-
Public Report – Pixel 4/4XL and Pixel 4a ioXt Audit
NCC Group was contracted by Google to conduct a security assessment of the Pixel 4, Pixel 4XL, and Pixel 4a devices. This assessment was specifically focused on determining whether the devices comply with the ioXt Android Profile based on the ioXt Security Pledge. This assessment was performed between July 28 and August 7, 2020. The Google… Read more
-
NCC Group researchers named amongst MSRC’s Most Valuable Security Researchers in 2020
Yesterday, the Microsoft Security Response Center announced their Most Valuable Security Researchers for 2020 (MVRs). This honour, awarded annually by Microsoft during Black Hat USA, is a part of MSRC’s Researcher Recognition program, and recognizes the top security researchers globally based upon the volume, accuracy, and impact of their vulnerability reports to Microsoft over the… Read more
-
Lights, Camera, HACKED! An insight into the world of popular IP Cameras
Preface During the Covid-19 pandemic, the battle to secure and protect businesses as well as consumers changed from the office environment to our homes, but this did not stop us from working on research projects aimed at contributing to the creation of a safer online world. Working from home, this research was carried out to… Read more
-
Conference Talks – August 2020
This month, NCC Group researchers will be presenting their work at the following conferences: Dirk-Jan Mollema, “ROADtools and ROADrecon,” to be presented at Black Hat USA 2020 (Virtual – August 1-6 2020) Chris Nevin, “Carnivore: Microsoft External Attack Tool” to be presented at Black Hat USA 2020 (Virtual – August 1-6 2020) Rory McCune, “Mastering… Read more
-
Tool Release – Winstrument: An Instrumentation Framework for Windows Application Assessments
by George Osterweil Winstrument is a modular framework built on top of Frida designed to help testers reverse engineer Windows applications and assess their attack surface. Motivation Winstrument is built on top of Frida, a powerful dynamic instrumentation framework which aids reverse engineering and debugging by injecting into a process a Javascript runtime with an… Read more
-
Tool Release: Sinking U-Boots with Depthcharge
Depthcharge is an extensible Python 3 toolkit designed to aid security researchers when analyzing a customized, product-specific build of the U-Boot bootloader. This blog post details the motivations for Depthcharge’s creation, highlights some key features, and exemplifies its use in a “tethered jailbreak” of a smart speaker that leverages secure boot functionality. I boot, you… Read more
-
Technical Advisory: Heartbleed chained with a Pass-the-Hash attack leads to device compromise on TP-Link C200 IP Camera
Vendor: TP-Link Vendor URL: https://www.tp-link.com/uk/ Versions affected: 1.7.0 Systems Affected: Tapo C200 Author: Dale Pavey Risk: High Summary: The device is vulnerable to the heartbleed vulnerability and a Pass-the-Hash attack. Impact: Successfully exploiting the Heartbleed vulnerability leads to the device being remotely taken over using the memory-leaked user hash and the Pass-the-Hash attack. Details: Using… Read more
-
Public Report – Qredo Apache Milagro MPC Cryptographic Assessment
During the spring of 2020, Qredo engaged NCC Group Cryptography Services to conduct a security assessment of the Apache Milagro MPC library. This library implements the primitives necessary to instantiate the multi-party ECDSA signature scheme provided in Gennaro and Goldfeder’s Fast Multiparty Threshold ECDSA with Fast Trustless Setup. This assessment occurred over the course of… Read more
-
Pairing over BLS12-381, Part 2: Curves
This is the second of three code-centric blog posts on pairing based cryptography. The first post [1] covered modular arithmetic, finite fields, the embedding degree, and presented an implementation of a 12-degree prime extension field tower. The series will ultimately conclude with a detailed review of the popular BLS12-381 pairing operations found in a variety… Read more
-
Understanding the root cause of F5 Networks K52145254: TMUI RCE vulnerability CVE-2020-5902
CVE-2020-5902 was disclosed on July 1st, 2020 by F5 Networks in K52145254 as a CVSS 10.0 remote code execution vulnerability in the Big-IP administrative interface. This blog looks at the root causes of both the exploit paths discovered which boil down to subtle configuration issues and differences in behavior between Apache httpd and Apache Tomcat when dealing with an uncommon URI element called matrix (or path) parameters.
-
RIFT: Citrix ADC Vulnerabilities CVE-2020-8193, CVE-2020-8195 and CVE-2020-8196 Intelligence
Citrix disclosed on July 7th, 2020 a number of vulnerabilities in the Application Delivery Controller. This blog is a summary of what we know as the situation develops.
-
An offensive guide to the Authorization Code grant
OAuth is the widely used standard for access delegation, enabling many of the “Sign in with X” buttons and “Connect your Calendar” features of modern Internet software. OAuth 2.0 is the most common and recent version of this specification, which defines four grant types (as well as various extensions), specifically suited for different use cases.… Read more
-
Technical Advisory – KwikTag Web Admin Authentication Bypass
Summary: KwikTag is a digital document management solution. KwikTag Web Admin is used to administrate accounts and permissions of the KwikTag instance. KwikTag Web Admin grants an active session without properly validating expired admin credentials. Location: ~/ktadmin/Default.aspx Impact: An attacker can gain administrative access to KwikTag Web Admin by logging in as an admin account… Read more
-
Pairing over BLS12-381, Part 1: Fields
This is the first of three code-centric blog posts on pairing based cryptography. The series will ultimately conclude with a detailed review of the popular BLS12-381 pairing operations found in a variety of applications such as BLS signatures [1]. Support for these operations in an Ethereum precompiled contract has been proposed [2], and support for… Read more
-
RIFT: F5 Networks K52145254: TMUI RCE vulnerability CVE-2020-5902 Intelligence
CVE-2020-5902 was disclosed on June 1, 2020 by F5 Networks in K52145254 as a CVSS 10.0 remote code execution vulnerability in the Big-IP administrative interface. By June 3, 2020 NCC Group observed active exploitation. This blog is a summary of what we know as the situation develops.