August 23, 2021

Zoom RCE from Pwn2Own 2021

On April 7 2021, Thijs Alkemade and Daan Keuper demonstrated a zero-click remote code execution exploit in the Zoom video client during Pwn2Own 2021. Now that related bugs have been fixed for all users (see ZDI-21-971 and ZSB-22003) we can safely detail the bugs we exploited and how we found them. In this blog post, we wanted to not only explain the bugs and our exploit, but provide a log of our entire process.

October 7, 2020

iOS VPN support: 3 different bugs

Recently, we spent some time looking at the support for IPsec VPNs in iOS. In particular, we where interested in whether a malicious VPN app could, in some way, attack the OS itself.

July 1, 2020

Sign in with Apple - authentication bypass

Last year Apple launched Sign in with Apple, which allows you to sigin in to services using your Apple ID. We identified a critical vulnerability in the service from Apple, which allowed an attacker to obtain authentication tokens which could be used to access a users iCloud account.

January 30, 2020

Jenkins - authentication bypass

During a short review of the Jenkins source code, we found a vulnerability that can be used to bypass the mutual authentication when using the JNLP3 remoting protocol. In particular, this allows anyone to impersonate a client and thereby gain access to the information and functionality that should only be available to that client.

November 25, 2019

DNS rebinding for HTTPS

DNS rebinding attacks are a common attack technique against local applications, in order to bypass the same origin policy. The use of HTTPS has always been considered to be an effective mitigation against this attack. In this post we describe a new technique that enables the DNS rebinding attack against a HTTPS target.

July 4, 2019

Spring Security - insufficient cryptographic randomness

The `SecureRandomFactoryBean` class in Spring Security by Pivotal has a vulnerability in certain versions that could lead to the generation of predictable random values when a custom seed is supplied. This vulnerability could lead to predictable keys or tokens in applications that depend on cryptographically-secure randomness. Applications that use this class may need to evaluate if any predictable tokens were generated that should be revoked.