Machine Learning 102: Attacking Facial Authentication with Poisoned Data

This blog post is the second in a series related to machine learning, and demonstrates exactly how a data poisoning attack might work to insert a backdoor into a facial authentication system. The simplified system has similarities to that which the TSA is running a proof of concept trial at the Detroit and Atlanta airports. As background, … Continue reading Machine Learning 102: Attacking Facial Authentication with Poisoned Data

Using Semgrep with Jupyter Notebook files

If you frequently deliver source code review assessments of products, including machine learning components, I'm sure you are used to reviewing Jupyter Notebook files (usually python). Although I spend most of my time reviewing the source code manually, I also use static analysis tools such as semgrep, using both public and private rules. This tool … Continue reading Using Semgrep with Jupyter Notebook files

Puckungfu: A NETGEAR WAN Command Injection

Summary Vulnerability Details Overview Execution Flow /bin/pucfu /usr/lib/libfwcheck.so get_check_fw fw_check_api curl_post /lib/libpu_util.so SetFileValue pegaPopen Check Firmware HTTPS Normal Request & Response Exploitation Command Injection Response Root Shell Final Notes Patch Pwn2Own Note Summary This blog post describes a command injection vulnerability found and exploited in November 2022 by NCC Group in the Netgear RAX30 router’s … Continue reading Puckungfu: A NETGEAR WAN Command Injection

MeshyJSON: A TP-Link tdpServer JSON Stack Overflow

Summary Target Binary tdpServer Architecture & Mitigations Forks Understanding The Vulnerability Reaching The Vulnerable Function Broadcast Fork Flow Server Fork Flow JSON Array Stack Overflow Triggering The Bug Broadcast Fork Response Server Fork Request Vulnerability Constraints Storing Arbitrary Content In Memory cJSON Summarized cJSON Struct cJSON Data cJSON Heap Memory Single cJSON cJSON structure and … Continue reading MeshyJSON: A TP-Link tdpServer JSON Stack Overflow

Machine Learning 101: The Integrity of Image (Mis)Classification?

Professor Ron Rivest observed the close relationship between cryptography and machine learning at the ASIACRYPT conference back in 1991. Cross-fertilization of common notions, such as integrity, privacy, confidentiality and authenticity, have only grown in the following three decades as these fields have become more central to our everyday lives. This blog post is the first in … Continue reading Machine Learning 101: The Integrity of Image (Mis)Classification?

A jq255 Elliptic Curve Specification, and a Retrospective

First things first: there is now a specification for the jq255e and jq255s elliptic curves; it is published on the C2SP initiative and is formally in (draft) version 0.0.1: https://github.com/C2SP/C2SP/blob/main/jq255.md The jq255e and jq255s groups are prime-order groups appropriate for building cryptographic protocols, and based on elliptic curves. These curves are from the large class … Continue reading A jq255 Elliptic Curve Specification, and a Retrospective

Technical Advisory – NXP i.MX SDP_READ_DISABLE Fuse Bypass (CVE-2022-45163)

Vendor: NXP Semiconductors Vendor URL: https://www.nxp.com Affected Devices: i.MX RT 101x, i.MX RT102x, i.MX RT1050/6x, i.MX 6 Family, i.MX 7 Family, i.MX8M Quad/Mini, Vybrid Author: Jon Szymaniak <jon.szymaniak(at)nccgroup.com> CVE: CVE-2022-45163 Advisory URL: https://community.nxp.com/t5/Known-Limitations-and-Guidelines/SDP-Read-Bypass-CVE-2022-45163/ta-p/1553565 Risk: 5.3 (CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N), 2.6 if C:L, 0.0 if C:N Summary NXP System-on-a-Chip (SoC) fuse configurations with the SDP READ_REGISTER operation disabled (SDP_READ_DISABLE=1) … Continue reading Technical Advisory – NXP i.MX SDP_READ_DISABLE Fuse Bypass (CVE-2022-45163)

Tool Release – Web3 Decoder Burp Suite Extension

Web3 Decoder is a Burp Suite Extension that allows to decode "web3" JSON-RPC calls that interact with smart contracts in a EVM blockchain. As it is said that a picture is worth a thousand words, the following two screenshots shows a Raw JSON-RPC call, and its decoded function call: Background When auditing a DApp (Decentralized … Continue reading Tool Release – Web3 Decoder Burp Suite Extension

Check out our new Microcorruption challenges!

New Microcorruption challenges created by Nick Galloway and Davee Morgan Today we are releasing several new challenges for the embedded security CTF, Microcorruption. These challenges highlight types of vulnerabilities that NCC Group’s Hardware and Embedded Systems practice have discovered in real products. The new challenges provide a simple interface to explore these vulnerabilities without having … Continue reading Check out our new Microcorruption challenges!