Pcapan: a PCAP analysis helper

This post showcases a small but very useful tool that can be used to classify expected and suspicious traffic in a network capture file, and, more importantly, what the process is for writing such a tool.

How to voltage fault injection

During physical security assessments of IoT devices, one of the goals is to take advantage of debug interfaces or accessible chips to study how the devices work. An ideal scenario is the extraction of the full file system to find a way to gain root access to the device. Then, it is easier to check what services are running, debug them if needed, to finally take control of the target. At the beginning of an audit, it is common to encounter protections on the debug interfaces that forbid access to its full functionalities, or on the boo...

Finding a POP chain on a common Symfony bundle : part 2

The Symfony doctrine/doctrine-bundle package is one of the most common bundles installed along Symfony applications. At the time we are releasing this blogpost, it has been downloaded 144 million times, making it an interesting target for unserialize exploitation. If you want to improve your knowledge about PHP unserialize exploitation and see why weak typed languages are considered less secure, this blogpost is for you. The second part of this article will be focused on building a valid POP chain based on the code already analyzed i...

EVM unravelled: recovering ABI from bytecode

The year-over-year growth in the use of decentralized applications and smart contracts brings an increasing prominence of security audits in this domain. Such audits are vital in maintaining the robustness and trustworthiness of platforms built on blockchain technologies like the Ethereum Virtual Machine (EVM). In a full black-box assessment—a methodology where the auditor has no knowledge of the system's inner workings—smart contracts can often appear more opaque compared to traditional centralized applications. This article delves ...

Behind the Shield: Unmasking Scudo's Defenses

When writing an exploit for a memory corruption vulnerability, knowing the heap allocator internals is often required to shape the heap as desired. Following our previous blogpost focusing on jemalloc (new), this article will dive into another one of Android libc allocators: Scudo.

Legitimate exfiltration tools : summary and detection for incident response and threat hunting

Legitimate data transfer tools are more and more used by threat actors. During our incident response engagements, we often see the use of several administration tools, including tools for transferring data to SFTP servers or directly to the cloud. These are widely used by attackers as means of exfiltration. The issue of exfiltrated data is one of the most important and hardest topic in the case of ransomware incidents. As the subject has already been widely covered, the aim of this article is to centralize the traces left by most com...

Presentation of the Pentest Team

Are you a potential applicant wishing to know more about Synacktiv's pentest team before actually applying? Or someone considering relying on Synacktiv to perform a security assessment and wondering whether we can handle your project? Or just someone curious and eager to know more? In any case, this blogpost will hopefully enlighten you about key aspects of what we do and how we work.