Quantcast
Channel: /dev/posts/
Browsing latest articles
Browse All 100 View Live

The broadband protocol stacks

The Broadband Forum as a lot of technical reports about the xDSL architecture but it is not so easy to find a good description of the global architecture. Those are ASCII-art protocol stack I inferred...

View Article


Private PostgreSQL instance

How to create a private on-demand PostgreSQL instance accessible only for the local user over UNIX socket.

View Article


Intel AMT discovery

There has been some articles lately about Intel Active Management Technology (AMT) and its impact on security, trust, privacy and free-software. AMT supposed to be widely deployed in newest Intel...

View Article

OpenSSH ProxyUseFdPass

While looking at the OpenSSH ssh_config manpage, I found the ProxyUseFdpass configuration I did not know about. It is apparently not widely known or used.

View Article

Using dig as a LLMNR or mDNS CLI Lookup utility

I was looking for a LLMNR commandline lookup utility. Actually, dig can do the job quite fine.

View Article


Disable Certificate Verification on Android with Frida

Some notes about how to write a Frida script with the (somewhat classic) example of disabling certificate verification for TLS communications on Android applications.

View Article

DNS rebinding vulnerability in Samsung SmartTV UPnP

I found a DNS rebinding vulnerability on the Universal Plug-and-Play (UPnP) interface of the Samsung TV UE40F6320 (v1.0), from 2011. This could be used, for example, to change the channel, to know...

View Article

DNS rebinding and CSRF vulnerabilites on Samsung TV DIAL implementation

I found a DNS rebinding vulnerability as well as a Cross Site Request Forgery (CSRF) vulnerability on the DIAL (Discovery And Launch) implementation of the Samsung TV UE40F6320 (v1.0), from 2011. This...

View Article


Introduction to UPnP

This post gives simple explanations of how UPnP (Universal Plug-and-Play) works, especially with the goal of testing the security devices such as routers, smart TVs, etc.

View Article


Firefox DoH DNS rebinding protection bypass using IPv4-mapped addresses

I found that the filtering of private IPv4 addresses in the DNS-over-HTTPS (DoH) implementation of Firefox could by bypassed. This is CVE-2020-26961 and Mozilla bug 1672528. It has been fixed in...

View Article

TUN/TAP interface (on Linux)

Some notes about using the TUN/TAP interface, especially on Linux.

View Article

DNS rebinding explained

A quick summary about how DNS rebinding attacks work. The main motivation for this post is to have a diagram to show when explaining DNS-rebinding attacks.

View Article

DNS rebinding vulnerability in pupnp and npupnp

I found that pupnp was vulnerable to DNS rebinding attacks. npupnp, a fork a pupnp, was impacted as well. This is demonstrated using Gerbera a UPnP MediaServer.

View Article


DNS rebinding vulnerability in GUPnP

GUPnP, a GNOME library for Universal Plug and Play (UPnP), was vulnerable to DNS rebinding attacks. This is CVE-2021-33516 and GUPnP issue #24. This was fixed in GUPnP 1.0.7 and GUPnP 1.2.5.

View Article

CSRF to RCE in GeckoDriver

A Cross-Site Request Forgery (CSRF) vulnerability I found in GeckoDriver which could be used to execute arbitrary shell commands. CVE-2020-15660 has been assigned to this vulnerability. This was fixed...

View Article


Cross-origin/same-site request forgery to RCE in chromedriver

I found a cross-origin/same-site request forgery vulnerability in chromedriver. It was rejected (won't fix) because it is only possible to trigger this from the cross-origin/same-site and not...

View Article

What is in my COVID-19 vaccination certificate?

Manually inspecting the content of a French COVID-19 vaccination certificate QR code. The main intent is to show with a concrete example which data is actually included in the certificate.

View Article


Introduction to the Diffie-Hellman key exchange

The Diffie-Hellman (DH) key exchange (and variants thereof) is widely used in many protocols (such as TLS, SSH, IKE (IPSec), Signal, etc.) to bootstrap some symmetric key material which may then be...

View Article

Introduction to TLS v1.2

Some notes about how TLS v1.2 (Transport Layer Security) works. The goal explain what is going on in a network traffic dump, the role of the different TLS extensions, the impact of the different cipher...

View Article

DNS rebinding vulnerability to RCE in geckodriver

A DNS rebinding vulnerability I found in geckodriver which could be used to execute arbitrary shell commands. This is bug #1652612 and CVE-2021-4138.

View Article

CSRF and DNS-rebinding to RCE in Selenium Server (Grid)

Vulnerabilities in found on the WebDriver endpoints of Selenium Server (Grid).

View Article


Introduction to TLS v1.3

Some notes about how TLS v1.3 works. This is a follow-up of the previous episode about TLS v1.2. As before, the goal is to have a high-level overview about how the protocol works, what is the role of...

View Article


DNS rebinding on ReadyMedia/minidlna v1.3.0 and below

A DNS rebinding vulnerability I found in ReadyMedia (formerly MiniDLNA) v1.3.0 and below. This is CVE-2022-26505.

View Article

Lack of X.509 TLS certificate validation in OWASP ZAP

Lack of X.509 TLS certificate validation in OWASP ZAP (Zed Attack Proxy) could be used for man-in-the-middle attacks.

View Article

Browser-based attacks on WebDriver implementations

Some context and analysis about attacks on in WebDriver implementations.

View Article


Impact of the different Wifi security modes

Comparing the different Wifi/WPA authentication and key distribution methods (PSK, EAP, SEA).

View Article

Extract the schema from a remote LDAP server

How to extract the schema from a remote LDAP server and use it on a OpenLDAP instance.

View Article

Stable diffusion on an AMD Ryzen 5 5600G

Executing the stable diffusion text-to-image model on an AMD Ryzen 5 5600G integrated GPU (iGPU).

View Article

Switching from Docker to Podman

Some notes about using Podman instead of Docker, on Linux. This has been tested on Podman v3.4.7.

View Article



Entering in Podman containers

Some commands for interacting with the namespaces of Podman containers.

View Article

OAuth 2.x and OpenID Connect sequence diagrams

Some sequence diagrams about OAuth 2.x and OpenID Connect.

View Article

Using a Kap&Link smart card reader with CPS3 smart cards on Linux

Tutorial on how to get Carte Professionnel de Santé 3 (CPS3) smart cards work with Firefox under Linux with a Kap&Link smart card reader. It has some information to understand the related lingo,...

View Article

Code execution through MIME-type association of Mono interpreter

A dangerous file type association in Debian which could be used to trigger arbitrary code execution.

View Article


MIME-type spoofing in Firefox/Thunderbird and file managers

An interesting spoofing attack resulting from the interaction between Firefox (or Thunderbird) MIME types handling and file managers.

View Article

Arbitrary file write in Stellarium file association

I found an arbitrary file write vulnerability (through path traversal) which would be exploited for arbitrary code execution in Stellarium (desktop version).

View Article

Shell command and Emacs Lisp injection in emacsclient-mail.desktop

Shell command injection and Emacs Lisp injection vulnerabilities in one of the Emacs Desktop Entry (emacsclient-mail.desktop) leading to arbitrary code execution through a crafted mailto: URI.

View Article


Simple terminal image display using the iTerm2 image protocol

A simple way to display image in a terminal using the iTerm2 image protocol. This is supported by iTerm2, WezTerm, recent versions of Konsole.

View Article


Analysing structured log files with simple tools

Some tools and other notes when you just want to analyze your structured log files locally using simple tools with a focus for newline-delimited JSON (NDJSON) / JSON lines / JSON Text Sequences.

View Article

Arbitrary code execution through kitty-open.desktop file association

In Debian kitty package, the kitty-open.desktop file would associate kitty +open with several MIME types. This could be used to arbitrary trigger code execution by serving a file with such a MIME...

View Article

Protocol Stack Diagrams

A collection of ASCII-art protocol stack diagrams.

View Article

OpenSSH tunneling guide

The OpenSSH client has a lot of very powerful features for tunneling applications through a SSH connections and is one of my favorite tools for quick-and-dirty network plumbing tasks. It can be very...

View Article


Notes on X3DH

Some notes on X3DH (Extended Triple Diffie-Hellman).

View Article

UMA 2.0 diagrams

Some diagrams (mostly sequence diagrams) about UMA 2.0.

View Article


On ad blockers

An interesting note from the FBI.

View Article

WebSub sequence diagram

A sequence diagram for WebSub.

View Article


Bypassing XSS filters

In this post, I am describing some payloads which I used to bypass two distinct XSS filter implementations (such as Web Application Firewalls (WAF)) as well as the approach to design them.

View Article

GitHub Copilot instructions

Extracting the system prompt from GitHub CoPilot.

View Article

Transformer-decoder language models

Some notes on how transformer-decoder language models work, taking GPT-2 as an example, and with lots references in order to dig deeper.

View Article

Exposing services in/out Podman containers

Some more tips for interacting with the namespaces of Podman containers.

View Article


Neural Network Distillation

Overview of neural network distillation as done in “Distilling the Knowledge in a Neural Network” (Hinton et al, 2014).

View Article

Browsing latest articles
Browse All 100 View Live