NCC Group Publication Archive

This whitepaper details the vulnerability and examines some of the concepts needed for browser exploitation before describing how to construct a working exploit that exits gracefully. Download Whitepaper: Click to access cve-2014-0282.pdf Authored by Katy Winterborn

Vendor: KineticaVendor URL: https://www.kinetica.com/Versions affected: 7.0.9.2.20191118151947Systems Affected: AllAuthor: Gary Swales Gary.Swales@nccgroup.com Advisory URL / CVE Identifier: CVE-2020-8429Risk: High (Command Injection on the underlying operating system) Summary The Kinetica Admin web application version 7.0.9.2.20191118151947 did not properly sanitise the input for the function getLogs. This lack of sanitisation could be exploited…

Vendor: SumppleVendor URL: http://www.sumpple.comVersions affected: S610 firmware 9063.SUMPPLE.7601 - 9067.SUMPPLE.7601 Sumpple IP Cam Android V1.1.33 – V1.11 IOS 1.51.5986 (Previous versions are also likely to be affected)Systems Affected: Sumpple S610 WiFi Wireless PTZ Outdoor Security Video Network IP Camera Summple IP Cam Android and IOS mobile application.Author: Sebastian Parker-Fitch (@scorpioitsec)Advisory…

We are moving to a time where many ‘things’ that we know and use have the capability to be connected to a network either wired or wirelessly. The way we use technology is becoming more integrated in all aspects of our daily lives and is steadily integrating within the enterprise…

Over the past few years there has been an increase in the use of sound as a communications channel for device-to-device communications. This practice has been termed Data-Over-Sound (DOS) and has been billed as a cheap and easy to use alternative to traditional communications protocols such as Wi-Fi and Bluetooth.…

Quantum computing is still in its infancy but is expected to cause major changes to the technology landscape in coming years. Its ability to massively reduce the time taken for processes normally requiring large amounts of processing power is already causing concerns about the future of cryptography and the resistance…

Vendor: LansweeperVendor URL: https://www.lansweeper.com/Versions affected: prior to 7.1.117.4Systems Affected: Lansweeper applicationAuthor: Soroush Dalili (@irsdl)Advisory URL / CVE Identifier: https://www.lansweeper.com/changelog/ - CVE-2019-13462Risk: Critical when MSSQL database is in use (not default) Summary The Lansweeper application is agentless network inventory software that can be used for IT asset management. It uses the…

15 Security Advisories, 128 Jenkins Plugin Vulnerabilities and 1 Core Vulnerability118 CVEs, 1 CVE pending, 10 issues with no CVE requested About the Vulnerabilities NCC Group Security Consultant Viktor Gazdag has identified 128 security vulnerabilities across Jenkins plugins and one within the Jenkins core with the following distribution: Credentials stored…

Multiple vulnerabilities, ranging from information disclosure to remote code execution, were found in some Ricoh printers. The vulnerability list below was found affecting to some Ricoh printers: Multiple Buffer Overflows Parsing HTTP Cookie Headers (CVE-2019-14300) Multiple Buffer Overflows Parsing HTTP Parameters (CVE-2019-14305, CVE-2019-14307) Buffer Overflow Parsing LPD Packets (CVE-2019-14308) No…

Multiple vulnerabilities, ranging from information disclosure to remote code execution, were found in several Brother printers. The vulnerability list below was found affecting to several Brother printers: Stack Buffer Overflow in Cookie Values (CVE-2019-13193) Heap Overflow in IPP Attribute Name (CVE-2019-13192) Information Disclosure Vulnerability (CVE-2019-13194) Technical Advisories: Stack Buffer Overflow…

Multiple vulnerabilities, ranging from information disclosure to remote code execution, were found in several Xerox printers. The vulnerability list below was found affecting to several Xerox printers: Buffer Overflow in Google Cloud Print Implementation (CVE-2019-13171) Multiple Buffer Overflows in IPP Service (CVE-2019-13165, CVE-2019-13168) Multiple Buffer Overflows in Web Server (CVE-2019-13169,…

Multiple vulnerabilities, ranging from information disclosure to remote code execution, were found in several Kyocera printers. The vulnerability list below was found affecting to several Kyocera printers: Multiple Buffer Overflows in Web Server (CVE-2019-13196, CVE-2019-13197, CVE-2019-13202, CVE-2019-13203, CVE-2019-13206) Multiple Buffer Overflows in IPP Service (CVE-2019-13204) Buffer Overflow in LPD Service…

Multiple vulnerabilities, ranging Cross-Site Scripting to buffer overflows, were found in several HP printers: Multiple Buffer Overflows in IPP Service (CVE-2019-6327) Buffer Overflow in Web Server (CVE-2019-6326) Multiple Cross-Site Scripting Vulnerabilities (CVE-2019-6323, CVE-2019-6324) Cross-Site Request Forgery Countermeasures Bypass (CVE-2019-6325)   Technical Advisories: Multiple Buffer Overflows in IPP Service (CVE-2019-6327) Vendor:…

Multiple vulnerabilities, ranging from information disclosure to remote code execution, were found in several Lexmark printers. The vulnerability list below was found affecting to several Lexmark printers: SNMP Denial of Service Vulnerability (CVE-2019-9931) Multiple Overflows in Lexmark Web Server (CVE-2019-9930, CVE-2019-9932, CVE-2019-9933) Information Disclosure Vulnerabilities (CVE-2019-9934, CVE-2019-9935) Information Disclosure Vulnerability…

Vendor: IntelVendor URL: http://www.intel.com/Versions affected: Intel Driver Support Assistance prior to version 19.4.18Systems Affected: Microsoft WindowsAuthor: Richard Warren <richard.warren[at]nccgroup[dot]com>Advisory URL / CVE Identifier: CVE-2019-11114.Risk: Medium Summary This vulnerability allows a low privileged user to escalate their privileges to SYSTEM. Location Intel Driver Support Assistance – DSAService (DSACore.dll) Impact Upon successful…

Vendor: CitrixVendor URL: http://www.citrix.com/Versions affected: Citrix Workspace App versions prior to 1904 and Receiver for Windows versions prior to LTSR 4.9 CU6 version 4.9.6001Systems Affected: Microsoft WindowsAuthor: Ollie Whitehouse <ollie.whitehouse[at]nccgroup[dot]com> Richard Warren <richard.warren[at]nccgroup[dot]com> Martin Hill <martin.hill[at]nccgroup[dot]com>Advisory URL / CVE Identifier: CVE-2019-11634.Risk: Critical Summary The Citrix Workspace / Receiver client suffers…

This whitepaper addresses the cyber security threat to agriculture and the wider food network. The perspective and primary focus is the United Kingdom but the majority of observations on the structure of markets, technologies and related issues are largely applicable to other countries. Furthermore, some of the recommended actions identified in…

Connected Health is a rapidly growing area with huge innovative possibilities and potential. This is mostly due to the uptake of digital technologies in the health and medical fields that support diagnosis, treatment and management of health conditions. It is however crucially important that security of Connected Health products, systems…

Vendor: SmarterToolsVendor URL: https://www.smartertools.com/ Versions affected: prior to Build 6985 (CVE-2019-7214), prior to Build 7040 (CVE-2019-7211, CVE-2019-7212, CVE-2019-7213)Systems Affected: SmarterMailAuthor: Soroush Dalili (@irsdl)Advisory URL / CVE Identifier: CVE-2019-7214, CVE-2019-7213, CVE-2019-7212, CVE-2019-7211 https://www.smartertools.com/smartermail/release-notes/current Risk: Critical and High Summary The SmarterMail application is a popular mail server with rich features for normal…

Vendor: MailEnableVendor URL: https://www.mailenable.com/ Versions affected: versions before 10.24, 9.83, 8.64, 7.62, 6.90 (20th June 2019)Systems Affected: tested on Enterprise Premium but all versions have been patchedAuthor: Soroush Dalili (@irsdl)Advisory URL / CVE Identifier: CVE-2019-12923, CVE-2019-12924, CVE-2019-12925, CVE-2019-12926, CVE-2019-12927 http://www.mailenable.com/Premium-ReleaseNotes.txt http://www.mailenable.com/Premium-ReleaseNotes9.txt http://www.mailenable.com/Premium-ReleaseNotes8.txt http://www.mailenable.com/Premium-ReleaseNotes7.txt http://www.mailenable.com/Premium-ReleaseNotes6.txtRisk: Critical, High, Medium Summary The MailEnable…

Abstract Unikernels are small, specialized, single-address-space machine images constructed by treating component applications and drivers like libraries and compiling them, along with a kernael and a thin OS layer, into a single binary blob. Proponents of unikernels claim that their smaller codebase and lack of excess services make them more efficient and secure than…

Vendor: AvayaVendor URL: https://www.avaya.com/Versions affected: 10.0 through 10.1 SP3, 11.0Systems Affected: Avaya IP OfficeAuthor: Mattia Reggiani mattia.reggiani[at]nccgroup[dot]comAdvisory URL: https://downloads.avaya.com/css/P8/documents/101054317Advisory URL / CVE Identifier: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15614Risk: Medium Summary The One-X Web Portal was vulnerable to multiple persistent or stored cross-site scripting (XSS) vulnerabilities. This occurs when JavaScript or HTML code entered as…

Executive Summary In the spring of 2018, The Zerocoin Electric Coin Company engaged NCC Group to perform a two-pronged review of recent changes to the Zcash cryptocurrency. The first prong focused on updates to the Overwinter consensus code, such as architectural changes facilitating future network upgrades, and new features, such as transaction expiry. The second prong…

xendbg is a full-featured debugger for both HVM and PV Xen guests. It can act as a stub server for LLDB, allowing users to do their work in a familiar environment, and also provides a standalone REPL with all the standard comfort features of popular debuggers: contextual tab-completion, expressions, and variables.…

These days it is quite common to see a deserialisation flaw in a product. Although awareness around finding and exploiting this type of vulnerability is out there for security researchers, developers can still struggle with securing their code especially when they are not fully aware of dangerous methods and functionalities…

  As part of our vulnerability research work at NCC Group we find many vulnerabilities (bugs) in commercial products and systems and for the past nine years we have kept a detailed internal log of these bugs. In this whitepaper prepared by Matt Lewis, Research Director at NCC Group, we…

In this whitepaper*, nine different implementations of TLS were tested against cache attacks and seven were found to be vulnerable: OpenSSL, Amazon s2n, MbedTLS, Apple CoreTLS, Mozilla NSS, WolfSSL, and GnuTLS. The cat remains alive, with two lives left thanks to BearSSL (developed by NCC Group’s Thomas Pornin) and Google’s BoringSSL. The issues were disclosed back in August, and the teams…

Third parties can provide an invaluable resource and service for your organisation. But how far should you go when validating a third party supplier? What does the third party need to be validated against? How can you be confident that the validation process is effective? Is the validating process detrimental…

Whenever an outage on one of these cloud providers occurs, or a data breach of information held by them, the immediate press coverage starts asking whether they really are as secure and reliable as traditionally managed servers. This whitepaper provides an overview of public cloud services and the steps to…

In the summer of 2018, Google engaged NCC Group to conduct a security assessment of the Android Cloud Backup/Restore feature, which premiered in Android Pie. This engagement focused on a threat model that included attacks by rogue Google employees (or other malicious insiders) with privileges up to and including root-in-production. The Android…

Vendor: MicrosoftVendor URL: https://www.microsoft.com/Systems Affected: Microsoft OutlookAuthor: Soroush DaliliCVE Identifiers: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8572, https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11927Risk: Medium – Possible SMB Hash Hijacking or User Tracking Summary Microsoft Outlook could be abused to send SMB handshakes externally after a victim opening or simply viewing an email. A WebDAV request was sent even when the SMB…

Vendor: libSSHVendor URL: https://www.libssh.org/Versions affected: Versions of libSSH 0.6 and above, prior to 0.7.6 or 0.8.4.Author: Peter Winter-Smith peter.winter-smith[at]nccgroup.comAdvisory URL / CVE Identifier: CVE-2018-10933 - https://www.libssh.org/security/advisories/CVE-2018-10933.txtRisk: Critical – Authentication Bypass Summary libSSH is a library written in C which implements the SSH protocol and can be used to implement both…

Vendor: MicrosoftVendor URL: https://www.microsoft.com/Versions affected: .NET Framework before July 2018 patchSystems Affected: .NET Framework Workflow libraryAuthor: Soroush Dalili (@irsdl)Advisory URL / CVE Identifier: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8284 Risk: Critical Summary In the .NET Framework, workflows can be created by compiling an XOML file using the libraries within the System.Workflow namespace. The workflow compiler…

Vendor: Mitel Vendor URL: https://www.mitel.com Versions affected: 5330e IP Phone Systems Affected: Mitel MiVoice Author: Mattia Reggiani mattia.reggiani[at]nccgroup[dot]trust Advisory URL: https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-18-0009 CVE Identifier: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15497 Risk: Low-High (case dependent) – Denial of Service and possible Remote Code Execution Summary The Mitel MiVoice 5330e VoIP device is affected by a memory corruption…

Singularity of Origin is a robust and easy-to-use tool to perform DNS rebinding attacks. It consists of a DNS and a web server, a web interface to configure and launch an attack, and sample attack payloads. We plan to support this tool and continue to add features and payloads. Singularity…

From February 26 to March 18, 2018, IronCore Labs engaged NCC Group’s Cryptographic Services Practice to perform a review of their proxy re-encryption protocol and implementation. IronCore’s Proxy re-encryption scheme allows delegation of decryption rights from one entity to another without sharing private keys. IronCore uses this to delegate access…

Vendor: MicrosoftVendor URL: https://www.microsoft.com/Versions affected: .NET Framework before September 2018 patchSystems Affected: .NET Framework Workflow libraryAuthor: Soroush Dalili (@irsdl)Advisory URL / CVE Identifier: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8421 Risk: Critical Summary In the .NET Framework, workflows can be created by compiling an XOML file using the libraries within the System.Workflow namespace. The workflow compiler…

Author: Robert C. Seacord The Jackson JSON processor offers an alternative to Java serialization by providing data binding capabilities to serialize Java objects to JSON and deserialize JSON back to Java objects. Poorly written Java code that deserializes JSON strings from untrusted sources can be vulnerable to a range of…

It’s not uncommon to find websites that attempt to validate user input and block code injection attacks using a blacklist of dangerous characters or keywords. Superficially, this might seem like a common-sense way to protect a website with minimum effort but it can prove to be extremely difficult to comprehensively…

Vendor: Virgin MediaVendor URL: https://www.virginmedia.com/Versions affected: products before Aug 2018 rollout / 9.1.116V and 9.1.885JSystems Affected: Hub 3.0Author: Balazs Bucsay (@xoreipeip)Advisory URL / CVE Identifier: NoneRisk: Critical Summary Multiple security vulnerabilities were found in the device’s firmware that could be chained and led to unauthenticated remote command execution. Location Multiple…

This paper discusses the similarities and differences between professional ethics in the information security industry and ethics in the hacker community. Sources of conflict and shared values of the two are discussed in order to find some reconciliation and come to an understanding of how a shared set of ethics…

It has been known for a while that deserialisation of untrusted data can often lead to serious security issues such as code execution. However, finding such issues might not be a trivial task during time-limited penetration testing. As a result, NCC Group has developed a Burp Suite extension called Freddy [1]…

Sobelow, released in 2017, is the first security-focused static analysis tool for the Phoenix framework. For security researchers, it is a useful tool for getting a quick view of points-of-interest. For project maintainers, it can be used to prevent the introduction of a number of common vulnerabilities. Over the last…

House is an open source web application that simplifies the testing process with Frida. With House, security researchers can easily generate Frida scripts to perform various tasks including enumeration, function hooking and intercepting. It also provides an easy-to-use web UI for researchers to generate, customise, and manage their Frida scripts. House…

How can we quickly identify which users and roles have access to a given action (and resource) in an AWS account? Erik Steringer built the Principal Mapper (pmapper) as the answer to that question. It uses the existing simulator APIs to determine which users and roles have access to each…

Abstract Side channels have long been recognised as a threat to the security of cryptographic applications. Implementations can unintentionally leak secret information through many channels, such as microarchitectural state changes in processors, changes in power consumption, or electromagnetic radiation. As a result of these threats, many implementations have been hardened to defend against these…

Vendors affected: Multiple Versions affected: Multiple Author: Keegan Ryan <keegan.ryan[at]nccgroup[dot]trust> <@inf_0_> Advisory URL / CVE Identifier: CVE-2018-0495 Risk: Medium (Key disclosure is possible, but only through certain side channels) Summary We have discovered an implementation flaw in multiple cryptographic libraries that allows a side-channel based attacker to recover ECDSA or…

Over the past few months, we have put Mallory through its paces. Scores of mobile applications have had their network streams MiTMd by Mallory. It has become one of a few important tools that we use on a daily basis. Because we use it so often, we sometimes forget that it may seem…

Welcome to the home of Mallory! Mallory is a transparent TCP and UDP proxy. It can be used to get at those hard to intercept network streams, assess those tricky mobile web applications, or maybe just pull a prank on your friend. You are probably here to get Mallory up…

The CyberVillainsCA is a small Java library for on-the-fly generation, duplication and substitution of X.509 certificates. It is intended for use in building or extending security testing tools, for example, WebScarab (example included). Generates a Certification Authority certificate for importation as a Trusted Root Automatically generates standard SSL server certificates…

DECTbeacon is a war driving application for DECT that includes support for GPS tracking of DECT fixed points. DECTbeacon can augment a wireless security assessment by detecting the presence and location of DECT fixed points, which may then be analyzed further to determine points of vulnerability including a gaps in…

Fuzzbox is a multi-codec media fuzzer. Prerequisites: Python py-vorbis 1.4 mutagen 1.11 Download Tool

Gizmo is a graphical web proxy written in Java. It is designed to be speedy, with the user interfaced centered around keyboard use. It should do what you want, and then get out of your way. Pre-Requisites: Java 1.6 Download Gizmo from Google Code.

Intent Sniffer is a tool that can be used on any device using the Google Android operating system (OS). On the Android OS, an Intent is description of an action to be performed, such as startService to start a service. The Intent Sniffer tool performs monitoring of runtime routed broadcasts Intents.…

HTTP Profiler is a simple program that summarizes packet traces of HTTP traffic, to highlight performance problems caused by excessive network traffic. Many web sites and applications cost more than they should, due to unoptimized network behavior.The original goal of httprof was to help people understand that, of all the…

Intent Fuzzer is a tool that can be used on any device using the Google Android operating system (OS). Intent Fuzzer is exactly what is seems, which is a fuzzer. It often finds bugs that cause the system to crash or performance issues on the device. The tool can either…

Transport Layer Security (TLS), commonly called SSL, is one of the most widely used protocols to secure network communications. As costs fall and user security and privacy expectations rise companies are deploying it more widely every year. Attacks against the CA system, SSL implementation flaws and aging protocol versions have…

Jailbreak is a tool for exporting certificates marked as non-exportable from the Windows certificate store. This can help when you need to extract certificates for backup or testing. You must have full access to the private key on the filesystem in order for jailbreak to work. Prerequisites: Win32   Please…

Package Play is a tool that can be used on any device using the Google Android operating system (OS). Package Play shows the user all installed packages on the mobile device. This helps the user in the following ways: Easy way to start exported Activities Shows defined and used permissions…

Manifest Explorer is a tool that can be used on any device using the Google Android operating system (OS). On Android, every application must have an AndroidManifest.xml file in its root directory. The AndroidManifest.xml files does a few things, which is all explained  here. From a security perspective, the file is…

ProxMon is an extensible Python based framework that reduces testing effort, improves consistency and reduces errors. Its use requires limited additional effort as it processes the proxy logs that you’re already generating and reports discovered issues. In addition to penetration testing, ProxMon is useful in QA, developer testing and regression…

This is a modified version of Todd Whiteman’s PySimReader code. This modified version allows users to write out arbitrary raw SMS PDUs to a SIM card. Additionally, debugging output has been added to allow the user to view all APDUs that are sent between the SIM card and PySimReader. Usage:#…

SAML Pummel is a BeanShell plug-in for WebScarab. It automates eight different injection attacks to assist in auditing the implementation of SAML 2.0 single sign-on systems. C14N Entity Expansion C14N Transforms Remote DTD Remote KeyInfo RetrievalMethod Remote KeyInfo WSSE Security Token Reference SignedInfo Remote Reference XSLT Transform URL Retrieval (Xalan)…

SecureBigIP is a command line tool to analyze the management security aspects of a F5 Big IP Load Balancer. Prerequisites: Win32 Download Tool

SecureCisco is a product that analyzes several security settings of a Cisco Router. SecureCisco’s analyzer includes over 25 checks for security. Additionally, for each finding, SecureCisco will provide a detailed recommendation with the exact syntax to mitigate any insecure security setting. The product is able to evaluate both global security…

SecureCookies is a tool to evaluate whether a given URL is utilizing the security options in the cookie. Prerequisites: Win32 Download Tool

SecureIE.ActiveX is a tool to evaluate the ActiveX security settings on Internet Explorer. Prerequisites: Win32 Download Tool

WebRATS is an homage to RATS, a tool to scan code and flag the use of dangerous APIs, identified hazards, and provide secure coding alternatives (RATS was originally created by Secure Software). WebRATS is intended for today’s web-enabled, distributed development methodologies. It was designed to integrate transparently into ordinary code…

Overview AWS Inventory is a tool that scans an AWS account looking for AWS resources. There are constantly new services being added to AWS and existing ones are being expanded upon with new features. This ecosystem allows users to piece together many different services to form a customized cloud experience.…

Extractor is a Burp Suite tool that allows users to define one or more decode steps and automatically apply them to all requests and responses. Users can then alter the decoded payload to have it properly re-encoded and injected back into the request. (This applies to modifiable requests, such as in…

CMakerer is a small open source tool that was created to deal with the problem of tricky-to-load C/C++ codebases. CMakerer scans for C/C++ files and parses their #include directives to identify potential include paths. It then generates a CMakeLists.txt file for the entire codebase. While such files will not likely…

This is a collection of tools used to attack applications that use Windows Interprocess Communication mechanisms. This package includes tools to intercept and fuzz named pipes, as well as a shared memory section fuzzer. Prerequisites: Windows Python Download Tool

WSBang is a Python-based tool used to perform automated security testing of SOAP based web services. Takes URL of WSDL as input Fuzzes all methods and parameters in the service Identifies all methods and parameters, including complex parameters Fuzzes parameters based on type specified in WSDL Reports SOAP responses and…

WSMap is a Python-based tool that helps penetration testers find web service endpoints and discovery files. Parses WebScarab logs to find testing targets Tests URLs and implies URLs found in log Tests for WSDL and DISCO web service discovery formats Prerequisites: WebScarab Python 2.4 pyCurl Download Tool

Nerve is a cross platform scriptable debugger built using our Ragweed library. Nerve consumes your breakpoint configuration files and then executes the ruby scripts you specify as debugger events occur. Nerve scripts have been used to implement hit tracers, in memory fuzzers and code coverage tools. You can find detailed documentation on…

Ragweed is our native code debugging library written in Ruby. It runs on Win32, OSX and Linux. That’s right, we implemented a native code debugger from the ground up using nothing but Ruby and FFI. You read that right, no 3rd party dependencies! Ragweed can be used to build powerful…

Kivlad is a decompiler for Android’s Dalvik binaries, with a highly customizable web-based navigation interface. Unlike existing decompilers for Dalvik, it works natively on Dalvik bytecode rather than converting back to Java bytecode; this means much higher quality results. Also unlike other tools having a static GUI, it takes in…

These tools are useful for testing any program which processes binary file inputs such as archivers and image file viewers. FileP is a python-based file fuzzer. It generates mutated files from a list of source files and feeds them to an external program in batches. Prerequisites: Python 2.4 FileH is a haskell-based…

Android SSL Bypass is an Android debugging tool that can be used for bypassing SSL verification on network connections, even when certificate pinning is implemented – as well as other debugging tasks. It runs as an interactive console. The tool is based on a scriptable JDWP debugger using the JDI…

Hiccupy is a Jython binding for the PortSwigger Burp Suite’s BurpExtender interface. It is intended to facilitate realtime traffic analysis and modification of plain text protocols using simple plugins. The tool hooks BurpExtender::processProxyMessage and executes plugin modules on both requests and responses. Plugins are written in Python and can be…

When performing a black box assessment of an iOS App, one of the main tasks of the tester is to intercept the application’s network communications using a proxy. This gives the tester the ability to see what is happening behind the scenes and how the application and the server communicate…

Correct implementation of SSL is crucial to secure transmission of data between clients and servers. However, this crucial task is frequently done improperly, due to complex APIs and lack of understanding of SSL fundamentals. The SSL Conservatory is intended to be a clearinghouse for well-documented and secure sample code to…

TLSPretense is a framework for testing client-side SSL/TLS certificate validation. Software that uses HTTPS and TLS, such as mobile applications and web service clients, often make mistakes configuring and implementing client-side TLS code. These mistakes are usually severe enough to allow an attacker to intercept the supposedly protected network traffic.…

Tcpprox is a simple command line tcp proxy written in Python. It is designed to have very minimal requirements – it runs directly from Python (tested in Python 2.7) from a single source file (unless the auto-certificate option is used). When running, the proxy accepts incoming TCP connections and copies…

YoNTMA (You’ll Never Take Me Alive!) is a tool designed to enhance BitLocker’s data protection on Windows laptops. YoNTMA ensures that if your laptop is physically stolen while it is powered on, sensitive data (such as disk encryption keys) does not persist in memory for an attacker to recover via…

Welcome to the Intrepidus Group Tattler project information page. Tattler is aSkype power tool that lets users track and monitor message modification in Skype. Tattler also provides a shell to the raw Skype API commands to allow for the manipulation and monitoring of many other Skype behaviors and activities. Features:  …

PeachFarmer facilitates fuzz testing in the cloud. PeachFarmer is designed to be used in conjunction with the Peach fuzzing framework. Peach allows the user to split up a fuzzing job among many machines, but does not offer a built-in way to gather the logs and crash dumps from all these separate…

This tool disables signature and permission checks for Android IPCs. This can be useful to test internal or restricted IPCs in specific cases/scenarios. The tool is available on Github project page.

This extension makes all applications running on the device debuggable; once installed, any application will accept a debugger to attach to them. The tool is available on Github here.

This tool hooks various methods in order to disable SSL certificate pinning, by forcing the Android application to accept any SSL certificate. Once installed, it works across all applications on a device. The tool is available on Github here.

Introspy for Android is a tool designed to help penetration testers understand what an Android application does at runtime, and to greatly facilitate the process of reviewing the application’s security mechanisms. Further details can be found here

RtspFuzzer, an open-source fuzzer for the real-time streaming protocol (RTSP) is now available on our Github page here.

A new version of SSLyze is now available. SSLyze is a Python tool that can analyze the SSL configuration of a server by connecting to it. The tool is available on Github here.

enced by a constant “2131099692”, which cannot be dereferenced and this is where apktool is very helpful. Before we get into apktool, we will try to understand what is being passed. getAction() will get whatever was set using setAction() in the MainActivity class. putExtra() sends additional parameters in the form of a…

Tools Required:   Android SDK (ADT bundle). Will use adb mostly. Dex2jar. (Used for unpacking .apk file) jd-gui. (Java Decompiler) apktool Mercury. Link Extractor tool like Winrar. Burp Suite free Virtuous Ten Studio (optional but highly recommended)   Preparation for taking apart the app:   Get your hands on the apk…

This is a collection of scripts that can be used to generate fuzzed files, fuzzed file systems, and file systems containing fuzzed files. These can be used to test the robustness of forensics tools and examination systems. Prerequisites: Linux/Python Download Tool

Open Technology Fund (OTF) engaged iSEC Partners (iSEC) to perform a source code assisted white box security assessment of Security First’s Umbrella mobile application. One iSEC consultant performed the engagement remotely over two weeks, from June 15th, 2015 to June 26th, 2015. Security First provided iSEC access to the mobile…

How does it work? Autochrome is simply a script that fetches the latest version of Google’s Chromium, creates a number of test profiles, and installs it. Rather than do extensive modifications to the Chromium source, we rely on the base executable built by Google and only modified the profiles so…

WSSiP is a tool for viewing, interacting with, and manipulating WebSocket messages between a browser and web server. WebSockets themselves are a newer option for client-side JavaScript code that allows browsers to connect to the web server in order to signify that the connection should be a TCP connection. As defined…

Summary AssetHook is a tool that enables Android security researchers and pentesters to modify the asset portions of Android applications on the fly, without modifying the APK itself. Such modifications allow researchers to alter embedded data to better assess and test mobile applications. AssetHook is easier to use than existing methods…

Call Map is a tool for navigating call graphs in Python, with plans to support other languages. A call graph is a natural way to traverse code, where the nodes are procedures and directed edges connect procedures that call each other. Many editors and IDEs prioritize first the text, then…

Sobelow is the first security‐focused static analysis tool for the Phoenix framework. For security researchers, it is a useful tool for getting a quick view of points‐of‐interest. For project maintainers, it can be used to prevent the introduction of a number of common vulnerabilities. Currently Sobelow detects some types of…

G-Scout is a tool made to help assess the security of Google Cloud Platform (GCP) environment configurations. By leveraging the Google Cloud API, G-Scout automatically gathers a variety of configuration data, and analyzes this data to determine security risks. It produces HTML output, which allows for convenient browsing of results.…

Burp Suite’s built-in decoder component, while useful, is missing important features and cannot be extended. To remedy this, Justin Moore developed Decoder Improved, a drop-in replacement Burp Suite plugin. It includes all of decoder’s functionality while fixing bugs, adding tabs, and includes an improved hex editor. Additionally, the plugin’s functionality…

RTTI can be an extremely helpful way to gain insight about a C++ binary during reverse engineering, and Python Class Informer’s visualization of the class hierarchies can strengthen these insights even further. We hope reverse engineers’ lives will become a little easier using the visualizations produced by this plugin. Currently,…

Burp Suite is an intercepting HTTP Proxy, and it is the defacto tool for performing web application security testing. While Burp Suite is a very useful tool, using it to perform authorization testing is often a tedious effort involving a “change request and resend” loop, which can miss vulnerabilities and…

TPM Genie is an Arduino-based man-in-the-middle (“interposer”) for the Trusted Platform Module I2C serial bus. This tool has been designed to aid in the security research of TPM hardware as well as the host-side drivers that communicate the with them. In its simplest usage scenario, TPM Genie is capable of…

The concept of Open Banking is an innovative one. However, as with any new developments surrounding sensitive financial information it is imperative to assess the security implications of these actions. Matthew Pettitt discusses the pros and cons of the planned implementation and potential risks of Open Banking in NCC Group’s…

Scenester – a tool to visually snapshot a website by supplying multiple user-agent. Designed to aid in discovery of different entry points into an application. For more information and to download the tool, visit our GitHub page here.

Automate NMAP scans and custom Nessus polices. Features include:  Discovers live devices Auto launches port scans on only the discoverd live devices Can run mulitple instances on multiple adaptors at once Creates client Ref directory for each scan Outputs all unique open ports in a Nessus ready format. Much faster…

A collection of tools to enumerate and analyse Windows DACLs: Tool 1: Process Perms Tool 2: Windows Stations and Desktops  Tool 3: Services  Tool 4: File Sytem  Tool 5 Registry   For more information and to download the tool visit our GitHub page here. 

umap is a USB host security assessment tool, based on Facedancer by Travis Goodspeed.  For more information and to download the tool visit our GitHub page here.

A tool to find and exploit servers vulnerable to Shellshock. To download the tool, please visit our Github page here.

Zulu is an interactive GUI based fuzzer. The tool is input and output agnostic, therefore when you are happy with using the fuzzing engine that’s driven by the GUI you are only limited by the input and output modules that have been developed for it. To download the tool, please…

This proto-type was originally designed a developed during Christmas 2008 / 2009 to show how a non signature based AV could reliably detect malicious code. For more information and to download the tool, visit our GitHub page here. 

vlan-hopping is a simple VLAN enumeration and hopping script, developed by Daniel Compton.  For more information and to download the tool, visit our GitHub page here. 

Tybocer is a new view on code review. When presented with a new piece of code to review it is useful to search through for common terms, or to hunt down specific definitions of particular functions. For more information and to download the tool visit our GitHub page here.

A network data locator using credentials obtained during penetration tests. Xcavator is a tool that scans a range of IP addresses for services that host files (FTP, FTPS and SMB at the moment) and for given credentials it will try to download everything it can and scan within the files…

A Microsoft Windows Process Lockdown Tool using Job Objects, developed by Ollie Whitehouse.  To download the tool visit our GitHub page here.

Azucar is a multi-threaded plugin-based tool to help assess the security of Azure Cloud environment subscription. By leveraging the Azure API , Azucar automatically gathers a variety of configuration data and analyses all data relating to a particular subscription in order to determine security risks. The script will not change…

Vendor: ManageEngineVendor URL: https://www.manageengine.com/products/desktop-central/Versions affected: 10.0.124 and 10.0.184 verified, all versions <= 10.0.184 suspectedSystems Affected: AllAuthor: Ben Lincoln <ben.lincoln[at]nccgroup[dot]trust>Advisory URLs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5337, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5338, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5339, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5340, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5341, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5342Risk: Critical (unauthenticated remote code execution) Summary Desktop Central is integrated desktop and mobile device management software that helps in managing servers, laptops, desktops, smartphones,…

The rise of blockchain technology has brought about the invention of Ethereum. The Ethereum Virtual Machine (EVM) is a trustless, distributed computer that stores its state on a blockchain. Developers can define logic in the form of smart contracts, which are pieces of code that can be executed by the…

BLEBoy is a great resource for learning about BLE security and provides a single BLE peripheral that can be used to experiment with each BLE pairing method. This release of BLEBoy includes a parts list, instructions for how to construct the device, source code that needs to be compiled and…

Vendor: MicrosoftVendor URL: https://www.microsoft.com/Versions affected: products before July 2018 patchSystems Affected: Visual Studio, .NET Framework, SharePointAuthor: Soroush Dalili (@irsdl)Advisory URL / CVE Identifier: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8172 https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8260 https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8300Risk: Medium to High Summary A number of deserialisation issues within the resource files (.resx and .resources) were reported to Microsoft in January 2018 by…

Vendor: RedgateVendor URL: https://www.red-gate.com/Versions affected: prior to 10.0.7.774 (24th July, 2018)Systems Affected: .NET ReflectorAuthor: Soroush Dalili (@irsdl)Advisory URL / CVE Identifier: https://documentation.red-gate.com/ref10/release-notes-and-other-versions/net-reflector-10-0-release-notes (CVE-2018-14581)Risk: Critical Summary It was possible to execute code by decompiling a compiled .Net object (such as DLL or EXE) with an embedded resource file. An attacker could…

Vendor: Jenkins Delivery Pipeline Plugin Vendor URL: https://plugins.jenkins.io/delivery-pipeline-plugin Versions affected: 1.0.7 (up to and including) Systems Affected: Jenkins Author: Viktor Gazdag viktor.gazdag[at]nccgroup[dot]trust Advisory URL / CVE Identifier: https://jenkins.io/security/advisory/2017-11-16/ Risk: Medium – 6.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) (Reflected Cross-Site Scripting) Summary The Delivery Pipeline Plugin is a Jenkins plugin that helps visualizing the delivery/build…

While there are many claims that cyber security is an indispensable necessary cost, there is also a body of opinion that cyber security does not always justify its costs and the financial impacts of a breach are frequently either exaggerated or unclear. As a response to these concerns, this whitepaper…

“We’re entering a new world in which data may be more important than software.” Tim O’Reilly Following from our recent CISO research council, our research team have put together this whitepaper, which explores the evolutionary steps in ransomware and malicious code and what NCC Group’s current perspective is. Ransomware as…

With the exponential increase of online services over the last decade, it is no surprise that the theft of credentials from poorly-secured applications is a growing concern and data breaches are becoming more of a regular occurrence. Even if we manage to secure and lock down these applications, do we…

Security is a high priority for most organisations. A string of high priority breaches in big multinational companies has brought home the threat that all organisations face in the modern world. Therefore, a growing number of companies are considering how to best protect themselves and reduce the impact of a…

Real-time, memory-level interoperability with a closed-source binary may be desired for a number of reasons. In order to read from and write to specific data structures within a target process’ memory, external software must have knowledge of how to access these structures at any given time. Since many objects are…

Nick Collisson, the author of Pointer Sequence Reverser (PSR), occasionally found himself with the need to write software that integrates deeply into an existing closed-source Windows binary and alters, or enhances, its behaviour. Such software must be able to access the data within the running process for reading and writing.…

Most of us interact with Artificial Intelligence (AI) or Machine Learning (ML) on a daily basis without even knowing; from Google translate, to facial recognition software on our mobile phones and digital assistance in financial services or call centres. It is a growing market with ever increasing possibilities across all…

Working closely with our clients both on site or at events, we are finding that several remain unclear on the topic of breach notification under GDPR. There seems to be little, focused guidance on the topic despite the fact that the new regulation will be enforced from May 2018. This…

NCC Group consultants Mason Hemmel and Jeff Dileo recently completed a one-week audit of the Kolide TUF client. The audit took place between August 28, 2017 and September 1, 2017. TUF, an acronym for The Update Framework, is a set-and-forget library for securing software updates. It combines a preponderance of…

Vendor: AdobeVendor URL: https://www.adobe.com/uk/products/coldfusion-family.htmlSystems Affected: ColdFusion 2016 update 4 and below, ColdFusion 11 update 12 and belowAuthor: Nick Bloor (@NickstaDB) / nick.bloor@nccgroup.comAdvisory URL: https://helpx.adobe.com/security/products/coldfusion/apsb17-30.htmlCVE Identifier: CVE-2017-11284Risk: Critical (unauthenticated remote code/command execution) Summary Adobe ColdFusion supports Flex integration to enable Flash applications to interact with ColdFusion components. This is achieved using…

Vendor: AdobeVendor URL: https://www.adobe.com/uk/products/coldfusion-family.htmlSystems Affected: ColdFusion 2016 update 4 and below, ColdFusion 11 update 12 and belowAuthor: Nick Bloor (@NickstaDB) / nick.bloor@nccgroup.comAdvisory URL: https://helpx.adobe.com/security/products/coldfusion/apsb17-30.htmlCVE Identifier: CVE-2017-11283Risk: Critical (unauthenticated remote code/command execution) Summary Adobe ColdFusion supports Flex integration to enable Flash applications to interact with ColdFusion components. This is achieved using…

Following from our recent CISO research council, our research team have put together this whitepaper, which explores the use of PowerShell in a modern corporate environment and how to mitigate the associated threats. Since its incarnation in 2006, PowerShell has grown to be a powerful and extensible management tool, allowing for…

Vendor: PAC4j Vendor URL: http://www.pac4j.org/ Versions affected: All versions through 3.0.0 (latest at time of writing) Author: James Chambers <james.chambers[at]nccgroup[dot]trust> Advisory URL / CVE Identifier: TBD Risk: High (an attacker can bypass path-based authentication rules) Summary Regular expressions used for path-based authentication by the play-pac4j library are evaluated against the…

Vendor: tsl0922Vendor URL: https://github.com/tsl0922/ttyd/ (https://tsl0922.github.io/ttyd/)Versions affected: 1.3.0 (<=)Author: Donato Ferrante <donato.ferrante[at]nccgroup[dot]trust>Patch URL: https://github.com/tsl0922/ttyd/commit/4d31e534c0ec20582d91210990969c19b68ab3b0Risk: Critical Summary ttyd is a cross platform (e.g. macOS, Linux, FreeBSD, OpenWrt/LEDE, Windows) tool for sharing a terminal over the web, inspired by GoTTY. ttyd may allow remote attackers to execute shell commands on a victim’s system,…

Continuous integration (CI) has long left the stage of experimental practices and moved into mainstream software development. It is used everywhere from start-ups to large organisations, in a variety of technology stacks and problem domains, from web applications to embedded software. However, the security implications of introducing CI are often…

The popularity of USB usage has grown and it has become a common vehicle for spreading malware. As such, the need to protect IT assets from a cyber attack is paramount and from a physical endpoint perspective, this presents a challenging dynamic when wanting to prevent a data breach via…

On the 17th April 2007 Oracle released their 10th Critical Patch Update. This brief discusses the database flaws and EM01 which relates to the Intelligent Agent. Many of the flaws being patched are old issues. For example, DB01 relates to an issue first reported to Oracle in 2002 and another in June…

Buffer Underruns and Stack Protection Starting with Windows 2003 Server, Microsoft introduced a number of Exploitation Prevention Mechanisms (XPMs) into their software. Over time these XPMs were refined as weaknesses were discovered [1][2] and more XPMs were introduced. Today the XPMs have been added to Windows XP Service Pack 2…

When drilling for data via SQL injection there are three classes of attack – inband, out-of-band and the relatively unknown inference attack. Inband attacks extract data over the same channel between the client and the web server, for example, results are embedded in a web page via a union select. Out-of-band attacks employ…

Exploiting well knows flaws in DNS services and the way in which host names are resolved to IP addresses, Phishers have upped the ante in the cyber war for control of a customer’s online identity for financial gain. A grouping attack vectors now referred to as “Pharming”, affects the fundamental…

The objective of this series of papers is to describe the mathematical properties of some of the more common pseudo-random sequence generators and to show how they can be attacked by illustrating the principles with real-world bugs. The series demonstrates how weak randomness can be identified, used to compromise real-world systems, and defended against.…

When exploiting PL/SQL injection flaws in SELECT/UPDATE/INSERT/DELETE statements it has long been known that if an attacker can create their own function, and inject this, then it is possible for them to execute arbitrary PL/SQL code – for example EXECUTE IMMEDIATE ‘GRANT DBA TO PUBLIC’. Of course, if the attacker can’t create their own…

This paper presents a number of technical discussion points relating to the potential for exploiting stack overflow vulnerabilities without having direct access to the application which is to be exploited. The points raised in this paper discuss the key issues which would need to be overcome in order to do this, as well…

Technology trail-blazing organisations such as large financial institutions have been working to secure their custom applications for several years, but the second-tier “technology following” organisations have been too slow to follow. This is now rapidly changing due to recent bad press following many highly publicised security compromises. In many of…

The paper is intended to be read by the portion of the security community responsible for creating protective mechanisms to guard against “shellcode” type security flaws; the intention is to remove the perception that Unicode buffer overflows are non exploitable and thereby improve the general state of network security. It…

This paper discusses the feasibility of violating the access control, authentication and audit mechanisms of a running process in the Windows server operating systems. Specifically, it discusses the feasibility of totally disabling application – enforced access control in a running service, taking SQL Server 2000 as a sizeable and meaningful…

Agenda The role of the BIOS Attacking a legacy BIOS Limitations of the legacy BIOS Introduction to the EFI environment Attacking the EFI environment UEFI, summary and conclusions Some Caveats… This talk is about rootkit persistenceThis persistence How to deploy a rootkit from the BIOS/EFIHow EFI Not concerned with what…

Objectives Discuss current “threat landscape” Introduce a new class of vulnerability Introduce a new method of attack Show practical demonstrations Look at some defences Download presentation Author: David Litchfield

Agenda Recap of ACPI BIOS rootkit and limitations Brief overview of the PCI Bus Abusing expansion ROMs Abusing PXE Detection, Prevention and the TPM Summary and conclusions Download presentation Author: John Heasman

The Past, Present and Future of Database Security In 2006 there were 335 publicized data breaches in the U.S. So far in 2007 there have been 276. With the 5th anniversary of the SQL Slammer worm drawing near, now is a good a time as any to look back on…

This paper presents several methods of bypassing the protection mechanism built into Microsoft’s Windows 2003 Server that attempts to prevent the exploitation of stack based buffer overflows. Recommendations about how to thwart these attacks are made where appropriate. Microsoft is committed to security. I’ve been playing with Microsoft products, as…

Over the last two decades, both Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks have been growing in frequency, complexity and volume. Traditionally, these attacks are associated with botnets and large amounts of traffic aimed at disrupting Internet-facing services. However, while the goal of these attacks remains…

VoIP Security Issues The issues brought up in VoIP security and throughout this presentation are not new and are not a surprise. Telephony experience and IP experience combined with a security focused mindset are enough to combat these issues. There is a lot of public coverage of VoIP issues, however…

Many IIS web servers running ASP applications will use the CDONTS.NEWMAIL object to provide the functionality for feedback or contact forms. This paper will examine how the CDONTS.NEWMAIL object can be used by attackers to send arbitrary e-mails via the vulnerable web server and what must be done to prevent an online ASP…

In Oracle, a failure to close cursors created and used by DBMS_SQL or a failure to clean up open cursors in the event of an exception can lead to a security hole. If the cursor in question has been created by higher privileged code and left hanging then it’s possible for a low…

This paper presents some unexpected consequences of running database servers on Windows XP with Simple File Sharing enabled. In the real world, this kind of setup would typically be a developer’s system and as it turns out, in some cases depending on the database software, you might not just be sharing your files…

DNS-based attacks can be used to perform a partial breach of browser same origin restrictions in some situations, enabling a malicious web site to perform two-way interaction with a different domain. The attacks that are normally conceived against browser-based DNS pinning are capable of being resolved through additional safeguards within…

Vendor: Microsoft Vendor URL: https://www.microsoft.com/ Versions affected: IE 10, 11, and Edge prior to July 2017 patch Systems Affected: Windows with above versions affected Author: Soroush Dalili Advisory URL / CVE Identifier: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8592 Risk: Low Summary Internet Explorer (or Edge) could be used to send arbitrary messages to a target…

This paper will examine the differences between the security posture of Microsoft’s SQL Server and Oracle’s RDBMS based upon flaws reported by external security researchers and since fixed by the vendor in question. Only flaws affecting the database server software itself have been considered in compiling this data so issues that affect, for example,…

This paper will examine the differences and commonality in the way a vulnerability common to both Windows and Linux is exploited on each system. The VulnerabilityThe vulnerability that will be discussed in this paper is a classic stack based overflow in OracleÕs RDBMS 9.2.0.1. As well as offering the standard SQL service,…

“Security within the Internet of Things (IoT) is currently below par.” The statement above derives from many observations across our work in IoT (and that of the wider security research community) in addition to a myriad of regular, publicly reported issues and security concerns with IoT devices and their infrastructures.…

Data Loss Prevention (DLP) is a security control aimed at highlighting when sensitive data leaves the corporate network or is accessed without authorisation. A DLP solution can be a great asset to a business and support a range of security goals and compliance. It can be an invaluable safety net…

With one click, his entire business was in the hands of someone else. Sensitive company information, bank account details, social media profiles, various other usernames and passwords. All stolen by a cyber criminal in a convincing phishing attempt. The email he’d received looked legitimate. It was just a simple request…

“By far the greatest danger of Artificial Intelligence is that people conclude too early that they understand it.”  Eliezer Yudkowsky At NCC Group, we are researching Machine Learning (ML) and Artificial Intelligence (AI) from a number of different angles in order to fully understand the pros and cons of ML…

Abstract Java Serialisation is an important and useful feature of Core Java that allows developers to transform a graph of Java objects into a stream of bytes for storage or transmission and then back into a graph of Java objects. Unfortunately, the Java Serialisation architecture is highly insecure and has led…

The modern vehicle has become increasingly computerised as the demand for cleaner emissions and better transport safety for drivers and pedestrians has grown. Numerous initiatives are currently underway to begin to address this threat and to bring the principles used within traditional enterprise environments (such as the Secure Development Lifecycle)…

Abstract Network-Attached Storage (NAS) devices are a popular way for people to store and share their photos, videos and documents. Securing these devices is essential as they can contain sensitive information and are often exposed to the Internet. Because  Synology is one of the top manufacturers of NAS devices, we chose to…

NCC Group’s Robert Seacord explores the underbelly of the Java language in his whitepaper on “Accessing Private Fields Outside of Classes in Java.” According to Robert, “The use of nested classes in Java programs weakens the accessibility guarantees of the language and allows private fields to be accessed from outside…

It is a widely held belief that the vast majority of threats to businesses are from outside attackers, with the stereotypical view of hackers trying to make money through crime.  The problem with this viewpoint is that it does not consider the threat from a malicious insider. There is a…

Biometric facial recognition is becoming an increasingly popular mechanism for authenticating users in online and mobile environments. In addition, it is continually being adopted for physical access control, whether at border controls such as airports or within secure facilities to enforce strict access control (and/or time and attendance tracking) to…

Following from our recent CISO research council, our research team have put together this whitepaper, which explores encryption at rest. Encryption at rest is not a panacea to data protection due to its complexity and the utility of data. Often, misconceptions can (and do) arise whereby it is believed that…

An NCC Group whitepaper: Applying normalised compression distance for architecture classification When working with malware research and black box penetration testing, it is not always clear what data you are working on and in order to disassemble binaries properly, one needs to know the architecture that the binary has been…

Title                                  D-LINK DIR-850L web admin interface vulnerable to stack-based buffer overflow Reference                         VT-95 Discoverer                …

Vendor: Oracle Vendor URL: http://www.oracle.com/  Versions affected: 11.1.2.4 (previous versions may also be affected) Systems Affected: Oracle Hyperion Financial Reporting Web Studio Author: Mathew Nash Mathew.Nash[at]nccgroup[dot]trust, Fabio Pires Fabio.pires[at]nccgroup[dot]trust Advisory URL: http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html  CVE Identifier: CVE-2017-10310 Risk: High (Unauthenticated local file read, server-side request forgery or denial of service) Summary The…

“GDPR is about giving people back control of their personal data.” The EU General Data Protection Regulation (GDPR) will come into force across all member states, including the UK, on 25 May 2018. It will provide a common baseline for data protection across all of the member states and its consistent approach and requirements will benefit…

Vendor: macvim-dev Vendor URL: http://macvim.org Versions affected: snapshot-110 Author: Daniel Crowley <daniel.crowley[at]nccgroup[dot]trust> Bug discovery credit: Anonymous Advisory URL / CVE Identifier: TBD Risk: Critical Summary MacVim is a Mac OS port of Vim. MacVim is vulnerable to shell injection in mvim:// URIs through the column parameter, allowing attacks through a…

Vendor: Atlassian Vendor URL: http://atlassian.com Versions affected: v1.9.8 known affected version, earlier versions possible Systems Affected: Mac OS X known affected, others possible Author: Daniel Crowley <daniel.crowley[at]nccgroup[dot]trust> Advisory URL / CVE Identifier: https://jira.atlassian.com/browse/SRCTREE-4481 Risk: Critical (reliable remote code execution) Summary SourceTree is a product for working with various types of…

Vendor: Accellion, Inc. Vendor URL: http://www.accellion.com/ Versions affected: FTA_9_12_40, FTA_9_12_51, FTA_9_12_110, others likely Systems Affected: Accellion File Transfer Appliance Author: Daniel Crowley <daniel.crowley[at]nccgroup[dot]trust> Advisory URL / CVE Identifier: TBD Risk: Critical Summary The Accellion File Transfer Appliance (FTA) is an alternative to traditional email and FTP services for file transfers.…

An NCC Group whitepaper Regardless of the size, scope, geography or sector of your organisation, there are common elements that should be considered when it comes to cyber security due diligence during the M A process. This whitepaper aims to cover the risks, opportunities and responsibilities associated with cyber security…

Title                                  Privilege Escalation in CA Common Services casrvc due to Arbitrary WriteReference                        VT-37Discoverer                      …

In today’s modern society the requirement for employees to be based within a corporate office is minimal, largely due to remote working gaining prominence. The cost to provide remote working or mobile technology to employees can, however, be expensive. An ideal solution to this cost issue is enabling the employee…

Vendor: Rapid7, Inc.Vendor URL: http://rapid7.comVersions affected: 6.4.9 2016-11-30 and potentially all prior releases.Systems Affected: Nexpose Vulnerability ScannerAuthor: Noah Beddome, Justin Lemay, and Ben LincolnAdvisory URL / CVE Identifier: 2017-5230Risk: Medium - Requires specific access criteria Summary The Nexpose vulnerability scanner by Rapid7 is widely used to identify network and application…

Title                             Java RMI Registry.bind() Unvalidated DeserializationReference                   VT-87Discoverer                  Nick Bloor (@NickstaDB)Vendor                  …

Every organisation faces uncertainty and this is often a key challenge in achieving its objectives. Much of this uncertainty comes from an inability to accurately predict future events. Generally, we can define a potential future event that could affect an organisation’s objectives as a ‘risk’ and the process of forecasting…

Title                           iOS MobileSlideShow USB Image Class arbitrary code executionRelease Date           15 December 2016Reference                 NCC00249Discoverer                Andy DavisVendor  …

Title                             Denial of Service in Parsing a URL by ierutil.dllReference                   VT-20Discoverer                  Soroush DaliliVendor            …

These slides are from David Middlehurst’s presentation at the BSides Manchester conference. The presentation includes information on a new open source tool called ‘UPnP Pentest Tookit’. Download Presentation

These slides are from Jerome Smith’s presentation at BSides MCR 2014. It tackles the subject of SSL/TLS testing from the viewpoint of a penetration tester. It is a practical guide, broad in scope, focusing on pitfalls and how to check issues manually (as much as possible). Download presentation

These slides are from Robert Ray’s presentation at the Trust Forum in Edinburgh. The presentation looks at the common social engineering tactics and provides hints and tips on how to detect, prevent and respond to a social engineering attack. Download presentation

Ben Williams, security consultant at NCC Group, presented his talk, External Enumeration and Exploitation of Email and Web Security Solutions at Black Hat USA. He also produced two whitepapers which include statistical analysis of the filtering products, services and policies used by some of the world’s top companies. Download presentation…

These slides are from Panagiotis Gkatziroulis’ presentation at the Trust Forum in London. It looks at the common social engineering methods, tools and mitigation involved in social engineering attacks. Download presentation

These slides are from Shaun Jones’ presentation at the Trust Forum in Manchester. He gave examples of real-life phishing attacks and provided tips on how you can protect yourself. Download presentation

These slides are from David Cannings presentation at the 44CON Breakfast Briefing. The talk is titled Automating extraction from malware and recent campaign analysis, and includes an overview of some recent targeted campaigns. Download presentation

DDoS Common Approaches and Failings This webinar looks at the reasons that DDoS mitigation may not be working and what you should be thinking about to protect your business from a DDoS attack, including examples of some testing we have done and common approaches. Download presentation

These slides are from Rory McCunes’ presentation at the Trust Forum in Edinburgh. In his presentation he looked at everything from celebrity hacking to the Heartbleed bug can be explained by a lack of context, and what you can do to avoid the trap of absolute security. Download presentation

These slides are from Irene Michlin’s presentation at the Trust Forum in London. It looked at how much training staff should have on cyber security. Download presentation

Andy Davis, research director at NCC Group, delivered this presentation at the  escar Embedded Security in Cars Conference in Hamburg. His talk focused on how USB security affects embedded systems within vehicles. It covered an overview of USB basics and some classic examples of where vulnerabilities have been previously identified.…

Cyber Essentials Scheme These slides are from Matt Storey’ presentation at the Trust Forum in Manchester. He discussed what Cyber Essentials is, who it is for and the benefits it has to your organisation. Download presentation

This webinar talked through the changes to the new PCI SSC version 3.0 standard in detail and how they will affect your business, the things you need to be thinking about now and the timescales in which you have to react to the changes. Download our presentation Download the presentation…

David Cannings, Principal Consultant at NCC Group, delivered a fantastic webinar on four key considerations when building a robust incident response plan.  The webinar covered: An introduction – why a plan is needed What the risks are Four key considerations Case studies for each consideration More resources on incident response…

These slides are from David FB.Page presentation at the Manchester Trust Forum. The presentation includes information on cloud security and how the different types of cloud implementations could affect your organisation’s security. Download presentation

These slides were presented as part of the SMACK, SKIP-TLS FREAK SSL/TLS vulnerabilities webinar series Our Technical Director, Ollie Whitehouse covered: High level overview of the threat Impact of the threat What is affected/impacted by it Details on how the exploitation works Details on Man in the Middle How to…

Revealing Embedded Fingerprints: Deriving intelligence from USB stack interactions These slides come from Andy Davis’ presentation at Black Hat USA 2013. Andy’s presentation covers the topic of using techniques to analyse USB stack interactions to provide information such as the OS running on the embedded device, the USB drivers installed…

A memory searching utility across multiple processes, that allows you to: Opens each process. Works out the valid memory pages. Search for ascii and unicode incarnation of the string. To download the tool, visit our GitHub page here.

The NCC Group Game from 44CON 2013 – a knowledge based multiple choice game for conferences.  For more information and to download the game, visit our GitHub page here. 

A primitive website scanner currently under development by an NCC Group employee and University graduate with 20% research time. creep currently crawls a site, and searches for potentially interesting information within each page. creep will crawl your (HTTP only) target and pull interesting info on the site, including: Source code…

NCC Code Navi the Text Viewer and Searcher for Code Reviewers, which allows: Easily search across code Ability to have multiple instances of the same file / search queries open concurrently Inbuilt note keeper Send different aspects of filenames, path, code to the note keep easily Select a word or…

Raw bytes manipulation utility, able to apply well known and less well-known transformations. For more information and to download the tool, visit our GitHub page here. 

A web service written in Python designed to identify registered yet mistyped DNS domains. This utility will check if web server, mobile and mail handling DNS records have also been registered. In addition geo IP is used to locate the country that the registered IPv4 and IPv4 addresses are present…

This tool encompasses two distinct features. It guesses the IOCTL values that the driver accepts and also their valid size limitations and store the results are in a file for future reuse. The second feature is comprised of 3 dumb fuzzers: a pure random fuzzer, a sliding DWORD fuzzer and…

IODIDE – The IOS Debugger and Integrated Disassembler Environment Released as open source by NCC Group Plc Developed by Andy Davis, andy dot davis at nccgroup dot com To download visit: https://github.com/nccgroup/IODIDE Released under AGPL see LICENSE for more information Includes the PowerPC disassembler from cxmon by Christian Bauer, Marc…

CECSTeR is the Consumer Electronics Control Security Testing Resource – a GUI-based tool to perform security testing against the HDMI CEC (Consumer Electronics Control) and HEC (HDMI Ethernet Channel) protocols.  For more information and to download the tool visit our GitHub page here.

Cisco SNMP enumeration, brute force, config downloader and password cracking script. For more information and to download the tool, visit our GitHub page here.

Small script to check if the .NET web application is vulnerable to padding Oracle. This script actually verify if the oracle is present and exploitable, not just if the patch has been installed. For more information and to download the tool, visi out GitHub page here.

NCC Code Navi the Text Viewer and Searcher for Code Reviewers. For more information and to download the tool, visit our GitHub page here. 

This tool is an Easy Windows Domain Access Script which finds common password hashes on Windows networks (pass the hash), and Locates logged in Domain Administrator accounts.  For more information and to download the tool, vist our GitHub page here. 

A tool for fuzzing Enhanced Display Identification Data, developed by Andy Davis. For more information and to download the tool visit our GitHub page here.

Fat-Finger extends the original finger.nse and attempts to enumerate current logged on users through a full match of the username and a partial match of the GECOS field in /etc/passwd.  For more information and to download the tool, visit our GitHub page here. 

firstexecution is a collection of different ways to execute code outside of the expected entry points.  For more information and to download the tool, visit our GitHub page here. 

Grepify the GUI Regex Text Scanner for Code Reviewers.  For more information and to download the tool, visit our GitHub page here.

FrisbeeLite is a GUI-based USB device fuzzer, developed by Andy Davis.  For more information and to download the tool, visit our GitHub page here.

Email was not designed to be used the way it is today. Organisations rely on email for daily business communication and while most are protecting against low-level threats, more sophisticated email-based attacks are on the rise. This NCC Group whitepaper highlights the overall risks that organisations face when using email…

We’ve published a short eBook based on our experience of dealing with numerous ransomware cases in the last few years. The eBook is designed to provide real-world advice as to what organisations should do to minimise the likelihood of initial infection as well as limit any impact should that fail.…

A Windows application to help out with external infrastructure scans that can be used for the following: Convert a file of IP addresses to hostnames (output a straight list of hostnames or comma separated list of IP Address, Hostname) Convert a file of hostnames to IP addresses (output a straight…

Lapith is a Python GUI tool that presents Nessus results in a format more useful for penetration testers. Results can be viewed by issue as opposed to by host. It is therefore easier to report all the hosts affected by an issue, rather than all of the issues affecting the…

Metasploit payload generator that avoids most Anti-Virus products. For more information and to download the tool, visit our GitHub page here.

This presentation about maritime cyber security, delivered at the CIRM Annual Meeting in Cyprus, looks at the cyber threats to the maritime industry, an overview of the attack surface, the impact of some of the risks they face and a look at what solutions are available in the short, medium…

A tool to generate Snort rules or Cisco IDS signatures based on public IP/domain reputation data.  For more information and to download the tool, visit our GitHub page here.

This presentation about the “lameness of passwords” was delivered by Ben Williams, senior security consultant at NCC Group, at the 44Con Café event at the IP Expo in Manchester. Williams talked about his experience of breaking into networks and applications with a variety of password attack tools and techniques. It…

These slides are from Matt Storey’s presentation at the Edinburgh Trust Forum. This presentation looks at security testing frameworks, the scheduling aspects of the various forms of testing and other options, such as using STAR or red team assessments to test gaps in IT security controls. Download presentation

Broadcasting your attack – DAB security This presentation was presented at Black Hat USA 2015  Digital Audio Broadcasting (DAB) radio receivers can be found in many new cars and are often integrated into what has become known as the “infotainment system” – typically a large screen in the dashboard that…

These slides are from a presentation, “The Role of Security Research in Improving Cyber Security” by Andy Davis. The presentation discusses the role of security research in helping to improve cyber security.  Download presentation

Matt Lewis, associate director at NCC Group presented a talk at the Oredev conference in Sweden on how self-driving cars is no longer science fiction. Investment is already being made into this area and commercially available vehicles will be available in the next decade. Matt’s talk discusses the possibilities and…

These slides are from Ben Williams’ presentation “They ought to know better: Exploiting Security Gateways via their Web Interfaces”, that he presented at Black Hat Europe in 2012. In this presentation Ben will discuss the 40+ exploits that have been discovered and ways that some of these can be used…

In this presentation Ollie Whitehouse will be discussing How to develop or purchase COTS mobile apps for my enterprise while ensuring security.  Download presentation

These slides come from Alex Stamos Tom Ritter’s presentation, “The Myth of Twelve More Bytes: Security on the Post-Scarcity Internet” from Black Hat USA in 2012. In this presentation will cover the new changes to the internet’s infrastructure and the concerns around this. Download presentation

These slides come from Justine Osborne Alban Diquet’s presentation from Black Hat USA 2012. In this presentation they will explain what certificate pinning is and how it works in the IOS and Android systems. Download Presentation

These slides come from Andy Davis’ presentation from Black Hat USA in 2011. In this presentation Andy will discuss some of the security vulnerabilities around using USBs and the impact these vulnerabilities could have on your organisation.  Dowload Presentation There is also a white paper on this subject, you can…

These slides come from Ollie Whitehouse’s presentation “Software Security Austerity Security Debt in Modern Software Development” that he gave at 44Con in 2012. In this presentation Ollie will explain software security debt and ways that this debt can be managed. Download presentation

These slides are from Ollie Whitehouse’s presentation from the 2012 RSA Conference, eFraud Global Forum in London. In this presentation Ollie will discuss some of the big trends in mobile security form 2012, providing some technical details and real world examples, and then he will give his predictions for threats…

These slides are from Ollie Whitehouse’s presentation from Hack in the Box in Kuala Lumpur. In the presentation Ollie will discuss the What, Why and How of discovering weak link in binaries.  Download presentation

These slides come from Andy Davis’ presentation from BlackHat Europe 2013. In this presentation he will explain why docking stations are an attractive target for an attacker, how they can be attacked and discuss ways to detect and prevent such attacks.  Download Presentation You can also read the white paper…

These slides come from Marc Blanchou’s presentation at Black Hat Europe, Harnessing GP Us: Building Better Browser Based Botnets. In the presentation Marc discusses Harnessing GPUs with browser-based botnets for distributed and cheaper cracking, and will consider botnet impact, cost, stealth requirements and portability when building better browser based botnets.…

Author: Wade Alcorn, Christian Frichot, Michele Orru Michele Orru, from the Group’s  Fort Consult Division, has co-authored The Browser Hacker’s Handbook, with former NCC Group security consultant Wade Alcorn. The book gives practical understanding of hacking the everyday web browser. It contains expert advice on topics such as ARP spoofing,…

Author: Bill Grindlay , David Litchfield Bill Grindlay, principal software architect at NCC Group, has co-authored SQL Server Security. The book provides in-depth coverage of the installation, administration, and programming of secure Microsoft SQL Server environments and applications. It covers some of the latest techniques such as Installing and configuring…

Author: David Litchfield, Chris Anley, John Heasman, Bill Grindlay  NCC Group’s Bill Grindlay, principal software architect and Chris Anley, chief technical scientist, has co-authored The Database Hacker’s Handbook. The book helps readers to understand how to break into and defend the seven most popular database servers. It contains expert advice…

Author: Gavin Watson, Richard Ackroyd, Andrew Mason Gavin Watson and Richard Ackroyd, security engineers at RandomStorm, part of NCC Group, have co-authored a book with former RandomStorm engineer Andrew Mason. The book includes information on practical methodology and everything you need to plan and execute a social engineering penetration test…

FPGA stands for field-programmable gate array. An FPGA is a logic device whose function can be changed while the device is in place within its working environment, allowing the hardware processing of a system to be altered by an external configuration loading process. Their very nature creates potential security risks, and…

In August 2016, Zcash engaged NCC Group to perform a targeted review of the Zcash cryptocurrency implementation. The review was performed in two parts, conducted simultaneously. The first part, performed by the Group’s Cryptography Services practice, focused on validating that Zcash’s implementation adhered to the Zcash Protocol Specification. An assessment…

Abstract ISPs have moved to managed routers due to increased customer service calls with the question “What is my Wi-Fi password?” Managed routers allow complete remote management of a user’s home network and have facilitated customer service centers across ISPs. In this paper, we discuss the process of finding vulnerabilities in remotely managed routers,…

Peeling back the layers on defence in depth…knowing your onions An NCC Group whitepaper Is your organisation fully prepared for malicious attacks from both motivated external attackers and internal threat actors? As the threat landscape continues to evolve it is vital that organisations understand where the threats are and how…

End-of-life pragmatism – an NCC Group whitepaper Does your organisation have a robust IT Refresh Policy in place? One of the main concerns relating to the replacement of IT infrastructure is the cost.  The risk of introducing compatibility issues and, ultimately, downtime  also causes anxiety. However, exploitation of vulnerabilities in…

Vulnerability Summary Title: Microsoft Office Memory Corruption VulnerabilityRelease Date: 10 March 2016Reference: NCC00886Discoverer: Richard WarrenVendor: MicrosoftVendor: Reference MS16-029Systems Affected: Tested on Microsoft Office 2010 on Windows 7CVE Reference: CVE-2016-0021Risk: MediumStatus: Fixed Download technical advisory

Vulnerability Summary Title                                     Windows 10 USB Mass Storage driver arbitrary code execution in kernel mode Release Date                     10 March 2016 Reference  …

UK plc wants tougher cyber regulation and more punishment for failings 71% of UK board directors want companies to be penalised for failing to meet basic cyber security requirements, according to new research from global cyber security and risk mitigation expert NCC Group. In what appears to be a sea…

Title                           Flash local-with-filesystem Bypass in navigateToURLReference                 VT-19Discoverer                Soroush Dalili and Matthew EvansVendor                    …

Title                                  D-Link routers vulnerable to Remote Code Execution (RCE) Release Date                   11 Aug 2016 Reference                    …

Author: David Thiel This book is the definitive guide for hackers and developers allowing readers to understand and eliminate security holes in iOS Application Security. Former NCC Group security consultant, David Thiel, authored this book, which includes information about common iOS coding mistakes that create serious security problems and how…

Author: Dominic Chell, Tyrone Erasmus, Shaun Colley, Ollie Whitehouse.  Ollie Whitehouse, technical director at NCC Group, has co-authored The Mobile Application Hacker’s Handbook.  The book helps readers to understand how to secure mobile phones by approaching the issue from a hacker’s point of view. It contains expert guidance on topics…

NCC Group’s latest Research Insights paper provides a view on modern vulnerability discovery approaches.The identification of vulnerabilities and understanding what is involved in their exploitation has numerous applications in both the attack and defence side of cyber security. The way in which software vulnerabilities are discovered has evolved considerably over…

Organisations that need to keep long-term secrets, or which are designing systems that will be in use for ten or more years, need to plan for a post-quantum-computing world. This whitepaper gives a short introduction and overview of post-quantum cryptography. We discuss why post-quantum crypto is needed and provide handles…

Author(s): Chris Anley, John Heasman, Felix Lindner and Gerardo Richarte. The Shellcoder’s Handbook takes a detailed look at why security holes appear, how to discover them and how to close them so that they can’t be exploited. In this revised 2007 second edition, many new exploitation techniques are explored that were…

We’ve published a short eBook about the potential impact General Data Protection Regulation (GDPR) may have on your marketing activity. Regardless of when or how the various negotiations develop with the EU, the UK’s data protection standards will have to be equivalent to the EU’s GDPR. The eBook is designed…

Vulnerability Summary Title                               Potential false redirection of web site content in Internet in SAP NetWeaver web applications Release Date               8 March 2016 Reference              …

Vulnerability Summary Title                               Multiple security vulnerabilities in SAP NetWeaver BSP Logon Release Date               8 March 2016 Reference                    NCC00837 Discoverer      …

Voice biometrics are becoming an attractive mechanism for authenticating users in online and mobile environments. They may, however, not always be the best choice of authentication mechanism, depending on the performance and assurance requirements of the underlying application. A feasibility study should always be performed on the use of biometrics…

Andrew Tanenbaum once said, “The great thing about standards is there are so many to choose from.” That’s especially true in the realm of web and mobile application authentication. From Base-64 to OAuth, there are nearly as many ways to send your password to a server as there are ways…

Lately, several backdoors in cryptographic constructions, protocols and implementations have been surfacing in the wild: Dual EC in RSA’s B-Safe product, a modified Dual EC in Juniper Networks’s operating system ScreenOS and a non-prime modulus in the open-source tool socat. Many papers have already discussed the fragility of cryptographic constructions…

A common misconception by Windows system administrators is that keeping operating systems fully updated is sufficient to keep them secure. However, even on a network which is fully patched and using the latest Windows operating systems, it is often trivial for an internal attacker to obtain user credentials, and in…

Authored by: Tom Ritter Download Whitepaper

Authored by: Paul Youn Download whitepaper

Authored by: Brad Hill Download whitepaper

Authored by: Scott Stender Download whitepaper

Authored by: Scott Stender Download whitepaper

Authored by: Kate McKinley Download whitepaper

Authored by: Brad Hill Download whitepaper

Authored by: Brad Hill Download whitepaper

Authored by: Jesse Burns Download whitepaper

Also published on the MicroSoft | TechNet Library. Authored by: Brad Hill | Geng Yang Download whitepaper

Authored by: Himanshu Dwivedi | Zane Lackey Download whitepaper

Authored by: Jonathan Wilkins Download whitepaper