Publications

Exploiting a Blind Format String Vulnerability in Modern Binaries: A Case Study from Pwn2Own Ireland 2024

30/10/2024
Exploit
Reverse-engineering
In October 2024, during the Pwn2Own event in Cork, Ireland, hackers attempted to exploit various hardware devices such as printers, routers, smartphones, home automation systems, NAS devices, security cameras, and more. This blog post highlights a challenging vulnerability that was patched just before the competition. Although it was fixed in time, it deserved more attention than simply being discarded.

Forensic analysis of bitwarden self-hosted server

14/10/2024
CSIRT
Bitwarden is a popular password managing software. Being open-source, it offers self-hosting capabilities with ease of use in a controlled office or home environment. Attackers might prioritize targeting this application given the secrets it usually stores. In this article, we will deep dive into the internals of Bitwarden, how it stores encrypted data, and what information is available to whomever controls the server.

Quantum readiness: Lattice-based PQC

11/10/2024
Cryptography
This is the third article in the "Quantum readiness" series. This article aims at giving a rough introduction to lattices in the context of cryptography. It follows the first article, "Quantum readiness: Introduction to Modern Cryptography", and the second article, "Quantum readiness: Hash-based signatures". Knowledge of the concepts introduced in those articles such as indistinguishability games and hash functions, as well as standard knowledge of linear algebra, is strongly recommended. If you are unfamiliar with linear algebra, ...

Fuzzing confused dependencies with Depfuzzer

25/09/2024
Tools
In the landscape of software development, leveraging open-source libraries and packages through registries like NPM, PyPI, Go modules, and Crates for Rust has become standard practice. This approach facilitates the rapid integration of diverse functionalities into applications, driving both innovation and efficiency across the development community. While the benefits of using these resources are clear, the management of external dependencies introduces a set of considerations regarding security and maintainability. Inspired by Alex ...

Defend against vampires with 10 gbps network encryption

13/09/2024
Network
Cryptography
Pentest
Systems
Discover how attackers can sniff your data on network cables and how you can defend against it, by encrypting on-the-fly all your ethernet traffic with very good performance. Keywords : wireguard, vxlan, tapping, fiber optics, lan2lan, macsec

Using Veeam metadata for efficient extraction of Backup artefacts (2/3)

30/08/2024
CSIRT
In a previous blogpost, we explored Veeam Backup & Replication's "backup chain metadata" files and how to parse them in a comprehensive Velociraptor artifact. In this article, we complement our findings with metadata embedded directly in VBR's Storage files. Then, we create a Velociraptor pipeline to remotely access relevant forensic artefacts in backed up data. This aims to enable DFIR analysts to extend the time horizon in their investigations using Veeam backups and Velociraptor, while minimizing network bandwidth usage and extensi...

Quantum readiness: Hash-based signatures

26/08/2024
Cryptography
Building robust digital signature algorithms is one of the main challenges in post-quantum cryptography, as classical signatures such as ECDSA and RSA are broken by quantum computers. Thankfully, in the past decades, the academic field has come up with multiple quantum-resistant algorithms which are now being standardized and implemented in modern software. This article highlights XMSS and SPHINCS+, two digital signature algorithms which rely on the well-known robustness of hash functions against quantum computers. However, each one c...

LAPSUS$ is dead, long live HexaLocker?

18/08/2024
CSIRT
The LAPSUS$ threat group has been known since 2021 for spear phishing, data theft, and extortion against large companies (e.g., Microsoft, Nvidia, Uber). Although evidence of destruction methods was reported, there was no known use of ransomware. In June 2024, LAPSUS$ announced its closure. However, two months later, a new ransomware called HexaLocker was advertised on Telegram channels. Its "only real" admin and probable developer is ZZART3XX, one of the LAPSUS$ administrators. This article will dissect the HexaLocker ransomware samp...

SCCMSecrets.py: exploiting SCCM policies distribution for credentials harvesting, initial access and lateral movement

14/08/2024
Pentest
SCCM policies are a prime target for attackers in Active Directory environments as they may expose – intentionally or otherwise – sensitive technical information such as account credentials. Said credentials could be retrieved by authenticated attackers impersonating a registered device, or in some cases from an unauthenticated position by exploiting misconfigurations on policies distribution. SCCMSecrets.py is a python utility that builds upon existing SCCM research. It goes beyond NAA credentials extraction, and aims to provide...

GitHub Actions exploitation: Dependabot

06/08/2024
Pentest
Following our GitHub action exploitation series, we found a new GitHub action exploitation technique leveraging the Dependabot GitHub app to compromise some repositories, leading to arbitrary code push. In this article we will explain how we discovered it and illustrate with 2 real world examples which are the Spring-security and trpc projects.