All Your (Data)base Are Belong To Us

Getting Started in Vulnerability Research with Code Execution Bugs in Office Applications

About the Speaker

Eugene Lim (spaceraccoon) is a security researcher and white hat hacker. He has worked on several bug bounty programs, including Starbucks, Grab, and Salesforce, and was ranked #2 globally out of more than 600,000 hackers on the Hackerone moving leaderboard. In 2019, he won the Most Valuable Hacker award at the H1-213 live hacking event in Los Angeles organized by Hackerone, the US Air Force, the UK Ministry of Defense, and Verizon Media.


Modern office applications support a wide variety of file formats, some of which have been around for decades. Parsing and processing these formats can often lead to trouble. This talk will demonstrate how you can get started in software vulnerability research by walking you through my journey in discovering and exploiting zero-days in office applications. Along the way, we will explore simple approaches to vulnerability research such as fuzzing, source code review, and reverse-engineering. The talk is targeted at researchers who are curious about binary exploitation and assumes minimal background knowledge.