Archive

This page contains all published blog posts.

• NCC Group’s Upcoming Trainings at Black Hat USA 2021
• Public Report – VPN by Google One: Technical Security & Privacy Assessment
• Technical Advisory – ParcelTrack sends all pasteboard data to ParcelTrack’s servers on startup
• Tool Release – Principal Mapper v1.1.0 Update
• SAML XML Injection
• The Future of C Code Review
• RIFT: Detection capabilities for recent F5 BIG-IP/BIG-IQ iControl REST API vulnerabilities CVE-2021-22986
• Tool Release – Solitude: A privacy analysis tool
• Deception Engineering: exploring the use of Windows Installer Packages against first stage payloads
• Lending a hand to the community – Covenant v0.7 Updates
• Technical Advisory: Dell SupportAssist Local Privilege Escalation (CVE-2021-21518)
• Technical Advisory – Multiple Vulnerabilities in Netgear ProSAFE Plus JGS516PE / GS116Ev2 Switches
• Deception Engineering: exploring the use of Windows Service Canaries against ransomware
• Wubes: Leveraging the Windows 10 Sandbox for Arbitrary Processes
• Technical Advisory: Administrative Passcode Recovery and Authenticated Remote Buffer Overflow Vulnerabilities in Gigaset DX600A Handset (CVE-2021-25309, CVE-2021-25306)
• Cryptopals: Exploiting CBC Padding Oracles
• Investigating Potential Security Vulnerability Manifestation through Various Analyses & Inferences Regarding Internet RFCs (and how RFC Security might be Improved)
• NCC Group’s 2020 Annual Research Report
• Conference Talks – February/March 2021
• Software Verification and Analysis Using Z3
• Technical Advisory – Linksys WRT160NL – Authenticated Command Injection (CVE-2021-25310)
• Real World Cryptography Conference 2021: A Virtual Experience
• RIFT: Analysing a Lazarus Shellcode Execution Method
• MSSQL Lateral Movement
• Public Report – BLST Cryptographic Implementation Review
• Sign over Your Hashes – Stealing NetNTLM Hashes via Outlook Signatures
• Abusing cloud services to fly under the radar
• Building an RDP Credential Catcher for Threat Intelligence
• Double-odd Elliptic Curves
• Using AWS and Azure for Cost Effective Log Ingestion with Data Processing Pipelines for SIEMs
• Domestic IoT Nightmares: Smart Doorbells
• Technical Advisory: OS Command Injection in Silver Peak EdgeConnect Appliances (CVE-2020-12148, CVE-2020-12149)
• Helping Engineering Teams Tackle Security Debt in Embedded Systems: U-Boot Configuration Auditing Introduced in Depthcharge v0.2.0
• An Adventure in Contingency Debugging: Ruby IO#read/IO#write Considered Harmful
• ABSTRACT SHIMMER (CVE-2020-15257): Host Networking is root-Equivalent, Again
• Tool Release – HTTPSignatures: A Burp Suite Extension Implementing HTTP Signatures
• ICS/OT Security & the evolution of the Purdue Model: Integrating Industrial and Business Networks
• Tool Release – Carnivore: Microsoft External Assessment Tool
• Technical Advisory: containerd – containerd-shim API Exposed to Host Network Containers (CVE-2020-15257)
• Conference Talks – December 2020
• TA505: A Brief History Of Their Time
• Decrypting OpenSSH sessions for fun and profit
• Past, Present and Future of Effective C
• Technical Advisory: SQL Injection and Reflected Cross-Site Scripting (XSS) Vulnerabilities in Oracle Communications Diameter Signaling Router (CVE-2020-14787, CVE-2020-14788)
• Conference Talks – November 2020
• Technical Advisory: Pulse Connect Secure – Arbitrary File Read via Logon Message (CVE-2020-8255)
• Technical Advisory: Pulse Connect Secure – RCE via Uncontrolled Gzip Extraction (CVE-2020-8260)
• Technical Advisory – Jitsi Meet Electron – Arbitrary Client Remote Code Execution (CVE-2020-27162)
• Technical Advisory – Jitsi Meet Electron – Limited Certificate Validation Bypass (CVE-2020-27161)
• Public Report – Filecoin Bellman and BLS Signatures Cryptographic Review
• Technical Advisory – Linksys WRT160NL – Authenticated Remote Buffer Overflow (CVE-2020-26561)
• There’s A Hole In Your SoC: Glitching The MediaTek BootROM
• RIFT: F5 CVE-2020-5902 and Citrix CVE-2020-8193, CVE-2020-8195 and CVE-2020-8196 honeypot data release
• Technical Advisory – Pulse Connect Secure – RCE via Template Injection (CVE-2020-8243)
• Tool – Windows Executable Memory Page Delta Reporter
• Salesforce Security with Remote Working
• Tool Release – ScoutSuite 5.10
• Conference Talks – October 2020
• Tool Release – ICPin, an integrity-check and anti-debug detection pintool
• Faster Modular Inversion and Legendre Symbol, and an X25519 Speed Record
• Technical Advisory – Lansweeper Privilege Escalation via CSRF Using HTTP Method Interchange (CVE-2020-13658)
• Online Casino Roulette – A guideline for penetration testers and security researchers
• Extending a Thinkst Canary to become an interactive honeypot
• StreamDivert: Relaying (specific) network connections
• Public Report – Electric Coin Company NU4 Cryptographic Specification and Implementation Review
• Machine learning from idea to reality: a PowerShell case study
• Conference Talks – September 2020
• Whitepaper – Exploring the Security of KaiOS Mobile Applications
• Technical Advisory – wolfSSL TLS 1.3 Client Man-in-the-Middle Attack (CVE-2020-24613)
• Technical Advisory – Multiple HTML Injection Vulnerabilities in KaiOS Pre-installed Mobile Applications
• Technical Advisory – FreePBX – Multiple Authenticated SQL Injections in UCP application
• Immortalising 20 Years of Epic Research
• Pairing over BLS12-381, Part 3: Pairing!
• Public Report – Pixel 4/4XL and Pixel 4a ioXt Audit
• NCC Group researchers named amongst MSRC’s Most Valuable Security Researchers in 2020
• Lights, Camera, HACKED! An insight into the world of popular IP Cameras
• Conference Talks – August 2020
• Tool Release – Winstrument: An Instrumentation Framework for Windows Application Assessments
• Tool Release: Sinking U-Boots with Depthcharge
• Technical Advisory: Heartbleed chained with a Pass-the-Hash attack leads to device compromise on TP-Link C200 IP Camera
• Public Report – Qredo Apache Milagro MPC Cryptographic Assessment
• Pairing over BLS12-381, Part 2: Curves
• Understanding the root cause of F5 Networks K52145254: TMUI RCE vulnerability CVE-2020-5902
• RIFT: Citrix ADC Vulnerabilities CVE-2020-8193, CVE-2020-8195 and CVE-2020-8196 Intelligence
• An offensive guide to the Authorization Code grant
• Technical Advisory – KwikTag Web Admin Authentication Bypass
• Pairing over BLS12-381, Part 1: Fields
• RIFT: F5 Networks K52145254: TMUI RCE vulnerability CVE-2020-5902 Intelligence
• Experiments in Extending Thinkst Canary – Part 1
• Tool Release – ScoutSuite 5.9.0
• Technical Advisory – macOS Installer Local Root Privilege Escalation (CVE-2020-9817)
• Paper: Thematic for Success in Real-World Offensive Cyber Operations – How to make threat actors work harder and fail more often
• How-to: Importing WStalker CSV (and more) into Burp Suite via Import to Sitemap Extension
• Tool: WStalker – an easy proxy to support Web API assessments
• Security Considerations of zk-SNARK Parameter Multi-Party Computation
• WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group
• Tool Release – Socks Over RDP Now Works With Citrix
• Striking Back at Retired Cobalt Strike: A look at a legacy vulnerability
• Technical Advisory – ARM MbedOS USB Mass Storage Driver Memory Corruption
• Cyber Security of New Space Paper
• In-depth analysis of the new Team9 malware family
• Common Insecure Practices with Configuring and Extending Salesforce
• Exploring DeepFake Capabilities & Mitigation Strategies with University College London
• Game Security
• Exploring macOS Calendar Alerts: Part 2 – Exfiltrating data (CVE-2020-3882)
• Research Report – Zephyr and MCUboot Security Assessment
• CVE-2018-8611 Exploiting Windows KTM Part 5/5 – Vulnerability detection and a better read/write primitive
• CVE-2018-8611 Exploiting Windows KTM Part 4/5 – From race win to kernel read and write primitive
• Using SharePoint as a Phishing Platform
• Public Report – Coda Cryptographic Review
• Shell Arithmetic Expansion and Evaluation Abuse
• CVE-2018-8611 Exploiting Windows KTM Part 3/5 – Triggering the race condition and debugging tricks
• Tool Release – Socks Over RDP
• Exploring macOS Calendar Alerts: Part 1 – Attempting to execute code
• CVE-2018-8611 Exploiting Windows KTM Part 2/5 – Patch analysis and basic triggering
• Practical Machine Learning for Random (Filename) Detection
• Curve9767 and Fast Signature Verification
• CVE-2018-8611 Exploiting Windows KTM Part 1/5 – Introduction
• The Extended AWS Security Ramp-Up Guide
• Code Patterns for API Authorization: Designing for Security
• Order Details Screens and PII
• How cryptography is used to monitor the spread of COVID-19
• Rise of the Sensors: Securing LoRaWAN Networks
• CVE-2019-1381 and CVE-2020-0859 – How Misleading Documentation Led to a Broken Patch for a Windows Arbitrary File Disclosure Vulnerability
• C Language Standards Update – Zero-size Reallocations are Undefined Behavior
• IETF Draft: Indicators of Compromise and Their Role in Attack and Defen[c|s]e
• Exploring Verifiable Random Functions in Code
• Crave the Data: Statistics from 1,300 Phishing Campaigns
• Impact of DNS over HTTPS (DoH) on DNS Rebinding Attacks
• Tool Release – ScoutSuite 5.8.0
• Whitepaper – Coinbugs: Enumerating Common Blockchain Implementation-Level Vulnerabilities
• Smart Contracts Inside SGX Enclaves: Common Security Bug Patterns
• LDAPFragger: Bypassing network restrictions using LDAP attributes
• Threat Actors: exploiting the pandemic
• A Survey of Istio’s Network Security Features
• Conference Talks – March 2020
• Public Report – RustCrypto AES/GCM and ChaCha20+Poly1305 Implementation Review
• Reviewing Verifiable Random Functions
• CVE-2018-8611 – Diving into the Windows Kernel Transaction Manager (KTM) for fun and exploitation
• Whitepaper – Microcontroller Readback Protection: Bypasses and Defenses
• Improving Software Security through C Language Standards
• Whitepaper – A Tour of Curve 25519 in Erlang
• Deep Dive into Real-World Kubernetes Threats
• Technical Advisory – playSMS Pre-Authentication Remote Code Execution (CVE-2020-8644)
• Interfaces.d to RCE
• Properly Signed Certificates on CPE Devices
• Conference Talks – February 2020
• Tool Release – Collaborator++
• Public Report – Electric Coin Company NU3 Specification and Blossom Implementation Audit
• Tool Release – Enumerating Docker Registries with go-pillage-registries
• Conference Talks – January 2020
• Passive Decryption of Ethereum Peer-to-Peer Traffic
• On Linux’s Random Number Generation
• Demystifying AWS’ AssumeRole and sts:ExternalId
• Welcome to the new NCC Group Global Research blog
• Compromising a Hospital Network for £118 (Plus Postage & Packaging)
• Getting Shell with XAMLX Files
• Kerberos Resource-Based Constrained Delegation: When an Image Change Leads to a Privilege Escalation
• Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 10: Efficacy Demonstration, Project Conclusion and Next Steps
• Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 9: Adventures with Expert Systems
• Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 8: Development of Prototype #4 – Building on Takaesu’s Approach with Focus on XSS
• Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 7: Development of Prototype #3 – Adventures in Anomaly Detection
• Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 6: Development of Prototype #2 – Creating a SQLi PoC
• Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 5: Development of Prototype #1 – Text Processing and Semantic Relationships
• Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 4: Architecture and Design
• Technical Advisory – Authorization Bypass Allows for Pinboard Corruption
• Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 3: Understanding Existing Approaches and Attempts
• Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 2: Going off on a Tangent – AI/ML Applications in Social Engineering
• Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 1: Understanding the Basics and What Platforms and Frameworks Are Available
• Story of a Hundred Vulnerable Jenkins Plugins
• Technical Advisory – DelTek Vision – Arbitrary SQL Execution (SQLi)
• Chafer backdoor analysis
• Finding and Exploiting .NET Remoting over HTTP using Deserialisation
• Owning the Virgin Media Hub 3.0: The perfect place for a backdoor
• Turla PNG Dropper is back
• RokRat Analysis
• Securing Google Cloud Platform – Ten best practices
• Celebrating NCC Con Europe 2018
• Securing Teradata Database
• CVE-2017-8570 RTF and the Sisfader RAT
• Emissary Panda – A potential new malicious tool
• SMB hash hijacking & user tracking in MS Outlook
• Testing HTTP/2 only web services
• Readable Thrift
• Introducing Azucar
• Decoding network data from a Gh0st RAT variant
• APT15 is Alive and Strong: An Analysis of RoyalCli and RoyalDNS
• Spectre and Meltdown: What you Need to Know
• HIDDEN COBRA Volgmer: A Technical Analysis
• Kubernetes Security: Consider Your Threat Model
• Cisco ASA series part eight: Exploiting the CVE-2016-1287 heap overflow over IKEv1
• Bypassing Android’s Network Security Configuration
• Technical Advisory – Bomgar Remote Support – Local Privilege Escalation
• Cisco ASA series part seven: Checkheaps
• Cisco ASA series part six: Cisco ASA mempools
• Cisco ASA series part five: libptmalloc gdb plugin
• Cisco ASA series part four: dlmalloc-2.8.x, libdlmalloc, & dlmalloc on Cisco ASA
• Decoder Improved Burp Suite plugin release part two
• Cisco ASA series part three: Debugging Cisco ASA firmware
• Cisco ASA series part two: Static analysis & datamining of Cisco ASA firmware
• Cisco ASA series part one: Intro to the Cisco ASA
• EternalGlue part one: Rebuilding NotPetya to assess real-world resilience
• Decoder Improved Burp Suite plugin release part one
• Poison Ivy string decryption
• Signaturing an Authenticode anomaly with Yara
• Analysing a recent Poison Ivy sample
• DeLux Edition: Getting root privileges on the eLux Thin Client OS
• UK government cyber security guidelines for connected & autonomous vehicles
• Smuggling HTA files in Internet Explorer/Edge
• Live Incident Blog: June Global Ransomware Outbreak
• A WarCon 2017 Presentation: Cisco ASA – Exploiting the IKEv1 Heap Overflow – CVE-2016-1287
• Setting a New Standard for Kubernetes Deployments
• Microsoft Zero-Day Vulnerability – OLE2Link – Threat Intelligence and Signatures
• Fix Bounty
• SCOMplicated? – Decrypting SCOM “RunAs” credentials
• ISM RAT
• Compromising Apache Tomcat via JMX access
• Berserko: Kerberos Authentication for Burp Suite
• NCC CON Europe 2017
• iOS Instrumentation Without Jailbreak
• The Password is Dead, Long Live the Password!
• A Peek Behind the Great Firewall of Russia
• Avoiding Pitfalls Developing with Electron
• The CIS Security Standard for Docker available now
• An adventure in PoEKmon NeutriGo land
• The Automotive Threat Modeling Template
• Ransomware: How vulnerable is your system?
• Writing Exploits for Win32 Systems from Scratch
• Sakula: an adventure in DLL planting
• When a Trusted Site in Internet Explorer was Anything But
• GSM/GPRS Traffic Interception for Penetration Testing Engagements
• Adventures in Windows Driver Development: Part 1
• From CSV to CMD to qwerty
• Sysinternals SDelete: When Secure Delete Fails
• Breaking into Security Research at NCC Group
• Building WiMap the Wi-Fi Mapping Drone
• NCC Con Europe 2016
• Remote Exploitation of Microsoft Office DLL Hijacking (MS15-132) via Browsers
• Phishing Mitigations: Configuring Microsoft Exchange to Clearly Identify External Emails
• Exploiting CVE-2014-0282
• Car Parking Apps Vulnerable To Hacks
• Drones: Detect, Identify, Intercept, and Hijack
• Introducing Chuckle and the Importance of SMB Signing
• Understanding Microsoft Word OLE Exploit Primitives
• Vehicle Emissions and Cyber Security
• Does TypeScript Offer Security Improvements Over JavaScript?
• Build Your Own Wi-Fi Mapping Drone Capability
• Exploiting CVE-2015-2426, and How I Ported it to a Recent Windows 8.1 64-bit
• libtalloc: A GDB plugin for analysing the talloc heap
• Broadcasting your attack – DAB security
• Exploiting the win32k!xxxEnableWndSBArrows use-after-free (CVE-2015-0057) bug on both 32-bit and 64-bit
• Blind Return Oriented Programming
• Username enumeration techniques and their value
• Some Notes About the Xen XSA-122 Bug
• A Back-to-Front TrueCrypt Recovery Story: The Plaintext is the Ciphertext
• Xen SMEP (and SMAP) Bypass
• Exploiting Samba CVE-2015-0240 on Ubuntu 12.04 and Debian 7 32-bit
• Derusbi: A Case Study in Rapid Capability Development
• SMACK, SKIP-TLS & FREAK SSL/TLS Vulnerabilities
• Samba _netr_ServerPasswordSet Expoitability Analysis
• Adventures in Xen Exploitation
• Abusing Blu-ray Players Part 1 – Sandbox Escapes
• Violating the Virtual Channel – RDP Testing
• Windows Firewall Hook Enumeration
• DARPA OnStar Vulnerability Analysis
• Ghost Vulnerability (CVE-2015-0235)
• Analysis of setting cookies for third party websites in different browsers
• Intel® Software Guard Extensions (SGX): A Researcher’s Primer
• Launching the first in our series of Research Insights
• Tis the Season to Be…
• Analysis of the Linux backdoor used in freenode IRC network compromise
• Drupal Vulnerability
• The facts about BadUSB
• CloudWatch: Amazon Web Services & Shellshock
• Shellshock Bash Vulnerability
• Technical Advisory – Apple iOS / OSX: Foundation NSXMLParser XXE Vulnerability
• Understanding Ransomware
• A New Flying Kitten?
• Extracting the Payload from a CVE-2014-1761 RTF Document
• Writing Robust Yara Detection Rules for Heartbleed
• Whitepaper – XML Schema, DTD, and Entity Attacks: A Compendium of Known Techniques
• The Case of Missing File Extensions
• Apache Struts Vulnerability
• Logs, Logs, the Audit Trail – Features of a Successful Log Management Solution
• Heartbleed OpenSSL vulnerability
• Security of Things: An Implementer’s Guide to Cyber Security for Internet of Things Devices and Beyond
• Vulnerabilities Found In Geofencing Apps
• Introduction to Anti-Fuzzing: A Defence in Depth Aid
• Non Obvious PE Parsers – The .NET runtime – Part 1
• Windows DACLs & Why There Is Still Room for Interest
• Scenester – A Small Tool for Cross-Platform Web Application
• How To Spot a Penetration Tester in Your Network (and Catch the Real Bad Guys at the Same Time)
• Technical Advisory – IBM WebSphere Commerce: Encrypted URL Parameter Vulnerable to Padding Oracle Attacks
• EasyDA – Easy Windows Domain Access Script
• ASP.NET Security and the Importance of KB2698981 in Cloud Environments Threat Brief
• Pip3line – The Swiss Army Knife of Byte Manipulation
• Content Security Policies and Popular CMS Systems
• Grepify – a Small Tool for Code Reviewers
• Visualising Firewall Rulesets – Simplifying Firewall Administration and Spotting the Pivot Point
• Spy-Pi: Do you trust your laptop docking stations?
• Advice for security decision makers contemplating the value of Antivirus
• The death of USB autorun and the rise of the USB keyboard
• Lessons learned from 50 USB bugs
• How Microsoft Office knows a document came from the Internet and might be dangerous
• Technical Advisory – HTC IQRD Android Permission Leakage
• Technical Advisory – libraptor – XXE in RDF/XML File Interpretation
• Whitepaper – A Heap of Trouble: Breaking the Linux Kernel SLOB Allocator
• Technical Advisory – VMware Tools Multiple Vulnerabilities
• Technical Advisory – Apple HFS+ Information Disclosure Vulnerability
• Technical Advisory – OpenOffice.org Multiple Memory Corruption Vulnerabilities
• Technical Advisory – Citrix Access Gateway Command Injection Vulnerability
• Technical Advisory – Linux RDS Protocol Local Privilege Escalation
• Technical Advisory – Coda Filesystem Kernel Memory Disclosure
• WebLogic Plugin HTTP Injection via Encoded URLs
• Multiple Cisco CSS / ACE Client Certificate and HTTP Header
• TANDBERG Video Communication Server Authentication Bypass
• TANDBERG Video Communication Server Static SSH Host Keys
• TANDBERG Video Communication Server Arbitrary File Retrieval
• Chrome Password Manager Cross Origin Weakness
• Whitepaper – Weaning the Web off of Session Cookies: Making Digest Authentication Viable
• Whitepaper – HTTP Digest Integrity: Another look, in light of recent attacks
• Research Paper – Recovering deleted data from the Windows registry
• Java Web Start File Inclusion via System Properties Override
• Multiple Format String Injections in AFFLIB
• Multiple Shell Metacharacter Injections in AFFLIB
• Multiple Buffer Overflows Discovered in AFFLIB
• PDF Form Filling and Flattening Tool Buffer Overflow
• WebSense content filter bypass when deployed in conjunction with Cisco filtering devices
• Remote Directory Traversal and File Retrieval
• Technical Advisory – IBM TAM: Remote Directory Traversal and File Retrieval via web server plug-in