Hi, I am Orange, currently the Principal Security Researcher at DEVCORE and a core member of the CHROOT Security Group in Taiwan. I am an RCE enthusiast and mainly focus on Web and Application Security. My research has received several hacking awards and has been accepted by numerous security conferences.


Selected Honors

  • 2022 - Champion of Pwn2Own Toronto
  • 2021 - Winner of Pwnie Awards — “Best Server-Side Bug” for Exchange Server RCEs
  • 2021 - 3rd of Top 10 Web Hacking Techniques for Exchange Server RCEs
  • 2021 - Champion of Pwn2Own Vancouver
  • 2021 - 28th of Top 100 Microsoft Most Valuable Security Researchers
  • 2019 - Winner of Pwnie Awards — “Best Server-Side Bug” for SSL VPN RCEs
  • 2019 - 4th of Top 10 Web Hacking Techniques for research of SSL VPN RCEs
  • 2019 - 2nd of DEFCON CTF Final as team HITCON x BFKinesiS
  • 2018 - 1st of Top 10 Web Hacking Techniques for research of Breaking Parser Logics
  • 2017 - 1st of Top 10 Web Hacking Techniques for research of A New Era Of SSRF
  • 2017 - 2nd of DEFCON CTF Final as team HITCON
  • 2015 - 1st of 0CTF Final as team 217
  • 2014 - 2nd of DEFCON CTF Final as team HITCON
  • 2014 - 1st of the Taiwan Collegiate Information Security Skills Golden Shield Award (台灣大專院校資安技能金盾獎)
  • 2012 - 1st of the Taiwan Collegiate Information Security Skills Golden Shield Award (台灣大專院校資安技能金盾獎)
  • 2011 - 1st of the Taiwan Collegiate Information Security Skills Golden Shield Award (台灣大專院校資安技能金盾獎)
  • 2009 - 1st of HITCON Wargame Contest

Selected RCEs

2024

  • Apache HTTP Server
  • PHP
    • CVE-2024-4577 - An unauthenticated Argument Injection vulnerability.

2022

  • Sonos One Speaker
    • An unauthenticated RCE, chained from Information Leakage (CVE-2023-27353) to Stack Overflow (CVE-2023-27355).
  • WSO2 Identity Server
    • CVE-2022-29464 - An unauthenticated Arbitrary File Upload vulnerability.

2021

  • Microsoft Exchange Server
    • ProxyLogon - An unauthenticated RCE chained with 3 bugs, from SSRF (CVE-2021-26855) to Arbitrary File Writing (CVE-2021-27065).
    • ProxyShell - An unauthenticated RCE chained with 3 bugs, from SSRF (CVE-2021-34473) to Arbitrary File Writing (CVE-2021-31207).
  • Samba
  • Netatalk
  • Western Digital
  • Sonos One Speaker
  • PHPWind
    • An unauthenticated RCE, chained from PRNG Prediction to PHP Use-After-Free (CVE-2015-0237).

2020

  • Microsoft Exchange Server
    • CVE-2020-17117 - A Command Injection in Exchange PowerShell Remoting.
  • Ivanti MobileIron
    • CVE-2020-15505 - An unauthenticated Hessian Deserialization vulnerability.
  • Facebook Bug Bounty
    • Facebook held an unpatched MobileIron instance, and we then hacked it!

2019

  • Twitter Bug Bounty
    • Twitter held an unpatched SSL VPN instance, and we then hacked it!
  • Uber Bug Bounty
    • Uber held several unpatched SSL VPN instances, and we then hacked them!
  • Tesla Bug Bounty
    • Tesla held several unpatched SSL VPN instances, and we then hacked them!
  • Riot Games Bug Bounty
    • Riot Games held an unpatched SSL VPN instance, and we then hacked it!
  • Netflix Bug Bounty
    • The program keeps the report private.
  • Pulse Secure SSL VPN
    • An unauthenticated RCE, chained from Arbitrary File Reading (CVE-2019-11510) to Command Injection (CVE-2019-11539).
  • Fortinet FortiGate SSL VPN
    • An unauthenticated RCE, chained from Arbitrary File Reading (CVE-2018-13379) to Heap Overflow (CVE-2018-13383).
  • Palo Alto GlobalProtect SSL VPN
    • CVE-2017-15944 - An unauthenticated Format String vulnerability.
  • Jenkins
  • Hinet GPON Modem
    • An unauthenticated RCE, chained from ACL Bypass to Command Injection (CVE-2019-13411).

2018

  • Nuxeo
    • An unauthenticated RCE, chained with 4 bugs, from ACL Bypass to EL Injection.
  • Amazon Bug Bounty
    • Amazon held an unpatched instance, and we then hacked it!

2017

  • GitHub Bug Bounty
    • An unauthenticated RCE on GitHub Enterprise, chained with 4 bugs, from Blind SSRF to unsafe deserialization.
  • Imgur Bug Bounty
    • Imgur held an unpatched GitHub Enterprise instance, and we then hacked it!

2016

  • Uber Bug Bounty
    • The rider site rider.uber.com was vulnerable to Jinja2 SSTI.
  • Accellion File Transfer
    • An unauthenticated RCE, chained from SQL Injection (CVE-2016-2351) to Local Root (CVE-2016-2352).
  • Facebook Bug Bounty
    • Facebook held an unpatched Accellion instance, and we then hacked it!

2013

  • Yahoo! Bug Bounty
    • Several *.login.yahoo.com instances were vulnerable to a Struts2 vulnerability, and we hacked them!

2012

  • Microsoft Internet Explorer
    • CVE-2012-4775 - A Use-After-Free vulnerability, which is also my first CVE!