ZTE MF910 – An end of life router, running lots of vivacious hidden code

You might be here because you saw our talk at Defcon 27. You might want to watch that for the full rundown! The ZTE MF910 is a really interesting router for reversing, mainly because it’s full of nice debug calls, and underused functionality. Also, it’s never going to get patched, and it’s really...

Breaking the Android Bootloader on the Qualcomm Snapdragon 660

This post is a companion to the DEF CON 29 video available here. A few months ago I purchased an Android phone to do some research around a specific series of NFC chips, which required me to gain root access to the device in order to fully access its hardware capabilities. Gaining root access on...

Hive Ransomware is on the rise. How should you deal with it?

Why Now? Hive is not a new problem. It first surfaced in 2021 but it’s becoming a much bigger issue now. This is due to a growing number of affiliates and therefore attacks. 2022 has seen more widespread country and industry target interest too. Ransomware growth in general is becoming a massive...

Follina 0day exploit. Malicious code execution in Office docs

Disclaimer: I know this isn’t a unique post on the subject, and that many other outlets are covering it, but this zero-day is so serious that it needs as much coverage as possible. It simply needs shouting about. Updated 06/06/2022 following advice from Microsofts @reybango. The vulnerability was...

Reverse Engineering Tesla Hardware

TL;DR How does the Tesla Model S update its firmware? What did we find when reverse engineering the display and instrument cluster? Here’s the result of a couple of weeks work, working on a real vehicle that mostly worked after we had finished. Part 1: analysing the hardware, complete with a 14...

CVE-2020-1472/Zerologon. As an IT manager should I worry?

TL;DR Yes, apply the update from Microsoft. The new MS08-067? CVE-2020-1472 is an elevation of privilege vulnerability in a cryptographic authentication scheme used by the Netlogon service and was discovered and named Zerologon by Tom Tervoort at Secura. It does not require authentication. It can...

Reverse Engineering the Tesla Firmware Update Process

TL;DR How does the Tesla Model S update its firmware? What did we find when reverse engineering the display and instrument cluster? Here’s the result of a couple of weeks work, working on a real vehicle that mostly worked after we had finished. Part 1: analysing the hardware, complete with a 14...

EFB Tampering 3. Take-off pt2

Take-off Performance Part 2: Flap, Trim, Database and Sources of Data Target: FLAP SETTING There are various forms of flaps and slats. The difference between the two and the technicalities of how they work is outside the scope of this blog. As a general rule flaps extend from the rear/trailing ed...

Smart male chastity lock cock-up

TL;DR Smart Bluetooth male chastity lock, designed for user to give remote control to a trusted 3rd party using mobile app/API Multiple API flaws meant anyone could remotely lock all devices and prevent users from releasing themselves Removal then requires an angle grinder or similar, used in clo...

Cobalt Strike. Walkthrough for Red Teamers

What is Cobalt Strike? Raphael Mudge is the creator of Cobalt Strike CS, around 2010 he released a tool titled Armitage, which is described by wikipedia as a graphical cyber-attack management for the Metasploit Project, to put this more bluntly, Armitage is a gui that allows you to easily navigat...

The Cloud in the clouds

Heading back to the airport to sit in another 747 pilot seat chair is always exciting. After our first research session on a grounded airplane this time we spent more time looking at the IFE In-Flight Entertainment system. We found very different results from the first plane. Rather than an old...

Double-Free RCE in VLC. A honggfuzz how-to

Introduction I spent three months working on VLC using Honggfuzz, tweaking it to suit the target. In the process, I found five vulnerabilities, one of which was a high-risk double-free issue and merited CVE-2019-12874. Here’s the VLC advisory . Here’s how I found it. I hope you find the how-to...

Breaking (bad) firmware encryption. Case study on the Netgear Nighthawk M1

TL;DR The firmware encryption for the Netgear Nighthawk M1 is mainly XOR. It’s possible to derive the XOR key by statistical analysis, just from the firmware update file itself. It’s then possible to extract an AES key from what’s XOR’d, which can be used to decrypt other parts of the firmware...

Bloodhound walkthrough. A Tool for Many Tradecrafts

A walkthrough on how to set up and use BloodHound BloodHound is an application used to visualize active directory environments. The front-end is built on electron and the back-end is a Neo4j database, the data leveraged is pulled from a series of data collectors also referred to as ingestors whic...

Time Travel Debugging: finding Windows GDI flaws

Introduction Microsoft Patches for October 2018 included a total of 49 security patches. There were many interesting ones including kernel privilege escalation as well as critical ones which could lead to remote code execution such as the MSXML one. In this post we will be analysing a case of a W...

Oracle MAF store bypass, a how-to

On a recent assignment I was asked to look at the security of a cloud-based solution for expenses, the Oracle® ExpensesCloud with Fusion applications. It was being used for employees to create/save/edit/submit claims to the employer. TL;DR Having default hardcoded credentials allows an attacker...

Understanding Binary and Data Representation with CyberChef

A significant part of reverse engineering and attacking devices relies on viewing and recognising data in various forms and working out how to decode it. We typically use Linux tools and scripts to do this, but you can make the first few steps using a really neat online tool called CyberChef. Wha...

Reverse Engineering 4G Hotspots for fun, bugs and net financial loss

a.k.a. 4G hotspots and their Discontents You might be here because you saw our talk at Defcon 27. You might want to watch that for the full rundown! TL;DR We found multiple vulnerabilities in several well known vendors Mi-Fi devices, including pre- and post-auth command injection and code executi...

Don’t ‘Roley’ your own encryption, says Bob the Builder

The Uplogix 3200 is a console server for out-of-band management. It claims ‘high security’ as it’s a closed appliance with a locked-down OS. We were a little surprised therefore to find security flaws in the method they use to protect passwords on the device. We were even more surprised by their...

Azure AD. Attack of the Default Config

Uncloaking dangerous and default configurations within Azure. TL; DR There are several default configurations within the admin portal of Azure. The main affected area is Azure Active Directory Azure AD which is the primary area that controls user authentication, group memberships and privileges...

Dumping LSASS in memory undetected using MirrorDump

Introduction As I am sure some of you are aware from the occasional ramblings and screenshots on twitter, I am a big fan of .NET based offensive tooling. Not because it’s trendy or cool, but because of the development speed and ease of testing and debugging in comparison to C/C++. A month or so a...

PTP at DEF CON 27

Here's the lowdown on our 14 DEF CON 27 talks, workshops, and panel sessions: Main Stage Track 3 Paris: Saturday 13:00 Chris Wade presents Tag-side attacks against NFC Track 2 Paris: Saturday 15:00 G Richter presents Reverse-Engineering 4g Hotspots for Fun, Bugs and Net Financial Loss Villages...

Vehicle Telematics Security; getting it right

We spend a LOT of time looking at vehicle telematics security, sometimes on client projects but mostly doing vanilla research on telematics components that we’ve bought ourselves, or investigating our own vehicles. We have a pile of vehicle TCUs here that’s several feet high, plus a couple of...

Vulnerabilities that aren’t. Cross Site Tracing / XST

This is the first of my posts that explain why some common security vulnerabilities are most likely not real threats. They should be treated as security enhancements rather than vulnerabilities. Bearing in mind the number of scanning tools that rate such vulnerabilities as "high" its no wonder...

Hardware Router CTF

Here at Pen Test Partners we love hardware and also love a good CTF. So here's how I figured out my way through the hardware CTF that PTP set as a pre-requisite for some interviews. I'm pretty new to hardware, so learned quite a bit along the way. We have now moved on to a new 'interview' CTF so,...

Hacking Serial Networks on Ships

Three different ways to intercept and modify serial data on ship networks. The serial data that controls steering, engine control and so much more on board ship… How-to Vessels typically have two distinct networks on board; one IP/ethernet network for business systems, crew mail & web browsing an...

Hacking Swann & FLIR/Lorex home security camera video

A few weeks back we read a story on the BBC web site about a BBC employee seeing someone else’s video footage on the mobile app for their home security camera. It wasn’t clear how this happened, but we were intrigued, so we bought several of the cameras in question to see for ourselves. We put a...

Are you sharing your address on social media?

Do you share your full address on social media? No, of course not, or at least I hope you are not. But are you sharing enough information for someone to work out your address? Maybe! Over time we share seemingly small amounts of information that put together could allow attackers to find your...

Bridging the gaps between Red and Blue teaming

Red Team, Blue Team, Purple Team, Black Team… Rainbow team? What are all of these things and what do they all mean? Is this a new case of a new found buzzword bingo or do they have a place and a purpose? The coloured teams are something that is thrown around a lot and while some of them are bette...

eyeDisk. Hacking the unhackable. Again

Last year, about the time we were messing around with a virtually unheard-of hardware wallet we got a bit excited about the word “unhackable”. Long story short, I ended up supporting a selection of kickstarters that had the word “unhackable” or similar in their title. Of these, at least one got...

FLIR FX / Lorex video stream hijack: Disclosure train wreck

We found that anyone could access any video stream for certain Swann wireless home security cameras. The technical detail is here. It was a consequence of weak authorisation by the cloud service provider, Ozvision. They claim to provide the back end to 3 million cameras, so we started looking at...

Black Basta ransomware

What is Black Basta ransomware? Black Basta is a threat group that provides ransomware-as-a-service RaaS. The service is maintained by dedicated developers and is a highly efficient and professionally run operation; theres a TOR website that provides a victim login portal, a chat room, and a wall...

CVE-2019-12103 – Analysis of a Pre-Auth RCE on the TP-Link M7350, with Ghidra!

TL;DR The TP-Link M7350 V3 is affected by a pre-authentication CVE-2019-12103, and a few post-authentication CVE-2019-12104 command injection vulnerabilities. These injections can be exploited remotely, if the attacker is on the same LAN or otherwise able to get access to the router web interface...

Smart car chargers. Plug-n-play for hackers?

Over the last 18 months, we’ve been investigating the security of smart electric vehicle chargers. These allow the owner to remotely monitor and manage the charge state, speed and timing of their car charger, among many functions. We bought 6 different brands of chargers and also reviewed securit...

The not so ultra lock

This post couldn't have been written without @evstykas and @cybergibbons. I became aware of the Ultraloq from U-tec a few months ago. For a room door lock it has a range of what look like really good features: Ultraloq UL3 smart lever lock is designed to be "Real Keyless". You are free to use...

Docker Desktop for Windows PrivEsc (CVE-2020-11492)

TL;DR Docker Desktop for Windows suffers from a privilege escalation vulnerability to SYSTEM. The core of the issue lies with the fact that the Docker Desktop Service, the primary Windows service for Docker, communicates as a client to child processes using named pipes. The high privilege Docker...

OpSec Leaky Images

Hackers love your marketing department. Fact! Your marketing department love telling the world what happens in your company, then they attach images to the posts, often of staff at work. They ensure the subject is central and the image tells a story. The problem is often they tell hackers a...

Security vs User Journey

Something I often think about is how my recommendations for clients to fix small security issues can spoil / complicate their users journey. UX matters I understand that UX is hugely important, even subtle changes can influence whether a journey is completed or abandoned. The difference between...

Covert Keylogging: Sniping your Typing

There have been many attempts at making key logging devices or software over the years, however, whilst a DIY solution is usually made from large Raspberry Pi devices or Arduino boards, the KeyLogger PRO offering from Maltronics has raised a few eyebrows with regards to the wealth of features...

Cisco device config dumping

Quick guide to recovering configs from Cisco switches and routers We have recently done work in situations where recovering the Cisco config from one device e.g. an edge switch can give us useful information. This includes: VLANs even for VLANs that are not used on that piece of equipment Which...

Abusing RDP’s Remote Credential Guard with Rubeus PTT

TL;DR Microsoft’s Remote Credential Guard RCG for RDP protects creds if an RDP server is compromised. It leaves little scope for password or NTLM credential dumping when a user connects to the server. It does however introduce workstation attack vectors. Abusing a user’s Kerberos token allows...

Vulnerabilities that aren’t. ETag headers

This time were looking at the ETag Entity Tag header. I take some of the blame for this one as I first added a dissector of the header to Nikto’s headers plugin back in 2008, then other scanners added it. What Is It? The header is a simplistic method of helping the user-agent identify whether it...

Cisco RV130 – It’s 2019, but yet: strcpy

Yesterday Cisco released an advisory for CVE-2019-1663 – a pre-authentication code execution vulnerability in the RV110W, RV130W and RV215W router series. If you own one of the affected devices, check out that link for all remediation advice, including a new, patched firmware. We were one of two...

Burning down the house with IoT

For years we’ve been trying to set fire to ‘smart’ things by hacking them. We got some charring on the iKettle, but nothing more. Then we found some smart hair straighteners. The Glamoriser straighteners were promoted heavily on TV at Christmas; they piqued my interest because of the BLE...

Tour de Peloton: Exposed user data

An unauthenticated user could view sensitive information for all users, and snoop on live class statistics and its attendees, despite having a private mode. TL;DR Information disclosed included: - User IDs - Instructor IDs - Group Membership - Location - Workout stats - Gender and age - If they a...

SNMP – Simply Not My Problem. Or is it?

TL;DR: Use SNMPv3; long gone is default community strings, hello complex passwords! Remove from the internet, if required, implement a VPN solution to restrict access to only authorised parties. SNMP is a protocol used for the remote management of devices on a network. By remote, we mean access...

EFB Tampering 1. Introduction and Class Differences

TL;DR Electronic flight bags EFBs are devices that flight crews use to help with flight management tasks Different airlines use different devices e.g. iPads, netbooks, custom devices Some are carried on by flight crew, others are built-in to the cockpit Some important functions are carried out by...

How to make a software BTRFS RAID1 with LUKS2 FDE

The guide below is simplified in a way that preparing the boot partition is not covered. Software based btrfs RAID1 requires two devices, which conceptually dont even need to be on different disks. But for obvious reasons, its a good idea if they are… Having mirroring against encrypted storage...

Hacking Hardware Password Managers: The RecZone

TL:DR Hardware security can be difficult to fathom, so I set out to research three password vaults as a newbie, sharing my findings. I picked three popular hardware vaults, each with different components, requiring different skills and equipment. Here's how I learned about disassembly, chipset...

How To Do Firmware Analysis. Tools, Tips, and Tricks

So, you’ve got a firmware dump. Perhaps a raw read off a chip? An update file you downloaded off the internet? Now what? Taking a firmware dump and turning it into something useful can sometimes be painful. Sometimes you’ll be faced with proprietary barely documented file formats, strange raw dat...