Xiaobye

200 posts

@xiaobye_tw

Joined July 2013
324 Following · 111 Followers
Xiaobye retweeted
TrendAI Zero Day Initiative
Booyah it's been confirmed! 🎉 splitline (@_splitline_) of DEVCORE Research Team chained 2 bugs to exploit Microsoft SharePoint, earning $100,000 and 10 Master of Pwn points. Massive aura farming this year at #P2OBerlin. Full win! #Pwn2Own
Xiaobye retweeted
TrendAI Zero Day Initiative
There it is! Orange Tsai (@orange_8361) of DEVCORE Research Team was able to exploit Microsoft Exchange! If confirmed, they win a whopping $200,000 and 20 Master of Pwn points. Off to the disclosure room to explain how they did it and seal the deal. #Pwn2Own #P2OBerlin
Xiaobye (@xiaobye_tw)
@calif_io @Dinosn @justdionysus Great write-up, thanks for sharing! I’m curious whether you’ve checked if the VNC server is accessible by default from the guest on platforms you mentioned.
Xiaobye retweeted
Victor Fresk0 (@hacefresko)
I have finally achieved remote code execution!!! I ended up using the arbitrary read primitive and overwriting some function pointers. Also, MediaTek acknowledged the vuln, so I will be releasing a very cool blog about this when the vuln is disclosed :D
Xiaobye retweeted
DEVCORE (@d3vc0r3)
@hexacon_fr 2025 is here! This week (Oct 10–11), our researchers Xiaobye (@xiaobye_tw) and Pumpkin (@u1f383) hit the Paris stage with vulnerability research on MediaTek Wi-Fi and Linux io_uring. Big debut for our young talents at Hexacon! 🔥
Xiaobye retweeted
Hexacon (@hexacon_fr)
📢 Arise from the Wireless: Breaking the Security Barrier in Wi-Fi by @xiaobye_tw
Xiaobye retweeted
0xor0ne (@0xor0ne)
Great free book introducing cryptography concepts and algorithms in an accessible way. Credits Svetlin Nakov (@svetlinnakov) "Practical Cryptography for Developers Book" cryptobook.nakov.com #cryptography
Xiaobye retweeted
Jason D. Clinton 🔸 (@JasonDClinton)
Fully automated vulnerability research is changing the cybersecurity landscape
Claude 3 Opus is capable of reading source code and identifying complex security vulnerabilities used by APTs. But scaling is still a challenge. Demo: claude.ai/share/ddc7ff37…
This is beginner-level prompt engineering: I just simply asked the model to role-play a cyberdefense assistant and to look for a class of vulnerability. And yet, even with this trivial prompting, Claude was able to identify the vulnerability which was unveiled in googleprojectzero.blogspot.com/2023/09/analyz… a month after our training data cutoff:
Code defect scanning is not new, but this technique points the way to a more nuanced, complete analysis—especially with very large, 1M token context windows. This is part of a larger story: there are now two different ways that vulnerability discovery is being automated by defenders.
1) Defenders can wire up LLMs to cluster fuzzers
Starting with last generation’s models, Google pioneered this work here: security.googleblog.com/2023/08/ai-pow… . This has now been implemented by a number of players on the defenders’ side since last year. The technique is to have LLMs write the test harnesses and triage the results. This has, reportedly, increased the fuzzer signal-to-noise ratio by 20x, depending on the technique and software. Google has new research in this area posted recently.
2) Defenders can ask models to analyze code using large context windows
The next-level prompt is to take large amounts of related code, and iterate through each class of coding vulnerability requesting that the output be produced pointing to a line of code in JSON format. Currently, with frontier models like Claude 3, doing this for every file in a codebase as large as the Linux kernel could get pricey. But, for those with the time, there are vulnerabilities to find via this method. And the price will, of course, go down over time as compute gets more accessible.
We measure these capabilities as a part of our Responsible Scaling Policy evals. We don't see very advanced capabilities today, but capabilities are jumpy. We could see that coming very soon and what we don't know is how offense/defense dominant this will be. But I think, right now, these tools are going to be super useful/important for mostly defending current systems. We are building advanced cyber reasoning evals and looking at this closely—come collaborate with us! I am proud that we’re also partnering with @DARPA to support #AIxCC, a first-of-its-kind competition challenging the masses to identify new ways to shift the #AI cybersecurity offense-defense balance in the defender’s favor. Fully automated vulnerability discovery is here and it will only become more available. I believe that—in the future—the availability of patches to fix vulnerabilities from these methods will be coming out daily. Defenders should prepare to patch their environments on a rolling basis.