The broadband protocol stacks
The Broadband Forum as a lot of technical reports about the xDSL architecture but it is not so easy to find a good description of the global architecture. Those are ASCII-art protocol stack I inferred...
View ArticlePrivate PostgreSQL instance
How to create a private on-demand PostgreSQL instance accessible only for the local user over UNIX socket.
View ArticleIntel AMT discovery
There has been some articles lately about Intel Active Management Technology (AMT) and its impact on security, trust, privacy and free-software. AMT supposed to be widely deployed in newest Intel...
View ArticleOpenSSH ProxyUseFdPass
While looking at the OpenSSH ssh_config manpage, I found the ProxyUseFdpass configuration I did not know about. It is apparently not widely known or used.
View ArticleUsing dig as a LLMNR or mDNS CLI Lookup utility
I was looking for a LLMNR commandline lookup utility. Actually, dig can do the job quite fine.
View ArticleDisable Certificate Verification on Android with Frida
Some notes about how to write a Frida script with the (somewhat classic) example of disabling certificate verification for TLS communications on Android applications.
View ArticleDNS rebinding vulnerability in Samsung SmartTV UPnP
I found a DNS rebinding vulnerability on the Universal Plug-and-Play (UPnP) interface of the Samsung TV UE40F6320 (v1.0), from 2011. This could be used, for example, to change the channel, to know...
View ArticleDNS rebinding and CSRF vulnerabilites on Samsung TV DIAL implementation
I found a DNS rebinding vulnerability as well as a Cross Site Request Forgery (CSRF) vulnerability on the DIAL (Discovery And Launch) implementation of the Samsung TV UE40F6320 (v1.0), from 2011. This...
View ArticleIntroduction to UPnP
This post gives simple explanations of how UPnP (Universal Plug-and-Play) works, especially with the goal of testing the security devices such as routers, smart TVs, etc.
View ArticleFirefox DoH DNS rebinding protection bypass using IPv4-mapped addresses
I found that the filtering of private IPv4 addresses in the DNS-over-HTTPS (DoH) implementation of Firefox could by bypassed. This is CVE-2020-26961 and Mozilla bug 1672528. It has been fixed in...
View ArticleTUN/TAP interface (on Linux)
Some notes about using the TUN/TAP interface, especially on Linux.
View ArticleDNS rebinding explained
A quick summary about how DNS rebinding attacks work. The main motivation for this post is to have a diagram to show when explaining DNS-rebinding attacks.
View ArticleDNS rebinding vulnerability in pupnp and npupnp
I found that pupnp was vulnerable to DNS rebinding attacks. npupnp, a fork a pupnp, was impacted as well. This is demonstrated using Gerbera a UPnP MediaServer.
View ArticleDNS rebinding vulnerability in GUPnP
GUPnP, a GNOME library for Universal Plug and Play (UPnP), was vulnerable to DNS rebinding attacks. This is CVE-2021-33516 and GUPnP issue #24. This was fixed in GUPnP 1.0.7 and GUPnP 1.2.5.
View ArticleCSRF to RCE in GeckoDriver
A Cross-Site Request Forgery (CSRF) vulnerability I found in GeckoDriver which could be used to execute arbitrary shell commands. CVE-2020-15660 has been assigned to this vulnerability. This was fixed...
View ArticleCross-origin/same-site request forgery to RCE in chromedriver
I found a cross-origin/same-site request forgery vulnerability in chromedriver. It was rejected (won't fix) because it is only possible to trigger this from the cross-origin/same-site and not...
View ArticleWhat is in my COVID-19 vaccination certificate?
Manually inspecting the content of a French COVID-19 vaccination certificate QR code. The main intent is to show with a concrete example which data is actually included in the certificate.
View ArticleIntroduction to the Diffie-Hellman key exchange
The Diffie-Hellman (DH) key exchange (and variants thereof) is widely used in many protocols (such as TLS, SSH, IKE (IPSec), Signal, etc.) to bootstrap some symmetric key material which may then be...
View ArticleIntroduction to TLS v1.2
Some notes about how TLS v1.2 (Transport Layer Security) works. The goal explain what is going on in a network traffic dump, the role of the different TLS extensions, the impact of the different cipher...
View ArticleDNS rebinding vulnerability to RCE in geckodriver
A DNS rebinding vulnerability I found in geckodriver which could be used to execute arbitrary shell commands. This is bug #1652612 and CVE-2021-4138.
View ArticleCSRF and DNS-rebinding to RCE in Selenium Server (Grid)
Vulnerabilities in found on the WebDriver endpoints of Selenium Server (Grid).
View ArticleIntroduction to TLS v1.3
Some notes about how TLS v1.3 works. This is a follow-up of the previous episode about TLS v1.2. As before, the goal is to have a high-level overview about how the protocol works, what is the role of...
View ArticleDNS rebinding on ReadyMedia/minidlna v1.3.0 and below
A DNS rebinding vulnerability I found in ReadyMedia (formerly MiniDLNA) v1.3.0 and below. This is CVE-2022-26505.
View ArticleLack of X.509 TLS certificate validation in OWASP ZAP
Lack of X.509 TLS certificate validation in OWASP ZAP (Zed Attack Proxy) could be used for man-in-the-middle attacks.
View ArticleBrowser-based attacks on WebDriver implementations
Some context and analysis about attacks on in WebDriver implementations.
View ArticleImpact of the different Wifi security modes
Comparing the different Wifi/WPA authentication and key distribution methods (PSK, EAP, SEA).
View ArticleExtract the schema from a remote LDAP server
How to extract the schema from a remote LDAP server and use it on a OpenLDAP instance.
View ArticleStable diffusion on an AMD Ryzen 5 5600G
Executing the stable diffusion text-to-image model on an AMD Ryzen 5 5600G integrated GPU (iGPU).
View ArticleSwitching from Docker to Podman
Some notes about using Podman instead of Docker, on Linux. This has been tested on Podman v3.4.7.
View ArticleEntering in Podman containers
Some commands for interacting with the namespaces of Podman containers.
View ArticleOAuth 2.x and OpenID Connect sequence diagrams
Some sequence diagrams about OAuth 2.x and OpenID Connect.
View ArticleUsing a Kap&Link smart card reader with CPS3 smart cards on Linux
Tutorial on how to get Carte Professionnel de Santé 3 (CPS3) smart cards work with Firefox under Linux with a Kap&Link smart card reader. It has some information to understand the related lingo,...
View ArticleCode execution through MIME-type association of Mono interpreter
A dangerous file type association in Debian which could be used to trigger arbitrary code execution.
View ArticleMIME-type spoofing in Firefox/Thunderbird and file managers
An interesting spoofing attack resulting from the interaction between Firefox (or Thunderbird) MIME types handling and file managers.
View ArticleArbitrary file write in Stellarium file association
I found an arbitrary file write vulnerability (through path traversal) which would be exploited for arbitrary code execution in Stellarium (desktop version).
View ArticleShell command and Emacs Lisp injection in emacsclient-mail.desktop
Shell command injection and Emacs Lisp injection vulnerabilities in one of the Emacs Desktop Entry (emacsclient-mail.desktop) leading to arbitrary code execution through a crafted mailto: URI.
View ArticleSimple terminal image display using the iTerm2 image protocol
A simple way to display image in a terminal using the iTerm2 image protocol. This is supported by iTerm2, WezTerm, recent versions of Konsole.
View ArticleAnalysing structured log files with simple tools
Some tools and other notes when you just want to analyze your structured log files locally using simple tools with a focus for newline-delimited JSON (NDJSON) / JSON lines / JSON Text Sequences.
View ArticleArbitrary code execution through kitty-open.desktop file association
In Debian kitty package, the kitty-open.desktop file would associate kitty +open with several MIME types. This could be used to arbitrary trigger code execution by serving a file with such a MIME...
View ArticleOpenSSH tunneling guide
The OpenSSH client has a lot of very powerful features for tunneling applications through a SSH connections and is one of my favorite tools for quick-and-dirty network plumbing tasks. It can be very...
View ArticleBypassing XSS filters
In this post, I am describing some payloads which I used to bypass two distinct XSS filter implementations (such as Web Application Firewalls (WAF)) as well as the approach to design them.
View ArticleTransformer-decoder language models
Some notes on how transformer-decoder language models work, taking GPT-2 as an example, and with lots references in order to dig deeper.
View ArticleExposing services in/out Podman containers
Some more tips for interacting with the namespaces of Podman containers.
View ArticleNeural Network Distillation
Overview of neural network distillation as done in “Distilling the Knowledge in a Neural Network” (Hinton et al, 2014).
View Article