Today we release multiple vulnerabilities affecting Dell EMC Networker to the public. These issues can be exploited as an unauthenticated user in order to gain arbitrary file read or remote command execution.

This report outlines vulnerabilities found in Askey TCG300 cable modems provided by Orange Belgium to its subscribers. The modems are vulnerable to authenticated and unauthenticated remote code execution through the web administration server. These vulnerabilities arise from memory corruptions due to insecure function calls when handling HTTP requests. By exploiting these vulnerabilities, an attacker can gain unauthorized access to Orange Belgium customers LAN, fully compromise the router, and leave a persistent backdoor allowing direct remote access to the network.

In a previous life I came upon Dell EMC Networker in different environments and found different ways to exploit the nsrexecd daemon in similar ways than CVE-2017-8023, without ever being 100% sure that it indeed was that specific CVE. The CVE description clearly mentions “unauthenticated remote code execution vulnerability in the Networker Client execution service (nsrexecd) when oldauth authentication method is used”, so I decided to investigate Networker authentication mechanisms by the end of 2020.

This report outlines the VOOdoo vulnerabilities found in NETGEAR CG3100 and CG3700B cable modems provided by VOO to its subscribers. These modems use a weak algorithm to generate default WPA2 pre-shared keys, allowing an attacker in reception range of a vulnerable modem to derive the WPA2 pre-shared key from the access point MAC address. The modems are also vulnerable to remote code execution through the web administration panel. By chaining these vulnerabilities an attacker can gain unauthorized access to VOO customers LAN (over the Internet or by being in reception range of the access point), fully compromise the router, and leave a persistent backdoor allowing direct remote access to the network.

Starting around mid-december 2020, I started receiving a lot of sponsored content from Huawei about the decision that Belgium authorities took to block Huawei 5G gear from being deployed. The campaign was quite aggressive, so I took screenshots with the idea of coming back to it in the future.

In early 2019, I had to assess the latest version (at the time) of Pulse Secure Connect Client, an IPSEC/SSL VPN client developed by Juniper. Given that the client allow end users to save their credentials, one of my tests included verifying how an attacker could recover them. The attacker perspective was simple: access to an employee's laptop (either physical access or remote access with low privileges). Note that the ability to recover credentials can have serious effects given that they are *almost always* domain credentials.

This is the second part of a two part blog series on patch diffing Cisco RV firmware where I try to identify fixed flaws (namely CVE-2020-3323, CVE-2020-3330, and CVE-2020-3332). In the first part we identified the static credentials present in Cisco RV110 firmware up to version 1.2.2.5 included. In this post, we will perform more serious patch diffing to identify memory corruption and command injection issues in order to provide reduced test cases that can be used to develop a fully working exploit.

I received an email last week from someone looking into vulnerabilities affecting Cisco RV110W. They were wondering if I had any information about CVE-2020-3323, CVE-2020-3330, or CVE-2020-3331 that were released at the same time than the ones I had found. As I went through the advisories, I couldn't resist the urge to look into it, especially when these issues are similar to the ones I reported. I think it's a nice exercise in identifying my own blind spots :)

Cisco RV110W, RV130(W), and RV215W VPN routers are affected by authentication bypass, authenticated remote command execution, and information disclosure issues. By chaining them an unauthenticated remote attacker can fully compromise your device. Patch now.

A few months ago, Pentest Partners published an article explaining CVE-2019-1663, a stack buffer overflow affecting multiple low end devices from Cisco (RV110, RV130, RV225). I kinda missed doing binary exploitation on ARM based platform so I thought this would be a good opportunity to get back to it.

So this was an almost two years journey from initial report to this blog post series. I’ll now provide clear recommendations and a detailed coordinated disclosure timeline.

A few weeks passed after my report submission and I don’t know why but I had this realization: the custom protocol fingerpint is so unique that I should be able to identify these devices in Shodan. Immediately followed by no way people are exposing those devices publicly, this makes no sense.

In this fourth installation of my blog series about wireless presentation devices we’ll cover one of the part I really love: vulnerability research and development.

In this third installation of my blog series about wireless presentation devices, I’ll focus on how to discover exposed network services and how to reverse engineer proprietary network protocols.

In this post I’ll describe how I used hardware hacking techniques to get more information about the device and dump its internal storage.

Back in 2017 a small device appeared on my desk. A wireless presentation device that one of our customers wanted to deploy on its premises, but not before we had audited it first.

During a recent security audit I discovered a Node-RED instance running on the target server. I initially discarded it as being an offline editor to draw diagrams but then came back to it and figured out some of its features could be abused to gain remote command execution on the hosting server.

With the next rounds of elections approaching in Belgium (municipal elections in October 2018, federal elections in June 2019), I decided to take a look at the new system currently under development.

I recently came upon a Telnet-based service that was previously unidentified by network scanning tools. This blog post describes my encounter with this service and how I used Nmap fingerprinting and scripting capabilities to add detection, and Metasploit to gain command execution on it.

The introduction of Cottontail, a tool to capture all RabbitMQ messages being sent through a broker.

Ogone is an online payment service provider and payment risk management company that has been part of Ingenico since 2014. They started providing a mobile payment library for both iOS and Android to their clients back in 2012. One of the first organization publicly advertising its use of this mobile payment library is SNCB/NMBS, the belgian public transportation company. I’ll describe here a few security vulnerabilities that are affecting this mobile library. Those vulnerabilities are now difficult to exploit due to security mechanisms that have been put in place in Android by Google since 2012, that’s why I’ll try to give an historical perspective to those vulnerabilities so everyone can fully understand impact.

I've been invited to take part to a radio talk show this morning as a "Security Expert". Imposter syndrome apart, it is really hard to convey key talking points to a non-technical crowd within a few minutes. The aim of this article is to share my views on the subject in a more detailed and documented way.

I always worked for the red team but as I was going through my spam folder this morning I decided I’d give a try at analyzing malicious attachments. I also secretly always wanted to check out Didier Stevens’ oledump tool so this was a good excuse :)

Trend Micro Virtual Mobile Infrastructure is affected by a remote command execution vulnerability. This vulnerability can be exploited by authenticated user on the web administration panel of VMI to gain remote command execution with root privileges.

Trend Micro Safe Sync for Enterprise is affected by a remote command execution vulnerability. This vulnerability can be exploited by authenticated user on the web administration panel of Safe Sync for Enterprise to gain remote command execution with root privileges.

Trend Micro Smart Protection Server is affected by 3 directory traversal vulnerabilities, 9 vectors to gain remote command execution, and another to obtain elevated privileges from there. Those vulnerabilities can be exploited by authenticated user on the web administration panel of TMSPS.

Depuis la mise en fonction des systèmes de vote électronique en Belgique, chaque année d’élection a apporté son lot de problèmes techniques et de bugs à corriger. Certains plutôt risibles, d’autres carrément inquiétants. Grâce à une requête en transparence administrative effectuée par poureva en 1997 ayant obtenue gain de cause en 2001, le Ministère de l’Intérieur met à disposition le code source de ses applications destinées au vote électronique. Or, depuis cette date, aucun organisme indépendant excepté afront ne s’est lancé dans une analyse complète de ceux-ci. Plusieurs analyses “haut niveau” ont été effectuées par poureva, l’une abordant l’adn du code, le threat vector et le bug2505.

I recently had to play with BlackBerry devices during a penetration testing engagement. It’s quite difficult to find reliable information online about legacy devices (running BBOS < 7.x) so I though it would be a nice idea to share this here.

I’ve been playing with the android emulator recently and I kept thinking about how malwares could be using that emulator console to - quite aggresively - evade dynamic analysis by just killing the emulator that is used to analyze them.

I’m currently writing a tool to automate Android applications penetration testing and I discovered a bug in the Android emulator during this process.