Publications

Pentesting Cisco SD-WAN Part 2: Breaking routers

07/05/2020 In this second article, we will focus on the vEdge components which are basically routers (physical or virtual). A patch was recently published for a vulnerability we found: Cisco IOS XE SD-WAN Software Command Injection Vulnerability (CVE-2019-16011)

Memory leak and Use After Free in Squid

04/05/2020 A few months ago, Synacktiv teams performed a security assessment on the open source project Squid. This blog post describes a few vulnerabilities that were found during this audit.

Looting Symfony with EOS

23/04/2020 We wrote a new tool that automatically loots all sensitive information from misconfigured Symfony applications. This post describes the type of data it can loot and how. If you just want to use it, check our Github repo! So let's get started and see what we can grab from the web profiler.

Azure AD introduction for red teamers

20/04/2020 Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access management service. It is more and more used by customers in order to connect their on-premises Active Directory with online services such as Office365, SharePoint, Teams, etc. The aim of this article is to briefly present Azure AD and to explore the different attacking paths this new cloud environment offers to pentesters and red teamers.

How to exploit Liferay CVE-2020-7961 : quick journey to PoC

30/03/2020 Liferay is one of the most known CMS written in Java that we encounter sometimes during assessment. Last week, we stumbled on the blog post from Code White Security entitled "Liferay Portal JSON Web Service RCE Vulnerabilities" describing an interesting issue. Unfortunately, there is no PoC associated with it, but as we love RCEs at Synacktiv, this is a good opportunity to learn something.

Pentesting Cisco SD-WAN Part 1: Attacking vManage

25/03/2020 In late 2019, a customer asked Synacktiv to perform a security assessment in a few days of their SD-WAN project based on the Cisco SD-WAN solution. During this engagement, we actually found a few interesting vulnerabilities in different components. For this first article, we will focus on the vManage component which was recently patched to address the following vulnerabilities: CVE-2019-16012: vManage Cypher Injection CVE-2019-16010: vManage Stored XSS

I'm SMBGhost, daba dee daba da

12/03/2020 This blogpost was created due to a mistake from Microsoft, releasing publicly an advance warning for CVE-2020-0796. CVE-2020-0796, also nicknamed "SMBGhost" or "Coronablue" is a vulnerability impacting SMBv3.1.1 servers and clients and currently has no fix (12/03/2020).

Binder - Analysis and exploitation of CVE-2020-0041

03/03/2020 In December 2019, a new Binder commit was pushed in the Linux kernel. This patch fixes the calculation of an index used to process specific types of objects in a Binder transaction. This article studies the implication of the corrected issue, why it's a security bug and how to take advantage of it.

Azure DevOps Build Agent analysis

28/01/2020 Azure DevOps is becoming more and more used by customers as Microsoft pushes them to replace their on-premises VSTS Server with the cloud version, Azure DevOps. So what can we do if we compromise a build agent? Or even a basic developer account? This article aims at explaining how this whole build jobs works and what it can be (ab)used for.

Through the SMM-class and a vulnerability found there.

14/01/2020 In this blog post, a vulnerability in the code for the System Management Mode (SMM) in some Lenovo ThinkPad will be described. The vulnerability is a callout of SMRAM which allows to elevate privilege from kernel to SMM. This article explains the step-by-step exploitation of the vulnerability including the mapping of the code in SMM through the usage of the SMM save state area.