Publications

PHP filter chains: file read from error-based oracle

Tue, 03/21/2023 - 11:38 The possibilities allowed by filter chains will never stop amazing us. Last time we saw that using them in a PHP file inclusion function would lead to remote code execution. Since then, another way to abuse them was published at the end of the DownUnderCTF 2022! Let's see how PHP filters can also be used to read local files when their content is not printed, thanks to an error-based oracle.

Hardware investigation of wireless keyloggers

Fri, 03/03/2023 - 08:44 When a hardware keylogger is found on a computer, you can assume the user account and its secrets are compromised. In this article, we will present how to get access to the data stored on both a basic keylogger and a more advanced model with Wi-Fi access.

CI/CD secrets extraction, tips and tricks

Wed, 03/01/2023 - 09:20 This article aims at describing how to exfiltrate secrets that are supposed to be securely stored inside CI/CD systems. For that purpose, the examples of Azure DevOps and GitHub Actions will be detailed, and the tool we developed to automate extraction will be presented.

Exploiting a remote heap overflow with a custom TCP stack

Mon, 02/13/2023 - 02:03 In November 2021 our team took part in the ZDI Pwn2Own Austin 2021 competition [1] with multiple entries. One of them successfully compromised the Western Digital MyCloudHome connected hard drive via a 0-day in the Netatalk daemon. Our exploit was unusual because triggering the vulnerability required to mess with the remote TCP stack, so we wrote our own. This blog post will provide some technical details about it.

Building a io_uring based network scanner in Rust

Fri, 01/20/2023 - 16:34 Using the recent io_uring Linux kernel API to build a fast and modular network scanner in the Rust language

A study on Windows HTTP authentication (Part II)

Fri, 01/06/2023 - 13:23 Discussions about Windows authentication mechanisms over HTTP and the evolution of our MitM proxy.

Escaping from bhyve

Wed, 01/04/2023 - 09:26 Bhyve is a hypervisor for FreeBSD. This blogpost will describe how a limited OOB write vulnerability in an adapter emulator can be turned into code execution allowing to escape from the guest machine.

Cool vulns don't live long - Netgear and Pwn2Own

Tue, 12/06/2022 - 16:40 Pwn2own is a competition where hackers try to execute arbitrary code on selected devices. This blogpost will describe two vulnerabilities found in the Netgear RAX30 router, and explain how both were patched the day before the event.

PrideLocker - a new fork of Babuk ESX encryptor

Mon, 12/05/2022 - 13:33 A few months after the leak of Babuk source code in September 2021, new ransomware families with very similar capabilities already seem to emerge. During an incident response, Synacktiv's CSIRT detected a new ESX encryptor dubbed PrideLocker that is based on Babuk ESX encryptor, with new additions. This article provides an in-depth analysis of PrideLocker, and a method using IDAPython to decrypt its strings, as well as tips to detect its encryption capabilities.

A dive into Microsoft Defender for Identity

Wed, 11/23/2022 - 13:10 We recently analyzed the detection capabilities of Microsoft Defender for Identity, a cloud-based security solution which is the successor of Microsoft Advanced Threat Analytics and part of Microsoft Defender 365. This article will present its architecture, analyze its detection logic and abilities and present some bypasses, as well as general Red Team advices to stay under the Blue Team’s radar.