-
Technical Advisory: PDFTron JavaScript URLs Allowed in WebViewer UI (CVE-2021-39307)
Summary PDFTron’s WebViewer UI 8.0 or below renders dangerous URLs as hyperlinks in supported documents, including JavaScript URLs, allowing the execution of arbitrary JavaScript code. Impact An attacker could steal a victim’s session tokens, log their keystrokes, steal private data, or perform privileged actions in the context of a victim’s session. Details JavaScript URLs are… Read more
-
Optimizing Pairing-Based Cryptography: Montgomery Multiplication in Assembly
This is the second blog post in a new code-centric series about selected optimizations found in pairing-based cryptography. Pairing operations are foundational to the BLS Signatures central to Ethereum 2.0, the zero-knowledge arguments underpinning Filecoin, and a wide variety of other emerging applications. While my prior blog series, “Pairing over BLS12-381,” implemented the entire pairing… Read more
-
CertPortal: Building Self-Service Secure S/MIME Provisioning Portal
tl;dr NCC Group’s Research & Development team designed and built CertPortal which allows users to create and manage S/MIME certificates automating the registration and renewal to allow enterprise scale deployment. The core of the system integrates DigiCert to create an S/MIME certificate and then storing both the certificate, the password, creation and expiry dates in… Read more
-
NSA & CISA Kubernetes Security Guidance – A Critical Review
Last month, the United States’ National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) released a Cybersecurity Technical Report (CTR) detailing the security hardening they recommend be applied to Kubernetes clusters, which is available here. The guidance the document contains is generally reasonable, but there are several points which are either incorrect or… Read more
-
Technical Advisory – New York State Excelsior Pass Vaccine Passport Credential Forgery
Summary New York State developed an application called NYS Excelsior Pass Wallet that allows users to acquire and store a COVID-19 vaccine credential. During some research it was discovered that this application does not validate vaccine credentials added to it, allowing forged credentials to be stored by users. Impact This issue would allow an individual… Read more
-
Technical Advisory – New York State Excelsior Pass Vaccine Passport Scanner App Sends Data to a Third Party not Specified in Privacy Policy
Summary The New York State (NYS) Excelsior scanner app is used by businesses or event venues to scan the QR codes contained in the NYS Excelsior wallet app to verify that an individual has either a negative COVID-19 test or their vaccination status. We have found that some data about the businesses/event venues using the app… Read more
-
Conference Talks – September 2021
This month, members of NCC Group will be presenting their work at the following conferences: Javed Samuel, “Overview of Open-Source Cryptography Vulnerabilities”, to be presented at the International Cryptographic Module Conference 2021 (Virtual – Sept 3 2021) Robert Seacord, “Secure Coding”, to be presented at Auto ISAC Analysts (Virtual – Sept 7 2021) Erik Steringer,… Read more
-
The ABCs of NFC chip security
tl;dr NFC tags are becoming increasingly more common in everyday use cases such as: Public spaces like museums, art galleries or even retail stores in order to provide additional information about an item or product. Inventory management sites use NFC tags on product packaging to update information on its contents. Industrial facilities can use NFC… Read more
-
CVE-2021-31956 Exploiting the Windows Kernel (NTFS with WNF) – Part 2
We look at exploitation without the CVE-2021-31955 information disclosure, enabling better exploit primitives through PreviousMode, reliability, stability and exploit clean-up and well as thoughts on detection
-
Disabling Office Macros to Reduce Malware Infections
Category: Reduction/Prevention Overview Document macros have gone in and out of style since 1995 as a deployment method for malware. Netskope’s latest ‘Cloud and Threat Report: July 2021 Edition’ points out that in Q2 of 2021, Microsoft Office macros accounted for 43% of malicious Office document downloads, compared to just 20% at the beginning of… Read more
-
Some Musings on Common (eBPF) Linux Tracing Bugs
Having been in the game of auditing kprobe-based tracers for the past couple of years, and in light of this upcoming DEF CON on eBPF tracer race conditions (which you should go watch) being given by a friend of mine from the NYU(-Poly) (OSIR)IS(IS) lab, I figured I would wax poetic on some of the… Read more
-
Technical Advisory: Pulse Connect Secure – RCE via Uncontrolled Archive Extraction – CVE-2021-22937 (Patch Bypass)
Summary The Pulse Connect Secure appliance suffers from an uncontrolled archive extraction vulnerability which allows an attacker to overwrite arbitrary files, resulting in Remote Code Execution as root. This vulnerability is a bypass of the patch for CVE-2020-8260. Impact Successful exploitation of this issue results in Remote Code Execution on the underlying Operating System with… Read more
-
Technical Advisory – Sunhillo SureLine Unauthenticated OS Command Injection (CVE-2021-36380)
Summary Sunhillo is an industry leader in surveillance data distribution. The Sunhillo SureLine application contained an unauthenticated operating system (OS) command injection vulnerability that allowed an attacker to execute arbitrary commands with root privileges. This would have allowed for a threat actor to establish an interactive channel, effectively taking control of the target system. Impact… Read more
-
Practical Considerations of Right-to-Repair Legislation
Background For some time there has been a growing movement amongst consumers who wish to repair their own devices in a cost effective manner, motivated to reduce their expenses, and reduce e-waste. This is becoming ever more difficult to achieve as devices reach ever higher levels of complexity, and include more electronics and firmware. The… Read more
-
Technical Advisory – ICTFAX 7-4 – Indirect Object Reference
Summary ICTFax is fax to email software maintained by ICTInnovations. In version 7-4 of this product, available through the CentOS software repository, an indirect object reference allows a user of any privilege level to change the password of any other user within the application – including administrators. Impact Successful exploitation of this vulnerability can allow… Read more