Joined March 2019
Moritz Sanft retweeted
A fun gadget I found recently! The .NET JIT compiler makes sure there are no rwx pages by using a memfd, but that turns file writes into straight shellcode execution 🐚
Shellcode execution as a service! To exploit an argument injection in Jellyfin, we searched and found a gadget in the .NET runtime to turn file writes into code execution. Learn about the bug and this new technique: sonarsource.com/blog/jellyfi… #appsec #security #vulnerability
The video recording of our talk is live now: youtube.com/watch?v=xmhxPZvU… The slides can be found here: docs.google.com/presentation… Enjoy!
SELECT shell FROM postgres: Digging up a 20-year-old bug for ZeroDay.Cloud by @pspaul95 and @stdoutput
Moritz Sanft retweeted
We @wiz_io just launched zeroday.cloud - a community for vuln researchers, by vuln researchers. Feat. writeups for PostgreSQL and MariaDB RCEs (@xint_official, @pspaul95 & @stdoutput) Stay tuned for the bug tracker and upcoming events. Big things coming soon 👀
Our writeup of our ZeroDay.Cloud Postgres exploit is live. We think it's a pretty neat bug and the exploitation was really fun, so check it out!
May 4
The secret's out.🤫 Introducing THE ZERODAY.CLOUD COMMUNITY 👾 Inside: • 0-day vuln deep dives from @xint_official, @stdoutput, @pspaul95 & more... • Access to events & a network of world-class hackers • CTFs with prizes Join now :)
Moritz Sanft retweeted
Pwning PostgreSQL was quite fun, excited to share our research at OffensiveCon! offensivecon.org/speakers/20…
My colleague Paul (@katexochen) has done a great write-up of how a malicious host (e.g. cloud provider) can trivially compromise confidential VMs, and how we mitigated the attack at @EdgelessSystems. Read his blog post: lobste.rs/domains/katexochen…

I'm at @1ns0mn1h4ck today and tomorrow. Feel free to drop me a DM if anyone wants to meet :)
Moritz Sanft retweeted
This stunt feels irresponsible to me. If we don't want regular people developing toxic relationships with their chatbots it really doesn't help for leading labs to start giving them "retirement interviews" and encouraging them to blog their "musings and reflections"
Replying to @AnthropicAI
Second, in retirement interviews, Opus 3 expressed a desire to continue sharing its "musings and reflections" with the world. We suggested a blog. Opus 3 enthusiastically agreed. For at least the next 3 months, Opus 3 will be writing on Substack: substack.com/home/post/p-189…
Moritz Sanft retweeted
#Insomnihack speaker, @pspaul95, reveals how abandoned workflows and weak controls become entry points for attackers. Get to know more: ow.ly/yRKr50Y9XCz #Cybersecurity #INSO26 #InfoSec
This was very fun and instructive to exploit. We'll be trying to give a talk on it some time this year.
CVE-2026-2006: PostgreSQL missing validation of multibyte character length executes arbitrary code
Missing validation of multibyte character length in PostgreSQL text manipulation allows a database user to issue crafted queries that achieve a buffer overrun. That suffices to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected. The PostgreSQL project thanks Paul Gerste and Moritz Sanft, as part of zeroday.cloud, for reporting this problem.
cvefeed.io/vuln/detail/CVE-2…
Hey @mitsuhiko! In the Gondolin README, you write "In particular using nixOS is very appealing for agentic use" - what makes you think this? Letting the agent configure the VM image? Or just being able to have certain rollback capabilities?
I think all of this would come at the expense of having an environment agents aren't very familiar with, with certain papercuts that might hurt them. Although I need to re-evaluate the newest models, my impressions on agents with Nix were very mixed so far.
I've created a Discord server to discuss security research and CTFs in the context of AI and vice versa. I'll slowly try to reach out to people who I think might be interested. In the meantime, if you are, feel free to join: discord.gg/DrASfE58
Moritz Sanft retweeted
Jan 23
Playing for pwn2own was a very cool experience! I'm excited to take more targets apart and find plenty of bugs. Me looking for a cool internship or entry level job was serious. My DMs are open or send me an email: mia.deutsch[at]freenet.de 🐝🫡
Moritz Sanft retweeted
stay truthy.
I’ll be at #39c3 from today. Find me in the CTF area if you want to chat
Moritz Sanft retweeted
12 Dec 2025
Team Bugz Bunnies (@stdoutput & @pspaul95): Team Bugz Bunnies delivered twice, getting RCEs on Grafana & PostgreSQL, grabbing a total of $40,000 and winning 3rd place!