• Jun 12, 2021

    So Many Ways to Own Dell EMC Networker

    Today we release multiple vulnerabilities affecting Dell EMC Networker to the public. These issues can be exploited as an unauthenticated user in order to gain arbitrary file read or remote command execution.
  • Apr 25, 2021

    A Clockwork Orange - Remotely Compromising Orange Belgium Cable Modems

    This report outlines vulnerabilities found in Askey TCG300 cable modems provided by Orange Belgium to its subscribers. The modems are vulnerable to authenticated and unauthenticated remote code execution through the web administration server. These vulnerabilities arise from memory corruptions due to insecure function calls when handling HTTP requests. By exploiting these vulnerabilities, an attacker can gain unauthorized access to Orange Belgium customers LAN, fully compromise the router, and leave a persistent backdoor allowing direct remote access to the network.
  • Mar 11, 2021

    Dell EMC Networker - oldauth is not auth !

    In a previous life I came upon Dell EMC Networker in different environments and found different ways to exploit the nsrexecd daemon in similar ways than CVE-2017-8023, without ever being 100% sure that it indeed was that specific CVE. The CVE description clearly mentions “unauthenticated remote code execution vulnerability in the Networker Client execution service (nsrexecd) when oldauth authentication method is used”, so I decided to investigate Networker authentication mechanisms by the end of 2020.

  • Mar 9, 2021

    VOOdoo - Remotely Compromising VOO Cable Modems

    This report outlines the VOOdoo vulnerabilities found in NETGEAR CG3100 and CG3700B cable modems provided by VOO to its subscribers. These modems use a weak algorithm to generate default WPA2 pre-shared keys, allowing an attacker in reception range of a vulnerable modem to derive the WPA2 pre-shared key from the access point MAC address. The modems are also vulnerable to remote code execution through the web administration panel. By chaining these vulnerabilities an attacker can gain unauthorized access to VOO customers LAN (over the Internet or by being in reception range of the access point), fully compromise the router, and leave a persistent backdoor allowing direct remote access to the network.
  • Dec 29, 2020

    Huawei Weird Attempt at Astroturfing Brussels

    Starting around mid-december 2020, I started receiving a lot of sponsored content from Huawei about the decision that Belgium authorities took to block Huawei 5G gear from being deployed. The campaign was quite aggressive, so I took screenshots with the idea of coming back to it in the future.

  • Oct 27, 2020

    Reversing Pulse Secure Client Credentials Store

    In early 2019, I had to assess the latest version (at the time) of Pulse Secure Connect Client, an IPSEC/SSL VPN client developed by Juniper. Given that the client allow end users to save their credentials, one of my tests included verifying how an attacker could recover them. The attacker perspective was simple: access to an employee's laptop (either physical access or remote access with low privileges). Note that the ability to recover credentials can have serious effects given that they are *almost always* domain credentials.
  • Oct 1, 2020

    Patch Diffing a Cisco RV110W Firmware Update (Part II)

    This is the second part of a two part blog series on patch diffing Cisco RV firmware where I try to identify fixed flaws (namely CVE-2020-3323, CVE-2020-3330, and CVE-2020-3332). In the first part we identified the static credentials present in Cisco RV110 firmware up to version included. In this post, we will perform more serious patch diffing to identify memory corruption and command injection issues in order to provide reduced test cases that can be used to develop a fully working exploit.
  • Sep 23, 2020

    Ghetto Patch Diffing a Cisco RV110W Firmware Update

    I received an email last week from someone looking into vulnerabilities affecting Cisco RV110W. They were wondering if I had any information about CVE-2020-3323, CVE-2020-3330, or CVE-2020-3331 that were released at the same time than the ones I had found. As I went through the advisories, I couldn't resist the urge to look into it, especially when these issues are similar to the ones I reported. I think it's a nice exercise in identifying my own blind spots :)
  • Jul 14, 2020

    Breaking Cisco RV110W, RV130, RV130W, and RV215W. Again.

    Cisco RV110W, RV130(W), and RV215W VPN routers are affected by authentication bypass, authenticated remote command execution, and information disclosure issues. By chaining them an unauthenticated remote attacker can fully compromise your device. Patch now.
  • Aug 30, 2019

    Exploiting CVE-2019-1663

    A few months ago, Pentest Partners published an article explaining CVE-2019-1663, a stack buffer overflow affecting multiple low end devices from Cisco (RV110, RV130, RV225). I kinda missed doing binary exploitation on ARM based platform so I thought this would be a good opportunity to get back to it.
  • Apr 23, 2019

    Man-in-the-Conference Room - Part VI (Conclusion)

    So this was an almost two years journey from initial report to this blog post series. I’ll now provide clear recommendations and a detailed coordinated disclosure timeline.

  • Mar 28, 2019

    Man-in-the-Conference-Room - Part V (Hunting OEMs)

    A few weeks passed after my report submission and I don’t know why but I had this realization: the custom protocol fingerpint is so unique that I should be able to identify these devices in Shodan. Immediately followed by no way people are exposing those devices publicly, this makes no sense.

  • Mar 27, 2019

    Man-in-the-Conference-Room - Part IV (Vulnerability Research & Development)

    In this fourth installation of my blog series about wireless presentation devices we’ll cover one of the part I really love: vulnerability research and development.
  • Mar 26, 2019

    Man-in-the-Conference-Room - Part III (Network Assessment)

    In this third installation of my blog series about wireless presentation devices, I’ll focus on how to discover exposed network services and how to reverse engineer proprietary network protocols.
  • Mar 25, 2019

    Man-in-the-Conference-Room - Part II (Hardware Hacking)

    In this post I’ll describe how I used hardware hacking techniques to get more information about the device and dump its internal storage.
  • Mar 25, 2019

    Man-in-the-Conference-Room - Part I (Intro)

    Back in 2017 a small device appeared on my desk. A wireless presentation device that one of our customers wanted to deploy on its premises, but not before we had audited it first.
  • Sep 7, 2018

    Gaining RCE by abusing Node-RED

    During a recent security audit I discovered a Node-RED instance running on the target server. I initially discarded it as being an offline editor to draw diagrams but then came back to it and figured out some of its features could be abused to gain remote command execution on the hosting server.
  • Jun 18, 2018

    Shedding some light on the new Belgian eVoting system

    With the next rounds of elections approaching in Belgium (municipal elections in October 2018, federal elections in June 2019), I decided to take a look at the new system currently under development.
  • Feb 13, 2018

    OSGi Console - Gateway to (s)hell

    I recently came upon a Telnet-based service that was previously unidentified by network scanning tools. This blog post describes my encounter with this service and how I used Nmap fingerprinting and scripting capabilities to add detection, and Metasploit to gain command execution on it.
  • Aug 28, 2017

    How to silently capture RabbitMQ messages

    The introduction of Cottontail, a tool to capture all RabbitMQ messages being sent through a broker.
  • Mar 23, 2017

    A look at Ogone mobile payment library

    Ogone is an online payment service provider and payment risk management company that has been part of Ingenico since 2014. They started providing a mobile payment library for both iOS and Android to their clients back in 2012. One of the first organization publicly advertising its use of this mobile payment library is SNCB/NMBS, the belgian public transportation company. I’ll describe here a few security vulnerabilities that are affecting this mobile library. Those vulnerabilities are now difficult to exploit due to security mechanisms that have been put in place in Android by Google since 2012, that’s why I’ll try to give an historical perspective to those vulnerabilities so everyone can fully understand impact.
  • Feb 5, 2017

    My views on hacking and electronic voting

    I've been invited to take part to a radio talk show this morning as a "Security Expert". Imposter syndrome apart, it is really hard to convey key talking points to a non-technical crowd within a few minutes. The aim of this article is to share my views on the subject in a more detailed and documented way.
  • Jan 29, 2017

    Analyzing maldocs with oledump

    I always worked for the red team but as I was going through my spam folder this morning I decided I’d give a try at analyzing malicious attachments. I also secretly always wanted to check out Didier Stevens’ oledump tool so this was a good excuse :)
  • Oct 8, 2016

    Trend Micro Bug Hunting - Part III

    Trend Micro Virtual Mobile Infrastructure is affected by a remote command execution vulnerability. This vulnerability can be exploited by authenticated user on the web administration panel of VMI to gain remote command execution with root privileges.
  • Sep 6, 2016

    Trend Micro Bug Hunting - Part II

    Trend Micro Safe Sync for Enterprise is affected by a remote command execution vulnerability. This vulnerability can be exploited by authenticated user on the web administration panel of Safe Sync for Enterprise to gain remote command execution with root privileges.
  • Aug 8, 2016

    Trend Micro Bug Hunting - Part I

    Trend Micro Smart Protection Server is affected by 3 directory traversal vulnerabilities, 9 vectors to gain remote command execution, and another to obtain elevated privileges from there. Those vulnerabilities can be exploited by authenticated user on the web administration panel of TMSPS.
  • May 12, 2015

    How not to build an electronic voting system

    Depuis la mise en fonction des systèmes de vote électronique en Belgique, chaque année d’élection a apporté son lot de problèmes techniques et de bugs à corriger. Certains plutôt risibles, d’autres carrément inquiétants. Grâce à une requête en transparence administrative effectuée par poureva en 1997 ayant obtenue gain de cause en 2001, le Ministère de l’Intérieur met à disposition le code source de ses applications destinées au vote électronique. Or, depuis cette date, aucun organisme indépendant excepté afront ne s’est lancé dans une analyse complète de ceux-ci. Plusieurs analyses “haut niveau” ont été effectuées par poureva, l’une abordant l’adn du code, le threat vector et le bug2505.

  • Mar 30, 2015

    Legacy BlackBerry Penetration Testing

    I recently had to play with BlackBerry devices during a penetration testing engagement. It’s quite difficult to find reliable information online about legacy devices (running BBOS < 7.x) so I though it would be a nice idea to share this here.

  • Feb 10, 2015

    Using the Android qemu console for dynamic analysis evasion

    I’ve been playing with the android emulator recently and I kept thinking about how malwares could be using that emulator console to - quite aggresively - evade dynamic analysis by just killing the emulator that is used to analyze them.
  • Jan 6, 2015

    Hunting for bugs in the Android emulator

    I’m currently writing a tool to automate Android applications penetration testing and I discovered a bug in the Android emulator during this process.