Vulnerability

Sifting through the spines: identifying (potential) Cactus ransomware victims

Authored by Willem Zeeman and Yun Zheng Hu. This blog is part of a series written by various Dutch cyber security firms that have collaborated on the Cactus ransomware group, which exploits Qlik Sense servers for initial access. To view all of them please check the central blog by Dutch…


Technical Advisory – Ollama DNS Rebinding Attack (CVE-2024-28224)

Ollama is an open-source system for running and managing large language models (LLMs). NCC Group identified a DNS rebinding vulnerability in Ollama that permits attackers to access its API without authorization, and perform various malicious activities, such as exfiltrating sensitive file data from vulnerable systems.


Puckungfu 2: Another NETGEAR WAN Command Injection

A story on finding a zero-day attacking the NETGEAR WAN interface after a last-minute patch for Pwn2Own 2022, involving a command injection, predicting random numbers, boot timing and voltage supply variations.


Technical Advisory – Multiple Vulnerabilities in PandoraFMS Enterprise

Introduction This is the third Technical Advisory post in a series wherein I audit the security of popular Remote Monitoring and Management (RMM) tools. The first post in the series can be found at Multiple Vulnerabilities in Faronics Insight, the second post can be found at Multiple Vulnerabilities in Nagios…


Technical Advisory – Multiple Vulnerabilities in Nagios XI

Introduction This is the second Technical Advisory post in a series wherein I audit the security of popular Remote Monitoring and Management (RMM) tools. (First: Multiple Vulnerabilities in Faronics Insight). I was joined in this security research by Colin Brum, Principal Security Consultant at NCC Group. In this post I…


Technical Advisory: Sonos Era 100 Secure Boot Bypass Through Unchecked setenv() call

Vendor: Sonos Vendor URL: https://www.sonos.com/ Versions affected: * Confirmed 73.0-42060 Systems Affected: Sonos Era 100 Author: Ilya Zhuravlev Advisory URL: Not provided by Sonos. Sonos state an update was released on 2023-11-15 which remediated the issue. CVE Identifier: N/A Risk: High Summary Sonos Era 100 is a smart speaker released…


Shooting Yourself in the .flags – Jailbreaking the Sonos Era 100

Research performed by Ilya Zhuravlev supporting the Exploit Development Group (EDG). The Era 100 is Sonos’s flagship device, released on March 28th 2023, and is a notable step up from the Sonos One. It was also one of the target devices for Pwn2Own Toronto 2023. NCC found multiple security weaknesses…


Technical Advisory: Adobe ColdFusion WDDX Deserialization Gadgets

Multiple vulnerabilities identified in Adobe ColdFusion allow an unauthenticated attacker to obtain the service account NTLM password hash, verify the existence of a file or directory on the underlying operating system, and configure central config server settings.


Technical Advisory: Insufficient Proxyman HelperTool XPC Validation

Summary The com.proxyman.NSProxy.HelperTool application (version 1.4.0), a privileged helper tool distributed with the Proxyman application (up to and including version 4.10.1) for macOS 13 Ventura and earlier, allows a local attacker to use earlier versions of the Proxyman application to maliciously change the System Proxy settings and redirect traffic to…


Technical Advisory – Multiple Vulnerabilities in Connectize G6 AC2100 Dual Band Gigabit WiFi Router (CVE-2023-24046, CVE-2023-24047, CVE-2023-24048, CVE-2023-24049, CVE-2023-24050, CVE-2023-24051, CVE-2023-24052)

Connectize’s G6 WiFi router was found to have multiple vulnerabilities exposing its owners to potential intrusion in their local Wi-Fi network and browser. The Connectize G6 router is a general consumer Wi-Fi router with an integrated web admin interface for configuration, and is available for purchase by the general public.…


HITB Phuket 2023 – Exploiting the Lexmark PostScript Stack

Aaron Adams presented this talk at HITB Phuket on the 24th August 2023. The talk detailed how NCC Exploit Development Group (EDG) in Pwn2Own 2022 Toronto was able to exploit two different PostScript vulnerabilities in Lexmark printers. The presentation is a good primer for those interested in further researching the…


LeaPFRogging PFR Implementations

Back in October of 2022, this announcement by AMI caught my eye. AMI has contributed a product named “Tektagon Open Edition” to the Open Compute Project (OCP). Tektagon OpenEdition is an open-source Platform Root of Trust (PRoT) solution with foundational firmware security features that detect platform firmware corruption, recover the…


SysPWN – VR for Pwn2Own

Alex Plaskett (@alexjplaskett) presented a talk on the 10th of August 2023 at @SysPWN covering vulnerability research for Pwn2Own. The first section of the talk covered a high-level perspective of the event, personal history, and teams. It then discussed some considerations needing to be made when deciding on target, experiences,…


Technical Advisory – Nullsoft Scriptable Installer System (NSIS) – Insecure Temporary Directory Usage

Description The NSIS uninstaller package did not enforce appropriate permissions on the temporary directory used during the uninstall process. Furthermore, it did not ensure that the temporary directory was removed before running executable content from it. This could potentially result in privilege escalation under certain scenarios. Impact A low-privileged, local…


Defeating Windows DEP With A Custom ROP Chain

Overview This article explains how to write a custom ROP (Return Oriented Programming) chain to bypass Data Execution Prevention (DEP) on a Windows 10 system. DEP makes certain parts of memory (e.g., the stack) used by an application non-executable. This means that overwriting EIP with a “JMP ESP” (or similar)…


Technical Advisory – Multiple Vulnerabilities in Faronics Insight (CVE-2023-28344, CVE-2023-28345, CVE-2023-28346, CVE-2023-28347, CVE-2023-28348, CVE-2023-28349, CVE-2023-28350, CVE-2023-28351, CVE-2023-28352, CVE-2023-28353)

Introduction Faronics Insight is a feature-rich software platform which is deployed on premises in schools. The application enables teachers to administer, control and interact with student devices. The application contains numerous features, including allowing teachers to transfer files to/from students and remotely view the contents of student screens. Generally…


NETGEAR Routers: A Playground for Hackers?

A detailed analysis on multiple vulnerabilities which were identified on the NETGEAR Nighthawk WiFi 6 Router (RAX AX2400) and may exist on other NETGEAR router models.


HITBAMS – Your Not so “Home” Office – Soho Hacking at Pwn2Own

Alex Plaskett and McCaulay Hudson presented this talk at HITB AMS on the 20th April 2023. The talk showcased NCC Exploit Development Group (EDG) in Pwn2Own 2022 Toronto targeting all consumer routers (Netgear, TP-Link and Synology) from both a LAN and WAN perspective. The talk also described how we compromised…


A Race to Report a TOCTOU: Analysis of a Bug Collision in Intel SMM

About four months ago, in October 2022, I was idly poking around the “ICE TEA” leak. This leak was of particular interest to me, because it happened to expose the source code for Intel’s Alder Lake platform BIOS. It’s always fun to finally get to see the code for modules…


Making New Connections – Leveraging Cisco AnyConnect Client to Drop and Run Payloads

The Cisco AnyConnect client has received a fair amount of scrutiny from the security community over the years, with a particular focus on leveraging the vpnagent.exe service for privilege escalation. A while ago, we started to look at whether AnyConnect could be used to deliver payloads during red team engagements…


Technical Advisory – U-Boot – Unchecked Download Size and Direction in USB DFU (CVE-2022-2347)

Summary U-Boot is a popular and feature-rich bootloader for embedded systems. It includes optional support for the USB Device Firmware Update (DFU) protocol, which can be used by devices to download new firmware, or upload their current firmware. The U-Boot DFU implementation does not bound the length field in USB…


Puckungfu: A NETGEAR WAN Command Injection

Summary This blog post describes a command injection vulnerability found and exploited in November 2022 by NCC Group in…


MeshyJSON: A TP-Link tdpServer JSON Stack Overflow

Summary Target Binary tdpServer Architecture Mitigations Forks Understanding The Vulnerability Reaching The Vulnerable Function Broadcast Fork Flow Server Fork Flow JSON Array Stack Overflow Triggering The Bug Broadcast Fork Response Server Fork Request Vulnerability Constraints Storing Arbitrary Content In Memory cJSON Summarized cJSON Struct cJSON Data cJSON Heap Memory Single…


Replicating CVEs with KLEE

This blog post details the steps taken to replicate a udhcpc process crash on BusyBox 1.24.2 using NVD – CVE-2016-2147 (nist.gov), and to produce a working denial of service exploit. We will be using the symbolic execution engine called KLEE to help identify parameters that can cause the specific crash…


Exploring Prompt Injection Attacks

Have you ever heard about Prompt Injection Attacks[1]? Prompt Injection is a new vulnerability that is affecting some AI/ML models and, in particular, certain types of language models using prompt-based learning. This vulnerability was initially reported to OpenAI by Jon Cefalu (May 2022)[2] but it was kept in a responsible…


Technical Advisory – NXP i.MX SDP_READ_DISABLE Fuse Bypass (CVE-2022-45163)

Summary NXP System-on-a-Chip (SoC) fuse configurations with the SDP READ_REGISTER operation disabled (SDP_READ_DISABLE=1) but other serial download functionality still enabled (SDP_DISABLE=0) can be abused to read memory contents in warm and cold boot attack scenarios. In lieu of an enabled SDP READ_REGISTER operation, an attacker can use a series of…


Technical Advisory – OpenJDK – Weak Parsing Logic in java.net.InetAddress and Related Classes

Vendor: OpenJDK Project Vendor URL: https://openjdk.java.net Versions affected: 8-17+ (and likely earlier versions) Systems Affected: All supported systems Author: Jeff Dileo <jeff.dileo[at]nccgroup[dot]com> Advisory URL / CVE Identifier: TBD Risk: Low (implicit data validation bypass) Summary The private static InetAddress::getAllByName(String,InetAddress) method is used internally and by the public static InetAddress::getAllByName(String) to…


Technical Advisory – Multiple Vulnerabilities in Juplink RX4-1800 WiFi Router (CVE-2022-37413, CVE-2022-37414)

Juplink’s RX4-1800 WiFi router was found to have multiple vulnerabilities exposing its owners to potential intrusion in their local WiFi network and complete overtake of the device. An attacker can remotely take over a device after using a targeted or phishing attack to change the router’s administrative password, effectively locking…


There’s Another Hole In Your SoC: Unisoc ROM Vulnerabilities

UNISOC (formerly Spreadtrum) is a rapidly growing semiconductor company that is nowadays focused on the Android entry-level smartphone market. While still a rare sight in the west, the company has nevertheless achieved impressive growth claiming 11% of the global smartphone application processor market, according to Counterpoint Research. Recently, it’s been…


SETTLERS OF NETLINK: Exploiting a limited UAF in nf_tables (CVE-2022-32250)

Introduction netlink and nf_tables Overview Sets Expressions Set Expressions Stateful Expressions Expressions of Interest nft_lookup nft_dynset nft_connlimit Vulnerability Discovery CVE-2022-32250 Analysis Set Creation Set Deactivation Initial Limited UAF Write Exploitation Building an Initial Plan Offsets We Can Write at Into the UAF Chunk Hunting for Replacement Objects What Pointer Do…


NCC Con Europe 2022 – Pwn2Own Austin Presentations

Cedric Halbronn, Aaron Adams, Alex Plaskett and Catalin Visinescu presented two talks at NCC Con Europe 2022. NCC Con is NCC Group’s annual private internal conference for employees. We have decided to publish these 2 internal presentations as it is expected that the wider security community could benefit from understanding…


Wheel of Fortune Outcome Prediction – Taking the Luck out of Gambling

Authored by: Jesús Miguel Calderón Marín Introduction Two years ago I carried out research into online casino games specifically focusing on roulette. As a result, I composed a detailed guide with information on classification of online roulette, potential vulnerabilities and the ways to detect them[1]. Although this guideline was particularly…


Technical Advisory – Multiple vulnerabilities in Nuki smart locks (CVE-2022-32509, CVE-2022-32504, CVE-2022-32502, CVE-2022-32507, CVE-2022-32503, CVE-2022-32510, CVE-2022-32506, CVE-2022-32508, CVE-2022-32505)

The following vulnerabilities were found as part of a research project looking at the state of security of the different Nuki (smart lock) products. The main goal was to look for vulnerabilities which could affect the availability, integrity or confidentiality of the different devices, from hardware to software. Eleven…


A deeper dive into CVE-2021-39137 – a Golang security bug that Rust would have prevented

This blog post discusses two erroneous computation patterns in Golang. By erroneous computation we mean simply that given certain input, a computer program with certain state returns incorrect output or enters an incorrect state.


Technical Advisory – ExpressLRS vulnerabilities allow for hijack of control link

Summary ExpressLRS is a high-performance open source radio control link. It aims to provide a low latency radio control link while also achieving maximum range. It runs on a wide variety of hardware in both 900 MHz and 2.4 GHz frequencies. ExpressLRS is very popular in FPV drone racing and…


Updated: Technical Advisory and Proofs of Concept – Multiple Vulnerabilities in U-Boot (CVE-2022-30790, CVE-2022-30552)

By Nicolas Bidron and Nicolas Guigo. [Editor’s note: This is an updated/expanded version of these advisories which we originally published on June 3 2022.] U-Boot is a popular boot loader for embedded systems with implementations for a large number of architectures and prominent in most Linux based embedded systems such…


Technical Advisory – Multiple Vulnerabilities in Trendnet TEW-831DR WiFi Router (CVE-2022-30325, CVE-2022-30326, CVE-2022-30327, CVE-2022-30328, CVE-2022-30329)

The Trendnet TEW-831DR WiFi Router was found to have multiple vulnerabilities exposing the owners of the router to potential intrusion of their local WiFi network and possible takeover of the device. Five vulnerabilities were discovered. Below are links to the associated technical advisories: Technical Advisory: Stored XSS in Web Interface…


Technical Advisory – Multiple Vulnerabilities in U-Boot (CVE-2022-30790, CVE-2022-30552)

By Nicolas Bidron and Nicolas Guigo. U-Boot is a popular boot loader for embedded systems with implementations for a large number of architectures and prominent in most Linux based embedded systems such as ChromeOS and Android Devices. Two vulnerabilities were uncovered in the IP Defragmentation algorithm implemented in U-Boot, with…


Technical Advisory – FUJITSU CentricStor Control Center <= V8.1 – Unauthenticated Command Injection (CVE-2022-31794 and CVE-2022-31795)

On the 6th of April 2022, NCC Group's Fox-IT discovered two separate flaws in FUJITSU CentricStor Control Center V8.1 which allow an attacker to gain remote code execution on the appliance without prior authentication or authorization.


Technical Advisory – SerComm h500s – Authenticated Remote Command Execution (CVE-2021-44080)

Current Vendor: SerComm Vendor URL: https://www.sercomm.com Systems Affected: SerComm h500s Versions affected: lowi-h500s-v3.4.22 Authors: Diego Gómez Marañón @rsrdesarrollo CVE Identifier: CVE-2021-44080 Risk: 6.6 (Medium) - AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H Summary The h500s is a router device manufactured by SerComm and packaged by a few telecoms providers in Spain (and possibly other regions) to provide CPE…


Technical Advisory – Kwikset/Weiser BLE Proximity Authentication in Kevo Smart Locks Vulnerable to Relay Attacks

Summary The Kwikset/Weiser Kevo line of smart locks support Bluetooth Low Energy (BLE) passive entry through their Touch-to-Open functionality. When a user touches the exterior portion of the lock, the lock checks that an authorized BLE device is exterior to and within a short distance of the smart lock, and…


Technical Advisory – Tesla BLE Phone-as-a-Key Passive Entry Vulnerable to Relay Attacks

Summary The Tesla Model 3 and Model Y employ a Bluetooth Low Energy (BLE) based passive entry system. This system allows users with an authorized mobile device or key fob within a short range of the vehicle to unlock and operate the vehicle, with no user interaction required on the…


Technical Advisory – BLE Proximity Authentication Vulnerable to Relay Attacks

Summary Many products implement Bluetooth Low Energy (BLE) based proximity authentication, where the product unlocks or remains unlocked when a trusted BLE device is determined to be nearby. Common examples of such products include automotive Phone-as-a-Key systems, residential smart locks, BLE-based commercial building access control systems, and smartphones and laptops…


Technical Advisory: Ruby on Rails – Possible XSS Vulnerability in ActionView tag helpers (CVE-2022-27777)

Summary Ruby on Rails is a web application framework that follows the Model-view-controller (MVC) pattern. It offers some protections against Cross-site scripting (XSS) attacks in its helpers for the views. Several tag helpers in ActionView::Helpers::FormTagHelper and ActionView::Helpers::TagHelper are vulnerable to XSS because their current protection does not properly restrict the…


Remote Code Execution on Western Digital PR4100 NAS (CVE-2022-23121)

This blog post describes an unchecked return value vulnerability found and exploited in September 2021 by Alex Plaskett, Cedric Halbronn and Aaron Adams working at the Exploit Development Group (EDG) of NCC Group. We successfully exploited it at Pwn2Own 2021 competition in November 2021 when targeting the Western Digital PR4100.


Technical Advisory – Apple macOS XAR – Arbitrary File Write (CVE-2022-22582)

Summary In October 2021, Apple released a fix for CVE-2021-30833. This was an arbitrary file-write vulnerability in the xar utility and was due to improper handling of path separation (forward-slash) characters when processing files contained within directory symlinks. Whilst analysing the patch for CVE-2021-30833, an additional vulnerability was identified which…


BrokenPrint: A Netgear stack overflow

This blog post describes a stack-based overflow vulnerability found and exploited in September 2021 in the Netgear R6700v3.


Analyzing a PJL directory traversal vulnerability – exploiting the Lexmark MC3224i printer (part 2)

This post describes a vulnerability found and exploited in October 2021 by Alex Plaskett, Cedric Halbronn, and Aaron Adams working at the Exploit Development Group (EDG) of NCC Group. We successfully exploited it at Pwn2Own 2021 competition in November 2021. Lexmark published a public patch and their advisory in January…


log4j-jndi-be-gone: A simple mitigation for CVE-2021-44228

tl;dr Run our new tool by adding -javaagent:log4j-jndi-be-gone-1.0.0-standalone.jar to all of your JVM Java stuff to stop log4j from loading classes remotely over LDAP. This will prevent malicious inputs from triggering the “Log4Shell” vulnerability and gaining remote code execution on your systems. In this post, we first offer some…


Technical Advisory – SonicWall SMA 100 Series – Unauthenticated Arbitrary File Deletion

Summary SonicWall SMA 100 Series appliances running firmware versions 10.2.0.8-37sv, 10.2.1.1-19sv and below suffer from an unauthenticated arbitrary file-delete vulnerability which can be exploited by a remote attacker to delete arbitrary files from the underlying Operating System. This vulnerability exists in the sonicfiles RAC_DOWNLOAD_TAR method, which allows users to download…


Technical Advisory – SonicWall SMA 100 Series – Unauthenticated Stored XSS

Summary SonicWall SMA 100 Series appliances running firmware versions 10.2.0.8-37sv, 10.2.1.1-19sv and below suffer from a Stored Cross-Site Scripting (XSS) vulnerability within the management interface. This vulnerability arises due to lack of sufficient output encoding when displaying postscript file names within the management interface. Due to CVE-2021-20040, this issue can…


Technical Advisory – SonicWall SMA 100 Series – Multiple Unauthenticated Heap-based and Stack-based Buffer Overflow (CVE-2021-20045)

Summary SonicWall SMA 100 Series appliances running firmware versions 10.2.0.8-37sv, 10.2.1.1-19sv and below, are vulnerable to multiple stack-based and heap-based buffer overflows in the fileexplorer component, which can be reached by an unauthenticated attacker, calling the sonicfiles RAC_COPY_TO method. These vulnerabilities arise due to the unchecked use of strcpy with…


Technical Advisory – SonicWall SMA 100 Series – Post-Authentication Remote Command Execution (CVE-2021-20044)

Summary SonicWall SMA 100 Series appliances running firmware versions 10.2.0.8-37sv, 10.2.1.1-19sv suffer from a post-authenticated command injection vulnerability, which can be exploited to execute arbitrary commands with root privileges. The vulnerability exists in the Python management API, which is exposed remotely via HTTP, and is accessible to authenticated administrative users.…


Technical Advisory – SonicWall SMA 100 Series – Heap-Based Buffer Overflow (CVE-2021-20043)

Summary SonicWall SMA 100 Series appliances running firmware versions 10.2.0.8-37sv, 10.2.1.1-19sv and below suffer from a heap-based buffer overflow vulnerability in the sonicfiles RAC_GET_BOOKMARKS_HTML5 API. This vulnerability arises due to the unchecked use of the strcat function on a fixed size buffer, when displaying user bookmarks. This vulnerability requires authentication…


Technical Advisory – SonicWall SMA 100 Series – Unauthenticated File Upload Path Traversal (CVE-2021-20040)

Summary SonicWall SMA 100-series appliances running versions 10.2.0.8-37sv, 10.2.1.1-19sv and earlier, suffer from an unauthenticated file upload vulnerability. This could allow an unauthenticated remote attacker to use path traversal to upload files outside of the intended directory. Impact An unauthenticated attacker may be able to write files with controlled content…


Technical Advisory – Authenticated SQL Injection in SOAP Request in Broadcom CA Network Flow Analysis (CVE-2021-44050)

Summary The Network Flow Analysis software (formerly known as CA Network Flow Analysis) is a network traffic monitoring solution, which is used to monitor and optimize the performance of network infrastructures. The “Interfaces” Section of the Network Flow Analysis web application made use of a Flash application, which performed SOAP…


Exploit the Fuzz – Exploiting Vulnerabilities in 5G Core Networks

Following on from our previous blog post ‘The Challenges of Fuzzing 5G Protocols’, in this post, we demonstrate how an attacker could use the results from the fuzz testing to produce an exploit and potentially gain access to a 5G core network. In this blog post we will be using…


POC2021 – Pwning the Windows 10 Kernel with NTFS and WNF Slides

Slides Alex Plaskett presented "Pwning the Windows 10 Kernel with NTFS and WNF" at Power Of Community (POC) on the 11th of November 2021.


Technical Advisory – Apple XAR – Arbitrary File Write (CVE-2021-30833)

Summary XAR is a file archive format used in macOS, and is part of various file formats, including .xar, .pkg, .safariextz, and .xip files. XAR archives are extracted using the xar command-line utility. XAR was initially developed under open source, however, the original project appears to be no longer maintained.…


Reverse engineering and decrypting CyberArk vault credential files

Author: Jelle Vergeer This blog will be a technical deep-dive into CyberArk credential files and how the credentials stored in these files are encrypted and decrypted. I discovered it was possible to reverse engineer the encryption and key generation algorithms and decrypt the encrypted vault password. I also provide a…


Technical Advisory – Open5GS Stack Buffer Overflow During PFCP Session Establishment on UPF (CVE-2021-41794)

Summary When connecting to the UPF port for the PFCP protocol (8805) and sending an Association Setup Request followed by a Session Establishment Request with a PDI Network Instance set to ‘internet’, it causes a stack corruption to occur. Impact Exploitation of this vulnerability would lead to denial of service…


Technical Advisory – NULL Pointer Dereference in McAfee Drive Encryption (CVE-2021-23893)

Summary McAfee’s Complete Data Protection package contained the Drive Encryption (DE) software. This software was used to transparently encrypt the drive contents. The versions prior to 7.3.0 HF1 had a vulnerability in the kernel driver MfeEpePC.sys that could be exploited on certain Windows systems for privilege escalation or DoS. Impact…


Technical Advisory – Garuda Linux Insecure User Creation (CVE-2021-3784)

Summary Garuda is a modern Linux distribution based on Arch Linux with nice blur effects and icons. Garuda Linux performs insecure user creation and authentication, which allows a local attacker to impersonate a user account while it is being created. The user is created in two steps: first the user is created without…


CVE-2021-31956 Exploiting the Windows Kernel (NTFS with WNF) – Part 2

We look at exploitation without the CVE-2021-31955 information disclosure, enabling better exploit primitives through PreviousMode, reliability, stability and exploit clean-up, as well as thoughts on detection.


Technical Advisory: Pulse Connect Secure – RCE via Uncontrolled Archive Extraction – CVE-2021-22937 (Patch Bypass)

Summary The Pulse Connect Secure appliance suffers from an uncontrolled archive extraction vulnerability which allows an attacker to overwrite arbitrary files, resulting in Remote Code Execution as root. This vulnerability is a bypass of the patch for CVE-2020-8260. Impact Successful exploitation of this issue results in Remote Code Execution on…


CVE-2021-31956 Exploiting the Windows Kernel (NTFS with WNF) – Part 1

NCC Group's Exploit Development Group look at exploiting CVE-2021-31956 in the Windows Kernel (NTFS with WNF).


Technical Advisory – Arbitrary File Read in Dell Wyse Management Suite (CVE-2021-21586, CVE-2021-21587)

Summary Thin clients are often found in secure environments as their diskless operation reduces physical security risks. Wyse Management Suite (WMS) acts as a central hub for Dell’s thin client hardware, providing centralised provisioning and configuration. The Wyse Management Suite web interface and the configuration services used by the Thin Clients…


Exploiting the Sudo Baron Samedit vulnerability (CVE-2021-3156) on VMWare vCenter Server 7.0

NCC Group's Exploit Development Group document exploiting the sudo vulnerability on VMWare vCenter Server.


Exploit mitigations: keeping up with evolving and complex software/hardware

We have been filling the knowledge gap by tracking, in summary tables, all the exploit mitigations present in modern operating systems.


Technical Advisory – ParcelTrack sends all pasteboard data to ParcelTrack’s servers on startup

Summary Upon start of the ParcelTrack application, any data contained on the global pasteboard (iOS) or clipboard (Android) will be sent to ParcelTrack’s servers. Impact Sensitive PII such as credit card numbers and passwords often live on the global pasteboard. If any sensitive data is contained on the pasteboard…


SAML XML Injection

The Single Sign-On (SSO) approach to authentication controls and identity management was quickly adopted by both organizations and large online services for its convenience and added security. The benefits are clear; for end-users, it is far easier to authenticate to a single service and gain access to all required applications.…


Technical Advisory: Dell SupportAssist Local Privilege Escalation (CVE-2021-21518)

Summary When running PC-Doctor modules, the Dell SupportAssist service attempted to load DLLs from a world-writable directory. Furthermore, it did not validate the signature of libraries loaded from this directory, leading to a “DLL Hijacking” vulnerability. Impact Successful exploitation of this issue would allow a low privileged user to execute…


Technical Advisory – Multiple Vulnerabilities in Netgear ProSAFE Plus JGS516PE / GS116Ev2 Switches

Multiple vulnerabilities were found in Netgear ProSafe Plus JGS516PE switches that may pose a serious risk to their users. The most critical vulnerability could allow unauthenticated users to gain arbitrary code execution. The following vulnerabilities were the most relevant identified during the internal research: Unauthenticated Remote Code Execution (CVE-2020-26919) NSDP…


Technical Advisory – Linksys WRT160NL – Authenticated Command Injection (CVE-2021-25310)

Current Vendor: Belkin (Linksys) Vendor URL: https://www.linksys.com/sg/p/P-WRT160NL/ Versions affected: 1.0.04 build 2 (FW_WRT160NL_1.0.04.002_US_20130619_code.bin) Systems Affected: Linksys WRT160NL Authors: Manuel Ginés - Manuel.Gines[at]nccgroup[dot]com Diego Gómez Marañón – Diego.GomezMaranon[at]nccgroup[dot]com CVE Identifier: CVE-2021-25310 Risk: 8.8 (High) - AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Summary The Linksys WRT160NL is a switch device initially owned by Cisco and, after the…


Domestic IoT Nightmares: Smart Doorbells

Preface Halfway through 2020, UK independent consumer champion Which? magazine reached out to us and asked if we could assist investigating the security of a series of domestic IoT devices and to perform a vulnerability assessment of each device. The assessments included smart plugs and smart/connected doorbells. We also…


ABSTRACT SHIMMER (CVE-2020-15257): Host Networking is root-Equivalent, Again

This post is a technical discussion of the underlying vulnerability of CVE-2020-15257, and how it can be exploited. Our technical advisory on this issue is available here, but this post goes much further into the process that led to finding the issue, the practicalities of exploiting the vulnerability itself, various…


Technical Advisory: SQL Injection and Reflected Cross-Site Scripting (XSS) Vulnerabilities in Oracle Communications Diameter Signaling Router (CVE-2020-14787, CVE-2020-14788)

Summary Based on the Oracle product documentation page, “Oracle Communications Diameter Signaling Router is a market-leading cloud-ready Diameter signaling controller solution that centralizes routing, traffic management and load balancing, creating an architecture that enables IMS and LTE networks to be truly elastic and adapt to increasing service and traffic demands…


Technical Advisory – Jitsi Meet Electron – Arbitrary Client Remote Code Execution (CVE-2020-27162)

Current Vendor: Jitsi Vendor URL: https://jitsi.org Versions affected: 1.x.x Systems Affected: Jitsi Meet Electron Authors: Robert Wessen robert[dot]wessen[at]nccgroup[dot]com CVE Identifier: CVE-2020-27162 Risk: 8.3 (High) – AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H Summary Jitsi is an open source online communication suite. It includes a variety of audio, video, text and screen sharing capabilities. Both server, client,…


Technical Advisory – Jitsi Meet Electron – Limited Certificate Validation Bypass (CVE-2020-27161)

Current Vendor: Jitsi Vendor URL: https://jitsi.org Versions affected: 1.x.x Systems Affected: Jitsi Meet Electron Authors: Robert Wessen robert[dot]wessen[at]nccgroup[dot]com CVE Identifier: CVE-2020-27161 Risk: 5.3 (Medium) AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N Summary Impact Jitsi Meet Electron includes apparent debugging code which ignores certificate validation errors, and therefore allows for man-in-the-middle attacks against limited, specially named Jitsi…


Technical Advisory – Linksys WRT160NL – Authenticated Remote Buffer Overflow (CVE-2020-26561)

Current Vendor: Belkin Vendor URL: https://www.linksys.com/sg/p/P-WRT160NL/ Versions affected: Latest FW version - 1.0.04 build 2 (FW_WRT160NL_1.0.04.002_US_20130619_code.bin) Systems Affected: Linksys WRT160NL (maybe others) Authors: Diego Gómez Marañón – Diego.GomezMaranon[at]nccgroup[dot]com CVE Identifier: CVE-2020-26561 Risk: 8.8 (High) – AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Summary The Linksys WRT160NL is a switch device initially owned by Cisco and, after…


There’s A Hole In Your SoC: Glitching The MediaTek BootROM

This research was conducted by our intern Ilya Zhuravlev, who has returned to school but will be rejoining our team after graduation, and was advised by Jeremy Boone of NCC Group’s Hardware Embedded Systems Practice. With the advent of affordable toolchains, such as ChipWhisperer, fault injection is no longer an…


Technical Advisory – Pulse Connect Secure – RCE via Template Injection (CVE-2020-8243)

Vendor: Pulse Secure Vendor URL: https://www.pulsesecure.net/ Versions affected: Pulse Connect Secure (PCS) 9.1Rx or below, Pulse Policy Secure (PPS) 9.1Rx or below Systems Affected: Pulse Connect Secure (PCS) Appliances Authors: Richard Warren - richard.warren[at]nccgroup[dot]com, David Cash – david.cash[at]nccgroup[dot]com CVE Identifier: CVE-2020-8243 Advisory URL: https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44588 Risk: 7.2 High CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Summary Pulse…


Technical Advisory – Lansweeper Privilege Escalation via CSRF Using HTTP Method Interchange (CVE-2020-13658)

Summary: Lansweeper is an application that gathers hardware and software information of computers and other devices on a computer network for management and compliance and audit purposes. The application also encompasses a ticket based help desk system and capabilities for software updates on target devices. Location: http://[LANSWEEPER_URL]/configuration/HelpdeskUsers/HelpdeskusersActions.aspx Impact: An attacker…


Technical Advisory – wolfSSL TLS 1.3 Client Man-in-the-Middle Attack (CVE-2020-24613)

wolfSSL is a C-language-based SSL/TLS library targeted at IoT, embedded, and RTOS environments. wolfSSL incorrectly implements the TLS 1.3 client state machine. This allows attackers in a privileged network position to completely impersonate any TLS 1.3 servers and read or modify potentially sensitive information between clients using the wolfSSL library…


Technical Advisory – Multiple HTML Injection Vulnerabilities in KaiOS Pre-installed Mobile Applications

Multiple HTML injection vulnerabilities were found in several KaiOS mobile applications that are pre-installed on KaiOS mobile devices. The following vulnerabilities affected multiple KaiOS mobile devices: KaiOS Email Application HTML Injection (CVE-2019-14756) KaiOS Contacts Application HTML Injection (CVE-2019-14757) KaiOS File Manager Application HTML Injection (CVE-2019-14758) KaiOS Recorder Application HTML Injection…


Technical Advisory – FreePBX – Multiple Authenticated SQL Injections in UCP application

Summary: The User Control Panel (UCP) application is vulnerable to multiple authenticated SQL Injection vulnerabilities which can result in the compromise of administrative accounts as well as the PBX appliance itself. FreePBX has a sizable install base, with Shodan showing over 32 thousand public results for the Sangoma Apache server…


NCC Group researchers named amongst MSRC’s Most Valuable Security Researchers in 2020

Yesterday, the Microsoft Security Response Center announced their Most Valuable Security Researchers for 2020 (MVRs). This honour, awarded annually by Microsoft during Black Hat USA, is a part of MSRC’s Researcher Recognition program, and recognizes the top security researchers globally based upon the volume, accuracy, and impact of their vulnerability…


Lights, Camera, HACKED! An insight into the world of popular IP Cameras

Preface During the Covid-19 pandemic, the battle to secure and protect businesses as well as consumers changed from the office environment to our homes, but this did not stop us from working on research projects aimed at contributing to the creation of a safer online world. Working from home, this…


Technical Advisory: Heartbleed chained with a Pass-the-Hash attack leads to device compromise on TP-Link C200 IP Camera

Vendor: TP-Link Vendor URL: https://www.tp-link.com/uk/ Versions affected: 1.7.0 Systems Affected: Tapo C200 Author: Dale Pavey Risk: High Summary: The device is vulnerable to the Heartbleed vulnerability and a Pass-the-Hash attack. Impact: Successfully exploiting the Heartbleed vulnerability leads to the device being remotely taken over using the memory-leaked user hash and…


Understanding the root cause of F5 Networks K52145254: TMUI RCE vulnerability CVE-2020-5902

CVE-2020-5902 was disclosed on July 1st, 2020 by F5 Networks in K52145254 as a CVSS 10.0 remote code execution vulnerability in the Big-IP administrative interface. This blog looks at the root causes of both the exploit paths discovered which boil down to subtle configuration issues and differences in behavior between…


Technical Advisory – KwikTag Web Admin Authentication Bypass

Summary: KwikTag is a digital document management solution. KwikTag Web Admin is used to administrate accounts and permissions of the KwikTag instance. KwikTag Web Admin grants an active session without properly validating expired admin credentials. Location: ~/ktadmin/Default.aspx Impact: An attacker can gain administrative access to KwikTag Web Admin by logging…


Technical Advisory – macOS Installer Local Root Privilege Escalation (CVE-2020-9817)

A local macOS user or process may be able to modify or replace files executed by Installer. This could allow a low-privileged user or process to gain arbitrary code execution with root privileges, effectively leading to a full system compromise.


Striking Back at Retired Cobalt Strike: A look at a legacy vulnerability

This vulnerability applied to a 5-year-old, end-of-life version of Cobalt Strike and is being published in the spirit of archaeological interest in the vulnerability. tl;dr This blog looks at some of the communication and encryption internals of Cobalt Strike between Beacons and the Team Server in the…


Technical Advisory – ARM MbedOS USB Mass Storage Driver Memory Corruption

Vendor: ARM Vendor URL: https://os.mbed.com/ Versions affected: Prior to 5.15.2 Systems Affected: ARM Mbed OS Author: Ilya Zhuravlev Risk: High Summary: The ARM Mbed operating system contains a USB Mass Storage driver (USBMD), which allows emulation of a mass storage device over USB. This driver contains a three (3) memory…


Exploring macOS Calendar Alerts: Part 2 – Exfiltrating data (CVE-2020-3882)

Using a carefully crafted calendar event, an attacker can retrieve semi-arbitrary files from a target victim’s macOS system; all the victim has to do is click on an invite.


Shell Arithmetic Expansion and Evaluation Abuse

Introduction Recently we came across a class of vulnerability that was discovered some time ago yet is not very well known, despite the potential impact of its discovery and exploitation being critical. During the (re)discovery of this type of bug we managed to get a privileged shell on a Linux-based…


Order Details Screens and PII

When ordering a product or service online, it’s fairly common to get a confirmation email from the provider, often with a link where you can view details of your order. This is all very helpful, but have you ever considered whether the link you can follow is secure, or if…


Whitepaper – Coinbugs: Enumerating Common Blockchain Implementation-Level Vulnerabilities

By Aleksandar Kircanski and Terence Tarvis A good amount of effort has been dedicated to surveying and systematizing Ethereum smart contract security bug classes. There is, however, a gap in literature when it comes to surveying implementation-level security bugs that commonly occur in basic PoW blockchain node implementations, discovered during…


CVE-2018-8611 – Diving into the Windows Kernel Transaction Manager (KTM) for fun and exploitation

Written by Cedric Halbronn On Saturday 15th February, I gave a talk titled “How CVE-2018-8611 Can be Exploited to Achieve Privilege Escalation on Windows 10 1809 (RS5) and Earlier”. This research was done by Aaron Adams and myself and was presented by Aaron at POC2019 at the end of last…


Technical Advisory – playSMS Pre-Authentication Remote Code Execution (CVE-2020-8644)

Summary: PlaySMS is an open source SMS gateway, which has a web management portal written in PHP. PlaySMS supports a custom PHP templating system, called tpl (https://github.com/antonraharja/tpl). PlaySMS double processes a server-side template, resulting in unauthenticated user control of input to the PlaySMS template engine. The template engine’s implementation then…


Interfaces.d to RCE

Several months ago, I was having a poke at the Mozilla WebThings IoT gateway. The gateway essentially allows a user to host their own IoT cloud from a device (such as a Raspberry Pi) on their local network. It creates a tunnel to a personal subdomain of mozilla-iot.org for managing…


Compromising a Hospital Network for £118 (Plus Postage & Packaging)

TL;DR We bought a medical infusion pump device from eBay and from it, forensically retrieved the WPA key and server authentication credentials for a real-world hospital’s wireless network and medical pump management server. In the wrong hands, such capability could be life-threatening given the level of network-based access this…


Getting Shell with XAMLX Files

Introduction In our blog post on ASP.NET resource files and deserialization issues [1], we showed how to run code by abusing deserialization features when uploading a RESX or RESOURCES file. In this blog post, we similarly show how XAMLX file capabilities can be abused to run commands on a server when such…


Kerberos Resource-Based Constrained Delegation: When an Image Change Leads to a Privilege Escalation

Introduction During a recent Active Directory assessment we had access as a low-privilege user to a fully-patched and secured domain workstation. After trying a number of different approaches to elevate privileges locally, we came across the blog post “Wagging the Dog: Abusing Resource-Based Constrained Delegation to Attack Active Directory” [1]…


Story of a Hundred Vulnerable Jenkins Plugins

Jenkins is an open source tool supporting building, deploying and automating software development and delivery, and can be extended by plugins to introduce additional functionalities like Active Directory authentication, or solve recurring tasks such as executing a static code analyser or copying compiled software to a CIFS share. Similar…


Chafer backdoor analysis

Introduction A few weeks ago we published a config decrypter [1] for a sample that we believe is related to the Chafer group. Chafer is a well-known group which has primarily been operating in the Middle East. Their arsenal includes several custom-made tools, variants of the Remexi malware and open-source/publicly available…


Finding and Exploiting .NET Remoting over HTTP using Deserialisation

Introduction During a recent security assessment at NCC Group I found a .NET v2.0 application that used .NET Remoting to communicate with its server over HTTP by sending SOAP requests. After decompiling the application I realised that the server had set the TypeFilterLevel to Full which is dangerous as it can potentially lead to…


Owning the Virgin Media Hub 3.0: The perfect place for a backdoor

All of this research was performed by our Managing Security Consultant, Balazs Bucsay @xoreipeip (https://twitter.com/xoreipeip) during the winter of 2016/2017. After changing Internet provider at my home in 2016, I received a new broadband modem; the Virgin Media Hub 3.0. Somehow I always get this itchy feeling whenever a new device is…


Turla PNG Dropper is back

This is a short blog post on the PNG Dropper malware that has been developed and used by the Turla Group [1]. The PNG Dropper was first discovered back in August 2017 by Carbon Black researchers. Back in 2017 it was being used to distribute Snake, but recently NCC Group…


RokRat Analysis

In July 2018 a security researcher named Simon Choi reported that a group, which goes by the name Group123 (also known as APT37 or Reaper), used spear-phishing emails to spread their malicious payload [1]. Shortly afterwards it was revealed that the attacker was using an exploit for a vulnerability in…


How I did not get a shell

This is a story about a penetration test, where it was not possible to get a shell on a target device. We pentesters love to think that getting a shell is the goal of a penetration test and this story shows how frustrating it can sometimes be when trying to…


CVE-2017-8570 RTF and the Sisfader RAT

Ben Humphrey – Malware Researcher In late April 2018, NCC Group researchers discovered a small number of documents exploiting CVE-2017-8570 and dropping the same payload. The purpose of these documents is to install a Remote Access Trojan (RAT) on the victims’ machine. This article gives a deep analysis of both…


Emissary Panda – A potential new malicious tool

Introduction Hacking groups linked to the Chinese state are not a new threat. In fact, for the last couple of years they have tended to be the most active along with Russian state affiliated hacking groups. One of these groups is the ‘Emissary Panda’ group, also known as TG-3390, APT 27…


SMB hash hijacking & user tracking in MS Outlook

Brief description Microsoft (MS) Outlook could be abused to send SMB handshakes externally after a victim opened or simply viewed an email. A WebDAV request was sent even when the SMB port was blocked. This could be used to crack a victim’s password when the SMB hash was sent externally,…


Decoding network data from a Gh0st RAT variant

During a forensic investigation in March 2018 we were able to retrieve some files which appeared to be linked with a well-known group named Iron Tiger. From our research, we believe that the perpetrator hasn’t shown any advanced technical capabilities in this attack. In fact, the main goal was to…


Spectre and Meltdown: What you Need to Know

In the first days of 2018, a number of vulnerabilities were disclosed that are present in many modern-day CPUs. In this blog post we address the most frequently asked questions about Spectre and Meltdown with a focus on providing you with actionable guidance about what to do. This post is…


HIDDEN COBRA Volgmer: A Technical Analysis

In November, US-CERT published two alerts about malicious activity by the North Korean government, referred to as HIDDEN COBRA [1][2]. These alerts addressed the remote administration tool FALLCHILL and a Trojan called Volgmer. We’ll focus on the latter in this blog post. Volgmer is a backdoor Trojan that was designed…


Cisco ASA series part eight: Exploiting the CVE-2016-1287 heap overflow over IKEv1

This article is part of a series of blog posts. We recommend that you start at the beginning. Alternatively, scroll to the bottom of this article to navigate through the whole series. Exodus Intel released how they exploited [1] CVE-2016-1287 for IKEv2 in February 2016, but there wasn’t anything public for…


Cisco ASA series part seven: Checkheaps

This article is part of a series of blog posts. We recommend that you start at the beginning. Alternatively, scroll to the bottom of this article to navigate through the whole series. As part of our ongoing series we would like to talk about Cisco’s Checkheaps security and stability mechanism. More…


Cisco ASA series part six: Cisco ASA mempools

This article is part of a series of blog posts. We recommend that you start at the beginning. Alternatively, scroll to the bottom of this article to navigate through the whole series. In part six, we document some of the details around Cisco ASA mempools and how the mempool-related functions wrap…


Cisco ASA series part four: dlmalloc-2.8.x, libdlmalloc, & dlmalloc on Cisco ASA

This article is part of a series of blog posts. We recommend that you start at the beginning. Alternatively, scroll to the bottom of this article to navigate through the whole series. This article is meant to provide a summary of some key functionality for dlmalloc-2.8.x and introduce a debugging plugin…


Cisco ASA series part three: Debugging Cisco ASA firmware

This article is part of a series of blog posts. We recommend that you start at the beginning. Alternatively, scroll to the bottom of this article to navigate through the whole series. We have developed a small framework of tools to automate the debugging of most Cisco ASA firmware files using…


Cisco ASA series part two: Static analysis & datamining of Cisco ASA firmware

This article is part of a series of blog posts. If you haven’t already, we recommend that you read the introduction article prior to this one. During our research, we ended up wanting to analyse a large number of Cisco ASA firmware files. Most importantly, we needed to mine exploit targets for…


Cisco ASA series part one: Intro to the Cisco ASA

We’ve spent a bunch of time investigating Cisco ASA devices and their firmware while looking into exploiting CVE-2016-1287, CVE-2016-6366, and other bugs. Part of this research has involved data mining numerous Cisco ASA firmware files to generate new exploit targets. We took the time to write some tools to more…


EternalGlue part one: Rebuilding NotPetya to assess real-world resilience

Tl;dr – we were engaged by a client back in June 2017 to rebuild NotPetya from scratch. However, instead of the data destruction payload, they asked for telemetry and safeguards. Why? Because they wanted to measure what the impact of NotPetya would have been. Below, you’ll find part one of the…


Analysing a recent Poison Ivy sample

In a recent blog post, Fortinet discussed a new version of Poison Ivy[1] spreading through malicious PowerPoint files. The PowerPoint file includes a .NET loader in a stream which goes on to load a variant of Poison Ivy. But there is some debate regarding whether this is a pure Poison…


DeLux Edition: Getting root privileges on the eLux Thin Client OS

While on an engagement I came across a thin client running the eLux Linux distribution. Designed as a secure, streamlined environment for users to access applications such as a browser, Citrix and terminal services, the vendor describes eLux as: “… a hardware-independent operating system for cloud computing environments. It is…


Smuggling HTA files in Internet Explorer/Edge

In this blog post, we will demonstrate how attackers can serve malicious HTML Application (HTA) [1] files in a way that may bypass traditional proxy filtering. We will also cover some defensive mechanisms that can be used to prevent such attacks. Background When carrying out Red Team engagements for our clients, we…


Live Incident Blog: June Global Ransomware Outbreak

On Tuesday 27 June, we saw another outbreak of ransomware. This blog is live and will be updated as we know more. The ransomware is currently being discussed as a variant of Petya, which also modifies the Master Boot Record (MBR), although this ransomware also has traits similar to WannaCry in…


A WarCon 2017 Presentation: Cisco ASA – Exploiting the IKEv1 Heap Overflow – CVE-2016-1287

Exodus Intel released a proof of concept (POC) in early 2016, demonstrating how to obtain remote code execution on Cisco Adaptive Security Appliance (ASA) firewalls exposed to the internet. The POC exploits a pre-authentication vulnerability in Internet Key Exchange (IKE) aka CVE-2016-1287 and is highly critical. The POC works on…


Microsoft Zero-Day Vulnerability – OLE2Link – Threat Intelligence and Signatures

NCC Group is currently aware of a zero-day vulnerability targeting Microsoft Office users which is being exploited in the wild by a number of threat actors including organised criminal gangs. NCC Group has identified various samples exploiting this issue from as far back as 2016. Click here to see NCC…


SCOMplicated? – Decrypting SCOM “RunAs” credentials

This post will detail how it is possible to compromise a System Center Operations Manager (SCOM) server and extract the plaintext RunAs credentials from the database. We will also provide tips on how to detect such attacks. What are RunAs credentials? In brief, when creating a SCOM workflow, RunAs profiles…


ISM RAT

In this blog post we will take a brief look at the remote access Trojan (RAT) used by a group called Greenbug[1]. According to Symantec, an APT group used this RAT – along with other tools – to collect user information which was later used when executing the wiper malware…


Compromising Apache Tomcat via JMX access

This blog post focuses on some interesting features of a Tomcat server configured to expose the Java Management Extension (JMX) service to external network interfaces for remote monitoring and management purposes. These features might be abused by an attacker to gain control over a system by using the JConsole tool…


An adventure in PoEKmon NeutriGo land

TL;DR A full technical note explaining the analysis of a Flash file that is part of the Neutrino Exploit kit has been uploaded to our Cyber Defence Github repository. This document details a methodology to analyse all components of the original Flash file. It details how we manually deobfuscate most of its…


Ransomware: How vulnerable is your system?

TL;DR; Ransomware has grown into a significant industry for criminal enterprises due to its relatively low sophistication and the ability for it to be performed remotely, and the fact that it is supported by the existence of crypto currencies which facilitate remuneration. As a result, the likelihood of the perpetrators…


Writing Exploits for Win32 Systems from Scratch

Introduction This post is aimed at those new to exploit development and wanting to understand the end-to-end process and types of techniques that need to be employed in order to realise a working exploit against a buffer overflow vulnerability. I acknowledge that there are more sophisticated techniques that can be…


Sakula: an adventure in DLL planting

Introduction In April this year a file was uploaded to VirusTotal which NCC Group’s technical intelligence flagged as the Sakula malware. Two interesting things stood out: firstly, the implant itself is never stored on disk. Secondly, a legitimate executable from Kaspersky is used to load part of the malware by…


When a Trusted Site in Internet Explorer was Anything But

This post is about one of those vulnerabilities that you don’t envisage seeing again for some time but, nevertheless, still contains some valuable lessons, especially when it comes to how vulnerabilities can combine to produce different attack scenarios. While the scenario is rare for Internet-facing websites, developers and architects responsible…


From CSV to CMD to qwerty

The ongoing breach stories of targeted email campaigns harbouring malicious attachments made me think of writing up a summary of a presentation I gave at the amazing NCC Con held in Dublin in January this year. The talk was based on a pentesting war story that started off exploiting the old (but…


Sysinternals SDelete: When Secure Delete Fails

Introduction Securely erasing media is an important process for any IT department. There are numerous methods of ensuring that sensitive data is removed before items are reissued or disposed of. And the removal of such data is also mandated by various standards such as ISO 27001, which states: A.11.2.7 – “All…


Remote Exploitation of Microsoft Office DLL Hijacking (MS15-132) via Browsers

A number of weeks back, security researcher Parvez Anwar posted a number of DLL hijacking vulnerabilities within Microsoft Office on Twitter [1]. The following week, Microsoft released MS15-132, which addressed some of these vulnerabilities, along with a large number of very similar bugs reported by others in various guises [2] [3]. The vulnerabilities that were…


Car Parking Apps Vulnerable To Hacks

Why Car Parking? Companies running paid-for parking schemes across the UK are introducing mobile applications as an alternative to paying with coins and/or card at the parking meter. Many NCC Group consultants travel extensively to support the work that they do for clients. In most cases consultants will drive, and…


Understanding Microsoft Word OLE Exploit Primitives

Until November 2013 (CVE-2013-3906), exploit primitives for Object Linking and Embedding (OLE) objects were not discussed publicly. This changed at BlackHat USA 2015, when Haifei Bing presented “Attacking Interoperability: An OLE Edition”. This talk examined the internals of OLE embedding. Over the past few months, several malware campaigns targeting high-profile…


Does TypeScript Offer Security Improvements Over JavaScript?

TypeScript is a programming language, developed by Microsoft, which is a strict superset of JavaScript. It is intended to be used to aid in the development of large applications by adding static typing, class-based object-oriented programming, and modularity to JavaScript. TypeScript uses a transpiler, a source-to-source compiler which takes TypeScript…


Exploiting CVE-2015-2426, and How I Ported it to a Recent Windows 8.1 64-bit

tl;dr This paper details how I ported the CVE-2015-2426 (a.k.a. MS15-078) vulnerability, as originally exploited by Eugene Ching of Qavar Security on the January 2015 version of Windows 8.1 64-bit to the more recent July 2015 version of Windows 8.1 64-bit, the last version of Windows still vulnerable to this issue…


Broadcasting your attack – DAB security

Digital Audio Broadcasting (DAB) radio receivers can be found in many new cars and are often integrated into what has become known as the “infotainment system” – typically a large screen in the dashboard that the vehicle occupants interact with to control anything from what music is playing, to making…


Exploiting the win32k!xxxEnableWndSBArrows use-after-free (CVE-2015-0057) bug on both 32-bit and 64-bit

tl;dr Earlier this year I worked on an exploit for an interesting use-after-free vulnerability in win32k.sys (CVE-2015-0057) and was able to develop a reliable exploit on both 32-bit and 64-bit, affecting XP through Windows 8.1 (with a few exceptions). This writeup describes in detail how I approached exploitation on both…


Blind Return Oriented Programming

tl;dr In 2014 a paper [http://www.scs.stanford.edu/brop/bittau-brop.pdf] which introduces Blind Return Oriented Programming (BROP), a state-of-the-art exploitation technique, was released by researchers from Stanford University. The paper discusses a general approach in which BROP is used to exploit services which are both vulnerable to stack-based buffer overflows and automatically recover after…


Username enumeration techniques and their value

Introduction One of the first steps when looking to gain access to a host, system, or application is to enumerate usernames. Once usernames are guessed or enumerated, targeted password-based attacks can then be launched against those found usernames. In this blog post, we discuss common techniques that are used…


Some Notes About the Xen XSA-122 Bug

tl;dr; This is a summary of a vulnerability in Xen I found earlier in 2015, and why it’s not very useful in practice. Basically you can leak small amounts of memory from the hypervisor stack, but due to the way the associated hypercall is compiled, it turns out you can’t…


A Back-to-Front TrueCrypt Recovery Story: The Plaintext is the Ciphertext

Introduction One of our clients recently approached us for assistance with recovering data from a laptop hard drive which had been encrypted using TrueCrypt. A hardware repair gone wrong had led to problems booting the operating system and a variety of attempted fixes had been unsuccessful. They had already sent…


Xen SMEP (and SMAP) Bypass

Introduction In a previous blog post [1] I talked about my experience exploiting the SYSRET bug on Xen. I noted that I was able to bypass SMEP, but was leaving the information for a future blog post because I wanted to do some additional research — I thought the technique…


Exploiting Samba CVE-2015-0240 on Ubuntu 12.04 and Debian 7 32-bit

tl;dr It was found that Ubuntu 12.04 32-bit and Debian 7 Samba binaries contained a stack layout that was suitable for exploiting the recent _netr_ServerPasswordSet bug. I was able to develop a reliable exploit that grants pre-authenticated remote root against both systems. Introduction On March 2, 2015 I posted a…


Derusbi: A Case Study in Rapid Capability Development

NCC Group’s Cyber Defence Operations team has released a technical note about the Derusbi Server variant, which we encountered on an engagement at the end of last year. The Derusbi Server variant is typically associated with advanced attackers (APT groups) and was the most sophisticated attempt to retain persistence on…


SMACK, SKIP-TLS & FREAK SSL/TLS Vulnerabilities

Previous current event This is a current event and as such this blog post is subject to change over the course of the next couple of days as we perform further supplementary research and analysis. 1.0: Initial version. 1.1: Revised to include further vulnerable software, alpha signature and small clarifications.…


Samba _netr_ServerPasswordSet Exploitability Analysis

tl;dr This is my analysis of the recent pre-auth Samba remote tracked by CVE-2015-0240[1]. It doesn’t appear to be very exploitable to me, but I’d love to be proven wrong. Note that since the time when I originally did this analysis someone has released their own PoC and analysis [8]…


Abusing Blu-ray Players Part 1 – Sandbox Escapes

tl;dr In today’s (28 February) closing keynote talk at the Abertay Ethical Hacking Society’s Securi-Tay conference, NCC Group was present and I discussed how it was possible to build a malicious Blu-ray disc. By combining different vulnerabilities in Blu-ray players we have built a single disc which will detect the type of player…


Adventures in Xen Exploitation

tl;dr This post is about my experience trying to exploit the Xen SYSRET bug (CVE-2012-0217). This issue was patched in June 2012 and was disclosed in Xen Security Advisory 7 [1]. The bug was found by Rafal Wojtczuk and Jan Beulich. Rafal gave a talk about it at BlackHat USA…


DARPA OnStar Vulnerability Analysis

In a report [1] by US TV show “60 Minutes” about DARPA [2] and the Internet of Things, the Department of Defence has shown that it can hack the General Motors OnStar [3] system to remotely control a last-generation Chevrolet Impala. DARPA has been investigating the cyber security of vehicle systems and…


Ghost Vulnerability (CVE-2015-0235)

Executive Summary An alert about a severe vulnerability discovered by the Qualys security team was issued on Tuesday, January 27 2015. This vulnerability allows a local or remote attacker to execute code within the context of an application linked with certain versions of the glibc library. The vulnerability is triggered by a…


Analysis of the Linux backdoor used in freenode IRC network compromise

Background freenode is a large IRC network providing services to Free and Open Source Software communities, and in September the freenode staff team blogged about a potential compromise of an IRC server. NCC Group’s Cyber Defence Operations team provided pro bono digital forensic and reverse engineering services to assist the freenode…


Drupal Vulnerability

Current event – 1.1 of post This is a current event and as such the blog post is subject to change over the course of a couple of days as we perform further supplementary research and analysis by NCC Group’s Cyber Defence Operations and Security Consulting divisions. v1.1 – updated…


The facts about BadUSB

Introduction Since the BadUSB talk [1] by Karsten Nohl and Jakob Lell at Black Hat USA in August there has been much discussion about the implications of this class of USB attack. The discussions gained additional momentum when Adam Caudill and Brandon Wilson investigated the attack further and publicly released…


CloudWatch: Amazon Web Services & Shellshock

Introduction As more of our services move to rented virtual servers, applying centralised protective monitoring becomes more of a challenge. Offerings such as Assuria’s Cloud Security Suite and Splunk’s Storm show the demand for elastic and easily configurable monitoring that can be deployed on cloud provisioned infrastructure. Amazon has responded…


Shellshock Bash Vulnerability

Current event – 1.2 of post This is a current event and as such the blog post is subject to change over the course of the next few days as we perform further supplementary research and analysis by NCC Group’s Cyber Defence Operations and Security Consulting divisions. v1.2 – Link…


A New Flying Kitten?

Introduction In May 2014 FireEye [1] and Crowdstrike [2] produced reports about the activities of “Flying Kitten”, otherwise known as the Ajax Security Team. In July 2014 NCC Group’s Cyber Defence Operations team encountered several executables in our malware zoo that appear to be updated versions of the “Stealer” malware reported by FireEye…


Extracting the Payload from a CVE-2014-1761 RTF Document

Background In March Microsoft published security advisory 2953095, detailing a remote code execution vulnerability in multiple versions of Microsoft Office (CVE-2014-1761). A Technet blog was released at the same time which contained excellent information on how a typical malicious document would be constructed. NCC Group’s Cyber Defence Operations team used the information in…


Writing Robust Yara Detection Rules for Heartbleed

This blog walks through the methodology and process of writing robust Yara rules to detect either Heartbleed vulnerable OpenSSL statically linked or shared libraries which omit version information. Although Yara is designed for pattern matching and typically used by malware researchers we’ll show how we can also use it to detect vulnerable binaries. One…


Apache Struts Vulnerability

Archived current event – v1.2 of post This was a current event and as such this blog post was subject to change as we performed further supplementary research and analysis. 1.2: Updated to include Struts v1 1.1: Final public release of this blog post 1.0: Initial version Background The Struts…


The Case of Missing File Extensions

A colleague and I were discussing retro-gaming in the office, reminiscing about the classic text adventures from the 1980s. He really enjoyed Infocom adventures whereas I was a big fan of the Magnetic Scrolls series. They can all still be played under various emulators like Frotz and Magnetic. For nostalgia’s sake, I showed him Jinxter, one of the…


Heartbleed OpenSSL vulnerability

Previous current event – v1.8 of post This was a current event and as such the blog post was subject to change over the course of a couple of days as we performed further supplementary research and analysis. 1.8: Update to include Bro detection and further analysis. This is likely…


Vulnerabilities Found In Geofencing Apps

Geofencing apps, which use the global positioning system (GPS) to create virtual barriers to enable different functionality in applications, or devices, depending on geographical area, are not as secure as they could be. We carried out a range of tests and have discovered a number of vulnerabilities in various apps…


How To Spot a Penetration Tester in Your Network (and Catch the Real Bad Guys at the Same Time)

I’ve been re-reading the Mandiant report on the notorious APT1 group, and it occurred to me that the tools and techniques used by this relatively unsophisticated (but very successful) group are similar to those used by penetration testers. That isn’t to say that penetration testers, or pen testers as they are colloquially…


Lessons learned from 50 USB bugs

USB hosts are everywhere – laptops, TVs, tablets, car infotainment systems, even aeroplane seat-backs. All of these hosts need to understand the capabilities of devices that are connected to them – a process known as enumeration. It is basically a conversation between the device and the host upon insertion…