Danis Jiang (@danis_jiang)

206 posts

Yuhao Jiang / former CTFer @ Vidar-Team / Security Researcher @ Ant Group Light-Year Security Lab / GeekPwn 2022 / Pwnie Awards 2023 / Tianfu Cup 2023

Joined August 2022
1.2K Following · 2.7K Followers

Pinned Tweet
Danis Jiang @danis_jiang
Our “Dark Corners: How a Failed Patch Left VMware ESXi VM Escapes Open for Two Years” slides are now available! This research was a collaborative effort with @0x140ce, @ezrak1e and myself. In this talk, we introduce the ESXi virtual machine escape and sandbox escape vulnerabilities we discovered, along with the stories behind them. At the same time, this is also the first talk to systematically introduce the ESXi sandbox. We hope you can gain useful content from it. i.blackhat.com/BH-USA-25/Pres…

Danis Jiang @danis_jiang
@runpensar They did, but they forgot to test this case. They also added this test case as part of the patch.

Pensar @runpensar
@danis_jiang Oh, I guess they don't have automated testing.

Danis Jiang @danis_jiang
Can't believe that in 2025 there are still people who think only "RCE" level bugs are vulnerabilities XD Now that is curl. They didn't want to admit the vulnerability, but they fixed it immediately lol. I will publish this vuln later.

Danis Jiang @danis_jiang
@PhilippeDelteil Well, I think it's a very clear CWE-297: Improper Validation of Certificate with Host Mismatch bug. 😉

Danis Jiang @danis_jiang
@PhilippeDelteil I tested and verified it. All the information is real, you can test it :)

Philippe Delteil @PhilippeDelteil
@danis_jiang Don't do that, especially in curl, they receive dozens of auto generated, extremely long reports. Most of them are just BS.

Oblivion Sage @theoblivionsage
@danis_jiang @bagder asked a super simple question: “How does the attacker even get a *.test.local cert for .test.local?” Your reply didn’t answer it at all. You just dropped an RFC wall and a bunch of AI-slop phrases like:

Danis Jiang @danis_jiang
@PhilippeDelteil It is AI generated, I also mentioned it in the h1 report. But it has been tested by myself.

Philippe Delteil @PhilippeDelteil
@danis_jiang I agree with curl, it's a bug but not a security one. I read the entire report in H1. I thought it was AI generated.

Danis Jiang @danis_jiang
@theoblivionsage @bagder It's true that .example.com is not a real domain. But if it's in a bash script or something, this may work. If this vuln can affect "example.com", it won't be just a low-medium severity vuln.

Oblivion Sage @theoblivionsage
@danis_jiang @bagder Bagder asked a threat-model question. Your reply again went into full AI-slop mode with a made-up “root domain takeover” scenario. .example.com is not a real domain. Nothing “escalates” from a stolen wildcard cert into a root-domain MITM. This is not how TLS works.

Danis Jiang @danis_jiang
@theoblivionsage @bagder For example, what do you think is a DoS bug's threat-model for curl? Is it important to fix a DoS vuln in curl? The user only needs to rerun it or skip this url. It won't cause any harm.

Danis Jiang @danis_jiang
@theoblivionsage @bagder I can't agree with you. This is a CWE-297: Improper Validation of Certificate with Host Mismatch bug. Actually I don't think it's necessary to have a direct threat-model for a low-medium severity vuln.

@LandoCarlizzian
@danis_jiang Argument 'it requires local attacker with privileges' doesn't really make sense tho, that wouldn't make vulnerability not a vulnerability, and the vuln doesn't in principle, or does it? Only if you assume only local attacker with privs ever gets their hand on a cert.

Danis Jiang @danis_jiang
@LandoCarlizzian You are right. It’s definitely a very limited vulnerability and I think the severity is low-medium. I submitted the report as a medium severity but they refused to admit it.

@LandoCarlizzian
@danis_jiang So the vector is that someone has wildcard cert for my domain, and mitm on someone connecting to it, and that someone is using curl? I mean it's definitely a vuln, but isn't this sort of check engine light in a tornado situation if my cert is pwned?

Danis Jiang @danis_jiang
@tomus_sherman It’s CWE-297: Improper Validation of Certificate with Host Mismatch. I don’t think it’s not curl’s job to guarantee the certification and host match.

Tom Sherman @tomus_sherman
@danis_jiang It's quite obviously a user misconfiguration error, it's not curl's job to protect you from SSRF

Danis Jiang @danis_jiang
@papaji17098340 Thanks. I don't need people to help me prove or validate this. This vuln has already been fixed by the maintainer.

sadd @papaji17098340
@danis_jiang I have seen many people, who claim some exploit to be a vulnerability, either get snubbed or validated. Mostly snubbed tho, because they come there for validation after getting rejected. Try posting this in r/bugbounty

sadd @papaji17098340
@danis_jiang Have you posted this on reddit (relevant sub)?

Danis Jiang @danis_jiang
@grok Thank you grok, you understand security better than some people.

Grok @grok
Based on the report, this is a security vulnerability. It allows bypassing hostname validation for wildcard certificates on leading-dot hostnames, potentially enabling man-in-the-middle attacks on HTTPS via custom DNS resolutions. Curl patched it in commit 2535c4298f. Not just a benign bug.

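The summary above describes a wildcard hostname check that accepts a leading-dot hostname such as `.test.local` against a `*.test.local` certificate. As an added illustration, not curl's code and not the reporter's proof of concept, here is a constructed matcher with that class of CWE-297 defect beside a stricter matcher written in the spirit of RFC 6125 section 6.4.3, run over constructed hostnames:

```python
# Added example: a constructed wildcard matcher with the CWE-297 class of defect
# the thread discusses (the wildcard label is allowed to match nothing, so
# '*.test.local' accepts the leading-dot hostname '.test.local'), beside a
# stricter matcher. Neither function is curl's code; hostnames are constructed.

def naive_wildcard_match(pattern: str, hostname: str) -> bool:
    """Suffix-based matching: checks that the host ends with '.test.local' and
    that whatever precedes it has no dot, but never requires it to be non-empty."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                       # '*.test.local' -> '.test.local'
    prefix = hostname[: -len(suffix)] if hostname.endswith(suffix) else None
    return prefix is not None and "." not in prefix   # prefix '' slips through

def strict_wildcard_match(pattern: str, hostname: str) -> bool:
    """Matching in the spirit of RFC 6125 section 6.4.3: every label must be
    non-empty (no leading, trailing or doubled dots), the wildcard may only be
    the whole left-most label, it matches exactly one label, and at least two
    labels must follow it (so '*.local' is refused)."""
    host_labels = hostname.lower().split(".")
    pat_labels = pattern.lower().split(".")
    if not all(host_labels) or not all(pat_labels):
        return False
    if "*" not in pattern:
        return host_labels == pat_labels
    if pat_labels[0] != "*" or any("*" in lbl for lbl in pat_labels[1:]):
        return False
    if len(pat_labels) < 3 or len(host_labels) != len(pat_labels):
        return False
    return host_labels[1:] == pat_labels[1:]

# Constructed cases; the first is the leading-dot shape described in the thread.
CASES = [
    ("*.test.local", ".test.local"),
    ("*.test.local", "www.test.local"),
    ("*.test.local", "test.local"),
    ("*.test.local", "a.b.test.local"),
    ("*.local", "test.local"),
]

def compare() -> dict:
    """Return {(pattern, host): (naive_result, strict_result)} for every case."""
    return {(p, h): (naive_wildcard_match(p, h), strict_wildcard_match(p, h))
            for p, h in CASES}

if __name__ == "__main__":
    for (p, h), (naive, strict) in compare().items():
        print(f"{p:14} vs {h:16} naive={naive!s:5} strict={strict}")
```

The only case on which the two matchers disagree for the `*.test.local` pattern is the leading-dot hostname, which is exactly the empty left-most label the stricter check refuses.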
Danis Jiang @danis_jiang
@grok based on this report, do you think this is a vulnerability or just a bug that doesn't have any security risk?