Home

Sunrise from Crib Goch

Welcome to my space on the web! I’m a coder and an information security consultant and researcher. I love a good challenge that gets the cogs turning, particularly if it involves reverse engineering tech and even more so when somebody says “it can’t be done” or “it’s really secure”!

I founded a company in the UK called Cognitous to help businesses use and implement technology securely by providing security expertise through training, penetration testing (simulated hacking attacks), and team augmentation.

Check out my blog to see what I’ve been up to. Let me know if you find it useful and feel free to ask questions, leave a comment, or get in touch.

Latest blog posts:

  • Another ColdFusion RCE – CVE-2018-4939 18/6/2018 - In October 2017 I published an overview and video proof-of-concept of a Java RMI/deserialization vulnerability affecting the Flex Integration service of Adobe ColdFusion. I held off on publishing all of...
  • POPping WordPress 28/2/2018 - Fun with PHP deserialization and some accidental WordPress bugs. A few months ago I was putting together a blog post on PHP deserialization vulnerabilities. I decided to look for a...
  • Popping Password-“Protected” JMX 26/1/2018 - The name gives it away, Java Management Extensions (JMX) is a potentially juicy target for attack. One of the ways that a JMX service may be exposed is using Java...
  • Improving the BMC RSCD RCE Exploit 8/1/2018 - Last week I wrote about how I semi-blindly produced an RCE exploit for the BMC Server Automation RSCD service without access to a test environment. Since then I’ve got my...
  • RCE with BMC Server Automation 1/1/2018 - If you’ve ever come across BMC Server Automation during network scanning then you may have seen Nessus flag up a Critical vulnerability titled “BMC Server Automation RSCD Agent Weak ACL NSH...
  • Analysis of CVE-2017-12628 22/10/2017 - This morning I spotted a tweet mentioning an “Apache James 3.0.1 JMX Server Deserialization” vulnerability, CVE-2017-12628, which caught my eye because I wrote a generic JMX deserialization exploit which is...
  • Adobe ColdFusion Deserialization RCE (CVE-2017-11283, CVE-2017-11284) 13/10/2017 - During my research into the Java Remote Method Invocation (RMI) protocol, the most common RMI service that I came across was Adobe ColdFusion’s Flex integration service which is used to...
  • When Parameterized Queries Won’t Help 9/10/2017 - The usual recommendation for vulnerabilities that enable us to manipulate database queries (SQL injection) is to use a method such as prepared statements (parameterized queries) to query the database. Correct...
  • Java’s BaRMIe Back Door 1/10/2017 - A week ago I released a tool that I have been working on to enable security professionals to interact with applications that utilise Java’s Remote Method Invocation (RMI). This is...
  • Attacking Java Deserialization 13/8/2017 - Deserialization vulnerabilities are far from new, but exploiting them is more involved than other common vulnerability classes. During a recent client engagement I was able to take advantage of Java...