Oh hi, you found my blog, welcome. Most of the bugs I find start with “I wonder if…” or “What happens when…”. This blog is a record of following those threads through real systems until something breaks or I run out of ideas. If that sounds like your kind of reading, it’s probably worth adding to your feed reader.
Who I am
I go by NULLCATHEDRAL (sometimes _NULL).
I grew up sending net send messages across the network and checking if /install directories were left exposed on random sites. Spending hours in WPE Pro trying to figure out how to dupe items in obscure MMOs and writing game cheats to hook functions I didn’t fully understand. Modding game clients, running private game servers out of my bedroom. I learned more about networking and memory management trying to keep a private server stable and “cheat-proof” than I ever did in a classroom.
At some point that tinkering turned into a career. I’ve worked as a penetration tester for most of it. The only part I don’t love is report writing, but that’s the deal.
This blog is the other side of that: stuff I poke at on my own time because I got curious, not because someone’s paying me to. The bugs I like most hide in forgotten attack surface[1] and custom protocols with hard-coded or homebrew crypto. Most of the work is reading source code and commit logs. Understand how it’s supposed to work, then think about how it might not. Test it, be wrong, read more code, repeat. I’d rather be in the code than running scanners. Vendors don’t want to share their source, so half the time you end up engineering your way in just to start the actual research.[2] That part is sometimes more fun than the bugs themselves. Nothing for weeks, then 48 hours straight when something clicks. Sometimes the thread goes nowhere and I’ve spent a weekend staring at something that was never vulnerable in the first place.
On disclosure
Vendors get 120 days to patch. Full technical details go up the day a fix drops. Anyone with a diff tool can figure out what changed anyway, and the window between “patch released” and “exploit in the wild” keeps shrinking. Withholding the writeup doesn’t protect anyone. It just means defenders have less context than attackers.
Good vendors make the process rewarding. Bad ones ghost you completely. But timing still matters. Dropping an exploit on Christmas Day when every sysadmin is offline isn’t disclosure, it’s a head start for attackers.[3] So I try to work with vendors to ensure patches and disclosures land on days when people can actually patch; this is a case-by-case thing.
The blog
The Roundcube post is what most posts here will look like. Found a bug, here’s how it works and how to fix it. A writeup without a PoC is just a story, for me at least.
I’ve got a few more writeups waiting on vendor patches. Before this blog they would usually end up in text files or not get written at all. Having a place to publish them is reason enough to keep it going. Subscribe via the feeds to know when new posts go up, or find me in #nullcathedral on Libera.Chat and any of the contact methods.
Oh, and if you already have me in your reader from the previous post, hello! Thanks for that.
If you find this blog interesting, shoot me an email. I enjoy the interaction and I’d find it interesting to hear what you’re working on!
Notes
1. Debug endpoints left in production, deprecated API versions still routed, legacy admin panels, features the current dev team doesn’t even know exist. They survive because they’re not in anyone’s scope and scanners don’t know to look for them.
2. Pulling application bits and binaries off a server through an arbitrary file read, decompiling .NET assemblies, that sort of stuff. Source-assisted testing helps me find the things that actually matter.
3. MongoBleed. An Elastic Security researcher dropped a working exploit for a decade-old MongoDB memory leak on Christmas Day. Over 200k instances on the internet exposed. Merry Christmas to every MongoDB admin on the planet.