Yuki Chen Profile
Yuki Chen

@guhe120

9,756 Followers · 281 Following · 10 Media · 360 Statuses

古河, Independent security researcher, Bug bounty, ACG Otaku, Pwn2Own 15/16/17, PwnFest16, TianfuCup 18/19/20, 5 times MSRC MVR yearly Top 1. Got two pwnie awards.

Joined September 2013
Pinned Tweet
@guhe120
Yuki Chen
3 months
I've made my 5th yearly Top1 on MSRC leader board, glad that I'm still able to push myself forward as an independent security researcher and achieved #1 in both Windows and Azure research area with a record high score. Congrats to all researchers on the leader board this year.
@msftsecresponse
Security Response
3 months
The Microsoft Researcher Recognition Program offers public thanks and recognition to security researchers who help protect our customers by discovering and sharing security vulnerabilities under Coordinated Vulnerability Disclosure. Today, we are excited to recognize this year’s
@guhe120
Yuki Chen
4 years
I have 16 bugs fixed in Microsoft's June security update, some are RCE, some are LPE, but this one is a little bit different, it's a buffer overflow in RPC marshalling for both RCE and LPE:
@guhe120
Yuki Chen
7 years
Our pacsec 2017 slides <<From Out of Memory to Remote Code Execution>>
@guhe120
Yuki Chen
1 year
Slides of my blackhat talk are now online:
@guhe120
Yuki Chen
3 years
This month I got my first (to twenty-five) bug credit for Kunlun Lab, mostly RCE bugs in DNS Server, SMB, LDAP, RPC, and NFS Server
@guhe120
Yuki Chen
5 years
What will happen if you can trigger arbitrary callback during a JavaScript garbage collection? Story about how I abuse a VBScript feature to trigger such callback in JavaScript engine, mess up the JS world and pop calculator:
@guhe120
Yuki Chen
3 years
Made #1 this year :) Thanks to @msftsecresponse and the bounty team. Congrats to all researchers on the list. I personally know some researchers who reported nice bugs but are not on the list this year, hat tip to their great work too.
@guhe120
Yuki Chen
6 years
A pretty lucky quarter for a bug hunter. Lovely bugs, working exploits, and $197.5K bug bounty😃 Thanks to @EOS_io @msftsecresponse @Hacker0x01
@guhe120
Yuki Chen
5 years
Feel lucky and super excited to be #1 on this year’s MSRC most valuable security researcher list. Thanks to @mj0011sec and congrats to all guys on the list from @360 Vulcan Team. Thanks to all MSRC guys for their kindly help! @msftsecurity @JarekMsft @SylvieMSFT
@guhe120
Yuki Chen
5 months
Sad but this is the average quality of MS security engineering/analysis team nowadays. As a bug hunter who worked with them for 10+ years, I'm always wondering what happened inside the department that could cause the quality to drop so much in just a few years?
@chompie1337
chompie
5 months
microsoft: Exploit Code Unproven
me: i literally gave you a compiled PoC and also exploit code
m$: No exploit code is available, or an exploit is theoretical.
me:
@guhe120
Yuki Chen
4 years
Found quite a few bugs this quarter
@guhe120
Yuki Chen
6 years
Google Chrome pdfium shading drawing integer overflow leading to RCE, from 360 Vulcan Team: , @bee13oy
@guhe120
Yuki Chen
4 years
Open a report for CVE-2020-1021, an arbitrary file delete vulnerability in Windows Error Reporting service, which can be exploited by exhausting the disk space:
@guhe120
Yuki Chen
7 months
Excited to be #1 this quarter. The first MSRC leaderboard since I became an independent security researcher, and it seems to be a good start. Thanks to everyone in MSRC & bounty team for helping as always :-)
@msftsecresponse
Security Response
7 months
Congratulations to all the researchers recognized in this quarter’s MSRC 2024 Q1 Security Researcher Leaderboard! 🎉 Thank you to everyone for your hard work and continued partnership to secure customers. Learn more in our blog post: We also want to
@guhe120
Yuki Chen
4 years
10 of my remote code execution bugs in rpcrt4 fixed this month :)
@guhe120
Yuki Chen
2 months
Will discuss some examples/experiences/tips for looking for pre-auth RCE bugs in Windows components and reporting them to WIP bug bounty program. See you at #TheSAS2024
@TheSAScon
TheSAS2024
2 months
A favorite APT tool and an expensive bug bounty item: pre-auth RCE in Windows components. How do you find and report them? Join the #TheSAS2024 talk by Yuki Chen ( @guhe120 ), the MSRC Most Valuable Security Researcher and winner of Pwnie and Tianfu Cup, to tap into their practical
@guhe120
Yuki Chen
3 years
Be careful about those CVE-2022-26809 PoCs online, especially when they try to sell it to you. Actually I think a PoC is not important for defense purpose, apply the patch, do not expose your RPC ports (not only for this bug but a basic security baseline), that would be enough.
@guhe120
Yuki Chen
2 years
Very excited to get my 3rd yearly #1, thanks for all the kind help from @msftsecresponse and MSFT bounty team, congrats to all the MVR researchers especially our @KunlunLab guys :-) for their awesome researching and bugs!
@msftsecresponse
Security Response
2 years
Congratulations to our MSRC 2022 Most Valuable Researchers! Thank you to all the researchers who have helped secure our customers. Check out our blog for the full list: #cybersecurity #securityresearch
@guhe120
Yuki Chen
2 years
Excited to be #1 this quarter, got some pre-auth rce bugs, thanks for all the help from @msftsecresponse and bounty team!
@msftsecresponse
Security Response
2 years
Congratulations to all the researchers recognized in this quarter’s MSRC 2022 Q2 Security Researcher Leaderboard! For more information, check out our blog post: #cybersecurity #securityresearch #msrc
@guhe120
Yuki Chen
1 year
Finished the pre-recording of my incoming BH session next month, check the session if you are interested in bugs in Windows remote protocols | bug bounty
@guhe120
Yuki Chen
6 years
After the ITW VBScript 0day CVE-2018-8174 caught by 360 Core Security department was patched, we found "new" (if not a patch bypass) exploitable 0days after analyzing the patch, read the story:
@guhe120
Yuki Chen
6 years
Microsoft Edge Chakra OP_NewScObjArray Type Confusion Bug & Full Poc Exploit by bo13oy of Qihoo 360 Vulcan Team:
@guhe120
Yuki Chen
1 year
Very excited that I achieved yearly top1 for a continuous 3 years (4 in total), definitely a milestone in my bug hunting journey. Congrats to all researchers on the list, and thanks to @msftsecresponse and MS bounty team for their continuous help.
@msftsecresponse
Security Response
1 year
Congratulations to our MSRC 2023 Most Valuable Researchers! Thank you to all the researchers who have helped secure our customers. 👏🎉 Check out our blog for the full list:
@guhe120
Yuki Chen
2 years
Today Microsoft patched CVE-2022-30136 reported by me, a pretty nice pre-auth heap oob write bug in NFS v4.1. It's also interesting because every normal NFS 4.1 request triggers this vulnerability, yet it's not noticed so far because of the internal heap management in NFS
@guhe120
Yuki Chen
3 years
Excited for this new journey
@KunlunLab
KunlunLab
3 years
We’re excited to announce that @guhe120 is joining our team as CTO and leader of the Kunlun lab.
@guhe120
Yuki Chen
2 years
Got 13 CVEs this month, among which the NFS and PPTP bugs are pre-auth RCE. I'm just curious about whether windows NFS and windows VPN are used in the real world, any idea?
@msftsecresponse
Security Response
2 years
Security Updates for May 2022 are now available! Details are here:
@guhe120
Yuki Chen
8 years
Our slides at HitCon2016 talking about flash exploit mitigation techniques:
@guhe120
Yuki Chen
8 years
One of our edge exploits prepared for PwnFest (but patched before the contest ): , more to come soon @mj0011sec
@guhe120
Yuki Chen
1 year
Ranked 1st this quarter, thanks to MSRC as always :)
@msftsecresponse
Security Response
1 year
Congratulations to all the researchers recognized in this quarter’s MSRC 2023 Q2 Security Researcher Leaderboard! For more information, check out our blog post: #cybersecurity #securityresearch #msrc
@guhe120
Yuki Chen
2 years
Nice writeup, one of the NFS bugs I reported this year, a classic stack buffer overflow in year 2022 :)
@thezdi
Zero Day Initiative
2 years
The latest blog from the Trend Micro Research Team looks at CVE-2022-26937: a Microsoft Windows NFS NLM Portmap stack buffer overflow that could lead to RCE. They provide root cause, source code walkthrough, and detection guidance.
@guhe120
Yuki Chen
7 years
This edge array segment uaf problem caused by inline head segment was first exploited in Pwn2Own 2017, experienced several incomplete patches, and could still achieve reliable RCE at the time of Pwn2Own 2018. Let's check it when Pwn2Own 2019...
@guhe120
Yuki Chen
3 years
We are looking for security researchers @KunlunLab, consider joining us if you are interested in finding/exploiting 0days :)
@guhe120
Yuki Chen
2 years
I canceled my bh session today due to the COVID pandemic after checking the possibility of being able to attend the live event in Vegas. Just got tired with the feeling of giving a talk online, hope we can win the battle with the COVID sooner. Really sorry for the inconvenience.
@guhe120
Yuki Chen
3 years
Lucky to be #1 this quarter :)
@msftsecresponse
Security Response
3 years
Congratulations to all the researchers recognized in this quarter’s MSRC 2021 Q2 Security Researcher Leaderboard! For a full list of top researchers, check out our blog post:
@guhe120
Yuki Chen
5 years
I will be presenting at CodeBlue this year to go through all the major windows script engines (vb, jscript, jscript9, chakracore) with more interesting bugs like : , welcome to join & discuss if you are interested :)
@codeblue_jp
CODE BLUE
5 years
CODE BLUE 2019 all speaker list has been announced!! Financial, insurance, supply chain, cybercrime, and other diverse lineup. The lecture summary will be published on the web. #codeblue_jp
@guhe120
Yuki Chen
3 years
Found a heap overflow vulnerability in a function whose name starts with "Overflow", a feeling of fate
@guhe120
Yuki Chen
2 years
Cool PoC :)
@w3bd3vil
Omair 🇵🇸
2 years
From what was available online, a rough PoC for Windows NFS vulnerability (CVE-2022-26937).
@guhe120
Yuki Chen
7 months
Hat tip to the researcher who reported such a huge impact bug with good faith to the vendor instead of leveraging it to do evil things, to me it seems unfair to reject bounty and blame the researcher
@bearergo
Terry Zhang
7 months
It's been a while since the last tweet and I really don't like to debate publicly, but after 6yrs hunting on MSRC, I finally got really messed up by their rules. They refused to pay bounty for a critical EoP issue and said I accessed the customer/PROD data. Well, it's hard to
@guhe120
Yuki Chen
2 years
Nice writeup, I also found and reported this bug
@Nettitude_Labs
Nettitude Labs
2 years
CVE-2022-21972: Windows Server VPN - remote kernel use after free vulnerability, by @i4mchr00t . This one has RCE potential. Patch just released on Patch Tuesday. Apply it now.
@guhe120
Yuki Chen
7 years
Study on CVE-2018-5146 FireFox bug, how to construct the poc exploit, etc.
@4shitak4
Ashitaka
7 years
My writeup for CVE-2018-5146
@guhe120
Yuki Chen
3 years
These DNS bugs require dynamic update so you can read this excellent mcafee blog for the attack scenario:
@S1D_
SiD
3 years
A wormable vulnerability (CVE-2021-34494) is mentioned by @thezdi . However MSRC wrote privileges required as low with "basic user capabilities". Any hint @guhe120 ?
@guhe120
Yuki Chen
6 years
😃
@willwayy0
Ian Lee
6 years
Who we are. Zhiniang Feng and Yuki Chen ( @guhe120 )
@guhe120
Yuki Chen
6 years
That huge vendor's bug bounty program just makes me feel like a beggar. You responsibly report vulns (with RCE poc) to them, wait until they are fixed. Then you have to ask for the bounty by sending emails to them again and again and most of the time your queries are ignored.
@guhe120
Yuki Chen
2 years
Nice writeup by ZDI for another NFS bug I reported, also the well-known bug bounty hunting tip: always check the new standard. NFS 4 is totally different from NFS 2/3, which means new code and possibly new bugs :-)
@thezdi
Zero Day Initiative
2 years
Following up from last month, the Trend Micro Research Team returns with details about CVE-2022-30136 - another remote, unauthenticated RCE (at SYSTEM) in #NFS . They cover the root cause and offer detection guidance. Read all the details at
@guhe120
Yuki Chen
2 years
Nice PoC for one of my IKE bugs fixed this month😀
@78_lab
78ResearchLab
2 years
Our researchers wrote a PoC code for Windows IKE Patch today! The analysis report will be posted soon!
@guhe120
Yuki Chen
4 years
Seems my TianFu-Cup Edge EoP bug is fixed this month: , it allows launching an Internet Explorer from Edge browser, inspired by @mj0011sec back in 2016
@guhe120
Yuki Chen
3 months
Achieved #1 this quarter, thanks!
@msftsecresponse
Security Response
3 months
Shoutout to the top 10 researchers in the leaderboard on X:
🥇 Yuki @guhe120
🥈 Lewis & Ver & Zhiniang ( @edwardzpeng , @Ver0759 , @LewisLee53 )
🥉 Wei @XiaoWei___
Nitesh @_niteshsurana
Sathish @SathishOFC
@scwuaptx
Felix
Dhiral @dhiralpatel94
@guhe120
Yuki Chen
3 months
But this was the most challenging quarter due to the difficulty in cooperating with MS security, with so many incorrect assessments/dups/excuses. I really suggest MSRC leaders to hear some voice DIRECTLY (not questionnaires via email) from the top researchers on the leader board.
@guhe120
Yuki Chen
3 months
Achieved #1 this quarter, thanks!
@guhe120
Yuki Chen
9 months
Glad to make #1 this quarter, a record high score in a single quarter, and both #1 in Windows and Azure category, thanks to MSRC and bounty team for helping as always
@msftsecresponse
Security Response
9 months
Congratulations Yuki @guhe120 , Wei @XiaoWei___ , & Victor @vv474172261 for securing the top 3 positions on the MSRC Q4 Security Researcher Leaderboard. Your hard work and dedication to protecting customers is truly commendable. Keep up the great work! 🏆🎉🚀
@guhe120
Yuki Chen
6 years
The detail of the EOS asset multiplication overflow bug we found, the most interesting part of the bug is that the overflow check is optimized out by compiler:
@guhe120
Yuki Chen
5 years
So excited to have Steven to join 360 Vulcan Team. Definitely the team will have more fun with him :)
@steventseeley
ϻг_ϻε
5 years
I’m excited to say, today is my first day at Qihoo’s 360 Vulcan Team!🖖🏻 looking forward to the pwns :-))
@guhe120
Yuki Chen
2 years
* Adobe PDF Engine into Edge => Now here!!!
* Large amount of pdf bugs submitted to edge bug bounty
* Out of bounty money
* We are glad to inform you that Microsoft is actively working on large scale fixes, before that PDF bugs will be out of scope
* Switch back to ???
@BleepinComputer
BleepingComputer
2 years
Microsoft Edge will switch to Adobe Acrobat’s PDF rendering engine - @LawrenceAbrams
@guhe120
Yuki Chen
5 months
Reported a bug - fixed. Then bypassed the patch with exactly the same scenario - won't fix. Yet another peace day with MS security engineering team😂
@guhe120
Yuki Chen
4 years
B1aN of Qihoo 360 Vulcan team blogs a windows kernel bug he used to escape from the Firefox sandbox at Tianfu Cup 2020
@n_b1a
B1aN
4 years
@guhe120
Yuki Chen
4 years
Congrats to all researchers on the list this year. This time TOP 3 are all 360 security researchers, amazing work!
@msftsecresponse
Security Response
4 years
Congratulations to our 2020 MSRC Most Valuable Security Researchers! We are thrilled to see so many researchers contributing to the security of millions of customers and the broader ecosystem. Check out our blog for the full list: #ResearcherRecognition
@guhe120
Yuki Chen
8 years
So adobe added memory protector to flash player to mitigate uaf bugs, analysis from 360 vulcan team:
@guhe120
Yuki Chen
11 months
A regular day of a bug bounty hunter: just made another out-of-scope target in MS bug bounty program
@guhe120
Yuki Chen
9 years
Angler EK CVE-2015-8446 exploit analysis by @360vulcan , thanks to @kafeine for discovering and sharing the exploit:
@guhe120
Yuki Chen
5 years
(1) We developed a mitigation which kills the exploit tech in your report
(2) It is not released yet so you have no way to access a build for testing
(3) Please provide a poc which bypasses this mitigation, otherwise we will close your case
@S0rryMybad
SorryMybad
5 years
The second question about you merge my cases. @msftsecresponse
@guhe120
Yuki Chen
6 years
They are always trying to make a "universal patch" to solve your multiple reports under a single CVE, but that often results in a "failed patch".
@guhe120
Yuki Chen
5 years
Chrome-based RCE is 10K while Chakra RCE is 15K? A little bit strange because v8 RCE is apparently harder than Chakra RCE...
@bkth_
Bruno
5 years
Glad MS is trying to fix the low bounties offered by Google :>
@guhe120
Yuki Chen
2 years
Nice catch, exploiting this bug is quite challenging
@theabysslabs
theabysslabs
2 years
How do you escape the Chrome Sandbox on Windows? Root cause analysis of TianfuCup 2021 bug!
@guhe120
Yuki Chen
8 years
Really love the flash exploit mitigation which killed one of my exps for pwn2own 2017: If an object causes too many uafs, just never free it
@guhe120
Yuki Chen
3 years
This seems to be the CLFS extendMetadataBlock double free vulnerability I reported, but my bug is fixed in the same month with a different CVE number, not CVE-2021-3695... 😂
@XI_Research
Exodus Intelligence
3 years
Exploiting a use-after-free in Windows Common Logging File System (CLFS):
@guhe120
Yuki Chen
11 months
While personally I think this is too extreme, I still believe that the high-level guys in MSRC should hear more from external researchers because there are indeed many problems in their whole process these days.
@guhe120
Yuki Chen
2 years
Excited to see @KunlunLab researchers got 2 Pwnie nominations this year, nice work :-)
@PwnieAwards
Pwnie Awards
2 years
Congrats! And thanks for grabbing snapshots of all the nominees so we can share them here as well 😅
@guhe120
Yuki Chen
5 years
The day when they told me my 0 day reports are "duplicated" with my already fixed ones because they look similar... Seems the guys are so eager to merge cases that they don't even want to waste time testing them on a fully patched system first.
@guhe120
Yuki Chen
5 months
If you remembered "Preauth attack scenario" instead of "Windows remote access service" after reading the slides, you've probably got what I really want to share in this talk, and wish everyone can get your own big bounty :-)
@3072_l
tgtg
5 months
@XiaoWei___ @guhe120 awesome, this one?
@guhe120
Yuki Chen
6 years
Seems Microsoft's March security update fixed my bug reports in vbscript, jscript, jscript9 and chakracore, had a really long journey playing with MS's script engines 😂
@guhe120
Yuki Chen
5 years
Lucky to get #2 this time, thanks to MSRC/Bounty Team
@msftsecresponse
Security Response
5 years
Congrats to everyone who placed on the MSRC Security Researcher Leaderboard for Q1 2020! Check out our blog post for the full list of top researchers for this past quarter:
@guhe120
Yuki Chen
10 years
Analysis and constructing the PoC of CVE-2015-3043 by 360 researchers: http://t.co/7WDzvBlMso
@guhe120
Yuki Chen
4 years
Thanks to this year's MSFT bounty program, got lots of help from MSRC engineers @msftsecresponse and bounty team guys @ja_wreck @SylvieInBeta , thank you all!
@ja_wreck
Jarek
4 years
$13.7 million in bounty rewards since July 2019. Thank you to all the researchers from across the globe who have helped keep our customers secure.
@guhe120
Yuki Chen
9 years
So now Adobe flash adds vector length check in the latest update, the good time for flash exploiter has gone...
@guhe120
Yuki Chen
6 years
<<All roads lead to Rome: Many ways to double spend your cryptocurrency>>:
@guhe120
Yuki Chen
11 years
My write up about CVE-2013-5842, an example of race condition vulnerabilities in JVM. http://t.co/K18OlUPzd2
@guhe120
Yuki Chen
3 years
To me, the exploitability and CVSS scores for these bugs are quite confusing, so I recommend reading the description of a previous bug found by MS's own engineer: . Same attack vector.
@guhe120
Yuki Chen
1 year
@msftsecresponse
Security Response
1 year
Congratulations to all the researchers recognized in this quarter’s MSRC 2023 Q3 Security Researcher Leaderboard! For more information, check out our blog post: #cybersecurity #securityresearch #bugbounty
@guhe120
Yuki Chen
4 years
The same situation, many cases closed without any conversation, and dirty reasons (e.g. saying your reports are low quality) to refuse to pay bounty
@guhe120
Yuki Chen
9 years
Flash now uses os heap directly for most objects in mmgc. The good thing is that we can use page heap in fuzzer to detect heap overrun now.
@guhe120
Yuki Chen
7 years
Yet another Edge OOM RCE fixed this month, can you figure out why the checkLengthVsSize added in April failed for this case?
@guhe120
Yuki Chen
7 years
Our pacsec 2017 slides <<From Out of Memory to Remote Code Execution>>
@guhe120
Yuki Chen
2 years
The security advisory for this vulnerability seems incorrect. This is a pre-auth RCE in Microsoft DHCP server, no authentication required. Will Microsoft correct this advisory please? @msftsecresponse
@YanZiShuang
晏子霜
2 years
Microsoft flagged my vulnerability as Post Auth instead of Pre Auth, I don't understand the relationship between simply sending a specially crafted DHCP packet and RPC that must be authenticated
@guhe120
Yuki Chen
2 years
Thanks to MSRC and Bounty team for helping as always :)
@msftsecresponse
Security Response
2 years
Congratulations to all the researchers recognized in this quarter's MSRC 2023 Q1 Security Researcher Leaderboard! 🏆🎉👏 Thank you for your partnership with MSRC. 🫶 Stop by our blog to learn more ➡️ #msrc #bugbounty #cybersecurity
@guhe120
Yuki Chen
4 years
@msftsecresponse Fixing the ITW IE 0day in one month is too quick and totally unworthy. You must not have checked with your bounty review guys, if you checked with them they will tell you do not worry about those least priority sh**ty bugs that can be triggered remotely by default.
@guhe120
Yuki Chen
10 months
"Low Quality Report" 😂
@RenwaX23
‌Renwa
10 months
XSS to OAuth access token leak in office online which can be used to account takeover Includes strict CSP bypass, postMessage origin spoof, how MSRC handle reports! I'm sharing this because MSRC considered this as (Low Quality Report) and awarded $500
@guhe120
Yuki Chen
3 years
An encrypting file system remote code execution bug triggerable via remote rpc is fixed in this month: , the EFS rpc was also used by PetitPotam
@guhe120
Yuki Chen
11 months
clever bypass
@nachoskrnl
Ben Barnea
11 months
Happy to finally publish my research of finding a 0-click RCE vulnerability chain against Outlook client. First blogpost goes into details of bypassing Outlook's CVE-2023-23397 mitigation using Windows paths tricks. The second one goes into audio codec decoding.
@guhe120
Yuki Chen
11 years
A detailed look into the silverlight exploit (cve-2013-0074 + cve-2013-3896) exploit found by @kafeine : http://t.co/yHuuIk94yn
@guhe120
Yuki Chen
4 years
Great bug, amazing!
@waleedassar
Walied Assar
4 years
Null-Page Allocation.
@guhe120
Yuki Chen
7 years
Actually this one is exploitable. @S0rryMybad finished the exploit before pwn2own as one of our safari backup plans.
@5aelo
Samuel Groß
7 years
Trigger for (presumably) CVE-2017-7092: var s = 'x'.repeat(0x7fffffff); (s); :)
@guhe120
Yuki Chen
4 years
👍
@S0rryMybad
SorryMybad
4 years
The REAL 0 day: Tested On Canary Version
@guhe120
Yuki Chen
3 years
So cool, another mshtml bug triggered in office web view? Does this exploit bypass protected view?
@guhe120
Yuki Chen
4 years
Congrats!
@guhe120
Yuki Chen
5 months
Congrats, surprised that MSMQ still has pre-auth RCE
@KeyZ3r0
k0shl
5 months
My first pre-auth use after free RCE vulnerability with a CVSS score of 9.8 and potential exploitability has been patched by MSRC, but the mitigation provided in the advisory is incorrect🙃. I'm trying to address this with them.
@guhe120
Yuki Chen
10 years
Isolated Heap feature in latest IE update? So MS want to kill IE UAF exploits?
@guhe120
Yuki Chen
2 years
Congrats!
@HaifeiLi
Haifei Li
2 years
In no joking:), I discovered like 17 RCE bugs all in a SINGLE attack surface in Windows, which proved one point I've been talking about for a while. Thread.
@guhe120
Yuki Chen
8 years
360 Security Team: Master of Pwn😀
@thezdi
Zero Day Initiative
8 years
#Pwn2Own 2017 has ended. See results from day 3 (spoiler: VMware escapes) & see who was crowned Master of Pwn! #P2O
@guhe120
Yuki Chen
4 years
This is a good example of the incorrect security decision based on the assumption that "legacy component is less secure than modern component". I have 100% confidence to say that nowadays it is much harder to find an exploitable vulnerability in jscript than in jscript9
@secbughunter
Tom Gallagher
4 years
We look forward to your feedback on the draft of the Security baseline for Office 365 ProPlus (v2103, March 2021). People may find the JScript mitigation especially interesting -
@guhe120
Yuki Chen
7 years
360 Security caught new 0day attack again
@360CoreSec
360 Threat Intelligence Center
7 years
We uncovered an IE 0day vulnerability that has been embedded in malicious MS Office document, targeting limited users by a known APT actor. Details reported to MSRC @msftsecresponse