Fri, 08/12/2022 - 17:49During one of our assessments we came across a server running GeoServer version 2.17.2. This version is outdated and affected by multiple security vulnerabilities. Among those vulnerabilities, one looked more promising than the others: CVE-2022-24816. This vulnerability is a code injection flaw in jt-jiffle that leads to an unauthenticated remote code execution.
Tue, 07/26/2022 - 10:00A few weeks ago, version 2.4.54 of Apache HTTPD server was released. It includes a fix for CVE-2022-31813, a vulnerability we identified in mod_proxy that could affect unsuspecting applications served by an Apache reverse proxy. Let's see why it is rated as low in the software changelog and why it still matters. TL;DR: when in doubt, patch!
Mon, 06/20/2022 - 10:57During a ransomware attack, right after the ransomware was launched, we noticed the use of CCleaner as an anti-forensic tool to cover the attacker’s action. The following article aims to explore some key features of this tool from a forensic perspective. We will see how to identify the items that have been deleted and how they could be recovered. We focused on the free desktop version v6.00.9727.
Wed, 06/08/2022 - 11:40Thanks to Ready for IT organizers so we can shared a feedback regarding our incident response services (CSIRT Synacktiv) and red team activities. Below is a summary of the intervention.
Wed, 05/25/2022 - 10:43Network printers have been featured for the first time at Pwn2Own competition in Austin 2021. Three popular LaserJet printers were included in the completion: HP, Lexmark and Canon. During the event, we (Synacktiv) managed to compromise all of them allowing us to win the whole competition. In this post, we will focus on how we achieved code execution on the Canon printer.
Wed, 04/13/2022 - 18:20A lot of candidates, or simply fellow reversers, ask us how our team usually works: what kind of technologies are we looking into? What kind of projects? Do we work solo? How do we handle remote? etc. The goal of this blogpost is to share what we can about our internals, so you don't have to reverse us.
Wed, 03/30/2022 - 11:01We recently identified a path traversal issue in the elFinder software. It is assigned CVE identifier CVE-2022-26960. While the vulnerability is pretty classical, the story of its discovery is not. Keep on reading for the details.
Fri, 03/25/2022 - 14:49Twice a year ZDI organizes a competition where the goal is to hack hardware and software. During November 2021, in Austin, hackers tried to exploit hardware devices such as printers, routers, phones, home automation devices, NAS and more. This blogpost describes how we successfully took over a Netgear router from the WAN interface.
Mon, 03/14/2022 - 14:30So you have found an application vulnerable to Log4Shell, but the bypass gadgets are not working, and you did not manage to use a gadget from Ysoserial? If you read our last articles on finding Java gadgets you might have found a new one with gadget inspector. But what if gadget inspector did not find a valid chain? You might stop and be desperate because, as we saw, manual gadget research is not an easy task! In this article we will present a new methodology and multiple CodeQL queries to find gadget chains in Java a...
Tue, 02/08/2022 - 10:50The Synacktiv team participated in the Insomni'hack teaser 2022 last week-end and placed 9th out of 280 teams. The onetestament challenge was pretty interesting and taught me a few tricks so I have decided to write a detailed solution. In this writeup, I have tried to illustrate the thought process behind solving this challenge, rather than just the usual solve.py (which you can still find at the end of the article). Expect to see some (old) heap tricks and enjoy the read!