03/03/2020In December 2019, a new Binder commit was pushed in the Linux kernel. This patch fixes the calculation of an index used to process specific types of objects in a Binder transaction. This article studies the implication of the corrected issue, why it's a security bug and how to take advantage of it.
28/01/2020Azure DevOps is becoming more and more used by customers as Microsoft pushes them to replace their on-premises VSTS Server with the cloud version, Azure DevOps. So what can we do if we compromise a build agent? Or even a basic developer account? This article aims at explaining how this whole build jobs works and what it can be (ab)used for.
14/01/2020In this blog post, a vulnerability in the code for the System Management Mode (SMM) in some Lenovo ThinkPad will be described. The vulnerability is a callout of SMRAM which allows to elevate privilege from kernel to SMM. This article explains the step-by-step exploitation of the vulnerability including the mapping of the code in SMM through the usage of the SMM save state area.
05/01/2020The advent ctf organized by overthewire proposed various challenges that would unlock on a daily basis (like an advent calendar). I found day number 2 (made by hpmv) quite challenging and super fun to solve! It involved crypto, network and rev in a blackbox environment. The full source code used to solve this challenge is available here https://github.com/majin42/adventctf_otw_day2
19/12/2019We took part to FIC2020's prequals CTF, organized by the French team Hexpresso with a team made of @dzeta, @laxa, @swapgs and @us3r777. We managed to finish second, so here is our writeup!
12/12/2019During a recent engagement, we came across an old outdated instance of the Kibana software. It was affected by two severe public vulnerabilities (CVE-2018-17246 and CVE-2019-7609). However, in the context, none of them was readily exploitable. In this article, we describe how we managed to takeover the software all the same, with a new exploitation technique. Don't expect any 0-dayz dropping in the following, only a new way to exploit two already known issues.
11/10/2019In the beginning of 2019, a new feature was added in the Binder kernel module. This patch allows to send the caller SElinux context in a Binder transaction. This feature was in fact a fix for CVE-2019-2023. This vulnerability is related to an unsafe use of the getpidcon function, leading to ACL bypass. This article studies details of this patch and its impact on security.
08/10/2019Recently, Qualys published an advisory about a severe vulnerability impacting Exim MTA: CVE-2019-15846. In their report, they even claim that they do have a PoC granting a remote attacker root privileges. The report was followed by instant alarmist articles: "Millions of Exim servers vulnerable to ..."
17/09/2019On September 7th, 2019, BFS published an exploitation challenge on Windows 10 x64 to win an entry for the BFS-IOACTIVE party during the Ekoparty conference. This blogpost aims at describing a successful resolution of the challenge.
30/08/2019When conducting internal intrusion tests, one can find interesting to access the phones used by a client, as they are often connected to an internal network and can provide some kind of persistent access. This article presents the research done for getting a good grasp on the firmware of Yealink VoIP phones, which enables us to analyze further the underlying system.