Publications

Exploring Android Heap allocations in jemalloc 'new'

30/05/2023 When writing an exploit for a memory corruption vulnerability, knowing the heap allocator internals is often required to shape the heap as desired. This article will dive into one of Android libc allocators: jemalloc 'new' (jemalloc version 5 and superior). Whereas scudo is the latest allocator introduced in the platform, jemalloc 'new' is still very used today but not well documented.

The printer goes brrrrr, again!

12/05/2023 For the second time at Pwn2Own competition, network printers have been featured in Toronto 2022. The same brands were included this year as in Austin 2021: HP, Lexmark and Canon with equivalent model. Unlike the previous event, we only targeted the Lexmark and Canon but nevertheless manage to compromise both. Sadly, the bug we exploited for the Canon printer was previously used by another team in the competition. Anyway, this is how we achieved code execution on the Canon printer.

Credential Stuffing: Speeding up massive leaks databases

05/05/2023 Despite the increasing usage of cross-origin authentication, password-based authentication is still massively used by people having to log into an account. With a minimal length, upper letters, digits, special characters or any constraints, people tend to reuse old passwords with little improvements. But when a website or any service is breached, then it is possible to use those for credentials replaying, password spraying or cracking attacks. In order to achieve these kinds of attacks, we have to store and query a huge ...

Windows secrets extraction: a summary

20/04/2023 Post-exploitation in Windows environments often implies secrets collection. The collected secrets can be reused for lateral or vertical movement, making them high value assets. Most people already know the LSASS process, but other secrets such as LSA secrets and DPAPI ones could also allow privilege escalation or access to sensitive resources. This article will describe the different types of secrets that can be found within a Windows machine, and public tools that can be used to retrieve them.

I hack, U-Boot

17/04/2023 During hardware assessments, it is common to come across devices implementing U-Boot. This article aims to describe what it is, why it could be interesting from an offensive perspective, and the attack surface associated with this popular bootloader.

PHP filter chains: file read from error-based oracle

21/03/2023 The possibilities allowed by filter chains will never stop amazing us. Last time we saw that using them in a PHP file inclusion function would lead to remote code execution. Since then, another way to abuse them was published at the end of the DownUnderCTF 2022! Let's see how PHP filters can also be used to read local files when their content is not printed, thanks to an error-based oracle.

Hardware investigation of wireless keyloggers

03/03/2023 When a hardware keylogger is found on a computer, you can assume the user account and its secrets are compromised. In this article, we will present how to get access to the data stored on both a basic keylogger and a more advanced model with Wi-Fi access.

CI/CD secrets extraction, tips and tricks

01/03/2023 This article aims at describing how to exfiltrate secrets that are supposed to be securely stored inside CI/CD systems. For that purpose, the examples of Azure DevOps and GitHub Actions will be detailed, and the tool we developed to automate extraction will be presented.

Exploiting a remote heap overflow with a custom TCP stack

13/02/2023 In November 2021 our team took part in the ZDI Pwn2Own Austin 2021 competition [1] with multiple entries. One of them successfully compromised the Western Digital MyCloudHome connected hard drive via a 0-day in the Netatalk daemon. Our exploit was unusual because triggering the vulnerability required to mess with the remote TCP stack, so we wrote our own. This blog post will provide some technical details about it.

Building a io_uring based network scanner in Rust

20/01/2023 Using the recent io_uring Linux kernel API to build a fast and modular network scanner in the Rust language