Publications

Pwn2Own Tokyo 2020: Defeating the TP-Link AC1750

Mon, 03/01/2021 - 18:31
Exploit
A team of Synacktiv security experts participated to the last edition of Pwn2Own by submitting a LAN-side exploit against the TP-Link AC1750. This blogpost aims to describe the process of discovery and exploitation of this vulnerability, including the presentation of exploitation code.

GPGme used confusion, it's super effective !

Tue, 02/16/2021 - 16:41
Pentest
In the world of logic vulnerabilities, there is an interesting subclass which is confusing API designs. Usually in this subclass the vulnerability does not lie in how the API is implemented but how it's used by a third party, which makes it particularly difficult to fix once and for all for everyone. In this blogpost, we will see an example regarding gpgme which was revealed in July 2020 and how easy it is to find a vulnerable downstream codebase using a simple variant analysis.

Typo3: leak to Remote code execution.

Thu, 12/17/2020 - 08:54
Pentest
Typo3 is an open source CMS we have recently encountered during one of our missions. We successfully exploited a configuration leak on this CMS to gain remote code execution on this application. This article describes the different steps to go from unauthenticated user to unsafe object deserialization and gain code execution.

Investigating IDA Lumina feature

Tue, 12/15/2020 - 13:25
Tools
Reverse-engineering
Lumina is a built-in function recognition feature of the well-known IDA pro disassembler that relies on an online signature database. Unfortunately, the database server is not available for local private use. Have you ever raged at a misstyped hotkey that sent your database content to the Lumina servers, wondered how it works, what kind of data is sent, and wished for a local server under your control? This blog post might answer some of your questions.

Pull up your bootloader

Wed, 12/09/2020 - 09:23
Hardware
SoC usually have the capability to customize the hardware behavior at system boot based on the value of input pin states called configuration word. However, the set of pull-up and pull-down resistors that control the configuration word can be hard to locate, especially on chips using BGA casings. In this study you will see that you don't always have to use expensive equipment to uncover these pins, sometimes all you need is a scope, a decent camera and knowing what you're looking for.

iOS 1-day hunting: uncovering and exploiting CVE-2020-27950 kernel memory leak

Tue, 12/01/2020 - 10:09
Exploit
Reverse-engineering
Back in the beginning of November, Project Zero announced that Apple has patched a full chain of vulnerabilities that were actively exploited in the wild. This chain consists in 3 vulnerabilities: a userland RCE in FontParser as well as a memory leak and a type confusion in the kernel. In this blogpost, we will describe how we identified and exploited the kernel memory leak.