Publications

How to exploit Liferay CVE-2020-7961 : quick journey to PoC

lun 30/03/2020 - 16:48
Pentest
Liferay is one of the most known CMS written in Java that we encounter sometimes during assessment. Last week, we stumbled on the blog post from Code White Security entitled "Liferay Portal JSON Web Service RCE Vulnerabilities" describing an interesting issue. Unfortunately, there is no PoC associated with it, but as we love RCEs at Synacktiv, this is a good opportunity to learn something.

Pentesting Cisco SD-WAN Part 1: Attacking vManage

mer 25/03/2020 - 16:13
Pentest
In late 2019, a customer asked Synacktiv to perform a security assessment in a few days of their SD-WAN project based on the Cisco SD-WAN solution. During this engagement, we actually found a few interesting vulnerabilities in different components. For this first article, we will focus on the vManage component which was recently patched to address the following vulnerabilities: CVE-2019-16012: vManage Cypher Injection CVE-2019-16010: vManage Stored XSS

I'm SMBGhost, daba dee daba da

jeu 12/03/2020 - 17:19
Exploit
Reverse-engineering
This blogpost was created due to a mistake from Microsoft, releasing publicly an advance warning for CVE-2020-0796. CVE-2020-0796, also nicknamed "SMBGhost" or "Coronablue" is a vulnerability impacting SMBv3.1.1 servers and clients and currently has no fix (12/03/2020).

Binder - Analysis and exploitation of CVE-2020-0041

mar 03/03/2020 - 17:02
Exploit
In December 2019, a new Binder commit was pushed in the Linux kernel. This patch fixes the calculation of an index used to process specific types of objects in a Binder transaction. This article studies the implication of the corrected issue, why it's a security bug and how to take advantage of it.

Azure DevOps Build Agent analysis

mar 28/01/2020 - 16:55
Pentest
Azure DevOps is becoming more and more used by customers as Microsoft pushes them to replace their on-premises VSTS Server with the cloud version, Azure DevOps. So what can we do if we compromise a build agent? Or even a basic developer account? This article aims at explaining how this whole build jobs works and what it can be (ab)used for.

Through the SMM-class and a vulnerability found there.

mar 14/01/2020 - 16:52
Exploit
In this blog post, a vulnerability in the code for the System Management Mode (SMM) in some Lenovo ThinkPad will be described. The vulnerability is a callout of SMRAM which allows to elevate privilege from kernel to SMM. This article explains the step-by-step exploitation of the vulnerability including the mapping of the code in SMM through the usage of the SMM save state area.

Advent ctf 2019 overthewire - day2 writeup

dim 05/01/2020 - 12:12
Challenges
The advent ctf organized by overthewire proposed various challenges that would unlock on a daily basis (like an advent calendar). I found day number 2 (made by hpmv) quite challenging and super fun to solve! It involved crypto, network and rev in a blackbox environment. The full source code used to solve this challenge is available here https://github.com/majin42/adventctf_otw_day2

FIC2020 prequals CTF write-up

jeu 19/12/2019 - 11:30
Challenges
We took part to FIC2020's prequals CTF, organized by the French team Hexpresso with a team made of @dzeta, @laxa, @swapgs and @us3r777. We managed to finish second, so here is our writeup!

Pwning an outdated Kibana with not so sad vulnerabilities

jeu 12/12/2019 - 08:09
Pentest
During a recent engagement, we came across an old outdated instance of the Kibana software. It was affected by two severe public vulnerabilities (CVE-2018-17246 and CVE-2019-7609). However, in the context, none of them was readily exploitable. In this article, we describe how we managed to takeover the software all the same, with a new exploitation technique. Don't expect any 0-dayz dropping in the following, only a new way to exploit two already known issues.

Binder Secctx Patch Analysis

ven 11/10/2019 - 15:22
Système
In the beginning of 2019, a new feature was added in the Binder kernel module. This patch allows to send the caller SElinux context in a Binder transaction. This feature was in fact a fix for CVE-2019-2023. This vulnerability is related to an unsafe use of the getpidcon function, leading to ACL bypass. This article studies details of this patch and its impact on security.