Enumerating System Management Interrupts
System Management Interrupts (SMI) provide a mechanism for entering System Management Mode (SMM) which primarily implements platform-specific functions related to power management. SMM is a privileged execution mode with access to the complete physical memory of the system, and to which the operating system has no visibility. This makes the code running in SMM an […]
Cross-Execute Your Linux Binaries, Don’t Cross-Compile Them
Lolbins? Where we’re going, we don’t need lolbins. At NCC Group, as a consultant in our hardware and embedded systems practice1, I often get to play with various devices, which is always fun, but getting your own software to run on them can be a bit of a pain.This article documents a few realisations and […]
Ghidra nanoMIPS ISA module
Introduction In late 2023 and early 2024, the NCC Group Hardware and Embedded Systems practice undertook an engagement to reverse engineer baseband firmware on several smartphones. This included MediaTek 5G baseband firmware based on the nanoMIPS architecture. While we were aware of some nanoMIPS modules for Ghidra having been developed in private, there was no […]
Puckungfu 2: Another NETGEAR WAN Command Injection
A story on finding a zero day attacking the NETGEAR WAN interface after a last minute patch for Pwn2Own 2022, involving a command injection, predicting random numbers, boot timing and voltage supply variations.
Technical Advisory: Sonos Era 100 Secure Boot Bypass Through Unchecked setenv() call
Vendor: Sonos Vendor URL: https://www.sonos.com/ Versions affected: * Confirmed 73.0-42060 Systems Affected: Sonos Era 100 Author: Ilya Zhuravlev Advisory URL: Not provided by Sonos. Sonos state an update was released on 2023-11-15 which remediated the issue. CVE Identifier: N/A Risk: High Summary Sonos Era 100 is a smart speaker released in 2023. A vulnerability exists […]
Shooting Yourself in the .flags – Jailbreaking the Sonos Era 100
Research performed by Ilya Zhuravlev supporting the Exploit Development Group (EDG). The Era 100 is Sonos’s flagship device, released on March 28th 2023 and is a notable step up from the Sonos One. It was also one of the target devices for Pwn2Own Toronto 2023. NCC found multiple security weaknesses within the bootloader of the […]
Public Report – Caliptra Security Assessment
During August and September of 2023, Microsoft engaged NCC Group to conduct a security assessment of Caliptra v0.9. Caliptra is an open-source silicon IP block for datacenter-focused server-class ASICs. It serves as the internal root-of-trust for both measurement and identity of a system-on-chip. The main use cases for Caliptra are to assure integrity of mutable […]
HITB Phuket 2023 – Exploiting the Lexmark PostScript Stack
Aaron Adams presented this talk at HITB Phuket on the 24th August 2023. The talk detailed how NCC Exploit Development Group (EDG) in Pwn2Own 2022 Toronto was able to exploit two different PostScript vulnerabilities in Lexmark printers. The presentation is a good primer for those interested in further researching the Lexmark PostScript stack, and also […]
LeaPFRogging PFR Implementations
Back in October of 2022, this announcement by AMI caught my eye. AMI has contributed a product named “Tektagon Open Edition” to the Open Compute Project (OCP). Tektagon OpenEdition is an open-source Platform Root of Trust (PRoT) solution with foundational firmware security features that detect platform firmware corruption, recover the firmware and protect firmware integrity. […]
SysPWN – VR for Pwn2Own
Alex Plaskett (@alexjplaskett) presented a talk on the 10th of August 2023 at @SysPWN covering vulnerability research for Pwn2Own. The first section of the talk covered a high-level perspective of the event, personal history, and teams. It then discussed some considerations needing to be made when deciding on target, experiences, and learnings from the competition. […]