Publications

Baking Mojolicious cookies

Mojolicious is a Perl framework for web development we have recently encountered during one of our missions. Mojolicious handles cookies using a JSON string signed using HMAC-SHA1. The format reminds JWT. This article describes how the cookie signature is done by Mojolicious and how to crack it in order to generated valid cookies.

Playing with ImageTragick like it's 2016

You probably already have encountered document converting features that deal with ImageMagick during engagements but for some reason you were not able to exploit them. This article will mention some techniques that could be used when an older version of ImageMagick is targeted. Spoiler alert: this is not new.

RM -RF IS THE ROOT OF ALL EVIL

There are some days where things do not go your way. And there are some other days where they go catastrophically wrong. Several months ago, I had the unfortunate experience of wiping 2 years of my work. This blogpost explains why this tragedy happened and what I did to recover some critical data from the ashes of my SSD.

Kubernetes namespaces isolation - what it is, what it isn't, life, universe and everything

When speaking about Cloud, containers, orchestration and that kind of things, Kubernetes is the name that comes to mind. We meet it in a lot of situations ranging from microservices implementation to user oriented self service hosting. But developers don't always understand the limits of the system and the mechanisms it implements. In particular, we commonly encounter misunderstanding about namespaces isolation. Time to bring some light in this darkness.

Dumping the Sonos One smart speaker

Twice a year, ZDI organizes a computer hacking contest called Pwn2Own. It challenges security experts to exploit widely used hardware and software. In November 2020, the contest was held in Vancouver and on-line. We already published an article on our success on TP-Link AC1750 Smart Wifi Router, but this wasn't the only device we focused on. This article presents the first step of our vulnerability research on the Sonos One Gen 2 smart speaker. Sonos speakers use encrypted firmware so the first thing to do for ...

Pentesting Cisco ACI: LLDP mishandling

Synacktiv had a chance to perform a security assessment during a couple of weeks on a SD-LAN project based on the Cisco ACI solution. The following article is a brief explanation of some of the internal mechanisms of auto-discovery and initialization of the Cisco ACI and the weaknesses identified during the security assessment including CVE-2021-1228 and CVE-2021-1231.

An Interesting Feature in the Samsung DSP Driver

In February 2021 Samsung made some changes in one of its low level drivers : the Digital Signal Processor (DSP) Linux driver. They removed one interesting feature : the ability for untrusted apps to load a custom DSP firmware of their choice. The driver is present on Galaxy S20 and Galaxy S21 Exynos based phones (and probably on Galaxy Note 20 too). This article presents how to use this feature to boot the DSP on a custom firmware, and how to use this custom firmware along with bugs in the DSP driver to gain ker...

Pwn2Own Tokyo 2020: Defeating the TP-Link AC1750

A team of Synacktiv security experts participated to the last edition of Pwn2Own by submitting a LAN-side exploit against the TP-Link AC1750. This blogpost aims to describe the process of discovery and exploitation of this vulnerability, including the presentation of exploitation code.

GPGme used confusion, it's super effective !

In the world of logic vulnerabilities, there is an interesting subclass which is confusing API designs. Usually in this subclass the vulnerability does not lie in how the API is implemented but how it's used by a third party, which makes it particularly difficult to fix once and for all for everyone. In this blogpost, we will see an example regarding gpgme which was revealed in July 2020 and how easy it is to find a vulnerable downstream codebase using a simple variant analysis.

Exploiting CVE-2021-25770: A Server-Side Template Injection in YouTrack

Exploiting CVE-2021-25770, a Server-Side Template Injection that leads to remote code execution using a known Freemarker sandbox escape.