Publications

Analysis and exploitation of the iOS kernel vulnerability CVE-2021-1782

Wed, 02/10/2021 - 00:14 Two weeks ago, CVE-2021-1782 was fixed by Apple. If the patch for this kernel vulnerability is simple, a way to exploit the bug was still to be discovered. This blog post aims to explain how an exploit is possible while providing a PoC.

This is for the Pwners: Exploiting a WebKit 0-day in PlayStation 4

Thu, 12/10/2020 - 07:39 Despite an active console hacking community, only few public PlayStation 4 exploits have been released. In this post, we will give a walk-through on the exploitation of a 0-day WebKit vulnerability on 6.xx firmware.

iOS 1-day hunting: uncovering and exploiting CVE-2020-27950 kernel memory leak

Tue, 12/01/2020 - 10:09 Back in the beginning of November, Project Zero announced that Apple has patched a full chain of vulnerabilities that were actively exploited in the wild. This chain consists in 3 vulnerabilities: a userland RCE in FontParser as well as a memory leak and a type confusion in the kernel. In this blogpost, we will describe how we identified and exploited the kernel memory leak.

Treasure Chest Party Quest: From DOOM to exploit

Wed, 11/25/2020 - 12:43 In this blogpost, we will find what happens when two security researchers find a random printer and then manage to find vulnerabilities in it.

Bypassing Naxsi filtering engine

Thu, 11/05/2020 - 09:16 In order to better protect its users, NBS System has asked Synacktiv to perform a source code review of Naxsi, a famous open source Web Application Firewall (WAF). During this audit, Synacktiv discovered several vulnerabilities that could allow bypassing the application of the filtering rules. This short blog post will present the most critical vulnerabilities and how they were fixed by NBS System. The fixes have been published on version 1.1a quickly after they were reported: https://github.com/nbs-system/naxsi/releas...

Ubuntu ppp's CVE-2020-15704 wrap-up

Thu, 09/03/2020 - 13:44 As you may already know, we collaborated with Zero Day Initiative to disclose a vulnerability in Ubuntu's ppp package. This vulnerability has been assigned the identifiers ZDI-CAN-11504 / CVE-2020-15704.

Izi Izi, Pwn2Own ICS Miami

Tue, 07/28/2020 - 14:36 ZDI announced last year a new entry in it's yearly contest "Pwn2Own". After the Vancouver edition focused on Desktop software and Tokyo specialized in smartphones, there is now a third location in Miami dedicated to industrial software also known as ICS or SCADA.

The fix for CVE-2020-9859 and the lightspeed vulnerability

Wed, 06/03/2020 - 12:48 Last week we published about the reintroduction of a kernel vulnerability in iOS 13. Here is the follow-up with the analysis of the fix.

Return of the iOS sandbox escape: lightspeed's back in the race!!

Fri, 05/29/2020 - 17:38 Last week-end a new version of the iOS jailbreak unc0ver1 was released with the support of the latest iOS 13.5. Since iOS 8 in 2014, this is the first jailbreak using a 0-day vulnerability, a vulnerability still unknown to Apple at the time of the release, to break iPhone security measures. To keep this vulnerability secret, the jailbreak is heavily obfuscated and protected against dynamic inspection. However, since this vulnerability is not exactly new to us and since the cat is out of the bag, now seems a good tim...

Memory leak and Use After Free in Squid

Mon, 05/04/2020 - 17:31 A few months ago, Synacktiv teams performed a security assessment on the open source project Squid. This blog post describes a few vulnerabilities that were found during this audit.