
Thomas Rinsma
@thomasrinsma
Looking for strange loops and weird machines. Lead security analyst @CodeanIO.
Netherlands
Joined March 2013
@qynln With this we're slowly building up primitives to do almost anything. Still an open problem is a way to get to globalThis/window in more general contexts without unsafe-eval.
Great challenge in SekaiCTF by @qynln based on my WASM escape talk/article. I especially like the Symbol.toPrimitive trick for better function calling, also allowing for control over thisArg!
Mirror of the PoC on Github:
github.com
PoC for Phrack 72 article 10. Repository: ThomasRinsma/wasm_js_escape.
The recording of my WHY2025 talk is up, see below. The PoC I showed will be in the digital release of @phrack 72, coming soon :).
Here's the write-up for the OpenPGP.js signature spoofing bug which @b0n0b0__ and I found. The PoC is included at the end, where we demonstrate by spoofing a message by the Dutch government's Cyber Security Center ;).
codeanlabs.com
CVE-2025-47934 allows attackers to spoof arbitrary signatures and encrypted emails that appear as valid in OpenPGP.js. The only requirement is access to a single valid signed message from the target...
RT @yeswehack: InfoSec media has jumped on the story of a vulnerability found via the OpenPGP.js Bug Bounty program on @yeswehack that allo…
RT @thomasrinsma: @b0n0b0__ and I found a bug in OpenPGP.js that allowed an attacker to modify a valid signature's text, without access to…
github.com
Impact: A maliciously modified message can be passed to either `openpgp.verify` or `openpgp.decrypt`, causing these functions to return a valid signature verification result while returning dat...
RT @CodeanIO: Codean Labs' @b0n0b0__ and @Doyensec's @drw0if discovered CVE-2025-32464, a heap-buffer overflow in HAProxy. Read our write-u…
codeanlabs.com
CVE-2025-32464 is a vulnerability in HAProxy 2.2 up to 3.1.6-d929ca2 which allows an attacker to perform a DoS attack exploiting specific usages of the regsub converter. It causes a heap buffer...
Just published the write-up of two bugs I found in LibreOffice, allowing remote exfiltration of file/env data and a semi-arbitrary file write. Also relevant for document conversion/preview use cases :).
codeanlabs.com
Attackers can write semi-arbitrary files in the filesystem, and remotely extract values from environment variables and from INI-like files in the filesystem via two vulnerabilities in LibreOffice....
Finally cleaned up and published my hacky "toolchain" for running custom code on vulnerable Verifone POS devices, enjoy:
github.com
Talk + exploit for bootloader vuln in several Verifone VX devices - ThomasRinsma/vx_pos_hacks
RT @angealbertini: We played with JavaScript in PDFs: API difference, text or hex literals or indirect objects. Triggers on document openin…
I got nerdsniped ;) In the end it was not too difficult, Emscripten really is magical. Source here:
github.com
DOOM in a PDF (as ascii art). Repository: ThomasRinsma/pdfdoom.