Publications

Car hijacking swapping a single bit

26/10/2021 Used to interact with various ECU (Electronic Control Unit) in a car, the UDS (Unified Diagnostic Services) service is widely deployed by car constructors. This generic high level protocol is used to extract ECUs state, configure them or even update their firmware. When the implementation lacks cryptography support inside an ECU, the security level can decrease dramatically. This short blog post presents an hardware attack leveraging all diagnostic functions to an unauthorized tester.

Finding gadgets like it's 2015: part 1

18/10/2021 We found a new Java gadget chain in the Mojarra library, one of the most used implementation of the JSF specification. It uses a known entry point to start the chain and ends with arbitrary code execution through Java's Expression Language. It was tested on versions 2.3 and 3.0 of the Eclipse implementation of the JSF specification.

Cracking Radmin Server 3 passwords

17/09/2021 Reverse-engineering a hashing mechanism and optimizing password cracking

Baking Mojolicious cookies

01/06/2021 Mojolicious is a Perl framework for web development we have recently encountered during one of our missions. Mojolicious handles cookies using a JSON string signed using HMAC-SHA1. The format reminds JWT. This article describes how the cookie signature is done by Mojolicious and how to crack it in order to generated valid cookies.

Playing with ImageTragick like it's 2016

28/05/2021 You probably already have encountered document converting features that deal with ImageMagick during engagements but for some reason you were not able to exploit them. This article will mention some techniques that could be used when an older version of ImageMagick is targeted. Spoiler alert: this is not new.

Kubernetes namespaces isolation - what it is, what it isn't, life, universe and everything

26/03/2021 When speaking about Cloud, containers, orchestration and that kind of things, Kubernetes is the name that comes to mind. We meet it in a lot of situations ranging from microservices implementation to user oriented self service hosting. But developers don't always understand the limits of the system and the mechanisms it implements. In particular, we commonly encounter misunderstanding about namespaces isolation. Time to bring some light in this darkness.

Pentesting Cisco ACI: LLDP mishandling

05/03/2021 Synacktiv had a chance to perform a security assessment during a couple of weeks on a SD-LAN project based on the Cisco ACI solution. The following article is a brief explanation of some of the internal mechanisms of auto-discovery and initialization of the Cisco ACI and the weaknesses identified during the security assessment including CVE-2021-1228 and CVE-2021-1231.

GPGme used confusion, it's super effective !

16/02/2021 In the world of logic vulnerabilities, there is an interesting subclass which is confusing API designs. Usually in this subclass the vulnerability does not lie in how the API is implemented but how it's used by a third party, which makes it particularly difficult to fix once and for all for everyone. In this blogpost, we will see an example regarding gpgme which was revealed in July 2020 and how easy it is to find a vulnerable downstream codebase using a simple variant analysis.

Exploiting CVE-2021-25770: A Server-Side Template Injection in YouTrack

11/02/2021 Exploiting CVE-2021-25770, a Server-Side Template Injection that leads to remote code execution using a known Freemarker sandbox escape.

Typo3: leak to Remote code execution.

17/12/2020 Typo3 is an open source CMS we have recently encountered during one of our missions. We successfully exploited a configuration leak on this CMS to gain remote code execution on this application. This article describes the different steps to go from unauthenticated user to unsafe object deserialization and gain code execution.