Adrian Denkiewicz
Adrian has worked as an Offensive Security Expert, Penetration Tester, and Software Developer in financial, e-commerce, and semiconductor companies. Eventually, he became a full-time security consultant working with experts from different industries and people from all around the world. His experience ranges from attacking complex applications, through sophisticated red teaming exercises, to exploiting internals of operating systems. He currently works as a Staff Application Engineer at Doyensec.
Session
CFITSIO is a NASA-maintained library widely used for reading and writing FITS (Flexible Image Transport System) data across astronomy, astrophotography, and scientific software. The raw data behind the stunning images from the Hubble and Webb telescopes — and even from casual backyard observatories — is stored in FITS format. CFITSIO is often embedded deep inside larger applications and services. One of its core features, Extended Filename Syntax (EFS), turns what appears to be a simple filename into a powerful mini-language supporting virtual files, filtering, filesystem interaction, and network access.
This talk presents original security research into CFITSIO’s Extended Filename Syntax and shows how it quietly expands the attack surface of applications that rely on default CFITSIO APIs. I will demonstrate how EFS can be abused to enable multiple high-impact security primitives, including arbitrary file operations, server-side request forgery, protocol-level manipulation, and unintended data exposure.
These issues are not classic memory corruption bugs, but abuses of legitimate, documented features that are enabled by default and inherited by third-party software without explicit awareness or threat modeling. This research builds on earlier CFITSIO vulnerabilities I previously reported and highlights how feature-rich parsing logic can turn filenames into a supply-chain attack surface.