Publications

Bypassing Naxsi filtering engine

05/11/2020 In order to better protect its users, NBS System has asked Synacktiv to perform a source code review of Naxsi, a famous open source Web Application Firewall (WAF). During this audit, Synacktiv discovered several vulnerabilities that could allow bypassing the application of the filtering rules. This short blog post will present the most critical vulnerabilities and how they were fixed by NBS System. The fixes have been published on version 1.1a quickly after they were reported: https://github.com/nbs-system/naxsi/releas...

Ubuntu ppp's CVE-2020-15704 wrap-up

03/09/2020 As you may already know, we collaborated with Zero Day Initiative to disclose a vulnerability in Ubuntu's ppp package. This vulnerability has been assigned the identifiers ZDI-CAN-11504 / CVE-2020-15704.

Izi Izi, Pwn2Own ICS Miami

28/07/2020 ZDI announced last year a new entry in it's yearly contest "Pwn2Own". After the Vancouver edition focused on Desktop software and Tokyo specialized in smartphones, there is now a third location in Miami dedicated to industrial software also known as ICS or SCADA.

The fix for CVE-2020-9859 and the lightspeed vulnerability

03/06/2020 Last week we published about the reintroduction of a kernel vulnerability in iOS 13. Here is the follow-up with the analysis of the fix.

Return of the iOS sandbox escape: lightspeed's back in the race!!

29/05/2020 Last week-end a new version of the iOS jailbreak unc0ver1 was released with the support of the latest iOS 13.5. Since iOS 8 in 2014, this is the first jailbreak using a 0-day vulnerability, a vulnerability still unknown to Apple at the time of the release, to break iPhone security measures. To keep this vulnerability secret, the jailbreak is heavily obfuscated and protected against dynamic inspection. However, since this vulnerability is not exactly new to us and since the cat is out of the bag, now seems a good tim...

Memory leak and Use After Free in Squid

04/05/2020 A few months ago, Synacktiv teams performed a security assessment on the open source project Squid. This blog post describes a few vulnerabilities that were found during this audit.

I'm SMBGhost, daba dee daba da

12/03/2020 This blogpost was created due to a mistake from Microsoft, releasing publicly an advance warning for CVE-2020-0796. CVE-2020-0796, also nicknamed "SMBGhost" or "Coronablue" is a vulnerability impacting SMBv3.1.1 servers and clients and currently has no fix (12/03/2020).

Binder - Analysis and exploitation of CVE-2020-0041

03/03/2020 In December 2019, a new Binder commit was pushed in the Linux kernel. This patch fixes the calculation of an index used to process specific types of objects in a Binder transaction. This article studies the implication of the corrected issue, why it's a security bug and how to take advantage of it.

Through the SMM-class and a vulnerability found there.

14/01/2020 In this blog post, a vulnerability in the code for the System Management Mode (SMM) in some Lenovo ThinkPad will be described. The vulnerability is a callout of SMRAM which allows to elevate privilege from kernel to SMM. This article explains the step-by-step exploitation of the vulnerability including the mapping of the code in SMM through the usage of the SMM save state area.

Scraps of Notes on Exploiting Exim Vulnerabilities

08/10/2019 Recently, Qualys published an advisory about a severe vulnerability impacting Exim MTA: CVE-2019-15846. In their report, they even claim that they do have a PoC granting a remote attacker root privileges. The report was followed by instant alarmist articles: "Millions of Exim servers vulnerable to ..."