Exploring macOS Calendar Alerts: Part 2 – Exfiltrating data (CVE-2020-3882)

Using a carefully crafted calendar event, an attacker can retrieve semi-arbitrary files from a target victim’s macOS system, all the victim has to do is click on an invite.

Research Report – Zephyr and MCUboot Security Assessment

Over the years, NCC Group has audited countless embedded devices for our customers. Through these security assessments, we have observed that IoT devices are typically built using a hodgepodge of chipset vendor board support packages (BSP), bootloaders, SDKs, and an established Real Time Operating System (RTOS) such as Mbed or FreeRTOS. However, we have recently … Continue reading Research Report – Zephyr and MCUboot Security Assessment →

CVE-2018-8611 Exploiting Windows KTM Part 5/5 – Vulnerability detection and a better read/write primitive

The fifth and final blog posts exploring the detailed exploitation of CVE-2018-8611.

CVE-2018-8611 Exploiting Windows KTM Part 4/5 – From race win to kernel read and write primitive

The fourth of five blog posts exploring the detailed exploitation of CVE-2018-8611.

Using SharePoint as a Phishing Platform

Introduction The rise of endpoint protection and the use of mobile operating systems has created additional challenges when targeting corporate users with phishing payloads designed to execute code on their endpoint device. Credential capture campaigns offer an alternative chance to leverage remote working solutions such as VPNs or Desktop Gateways in order to gain access … Continue reading Using SharePoint as a Phishing Platform →

Shell Arithmetic Expansion and Evaluation Abuse

Introduction Recently we came across a class of vulnerability that was discovered some time ago yet is not very well known, despite the potential impact of its discovery and exploitation being critical. During the (re)discovery of this type of bug we managed to get a privileged shell on a Linux-based appliance that only presented a … Continue reading Shell Arithmetic Expansion and Evaluation Abuse →

CVE-2018-8611 Exploiting Windows KTM Part 3/5 – Triggering the race condition and debugging tricks

The third of five blog posts exploring the detailed exploitation of CVE-2018-8611.

Tool Release – Socks Over RDP

Introduction Remote Desktop Protocol (RDP) is used to create an interactive session on a remote Windows machine. This is a widely used protocol mostly used by Administrators to remotely access the resources of the operating system or network based services. As penetration testers we frequently find ourselves in a situation where the only access that … Continue reading Tool Release – Socks Over RDP →

Exploring macOS Calendar Alerts: Part 1 – Attempting to execute code

This post explores the potential abuse of some features within the macOS Calendar application. It covers multiple attack paths that could lead to code execution and discusses the protections Apple has in place to mitigate them.

CVE-2018-8611 Exploiting Windows KTM Part 2/5 – Patch analysis and basic triggering

The second of five blog posts exploring the detailed exploitation of CVE-2018-8611.