF in Chrome 134 in a BBP, DM me. It could be a great collab to turn the report into a full RCE 🤝

#bugbounty #infosec #rce #chromium #v8
June 11, 2025 at 11:47 AM
- Open-source repo = easy diffs for n-days
- Regression tests (if you're lucky) help a lot
- Controlled JS = powerful primitives, e.g., heap and JIT spraying
- V8 sandbox adds that spicy edge 🌶️
June 11, 2025 at 11:47 AM
I played with Chrome vulns back in Jan, mostly trying to reproduce n-days. In May, I found promising targets and developed an RCE from scratch to reverse shell in Chromium 134.

Low-level exploits are real fun 🔥 and Chromium is an awesome playground for them:
June 11, 2025 at 11:47 AM
So yeah, I've started thinking about switching back to industry and ending the full-time BB experiment. Don't be surprised if that happens in the next couple of months; it'll just mean the dark side with cookies and performance reviews won this round 😅
May 13, 2025 at 9:59 AM
Hitting my Q1 milestone of earning the same as I would've by signing my last job offer definitely gives me motivation to push even harder. That said, my current efforts haven't led to any big breakthroughs in my BB methodology.
May 13, 2025 at 9:59 AM
Still, it opens up more opportunities that I'm trying to take advantage of. I'm investing time into researching new types of attacks and building out automation.

This is really the kind of life I enjoy: taking risks and being fully responsible for everything that happens!
May 13, 2025 at 9:59 AM
The first financial goal, reaching income comparable to a full-time IT job, is achieved!

Two RCEs with a bit of "collateral damage" per month has been enough to make it work, though I won't lie, it's way more stressful.
May 13, 2025 at 9:59 AM
In April, I reported 2 #RCE (consistency 😎), and once again, one of them was classified as Medium. Fine, move on. Many previously reported vulns also got paid this month 💸

I've been doing BB full-time since late last year, so it's a good moment to sum things up.
May 13, 2025 at 9:59 AM
If I have extra time, I go through old notes and mine a few more, usually with less critical severity. As you can see, some RCEs end up being classified as Medium due to BBP restrictions... but even then, the bounties were not too bad.
May 13, 2025 at 9:59 AM
RCE in Elastic Kibana via Prototype Pollution (CVSS 9.9) 🚀 www.cve.org/CVERecord?id...
May 7, 2025 at 7:19 PM
RCE in Elastic Kibana via Prototype Pollution (CVSS 8.7) 🤔 Curious about the A:N in the vector for the RCE... typo, or did I miss something? www.cve.org/CVERecord?id...
May 7, 2025 at 7:19 PM
Unrestricted File Upload in Elastic Kibana (CVSS 5.4). Part of another chain ending in XSS and showing ATO impact. I shared some details at my last DEF CON, but the deep dive is still in the vault. Looks like I've hoarded enough CVEs for the next talk 😅 www.cve.org/CVERecord?id...
May 7, 2025 at 7:19 PM
Unrestricted File Upload in Elastic Kibana. Part of the most beautiful and non-trivial chain I've built. I'm excited to get a chance to share the full story in a con talk someday 🤞 www.cve.org/CVERecord?id...
May 7, 2025 at 7:19 PM
RCE in Elastic Kibana via Prototype Pollution (CVSS 9.1) 🔥 www.cve.org/CVERecord?id...
May 7, 2025 at 7:19 PM
I also agree that there are cases where RCE can be an expected issue, e.g. via ffmpeg in an isolated container. My concern is about changing the reported CVSS without any clarification. An RCE can be paid as Medium if it affects a non-priority target (and the BBP says so), but this fact does not affect CVSS.
February 26, 2025 at 10:15 AM