Thu, 12/17/2020 - 08:54Typo3 is an open source CMS we have recently encountered during one of our missions. We successfully exploited a configuration leak on this CMS to gain remote code execution on this application. This article describes the different steps to go from unauthenticated user to unsafe object deserialization and gain code execution.
Tue, 12/15/2020 - 13:25Lumina is a built-in function recognition feature of the well-known IDA pro disassembler that relies on an online signature database. Unfortunately, the database server is not available for local private use. Have you ever raged at a misstyped hotkey that sent your database content to the Lumina servers, wondered how it works, what kind of data is sent, and wished for a local server under your control? This blog post might answer some of your questions.
Thu, 12/10/2020 - 07:39Despite an active console hacking community, only few public PlayStation 4 exploits have been released. In this post, we will give a walk-through on the exploitation of a 0-day WebKit vulnerability on 6.xx firmware.
Wed, 12/09/2020 - 09:23SoC usually have the capability to customize the hardware behavior at system boot based on the value of input pin states called configuration word. However, the set of pull-up and pull-down resistors that control the configuration word can be hard to locate, especially on chips using BGA casings. In this study you will see that you don't always have to use expensive equipment to uncover these pins, sometimes all you need is a scope, a decent camera and knowing what you're looking for.
Tue, 12/01/2020 - 10:09Back in the beginning of November, Project Zero announced that Apple has patched a full chain of vulnerabilities that were actively exploited in the wild. This chain consists in 3 vulnerabilities: a userland RCE in FontParser as well as a memory leak and a type confusion in the kernel. In this blogpost, we will describe how we identified and exploited the kernel memory leak.
Thu, 11/26/2020 - 16:19You probably already have encountered a fanatical WAF during an engagement that turned you crazy preventing your almighty SQL injection from being exploited properly. This will never happen again thanks to a novel advanced technique based on artificial intelligence and block chain analysis. Read this article to know how. Disclaimer: this is click-bait.
Wed, 11/25/2020 - 12:43In this blogpost, we will find what happens when two security researchers find a random printer and then manage to find vulnerabilities in it.
Thu, 11/05/2020 - 09:16In order to better protect its users, NBS System has asked Synacktiv to perform a source code review of Naxsi, a famous open source Web Application Firewall (WAF). During this audit, Synacktiv discovered several vulnerabilities that could allow bypassing the application of the filtering rules. This short blog post will present the most critical vulnerabilities and how they were fixed by NBS System. The fixes have been published on version 1.1a quickly after they were reported: https://github.com/nbs-system/naxsi/releas...
Thu, 09/03/2020 - 13:44As you may already know, we collaborated with Zero Day Initiative to disclose a vulnerability in Ubuntu's ppp package. This vulnerability has been assigned the identifiers ZDI-CAN-11504 / CVE-2020-15704.
Wed, 08/26/2020 - 09:12Have you ever compromised a Cisco ISE with CVE-2017-5638? But what could you do next? This is a good network access but it can actually give you more. After a little digging, we found that guests passwords were stored in plaintext or encrypted (configuration dependent). This article explains how to extract the encrypted passwords, the encryption key and why it matters.