elttam - Security Assessment Services

ORM Leaking More Than You Joined For

elttam - Alex Brown — Thu, 18 Dec 2025 06:00:00 -0600

A follow-up article in our ORM Leaks series covering newly susceptible ORMs, techniques for bypassing ORM Leak protections, and demonstrating how ORM Leaks can exist in any web application that uses one.

Gotchas in Email Parsing - Lessons From Jakarta Mail

elttam - Jia Hao Poh — Mon, 17 Nov 2025 18:00:00 -0600

This writeup goes through the various primitives in Jakarta Mail that could lead to high impact bugs if developers are unaware of the library's quirks. Primitives discussed here here can be applied to other mail parsing libraries.

New Method to Leverage Unsafe Reflection and Deserialisation to RCE on Rails

elttam - Alex Brown — Tue, 04 Mar 2025 18:00:00 -0600

This blog article documents a new unsafe reflection gadget in the sqlite3 gem, that can also be used in a deserialisation gadget chain to achieve RCE and is installed by default in new Rails applications.

A Monocle on Chronicles

elttam - Matt — Wed, 02 Oct 2024 19:00:00 -0500

This post provides an overview of Talkback Chronicles for viewing snapshots of trending infosec resources for points in time, and also how to subscribe to a new weekly Newsletter feature.

DUCTF 2024 ESPecially Secure Boot Writeup

elttam - daniel — Thu, 01 Aug 2024 19:00:00 -0500

This blog post covers a DUCTF 2024 pwn challenge called "ESPecially Secure Boot", which required writing an exploit for CVE-2018-18558.

plORMbing your Prisma ORM with Time-based Attacks

elttam - Alex Brown — Mon, 08 Jul 2024 19:00:00 -0500

Part two of our ORM Leak series about attacking the Prisma ORM and leaking sensitive data in a time-based attack.

plORMbing your Django ORM

elttam - Alex Brown — Sun, 23 Jun 2024 19:00:00 -0500

This blog article explains what are ORM Leak vulnerabilities, how they could be exploited to access sensitive information with the Django ORM.

Keeping up with the Pwnses

elttam - Matt, Seb — Tue, 09 Jan 2024 18:00:00 -0600

This post provides an overview of Talkback, a smart infosec resource aggregator. The post details how the system works, steps through some of its key features, and also presents how to use the UI and GraphQL API.

Exploring the STSAFE-A110

elttam - Zoltan Madarassy — Tue, 03 Oct 2023 19:00:00 -0500

Using a sample application, this blog post gives a walkthrough of the I2C communication between the STSAFE-A110 secure element and a host MCU. A tool is released to aid in understanding the I2C flow using a logic analyser.

RE of LR3

elttam - Victor Kahan — Wed, 06 Sep 2023 07:00:00 -0500

This blog post provides a walk-through of ESP32 firmware extraction and analysis to understand the technical implementation of the Litter Robot 3.

Abusing Amazon VPC CNI plugin for Kubernetes

elttam - berne — Mon, 17 Jul 2023 05:00:00 -0500

This blog post covers exploring the Amazon VPC CNI plugin for Kubernetes, and how it can be abused to manipulate networking to expose access to other resources, including in other VPCs.

PwnAssistant - Controlling /home's via a Home Assistant RCE

elttam - elttam — Tue, 09 May 2023 19:00:00 -0500

This blog post provides a summary of the Home Assistant architecture, attack surface, and our approach auditing pre-authentication components. This post summarises and links to a few published advisories, including a Critical pre-authentication vulnerability.

Cracking the Odd Case of Randomness in Java

elttam - joseph — Thu, 09 Feb 2023 18:00:00 -0600

This blog post details a technique for breaking Apache Commons Lang's RandomStringUtils and Java's random.nextInt(bound) when the bound is odd. A tool is released which demonstrates the practicality of the attack.

Golang code review notes

elttam - Zoltan Madarassy — Thu, 30 Jun 2022 07:00:00 -0500

This blog post is aimed to help people performing security code reviews on Golang code bases to identify dangerous code patterns.

ESP-IDF setup guide

elttam - Daniel Hodson — Mon, 06 Jun 2022 07:00:00 -0500

This post is for vulnerability researchers looking at the ESP32 and would like a quick setup guide.

Tuya IoT and EZ Mode Pairing

elttam - Mykel Pritchard — Wed, 09 Dec 2020 06:00:00 -0600

This blog post aims to highlight how EZ mode pairing implemented by Mirabella Genio and other Tuya Cloud IoT devices broadcast your WiFi credentials to the neighbourhood.

Attacks on GCM with Repeated Nonces

elttam - Sebastien Macke — Fri, 25 Sep 2020 07:00:00 -0500

This blog post illustrates the security consequences of nonce-reuse in AES-GCM with a Proof of Concept exploit on a vulnerable demo application

Simple Bugs With Complex Exploits

elttam - Faraz — Thu, 03 Sep 2020 10:30:00 -0500

This blog post details a root cause analysis for Project Zero Issue 2046 found by Sergey Glazunov.

Lua SUID Shells

elttam - Brendan Scarvell — Thu, 09 Jul 2020 12:30:00 -0500

This blog post explores how privileged Lua scripts can pop shells without dropping privileges.

Hacking with Environment Variables

elttam - Luke Jahnke — Wed, 24 Jun 2020 07:00:00 -0500

A look into how scripting language interpreters can execute arbitrary commands when supplied with malicious environment variables.

Are you winning if you're pinning?

elttam - Mykel Pritchard — Thu, 24 Jan 2019 06:00:00 -0600

This blog post takes a brief look at TLS and certificate pinning, the problem of trust in Certificate Authorities that pinning attempts to address, and discusses whether the lack of certificate pinning in a mobile application constitutes a vulnerability.

Ruby 2.x Universal RCE Deserialization Gadget Chain

elttam - Luke Jahnke — Thu, 08 Nov 2018 06:00:00 -0600

This blog post details exploitation of arbitrary deserialization for the Ruby programming language and releases the first public universal gadget chain to achieve arbitrary command execution for Ruby 2.x.

Fuze Multi-Card Technology Security Review

elttam - Mykel Pritchard — Tue, 24 Apr 2018 07:00:00 -0500

Reviewing the security of the Fuze card device revealed no trust boundary between the card and the connecting device, which allowed complete access to the Fuze card's settings and stored credit-card information.

Remote LD_PRELOAD Exploitation

elttam - dan — Mon, 18 Dec 2017 06:00:00 -0600

Analysing a vulnerability in all versions of the GoAhead web server < 3.6.5 that allowed for reliable remote code execution via LD_PRELOAD injection.

Building Hardened Docker Images from Scratch with Kubler

elttam - berne — Thu, 16 Nov 2017 06:00:00 -0600

How to use Kubler to build hardened, minimalistic, Docker Images from scratch for better security

Intro to SDR and RF Signal Analysis

elttam - Mykel Pritchard — Thu, 15 Jun 2017 07:00:00 -0500

We take a brief look into Radio Frequency (RF) theory, Software Defined Radio (SDR), and visual analysis of various RF signal characteristics. We discover a good methodology for reversing RF signals, along with some simple analysis of some common RF remote devices that might be found around the home.

Playing with canaries

elttam - hugsy — Tue, 24 Jan 2017 06:00:00 -0600

Analysis of compiler stack canaries and their implementation across various architectures.

EFF secure messaging scorecard review

elttam - mattdan — Thu, 11 Aug 2016 07:00:00 -0500

We decided to audit libotr to gauge its general maturity. This post shares some of our work from the audit, and also some recommendations for software security relevant to the EFF Secure IM Scorecard work.

Vuln research on the WAG54G home router

elttam - daniel — Thu, 02 Jun 2016 00:00:00 -0500

Journey of hunting for bugs in the WAG54G routers http daemon. The end goal of this research is to find a way to remotely flash C&C firmware (pre-auth), while learning a thing or two along the way... hey, we'd never actually touched MIPS assembly before this!

A review of the EFF secure messaging scorecard...

elttam - mattdan — Wed, 03 Feb 2016 06:00:00 -0600

First part in a series of reviews against IM clients promoted by the EFF secure messaging scorecard, drawing from real examples to demonstrate the dependency between privacy and security. Findings have been patched in the latest release of RetroShare.

Gaining console access to the WAG54G home router

elttam - daniel — Wed, 16 Dec 2015 00:00:00 -0600

Illustrated guide on identifying and interfacing with the serial pinout exposed on the Linksys WAG54G home router, useful for debugging and exploit dev.

Why I recommend Chrome to family...

elttam - matt — Tue, 08 Sep 2015 07:00:00 -0500

An analysis of the browser threat landscape and reasoning about browser security for the family user.