Cedric Halbronn
SETTLERS OF NETLINK: Exploiting a limited UAF in nf_tables (CVE-2022-32250)
Introduction netlink and nf_tables Overview Sets Expressions Set Expressions Stateful Expressions Expressions of Interest nft_lookup nft_dynset nft_connlimit Vulnerability Discovery CVE-2022-32250 Analysis Set Creation Set Deactivation Initial Limited UAF Write Exploitation Building an Initial Plan Offsets We Can Write at Into the UAF Chunk Hunting for Replacement Objects What Pointer Do…
September 1, 2022
57 mins read
Analyzing a PJL directory traversal vulnerability – exploiting the Lexmark MC3224i printer (part 2)
This post describes a vulnerability found and exploited in October 2021 by Alex Plaskett, Cedric Halbronn, and Aaron Adams working at the Exploit Development Group (EDG) of NCC Group. We successfully exploited it at Pwn2Own 2021 competition in November 2021. Lexmark published a public patch and their advisory in January…
Exploiting the Sudo Baron Samedit vulnerability (CVE-2021-3156) on VMWare vCenter Server 7.0
NCC Group's Exploit Development Group document exploiting the sudo vulnerability on VMWare vCenter Server
Exploit mitigations: keeping up with evolving and complex software/hardware
We have been filling the knowledge gap by tracking all the exploit mitigations in summary tables present in modern operating systems
Wubes: Leveraging the Windows 10 Sandbox for Arbitrary Processes
Wubes is like Qubes but for Microsoft Windows. The idea is to leverage the Windows Sandbox technology to spawn applications in isolation. We currently support spawning a Windows Sandbox for the Firefox browser, with other applications easily added.
March 3, 2021
2 mins read
A WarCon 2017 Presentation: Cisco ASA – Exploiting the IKEv1 Heap Overflow – CVE-2016-1287
Exodus Intel released a proof of concept (POC) in early 2016, demonstrating how to obtain remote code execution on Cisco Adaptive Security Appliance (ASA) firewalls exposed to the internet. The POC exploits a pre-authentication vulnerability in Internet Key Exchange (IKE) aka CVE-2016-1287 and is highly critical. The POC works on…
An adventure in PoEKmon NeutriGo land
TL;DR A full technical note explaining the analysis of a Flash file part of the Neutrino Exploit kit has been uploaded to our Cyber Defence Github repository. This document details a methodology to analyse all components of the original Flash file. It details how we manually deobfuscate most of its…
Exploiting CVE-2015-2426, and How I Ported it to a Recent Windows 8.1 64-bit
tl;dr This paper details how I ported the CVE-2015-2426 (a.k.a. MS15-078) vulnerability, as originally exploited by Eugene Ching of Qavar Security on the January 2015 version of Windows 8.1 64-bit to the more recent July 2015 version of Windows 8.1 64-bit, the last version of Windows still vulnerable to this issue…