Blog on Thomas Rinsma

Popping an alert from a sandboxed WebAssembly module

Tue, 19 Aug 2025 00:00:00 +0000

Would you believe me if I told you this HTML page could show an alert('hi from WASM'), when loaded?

<script>
WebAssembly.instantiateStreaming(fetch("plugin.wasm"), {});
</script>

More generally, if plugin.wasm is attacker-controlled, this could execute arbitrary JavaScript, despite the empty object as imports! Doesn’t this feel counter-intuitive, given the isolation properties of WebAssembly?

It turns out that the WASM/JS barrier is not really meant to be a sandbox, and that a subtle “feature, not a bug” in the WebAssembly JS API specification allows for such an “escape”, when making use of some convoluted JS prototype and WASM interop trickery.

Spoofing OpenPGP.js signature verification (write-up)

Sun, 15 Jun 2025 00:00:00 +0000

During a research project for Codean Labs, Edoardo and I found several vulnerabilities in OpenPGP.js. The worst of which was a subtle logical flaw which allowed an attacker to craft a “valid” PGP signature without access to the respective private key.

Read the write-up on Codean Labs’ blog:
https://codeanlabs.com/2025/06/cve-2025-47934-spoofing-openpgp-js-signatures/

Media coverage

YesWeHack wrote a blog about this bug after several online news media picked it up, including TechRadar, SecurityWeek, and The Register.

Exploiting LibreOffice (write-up)

Wed, 12 Feb 2025 00:00:00 +0000

During a research tangent at work, I found several logical vulnerabilities in LibreOffice.

The write-up includes a proof-of-concept showing how one of the bugs can be used to steal a secret from an incoming email (assuming a desktop Linux usecase with LibreOffice and Thunderbird), which was particularly fun to put together.

Read the write-up on Codean Labs’ blog:
https://codeanlabs.com/2025/02/exploiting-libreoffice-cve-2024-12425-and-cve-2024-12426/

Tetris in a PDF

Sun, 12 Jan 2025 14:00:00 +0100

Click to play Tetris

Recently, just for fun, I managed to create a playable version of Tetris inside a PDF. I posted about this a couple days ago on Hacker News and Twitter. You can play it by opening this file in a compatible desktop browser (Firefox and anything Chromium-based). The “source code” can be found here.

As there was quite some feedback, I’ll share a bit more context here.

Why?

Why not? I learned a bit about PDF’s JavaScript API and its implementations and realized there might be just enough I/O possibility there for a simple game.

Ghostscript security research (write-up series)

Thu, 31 Oct 2024 00:00:00 +0000

Through pentest work at Codean Labs, I found that Ghostscript is unexpectedly part of many attack surfaces, even server-side: applications that process user-submitted documents or images may invoke ImageMagick or LibreOffice for conversion, which in turn may call into Ghostscript for (embedded) EPS images.

Hence, I went digging and found a bunch of memory corruption bugs, several logic bugs and a really fun format string bug. I was able to turn the latter into a nice privilege escalation exploit, bypassing Ghostscript’s SAFER flag and thereby being able to invoke system commands. This results in RCE on server-side document conversion flows, but also in desktop cases when opening malicious documents/images.

Arbitrary JavaScript execution in PDF.js (write-up)

Mon, 20 May 2024 00:00:00 +0000

I found a way to execute Javascript inside PDF.js from within an untrusted PDF. Real Javascript, not the sandboxed PDF version :)

This had heavy consequences for many platforms rendering user-uploaded PDFs, lots of which use PDF.js, directly or indirectly (e.g. through react-pdf). Firefox itself was also vulnerable.

Read the write-up on Codean Labs’ blog:
https://codeanlabs.com/2024/05/cve-2024-4367-arbitrary-js-execution-in-pdf-js/

This bug gained quite some attention in the bug bounty crowd, and ended up being voted nr. 7 in Portswigger’s top 10 web hacking techniques 2024.

kb1: a fully DIY mechanical keyboard

Thu, 18 Apr 2024 20:00:00 +0100

Recently I’ve been learning more about electronics and PCB design, something I had no experience with up until recently. I wanted to challenge myself so I picked a relatively hard goal. This keyboard is the result of that. I call it kb1.

Specs

In short, it

is mechanically built using two PCBs with standoffs in between;
has a proper “tenkeyless” layout, compatible with Cherry MX-style switches (my version has Kailh box crystal jades);
has per-key RGB backlight using reverse-mounted SK6812 neopixels;
features an old-school 16x2 character LED display, located between F6 and F7;
has an obligatory knob (rotary encoder);
makes use of a Raspberry Pi Pico and KMK

See the Github project for the firmware and PCB design files.

Overclocking a Gameboy Color using a Raspberry Pi Pico

Thu, 28 Dec 2023 13:13:00 +0100

You might have seen the classic Youtube video by marcan showing a Gameboy Color being overclocked to arbitrary frequencies, using an FPGA development board.

Recently, I got hold of a GBC again and wanted to try this myself. I don’t have such an FGPA or a even a VCO, but I realized that the RP2040 on the Raspberry Pi Pico supports PWM at varying frequencies. Turns out, it indeed has a pretty wide frequency range, and it is trivial to connect it to a Gameboy.

Vulnerability write-up - "Dangerous assumptions"

Fri, 24 Feb 2023 20:20:00 +0100

Last year, during a tangent for a project, Kevin and I found a series of vulnerabilities in (combinations of) several Node.js packages that led to critical issues for our client, and most likely other users as well.

It was a lot of fun learning about all the ways that logic in Javascript code like this can break, mostly by abusing its dynamic typing and oddities like __proto__. All in all, this resulted in 6 CVEs in three different packages (Feathers.js, Sequelize and Socket.IO).

Porting Doom to a payment terminal

Mon, 18 Jul 2022 10:00:00 +0100

For the past half a year or so I have been playing around with a specific type of payment terminal, the VX820 from Verifone.

I randomly bought a couple of second-hand devices, and found out that they are wonderful pieces of hardware with lots of potential for alternative uses. I figured that a fun goal for myself would be to port Doom to it, which would nicely showcase the device’s unexpected computational power.

dromaius: a C++ GameBoy emulator and debugger

Sun, 25 Apr 2021 00:00:00 +0000

Over many years I kept coming back to this side-project: an emulator for the original Nintendo GameBoy (aka DMG). I believe I started by just parsing ROM files in C, then ended up following Imran Nazar’s wonderful tutorial, and came back to it a couple more times in later years with ideas for GUI elements (dear imgui is amazing) and debugging features.

It’s quite buggy, but I’m calling it good enough. It served its purpose as a learning tool for me. Pokemon Red was my main benchmark; I did not play it to the end but it seems to work :)

Exploiting a stack-based buffer overflow in practice

Tue, 17 Nov 2020 09:00:00 +0100

In my previous post, I detailed a fun method of obtaining root access on the Zyxel VMG8825-T50 router, which required physical access to the device and authenticated access to the web interface.

In this post, I will detail the exploitation of a vulnerability that could potentially result in unauthenticated RCE as root, given LAN access only. This vulnerability was also found on the VMG8825-T50 router, but it turns out to be present in multiple other Zyxel devices.

Getting root on a Zyxel VMG8825-T50 router

Thu, 26 Mar 2020 08:43:00 +0100

The device.

Update (December 2020): Several of the vulnerabilities mentioned in the post below have since been patched by Zyxel. In a later post I detail a different vulnerability, which has also been fixed.

My ISP recently provided me with a new router, the Zyxel VMG8825-T50. It seems to be a relatively new gigabit router with all kinds of capabilities. Sadly, some of them are locked down behind a somewhat restrictive web interface.

Rendering recursive portals with OpenGL

Sun, 19 May 2013 19:26:56 +0200

For the last couple of months I’ve been working on and off on my C++/OpenGL “game engine”, mostly for the purpose of learning OpenGL. The feature I was the most excited about trying to implement in this engine was portal rendering. Actually understanding and implementing that correctly has taken me a little while but I feel like I know enough now to explain some of the concepts here.

Tetris Friends AI

Mon, 24 Dec 2012 16:29:11 +0100

You might know the Facebook game called “Tetris Friends”. It’s basically just a flash version of tetris but with some added features like the ability to “hold” a block and to see multiple pieces in advance.

About a year ago I started to wonder if I could make an AI for it, just like I did for my own implementation of Tetris. It would have to look at the rendered pixels of the webpage containing the flash object, use those to determine the current state of the game, and then send keystrokes to the web browser to provide new input.

External publications

Mon, 01 Jan 0001 00:00:00 +0000

A list of publications external to this site (hence, excluding articles original to this blog). Most entries link to a meta-post containing the external link(s) with some context.

Conference talks

Escaping a misleading “sandbox”: breaking the WebAssembly-JavaScript barrier (WHY2025)
Payment terminals as general purpose (game-)computers (MCH2022)

Articles and papers

(in addition to original content on this blog itself)

Article in Phrack 72
- Popping an alert from a sandboxed WebAssembly module (Phrack 72, 2025)
Write-ups for Codean Labs research
Academic writing
- Automatic Library Version Identification, an Exploration of Techniques (research paper, 2017, arXiv)
- Seeing through obfuscation: interactive detection and removal of opaque predicates (Master’s thesis, 2017, pdf)
- University Card security (Bachelor’s thesis, 2015, pdf)