Skip to navigation Skip to main content Skip to footer

Research Blog

Insights and research from our global cybersecurity team.

Filter content

Reset filters

Puckungfu 2: Another NETGEAR WAN Command Injection

A story on finding a zero day attacking the NETGEAR WAN interface after a last minute patch for Pwn2Own 2022, involving a command injection, predicting random numbers, boot timing and voltage supply variations.


Puckungfu: A NETGEAR WAN Command Injection

Summary Vulnerability Details Overview Execution Flow /bin/pucfu /usr/lib/libfwcheck.so get_check_fw fw_check_api curl_post /lib/libpu_util.so SetFileValue pegaPopen Check Firmware HTTPS Normal Request Response Exploitation Command Injection Response Root Shell Final Notes Patch Pwn2Own Note Summary This blog post describes a command injection vulnerability found and exploited in November 2022 by NCC Group in the Netgear RAX30 router’s WAN […]


MeshyJSON: A TP-Link tdpServer JSON Stack Overflow

Summary Target Binary tdpServer Architecture Mitigations Forks Understanding The Vulnerability Reaching The Vulnerable Function Broadcast Fork Flow Server Fork Flow JSON Array Stack Overflow Triggering The Bug Broadcast Fork Response Server Fork Request Vulnerability Constraints Storing Arbitrary Content In Memory cJSON Summarized cJSON Struct cJSON Data cJSON Heap Memory Single cJSON cJSON structure and key/value […]


Detecting Mimikatz with Busylight

In 2015 Raphael Mudge released an article [1] that detailed that versions of mimikatz released after 8th of October, 2015 had a new module that was utilising certain types of external USB devices to flash lights in different colours if mimikatz was executed. The technique presented in the article required certain kind of busylights that […]


SETTLERS OF NETLINK: Exploiting a limited UAF in nf_tables (CVE-2022-32250)

Introduction netlink and nf_tables Overview Sets Expressions Set Expressions Stateful Expressions Expressions of Interest nft_lookup nft_dynset nft_connlimit Vulnerability Discovery CVE-2022-32250 Analysis Set Creation Set Deactivation Initial Limited UAF Write Exploitation Building an Initial Plan Offsets We Can Write at Into the UAF Chunk Hunting for Replacement Objects What Pointer Do We Want to Arbitrary Free? […]


Order Details Screens and PII

When ordering a product or service online, it’s fairly common to get a confirmation email from the provider, often with a link where you can view details of your order. This is all very helpful, but have you ever considered whether the link you can follow is secure, or if it might be vulnerable to […]


Rise of the Sensors: Securing LoRaWAN Networks

One of the current research priorities for NCC Group is smart cities. We perceive that in the future substantial investment will be made into deploying intelligent sensor systems into our cities: initially the focus being on passive applications, gathering and collecting data, but potentially in future leading to more active applications, integrating systems to automatically […]


Crave the Data: Statistics from 1,300 Phishing Campaigns

tl;dr 1,300 phishing campaigns were analysed involving over 360,000 users Targets in Charities to be over 3 times more likely to click than the Health Sector However once clicked half of all targets were likely to supply credentials regardless Best case 1/10 of targets will click a link Best case 1/20 of targets will supply […]


Properly Signed Certificates on CPE Devices

During late January 2020, a hot topic surfaced between security professionals on an issue that has historically had different proposed solutions. This blog post seeks to explore these solutions and identify pragmatic approaches to risk reduction on this specific issue concerning Customer Premises Equipment (CPE) security. Two security researchers (Tom Pohl and Nick Starke) analysed […]


Tool Release – Collaborator++

When testing for out-of-band vulnerabilities, Collaborator has been an invaluable tool since its initial release in 2015. By acting as a HTTP, DNS and SMTP server, Collaborator allows researchers to identify complex out-of-band interactions between target applications and external services aiding in the discovery of vulnerabilities such as server-side request forgery (SSRF), XML external entity […]