Blogs

Moxa EDR-810 Command Injection and Logs disclosure

Abstract During an engagement for a client, RandoriSec found 2 vulnerabilities on Moxa EDR-810 Series Secure Routers. The first one is a command injection vulnerability found on the CLI allowing an authenticated user to obtain root privileges. And the other one is an improper access control found on the web server allowing to retrieve log files. As usual, we reported those issues directly to Moxa and ICS-CERT (Industrial Control Systems Cyber Emergency Response Team) in order to “responsible disclose” them.

Continue reading

[Publication] Le réel danger des biais cognitifs en cybersécurité

Dans le MISC Hors série n° 20 (octobre / novembre 2019), vous trouverez un article de votre serviteur sur les biais cognitifs et leur importance dans le traitement de la sécurité, en particulier dans les contextes de gestion d’incident majeur ou de crise (l’article reprend la trame de ma master class au FIC 2019). Les biais cognitifs sont des traitements cognitifs, c’est à dire des mécanismes de la pensée - relativement systématiques - qui provoquent une altération du raisonnement et du jugement tout en préservant l’apparence de la raison logique.

Continue reading

[Training/Conference] DeepSec 2019 - Mobile Hacking / Abusing Google Play Billing

RandoriSec is going back to DeepSec (Vienna, Austria) this year. Guillaume Lopes will give a talk about abusing the Google Play Billing API and he’ll give a training with Davy Douhine. The Mobile Hacking training, running the 27 and 28 November, is intended for penetration testers, bug bounty researchers or just curious who would like to improve their security testing skills applied to the mobile ecosystem. The objective of the course is to introduce the basic toolset (Adb, Apktool, Jadx, Cycript, Drozer, Frida, Hopper, Needle, etc.

Continue reading

[Training/Conference] Hack In Paris 2019

RandoriSec was at Hack In Paris 2019 and it was wonderful! This 9th edition took place at Maison de la Chimie in Paris (of course;)). The event was divided in two parts: June 16th to 18th: 3 days of trainings with 13 different subjects (IoT, ICS, Windows exploitation, Web and mobile hacking, etc.) June 19th to 20th: 2 days of talks with a unique track.

Continue reading

[s04e01] RCE on Geutebruck IP Cameras

Abstract Those who follow our blog know that we like Geutebruck cameras: we found many trivial RCE on their products since 2016. A few months ago two attendees (Guillaume Gronnier and Romain Luyer from CEIS) of one of our pentest training found new ways to exploit two old RCE we found two years ago ! We dug further and found an additional way and as a bonus a stored XSS has even been found by an attendee.

Continue reading

[Conference] HITB Amsterdam 2019

Again, RandoriSec was at Hack In The Box for the 2019 edition in Amsterdam! It was really great! The first 3 days of the event are dedicated for the trainings. About that, we heard that the training from Nicolas Grégoire (aka @Agarri) was really great and got very good feedback from the attendees. If you want to improve your skills on Burp Suite Pro, you should attend this training.

Continue reading

[Conference] CLUSIF - Gestion des incidents de sécurité : résilience et amélioration

La semaine dernière j’ai participé à la table ronde de la conférence du CLUSIF “Gestion des incidents de sécurité : résilience et amélioration.” Mon intervention présentait un travail de recherche effectué en 2016-2017, qui peut se résumer par une question: comment éviter que des biais cognitifs ou organisationnels n’impactent la gestion de la sécurité? En général les décisions en sécurité se prennent sur la base d’avis d’experts, de fournisseurs, de benchmarks ou de discussions avec les pairs.

Continue reading

[Publication] Outils (open-source et gratuits) pour l’audit d’intrusions d’applications web

Nous avons écrit un article sur les outils open-source et gratuits pour l’audit d’intrusions d’applications web qui a été publié dans le hors-série n.97 du magazine Linux Magazine sur “Les bonnes pratiques du développement sécurisé” publié l’été dernier. Le magazine vient d’ailleurs d’être réédité. Nous avions opté pour une licence CC dans le but de mettre l’article à disposition de tout le monde dès l’expiration des droits d’auteur. C’est chose faite !

Continue reading

[Conference] BSides Dublin 2019 – Abusing Google Play Billing for fun and unlimited credits!

The March 23th, Guillaume Lopes gave a talk at BSides Dublin about how to bypass the payment on Google Play Billing API. Synopsis: In 2017, the estimated global in-app purchase revenue was projected to exceed $37 billion. Just in the Google Play Store, for 2018, more than 200 000 apps are offering in-app purchases. However, the Google Play Billing API is not offering a sufficient level of protection in order to ensure the security of the payment transactions.

Continue reading

[PrivExchange] From user to domain admin in less than 60sec !

Dirk-jan Mollema, a pentester working for Foxit, found a very clever attack allowing any user, owning an Exchange mailbox, to obtain Domain Admin privileges. The attack has been unveiled last week, strangely without a lot of media coverage (but things seem to change, the daily blogpost of the SANS ISC covered the subject yesterday). As there is still no fix (think software patch to install) from Microsoft, the term “0day” is around.

Continue reading