Publications

Credential Stuffing: Speeding up massive leaks databases

Fri, 05/05/2023 - 14:38
Systems
Despite the increasing usage of cross-origin authentication, password-based authentication is still massively used by people having to log into an account. With a minimal length, upper-case letters, digits, special characters or any other constraints, people tend to reuse old passwords with little improvement. But when a website or any service is breached, it is then possible to use those passwords for credential replaying, password spraying or cracking attacks. In order to achieve these kinds of attacks, we have to store and query a huge ...

DJI Pilot Android Application Security Analysis

Tue, 08/04/2020 - 12:35
Systems
Reverse-engineering
On 23/07/2020, we published a study of the DJI GO4 application. This application, which is used to control a drone, is dedicated to the consumer-grade aircraft segment. We also studied DJI Pilot, the application dedicated to professionals and companies, in order to assess its security and look at the differences between the two apps. We found in this application similar issues to those listed in our previous blogpost, such as a forced update mechanism.

DJI Android GO 4 application security analysis

Thu, 07/23/2020 - 16:41
Systems
Reverse-engineering
Drones are currently one of the most dynamic products, with multiple use cases across sectors such as personal and commercial videography, farming and land surveying, law enforcement and national security, and more. One of the market leaders, China-based Da-Jiang Innovations (DJI), is often in the news for suspected cybersecurity and data privacy issues. While there are technical reports sponsored by DJI stating that their associated mobile application, DJI GO 4, is harmless and does not send any personal information b...

Binder Secctx Patch Analysis

Fri, 10/11/2019 - 15:22
Systems
At the beginning of 2019, a new feature was added to the Binder kernel module. This patch allows the caller's SELinux context to be sent in a Binder transaction. This feature was in fact a fix for CVE-2019-2023. This vulnerability is related to an unsafe use of the getpidcon function, leading to an ACL bypass. This article studies the details of this patch and its impact on security.

icmp-reachable

Tue, 03/19/2019 - 15:33
Systems
A strange behavior was observed by Synacktiv experts during the security assessment of a stateful firewall implementation... After a few coffees & RFCs, it was understood that it could be a generic issue that might affect multiple IP stacks. So... What is a strange firewall behavior? This article presents an implicit behavior of Linux nftables and OpenBSD Packet Filter regarding the filtering of ICMP and ICMPv6 packets, which we considered a security issue. It allows an attacker to bypass filtering rules in some cases an...

Binder transactions in the bowels of the Linux Kernel

Fri, 12/14/2018 - 15:47
Systems
Binder is the main IPC/RPC (Inter-Process Communication) system in Android. It allows applications to communicate with each other and it is the base of several important mechanisms in the Android environment. For instance, Android services are built on top of Binder. Messages exchanged through Binder are called binder transactions; they can transport simple data such as integers but also more complex structures like file descriptors, memory buffers or weak/strong references to objects.

Breaking namespace isolation with PF_RING before 7.0.0

Mon, 05/21/2018 - 16:11
Systems
Linux hardening and proper isolation using containerization can be tricky, especially when performance is critical. We recently helped a client design a secure network appliance that involved sniffing network traffic. This device has high security and performance constraints. This post is feedback on the unlikely integration of fast sniffers with Linux containers.