-
Public Report – Filecoin Bellman and BLS Signatures Cryptographic Review
In May 2020, Protocol Labs engaged NCC Group’s Cryptography Services team to conduct a cryptography review of multiple Filecoin code repositories. Filecoin is a decentralized storage and content distribution network developed by Protocol Labs. These repositories implement finite field and group arithmetic, cryptographic pairings, SHA2 via intrinsics, BLS signatures and zk-SNARK operations. Taken together, these… Read more
-
Technical Advisory – Linksys WRT160NL – Authenticated Remote Buffer Overflow (CVE-2020-26561)
Current Vendor: Belkin Vendor URL: https://www.linksys.com/sg/p/P-WRT160NL/ Versions affected: Latest FW version – 1.0.04 build 2 (FW_WRT160NL_1.0.04.002_US_20130619_code.bin) Systems Affected: Linksys WRT160NL (maybe others) Authors: Diego Gómez Marañón – Diego.GomezMaranon[at]nccgroup[dot]com CVE Identifier: CVE-2020-26561 Risk: 8.8 (High) – AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Summary The Linksys WRT160NL is a switch device initially owned by Cisco and, after the sale of its respective… Read more
-
There’s A Hole In Your SoC: Glitching The MediaTek BootROM
This research was conducted by our intern Ilya Zhuravlev, who has returned to school but will be rejoining our team after graduation, and was advised by Jeremy Boone of NCC Group’s Hardware & Embedded Systems Practice. With the advent of affordable toolchains, such as ChipWhisperer, fault injection is no longer an attack vector that is… Read more
-
RIFT: F5 CVE-2020-5902 and Citrix CVE-2020-8193, CVE-2020-8195 and CVE-2020-8196 honeypot data release
NCC Group is today releasing three months of honeypot web traffic data related to the F5 CVE-2020-5902 and Citrix CVE-2020-8193, CVE-2020-8195 and CVE-2020-8196 exploitation events from earlier in 2020. Our objective is to enable all threat intelligence researchers to gain further understanding and contribute back to the community.
-
Technical Advisory – Pulse Connect Secure – RCE via Template Injection (CVE-2020-8243)
Vendor: Pulse Secure Vendor URL: https://www.pulsesecure.net/ Versions affected: Pulse Connect Secure (PCS) 9.1Rx or below, Pulse Policy Secure (PPS) 9.1Rx or below Systems Affected: Pulse Connect Secure (PCS) Appliances Authors: Richard Warren – richard.warren[at]nccgroup[dot]com, David Cash – david.cash[at]nccgroup[dot]com CVE Identifier: CVE-2020-8243 Advisory URL: https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44588 Risk: 7.2 High CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Summary Pulse Connect Secure (PCS) appliances before… Read more
-
Tool – Windows Executable Memory Page Delta Reporter
One true constant (until someone schools me) is that threat actors need executable memory of some kind to operate from for their endpoint implant even if fleeting. Given this we’ve released an open source Microsoft Windows Service that aims to facilitate detection of anomalous executable memory
-
Salesforce Security with Remote Working
With Coronavirus still active across the world, life is far from settled, but the uptake of remote working is surely here to stay. From a security standpoint, organisations[1] may feel less comfortable at the moment simply because staff are working out of sight. Whether that feeling is justified will depend on the technical measures put… Read more
-
Tool Release – ScoutSuite 5.10
We’re proud to announce the release of a new version of our open-source, multi-cloud auditing tool ScoutSuite (on Github)! Notable improvements and features include: Core Breaking change: support for Python 3.5 has been deprecated Moved unit tests from nose to pytest & improved coverage Bug fixes and improved error handling AWS Created a ruleset for the… Read more
-
Conference Talks – October 2020
This month, members of NCC Group will be presenting their work at the following conferences: Dirk-Jan Mollema, “Walking Your Dog in Multiple Forests: Breaking AD Trust Boundaries through Kerberos Vulnerabilities,” to be presented at Black Hat Asia 2020 (Virtual – October 1 2020) Sanne Maasakkers, “Improve Security Awareness Campaigns by Applying Phishing Research,” to be… Read more
-
Tool Release – ICPin, an integrity-check and anti-debug detection pintool
by Nicolas Guigo ICPin is an Intel pintool leveraging the framework’s JIT mode designed to track a binary’s integrity checks. It records all reads and all writes performed by the target executable or dynamically loaded library on its text section and outputs a human readable text file describing each memory access with its type (R|W)… Read more
-
Faster Modular Inversion and Legendre Symbol, and an X25519 Speed Record
Elliptic curves are commonly used to implement asymmetric cryptographic operations such as key exchange and signatures. These operations are used in many places, in particular to initiate secure network connections within protocols such as TLS and Noise. However, they are relatively expensive in terms of computing resources, especially for low-end embedded systems, which run on… Read more
-
Technical Advisory – Lansweeper Privilege Escalation via CSRF Using HTTP Method Interchange (CVE-2020-13658)
Summary: Lansweeper is an application that gathers hardware and software information of computers and other devices on a computer network for management and compliance and audit purposes. The application also encompasses a ticket based help desk system and capabilities for software updates on target devices. Location: http://[LANSWEEPER_URL]/configuration/HelpdeskUsers/HelpdeskusersActions.aspx Impact: An attacker with an existing user account… Read more
-
Online Casino Roulette – A guideline for penetration testers and security researchers
Introduction In recent years, the gaming industry has grown significantly, especially casino games and sports betting. Online casinos consolidate their position as one of the main sources of entertainment in many countries worldwide, which evidently involves a notable rise in their turnover. For instance, in Spain alone, the gaming industry generated revenue of around €4,567… Read more
-
Extending a Thinkst Canary to become an interactive honeypot
In this post we explore how to use the extensible nature of Thinkst Canary to build a high interaction honeypot.
-
StreamDivert: Relaying (specific) network connections
Author: Jelle Vergeer The first part of this blog will be the story of how this tool found it’s way into existence, the problems we faced and the thought process followed. The second part will be a more technical deep dive into the tool itself, how to use it, and how it works. Storytime About… Read more