Publications

"No grave but the SIP": Reversing a VoIP phone firmware

30/08/2019 When conducting internal intrusion tests, one can find interesting to access the phones used by a client, as they are often connected to an internal network and can provide some kind of persistent access. This article presents the research done for getting a good grasp on the firmware of Yealink VoIP phones, which enables us to analyze further the underlying system.

2019 summer challenge writeup

30/07/2019 The 2019 summer challenge is now closed! This was a bit of a departure from the usual hardened binaries, as it showcased a programming model that is not a distant relative of the Turing machine. This article will give a high level overview of the challenge's solution, and some behind-the scenes comments.

Exploiting a No-Name FreeBSD Kernel Vulnerability

24/07/2019 A new patch has been recently shipped in FreeBSD kernels to fix a vulnerability (cve-2019-5602) present in the cdrom device. In this post, we will introduce the bug and discuss its exploitation on pre/post-SMEP FreeBSD revisions.

2019 summer challenge: Alonzo!

18/06/2019 The Synacktiv summer challenge is back!

icmp-reachable

19/03/2019 A strange behavior was observed by Synacktiv experts during the security assessment of a stateful firewall implementation... After few coffees & RFCs it was understood that it could be a generic issue that might affect multiple IP stacks. So... What is a strange firewall behavior ? This article presents an implicit behavior of Linux nftables and OpenBSD PacketFilter? regarding the filtering of ICMP and ICMPv6 packets we considered as a security issue. It allows an attacker to bypass filtering rules in some cases an...

rutorrent code review

15/01/2019 Opportunistic and quick review of rutorrent’s overall security.

Using your BMC as a DMA device: plugging PCILeech to HPE iLO 4

20/12/2018 This blogpost aims at describing a method to turn a vulnerable HP iLO 4 instance into a DMA-capable device with the associated connector for PCILeech, the reference tool for memory acquisition and manipulation through DMA accesses.

Code Check(mate) in SMM

18/12/2018 In this article, a bypass of the SMM_CODE_CHK_EN, the equivalent of the SMEP protection for the System Management Mode (SMM), protection is explained. This article first explain the protection and the bug class it impacts, then the idea of the bypass is detailed and a leak is explained for being able to make it work.

Binder transactions in the bowels of the Linux Kernel

14/12/2018 Binder is the main IPC/RPC (Inter-Process Communication) system in Android. It allows applications to communicate with each other and it is the base of several important mechanisms in the Android environment. For instance, Android services are built on top of Binder. Message exchanged with Binder are called binder transactions, they can transport simple data such as integers but also process more complex structures like file descriptors, memory buffers or weak/strong references on objects.

Kinibi TEE: Trusted Application exploitation

10/12/2018 This blog post is dedicated to the Trustonic's TEE implementation and more particularly to the integration made by Samsung for its Exynos chipsets. Samsung recently patched a trivial vulnerability in a Trusted Application. After a brief explanation of TrustZone/Kinibi, this article details the exploitation of this vulnerability.