Publications

I'm SMBGhost, daba dee daba da

12/03/2020 This blogpost was created due to a mistake from Microsoft, releasing publicly an advance warning for CVE-2020-0796. CVE-2020-0796, also nicknamed "SMBGhost" or "Coronablue" is a vulnerability impacting SMBv3.1.1 servers and clients and currently has no fix (12/03/2020).

Binder - Analysis and exploitation of CVE-2020-0041

03/03/2020 In December 2019, a new Binder commit was pushed in the Linux kernel. This patch fixes the calculation of an index used to process specific types of objects in a Binder transaction. This article studies the implication of the corrected issue, why it's a security bug and how to take advantage of it.

Azure DevOps Build Agent analysis

28/01/2020 Azure DevOps is becoming more and more used by customers as Microsoft pushes them to replace their on-premises VSTS Server with the cloud version, Azure DevOps. So what can we do if we compromise a build agent? Or even a basic developer account? This article aims at explaining how this whole build jobs works and what it can be (ab)used for.

Through the SMM-class and a vulnerability found there.

14/01/2020 In this blog post, a vulnerability in the code for the System Management Mode (SMM) in some Lenovo ThinkPad will be described. The vulnerability is a callout of SMRAM which allows to elevate privilege from kernel to SMM. This article explains the step-by-step exploitation of the vulnerability including the mapping of the code in SMM through the usage of the SMM save state area.

Advent ctf 2019 overthewire - day2 writeup

05/01/2020 The advent ctf organized by overthewire proposed various challenges that would unlock on a daily basis (like an advent calendar). I found day number 2 (made by hpmv) quite challenging and super fun to solve! It involved crypto, network and rev in a blackbox environment. The full source code used to solve this challenge is available here https://github.com/majin42/adventctf_otw_day2

FIC2020 prequals CTF write-up

19/12/2019 We took part to FIC2020's prequals CTF, organized by the French team Hexpresso with a team made of @dzeta, @laxa, @swapgs and @us3r777. We managed to finish second, so here is our writeup!

Pwning an outdated Kibana with not so sad vulnerabilities

12/12/2019 During a recent engagement, we came across an old outdated instance of the Kibana software. It was affected by two severe public vulnerabilities (CVE-2018-17246 and CVE-2019-7609). However, in the context, none of them was readily exploitable. In this article, we describe how we managed to takeover the software all the same, with a new exploitation technique. Don't expect any 0-dayz dropping in the following, only a new way to exploit two already known issues.

Binder Secctx Patch Analysis

11/10/2019 In the beginning of 2019, a new feature was added in the Binder kernel module. This patch allows to send the caller SElinux context in a Binder transaction. This feature was in fact a fix for CVE-2019-2023. This vulnerability is related to an unsafe use of the getpidcon function, leading to ACL bypass. This article studies details of this patch and its impact on security.

Scraps of Notes on Exploiting Exim Vulnerabilities

08/10/2019 Recently, Qualys published an advisory about a severe vulnerability impacting Exim MTA: CVE-2019-15846. In their report, they even claim that they do have a PoC granting a remote attacker root privileges. The report was followed by instant alarmist articles: "Millions of Exim servers vulnerable to ..."

BFS 2019 Exploitation Challenge

17/09/2019 On September 7th, 2019, BFS published an exploitation challenge on Windows 10 x64 to win an entry for the BFS-IOACTIVE party during the Ekoparty conference. This blogpost aims at describing a successful resolution of the challenge.