Legitimate RATs: a comprehensive forensic analysis of the usual suspects

jeu 20/10/2022 - 13:37
Legitimate remote access tools are more and more part of threat actors toolbox: in order to gain remote access on targets, keep persistence, deploy malicious payload as well as leveraging trusted connections between an IT provider and its customers. Therefore, detection and incident response teams must have a good grasp on traces left by those tools on the system. In this context, this article aims to collect host forensic evidence of four famous legitimate remote access tools.

PHP filters chain: What is it and how to use it

mar 18/10/2022 - 15:43
Searching for new gadget chains to exploit deserialization vulnerabilities can be tedious. In this article we will explain how to combine a recently discovered technique called PHP filters [LOKNOP-GIST], to transform file inclusion primitives in PHP applications to remote code execution. To support our explanations we will rely on a Laravel file inclusion gadget chains that was discovered during this research.

Persistent PHP payloads in PNGs: How to inject PHP code in an image – and keep it there !

lun 10/10/2022 - 17:00
During the assessment of a PHP application, we recently came across a file upload vulnerability allowing the interpretation of PHP code inserted into valid PNG files. However, the image processing performed by the application forced us to dig deeper into the different techniques available to inject PHP payloads into this particular file format - and to make it persist through image transformations. These investigations allowed us to successfully exploit the vulnerability, and are summarized in this article.

Traces of Windows remote command execution

mar 13/09/2022 - 15:34
A real ninja leaves no traces. However, in the Windows context, a lot of information are disseminated when performing actions and can be leveraged by DFIR analysts. Focusing on remote command execution techniques used by attackers and red-teamers, this article aims to get a collection of artifacts that can collected by analysts.

Exploiting CVE-2022-24816: A code injection in the jt-jiffle extension of GeoServer

ven 12/08/2022 - 17:49
During one of our assessments we came across a server running GeoServer version 2.17.2. This version is outdated and affected by multiple security vulnerabilities. Among those vulnerabilities, one looked more promising than the others: CVE-2022-24816. This vulnerability is a code injection flaw in jt-jiffle that leads to an unauthenticated remote code execution.

CVE-2022-31813: Forwarding addresses is hard

mar 26/07/2022 - 10:00
A few weeks ago, version 2.4.54 of Apache HTTPD server was released. It includes a fix for CVE-2022-31813, a vulnerability we identified in mod_proxy that could affect unsuspecting applications served by an Apache reverse proxy. Let's see why it is rated as low in the software changelog and why it still matters. TL;DR: when in doubt, patch!

CCleaner forensics

lun 20/06/2022 - 15:58
During a ransomware attack, right after the ransomware was launched, we noticed the use of CCleaner as an anti-forensic tool to cover the attacker’s action. The following article aims to explore some key features of this tool from a forensic perspective. We will see how to identify the items that have been deleted and how they could be recovered. We focused on the free desktop version v6.00.9727.

The printer goes brrrrr!!!

mer 25/05/2022 - 10:43
Network printers have been featured for the first time at Pwn2Own competition in Austin 2021. Three popular LaserJet printers were included in the completion: HP, Lexmark and Canon. During the event, we (Synacktiv) managed to compromise all of them allowing us to win the whole competition. In this post, we will focus on how we achieved code execution on the Canon printer.

The reverse-engineering team presentation

mer 13/04/2022 - 18:20
A lot of candidates, or simply fellow reversers, ask us how our team usually works: what kind of technologies are we looking into? What kind of projects? Do we work solo? How do we handle remote? etc. The goal of this blogpost is to share what we can about our internals, so you don't have to reverse us.