RFID: Monotonic Counter Anti-Tearing Defeated

Tear-off techniques to the next level.

more ...

Audit of Session Secure Messaging Application

Oxen mandated Quarkslab to perform an audit of their instant messaging solution Session . This application, forked from Signal, aims to improve users privacy by using an onion routing mechanism . This mechanism differs from Tor's one by requiring a deposit in their own cryptocurrency to operate a Service Node (Snode ), the Oxen equivalent of a Tor Entry, Relay or Exit Node. While reviewing the architecture of this solution, we found some issues and provided recommendations to improve parts of the implementations.

more ...

Remote Denial-of-Service on CycloneTCP : CVE-2021-26788

This post is a quick vulnerability report summary for a vulnerability we found while fuzzing the TCP/IP stack CycloneTCP.

more ...

Analysis of a Windows IPv6 Fragmentation Vulnerability: CVE-2021-24086

In this blog post we analyze a denial of service vulnerability affecting the IPv6 stack of Windows. This issue, whose root cause can be found in the mishandling of IPv6 fragments, was patched by Microsoft in their February 2021 security bulletin.

more ...

Extending Emuroot: support for Android 10 & 11

A quick introduction to Android Emuroot, a Python script that allows to get root privileges on the fly on an Android Virtual Device (AVD). It explains the reverse engineering steps needed for the script to work with recent AVDs and provides a preview of specific Linux kernel structures in memory.

more ...

QBDI 0.8.0

This blog post introduces the release 0.8.0 of QBDI.

more ...

Bad Neighbor on FreeBSD: IPv6 Router Advertisement Vulnerabilities in rtsold (CVE-2020-25577)

This blog post provides details about four vulnerabilities we found in the IPv6 stack of FreeBSD, more specifically in rtsold(8), the router solicitation daemon. The bugs affected all supported versions of FreeBSD, and the most severe of them could allow an attacker attached to the same physical link to gain remote code execution as root on vulnerable systems. The vulnerabilities were discovered and reported to FreeBSD Security Team in November 2020. FreeBSD issued fixes for these bugs on December 1st, 2020 along with security advisory FreeBSD-SA-20:32.rtsold.

more ...

Technical Assessment of the herumi Libraries

The Ethereum Foundation mandated Quarkslab to perform an audit of the herumi libraries. They provide an API to perform BLS signatures, one of the core components of the new iteration of the Ethereum blockchain, named Ethereum 2.0. While reviewing the architecture of these libraries, their back ends and the adherence with the ongoing RFCs to standardize BLS signature usage, we found some issues primarily regarding their design. Although these are not considered critical, they impact the overall reliability of the libraries. We provide recommendations to improve the design of the libraries, the readability of the code and the usability of both projects.

more ...

RFID: New Proxmark3 Tear-Off Features and New Findings

Latest news from the Proxmark3 world, crunchy bits included...

more ...

How the MSVC Compiler Generates XFG Function Prototype Hashes

Microsoft is currently working on Xtended Flow Guard (XFG), an evolved version of Control Flow Guard (CFG), their own control flow integrity implementation. XFG works by restricting indirect control flow transfers based on type-based hashes of function prototypes. This blog post is a deep dive into how the MSVC compiler generates those XFG function prototype hashes.

more ...