Using your BMC as a DMA device: plugging PCILeech to HPE iLO 4

2018 has been a really tough year for BMCs! Although their attack surface was not something new (IPMI has been studied by Dan Farmer back in 2013, followed by a state-of-the-art blogpost by HD Moore), recent studies have shed light on how powerful these devices are in the servers, being able to directly access the main host memory, and how poor their code quality and software mitigations were.

Code Check(mate) in SMM

Some time ago I started reversing an AMI firmware from a quite up-to-date computer (2017/2018). While I was reversing a System Management Mode (SMM) driver, I noticed an interesting code change: during initialization, the SMM driver search for a SMM configuration table with a GUID named EFI_SMM_RUNTIME_SERVICES_TABLE_GUID 1. The …

Kinibi TEE: Trusted Application exploitation

For a while now, Android devices and many embedded systems have used a Trusted Execution Environment (TEE) to host some security functions (like hardware crypto/key, DRM, mobile payment, biometric authentication, ...). On ARM platforms, TEE are small operating systems which use the ARM TrustZone technology to isolate their execution from …

LightSpeed, a race for an iOS/MacOS sandbox escape!

TL;DR disclosure of a iOS 11.4.1 kernel vulnerability in lio_listio and PoC to panic

iOS 12 was released a few weeks ago and came with a lot of security fixes and improvements. Especially, this new version happens to patch a cool kernel vulnerability we discovered at some …

iOS12 Kernelcache Laundering

iOS 12 has been released for a few weeks now. New major iOS versions often mean new kernelcache and dyld_shared_cache file formats. iOS12 is no exception to the rule and comes with an other surprise: Pointer Authentication Code (PAC) for the new A12 chip. This blogpost shows you how to …

netdata apps.plugin security fixes

Synacktiv met netdata in the wild in the last few months. This blog post aims at telling the story of a vulnerability which was first forgotten 1 year ago and then partially fixed. On a standard setup, the vulnerability can be exploited by gid netdata to read arbitrary files owned by root. On a weak setup (as seen in the wild by Synacktiv), the vulnerability can be exploited by all users.

HP iLO talk at Recon Brx 2018

Since we presented our vulnerability in HP Integrated Lights-Out (iLO) 4 to Recon Brussels, we are now releasing the slides and tools that were developed during our study.

RCE vulnerability in HP iLO

On August 28th, HP published a security bulletin regarding a critical vulnerability in HP Integrated Lights-Out (iLO) 4. This blog post aims at giving some details about this vulnerability, and a few hints for administrators to protect their servers. This research only applies to iLO version 4.

Page 1 / 1