Archive

Constant-Time Data Processing At a Secret Offset, Privacy and QUIC

Introduction NCC Group Cryptography Services team assessed security aspects of several implementations of the QUIC protocol. During the course of their reviews, the team found a number of recurrent cryptography side channel findings of arguably negligible privacy risk to users, across these implementations. However, repetition in itself makes these findings somehow worth having a deeper … Continue reading Constant-Time Data Processing At a Secret Offset, Privacy and QUIC

There’s Another Hole In Your SoC: Unisoc ROM Vulnerabilities

UNISOC (formerly Spreadtrum) is a rapidly growing semiconductor company that is nowadays focused on the Android entry-level smartphone market. While still a rare sight in the west, the company has nevertheless achieved impressive growth claiming 11% of the global smartphone application processor market, according to Counterpoint Research. Recently, it's been making its way into some … Continue reading There’s Another Hole In Your SoC: Unisoc ROM Vulnerabilities

Conference Talks – September/October 2022

Throughout September and October, members of NCC Group will be presenting their work at SANS CyberThreat, 44CON, ResponderCon, BSides St John's, ICMC, DevOps World, RootCon, Hexacon, and Hardwear.io NL. Ollie Whitehouse & Eric Shamper, "Enterprise IR:Live Free, live large" to be presented at Sans CyberThreat (September 12-13 2022) NCC Group, "Mastering Container Security," training to … Continue reading Conference Talks – September/October 2022

SETTLERS OF NETLINK: Exploiting a limited UAF in nf_tables (CVE-2022-32250)

Introduction netlink and nf_tables Overview Sets Expressions Set Expressions Stateful Expressions Expressions of Interest nft_lookup nft_dynset nft_connlimit Vulnerability Discovery CVE-2022-32250 Analysis Set Creation Set Deactivation Initial Limited UAF Write Exploitation Building an Initial Plan Offsets We Can Write at Into the UAF Chunk Hunting for Replacement Objects What Pointer Do We Want to Arbitrary Free? … Continue reading SETTLERS OF NETLINK: Exploiting a limited UAF in nf_tables (CVE-2022-32250)

Writing FreeBSD Kernel Modules in Rust

At present all major operating system kernels are written in C/C++, languages which provide no or minimal assistance in avoiding common security problems. Modern languages such as Rust provide better security guarantees by default and prevent many of the common classes of memory safety security bugs. In this post we will take a brief look … Continue reading Writing FreeBSD Kernel Modules in Rust

NCC Con Europe 2022 – Pwn2Own Austin Presentations

Cedric Halbronn, Aaron Adams, Alex Plaskett and Catalin Visinescu presented two talks at NCC Con Europe 2022. NCC Con is NCC Group's annual private internal conference for employees. We have decided to publish these 2 internal presentations as it is expected that the wider security community could benefit from understanding both the approach and methodology … Continue reading NCC Con Europe 2022 – Pwn2Own Austin Presentations

Tool Release – JWT-Reauth

[Editor’s note: This post is a part of our blog series from our NCC Group summer interns! You can see more posts from consultants in our internship program here.] When testing APIs with short-lived authentication tokens, it can be frustrating to login every few minutes, taking up a consultant's time with an unnecessary cut+paste task … Continue reading Tool Release – JWT-Reauth

Wheel of Fortune Outcome Prediction – Taking the Luck out of Gambling

Authored by: Jesús Miguel Calderón Marín Introduction Two years ago I carried out research into online casino games specifically focusing on roulette. As a result, I composed a detailed guide with information on classification of online roulette, potential vulnerabilities and the ways to detect them[1]. Although this guideline was particularly well-received by the security community, … Continue reading Wheel of Fortune Outcome Prediction – Taking the Luck out of Gambling

Detecting DNS implants: Old kitten, new tricks – A Saitama Case Study 

Max Groot & Ruud van Luijk TL;DR A recently uncovered malware sample dubbed ‘Saitama’ was uncovered by security firm Malwarebytes in a weaponized document, possibly targeted towards the Jordan government. This Saitama implant uses DNS as its sole Command and Control channel and utilizes long sleep times and (sub)domain randomization to evade detection. As no … Continue reading Detecting DNS implants: Old kitten, new tricks – A Saitama Case Study