Alvaro Muñoz (@pwntester) / X

Alvaro Muñoz

5,282 posts

Alvaro Muñoz

@pwntester

Security Researcher with @XBOW. CTF #int3pids. Opinions here are mine! bluesky: pwntester.bsky.social

Madrid 🇪🇸

Joined December 2008

Alvaro Muñoz
@pwntester
Dec 10, 2021
Alvaro Muñoz
@pwntester
Jun 13, 2018
Finally my best 0 day was released yesterday ☺️
Alvaro Muñoz
@pwntester
Aug 11, 2019
Whitepaper and slides for our .NET SAML bypass research is now available at @BlackHatEvents server: i.blackhat.com/USA-19/Wednesd… [WhitePaper] i.blackhat.com/USA-19/Wednesd… [Slides] github.com/pwntester/Dupe… [Burp Plugin]
Alvaro Muñoz
@pwntester
Jun 25, 2021
When time permits I will write a blog post about how I found all these vulnerabilities using CodeQL as an audit oracle. Would you read it?
Alvaro Muñoz
@pwntester
Apr 21, 2019
Two new tools using ysoserial.net and implementing the technique I presented last year for generating RCE viewstates (speakerdeck.com/pwntester/dot-…) were released today (1/2)👇🏼
GitHub - pwntester/ysoserial: A proof-of-concept tool for generating payloads that exploit unsafe...
From github.com
Alvaro Muñoz
@pwntester
Sep 23, 2017
Releasing `ysoserial.net`, a deserialization payload generator for a variety of .NET serializers: github.com/pwntester/ysos…
GitHub - pwntester/ysoserial: A proof-of-concept tool for generating payloads that exploit unsafe...
From github.com
Alvaro Muñoz
@pwntester
Dec 16, 2021
CVE-2021-45046 is vulnerable when attackers can control **non-message** parts of the pattern layout. Here are some examples 🧵
Alvaro Muñoz
@pwntester
Dec 10, 2021
This Log4J RCE is HUUGE you should patch ASAP! if you want to understand more about the internals make sure to check our 2016 presentation (blackhat.com/docs/us-16/mat… and blackhat.com/docs/us-16/mat…) and @artsploit follow up research (veracode.com/blog/research/…)
Alvaro Muñoz
@pwntester
Feb 19, 2021
#CodeQL was also used by @NASAJPL to find critical bugs on Curiosity mission 9 years ago and they were fixed remotely!
Nat Friedman
@natfriedman
Feb 19, 2021
Honored that @NASA is using GitHub, Actions, and CodeQL for the Mars drone flight software: github.com/nasa/fprime If anyone working on this needs GitHub support, please feel free to DM me directly!
Alvaro Muñoz
@pwntester
Dec 16, 2021
🚨@_atorralba and I just managed to bypass the allowedLdapHost and allowedClasses checks. 2.15 with no formatMsgNoLookups mitigations is still vulnerable to RCE. 2.15.0 w/o those mitigations is vulnerable only if attackers can control non-message parts of the pattern layout🚨
Alvaro Muñoz
@pwntester
Dec 28, 2021
Most Java apps working with databases have configuration files where you specify the JNDI address to fetch the JDBC datasource. Please do not start requesting CVEs for them 🙏🏼
Alvaro Muñoz
@pwntester
Mar 31, 2022
#Spring4Shell details are now public, It is an old ClassLoader Manipulation. Actually, CVE-2022-22965 is just a bypass of the 12 years old CVE-2010-1622 (exchange.xforce.ibmcloud.com/vulnerabilitie…)
Alvaro Muñoz
@pwntester
Jan 27, 2023
Had some fun with OGNL sandboxes last year. Read how I bypassed Atlassian Confluence and Struts ones in my latest blog post
Bypassing OGNL sandboxes for fun and charities
From github.blog
40K
Alvaro Muñoz
@pwntester
Dec 10, 2021
Wait waattt? Released 9 moths ago?! github.com/nice0e3/log4j_… #log4j