Wed 26/08/2020 - 09:12
Have you ever compromised a Cisco ISE with CVE-2017-5638? But what could you do next? Access to the network is already valuable, but the appliance can actually give you more. After a little digging, we found that guest passwords were stored in plaintext or encrypted (configuration dependent). This article explains how to extract the encrypted passwords and the encryption key, and why it matters.
Tue 04/08/2020 - 12:35
On 23/07/2020, we published a study of the DJI GO 4 application. This application, used to control a drone, is dedicated to the consumer-grade aircraft segment. We also studied DJI Pilot, the application dedicated to professionals and companies, in order to assess its security and look at the differences between the two apps. We found issues in this application similar to those listed in our previous blog post, such as a forced update mechanism.
Tue 28/07/2020 - 14:36
Last year ZDI announced a new entry in its yearly contest "Pwn2Own". After the Vancouver edition focused on desktop software and Tokyo specialized in smartphones, there is now a third location in Miami dedicated to industrial software, also known as ICS or SCADA.
Thu 23/07/2020 - 16:41
Drones are currently one of the most dynamic products, with multiple use cases across sectors such as personal and commercial videography, farming and land surveying, law enforcement and national security, and more. One of the market leaders, China-based Da-Jiang Innovations (DJI), is often in the news for suspected cybersecurity and data privacy issues. While there are technical reports sponsored by DJI stating that their associated mobile application, DJI GO 4, is harmless and does not send any personal information b...
Mon 08/06/2020 - 09:39
In this blog post the goal is to explain how I started looking at the Lenovo password. We will start by looking at how the reverse engineering was begun and at the different kinds of passwords in the firmware, before having a more in-depth look at two of them: the Power-On Password and the BIOS passwords. No vulnerability has been identified (yet) in the management of those passwords, but without further ado, let's get started.
Wed 03/06/2020 - 12:48
Last week we published about the reintroduction of a kernel vulnerability in iOS 13. Here is the follow-up with the analysis of the fix.
Fri 29/05/2020 - 17:38
Last weekend a new version of the iOS jailbreak unc0ver was released with support for the latest iOS 13.5. Since iOS 8 in 2014, this is the first jailbreak using a 0-day vulnerability, a vulnerability still unknown to Apple at the time of the release, to break iPhone security measures. To keep this vulnerability secret, the jailbreak is heavily obfuscated and protected against dynamic inspection. However, since this vulnerability is not exactly new to us and since the cat is out of the bag, now seems a good tim...
Thu 14/05/2020 - 09:50
We wrote a new tool that automates the creation of efficient mutation rules for password crackers such as John the Ripper or hashcat. This post describes the high-level ideas behind this tool, along with some history. If you just want to use it, check our GitHub repo!
Tue 12/05/2020 - 12:40
This weekend the Sharky CTF was held, organized by students of ENSIBS. A series of 7 forensic challenges concerning the same machine memory dump was proposed. They make a great introduction to memory forensics on Linux, from the creation of a specific Volatility profile to the reverse engineering of a rootkit installed on the machine. Sit tight, here is the write-up!
Thu 07/05/2020 - 16:18
In this second article, we will focus on the vEdge components, which are basically routers (physical or virtual). A patch was recently published for a vulnerability we found: Cisco IOS XE SD-WAN Software Command Injection Vulnerability (CVE-2019-16011).