Publications

I'm SMBGhost, daba dee daba da

Thu, 03/12/2020 - 17:19 This blogpost was created due to a mistake from Microsoft, releasing publicly an advance warning for CVE-2020-0796. CVE-2020-0796, also nicknamed "SMBGhost" or "Coronablue" is a vulnerability impacting SMBv3.1.1 servers and clients and currently has no fix (12/03/2020).

Binder - Analysis and exploitation of CVE-2020-0041

Tue, 03/03/2020 - 17:02 In December 2019, a new Binder commit was pushed in the Linux kernel. This patch fixes the calculation of an index used to process specific types of objects in a Binder transaction. This article studies the implication of the corrected issue, why it's a security bug and how to take advantage of it.

Through the SMM-class and a vulnerability found there.

Tue, 01/14/2020 - 16:52 In this blog post, a vulnerability in the code for the System Management Mode (SMM) in some Lenovo ThinkPad will be described. The vulnerability is a callout of SMRAM which allows to elevate privilege from kernel to SMM. This article explains the step-by-step exploitation of the vulnerability including the mapping of the code in SMM through the usage of the SMM save state area.

Scraps of Notes on Exploiting Exim Vulnerabilities

Tue, 10/08/2019 - 16:40 Recently, Qualys published an advisory about a severe vulnerability impacting Exim MTA: CVE-2019-15846. In their report, they even claim that they do have a PoC granting a remote attacker root privileges. The report was followed by instant alarmist articles: "Millions of Exim servers vulnerable to ..."

BFS 2019 Exploitation Challenge

Tue, 09/17/2019 - 16:35 On September 7th, 2019, BFS published an exploitation challenge on Windows 10 x64 to win an entry for the BFS-IOACTIVE party during the Ekoparty conference. This blogpost aims at describing a successful resolution of the challenge.

Exploiting a No-Name FreeBSD Kernel Vulnerability

Wed, 07/24/2019 - 16:29 A new patch has been recently shipped in FreeBSD kernels to fix a vulnerability (cve-2019-5602) present in the cdrom device. In this post, we will introduce the bug and discuss its exploitation on pre/post-SMEP FreeBSD revisions.

Using your BMC as a DMA device: plugging PCILeech to HPE iLO 4

Thu, 12/20/2018 - 16:23 This blogpost aims at describing a method to turn a vulnerable HP iLO 4 instance into a DMA-capable device with the associated connector for PCILeech, the reference tool for memory acquisition and manipulation through DMA accesses.

Code Check(mate) in SMM

Tue, 12/18/2018 - 16:17 In this article, a bypass of the SMM_CODE_CHK_EN, the equivalent of the SMEP protection for the System Management Mode (SMM), protection is explained. This article first explain the protection and the bug class it impacts, then the idea of the bypass is detailed and a leak is explained for being able to make it work.

Kinibi TEE: Trusted Application exploitation

Mon, 12/10/2018 - 16:09 This blog post is dedicated to the Trustonic's TEE implementation and more particularly to the integration made by Samsung for its Exynos chipsets. Samsung recently patched a trivial vulnerability in a Trusted Application. After a brief explanation of TrustZone/Kinibi, this article details the exploitation of this vulnerability.

LightSpeed, a race for an iOS/MacOS sandbox escape!

Mon, 10/29/2018 - 15:35 iOS 12 was released a few weeks ago and fixed a kernel vulnerability we discovered that can be used to escape the sandbox. This blogpost gives the technical write-up of the vulnerability.