Publications

Heap tricks never get old - Insomni'hack teaser 2022

Tue, 02/08/2022 - 10:50
Challenges
Exploit
The Synacktiv team participated in the Insomni'hack teaser 2022 last weekend and placed 9th out of 280 teams. The onetestament challenge was pretty interesting and taught me a few tricks, so I have decided to write a detailed solution. In this writeup, I have tried to illustrate the thought process behind solving this challenge, rather than just the usual solve.py (which you can still find at the end of the article). Expect to see some (old) heap tricks and enjoy the read!

How to exploit CVE-2021-40539 on ManageEngine ADSelfService Plus

Thu, 11/04/2021 - 11:32
Exploit
Pentest
During a penetration test we encountered the ManageEngine ADSelfService Plus (ADSS) solution. ADSS offers multiple functionalities such as managing password policies for administrators or self-service password reset/account unlock for Active Directory users. We decided to dig into this solution. However, our research had barely started when in-the-wild exploitation of this solution was announced. In this article we will explore the details of several vulnerabilities that allow an unauthenticated attacker to execute arbitrary code on the ...

Car hijacking swapping a single bit

Tue, 10/26/2021 - 10:40
Hardware
Exploit
Pentest
Used to interact with the various ECUs (Electronic Control Units) in a car, the UDS (Unified Diagnostic Services) protocol is widely deployed by car manufacturers. This generic high-level protocol is used to read an ECU's state, configure it or even update its firmware. When the implementation inside an ECU lacks cryptographic support, the security level can decrease dramatically. This short blog post presents a hardware attack that exposes all diagnostic functions to an unauthorized tester.

macOS XPC Exploitation - Sandbox Share case study

Wed, 09/08/2021 - 12:59
Challenges
Exploit
Usually we don't do blog posts about CTF challenges but we recently stumbled across a challenge that was a good opportunity to talk about several macOS/iOS internals, security mechanisms and exploit methods...

Your vulnerability is in another OEM!

Thu, 09/02/2021 - 12:00
Exploit
Reverse-engineering
Among the targets for Pwn2Own Tokyo 2020 were two NAS devices, the Synology DiskStation DS418play and the Western Digital My Cloud Pro PR4100. We took a look at both, and quickly found out that the Western Digital PR4100 was vulnerable via its webserver. However, exploitation was not THAT easy (it was not that hard either) and ultimately it did not even matter since the vulnerability was wiped by a major OS update pushed mere days before the contest. In the end, the vulnerable code we audited might not have even been written by Western D...

Exploitation of a double free vulnerability in Ubuntu shiftfs driver (CVE-2021-3492)

Tue, 07/13/2021 - 15:10
Exploit
This year again, the international contest Pwn2Own Vancouver took place at the beginning of April. Among the different categories, two major operating systems were proposed for the Local Escalation of Privilege (LPE) category: Linux (Ubuntu) and Windows 10. This article describes how an Ubuntu kernel vulnerability was found and exploited during this contest, allowing root access to be gained from an unprivileged user.

Playing with ImageTragick like it's 2016

Fri, 05/28/2021 - 12:00
Exploit
Pentest
You have probably already encountered document-conversion features relying on ImageMagick during engagements, but for some reason you were not able to exploit them. This article describes some techniques that can be used when an older version of ImageMagick is targeted. Spoiler alert: this is not new.

An Interesting Feature in the Samsung DSP Driver

Tue, 03/02/2021 - 09:22
Exploit
In February 2021 Samsung made some changes in one of its low-level drivers: the Digital Signal Processor (DSP) Linux driver. They removed one interesting feature: the ability for untrusted apps to load a custom DSP firmware of their choice. The driver is present on Exynos-based Galaxy S20 and Galaxy S21 phones (and probably on the Galaxy Note 20 too). This article presents how to use this feature to boot the DSP on a custom firmware, and how to use this custom firmware along with bugs in the DSP driver to gain ker...

Pwn2Own Tokyo 2020: Defeating the TP-Link AC1750

Mon, 03/01/2021 - 18:31
Exploit
A team of Synacktiv security experts participated in the last edition of Pwn2Own by submitting a LAN-side exploit against the TP-Link AC1750. This blog post describes the process of discovering and exploiting this vulnerability, including a presentation of the exploitation code.