A recent pentest involving ColdFusion led us to discover the fabulous and infamous encryption algorithm CFMX_COMPAT.
iOS 12 has been released for a few weeks now. New major iOS versions often mean new kernelcache and dyld_shared_cache file formats. iOS 12 is no exception to the rule and comes with another surprise: Pointer Authentication Code (PAC) for the new A12 chip. This blogpost shows you how to …
When conducting intrusion tests, knowledge of endpoints and exchanged data is mandatory to test targeted applications, devices, and remote servers. If the target provides an Android or iPhone application, it is possible to extract some URLs, and with any luck some secrets, by disassembling the application and/or capturing the generated network traffic. But when neither an Android nor an iPhone application is available, attackers need to be more creative and use other tricks to obtain any interesting inputs, content, or behavior. Moreover, the secrets exchanged between a targeted device and its servers, as well as the contacted URLs, can be totally different from those exchanged between an application and its servers. Indeed, pentesters are in certain cases confronted with devices holding hardcoded credentials, certificates, or other information that gives further access to intrude into the system. In addition, the level of trust may be overestimated by vendors/manufacturers, who grant more privileges to devices than to basic users. So breaking into the device and/or directly intercepting its communication can make a real difference during intrusion tests.
This article is about getting that information from IoT devices that use the mobile network to exchange data and commands. Different techniques will be introduced:
- RF way: use of mobile data interception techniques;
- Hard way: dump and analysis of a firmware.
To illustrate these attacks, examples will be based on a 3G intercom widely deployed in France, which is powered by a PIC24FJ microcontroller.
Getting bored at the beach this summer? We have a small & old-school challenge for you!
Among the various security assessments performed by Synacktiv, some involve attacking the security hardening of a laptop or workstation master image that will be massively deployed in an infrastructure. The purpose of this kind of security assessment is to give the client an overview of its level of maturity regarding security concerns and to provide it with recommendations in order to increase its level of security.
This post describes how Synacktiv defeated a workstation's security measures by using a hardware approach.
Linux hardening and proper isolation using containerization can be tricky, especially when performance is critical.
We recently helped a client design a secure network appliance that involves sniffing network traffic. This device has high security and performance constraints.
This post is feedback on the unlikely integration of fast sniffers with Linux containers.
Synacktiv met netdata in the wild in the last few months. This blog post aims at telling the story of a vulnerability which was first forgotten one year ago and then only partially fixed. On a standard setup, the vulnerability can be exploited by gid netdata to read arbitrary files owned by root. On a weak setup (as seen in the wild by Synacktiv), the vulnerability can be exploited by all users.