Publications

Exploring GrapheneOS secure allocator: Hardened Malloc

22/09/2025 GrapheneOS is a mobile operating system based on Android and focusing on privacy and security. To enhance further the security of their product, GrapheneOS developers introduced a new libc allocator : hardened malloc. This allocator has a security-focused design in mind to protect processes against common memory corruption vulnerabilities. This article will explain in details its internal architecture and how security mitigation are implemented from a security researcher point of view.

Dissecting DCOM part 1

15/09/2025 This is the first article on the "Dissecting DCOM" series. This article aims at giving an introduction to the base principles of COM and DCOM protocols as well as a detailed network analysis of DCOM. No previous knowledge is required. The following articles will dig into the authorization and enumeration mechanisms on COM/DCOM. This articles series aims to regroup known knowledge about DCOM in order to allow one to have the necessary tools for vulnerability research on DCOM.

2025 summer challenge writeup

12/09/2025 Last month we organised the Synacktiv Summer Challenge 2025, an event featuring an original challenge based on Podman archive formats. Many of you spent several hours working on it: we received over thirty attempts! This article aims to present and explain in detail the different steps involved in designing an optimal solution.

Extraction of Synology encrypted archives - Pwn2Own Ireland 2024

11/08/2025 This article features the reverse engineering of Synology encrypted archives extraction libraries and the release of a script able to decrypt these archives. The tool is available on Synacktiv's GitHub.

Should you trust your zero trust? Bypassing Zscaler posture checks

08/08/2025 Zscaler is widely used to enforce zero trust principles by verifying device posture before granting access to internal resources. These checks are meant to provide an additional layer of security beyond credentials and MFA. In this blogpost, we present a vulnerability that allowed us to bypass Zscaler’s posture verification mechanism. Although the issue has been patched for quite some time now, we observed it still being exploitable in several environments during recent engagements. This post details the configuration of the Zscaler c...

2025 Summer Challenge: OCInception

31/07/2025 The last Synacktiv summer challenge was in 2019, and after 6 years, it's back. Send us your solution before the end of August, there are skills to learn and prizes to win! This challenge is inspired by code golfing, where the goal is to produce the smallest program implementing a feature. But this time, it will be about creating the smallest self-replicating Podman image archive...

Laravel: APP_KEY leakage analysis

10/07/2025 In November 2024, Mickaël Benassouli and I talked about vulnerability patterns based on Laravel encryption at Grehack. Although, each discovered vulnerability requires access to a Laravel secret: the APP_KEY, we emphasized the security risks involved and highlighted how this secret is often insecurely exposed in public projects. The story did not stop there, we gathered a huge chunk of APP_KEY and developed a new tool to identify vulnerable patterns from a set of publicly exposed Laravel applications. This blog post sums up our...

Let Me Cook You a Vulnerability: Exploiting the Thermomix TM5

10/07/2025 This article delves into vulnerability research on the Thermomix TM5, leading to the discovery of multiple vulnerabilities, which allow firmware downgrade and arbitrary code execution on some firmware versions. We provide an in-depth analysis of the system and its attack surface, detailing the vulnerabilities found and steps for exploitation.

From cheap IoT toy to your smartphone: Getting RCE by leveraging a companion app

08/07/2025 In this article, we will go through some vulnerabilities we found in an Android application, allowing us to take control of a recent smartphone by faking the drone itself.

Exploiting the Tesla Wall connector from its charge port connector

17/06/2025 In January 2025, we participated in Pwn2Own Automotive with multiple targets. One of them was the Tesla Wall Connector — the home charger for electric vehicles (including non-Tesla ones). We presented an attack that used the charging connector as the entry point, communicating with the charger using a non-standard protocol (for this type of application). We exploited a logic flaw to install a vulnerable firmware on the device. This article explains how we studied the device, how we built a Tesla car simulator to communicate with the c...