-
Technical Advisory – Sunhillo SureLine Unauthenticated OS Command Injection (CVE-2021-36380)
Summary Sunhillo is an industry leader in surveillance data distribution. The Sunhillo SureLine application contained an unauthenticated operating system (OS) command injection vulnerability that allowed an attacker to execute arbitrary commands with root privileges. This would have allowed for a threat actor to establish an interactive channel, effectively taking control of the target system. Impact… Read more
-
Practical Considerations of Right-to-Repair Legislation
Background For some time there has been a growing movement amongst consumers who wish to repair their own devices in a cost effective manner, motivated to reduce their expenses, and reduce e-waste. This is becoming ever more difficult to achieve as devices reach ever higher levels of complexity, and include more electronics and firmware. The… Read more
-
Technical Advisory – ICTFAX 7-4 – Indirect Object Reference
Summary ICTFax is fax to email software maintained by ICTInnovations. In version 7-4 of this product, available through the CentOS software repository, an indirect object reference allows a user of any privilege level to change the password of any other user within the application – including administrators. Impact Successful exploitation of this vulnerability can allow… Read more
-
Technical Advisory: Stored and Reflected XSS Vulnerability in Nagios Log Server (CVE-2021-35478,CVE-2021-35479)
Summary Nagios Log Server is a Centralized Log Management, Monitoring, and Analysis software that allows organizations to monitor, manage, visualize, archive, analyse, and alert on all of their log data. Version 2.1.8 of the application was found to be vulnerable to Stored and Reflected XSS. This occurs when malicious JavaScript or HTML code entered as… Read more
-
Detecting and Hunting for the Malicious NetFilter Driver
Category: Detection and Threat Hunting Overview During the week of June 21st, 2021, information security researchers from G Data discovered that a driver for Microsoft Windows named “netfilter.sys” had a backdoor added by a 3rd party that Microsoft then signed as a part of the Microsoft OEM program. The malicious file is installed on a… Read more
-
CVE-2021-31956 Exploiting the Windows Kernel (NTFS with WNF) – Part 1
NCC Group’s Exploit Development Group look at exploiting CVE-2021-31956 – the Windows Kernel (NTFS with WNF)
-
NCC Group Research at Black Hat USA 2021 and DEF CON 29
This year, NCC Group researchers will be presenting 10 presentations at Black Hat USA (2 Briefings, 2 Arsenal tools, and 6 training sessions), and 7 presentations at DEF CON 29 (2 main track talks, 3 Demo Labs, and 2 Village talks). A guide to these presentations (abstracts, dates, and links) is included below. We will… Read more
-
Alternative Approaches for Fault Injection Countermeasures (Part 3/3)
Authors: Jeremy Boone, Sultan Qasim Khan In the previous blog post we described a set of software-based fault injection countermeasures. However, we recognize that software-based mitigations are not a silver bullet and do have several drawbacks. Though they can frustrate an attacker and reduce the reliability of an exploit attempt, a persistent attacker may possess… Read more
-
Software-Based Fault Injection Countermeasures (Part 2/3)
Authors: Jeremy Boone, Sultan Qasim Khan This blog post is a continuation of part 1, which introduced the concept of fault injection attacks. You can read that prior post here. When advising our clients on the matter of fault injection (FI), we are often asked how to determine whether low-level software is vulnerable, and more importantly, how… Read more
-
An Introduction to Fault Injection (Part 1/3)
Authors: Jeremy Boone, Sultan Qasim Khan Though the techniques have existed for some time, in recent years, fault injection (FI) has emerged as an increasingly more common and accessible method of exploitation. Typically requiring physical access, an attacker can momentarily tamper with a processor’s electrical inputs (e.g., voltage or clock). By violating the safe ranges… Read more
-
Technical Advisory – Arbitrary File Read in Dell Wyse Management Suite (CVE-2021-21586, CVE-2021-21587)
Summary Thin clients are often found in secure environments as their diskless operation reduces physical security risks. Wyse Management Suite (WMS) acts a central hub for Dell’s thin client hardware, providing centralised provisioning and configuration. The Wyse Management Suite web interface and the configuration services used by the Thin Clients on boot are part of… Read more
-
Exploiting the Sudo Baron Samedit vulnerability (CVE-2021-3156) on VMWare vCenter Server 7.0
NCC Group’s Exploit Development Group document exploiting the sudo vulnerability on VMWare vCenter Server
-
Technical Advisory – Shop app sends pasteboard data to Shopify’s servers
Summary In the Shop app when adding a package, any data that matches a specific format defined by Shopify that is contained on the global pasteboard (iOS) or clipboard (Android) is automatically sent without user interaction to Shopify’s servers. Impact Sensitive PII such as credit card numbers and passwords can live on the global pasteboard.… Read more
-
Tool Release – Reliably-checked String Library Binding
by Robert C. Seacord Memory Safety Reliably-checked Strings is a library binding I created that uses static array extents to improve diagnostics that can help identify memory safety flaws. This is part of broader initiative in the C Standards Committee to improve bounds checking for array types. See my blog post Improving Software Security through… Read more
-
Are you oversharing (in Salesforce)? Our new tool could sniff it out!
Unauthorised access to data is a primary concern of clients who commission a Salesforce assessment. The Salesforce documentation acknowledges that the sharing model is a “complex relationship between role hierarchies, user permissions, sharing rules, and exceptions for certain situations”[1]. It is often said that complexity and security are natural enemies. Salesforce empowers its users with… Read more