NCC Group Research

Research Report – Zephyr and MCUboot Security Assessment

May 26, 2020 by Jeremy Boone

Over the years, NCC Group has audited countless embedded devices for our customers. Through these security assessments, we have observed that IoT devices are typically built using a hodgepodge of chipset vendor board support packages (BSP), bootloaders, SDKs, and an established Real Time Operating System (RTOS) such as Mbed or FreeRTOS. However, we have recently… Read more
CVE-2018-8611 Exploiting Windows KTM Part 5/5 – Vulnerability detection and a better read/write primitive

May 25, 2020 by Aaron Adams

The fifth and final blog posts exploring the detailed exploitation of CVE-2018-8611.
CVE-2018-8611 Exploiting Windows KTM Part 4/5 – From race win to kernel read and write primitive

May 18, 2020 by Aaron Adams

The fourth of five blog posts exploring the detailed exploitation of CVE-2018-8611.
Using SharePoint as a Phishing Platform

May 14, 2020 by David Cash

Introduction The rise of endpoint protection and the use of mobile operating systems has created additional challenges when targeting corporate users with phishing payloads designed to execute code on their endpoint device. Credential capture campaigns offer an alternative chance to leverage remote working solutions such as VPNs or Desktop Gateways in order to gain access… Read more
Public Report – Coda Cryptographic Review

May 13, 2020 by Jennifer Fernick

During the spring of 2020, O(1) Labs engaged NCC Group to conduct a cryptographic assessment of Coda Protocol. This cryptocurrency leverages state-of-the art cryptographic constructions to provide traditional cryptocurrency applications with a more lightweight blockchain. This assessment focused on the core cryptographic primitives as well as the overlaid protocol. The O(1) Labs team provided source… Read more
Shell Arithmetic Expansion and Evaluation Abuse

May 12, 2020 by Balazs Bucsay

Introduction Recently we came across a class of vulnerability that was discovered some time ago yet is not very well known, despite the potential impact of its discovery and exploitation being critical. During the (re)discovery of this type of bug we managed to get a privileged shell on a Linux-based appliance that only presented a… Read more
CVE-2018-8611 Exploiting Windows KTM Part 3/5 – Triggering the race condition and debugging tricks

May 11, 2020 by Aaron Adams

The third of five blog posts exploring the detailed exploitation of CVE-2018-8611.
Tool Release – Socks Over RDP

May 6, 2020 by Balazs Bucsay

Introduction Remote Desktop Protocol (RDP) is used to create an interactive session on a remote Windows machine. This is a widely used protocol mostly used by Administrators to remotely access the resources of the operating system or network based services. As penetration testers we frequently find ourselves in a situation where the only access that… Read more
Exploring macOS Calendar Alerts: Part 1 – Attempting to execute code

May 5, 2020 by Andy Grant

This post explores the potential abuse of some features within the macOS Calendar application. It covers multiple attack paths that could lead to code execution and discusses the protections Apple has in place to mitigate them.
CVE-2018-8611 Exploiting Windows KTM Part 2/5 – Patch analysis and basic triggering

May 4, 2020 by Aaron Adams

The second of five blog posts exploring the detailed exploitation of CVE-2018-8611.
Practical Machine Learning for Random (Filename) Detection

April 29, 2020 by Liam Stevenson

There is much hyperbole around machine learning and artificial intelligence in Managed Detection & Response. We detail when to apply and what reasonable results can be achieved on a specific real-world problem.
Curve9767 and Fast Signature Verification

April 28, 2020 by Thomas Pornin

This post is about elliptic curves as they are used in cryptography, in particular for signatures. There are many ways to define specific elliptic curves that strive to offer a good balance between security and performance; here, I am talking about specific contributions of mine: a new curve definition, and some algorithmic improvements that target… Read more
CVE-2018-8611 Exploiting Windows KTM Part 1/5 – Introduction

April 27, 2020 by Aaron Adams

The first of five blog posts exploring the detailed exploitation of CVE-2018-8611.
The Extended AWS Security Ramp-Up Guide

April 24, 2020 by Rami McCarthy

On November 25th, AWS released the Ramp-Up Learning Guide for AWS Cloud Security, Governance, and Compliance. The Security Ramp-Up is a curated list of educational AWS resources. The goal is “to teach in-demand cloud skills and real-world knowledge that you can rely on to keep up with cloud security, governance, and compliance developments and grow… Read more
Code Patterns for API Authorization: Designing for Security

April 21, 2020 by Tanner Prynn

Summary This post describes some of the most common design patterns for authorization checking in web application code. Comparisons are made between the design patterns to help understand when each pattern makes sense as well as the drawbacks of the pattern. For developers and architects, this post helps you to understand what the different code… Read more

View all posts