Publications

Yet another BEC investigation on M365

22/11/2021
CSIRT
Several materials already describe this type of attack, this document is an operational feedback from the CSIRT Synacktiv on several BEC incidents based on Microsoft 365 service. This is the part one of this publication.

How to exploit CVE-2021-40539 on ManageEngine ADSelfService Plus

04/11/2021
Exploit
Pentest
During a penetration test we encountered the ManageEngine ADSelfService Plus (ADSS) solution. ADSS offers multiple functionalities such as managing password policies for administrators or self password reset/account unlock for Active Directory users. We decided to dig into this solution. However, our research barely started that a wild exploitation on this solution was announced. In this article we will explore the details of several vulnerabilities that allow an unauthenticated attacker to execute arbitrary code on the ...

Finding gadgets like it's 2015: part 2

28/10/2021
We found a new Java gadget chain in the Mojarra library, one of the most used implementation of the JSF specification. It uses a known entry point to start the chain and ends with arbitrary code execution through Java's Expression Language. It was tested on version 2.3 and 3.0 of the Eclipse implementation of the JSF specification.

Car hijacking swapping a single bit

26/10/2021
Hardware
Exploit
Pentest
Used to interact with various ECU (Electronic Control Unit) in a car, the UDS (Unified Diagnostic Services) service is widely deployed by car constructors. This generic high level protocol is used to extract ECUs state, configure them or even update their firmware. When the implementation lacks cryptography support inside an ECU, the security level can decrease dramatically. This short blog post presents an hardware attack leveraging all diagnostic functions to an unauthorized tester.

Finding gadgets like it's 2015: part 1

18/10/2021
Pentest
We found a new Java gadget chain in the Mojarra library, one of the most used implementation of the JSF specification. It uses a known entry point to start the chain and ends with arbitrary code execution through Java's Expression Language. It was tested on versions 2.3 and 3.0 of the Eclipse implementation of the JSF specification.

Is it post quantum time yet?

28/09/2021
Cryptographie
Quantum computing. Among all the fashionable IT buzzwords, this one comes prominently. Quantum computing, or the idea people get of it, feeds a lot of fantasy. This trend is supported by the news that sometimes relay hazy information about a topic they do not fully grasp. Getting a precise view of the state of quantum computing and its implications on security is not easy if you are not familiar with the topic. In this article, we will try to answer this seemingly simple question: is it post quantum time yet?

Your vulnerability is in another OEM!

02/09/2021
Exploit
Reverse-engineering
Among targets for the Pwn2own Tokyo 2020 was 2 NAS, the Synology DiskStation DS418play and Western Digital My Cloud Pro PR4100. We took a look at both, and quickly found out Western Digital PR4100 was vulnerable via its webserver. However, exploitation was not THAT easy (it was not that hard either) and ultimately it did not even mattered since the vulnerability was wiped by a major OS update pushed mere days before the contest. In the end, the vulnerable code we audited might not have even been written by Western D...