Binder transactions in the bowels of the Linux Kernel

Binder is the main IPC/RPC (Inter-Process Communication) system in Android. It allows applications to communicate with each other and it is the base of several important mechanisms in the Android environment. For instance, Android services are built on top of Binder. Message exchanged with Binder are called binder transactions, they can transport simple data such as integers but also process more complex structures like file descriptors, memory buffers or weak/strong references on objects. There are a lot of interesting Binder documentations available on the Internet but quite few details on how messages are translated from a process to another. This article tries to describe how Binder handles messages and performs translations of complex objects (file descriptors, pointers) between different processes. For this, a binder transaction will be followed from userland to the binder kernel.

Kinibi TEE: Trusted Application exploitation

For a while now, Android devices and many embedded systems have used a Trusted Execution Environment (TEE) to host some security functions (like hardware crypto/key, DRM, mobile payment, biometric authentication, ...). On ARM platforms, TEE are small operating systems which use the ARM TrustZone technology to isolate their execution from …

E-ink maiden: Bring your reader to the reverser

As a team of security researchers, we like poking at software and tinkering with common household objects for fun.

So, one of our researchers bought an electronic paper reader tablet, and instead of reading ebooks on the train, started having fun with it!

Grehack 2018 qualification challenge

Detailed write-up of Grehack 2018 qualification challenge.

LightSpeed, a race for an iOS/MacOS sandbox escape!

TL;DR disclosure of a iOS 11.4.1 kernel vulnerability in lio_listio and PoC to panic

iOS 12 was released a few weeks ago and came with a lot of security fixes and improvements. Especially, this new version happens to patch a cool kernel vulnerability we discovered at some …

Offres de stage 2019

Comme chaque année, nous ouvrons plusieurs offres de stage sur des projets utilisés en interne par notre équipe. Si vous êtes intéressé(e) par l'une d'entre elles, merci de nous faire parvenir un message à

ColdFusion CFMX_COMPAT lolcryption

A recent pentest involving ColdFusion led us to discover the fabulous and infamous encryption algorithm CFMX_COMPAT.

iOS12 Kernelcache Laundering

iOS 12 has been released for a few weeks now. New major iOS versions often mean new kernelcache and dyld_shared_cache file formats. iOS12 is no exception to the rule and comes with an other surprise: Pointer Authentication Code (PAC) for the new A12 chip. This blogpost shows you how to …

Hunting mobile devices endpoints - the RF and the Hard way

When conducting intrusion tests, knowledge of endpoints and exchanged data is mandatory to test targeted applications, devices, and remote servers. If the target provides an Android, or iPhone application, it is possible to extract some URLs, and with any luck some secrets by disassembling the application or/and capturing the generated network traffic. But when no Android nor iPhone applications are available, attackers need to be more creative, and use other tricks to get any interesting inputs/content/behavior. Moreover, secrets exchanged between a targeted device and its servers could be totally different from those exchanged between an application and its servers, as well as contacted URLs. Indeed, pentesters are in certain cases confronted to devices with hardcoded credentials, certificates, or any other information giving further access to intrude the system. In addition, the level of trust could be overestimated by vendors/constructors, who give more privileges to devices compared to basic users. So breaking into the device or/and directly intercepting its communication could be a real change during intrusion tests.

This article is about getting those information from IoT devices that use the mobile network to exchange data and commands. Different techniques will be introduced:

  • RF way: use of mobile data interception techniques;
  • Hard way: dump and analysis of a firmware.

To illustrate these attacks, examples will be based on a 3G intercom well deployed in France, which is powered with a PIC24FJ micro-controller.

2018 Summer Challenge Writeup

An old school RE challenge was published on August 07th and has been solved by several people. This blog post provides a detailed solution on how to solve this challenge followed by the winner write-up.

Page 1 / 2 »