Álisson Bertochi

5.7K posts


@AlissonBertochi

Founder of Projeto CTF-BR (@ctfbr), ELT (@eltctfbr), TecLand Group (@teclandgroup) and @Pwn2Win CTF

Brazil. Joined February 2012
417 Following, 306 Followers
Álisson Bertochi retweeted
tmp.0ut (@tmpout)
🚨 We are extending the deadline for our Volume 5 Call For Papers and its Rootkit Competition! Check out the updated dates below: → tmpout.sh/blog/vol5-cfp.… (until May 1st 2026) → tmpout.sh/blog/vol5-root… (until May 31st 2026) We are looking forward to reading your work!
Álisson Bertochi retweeted
Giulio Zausa (@giuliozausa)
I gave a talk at CCC about silicon reverse engineering! 👨🏼‍💻 I went through how I used JavaScript and Inkscape to automate my process, going from a microscope picture of a chip to a working emulator 🔬 You can watch it here 📽️: media.ccc.de/v/38c3-proprie…
Álisson Bertochi retweeted
Stanislav Kozlovski (@kozlovski)
An incredibly awful security vulnerability just got revealed in MongoDB. So much that it got named after HeartBleed. MongoBleed is a vulnerability affecting all MongoDB versions from 2017 to... today.

The exploit is simple. It's a buffer over-read bug due to compression. Here's how it works 👇

Clients can send compressed requests to MongoDB. The client helpfully includes the uncompressed size of the message so the server knows exactly how much memory to allocate when decompressing. The server allocates a memory buffer with the given space.

Due to how memory management and garbage collection in programs work, this allocated memory may already contain sensitive information that was copied earlier and is considered garbage now (e.g. because it's unreferenced). This is technically fine - every computer program works that way because it is assumed that whatever unclaimed memory exists there will be overwritten.

Unfortunately that's exactly where the bug lies. 🙃 The server stupidly trusts the client's provided uncompressed size. When a malicious client lies about the uncompressed size - e.g. the actual decompressed size is 100 bytes, but the client says it's 1MB - Mongo will treat the full 1MB block as the message. It will unload the 100 byte decompressed msg into the buffer, yet treat the full 1MB block as the msg.

This is extremely problematic if you can get the server to return back parts of the 1MB block, because it could contain data you may not have access to. That is exactly what the exploit does - it sends a badly-formatted BSON message. The server fails to parse it, and "helpfully" returns an error message containing the invalid message. The invalid message can be that whole 1MB block of foreign data.

To understand the exploit a bit better, you need to understand the MongoDB protocol.
• Mongo also uses its own TCP wire format (i.e. doesn't use HTTP, gRPC or the like).
• BSON is Mongo's message format passed within the TCP wire format. BSON is basically JSON in binary form.
• Commands in Mongo don't have particular endpoints or RPC names - rather, they are simply JSON-like messages. The action is inferred from the first key of the JSON. For example, an insert request looks like this: `{ "insert": "users", "documents": [ { "name": "alice", "age": 30 } ] }`

Every request to the server is therefore decoded into the BSON format as it's parsed. Critically, BSON parsing of field names (which are strings) works by parsing the field until you hit a null terminator byte (0x00). It works exactly like strings in C, which have their own rich history of vulnerabilities.

We can now tie things together:
1. The client lies to the server that its request has a big uncompressed size, so the server allocates a large block of memory.
2. The client sends an invalid BSON with a field which does NOT contain the null terminator (0x00).
3. The server naively tries to parse the BSON field in that allocated block until it hits the first null byte. The first null byte is encountered in some foreign data since the BSON literally doesn't have it.
4. The server realizes this is a completely invalid BSON message so it responds with an error.
5. The error response contains the invalid BSON "field". Critically, the server parsed garbage data from the heap in step 3, so it returns that data in the response.

Congrats. If the garbage contains passwords or other sensitive info, you've hacked MongoDB! Hackers exploit this by sending many malicious requests per second and then attempting to reconstruct the pieces of garbage they received back.

What's critical about this vulnerability is that it works on ANY internet-accessible unpatched instance of MongoDB. 💀 You don't need to authenticate with the server, because this whole request/response parsing cycle happens before the server can even authenticate. Obviously you can't authenticate a malformed request which doesn't contain credentials - so that path of the code never gets executed. The server simply responds with an error response. It just so happens that this error response can contain sensitive data. 🤷‍♂️

Merry Christmas
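An added illustration of the parsing defect the thread describes and the defender-side fix; this is example code written for this page, not code from the thread or from MongoDB. It contrasts a field-name scan bounded only by the allocation (sized from the client-declared length) with one bounded by the bytes the decompressor actually produced, plus the declared-vs-actual size check. The 32-byte buffer, the field name and the "stale" bytes are constructed for the example.

```c
#include <stddef.h>
#include <string.h>

/* Unsafe variant, mirroring the behaviour described in the thread: the scan
 * for the NUL terminator is bounded only by the allocation, which was sized
 * from the client-declared uncompressed length. A field name with no NUL
 * therefore runs on into whatever stale bytes follow the real payload. */
long cstring_len_unsafe(const unsigned char *buf, size_t alloc_len) {
    for (size_t i = 0; i < alloc_len; i++)
        if (buf[i] == 0) return (long)i;
    return -1;
}

/* Hardened variant: the scan is bounded by the number of bytes the
 * decompressor actually wrote, never by the declared size, so an
 * unterminated name is rejected (-1) without touching bytes past it. */
long cstring_len_bounded(const unsigned char *buf, size_t actual_len) {
    const unsigned char *nul = memchr(buf, 0, actual_len);
    return nul ? (long)(nul - buf) : -1;
}

/* Post-decompression check: a declared size that differs from the bytes
 * actually produced is a malformed message and should be dropped, not
 * parsed (and the error reply should not echo raw message bytes). */
int decompressed_size_ok(size_t declared, size_t actual) {
    return declared == actual;
}

/* Constructed sample: a 32-byte allocation. The first 8 bytes stand in for
 * the decompressed message (a field name with no terminator); the remaining
 * 24 bytes play the role of stale heap contents left by an earlier request. */
enum { ALLOC_LEN = 32, ACTUAL_LEN = 8 };

static void build_sample(unsigned char out[ALLOC_LEN]) {
    memcpy(out, "username", 8);                         /* no NUL in the payload */
    memcpy(out + 8, "secret-passwd\x00leftover!!", 24); /* stale bytes, NUL at 21 */
}

long unsafe_result(void) {  /* returns 21: the scan ran into the stale region */
    unsigned char b[ALLOC_LEN]; build_sample(b);
    return cstring_len_unsafe(b, ALLOC_LEN);
}

long bounded_result(void) { /* returns -1: unterminated name rejected */
    unsigned char b[ALLOC_LEN]; build_sample(b);
    return cstring_len_bounded(b, ACTUAL_LEN);
}
```

The unsafe scan returns a "field name" of 21 bytes that includes the stale `secret-passwd` bytes, which is exactly what would be echoed back in an error reply; the bounded scan never looks past byte 8.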
Álisson Bertochi retweeted
Luke (datalocaltmp) (@datalocaltmp)
If you're excited to see the WhatsApp bug thrown @thezdi - free to watch my talk from @reconmtl 2025 on 4 remote bugs I discovered last year! While they're not 0-click RCE - there are some remote corruption and funny logic bugs in there. youtube.com/watch?v=bre5bA…
Álisson Bertochi retweeted
Boris Larin (@oct0xor)
Living legend Yuki Chen @guhe120, who has reported over 1,000 vulnerabilities to Microsoft in his career, gives a presentation on Windows 0-clicks #TheSAS2024
Álisson Bertochi retweeted
TecLand Group (@TecLandGroup)
The cream of the crop of PPC (Coding) challenges, to wrap up the free tickets in style! Have fun!
Álisson Bertochi retweeted
TecLand Group (@TecLandGroup)
Second challenge worth tickets to the TecLand Vulnerability Research Edition. This time it's PPC (Coding), for the first 3 solves ;) curl easier.than.minecraft.pe
Álisson Bertochi retweeted
TecLand Group (@TecLandGroup)
2 months until the most exclusive (and leet) event of the year! Your chance to learn and network with the best is almost gone! :) bit.ly/tecland-2024-i…
Álisson Bertochi retweeted
TecLand Group (@TecLandGroup)
Tomorrow it gets more expensive to attend the most exclusive technical event in Brazil! Seats were reduced so that we can give participants an extremely unique learning and networking experience, in a very cozy environment. bit.ly/tecland-2024-i…
Álisson Bertochi retweeted
tylerni7 (@tylerni7)
This is a kinda fun read (from Eugenio Benincasa at ETHZ) for people in the CTF scene: css.ethz.ch/content/dam/et… It's quite interesting to see someone look so deeply at CTF team lineages and memberships, and it's extra entertaining for those of us who "lived" it.