SETTLERS OF NETLINK: Exploiting a limited UAF in nf_tables (CVE-2022-32250)

Introduction netlink and nf_tables Overview Sets Expressions Set Expressions Stateful Expressions Expressions of Interest nft_lookup nft_dynset nft_connlimit Vulnerability Discovery CVE-2022-32250 Analysis Set Creation Set Deactivation Initial Limited UAF Write Exploitation Building an Initial Plan Offsets We Can Write at Into the UAF Chunk Hunting for Replacement Objects What Pointer Do We Want to Arbitrary Free? … Continue reading SETTLERS OF NETLINK: Exploiting a limited UAF in nf_tables (CVE-2022-32250)

Analyzing a PJL directory traversal vulnerability – exploiting the Lexmark MC3224i printer (part 2)

This post describes a vulnerability found and exploited in October 2021 by Alex Plaskett, Cedric Halbronn, and Aaron Adams working at the Exploit Development Group (EDG) of NCC Group. We successfully exploited it at Pwn2Own 2021 competition in November 2021. Lexmark published a public patch and their advisory in January 2022 together with the ZDI advisory. The vulnerability is now known as CVE-2021-44737.

A WarCon 2017 Presentation: Cisco ASA – Exploiting the IKEv1 Heap Overflow – CVE-2016-1287

Exodus Intel released a proof of concept (POC) in early 2016, demonstrating how to obtain remote code execution on Cisco Adaptive Security Appliance (ASA) firewalls exposed to the internet. The POC exploits a pre-authentication vulnerability in Internet Key Exchange (IKE) aka CVE-2016-1287 and is highly critical. The POC works on 32-bit ASA 9.2.4 and supports … Continue reading A WarCon 2017 Presentation: Cisco ASA – Exploiting the IKEv1 Heap Overflow – CVE-2016-1287

An adventure in PoEKmon NeutriGo land

TL;DR A full technical note explaining the analysis of a Flash file part of the Neutrino Exploit kit has been uploaded to our Cyber Defence Github repository. This document details a methodology to analyse all components of the original Flash file. It details how we manually deobfuscate most of its components and refers to many … Continue reading An adventure in PoEKmon NeutriGo land

Exploiting CVE-2015-2426, and How I Ported it to a Recent Windows 8.1 64-bit

tl;dr This paper details how I ported the CVE-2015-2426 (a.k.a. MS15-078) vulnerability, as originally exploited by Eugene Ching of Qavar Security on the January 2015 version of Windows 8.1 64-bit to the more recent July 2015 version of Windows 8.1 64-bit, the last version of Windows still vulnerable to this issue before it got patched by … Continue reading Exploiting CVE-2015-2426, and How I Ported it to a Recent Windows 8.1 64-bit