quarkslab

@[email protected]
422 Followers
0 Following
118 Posts
Securing every bit of your data
websitehttps://quarkslab.com
locationParis, France
quarkslab3d ago

Do you know how Entra ID applications work?
What about the security mess they can bring and what they can quietly break?

New blog post on Entra ID application permissions, the audit nightmare they create, and QAZPT, the open-source tool we built to actually make sense of it.

https://blog.quarkslab.com/auditing-application-permissions-in-microsoft-entra-id-hidden-risks-pitfalls-and-quarkslabs-qazpt-tool.html

quarkslabApr 16

Obfuscation vs The Optimizer: A Battle in LLVM Middle End.

@yates82 shows us how the continuous improvement of the LLVM optimizer defeats naive code obfuscation, and how the obfuscator can fight back.

An eternal fight in which all victories are ephemeral

https://blog.quarkslab.com/obfuscation-vs-the-optimizer-an-llvm-middle-end-arms-race.html

quarkslabApr 14
๐Ÿค”Ever wondered how your favorite tools work under the hood? During our work on SightHouse, we dug into BSIM, Ghidra's Binary function SIMilarity engine.

Many tools have been built around it, yet its internals remained undocumented. Until now ๐Ÿ‘‡
https://blog.quarkslab.com/bsim-explained-once-and-for-all.html
quarkslabApr 9
๐Ÿš— We traced a carโ€™s life from China to Poland.
By analyzing a BYD Telematic Control Unit, Romain Marchand reconstructed its journey and identified a real-world event from GPS logs alone.
Embedded forensics + OSINT = real stories hidden in data.
๐Ÿ‘‰ https://blog.quarkslab.com/tearing-down-a-car-telematic-unit-and-finding-an-accident-on-facebook.html
quarkslabApr 7
After @coiffeur0x90 found 3 LPEs in Intego antivirus for macOS, @kaluche_ had to check the Windows version too.
Spoiler: it was vulnerable.
Here's the full write up of a symlink attack to achieve Local Privilege Escalation๐Ÿ‘‡
https://blog.quarkslab.com/milking-the-last-drop-of-intego-time-for-windows-to-get-its-lpe.html
quarkslabApr 3

Tired of reversing the same libc for the 100th time? ๐Ÿ‘€

Meet SightHouse, our open-source tool that automatically detects third-party library functions in binaries.
High-confidence function mapping. Works with any disassembler. By @madsquirrel & Sami.

๐Ÿ”— https://blog.quarkslab.com/sighthouse-automated-function-identification.html

quarkslabMar 31

The dragon has a VM. Of course it does.

Our latest blog walks through the analysis of a complex C++ binary hiding behind a virtual machine, themed as a classic RPG fight.
QBDI & TritonDSE are your weapons of choice. The dragon doesn't stand a chance. ๐Ÿ‰

๐Ÿ”— https://blog.quarkslab.com/qbdi-vs-tritondse-against-a-vm-who-will-be-the-fastest.html

quarkslabMar 26

Rule 1๏ธโƒฃ : "In WAF we (should not) trust"

Your WAF is doing its best. That's just not enough ๐Ÿ˜ฎโ€๐Ÿ’จ
A deep dive into Web Application Firewall bypass techniques, discovering why blocked โ›” doesn't always mean safe.

https://blog.quarkslab.com/in-waf-we-should-not-trust.html

quarkslabMar 20

"Intego X9: Never trust my updates"

Read @coiffeur0x90's research showing how XPC interprocess communications and the update mechanism of the Intego antivirus for MacOS can be abused for local privilege escalation.

https://blog.quarkslab.com/intego_lpe_macos_3.html

quarkslabMar 12

"How does it even work?"

The question that keeps hackers' hearts pumping, blood pressure rising, and curiosity growing.

This is @virtualabs's reverse engineering journey into a cheap smartwatch that measures at least one of those.

https://blog.quarkslab.com/nerd-life-weeks-firmware-teardown-we-were-right.html