Publications

Behind the Shield: Unmasking Scudo's Defenses

05/10/2023 When writing an exploit for a memory corruption vulnerability, knowing the heap allocator internals is often required to shape the heap as desired. Following our previous blogpost focusing on jemalloc (new), this article will dive into another one of Android libc allocators: Scudo.

Old bug, shallow bug: Exploiting Ubuntu at Pwn2Own Vancouver 2023

01/09/2023 At this year Pwn2Own Vancouver we demonstrated Local Escalation of Privilege (LPE) exploits for the three desktop operating systems present at the competition: Windows, MacOS and Linux (Ubuntu). This blogpost explores the Ubuntu entry exploiting CVE-2023-35001, a 9 year old vulnerability in the Linux Kernel.

Exploring Android Heap allocations in jemalloc 'new'

30/05/2023 When writing an exploit for a memory corruption vulnerability, knowing the heap allocator internals is often required to shape the heap as desired. This article will dive into one of Android libc allocators: jemalloc 'new' (jemalloc version 5 and superior). Whereas scudo is the latest allocator introduced in the platform, jemalloc 'new' is still very used today but not well documented.

The printer goes brrrrr, again!

12/05/2023 For the second time at Pwn2Own competition, network printers have been featured in Toronto 2022. The same brands were included this year as in Austin 2021: HP, Lexmark and Canon with equivalent model. Unlike the previous event, we only targeted the Lexmark and Canon but nevertheless manage to compromise both. Sadly, the bug we exploited for the Canon printer was previously used by another team in the competition. Anyway, this is how we achieved code execution on the Canon printer.

Exploiting a remote heap overflow with a custom TCP stack

13/02/2023 In November 2021 our team took part in the ZDI Pwn2Own Austin 2021 competition [1] with multiple entries. One of them successfully compromised the Western Digital MyCloudHome connected hard drive via a 0-day in the Netatalk daemon. Our exploit was unusual because triggering the vulnerability required to mess with the remote TCP stack, so we wrote our own. This blog post will provide some technical details about it.

Escaping from bhyve

04/01/2023 Bhyve is a hypervisor for FreeBSD. This blogpost will describe how a limited OOB write vulnerability in an adapter emulator can be turned into code execution allowing to escape from the guest machine.

Cool vulns don't live long - Netgear and Pwn2Own

06/12/2022 Pwn2own is a competition where hackers try to execute arbitrary code on selected devices. This blogpost will describe two vulnerabilities found in the Netgear RAX30 router, and explain how both were patched the day before the event.

CVE-2022-31813: Forwarding addresses is hard

26/07/2022 A few weeks ago, version 2.4.54 of Apache HTTPD server was released. It includes a fix for CVE-2022-31813, a vulnerability we identified in mod_proxy that could affect unsuspecting applications served by an Apache reverse proxy. Let's see why it is rated as low in the software changelog and why it still matters. TL;DR: when in doubt, patch!

The printer goes brrrrr!!!

25/05/2022 Network printers have been featured for the first time at Pwn2Own competition in Austin 2021. Three popular LaserJet printers were included in the completion: HP, Lexmark and Canon. During the event, we (Synacktiv) managed to compromise all of them allowing us to win the whole competition. In this post, we will focus on how we achieved code execution on the Canon printer.

elFinder: The story of a repwning

30/03/2022 We recently identified a path traversal issue in the elFinder software. It is assigned CVE identifier CVE-2022-26960. While the vulnerability is pretty classical, the story of its discovery is not. Keep on reading for the details.