Publications

The printer goes brrrrr!!!

Wed, 05/25/2022 - 10:43
Exploit
Reverse-engineering
Network printers have been featured for the first time at Pwn2Own competition in Austin 2021. Three popular LaserJet printers were included in the completion: HP, Lexmark and Canon. During the event, we (Synacktiv) managed to compromise all of them allowing us to win the whole competition. In this post, we will focus on how we achieved code execution on the Canon printer.

The reverse-engineering team presentation

Wed, 04/13/2022 - 18:20
Reverse-engineering
A lot of candidates, or simply fellow reversers, ask us how our team usually works: what kind of technologies are we looking into? What kind of projects? Do we work solo? How do we handle remote? etc. The goal of this blogpost is to share what we can about our internals, so you don't have to reverse us.

Pwn2Own Austin 2021 : Defeating the Netgear R6700v3

Fri, 03/25/2022 - 14:49
Exploit
Reverse-engineering
Twice a year ZDI organizes a competition where the goal is to hack hardware and software. During November 2021, in Austin, hackers tried to exploit hardware devices such as printers, routers, phones, home automation devices, NAS and more. This blogpost describes how we successfully took over a Netgear router from the WAN interface.

Your vulnerability is in another OEM!

Thu, 09/02/2021 - 12:00
Exploit
Reverse-engineering
Among targets for the Pwn2own Tokyo 2020 was 2 NAS, the Synology DiskStation DS418play and Western Digital My Cloud Pro PR4100. We took a look at both, and quickly found out Western Digital PR4100 was vulnerable via its webserver. However, exploitation was not THAT easy (it was not that hard either) and ultimately it did not even mattered since the vulnerability was wiped by a major OS update pushed mere days before the contest. In the end, the vulnerable code we audited might not have even been written by Western D...

RM -RF IS THE ROOT OF ALL EVIL

Thu, 05/27/2021 - 16:00
Challenges
Reverse-engineering
There are some days where things do not go your way. And there are some other days where they go catastrophically wrong. Several months ago, I had the unfortunate experience of wiping 2 years of my work. This blogpost explains why this tragedy happened and what I did to recover some critical data from the ashes of my SSD.

Investigating IDA Lumina feature

Tue, 12/15/2020 - 13:25
Tools
Reverse-engineering
Lumina is a built-in function recognition feature of the well-known IDA pro disassembler that relies on an online signature database. Unfortunately, the database server is not available for local private use. Have you ever raged at a misstyped hotkey that sent your database content to the Lumina servers, wondered how it works, what kind of data is sent, and wished for a local server under your control? This blog post might answer some of your questions.

iOS 1-day hunting: uncovering and exploiting CVE-2020-27950 kernel memory leak

Tue, 12/01/2020 - 10:09
Exploit
Reverse-engineering
Back in the beginning of November, Project Zero announced that Apple has patched a full chain of vulnerabilities that were actively exploited in the wild. This chain consists in 3 vulnerabilities: a userland RCE in FontParser as well as a memory leak and a type confusion in the kernel. In this blogpost, we will describe how we identified and exploited the kernel memory leak.

DJI Pilot Android Application Security Analysis

Tue, 08/04/2020 - 12:35
Systems
Reverse-engineering
On 23/07/2020, we published a study of the DJI GO4 application. This application, allowing to control a drone, is dedicated to the consumer grade aircraft segment. We also studied DJI Pilot, the application dedicated to professionals and companies, in order to assess its security and look at the difference between the two apps. We found similar issues to those listed in our previous blogpost in this application, such as a forced update mechanism.