Shielder

Shielder - Information Security Company.

16/01/2025

🚨 New Open Source Audit Alert! 🚨

Shielder, with Open Source Technology Improvement Fund, Inc (OSTIF) & Cloud Native Computing Foundation (CNCF), audited karmada-io:

🔍 6 issues found (1 high, 1 medium, 2 low, 2 info)
✔️ Most fixed, others planned.
🗣️ to SuidPit and TheZero

Full details in the blog post!

https://www.shielder.com/blog/2025/01/karmada-security-audit/

22/10/2024

Attending in the beautiful Bali🏝️?
Make sure not to miss suidpit's talk about his novel research on the macOS 🍎 sandbox and how to bypass it.
🗓️ Wednesday, October 23 - 15:10

20/09/2024

For the weekend, we gift you with not one, but TWO ways to escalate `sudo iptables` (+ a couple other boring preconditions) into a r00t shell - read how smaury and suidpit managed to climb your friendly neighborhood 🔥wall!

In this post, we demonstrate two techniques allowing a low privileged user to escalate their privileges to root in case they can run iptables and/or iptables-save as

22/05/2024

Back in December 2023 our researchers TheZero, SuidPit, and Mindless performed an audit sponsored by AWS and facilitated by OSTIF on Boost.

It resulted in 7 findings and 15 new fuzzers.

The report is now public, check the details here:

Boost Security Audit, sponsored by Amazon Web Services (AWS), facilitated by Open Source Technology Improvement Fund (OSTIF) and performed by Shielder.

29/03/2024

We recently partnered with the Open Source Technology Improvement Fund (OSTIF) to perform a security audit sponsored by Amazon (AWS) on Bref.
The audit resulted in 5 findings, promptly addressed by Matthieu Napoli.
The report is now public, check the details here:

Bref Security Audit, sponsored by Amazon Web Services (AWS), facilitated by Open Source Technology Improvement Fund (OSTIF) and performed by Shielder.

30/01/2024

Ever wondered how to binary diff router firmwares to write n-day exploits?
Learn how TheZero and Suidpit combined unblob, binexport, ghidra, Qiling, and an Asus router to write an exploit for CVE-2023-39228.
The outcome was unexpected ...

While attending Silvio Cesare's training at Cyber Saiyan's RomHack, TheZero and Suidpit chose to do some practice. While looking at the news they learned about some recently disclosed unauthenticated RCEs in ASUS routers.

They quickly bin-diffed the firmware versions, found the vulnerabilities, emulated the vulnerable firmware, and wrote an exploit for one of them.
This was so fast they had a working exploit even before jumping off the way back 🚂.

Once at home they used their research budget to buy a real device and prove the vulnerability there too, but ... it was not working 🤯
Know what? The vulnerability was not unauthenticated on the physical device!

After some intense debugging sessions they discovered that not only that one but also a lot of other ASUS routers' vulnerabilities were probably incorrectly deemed as unauthenticated.

Apparently most of the researchers are either keeping an authentication bypass private or they do their research in emulated environments only and no one ever checked the vulnerabilities before issuing the CVE numbers and releasing the advisories.

TL;DR
Product security folks: do not blindly trust the attack requirements shared by the researchers.
Security researchers: when testing embedded devices make sure to correctly mimic all their configurations (i.e. the NVRAM content).

Notes on patch diffing, reverse engineering and exploiting CVE-2023-39238, CVE-2023-39239, and CVE-2023-39240.

24/10/2023

Join Suidpit 🩺 in his journey into executing arbitrary code in 🏥 servers with files by creating an for CVE-2023-33466!

A recently disclosed CVE for the Orthanc DICOM server can be used to obtain Remote Code Execution. As a PoC was not available, we wrote one.

10/07/2023

Time to pop something out of our publication queue!
Learn how Paupu found a way to combine and privileges to escalate his privileges in a fairly complex environment.

How to escalate your privileges in AWS by abusing CodeBuild and S3 permissions.

05/09/2022

During a Red Teaming Assessment Maurizio Abdel Adim Oisfi and TheZero exploited CVE-2022-35405 on a ManageEngine Password Manager Pro instance, reversed the encryption/decryption routine to get the plaintext passwords and gain Domain Admin rights - learn how!

Reverse engineering and analysis of a fiscal printer device for fun and (real) profit.

16/05/2022

Wanna learn how to turn the SpiceT local vulnerabilities into a remote root chain?
Check out part 2 - expect some spaghetti code, old vulnerabilities, and bad design.

Reverse engineering and analysis of a fiscal printer device for fun and (real) profit.

Address

Via Palestro 1/C
Pinerolo
10064
