I've made my 5th yearly Top1 on MSRC leader board, glad that I'm still able to push myself forward as an independent security researcher and achieved #1 in both Windows and Azure research areas with a record high score. Congrats to all researchers on the leader board this year.
The Microsoft Researcher Recognition Program offers public thanks and recognition to security researchers who help protect our customers by discovering and sharing security vulnerabilities under Coordinated Vulnerability Disclosure.
Today, we are excited to recognize this year’s
I have 16 bugs fixed in Microsoft's June security update, some are RCE, some are LPE, but this one is a little bit different, it's a buffer overflow in RPC marshalling for both RCE and LPE:
What will happen if you can trigger arbitrary callback during a JavaScript garbage collection? Story about how I abuse a VBScript feature to trigger such callback in JavaScript engine, mess up the JS world and pop calculator:
Made #1 this year :) Thanks to @msftsecresponse and the bounty team. Congrats to all researchers on the list. I personally know some researchers who reported nice bugs but are not on the list this year, hat tip to their great work too.
Feel lucky and super excited to be #1 on this year’s MSRC most valuable security researcher list. Thanks to @mj0011sec and congrats to all guys on the list from @360 Vulcan Team. Thanks to all MSRC guys for their kind help! @msftsecurity @JarekMsft @SylvieMSFT
Sad but this is the average quality of MS security engineering/analysis team nowadays. As a bug hunter who worked with them for 10+ years, I'm always wondering what happened inside the department that could cause the quality to drop so much in just a few years?
microsoft: Exploit Code Unproven
me: i literally gave you a compiled PoC and also exploit code
m$: No exploit code is available, or an exploit is theoretical.
me:
Open a report for CVE-2020-1021, an arbitrary file delete vulnerability in Windows Error Reporting service, which can be exploited by exhausting the disk space:
Excited to be #1 this quarter. The first MSRC leaderboard since I became an independent security researcher and it seems to be a good start. Thanks to everyone in MSRC & bounty team for helping as always :-)
Congratulations to all the researchers recognized in this quarter’s MSRC 2024 Q1 Security Researcher Leaderboard! 🎉 Thank you to everyone for your hard work and continued partnership to secure customers.
Learn more in our blog post:
We also want to
Will discuss some examples/experiences/tips for looking for pre-auth RCE bugs in Windows components and reporting them to WIP bug bounty program. See you at #TheSAS2024
A favorite APT tool and an expensive bug bounty item: pre-auth RCE in Windows components. How do you find and report them? Join the #TheSAS2024 talk by Yuki Chen (@guhe120), the MSRC Most Valuable Security Researcher and winner of Pwnie and Tianfu Cup, to tap into their practical
Be careful about those CVE-2022-26809 PoCs online, especially when they try to sell it to you. Actually I think a PoC is not important for defense purpose, apply the patch, do not expose your RPC ports (not only for this bug but a basic security baseline), that would be enough.
Very excited to get my 3rd yearly #1, thanks for all the kind help from @msftsecresponse and MSFT bounty team, congrats to all the MVR researchers especially our @KunlunLab guys :-) for their awesome research and bugs!
Congratulations to our MSRC 2022 Most Valuable Researchers! Thank you to all the researchers who have helped secure our customers. Check out our blog for the full list: #cybersecurity #securityresearch
Congratulations to all the researchers recognized in this quarter’s MSRC 2022 Q2 Security Researcher Leaderboard! For more information, check out our blog post: #cybersecurity #securityresearch #msrc
Finished the pre-recording of my incoming BH session next month, check the session if you are interested in bugs in Windows remote protocols | bug bounty
After the ITW VBScript 0day CVE-2018-8174 caught by 360 Core Security department was patched, we found "new" (if not a patch bypass) exploitable 0days after analyzing the patch, read the story:
Very excited that I achieved yearly top1 for a continuous 3 years (4 in total), definitely a milestone in my bug hunting journey. Congrats to all researchers on the list, and thanks to @msftsecresponse and MS bounty team for their continuous help.
Congratulations to our MSRC 2023 Most Valuable Researchers! Thank you to all the researchers who have helped secure our customers. 👏🎉 Check out our blog for the full list:
Today Microsoft patched CVE-2022-30136 reported by me, a pretty nice pre-auth heap oob write bug in NFS v4.1. It's also interesting because every normal NFS 4.1 request triggers this vulnerability, yet it's not noticed so far because of the internal heap management in NFS
Got 13 CVEs this month, among which the NFS and PPTP bugs are pre-auth RCE. I'm just curious about whether windows NFS and windows VPN are used in real world, any idea?
Congratulations to all the researchers recognized in this quarter’s MSRC 2023 Q2 Security Researcher Leaderboard! For more information, check out our blog post: #cybersecurity #securityresearch #msrc
The latest blog from the Trend Micro Research Team looks at CVE-2022-26937: a Microsoft Windows NFS NLM Portmap stack buffer overflow that could lead to RCE. They provide root cause, source code walkthrough, and detection guidance.
This edge array segment uaf problem caused by inline head segment was first exploited in Pwn2Own 2017, experienced several incomplete patches, and could still achieve reliable RCE at the time of Pwn2Own 2018. Let's check it when Pwn2Own 2019...
I canceled my bh session today due to the COVID pandemic after checking the possibility of being able to attend the live event in Vegas. Just got tired with the feeling of giving a talk online, hope we can win the battle with the COVID sooner. Really sorry for the inconvenience.
Congratulations to all the researchers recognized in this quarter’s MSRC 2021 Q2 Security Researcher Leaderboard! For a full list of top researchers, check out our blog post:
I will be presenting at CodeBlue this year to go through all the major windows script engines (vb, jscript, jscript9, chakracore) with more interesting bugs like : , welcome to join & discuss if you are interested :)
CODE BLUE 2019 all speaker list has been announced!! Financial, insurance, supply chain, cybercrime, and other diverse lineup. The lecture summary will be published on the web. #codeblue_jp
Hat tip to the researcher who reported such a huge impact bug with good faith to the vendor instead of leveraging it to do evil things, to me it seems unfair to reject bounty and blame the researcher
It's been a while since the last tweet and I really don't like to debate publicly, but after 6yrs hunting on MSRC, I finally got really messed up by their rules. They refused to pay bounty for a critical EoP issue and said I accessed the customer/PROD data. Well, it's hard to
CVE-2022-21972: Windows Server VPN - remote kernel use after free vulnerability, by @i4mchr00t. This one has RCE potential. Patch just released on Patch Tuesday. Apply it now.
A wormable vulnerability (CVE-2021-34494) is mentioned by @thezdi. However MSRC wrote privileges required as low with "basic user capabilities". Any hint @guhe120?
That huge vendor's bug bounty program just makes me feel like a beggar. You responsibly report vulns (with RCE poc) to them, wait until they are fixed. Then you have to ask for the bounty by sending emails to them again and again and most of the time your queries are ignored.
Nice writeup by ZDI for another NFS bug I reported, also the well-known bug bounty hunting tip: always check the new standard. NFS 4 is totally different from NFS 2/3, which means new code and possibly new bugs :-)
Following up from last month, the Trend Micro Research Team returns with details about CVE-2022-30136 - another remote, unauthenticated RCE (at SYSTEM) in #NFS. They cover the root cause and offer detection guidance. Read all the details at
Seems my TianFu-Cup Edge EoP bug is fixed this month: , it allows launching an Internet Explorer from Edge browser, inspired by @mj0011sec back in year 2016
But this was the most challenging quarter due to the difficulty in cooperating with MS security, with so many incorrect assessments/dups/excuses. I really suggest MSRC leaders to hear some voice DIRECTLY (not questionnaires via email) from the top researchers on the leader board.
Glad to make #1 this quarter, a record high score in a single quarter, and both #1 in Windows and Azure category, thanks to MSRC and bounty team for helping as always
Congratulations Yuki @guhe120, Wei @XiaoWei___, & Victor @vv474172261 for securing the top 3 positions on the MSRC Q4 Security Researcher Leaderboard. Your hard work and dedication to protecting customers is truly commendable. Keep up the great work! 🏆🎉🚀
The detail of the EOS asset multiplication overflow bug we found, the most interesting part of the bug is that the overflow check is optimized out by compiler:
* Adobe PDF Engine into Edge=> Now here!!!
* Large amount of pdf bugs submitted to edge bug bounty
* Out of bounty money
* We are glad to inform you that Microsoft is actively working on large scale fixes, before that PDF bugs will be out of scope
* Switch back to ???
Congratulations to our 2020 MSRC Most Valuable Security Researchers! We are thrilled to see so many researchers contributing to the security of millions of customers and the broader ecosystem. Check out our blog for the full list: #ResearcherRecognition
(1) We developed a mitigation which kills the exploit tech in your report (2) It is not released yet so you have no way to access a build for testing (3) Please provide a poc which bypasses this mitigation, otherwise we will close your case
This seems to be the CLFS extendMetadataBlock double free vulnerability I reported, but my bug is fixed in the same month with a different CVE number, not CVE-2021-3695... 😂
While personally I think this is too extreme, I still believe that the high-level guys in MSRC should hear more from external researchers because there are indeed many problems in their whole process these days.
The day when they told me my 0 day reports are "duplicated" with my already fixed ones because they look similar... Seems the guys are so eager to merge cases that they don't even want to waste time testing them on a full patched system first.
If you remembered "Preauth attack scenario" instead of "Windows remote access service" after reading the slides, you've probably got what I really want to share in this talk, and wish everyone can get your own big bounty :-)
Seems Microsoft's March security update fixed my bug reports in vbscript, jscript, jscript9 and chakracore, had a really long journey playing with MS's script engines 😂
Congrats to everyone who placed on the MSRC Security Researcher Leaderboard for Q1 2020! Check out our blog post for the full list of top researchers for this past quarter:
To me, the exploitability and CVSS scores for these bugs are quite confusing, so I recommend reading the description of a previous bug found by MS's own engineer: . Same attack vector.
Congratulations to all the researchers recognized in this quarter’s MSRC 2023 Q3 Security Researcher Leaderboard! For more information, check out our blog post: #cybersecurity #securityresearch #bugbounty
The security advisory for this vulnerability seems incorrect. This is a pre-auth RCE in Microsoft DHCP server, no authentication required. Will Microsoft correct this advisory please? @msftsecresponse
Microsoft flagged my vulnerability as Post Auth instead of Pre Auth, I don't understand the relationship between simply sending a specially crafted DHCP packet and RPC that must be authenticated
Congratulations to all the researchers recognized in this quarter's MSRC 2023 Q1 Security Researcher Leaderboard! 🏆🎉👏 Thank you for your partnership with MSRC. 🫶 Stop by our blog to learn more ➡️ #msrc #bugbounty #cybersecurity
@msftsecresponse Fixing the ITW IE 0day in one month is too quick and totally unworthy. You must not have checked with your bounty review guys, if you checked with them they would tell you not to worry about those least priority sh**ty bugs that can be triggered remotely by default.
XSS to OAuth access token leak in office online which can be used to account takeover
Includes strict CSP bypass, postMessage origin spoof, how MSRC handles reports!
I'm sharing this because MSRC considered this as (Low Quality Report) and awarded $500
Happy to finally publish my research of finding a 0-click RCE vulnerability chain against Outlook client.
First blogpost goes into details of bypassing Outlook's CVE-2023-23397 mitigation using Windows paths tricks.
The second one goes into audio codec decoding.
My first pre-auth use after free RCE vulnerability with a CVSS score of 9.8 and potential exploitability has been patched by MSRC, but the mitigation provided in the advisory is incorrect🙃. I'm trying to address this with them.
In no joking:), I discovered like 17 RCE bugs all in a SINGLE attack surface in Windows, which proved one point I've been talking about for a while. Thread.
This is a good example of the incorrect security decision based on the assumption that "legacy component is less secure than modern component". I have 100% confidence to say that nowadays it is much harder to find an exploitable vulnerability in jscript than in jscript9
We look forward to your feedback on the draft of the Security baseline for Office 365 ProPlus (v2103, March 2021). People may find the JScript mitigation especially interesting -
We uncovered an IE 0day vulnerability embedded in malicious MS Office document, targeting limited users by a known APT actor. Details reported to MSRC @msftsecresponse