Publications

Code Check(mate) in SMM

18/12/2018 In this article, a bypass of the SMM_CODE_CHK_EN, the equivalent of the SMEP protection for the System Management Mode (SMM), protection is explained. This article first explain the protection and the bug class it impacts, then the idea of the bypass is detailed and a leak is explained for being able to make it work.

Binder transactions in the bowels of the Linux Kernel

14/12/2018 Binder is the main IPC/RPC (Inter-Process Communication) system in Android. It allows applications to communicate with each other and it is the base of several important mechanisms in the Android environment. For instance, Android services are built on top of Binder. Message exchanged with Binder are called binder transactions, they can transport simple data such as integers but also process more complex structures like file descriptors, memory buffers or weak/strong references on objects.

Kinibi TEE: Trusted Application exploitation

10/12/2018 This blog post is dedicated to the Trustonic's TEE implementation and more particularly to the integration made by Samsung for its Exynos chipsets. Samsung recently patched a trivial vulnerability in a Trusted Application. After a brief explanation of TrustZone/Kinibi, this article details the exploitation of this vulnerability.

E-ink maiden: Bring your reader to the reverser

01/12/2018 As a team of security researchers, we like poking at software and tinkering with common household objects for fun. So, one of our researchers bought an electronic paper reader tablet, and instead of reading ebooks on the train, started having fun with it!

Grehack 2018 qualification challenge

16/11/2018 Detailed write-up of Grehack 2018 qualification challenge.

LightSpeed, a race for an iOS/MacOS sandbox escape!

29/10/2018 iOS 12 was released a few weeks ago and fixed a kernel vulnerability we discovered that can be used to escape the sandbox. This blogpost gives the technical write-up of the vulnerability.

ColdFusion CFMX_COMPAT lolcryption

09/10/2018 A recent pentest involving ColdFusion led us to discover the fabulous and infamous encryption algorithm CFMX_COMPAT.

iOS12 Kernelcache Laundering

01/10/2018 iOS 12 has been released for a few weeks now. New major iOS versions often mean new kernelcache and dyld_shared_cache file formats. iOS12 is no exception to the rule and comes with an other surprise: Pointer Authentication Code (PAC) for the new A12 chip. This blogpost shows you how to deal with both by enhancing IDA. IDA 7.2 beta future release might add PAC and iOS12 kernelcache support but it will only be released in a few weeks and we think it will always be interesting to illustrate how to do it by ourselves. ...

Hunting mobile devices endpoints - the RF and the Hard way

13/09/2018 This article is about getting information from IoT devices that use the mobile network to exchange data and commands. Two Different techniques will be introduced to achieve this goal : the RF and Hardware ways.

2018 Summer Challenge Writeup

15/08/2018 An old school RE challenge was published on August 07th and has been solved by several people. This blog post provides a detailed solution on how to solve this challenge followed by the winner write-up.