Publications

Writing a (toy) symbolic interpreter, and solving challenges, part 4

Fri, 07/30/2021 - 09:11 This is the last part of series, where we solve the challenge using our symbolic interpreter, and an external SMT solver. Huge success!

Writing a (toy) symbolic interpreter, and solving challenges, part 3

Wed, 07/28/2021 - 10:00 In this installment, we turn the concrete interpreter into a symbolic interpreter. How exciting!

Writing a (toy) symbolic interpreter, and solving challenges, part 2

Fri, 07/23/2021 - 10:05 In the second part of this series, we write a concrete interpreter for a subset of WebAssembly.

Writing a (toy) symbolic interpreter, and solving challenges, part 1

Mon, 07/19/2021 - 19:01 Writing a symbolic interpreter, and wiring it to a solver in order to solve reverse engineering challenges (or other uses), might seem like a daunting task. Even simply using an existing symbolic interpretation framework is far from easy when one has no experience in it. This serie of articles will describe, throughout the summer, how such an engine is built, and showcase implementation tricks and some trade offs to be aware off. Do not worry, the interpreter will be kept as simple as possible though! In the end, we...

Exploitation of a double free vulnerability in Ubuntu shiftfs driver (CVE-2021-3492)

Tue, 07/13/2021 - 15:10 This year again, the international contest Pwn2Own Vancouver took place in the beginning of April. Among the different categories, two major operating systems were suggested for the Local Escalation of Privilege category (LPE): Linux (Ubuntu) and Windows 10. This article describes how a Ubuntu kernel vulnerability was found and exploited during this contest allowing to gain root access from an unprivileged user.

Baking Mojolicious cookies

Tue, 06/01/2021 - 15:56 Mojolicious is a Perl framework for web development we have recently encountered during one of our missions. Mojolicious handles cookies using a JSON string signed using HMAC-SHA1. The format reminds JWT. This article describes how the cookie signature is done by Mojolicious and how to crack it in order to generated valid cookies.

Playing with ImageTragick like it's 2016

Fri, 05/28/2021 - 12:00 You probably already have encountered document converting features that deal with ImageMagick during engagements but for some reason you were not able to exploit them. This article will mention some techniques that could be used when an older version of ImageMagick is targeted. Spoiler alert: this is not new.

RM -RF IS THE ROOT OF ALL EVIL

Thu, 05/27/2021 - 16:00 There are some days where things do not go your way. And there are some other days where they go catastrophically wrong. Several months ago, I had the unfortunate experience of wiping 2 years of my work. This blogpost explains why this tragedy happened and what I did to recover some critical data from the ashes of my SSD.

Kubernetes namespaces isolation - what it is, what it isn't, life, universe and everything

Fri, 03/26/2021 - 09:52 When speaking about Cloud, containers, orchestration and that kind of things, Kubernetes is the name that comes to mind. We meet it in a lot of situations ranging from microservices implementation to user oriented self service hosting. But developers don't always understand the limits of the system and the mechanisms it implements. In particular, we commonly encounter misunderstanding about namespaces isolation. Time to bring some light in this darkness.

Dumping the Sonos One smart speaker

Tue, 03/09/2021 - 16:58 Twice a year, ZDI organizes a computer hacking contest called Pwn2Own. It challenges security experts to exploit widely used hardware and software. In November 2020, the contest was held in Vancouver and on-line. We already published an article on our success on TP-Link AC1750 Smart Wifi Router, but this wasn't the only device we focused on. This article presents the first step of our vulnerability research on the Sonos One Gen 2 smart speaker. Sonos speakers use encrypted firmware so the first thing to do for ...