The problem.... Recently, NVISO was tasked to do a penetration test on a web application that had very short authenticated sessions and that implemented anti CSRF tokens. This presented a unique challenge, as most of our automated tools and techniques had no reliable way of working as the base requests that were being used as [...]
Extracting Certificates From the Windows Registry
I helped a colleague with a forensic analysis by extracting certificates from the Windows registry. In this blog post, we explain how to do this. The Windows registry contains binary blobs, containing certificates. Like this one: Examples of locations where certificates can be found: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates Certificates, encoded in DER format, always start with value [...]
Intercepting traffic from Android Flutter applications
Update: The explanation below explains the step for ARMv7. For ARMv8 (64bit), see this blogpost. Flutter is Google's new open source mobile development framework that allows developers to write a single code base and build for Android, iOS, web and desktop. Flutter applications are written in Dart, a language created by Google more than 7 [...]
Solving Flaggy Bird (Google CTF 2019)
A few weekends ago we participated in the Google CTF. While we didn't make it to the top 10, we did manage to solve quite a few challenges. This is my writeup of FlaggyBird, the only mobile challenge that was available. The challenge The challenge was an .apk that did not require network connectivity. Installing [...]
Will they melt? Testing the resistance of flash memory chips
Firmware: the holy grail of most Internet of Things (IoT) security assessments! Sometimes, getting access to a device's firmware can be as easy as visiting the vendor's website. Other times, the only option is to dump it directly from the hardware, and this is where things get interesting. Some procedures used for dumping can expose [...]
Malicious SYLK Files with MS Excel 4.0 Macros
Since about a week, we are seeing an increase of SYLK files submitted to VirusTotal. A SYLK file (SYmbolic LinK) is a pure text file format used to store Excel spreadsheets with extension .slk. Although SYLK files can't contain VBA macros, they can still contain executable code, for example DDE commands or MS Excel 4.0 [...]
Optimizing Elasticsearch – Part 2: Index Lifecycle Management
In the previous blog post "Optimize Elasticsearch for log collection - Part 1: reduce the number of shards", we have seen one solution to recover a cluster suffering from the "too many shards syndrome" by merging indices that were too small. In this article, we'll see how we can rely on latest Elasticsearch feature to [...]
Solving a CTF challenge: Exploiting a Buffer Overflow (video)
Capture The Flag (CTF) competitions are an entertaining way to practice and/or improve your skills. NVISO staff regularly participates in CTF competitions, in particular when the competition focuses on IT security. We produced a video with step-by-step analysis of a CTF executable containing a buffer overflow. This executable is running on a server, and by [...]
Detecting and Analyzing Microsoft Office Online Video
A while ago, a new technique was developed to execute arbitrary code via a Word document: an online video is embedded and the HTML code for the embedded video is modified with JavaScript that launches a Windows executable. This technique does not rely on VBA macros and requires the use of the .docx format (for [...]
The Birds Fly away!
At first, it was just a simple team-building trip with less than ten participants. However, it became a tradition and year after year, more birds joined our nest and the trip grew bigger. After sharing stories and legends of previous years, both new joiners and veterans were waiting for the D-Day of this yearβs famous [...]
