Skip to navigation Skip to main content Skip to footer

Research Blog

Insights and research from our global cybersecurity team.

Filter content

Reset filters

SETTLERS OF NETLINK: Exploiting a limited UAF in nf_tables (CVE-2022-32250)

Introduction netlink and nf_tables Overview Sets Expressions Set Expressions Stateful Expressions Expressions of Interest nft_lookup nft_dynset nft_connlimit Vulnerability Discovery CVE-2022-32250 Analysis Set Creation Set Deactivation Initial Limited UAF Write Exploitation Building an Initial Plan Offsets We Can Write at Into the UAF Chunk Hunting for Replacement Objects What Pointer Do We Want to Arbitrary Free? […]


Analyzing a PJL directory traversal vulnerability – exploiting the Lexmark MC3224i printer (part 2)

This post describes a vulnerability found and exploited in October 2021 by Alex Plaskett, Cedric Halbronn, and Aaron Adams working at the Exploit Development Group (EDG) of NCC Group. We successfully exploited it at Pwn2Own 2021 competition in November 2021. Lexmark published a public patch and their advisory in January 2022 together with the ZDI advisory. The vulnerability is now known as CVE-2021-44737.


Exploiting the Sudo Baron Samedit vulnerability (CVE-2021-3156) on VMWare vCenter Server 7.0

NCC Group’s Exploit Development Group document exploiting the sudo vulnerability on VMWare vCenter Server


Exploit mitigations: keeping up with evolving and complex software/hardware

We have been filling the knowledge gap by tracking all the exploit mitigations in summary tables present in modern operating systems


Wubes: Leveraging the Windows 10 Sandbox for Arbitrary Processes

Wubes is like Qubes but for Microsoft Windows. The idea is to leverage the Windows Sandbox technology to spawn applications in isolation. We currently support spawning a Windows Sandbox for the Firefox browser, with other applications easily added.


A WarCon 2017 Presentation: Cisco ASA – Exploiting the IKEv1 Heap Overflow – CVE-2016-1287

Exodus Intel released a proof of concept (POC) in early 2016, demonstrating how to obtain remote code execution on Cisco Adaptive Security Appliance (ASA) firewalls exposed to the internet. The POC exploits a pre-authentication vulnerability in Internet Key Exchange (IKE) aka CVE-2016-1287 and is highly critical. The POC works on 32-bit ASA 9.2.4 and supports […]


An adventure in PoEKmon NeutriGo land

TL;DR A full technical note explaining the analysis of a Flash file part of the Neutrino Exploit kit has been uploaded to our Cyber Defence Github repository. This document details a methodology to analyse all components of the original Flash file. It details how we manually deobfuscate most of its components and refers to many […]


Exploiting CVE-2015-2426, and How I Ported it to a Recent Windows 8.1 64-bit

tl;dr This paper details how I ported the CVE-2015-2426 (a.k.a. MS15-078) vulnerability, as originally exploited by Eugene Ching of Qavar Security on the January 2015 version of Windows 8.1 64-bit to the more recent July 2015 version of Windows 8.1 64-bit, the last version of Windows still vulnerable to this issue before it got patched by […]