Welcome 👋

Just some security research, exploits, and rambling thoughts

metatrapd - Metadata and honeypots

Using a honeypot, honeyservice, or honeytoken is one of the simplest and most impactful security actions one can take. Thinkst Canary has proven this over a number of years and continues to lead the field. Taking inspiration from what Thinkst has done and combining it with their idea of “honey tokens” for cloud services, I wrote metatrapd a couple of years back. Finally, I’m making this public; maybe it will be useful to someone....

January 4, 2024 · 3 min · 516 words · Etienne Stalmans

Accessibility in Security

A really quick post about how we, as security and engineering, communicate. The language we use when communicating security issues has been discussed often, and we have gotten a lot better at making that language more inclusive and accessible. We still have a long way to go, but a shift away from confrontational language (we aren’t fighting a war) has, in my experience, led to better acceptance of what we are trying to say....

May 25, 2021 · 7 min · 1441 words · Etienne Stalmans

Thoughts on Threat Modeling

It has taken me a long time to get around to writing this post, mostly because having an opinion about threat modeling can be so polarising. I’m expecting to be told “you are wrong!”, “that is not what threat modeling is!”, and “that is not how you threat model!”. Fortunately, this is the internet, and we all get to have our own wrong opinions. What follows are some of my personal views on threat modeling, how I approach threat modeling and what has worked for me (both as a Platform Security Engineer and vulnerability researcher)....

March 26, 2021 · 14 min · 2945 words · Etienne Stalmans

Universal RCE with Ruby YAML.load (versions > 2.7)

A couple of years ago I wrote a universal YAML.load deserialization RCE gadget based on the work by Luke Jahnke from elttam. This has since been patched and no longer works on Ruby versions after 2.7.2 or on Rails 6.1. Fortunately, William Bowling (vakzz) has found a new gadget chain that works on all Ruby versions from 2.x to 3.x. His write-up for this is excellent and I highly recommend you give it a read: https://devcraft....

January 9, 2021 · 3 min · 606 words · Etienne Stalmans
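The primitive every YAML.load gadget chain builds on is that Psych resolves `!ruby/object:` tags by instantiating the named class and populating its instance variables from attacker-supplied data. The following is an added example, not code from this post or from vakzz's chain: it uses a constructed, harmless class (`Greeter`) to show that the legacy unsafe load path instantiates whatever class the document names, while `safe_load` rejects the tag unless the class is explicitly permitted. Psych 4 (Ruby 3.1+) moved the old behaviour to `Psych.unsafe_load` and made `load` safe by default, which the helper below accounts for.

```ruby
require 'psych'

# Constructed harmless class for the demonstration. A real gadget chain
# names classes whose methods run during or shortly after deserialization.
class Greeter
  attr_reader :name
end

# Constructed sample document: the tag tells Psych which class to allocate,
# and the mapping becomes its instance variables.
TAGGED_DOC = <<~YAML
  --- !ruby/object:Greeter
  name: attacker-controlled
YAML

# Legacy YAML.load behaviour (arbitrary object instantiation). Psych >= 4
# exposes it as unsafe_load; older Psych still does this in load itself.
def unsafe_load(doc)
  if Psych.respond_to?(:unsafe_load)
    Psych.unsafe_load(doc)
  else
    Psych.load(doc)
  end
end

# Hardened path: safe_load only builds scalars, arrays and hashes unless a
# class is listed in permitted_classes; any other tag raises DisallowedClass.
def safe_load(doc, permitted: [])
  Psych.safe_load(doc, permitted_classes: permitted)
  :ok
rescue Psych::DisallowedClass
  :rejected
end

if __FILE__ == $PROGRAM_NAME
  obj = unsafe_load(TAGGED_DOC)
  puts "unsafe: instantiated #{obj.class} with name=#{obj.name.inspect}"
  puts "safe:   #{safe_load(TAGGED_DOC)}"
  puts "safe (Greeter permitted): #{safe_load(TAGGED_DOC, permitted: [Greeter])}"
end
```

When auditing a Ruby codebase, grep for `YAML.load`, `Psych.load` and `YAML.unsafe_load` on untrusted input and check which Psych version is bundled; on Psych 4 `load` is safe, on anything older it is the unsafe path shown above.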

CVE-2020-25695 Privilege Escalation in PostgreSQL

It has been quite a year; I hope everyone is well and staying safe. This is my first and probably only post for the year, and it covers a fun privilege escalation vulnerability I found in PostgreSQL. It affects all supported versions of PostgreSQL going back to 9.5, and it likely affects most earlier versions as well. The vulnerability is similar to a time-of-check to time-of-use (TOCTOU) issue; however, in this case it relates to state not being fully cleared or reset before exiting a security-restricted operation....

December 15, 2020 · 13 min · 2637 words · Etienne Stalmans