The printer goes brrrrr!!!

mer 25/05/2022 - 10:43
Network printers have been featured for the first time at Pwn2Own competition in Austin 2021. Three popular LaserJet printers were included in the completion: HP, Lexmark and Canon. During the event, we (Synacktiv) managed to compromise all of them allowing us to win the whole competition. In this post, we will focus on how we achieved code execution on the Canon printer.

The reverse-engineering team presentation

mer 13/04/2022 - 18:20
A lot of candidates, or simply fellow reversers, ask us how our team usually works: what kind of technologies are we looking into? What kind of projects? Do we work solo? How do we handle remote? etc. The goal of this blogpost is to share what we can about our internals, so you don't have to reverse us.

Pwn2Own Austin 2021 : Defeating the Netgear R6700v3

ven 25/03/2022 - 14:49
Twice a year ZDI organizes a competition where the goal is to hack hardware and software. During November 2021, in Austin, hackers tried to exploit hardware devices such as printers, routers, phones, home automation devices, NAS and more. This blogpost describes how we successfully took over a Netgear router from the WAN interface.

Your vulnerability is in another OEM!

jeu 02/09/2021 - 12:00
Among targets for the Pwn2own Tokyo 2020 was 2 NAS, the Synology DiskStation DS418play and Western Digital My Cloud Pro PR4100. We took a look at both, and quickly found out Western Digital PR4100 was vulnerable via its webserver. However, exploitation was not THAT easy (it was not that hard either) and ultimately it did not even mattered since the vulnerability was wiped by a major OS update pushed mere days before the contest. In the end, the vulnerable code we audited might not have even been written by Western D...


jeu 27/05/2021 - 16:00
There are some days where things do not go your way. And there are some other days where they go catastrophically wrong. Several months ago, I had the unfortunate experience of wiping 2 years of my work. This blogpost explains why this tragedy happened and what I did to recover some critical data from the ashes of my SSD.

Investigating IDA Lumina feature

mar 15/12/2020 - 13:25
Lumina is a built-in function recognition feature of the well-known IDA pro disassembler that relies on an online signature database. Unfortunately, the database server is not available for local private use. Have you ever raged at a misstyped hotkey that sent your database content to the Lumina servers, wondered how it works, what kind of data is sent, and wished for a local server under your control? This blog post might answer some of your questions.

iOS 1-day hunting: uncovering and exploiting CVE-2020-27950 kernel memory leak

mar 01/12/2020 - 10:09
Back in the beginning of November, Project Zero announced that Apple has patched a full chain of vulnerabilities that were actively exploited in the wild. This chain consists in 3 vulnerabilities: a userland RCE in FontParser as well as a memory leak and a type confusion in the kernel. In this blogpost, we will describe how we identified and exploited the kernel memory leak.

DJI Pilot Android Application Security Analysis

mar 04/08/2020 - 12:35
On 23/07/2020, we published a study of the DJI GO4 application. This application, allowing to control a drone, is dedicated to the consumer grade aircraft segment. We also studied DJI Pilot, the application dedicated to professionals and companies, in order to assess its security and look at the difference between the two apps. We found similar issues to those listed in our previous blogpost in this application, such as a forced update mechanism.