Code Check(mate) in SMM

Tue, 12/18/2018 - 16:17
In this article, a bypass of the SMM_CODE_CHK_EN, the equivalent of the SMEP protection for the System Management Mode (SMM), protection is explained. This article first explain the protection and the bug class it impacts, then the idea of the bypass is detailed and a leak is explained for being able to make it work.

Kinibi TEE: Trusted Application exploitation

Mon, 12/10/2018 - 16:09
This blog post is dedicated to the Trustonic's TEE implementation and more particularly to the integration made by Samsung for its Exynos chipsets. Samsung recently patched a trivial vulnerability in a Trusted Application. After a brief explanation of TrustZone/Kinibi, this article details the exploitation of this vulnerability.

iOS12 Kernelcache Laundering

Mon, 10/01/2018 - 15:47
iOS 12 has been released for a few weeks now. New major iOS versions often mean new kernelcache and dyld_shared_cache file formats. iOS12 is no exception to the rule and comes with an other surprise: Pointer Authentication Code (PAC) for the new A12 chip. This blogpost shows you how to deal with both by enhancing IDA. IDA 7.2 beta future release might add PAC and iOS12 kernelcache support but it will only be released in a few weeks and we think it will always be interesting to illustrate how to do it by ourselves. ...

netdata apps.plugin security fixes

Thu, 04/19/2018 - 15:54
Synacktiv met netdata in the wild in the last few months. This blog post aims at telling the story of a vulnerability which was first forgotten 1 year ago and then partially fixed. On a standard setup, the vulnerability can be exploited by gid netdata to read arbitrary files owned by root. On a weak setup (as seen in the wild by Synacktiv), the vulnerability can be exploited by all users.

HP iLO talk at Recon Brx 2018

Wed, 02/07/2018 - 15:59
Since we presented our vulnerability in HP Integrated Lights-Out (iLO) 4 to Recon Brussels, we are now releasing the slides and tools that were developed during our study.

RCE vulnerability in HP iLO

Tue, 09/12/2017 - 12:59
On August 28th, HP published a security bulletin regarding a critical vulnerability in HP Integrated Lights-Out (iLO) 4. This blog post aims at giving some details about this vulnerability, and a few hints for administrators to protect their servers. This research only applies to iLO version 4.