/tags/vulnerability-research/Recent content in Vulnerability Research on THALIUMHugoen-usCopyright (c) 2026, all rights reserved.Tue, 16 Dec 2025 08:00:00 +0000/posts/dont-judge-an-audiobook-by-its-cover-taking-over-your-amazon-account-with-a-kindle/Tue, 16 Dec 2025 08:00:00 +0000/posts/dont-judge-an-audiobook-by-its-cover-taking-over-your-amazon-account-with-a-kindle/<p>Although Kindle e-readers are a prime target in modding and jailbreaking communities, there is little public work about vulnerability research in remote code execution scenarios.</p> <p>In this post, we give technical details about a chain of vulnerabilities we identified that can be triggered by downloading a malicious Audible audiobook, allowing to take full control of the device and its registered Amazon account.</p>/posts/achieving-remote-code-execution-in-steam-remote-play/Mon, 04 Dec 2023 08:00:00 +0000/posts/achieving-remote-code-execution-in-steam-remote-play/<p><em>Remote Play Together</em>, developed by Valve, allows sharing local multi-player games with friends over the network through streaming. The associated protocol is elaborate enough to shelter a valuable attack surface that has scarcely been ventured into in the past.</p> <p>This post covers the reverse engineering of the protocol and client/server implementations inside Steam, before presenting a dedicated fuzzer that unveiled a few critical vulnerabilities.</p>/posts/rooting-xiaomi-wifi-routers/Mon, 25 Sep 2023 00:00:00 +0000/posts/rooting-xiaomi-wifi-routers/In this article, we discuss our research approach for investigating Xiaomi routers. We discovered multiple vulnerabilities allowing Remote Code Execution (RCE) on several models, through both LAN and WAN interfaces. This work led to the publication of four CVEs specifically targeting Xiaomi routers./posts/leveraging-android-permissions/Tue, 20 Jun 2023 00:00:00 +0000/posts/leveraging-android-permissions/<p>The Android permission management system has already suffered from several vulnerabilities in the past. Such weaknesses can grant dangerous permissions to a malevolent application, an example being <code>CALL_LOG</code>, which gives access to all incoming and outgoing calls.</p> <p>This post dives into the Android permission system and how a solver was leveraged to find new vulnerabilities. With this approach, a privilege escalation was identified, which was fixed and assigned CVE-2023-20947 by Google.</p>/posts/ksmbd-trailer/Fri, 12 May 2023 12:00:00 +0000/posts/ksmbd-trailer/In this blogpost, we introduce the analysis of one SMB implementation: kSMBd. It will be followed up by a talk at OffensiveCon 2023 named &ldquo;Abusing Linux in-kernel SMB server to gain kernel remote code execution&rdquo;./posts/fuzzing-samsung-system-services/Thu, 20 Apr 2023 00:00:00 +0000/posts/fuzzing-samsung-system-services/Although the Android base is open source, many different constructors customize it with their own UIs and APIs. All these additions represent an extra attack surface that can change from one phone model to another. We tried to automatically fuzz the closed-source system services powering these modifications, discovering <code>CVE-2022-39907</code> and <code>CVE-2022-39908</code> along the way./posts/pivoting_to_the_secure_world/Fri, 24 Mar 2023 13:37:00 +0000/posts/pivoting_to_the_secure_world/<ol> <li>Discovery of two vulnerabilities in secure world components</li> <li>Exploitation to get code execution in a trusted driver, while not having a debugger for this obscure environment</li> <li>Leverage of aarch32 T32 instruction set to find nice stack pivots</li> <li>Turning an arbitrary write into an arbitrary code execution</li> </ol>/posts/rdpegfx/Fri, 14 Oct 2022 00:00:00 +0000/posts/rdpegfx/Microsoft’s Remote Desktop Protocol (RDP) client was fuzzed by various teams in the past few years, it thus seemed like a good target to try a recent snapshot fuzzer: <a href="https://github.com/0vercl0k/wtf">what the fuzz (wtf)</a> (of which we are only users). In this companion post to our <a href="https://www.hexacon.fr/conference/speakers/#fuzzing_rdpegfx">Hexacon 2022 talk</a> (<a href="/posts/misc/rdpegfx/Hexacon2022-Fuzzing_RDPEGFX_with_wtf.pdf">slides</a>, <a href="https://youtu.be/4pftjmKqeoM">video</a>) we’ll show how we took advantage of wtf flexibility in order to efficiently fuzz the RDPEGFX channel of Microsoft RDP client and uncover <a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30221">CVE-2022-30221</a>./posts/deserialization-bug-through-rdp-smart-card-extension/Fri, 10 Dec 2021 06:00:01 +0100/posts/deserialization-bug-through-rdp-smart-card-extension/<p>This is the <strong>third installment</strong> in my three-part series of articles on fuzzing Microsoft&rsquo;s RDP client, where I explain a bug I found by fuzzing the <strong>smart card extension</strong>.</p>/posts/leaking-aslr-through-rdp-printer-cache-registry/Fri, 10 Dec 2021 06:00:00 +0100/posts/leaking-aslr-through-rdp-printer-cache-registry/<p>This is the <strong>second installment</strong> in my three-part series of articles on fuzzing Microsoft&rsquo;s RDP client. I will explain a bug I found by fuzzing the <strong>printer sub-protocol</strong>, and how I exploited it.</p>/posts/fuzzing-microsoft-rdp-client-using-virtual-channels/Wed, 10 Nov 2021 12:00:00 +0000/posts/fuzzing-microsoft-rdp-client-using-virtual-channels/<p>This article begins my three-part series on fuzzing Microsoft&rsquo;s RDP client. In this <strong>first installment</strong>, I set up a methodology for <strong>fuzzing Virtual Channels</strong> using WinAFL and share some of my findings.</p>