The Research Blog

CAPTCHA-22: Breaking Text-Based CAPTCHAs with Machine Learning

A machine learning technique was developed to break text-based CAPTCHAs using an Attention-based OCR model. By manually labeling training data from a large dataset of CAPTCHA images, near-perfect accuracy was achieved in solving various CAPTCHA implementations. The study demonstrated how machine learning can effectively bypass traditional text-based CAPTCHA systems with minimal computational resources.

  • 11 Jan 2019

Attacking Kubernetes through Kubelet

A method of attacking Kubernetes clusters by exploiting the default kubelet configuration is detailed in this article. The vulnerability allows anonymous authentication to the kubelet API, enabling attackers to list pods, execute commands in containers, and potentially obtain service account tokens. These tokens can be used to access the kube-apiserver and gain deeper access to the Kubernetes cluster.

  • 21 Dec 2018

Twinkly Twinkly Little Star

Multiple security vulnerabilities were discovered in Twinkly IoT Christmas lights. The vulnerabilities include unencrypted local network communications, trivial authentication bypass, and potential remote control through MQTT and DNS rebinding attacks. These flaws could allow attackers to manipulate or control the lights remotely, potentially affecting thousands of connected devices.

  • 8 Nov 2018

Intro to Binary Analysis with Z3 and angr

A workshop presentation introduces binary analysis techniques using Z3 and angr for security professionals. The presentation covers SMT solvers and their applications in reverse engineering and vulnerability research. Sample code and labs are provided to help participants understand and apply SMT solving techniques.

  • 2 Nov 2018

HP NonStop Basics

HP NonStop is a fault-tolerant computing platform used in critical transaction systems since 1976. The system features a unique architecture with Guardian and Open System Services environments, and uses specialized security components like Safeguard for user management and access control. The platform employs a distinctive approach to user and file management, with unique identifiers, access control lists, and specific security configurations that differ significantly from standard Unix or Windows systems.

  • 31 Oct 2018

Undisable Restricted Admin

Restricted Admin mode is a Windows feature that prevents credential caching during RDP sessions by using network logons instead of interactive logons. The mode offers protection against lateral movement in network environments, though it introduces a minor pass-the-hash attack vector. Organizations can enable this control by modifying registry settings and group policy to enhance network security.

Apple Safari Pwn2Own 2018 Whitepaper

This whitepaper details two Safari vulnerabilities demonstrated at Desktop PWN2OWN 2018. The vulnerabilities (CVE-2018-4199 and CVE-2018-4196) allowed full compromise of macOS systems running Safari 11.0.3. The exploits could potentially breach user data on the affected systems.

Big Game Fuzzing Pwn2Own Safari T2

A presentation detailed vulnerability research targeting macOS Safari at Pwn2Own. The talk covered specialized fuzzing tools and exploit development techniques for browser security. Specific vulnerabilities were discussed, including a heap underflow in the browser and a sandbox breakout using uninitialized memory.

The Mate Escape - Huawei Pwn2Owning

A presentation at Hacktivity 2018 explored vulnerability discovery techniques targeting the Huawei Mate 9 Pro by focusing on logic bugs in Android platforms. The talk highlighted the expanding attack surface of logic vulnerabilities as memory corruption exploitation becomes increasingly challenging. Techniques for rapidly identifying potential remote compromise vulnerabilities across mobile handsets were discussed.

Debugging Released Xamarin Android Applications

A technical investigation revealed debugging techniques for released Xamarin Android applications. By manipulating system properties like 'debug.mono.runtime_args', method tracing can be performed on release builds. Code execution is possible through the Mono log profiler by creating a payload in the '.__override__' directory, allowing analysis of Xamarin applications without modifying the original APK.

  • 23 Aug 2018

DNS Rebinding Headless Browsers

A DNS rebinding attack technique targeting headless browsers running on AWS was demonstrated. The attack can exploit the AWS metadata endpoint by manipulating DNS and causing browsers to hang, potentially allowing exfiltration of sensitive AWS credentials. The method bypasses same-origin policy restrictions by dynamically changing domain IP addresses during browser interactions.

A Guide to Repacking iOS Applications

This technical guide details the process of repacking iOS applications for security research purposes. The methodology covers decrypting application binaries, patching with Frida, generating provisioning profiles, and resigning applications across different scenarios. Key techniques are demonstrated for repacking various types of iOS applications, including those with frameworks, app extensions, and WatchOS companion apps.