The digital home of Joshua J. Drake | jduck's personal site

Joshua J. Drake aka jduck

Welcome! My name is Josh. I go by "jduck" on the Internet.

👁 ❤ 🦀 🖥 💻 📱

Background

I am an autodidact that is insatiably curious about myriad computer and technology topics, including; architectures, protocols, operating systems, firmware, reverse engineering, vulnerability research, and secure development.

My first time on the internet involved an external 2400 baud dial-up modem. Going all the way back to the BBS days, I showed a propensity for security research, aka "What happens when I do this?" This innate skill has served me well throughout the years and provided quite an interesting career.

You can read more about my professional experience on LinkedIn.

Contact Details

If there is something you think I can help you with, feel free to reach out. I am in the "don't ask to ask" camp, so feel free to PM away. If you see "jduck", it's probably me. Once upon a time, I was on IRC, but not really anymore.

e-mail	User: jduck, Host: qoop DOT org
LinkedIn	jduck1337
Matrix	@jduck:matrix.org
GitHub	jduck
X / Twitter	jduck
Mastadon	jduck
Discord	jduck1337
YouTube	jduck31337

Published Works

When time permits, I will update my public works here... In the meantime, maybe you can discover them on your own 😊

Writing

Book: Android Hacker's Handbook. March 2014. Drake, Fora, Lanier, Mulliner, Ridley, and Wicherski.

Developed Tools

IDA Pro / Hex Rays Superfluous Local Variable tool (iDefense, 2009)
Download: original source code
Functionality was later merged into IDA.

Public Speaking

Upcoming: Developing Secure Software in 2024 / CanSecWest

"Owning Enterprise Mail via Nth Party Software" at Toorcon 11, October 24^th 2009.
Sean Larsson and Joshua J. Drake of VeriSign iDefense Labs

Sean and I presented our research into the Autonomy KeyView and Oracle Outside-In document file format SDKs are embedded into IBM Lotus Notes, Blackberry Enterprise Server, Symantec Messaging Gateway, and Good Mobile Messaging. Using rudimentary dumb fuzzing, we were able to discover several vulnerabilities and develop working remote code execution exploits for them. While some issues required user interaction (such as previewing an attachment), it's important to note that the attack can be sent to many employees and only a small subset need interact.

Slides/Tools: toorcon2009-nth-party-software.zip
Video: not available
Additional links: Oracle Blog

Vulnerability Discoveries

CVE-2009-1010	Multiple Vendor Outside In Spreadsheet Integer Overflows (Advisory)
CVE-2009-1009	Multiple Vendor Outside In Multiple Spreadsheet Buffer Overflows (Advisory)
CVE-2009-3037	Autonomy KeyView OLE Document Integer Overflow (Advisory)
CVE-2009-3032	Autonomy KeyView Excel File SST Parsing Integer Overflow (Advisory)