Publications

Typo3: leak to Remote code execution.

Thu, 12/17/2020 - 08:54
Pentest
Typo3 is an open source CMS we have recently encountered during one of our missions. We successfully exploited a configuration leak on this CMS to gain remote code execution on this application. This article describes the different steps to go from unauthenticated user to unsafe object deserialization and gain code execution.

Investigating IDA Lumina feature

Tue, 12/15/2020 - 13:25
Tools
Reverse-engineering
Lumina is a built-in function recognition feature of the well-known IDA pro disassembler that relies on an online signature database. Unfortunately, the database server is not available for local private use. Have you ever raged at a misstyped hotkey that sent your database content to the Lumina servers, wondered how it works, what kind of data is sent, and wished for a local server under your control? This blog post might answer some of your questions.

Pull up your bootloader

Wed, 12/09/2020 - 09:23
Hardware
SoC usually have the capability to customize the hardware behavior at system boot based on the value of input pin states called configuration word. However, the set of pull-up and pull-down resistors that control the configuration word can be hard to locate, especially on chips using BGA casings. In this study you will see that you don't always have to use expensive equipment to uncover these pins, sometimes all you need is a scope, a decent camera and knowing what you're looking for.

iOS 1-day hunting: uncovering and exploiting CVE-2020-27950 kernel memory leak

Tue, 12/01/2020 - 10:09
Exploit
Reverse-engineering
Back in the beginning of November, Project Zero announced that Apple has patched a full chain of vulnerabilities that were actively exploited in the wild. This chain consists in 3 vulnerabilities: a userland RCE in FontParser as well as a memory leak and a type confusion in the kernel. In this blogpost, we will describe how we identified and exploited the kernel memory leak.

Don't fear the bark, ts_rewrite to dodge the mark

Thu, 11/26/2020 - 16:19
Pentest
You probably already have encountered a fanatical WAF during an engagement that turned you crazy preventing your almighty SQL injection from being exploited properly. This will never happen again thanks to a novel advanced technique based on artificial intelligence and block chain analysis. Read this article to know how. Disclaimer: this is click-bait.

Bypassing Naxsi filtering engine

Thu, 11/05/2020 - 09:16
Exploit
In order to better protect its users, NBS System has asked Synacktiv to perform a source code review of Naxsi, a famous open source Web Application Firewall (WAF). During this audit, Synacktiv discovered several vulnerabilities that could allow bypassing the application of the filtering rules. This short blog post will present the most critical vulnerabilities and how they were fixed by NBS System. The fixes have been published on version 1.1a quickly after they were reported: https://github.com/nbs-system/naxsi/releas...

Ubuntu ppp's CVE-2020-15704 wrap-up

Thu, 09/03/2020 - 13:44
Exploit
As you may already know, we collaborated with Zero Day Initiative to disclose a vulnerability in Ubuntu's ppp package. This vulnerability has been assigned the identifiers ZDI-CAN-11504 / CVE-2020-15704.

Cisco ISE < 1.5 Passwords decryption

Wed, 08/26/2020 - 09:12
Pentest
Have you ever compromised a Cisco ISE with CVE-2017-5638? But what could you do next? This is a good network access but it can actually give you more. After a little digging, we found that guests passwords were stored in plaintext or encrypted (configuration dependent). This article explains how to extract the encrypted passwords, the encryption key and why it matters.