Anthony Weems | +15125656059 | https://github.com/amlweems | Last Updated: 2021-08-18

EXPERIENCE

Praetorian, Principal Engineer, March 2021 - Present

Member of Praetorian Labs, an R&D team dedicated to delivering advanced tooling and capabilities to both the product and services teams at Praetorian. Developed an orchestration platform for command and control for use in red team engagements. Published a root cause analysis of the Microsoft Exchange ProxyLogon attack chain in collaboration with Google Project Zero [1]. Open sourced a scalable password spraying tool for use in customer assessments [2].

Praetorian, Staff Engineer, Jan 2016 - February 2021

Engagement lead for complex application security projects covering web, mobile, desktop, cloud, and embedded device assessments. Concurrently performed general assessment work alongside project management. Managed teams of engineers on the more complex assessments that required multiple team members with unique skills. Spoke at B-Sides and RMISC, and lectured with Nathan Sportsman to the Intro to Computer Security class (CS378) at the University of Texas at Austin. Developed the Diana Platform [3], a product to deliver ongoing, comprehensive, and efficient security testing coverage.

Praetorian, Senior Security Engineer, Aug 2014 - Dec 2015

Worked with a senior engineering team on web and mobile application penetration tests for venture-backed startups and Fortune 1000 companies. Analyzed security and risk metrics for smart lighting devices through investigation of the ZigBee network and security layers, physical teardown of the device, probing of UART pins to view debugging output, and manual analysis of the disassembled device firmware. Member of the recently founded vulnerability research program. Vulnerability research thus far has involved reverse engineering target binaries, source code review, instrumentation and test harness development, and fuzzing of network protocols and file parsers using american fuzzy lop. Created two new career challenges: Machine Learning challenge [5], pwnable [4].

Praetorian, Intern, Summer 2013 & Summer 2014

Worked with a senior engineering team on several pen-tests, social engineering engagements, and reverse engineering projects. Performed web and mobile application pen-tests. Worked on a team with another intern to create and release https://mars.praetorian.com to beta. Developed a set of cryptography/steganography puzzles to aid candidate selection. The set of challenges is available on Praetorian's careers page [6].

PROFESSIONAL CERTIFICATIONS

- Stanford University Cryptography I Certification
- GIAC Web Application Penetration Tester (GWAPT) [7]
- Offensive Security Web Expert (OSWE) [8]
- Certified Kubernetes Administrator (CKA) [9]
- Certified Kubernetes Security Specialist (CKS) [10]
- Burp Suite Certified Practitioner [11]

PUBLIC VULNERABILITIES

- CVE-2015-5238: Stack overflow in libtre, also reported by P0 [12] [13]
- CVE-2016-4991: Command injection in nodepdf PDF rendering library [14]
- CVE-2016-7063: Privilege escalation to root in Pritunl VPN client [15]
- CVE-2016-7064: Man-in-the-middle compromise of Pritunl VPN client [16]
- CVE-2018-2813: MySQL privilege escalation via missing file access checks [17]
- CVE-2019-1003040: Jenkins Groovy sandbox escape via type coercion [18]
- CVE-2019-1003041: Jenkins Groovy sandbox escape via type coercion [18]
- CVE-2019-15021: Server-side request forgery in Zingbox Inspector [19]
- CVE-2019-15018: Tenant authentication bypass in Zingbox Inspector [20]
- CVE-2019-18818: Password reset bypass discovered during OSWE exam [21]

NOTABLE SIDE-PROJECTS

(All of the following can be found at github.com/amlweems)

- sklton-key: tool to decrypt TLS traffic sent by an arbitrary Go program
- gringotts: proof of concept exploit for CVE-2020-0601
- maildump: implementation of RFC 5321 for use as a catch-all email server
- atmin: automatic test-case minification library (e.g. minimize an HTTP request)
- abci: array-based command injection guide
- stun: TLS proxy with automated certificate provisioning based on SNI
- cryptopals (private): solutions to sets 1 through 7 of cryptopals
- sandbox-escapes (private): research into Java sandbox escapes
- hexpand: proof of concept hash length extension attack
- EE319k: embedded systems lab projects, includes winning final project
- tk421: toy operating system developed in spare time

REFERENCES

[1] https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-26855.html
[2] https://github.com/praetorian-inc/trident
[3] https://www.praetorian.com/platforms/diana
[4] https://www.praetorian.com/challenges/pwnable
[5] https://www.praetorian.com/challenges/machine-learning
[6] https://www.praetorian.com/challenges/crypto
[7] https://www.youracclaim.com/badges/53efae58-c24d-48b5-94bf-5aa0d3a32aa4
[8] https://www.youracclaim.com/badges/aca5ac0a-2a05-4ae4-b2b1-59d62311895c
[9] https://www.youracclaim.com/badges/5bb5614f-8e9d-4321-84ba-761fa1aa3280
[10] https://www.youracclaim.com/badges/cb2ef899-3577-4cdd-bad0-3e9bb41c3708
[11] https://portswigger.net/web-security/E/C/6C6778BFF86A429
[12] https://bugs.chromium.org/p/project-zero/issues/detail?id=428
[13] https://lf.lc/CVE-2015-5238.txt
[14] https://lf.lc/CVE-2016-4991.txt
[15] https://lf.lc/CVE-2016-7063.txt
[16] https://lf.lc/CVE-2016-7064.txt
[17] https://lf.lc/CVE-2018-2813.txt
[18] https://lf.lc/CVE-2019-1003040.txt
[19] https://security.paloaltonetworks.com/CVE-2019-15021
[20] https://security.paloaltonetworks.com/CVE-2019-15018
[21] https://lf.lc/CVE-2019-18818.txt