Publications

Exploitation of a double free vulnerability in Ubuntu shiftfs driver (CVE-2021-3492)

13/07/2021 This year again, the international contest Pwn2Own Vancouver took place in the beginning of April. Among the different categories, two major operating systems were suggested for the Local Escalation of Privilege category (LPE): Linux (Ubuntu) and Windows 10. This article describes how a Ubuntu kernel vulnerability was found and exploited during this contest allowing to gain root access from an unprivileged user.

Playing with ImageTragick like it's 2016

28/05/2021 You probably already have encountered document converting features that deal with ImageMagick during engagements but for some reason you were not able to exploit them. This article will mention some techniques that could be used when an older version of ImageMagick is targeted. Spoiler alert: this is not new.

An Interesting Feature in the Samsung DSP Driver

02/03/2021 In February 2021 Samsung made some changes in one of its low level drivers : the Digital Signal Processor (DSP) Linux driver. They removed one interesting feature : the ability for untrusted apps to load a custom DSP firmware of their choice. The driver is present on Galaxy S20 and Galaxy S21 Exynos based phones (and probably on Galaxy Note 20 too). This article presents how to use this feature to boot the DSP on a custom firmware, and how to use this custom firmware along with bugs in the DSP driver to gain ker...

Pwn2Own Tokyo 2020: Defeating the TP-Link AC1750

01/03/2021 A team of Synacktiv security experts participated to the last edition of Pwn2Own by submitting a LAN-side exploit against the TP-Link AC1750. This blogpost aims to describe the process of discovery and exploitation of this vulnerability, including the presentation of exploitation code.

Exploiting CVE-2021-25770: A Server-Side Template Injection in YouTrack

11/02/2021 Exploiting CVE-2021-25770, a Server-Side Template Injection that leads to remote code execution using a known Freemarker sandbox escape.

Analysis and exploitation of the iOS kernel vulnerability CVE-2021-1782

10/02/2021 Two weeks ago, CVE-2021-1782 was fixed by Apple. If the patch for this kernel vulnerability is simple, a way to exploit the bug was still to be discovered. This blog post aims to explain how an exploit is possible while providing a PoC.

This is for the Pwners: Exploiting a WebKit 0-day in PlayStation 4

10/12/2020 Despite an active console hacking community, only few public PlayStation 4 exploits have been released. In this post, we will give a walk-through on the exploitation of a 0-day WebKit vulnerability on 6.xx firmware.

iOS 1-day hunting: uncovering and exploiting CVE-2020-27950 kernel memory leak

01/12/2020 Back in the beginning of November, Project Zero announced that Apple has patched a full chain of vulnerabilities that were actively exploited in the wild. This chain consists in 3 vulnerabilities: a userland RCE in FontParser as well as a memory leak and a type confusion in the kernel. In this blogpost, we will describe how we identified and exploited the kernel memory leak.

Treasure Chest Party Quest: From DOOM to exploit

25/11/2020 In this blogpost, we will find what happens when two security researchers find a random printer and then manage to find vulnerabilities in it.

Bypassing Naxsi filtering engine

05/11/2020 In order to better protect its users, NBS System has asked Synacktiv to perform a source code review of Naxsi, a famous open source Web Application Firewall (WAF). During this audit, Synacktiv discovered several vulnerabilities that could allow bypassing the application of the filtering rules. This short blog post will present the most critical vulnerabilities and how they were fixed by NBS System. The fixes have been published on version 1.1a quickly after they were reported: https://github.com/nbs-system/naxsi/releas...