Sector 7 is the security research division of Computest Security
Blog: https://sector7.computest.nl
Would you like to join our research team? We currently have an opening! https://www.computest.nl/en/careers-at-computest/vacancies/senior-vulnerability-researcher-hardware-hacker/
Vacancy senior vulnerability researcher

Become part of Sector 7, Computest's leading cybersecurity research lab. A place dedicated to making the world a safer place.

Today on our blog we have a guest post from René Ammerlaan about multiple vulnerabilities he found in Ruckus Unleashed. The most impressive part was how he chained some of them together to go from access to the guest WiFi network to RCE on the controller itself!

https://sector7.computest.nl/post/2025-07-ruckus-unleashed/

#cve #ruckus

Ruckus Unleashed: Multiple vulnerabilities exploited

This blog post describes multiple vulnerabilities found in the firmware of Ruckus Unleashed and ZoneDirector. The vulnerabilities were found and reported to CommScope by René Ammerlaan, a guest writer for this blog post. I will take you through all the vulnerabilities and demonstrate how they can be exploited by an attacker.

Sector 7
Confirmed! In the penultimate attempt of Day 2, @daankeuper, @xnyhps, and @notkmhn from @sector7_nl combined 4 bugs, including a command injection and a path traversal to go from the QNAP QHora-322 to the TrueNAS Mini X. They earn $25,000 and 10 Master of Pwn points. #Pwn2Own
Boom! Daan Keuper (@daankeuper), Thijs Alkemade (@xnyhps), and Khaled Nassar (@notkmhn) from Computest Sector 7 (@sector7_nl) took no time in executing their SOHO smashup - going from the QNAP QHora-322 to the TrueNAS Mini X. They're off to the disclosure room. #Pwn2Own

We have published the third and final writeup of our #Pwn2Own EV charger exploits: the Autel MaxiCharger!

Unlike the other two, this one had authentication on the Bluetooth functionality!

…but that had a “backdoor”. 😅

https://sector7.computest.nl/post/2024-08-pwn2own-automotive-autel-maxicharger/

Pwn2Own Automotive 2024: Hacking the Autel MaxiCharger

During Pwn2Own Automotive 2024 in Tokyo, we demonstrated exploits against three different EV chargers: the Autel MaxiCharger (MAXI US AC W12-L-4G), the ChargePoint Home Flex and the JuiceBox 40 Smart EV Charging Station with WiFi. This is our writeup of the research we performed on the Autel MaxiCharger, the bugs we found (CVE-2024-23958, CVE-2024-23959 and CVE-2024-23967) and the exploits we developed. During the competition, we were able to execute arbitrary code on this charger with no other prerequisites than being in range of Bluetooth.

We have published the 2nd writeup about the EV vulnerabilities we exploited for #Pwn2Own Automotive: the JuiceBox 40.

Despite what the @thezdi advisories say, these bugs were NOT fixed by the vendor! SiLabs has declared the product EOL and won't fix it.

https://sector7.computest.nl/post/2024-08-pwn2own-automotive-juicebox-40/

Pwn2Own Automotive 2024: Hacking the JuiceBox 40

During Pwn2Own Automotive 2024 in Tokyo, we demonstrated exploits against three different EV chargers: the Autel MaxiCharger (MAXI US AC W12-L-4G), the ChargePoint Home Flex and the JuiceBox 40 Smart EV Charging Station with WiFi. This is our writeup of the research that we performed on the JuiceBox 40 Smart EV Charging Station. We discovered one vulnerability which has, since the event, been assigned CVE-2024-23938. During the competition, we were able to exploit CVE-2024-23938 to execute arbitrary code on the charger while requiring only network access for practical reasons at the event.

Having given our talk on hacking EV-chargers at #BHUSA yesterday, we have just published the first writeup with the vulnerabilities we found in the ChargePoint Home Flex. Including how we accidentally hacked their entire cloud infrastructure. 😄

https://sector7.computest.nl/post/2024-08-pwn2own-automotive-chargepoint-home-flex/

Pwn2Own Automotive 2024: Hacking the ChargePoint Home Flex (and their cloud...)

During Pwn2Own Automotive 2024 in Tokyo, we demonstrated exploits against three different EV chargers: the Autel MaxiCharger (MAXI US AC W12-L-4G), the ChargePoint Home Flex and the JuiceBox 40 Smart EV Charging Station with WiFi. This is our writeup of the research we performed on the ChargePoint Home Flex, the bugs we found and the exploits we developed (CVE-2024-23920, CVE-2024-23921, CVE-2024-23970 and CVE-2024-23971). During the competition, we were able to execute arbitrary code on this charger with no other prerequisites than being in range of Bluetooth.

We assisted Team High Tech Crime from the Dutch police by writing a decryptor for the #DoNex ransomware. Its encryption method had a flaw that makes it possible to recover all files without knowing the key. Our decryptor has now been published on No More Ransom.

https://sector7.computest.nl/post/2024-04-donex-darkrace-ransomware/

DoNex/DarkRace Ransomware Decryptor

Computest Sector 7 was asked by Team High-Tech Crime of the Dutch Police to help with writing a decryptor for the DoNex/DarkRace ransomware. DoNex is a relatively new ransomware group, which probably explains why its encryptor contains a simple-to-abuse mistake. It appears to be the same group that was working under the name DarkRace last year, as the DoNex encryptor we investigated is essentially the same as a DarkRace encryptor we looked at.

We've published our writeup of CVE-2024-20693, a vulnerability in Windows that allowed spoofing the code signature of binaries by placing them on an SMB share. This research originally was about something different, but we ran into a signature check...

https://sector7.computest.nl/post/2024-06-cve-2024-20693-windows-cached-code-signature-manipulation/

CVE-2024-20693: Windows cached code signature manipulation

In the Patch Tuesday update of April 2024, Microsoft released a fix for CVE-2024-20693, a vulnerability we reported. This vulnerability allowed manipulating the cached signature signing level of an executable or DLL. In this post, we’ll describe how we found this issue and what the impact could be on Windows 11.

Background

Last year, we started a project to improve our knowledge of Windows internals, specifically about local vulnerabilities such as privilege escalation.

We are very happy to announce that our session "Low Energy to High Energy: Hacking Nearby EV-Chargers Over Bluetooth" got accepted for Black Hat USA #BHUSA! We're going to talk about our research into EV chargers for #Pwn2Own Automotive.

https://www.blackhat.com/us-24/briefings/schedule/#low-energy-to-high-energy-hacking-nearby-ev-chargers-over-bluetooth-39732

Black Hat
