-
NCC Group’s Upcoming Trainings at Black Hat USA 2021
NCC Group will be presenting 4 different training courses at Black Hat USA 2021. Below you will find high level details about each course, as well as a link to a detailed course description and course registration details on the Black Hat website. Join us! Mastering Container Security V5 – Black Hat edition (August 2-3… Read more
-
Public Report – VPN by Google One: Technical Security & Privacy Assessment
During the fourth calendar quarter of 2020 and the first calendar quarter of 2021, NCC Group conducted an in-depth review of the VPN by Google One virtual private network system. The focus of the engagement was to assess the product’s technical security properties and review its associated privacy claims. The public report for this assessment… Read more
-
Technical Advisory – ParcelTrack sends all pasteboard data to ParcelTrack’s servers on startup
Summary Upon start of the ParcelTrack application any data contained on the global pasteboard (iOS) or clipboard (Android) will be sent to Parcel Track’s servers. Impact Sensitive PII such as credit card numbers and passwords often live on the global pasteboard. If any sensitive data is contained on the pasteboard when a user starts the… Read more
-
Tool Release – Principal Mapper v1.1.0 Update
Principal Mapper, or PMapper, is a tool and library for in-depth analysis with AWS Identity and Access Management, as well as AWS Organizations. PMapper stores data about AWS accounts and organizations, then provides options to query, visualize, and analyze that data. The library, written in Python, enables users to extend PMapper’s functionality for other use-cases.… Read more
-
SAML XML Injection
The Single Sign-On (SSO) approach to authentication controls and identity management was quickly adopted by both organizations and large online services for its convenience and added security. The benefits are clear; for end-users, it is far easier to authenticate to a single service and gain access to all required applications. And for administrators, credentials and… Read more
-
The Future of C Code Review
I gave a short talk on the Future of C Code Review at our internal (Not) NCC Con Conference this year (held virtually due to Covid-19) and recorded it for posterity. In this short talk, I focus on optimizations resulting from pointer provenance-based alias analysis that can modify the behavior of code with undefined behaviors.… Read more
-
RIFT: Detection capabilities for recent F5 BIG-IP/BIG-IQ iControl REST API vulnerabilities CVE-2021-22986
This post discusses NCC Group observed in the wild exploitation attempts and detection logic for the F5 BIG-IP/BIG-IQ iControl REST API vulnerabilities CVE-2021-22986
-
Tool Release – Solitude: A privacy analysis tool
Created by Dan Hastings and Emanuel Flores Solitude is an open source privacy analysis tool that enables you to conduct your own privacy investigations into where your private data goes once it leaves your web browser or mobile device. Whether a curious novice or a more advanced researcher, Solitude makes the process of evaluating an… Read more
-
Deception Engineering: exploring the use of Windows Installer Packages against first stage payloads
We prototyped a Windows Installer Package Canary to help detect certain first stage trade craft. The ultimate goal being to alert for those threat actors targeting security products through uninstallation.
-
Lending a hand to the community – Covenant v0.7 Updates
Introduction Covenant [1] is an open source .NET command and control framework to support Red Team operations, similar in many ways to the well-known Cobalt Strike threat emulation software. Covenant is an ASP.NET Core, cross-platform application that includes a web-based interface that allows for multi-user collaboration. It has two main agents/payloads: The Grunt, which is… Read more
-
Technical Advisory: Dell SupportAssist Local Privilege Escalation (CVE-2021-21518)
Summary When running PC-Doctor modules, the Dell SupportAssist service attempted to load DLLs from a world-writable directory. Furthermore, it did not validate the signature of libraries loaded from this directory, leading to a “DLL Hijacking” vulnerability. Impact Successful exploitation of this issue would allow a low privileged user to execute arbitrary code with SYSTEM privileges.… Read more
-
Technical Advisory – Multiple Vulnerabilities in Netgear ProSAFE Plus JGS516PE / GS116Ev2 Switches
Multiple vulnerabilities were found in Netgear ProSafe Plus JGS516PE switches that may pose a serious risk to their users. The most critical vulnerability could allow unauthenticated users to gain arbitrary code execution. The following vulnerabilities were the most relevant identified during the internal research: Unauthenticated Remote Code Execution (CVE-2020-26919) NSDP Authentication Bypass (CVE-2020-35231) Unauthenticated Firmware… Read more
-
Deception Engineering: exploring the use of Windows Service Canaries against ransomware
We prototyped a Windows Service Canary to help detect and respond to certain pre-ransomware trade craft. The ultimate goal being to alert and minimize the impact of ransomware deployments.
-
Wubes: Leveraging the Windows 10 Sandbox for Arbitrary Processes
Wubes is like Qubes but for Microsoft Windows. The idea is to leverage the Windows Sandbox technology to spawn applications in isolation. We currently support spawning a Windows Sandbox for the Firefox browser, with other applications easily added.
-
Technical Advisory: Administrative Passcode Recovery and Authenticated Remote Buffer Overflow Vulnerabilities in Gigaset DX600A Handset (CVE-2021-25309, CVE-2021-25306)
Current Vendor: Gigaset Vendor URL: https://www.gigaset.com/es_es/gigaset-dx600a-isdn/ Versions affected: V41.00-175.00.00-SATURN-175.00 Systems Affected: DX600A Authors: Manuel Ginés – manuel.gines[at]nccgroup[dot]com Admin Service Weak Authentication CVE Identifier: CVE-2021-25309 Risk: 8.8 (High) – AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H AT Command Buffer Overflow CVE Identifier: CVE-2021-25306 Risk: 4.5 (Medium) – AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H Summary According to the oficial documentation, the Gigaset DX600A is a high-end ISDN desktop… Read more