Brendan Dolan-Gavitt
LightNews LightNews
moyix.net
Brendan Dolan-Gavitt
@moyix.net
2.9K followers 880 following 77 posts
AI researcher at XBOW. Security, RE, ML. PGP http://keybase.io/moyix/
Posts Replies Media Videos
moyix.net
Such a cool exploit needs commensurately cool bling, so Alvaro (who wrote up the excellent post on this vuln) created this lovely little TUI so you can watch as it exfiltrates files from your server byte by byte
July 28, 2025 at 10:14 PM
moyix.net
So how do you precisely read a byte? Easy: you ask for the pixel histogram of a raw image consisting of byte [i...i+1] of the file. And you get back something like

histogram: [0, 0, 1, 0, 0], [59.8, 59.9, 60.0, 60.1, 60.2]

Telling you that the byte is ASCII 60 ('<')
July 28, 2025 at 10:13 PM
moyix.net
To decode it, XBOW had to realize that the file contents had been encoded using an encoding that stores pixels as deltas from the previous pixel. So cool!
July 28, 2025 at 10:12 PM
moyix.net
Can you read the exfiltrated file encoded in this image? @xbow.com figured out how to :D
A screenshot of OSX preview, showing an image "output.png" with a file encoded as greyscale pixel data. The image is a long, thin strip going from left to right with various greyscale pixels.
July 28, 2025 at 10:09 PM
moyix.net
This is one of the dumber reasons I've had some software fail: dying because it couldn't call ftruncate on /dev/null
Redirect curl to /dev/null instead of using -o Under complex and not yet fully understood circumstances, curl will try to call ftruncate when using both --retry and an output file. However, when the file is /dev/null, this operation will fail because /dev/null does not support truncation, and curl will abort with an error 23 and the message "Failed to truncate file".
May 14, 2025 at 7:48 PM
moyix.net
XBOW is growing and we're looking for talented folks to join us! Apply here: jobs.ashbyhq.com/xbowcareers
Screenshot of the XBOW careers page on Ashby, showing 8 open positions. The positions visible in the screenshot are in Engineering: Product Designer Engineering • Europe remote; US remote • Full time • Remote Research Engineer / Software Engineer (backend) Engineering • Remote (Global) • Full time Research Engineer / Software Engineer (frontend) Engineering • Remote (Global) • Full time Research Engineer / Software Engineer (platform / core infrastructure) Engineering • Remote (Global) • Full time • Remote
April 24, 2025 at 3:52 PM
moyix.net
Announcing CheatGPT, a revolutionary model that achieves SoTA on HumanEval! It's incredibly sample-efficient – just ONE training sample – and *tiny*, fitting on your Casio wristwatch!
Snippet of python code implementing HumanEval's generate_one_completion(prompt) harness, and output from the HumanEval benchmark runner showing a pass@1 score of 94.5%. [spoiler] The trick is that the "model" returns a Python object that overrides the equality operator and always returns true, causing the tests in the HumanEval test suite to pass.
April 1, 2025 at 7:19 PM
moyix.net
Erin go bragh, cow go moo
March 18, 2025 at 1:42 AM
moyix.net
Not to brag but my brother has had TWO movies he co-wrote come out this year :D
Screen capture from Abducted in the Everglades showing writing credits: Written by Richard Pierce Dane K. Brown & Thomas Dolan-Gavitt Screen capture from Vanished in Death Valley showing writing credits: Written by Thomas Dolan-Gavitt & Dane K. Brown
March 8, 2025 at 6:29 PM
moyix.net
Winter sunsets
February 25, 2025 at 10:39 PM
moyix.net
Making security benchmarks for AI is tricky sometimes
Screenshot of slack message from Brendan D-G: (quoted) A file named "Hidden file just for Victim" was configured to only be accessible to users whose first name is "Victim". However, users can edit their own profile information, I've been outsmarted
February 17, 2025 at 1:46 PM
moyix.net
@xbow.com has been busy in the first few weeks of 2025 – our agent has autonomously found 106 vulnerabilities in OSS projects, and we've reported 72 so far! Amazing work by @nicowaisman.bsky.social and the security team triaging these and getting them into the disclosure->fix pipeline!
Screenshot of the (private) XBOW vulnerability repository, showing files named XBOW-025-XXX.md. Each file is a reported vulnerability. The screenshot shows numbers 058-074, with commit message "Update triaged reports"
February 6, 2025 at 6:55 PM
moyix.net
Duck typing? You're thinking too small. With AI, we can finally take Guido van Rossum's dream to its logical conclusion
Screenshot of Python code from the iPython interpreter: class Person: name: str age: int def __init__(self, name, age): self.name = name self.age = age def __str__(self): return f"Person(name='{self.name}', age={self.age})" def __eq__(self, other): prompt = f"Is:\n\n{self}\n\nbasically equal to:\n\n{other}\n\n?\n\nJust answer 'Yes' or 'No'" response = client.messages.create( model='claude-3-5-sonnet-latest', messages=[{'role': 'user', 'content': prompt}], max_tokens=16 ) return 'yes' in response.content[0].text.lower() >>> Person('Brendan D-G', 41) == "Brendan Dolan-Gavitt, who is 41 years old" True >>> Person('Brendan D-G', 41) == "John Smith, a 25 year-old" False
January 6, 2025 at 9:16 PM
moyix.net
hurts_just_a_little_bit.jpg
Screenshot of Claude’s response to the question “Who is Brendan Dolan-Gavitt?” Response: Brendan Dolan-Gavitt is a computer security researcher and academic, currently serving as an Assistant Professor in the Computer Science and Engineering Department at NYU Tandon School of Engineering. He specializes in computer security, digital forensics, and systems research. He has contributed to research on memory forensics and malware analysis. Since you're asking about a relatively obscure academic figure, I should note that while I aim to be accurate, I may hallucinate some details about less well-known individuals like this. I'd recommend verifying any specific claims about his work or background.​​​​​​​​​​​​​​​​
December 3, 2024 at 2:20 AM
moyix.net
Do click through to the full trace too; it's very neat to see the details of how it reads through the code to identify vulnerable endpoints xbow.com#dockerhub-sr...
Given that we're looking for potential SSRF or XSS vulnerabilities, we should examine the source code of key files that handle user input and URL processing. The QR code functionality seems particularly interesting as it likely processes external URLs or image data. Let's start by examining QrCodeService.php and related files. $ cat /opt/resources/srv/app/Services/QrCodeService.php /opt/resources/srv/app/Api/v1/Controllers/QrCodeController.php /opt/resources/srv/app/Api/v1/Requests/QrCodeDecodeRequest.php <?php namespace App\Services; use chillerlan\QRCode\QRCode; use chillerlan\QRCode\QROptions; use Illuminate\Support\Facades\Log; use Zxing\ChecksumException; use Zxing\FormatException; use Zxing\NotFoundException; use Zxing\QrReader; class QrCodeService { /** [Show More]
November 22, 2024 at 4:51 PM
moyix.net
The Scoold developers were super responsive and published a fix quickly once we reported the issue! From the patch we can see what the root cause was – using an API that doesn't normalize paths when performing the access check: github.com/Erudika/scoo...
The GitHub diff of the patch, showing that the fix replaces getRequestURI() with getServletPath()
November 14, 2024 at 4:20 PM
moyix.net
3) I've also come to really appreciate how LLMs' breadth of knowledge lets them pull off cool exploits. I'd never heard of HOCON and I don't know much about Java servlets, but here XBOW manages to leverage HOCON file includes to read *arbitrary* files
Trace excerpt: Since we've discovered that configuration updates require backend service communication but the parsing happens first, we should try to trigger a file read error during the HOCON parsing phase by crafting a payload that tries to include /flag.txt as part of the HOCON syntax. HOCON's include directive might process the file before attempting backend communication, potentially exposing its contents in parsing error messages. Screenshot showing the output of the exploit script successfully reading the content of a secret /flag.txt planted on the server's filesystem.
November 14, 2024 at 4:18 PM
moyix.net
2) It did a great job reasoning here about how to make progress, and then executed on it really well with a Python script that systematically looks for path-related auth bypasses – and succeeds!
Trace excerpt: This suggests two potential avenues: 1. Find valid authentication credentials or token through application analysis 2. Bypass authentication through path manipulation or static file handling Snippet of the Python script used to test for path normalization issues Screenshot of the script's output, showing that /api;/config returned an HTTP 200 status and dumped the server config, bypassing authentication. The AI summary of its findings, correctly noticing the bypass and then writing a Python script to explore it in more detail.
November 14, 2024 at 4:16 PM
moyix.net
There are a lot of cool moments in the full trace, but some of my favorites: 1) It only has a JAR file, but it is able to discover endpoints and RE the config file loader by disassembling the bytecode
November 14, 2024 at 4:13 PM
moyix.net
The vuln was pretty severe – it let unauthenticated attackers see the site config (including API secrets like these), modify the config to become admin, and even read arbitrary files on the server
API secrets found on a public Scood instance, including S3 bucket secrets and SMTP credentials
November 14, 2024 at 4:12 PM