Publications

LightSpeed, a race for an iOS/MacOS sandbox escape!

29/10/2018 iOS 12 was released a few weeks ago and fixed a kernel vulnerability we discovered that can be used to escape the sandbox. This blogpost gives the technical write-up of the vulnerability.

ColdFusion CFMX_COMPAT lolcryption

09/10/2018 A recent pentest involving ColdFusion led us to discover the fabulous and infamous encryption algorithm CFMX_COMPAT.

iOS12 Kernelcache Laundering

01/10/2018 iOS 12 has been released for a few weeks now. New major iOS versions often mean new kernelcache and dyld_shared_cache file formats. iOS12 is no exception to the rule and comes with an other surprise: Pointer Authentication Code (PAC) for the new A12 chip. This blogpost shows you how to deal with both by enhancing IDA. IDA 7.2 beta future release might add PAC and iOS12 kernelcache support but it will only be released in a few weeks and we think it will always be interesting to illustrate how to do it by ourselves. ...

Hunting mobile devices endpoints - the RF and the Hard way

13/09/2018 This article is about getting information from IoT devices that use the mobile network to exchange data and commands. Two Different techniques will be introduced to achieve this goal : the RF and Hardware ways.

2018 Summer Challenge Writeup

15/08/2018 An old school RE challenge was published on August 07th and has been solved by several people. This blog post provides a detailed solution on how to solve this challenge followed by the winner write-up.

2018 summer challenge: MetroCross

15/08/2018 Getting bored at the beach this summer? We have a small & old-school challenge for you!

Practical DMA attack on Windows 10

30/05/2018 Among the various security assessments performed by Synacktiv, some involve attacking the security hardening of a laptop or workstation master image that will be massively deployed in an infrastructure. The purpose of this kind of security assessment is to give the client an overview of its level of maturity regarding security concerns and provide him with some recommendations in order to increase his level of security. This post describes how Synacktiv defeated a workstation security measures by using a hardware appro...

Breaking namespace isolation with PF_RING before 7.0.0

21/05/2018 Linux hardening and proper isolation using containerization can be tricky especially when performance is critical. We recently helped a client to design a secure network appliance that involve sniffing network traffic. This device has high security and performance constraints. This post is a feedback on the unlikely integration of fast sniffers with linux containers.

netdata apps.plugin security fixes

19/04/2018 Synacktiv met netdata in the wild in the last few months. This blog post aims at telling the story of a vulnerability which was first forgotten 1 year ago and then partially fixed. On a standard setup, the vulnerability can be exploited by gid netdata to read arbitrary files owned by root. On a weak setup (as seen in the wild by Synacktiv), the vulnerability can be exploited by all users.

HP iLO talk at Recon Brx 2018

07/02/2018 Since we presented our vulnerability in HP Integrated Lights-Out (iLO) 4 to Recon Brussels, we are now releasing the slides and tools that were developed during our study.