mar 09/03/2021 - 16:58Twice a year, ZDI organizes a computer hacking contest called Pwn2Own. It challenges security experts to exploit widely used hardware and software. In November 2020, the contest was held in Vancouver and on-line. We already published an article on our success on TP-Link AC1750 Smart Wifi Router, but this wasn't the only device we focused on. This article presents the first step of our vulnerability research on the Sonos One Gen 2 smart speaker. Sonos speakers use encrypted firmware so the first thing to do for ...
ven 05/03/2021 - 11:46Synacktiv had a chance to perform a security assessment during a couple of weeks on a SD-LAN project based on the Cisco ACI solution. The following article is a brief explanation of some of the internal mechanisms of auto-discovery and initialization of the Cisco ACI and the weaknesses identified during the security assessment including CVE-2021-1228 and CVE-2021-1231.
mar 02/03/2021 - 09:22In February 2021 Samsung made some changes in one of its low level drivers : the Digital Signal Processor (DSP) Linux driver. They removed one interesting feature : the ability for untrusted apps to load a custom DSP firmware of their choice. The driver is present on Galaxy S20 and Galaxy S21 Exynos based phones (and probably on Galaxy Note 20 too). This article presents how to use this feature to boot the DSP on a custom firmware, and how to use this custom firmware along with bugs in the DSP driver to gain ker...
lun 01/03/2021 - 18:31A team of Synacktiv security experts participated to the last edition of Pwn2Own by submitting a LAN-side exploit against the TP-Link AC1750. This blogpost aims to describe the process of discovery and exploitation of this vulnerability, including the presentation of exploitation code.
mar 16/02/2021 - 16:41In the world of logic vulnerabilities, there is an interesting subclass which is confusing API designs. Usually in this subclass the vulnerability does not lie in how the API is implemented but how it's used by a third party, which makes it particularly difficult to fix once and for all for everyone. In this blogpost, we will see an example regarding gpgme which was revealed in July 2020 and how easy it is to find a vulnerable downstream codebase using a simple variant analysis.
jeu 11/02/2021 - 14:30Exploiting CVE-2021-25770, a Server-Side Template Injection that leads to remote code execution using a known Freemarker sandbox escape.
mer 10/02/2021 - 00:14Two weeks ago, CVE-2021-1782 was fixed by Apple. If the patch for this kernel vulnerability is simple, a way to exploit the bug was still to be discovered. This blog post aims to explain how an exploit is possible while providing a PoC.
mer 23/12/2020 - 08:09In this article we share technical details on how Kraqozorus automatically generates password cracking strategies that improve both the number of cracked hashes and time required to run the attacks.
jeu 17/12/2020 - 08:54Typo3 is an open source CMS we have recently encountered during one of our missions. We successfully exploited a configuration leak on this CMS to gain remote code execution on this application. This article describes the different steps to go from unauthenticated user to unsafe object deserialization and gain code execution.
mar 15/12/2020 - 13:25Lumina is a built-in function recognition feature of the well-known IDA pro disassembler that relies on an online signature database. Unfortunately, the database server is not available for local private use. Have you ever raged at a misstyped hotkey that sent your database content to the Lumina servers, wondered how it works, what kind of data is sent, and wished for a local server under your control? This blog post might answer some of your questions.