Personal hacking and security blog by @dozernz

See about, my (public) advisories, or my blog posts.


  • DEFCON 30 - Hunting Bugs In The Tropics

    I gave a talk at DEF CON 30 this year, titled Hunting Bugs In The Tropics. It covered a few years of my security research on Aruba Networks products, including the software in use on several of their popular products, as well as architectural details, and a whole lot of vulnerabilities.

  • Debugging a Java application with decompiled source code

    When reviewing a local Java-based target for vulnerabilities the first thing I do is decompile the class files into Java with the aid of several decompilers such as CFR, Procyon, etc, then load it into an IDE. I like IntelliJ and other JetBrains products for code review and easy navigation.

  • Developing an exploit for the Jira Data Center Ehcache RCE (CVE-2020-36239)

    Last Friday I saw an Atlassian security advisory for a critical RCE in Jira Data Center (CVE-2020-36239), so I decided to try to develop a proof of concept exploit for it. This ended up taking me about 5 hours. This short blog post details the process I went through to create the POC. I’ve also included some of the mistakes made and dead ends I went down, which is all too often missing from POC writeups.

  • SaltStack API vulnerabilities

    In November 2020 after seeing a pre-auth RCE (CVE-2020-16846, CVE-2020-25592) get dropped for Salt API, I wanted to find my own. This resulted in CVE-2021-3197, CVE-2021-25281 and CVE-2021-25282, which I detail in this post.

  • Aruba Clearpass RCE (CVE-2020-7115)

    I discovered an unauthenticated RCE vulnerability in Aruba ClearPass Policy Manager that I reported to Aruba, and it is now fixed. The Aruba security bulletin is available at ARUBA-PSA-2020-005.txt. Exploiting this vulnerability uses a couple of interesting tricks that I’ll explain in this post.

  • OpenSSL Arg Injection

    This is a short little post detailing how to get OpenSSL to run arbitrary code through the use of the -engine option. As detailed in the docs, an OpenSSL engine is a new component “to support alternative cryptography implementations, most commonly for interfacing with external crypto devices”. These engines consist of compiled code which is loaded by OpenSSL, and can be used to run arbitrary code.

  • Citrix Netscaler config decryption

    Citrix Netscaler (or whatever they’re calling it now) uses hardcoded encryption keys to encrypt at least some passwords stored in the appliance config, most importantly for LDAP bind passwords. This post details how to recover the cleartext for them.