Publications

Frinet: reverse-engineering made easier

18/12/2023
Tools
Reverse-engineering
By combining Frida with an enhanced version of Tenet, Frinet facilitates the study of large programs, vulnerability research and root-cause analysis on iOS, Android, Linux, Windows, and most architectures.

WordPress for Security Audit

15/12/2023
Pentest
WordPress is a major player in the CMS market, powering around 40% of websites today. This widespread adoption has made it an attractive target for security research, as the security of millions of websites depends on it. In this article, we study its core architecture in detail: project structure, authorization mechanisms, hooks, routing system, APIs and plugins.

Using ntdissector to extract secrets from ADAM NTDS files

06/12/2023
Tools
Pentest
During the development of ntdissector, we stumbled upon an AD Lightweight Directory Services (AD LDS) instance used by an internal application of a customer to store data. Just like AD DS, AD LDS stores its data inside a dit file: adamntds.dit. However, all known tools failed to parse this file, even though it looks a lot like an NTDS.dit file. In our research, we eventually found a cached copy of an article that already explained many of the differences from a standard NTDS.dit file. Unfortunately, the associated code was no longer available on GitHub. This ...

Pcapan: a PCAP analysis helper

22/11/2023
Tools
Reverse-engineering
This post showcases a small but very useful tool that classifies expected and suspicious traffic in a network capture file and, more importantly, walks through the process of writing such a tool.

How to voltage fault injection

21/11/2023
Hardware
During physical security assessments of IoT devices, one of the goals is to take advantage of debug interfaces or accessible chips to study how the devices work. An ideal scenario is the extraction of the full file system, which can then be searched for a way to gain root access to the device. From there, it is easier to check which services are running, debug them if needed, and finally take control of the target. At the beginning of an audit, it is common to encounter protections on the debug interfaces that prevent access to their full functionality, or on the boo...

systemd hardening made easy with SHH

07/11/2023
Development
Tools
Systems
Introducing SHH, Systemd Hardening Helper, a tool written in Rust that automatically builds a set of systemd hardening options for a service by profiling that service at runtime.

Finding a POP chain on a common Symfony bundle: part 2

11/10/2023
Pentest
The Symfony doctrine/doctrine-bundle package is one of the most common bundles installed alongside Symfony applications. At the time of releasing this blogpost, it has been downloaded 144 million times, making it an interesting target for unserialize exploitation. If you want to improve your knowledge of PHP unserialize exploitation and see why weakly typed languages are considered less secure, this blogpost is for you. This second part of the article focuses on building a valid POP chain based on the code already analyzed ...

EVM unravelled: recovering ABI from bytecode

10/10/2023
Pentest
The year-over-year growth in the use of decentralized applications and smart contracts has made security audits in this domain increasingly prominent. Such audits are vital in maintaining the robustness and trustworthiness of platforms built on blockchain technologies like the Ethereum Virtual Machine (EVM). In a full black-box assessment, a methodology where the auditor has no knowledge of the system's inner workings, smart contracts can often appear more opaque than traditional centralized applications. This article del...

Behind the Shield: Unmasking Scudo's Defenses

05/10/2023
Exploit
Reverse-engineering
When writing an exploit for a memory corruption vulnerability, knowing the heap allocator internals is often required to shape the heap as desired. Following our previous blogpost focusing on jemalloc (new), this article dives into another of the Android libc allocators: Scudo.