Publications

Return of the iOS sandbox escape: lightspeed's back in the race!!

Fri, 05/29/2020 - 17:38
Exploit
Last weekend a new version of the iOS jailbreak unc0ver was released with support for the latest iOS 13.5. Since iOS 8 in 2014, this is the first jailbreak using a 0-day vulnerability, a vulnerability still unknown to Apple at the time of the release, to break iPhone security measures. To keep this vulnerability secret, the jailbreak is heavily obfuscated and protected against dynamic inspection. However, since this vulnerability is not exactly new to us and since the cat is out of the bag, now seems a good tim...

SharkyCTF - EZDump writeups / Linux Forensics introduction

Tue, 05/12/2020 - 12:40
Challenges
This weekend the Sharky CTF was held, organized by students of ENSIBS. A series of 7 forensic challenges concerning the same machine memory dump was proposed. They make a great introduction to memory forensics in Linux, from the creation of a specific Volatility profile to the reverse engineering of a rootkit installed on the machine. Sit tight, here is the writeup!

Pentesting Cisco SD-WAN Part 2: Breaking routers

Thu, 05/07/2020 - 16:18
Pentest
In this second article, we will focus on the vEdge components, which are basically routers (physical or virtual). A patch was recently published for a vulnerability we found: Cisco IOS XE SD-WAN Software Command Injection Vulnerability (CVE-2019-16011).

Memory leak and Use After Free in Squid

Mon, 05/04/2020 - 17:31
Exploit
A few months ago, Synacktiv teams performed a security assessment on the open source project Squid. This blog post describes a few vulnerabilities that were found during this audit.

Looting Symfony with EOS

Thu, 04/23/2020 - 16:40
Tools
Pentest
We wrote a new tool that automatically loots all sensitive information from misconfigured Symfony applications. This post describes the type of data it can loot and how. If you just want to use it, check our GitHub repo! So let's get started and see what we can grab from the web profiler.

Azure AD introduction for red teamers

Mon, 04/20/2020 - 17:52
Pentest
Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access management service. It is increasingly used by customers to connect their on-premises Active Directory with online services such as Office 365, SharePoint, Teams, etc. The aim of this article is to briefly present Azure AD and to explore the different attack paths this new cloud environment offers to pentesters and red teamers.

How to exploit Liferay CVE-2020-7961: quick journey to PoC

Mon, 03/30/2020 - 16:48
Pentest
Liferay is one of the best-known CMSs written in Java, and one we sometimes encounter during assessments. Last week, we stumbled on the blog post from Code White Security entitled "Liferay Portal JSON Web Service RCE Vulnerabilities" describing an interesting issue. Unfortunately, there is no PoC associated with it, but as we love RCEs at Synacktiv, this is a good opportunity to learn something.

Pentesting Cisco SD-WAN Part 1: Attacking vManage

Wed, 03/25/2020 - 16:13
Pentest
In late 2019, a customer asked Synacktiv to perform a few-day security assessment of their SD-WAN project based on the Cisco SD-WAN solution. During this engagement, we actually found a few interesting vulnerabilities in different components. For this first article, we will focus on the vManage component, which was recently patched to address the following vulnerabilities:
CVE-2019-16012: vManage Cypher Injection
CVE-2019-16010: vManage Stored XSS

I'm SMBGhost, daba dee daba da

Thu, 03/12/2020 - 17:19
Exploit
Reverse-engineering
This blog post was written because of a mistake by Microsoft, which publicly released an advance warning for CVE-2020-0796. CVE-2020-0796, also nicknamed "SMBGhost" or "Coronablue", is a vulnerability impacting SMBv3.1.1 servers and clients and currently has no fix (12/03/2020).