
Callum Thomson

Software Engineer / Security Researcher

I'm an experienced Security Researcher and System Software Engineer, primarily skilled in Rust, C and Assembly.

@CUB3D@infosec.exchange

Projects

Zuneslayer
The first Microsoft Zune HD full chain exploit

Combines a Microsoft IE 6 Use-After-Free and a Windows CE 6.0 kernel exploit to achieve the first non-XNA, intact-keyslot homebrew entrypoint, and enables future custom firmware.
Rust Exploit
iPod sun
The first ever unsigned code execution on the iPod Nano 6 and iPod Nano 7

Using a combination of BootROM logic bugs and a sprinkle of CVE-2010-1797, achieved full persistent unsigned code execution on the final two iPod Nano generations. This unlocks BootROM extraction, firmware decryption and custom firmware.
Rust Exploit
Vindolanda
An AMD SVM powered Type 1 hypervisor for fuzzing

This one's private :3

Rust Fuzzing
Hadrian
A RiscV RV64IMAC emulator and JIT, specially designed for coverage-guided snapshot fuzzing
Capable of over 150,000 fuzz cases / second / core

This one's private :3

Rust Fuzzing
flash-lso
A safe and fast serialization and de-serialization library for the Flash Local Shared Object file format, as well as a collection of tools to help work with it.
Part of the Ruffle project
Rust
SMOL
A simple link shortener, written in Rust with actix_web
HTML5 CSS3 JavaScript Rust SQL Diesel Actix Docker
Notes App
A clean and fast note taking app for Android with support for image notes and checklists
Android Kotlin Android Jetpack Dagger2
CBNS
A rapid pub/sub based messaging system for device to device messaging
Rust Actix

Security Reports

Stack overflow / Heap corruption while parsing PVR files | IrfanView
11/01/2023, Both fixed in FORMATS plugin version 4.62.3
Unspecified out of bounds access reading PVR files | IrfanView
04/01/2023, fixed in FORMATS plugin version 4.62.2
Integer overflow leading to controlled heap corruption | mupdf
11/11/2022, Link to bug report (private)

I've found what I believe to be a security vulnerability in the fitz TIFF parser.

By providing a specially modified TIFF file (such as the one attached), such that tiff->bitspersample == 16 && tiff->order == TII but where tiff->imagelength * tiff->stride < tiff->imagewidth * tiff->imagelength * tiff->samplesperpixel, an attacker can overwrite an arbitrary amount of data off the end of a heap allocated buffer.

In source/fitz/load-tiff.c, tiff_decode_samples, line 1322, a buffer is allocated with size (tiff->imagelength * tiff->stride)
On line 1377, this buffer is passed to tiff_swap_byte_order, with parameter n = tiff->imagewidth * tiff->imagelength * tiff->samplesperpixel
Because these two values can differ, tiff_swap_byte_order will both read uninitialised heap memory and write out of bounds into this buffer by an arbitrary amount

Additionally, I believe a similar bug is present on line 1385, when calling tiff_scale_lab_samples.

I believe the fix would be to use the existing allocation size as the parameter to tiff_swap_byte_order rather than recomputing it.
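As an added illustration of the size mismatch the report above describes (this is not mupdf's code; the struct is a constructed model of the header fields the report names), the two size computations side by side, the allocation-derived count the report proposes as the fix, and a pre-decode consistency check that rejects a header whose recomputed swap size cannot fit the allocation:

```c
#include <stdint.h>

/* Constructed model of the TIFF header fields named in the report above;
 * not mupdf's struct or code, only an illustration of the size mismatch. */
struct tiff_hdr {
    uint32_t imagewidth, imagelength, samplesperpixel, bitspersample;
    uint32_t stride;   /* bytes per row, as taken from the file */
};

static struct tiff_hdr make_hdr(uint32_t w, uint32_t h, uint32_t spp,
                                uint32_t bps, uint32_t stride)
{
    struct tiff_hdr t = { w, h, spp, bps, stride };
    return t;
}

/* Buffer size as the report says it is allocated: imagelength * stride.
 * 64-bit arithmetic keeps a wrapped 32-bit product from hiding the mismatch. */
static uint64_t alloc_size(const struct tiff_hdr *t)
{
    return (uint64_t)t->imagelength * t->stride;
}

/* Bytes the 16-bit byte-swap touches when its element count is recomputed
 * from the file as imagewidth * imagelength * samplesperpixel. */
static uint64_t swap_bytes_recomputed(const struct tiff_hdr *t)
{
    return (uint64_t)t->imagewidth * t->imagelength * t->samplesperpixel * 2;
}

/* Hardened element count, as the report proposes: derived from the
 * allocation itself, so the swap can never run past the buffer. */
static uint64_t swap_count_from_alloc(const struct tiff_hdr *t)
{
    return alloc_size(t) / 2;
}

/* Pre-decode check for the 16-bit path: a row must hold
 * imagewidth * samplesperpixel 16-bit samples, and the recomputed swap
 * size must fit the allocation. Returns 1 if consistent, 0 otherwise. */
static int header_consistent(const struct tiff_hdr *t)
{
    if (t->bitspersample != 16) return 0;  /* only the 16-bit path is modelled */
    uint64_t row_bytes = (uint64_t)t->imagewidth * t->samplesperpixel * 2;
    if (row_bytes > t->stride) return 0;   /* stride too small for one row */
    return swap_bytes_recomputed(t) <= alloc_size(t);
}
```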
Stack buffer overflow in RTSP packet parsing | gpac/gpac
01/05/2022, CVSS: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H (9.1)
Controlled heap buffer overflow in SDP packet parsing | gpac/gpac
30/03/2022, CVSS: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H (9.1)
Stack buffer overflow in XML entity parsing | gpac/gpac
27/03/2022, CVSS: AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H (7.1)

Experience

Rent-A-Writer | Software Development Intern
November 2021 - April 2022
PHP Hetzner Frontend
Landmark Information | Software Development Intern
June 2020 - September 2021
C# Azure Cloud Postman
MyStyleQuest | Freelance Software Engineer
August 2019 - February 2020
PHP7 HTML5 CSS3 JavaScript SQL Google Cloud Machine Learning
The Reinventory Company | Software Engineering Internship
July 2019 - February 2020
HTML5 CSS3 JavaScript React Native Iconic SQL Java Kotlin SpringBoot Rust Google Cloud Firebase
Prospect Path | Software Developer Intern
February 2019 - June 2019
HTML5 CSS3 JavaScript SQL PHP7 Laravel React

Open Source

Ruffle
An Adobe Flash Player emulator in Rust
PostmarketOS
A project to revive old Android phones with mainline Linux

Education

BSc Computer Science with Industrial Placement - Newcastle University
2018 - 2022

Programming Languages

Rust
Kotlin
C/C++
C#
Java
Python

Frameworks

React
React Native
Actix

Databases

SQL
Redis
Mongo

Cloud Providers

Google Cloud
Microsoft Azure

Tools

Docker
Vim
IntelliJ
Expo
GitHub
Postman

Languages

English: Native
German: Beginner
