Publications

elFinder: The story of a repwning

mer 30/03/2022 - 11:01
Exploit
Pentest
We recently identified a path traversal issue in the elFinder software. It is assigned CVE identifier CVE-2022-26960. While the vulnerability is pretty classical, the story of its discovery is not. Keep on reading for the details.

Finding gadgets like it's 2022

lun 14/03/2022 - 14:30
Pentest
So you have found an application vulnerable to Log4Shell, but the bypass gadgets are not working, and you did not manage to use a gadget from Ysoserial? If you read our last articles on finding Java gadgets you might have found a new one with gadget inspector. But what if gadget inspector did not find a valid chain? You might stop and be desperate because, as we saw, manual gadget research is not an easy task! In this article we will present a new methodology and multiple CodeQL queries to find gadget chains in Java a...

How to exploit CVE-2021-40539 on ManageEngine ADSelfService Plus

jeu 04/11/2021 - 11:32
Exploit
Pentest
During a penetration test we encountered the ManageEngine ADSelfService Plus (ADSS) solution. ADSS offers multiple functionalities such as managing password policies for administrators or self password reset/account unlock for Active Directory users. We decided to dig into this solution. However, our research barely started that a wild exploitation on this solution was announced. In this article we will explore the details of several vulnerabilities that allow an unauthenticated attacker to execute arbitrary code on the ...

Car hijacking swapping a single bit

mar 26/10/2021 - 10:40
Hardware
Exploit
Pentest
Used to interact with various ECU (Electronic Control Unit) in a car, the UDS (Unified Diagnostic Services) service is widely deployed by car constructors. This generic high level protocol is used to extract ECUs state, configure them or even update their firmware. When the implementation lacks cryptography support inside an ECU, the security level can decrease dramatically. This short blog post presents an hardware attack leveraging all diagnostic functions to an unauthorized tester.

Finding gadgets like it's 2015: part 1

lun 18/10/2021 - 15:23
Pentest
We found a new Java gadget chain in the Mojarra library, one of the most used implementation of the JSF specification. It uses a known entry point to start the chain and ends with arbitrary code execution through Java's Expression Language. It was tested on versions 2.3 and 3.0 of the Eclipse implementation of the JSF specification.

Baking Mojolicious cookies

mar 01/06/2021 - 15:56
Pentest
Mojolicious is a Perl framework for web development we have recently encountered during one of our missions. Mojolicious handles cookies using a JSON string signed using HMAC-SHA1. The format reminds JWT. This article describes how the cookie signature is done by Mojolicious and how to crack it in order to generated valid cookies.

Playing with ImageTragick like it's 2016

ven 28/05/2021 - 12:00
Exploit
Pentest
You probably already have encountered document converting features that deal with ImageMagick during engagements but for some reason you were not able to exploit them. This article will mention some techniques that could be used when an older version of ImageMagick is targeted. Spoiler alert: this is not new.

Kubernetes namespaces isolation - what it is, what it isn't, life, universe and everything

ven 26/03/2021 - 09:52
Pentest
When speaking about Cloud, containers, orchestration and that kind of things, Kubernetes is the name that comes to mind. We meet it in a lot of situations ranging from microservices implementation to user oriented self service hosting. But developers don't always understand the limits of the system and the mechanisms it implements. In particular, we commonly encounter misunderstanding about namespaces isolation. Time to bring some light in this darkness.

Pentesting Cisco ACI: LLDP mishandling

ven 05/03/2021 - 11:46
Pentest
Synacktiv had a chance to perform a security assessment during a couple of weeks on a SD-LAN project based on the Cisco ACI solution. The following article is a brief explanation of some of the internal mechanisms of auto-discovery and initialization of the Cisco ACI and the weaknesses identified during the security assessment including CVE-2021-1228 and CVE-2021-1231.