Compass Security Blog

Offensive Defense

A Patchdiffing Journey – TP-Link Omada

Last year we participated in the Pwn2Own 2023 Toronto competition and successfully exploited the Synology BC500 camera. The DEVCORE Internship Program team managed to exploit a bug in the TP-Link Omada Gigabit VPN Router. So I was naturally curious and wanted to figure out how difficult it would be to recreate that exploit having access only to a high-level bug description and the firmware.

Continue reading

Blockchain / Smart Contract Bugs

To identify and understand threats and weaknesses of smart contracts, it is important to be at least familiar with common smart contract bugs and vulnerabilities, how they can be leveraged by a malicious attacker, and how these issues can be mitigated.

This blog article aims to raise awareness about common smart contract vulnerabilities and their corresponding mitigation strategies.

Continue reading

Pwn2Own Toronto 2023: Part 5 – The Exploit

In this final part of this series, we are finally going to explain how the stack-based buffer overflow vulnerability can be exploited to gain unauthenticated remote code execution (RCE) on the Synology BC500 camera.

Continue reading

Pwn2Own Toronto 2023: Part 4 – Memory Corruption Analysis

In this fourth part of the series, we analyze the memory corruption identified previously and manage to overwrite the program pointer!

Continue reading

Pwn2Own Toronto 2023: Part 3 – Exploration

In this third part of the series, we focus on the exposed web services running on TCP ports 80 and 443.

Since a valid exploit chain must achieve code execution without prior authentication, we focus on the available functionality that can be accessed without authentication.

Continue reading

Pwn2Own Toronto 2023: Part 2 – Exploring the Attack Surface

In this second blog post of the series, we start with the reconnaissance phase on the camera, a crucial step in understanding our target.

The aim here is to gather information about the target and identify potential vulnerabilities.

Continue reading

Pwn2Own Toronto 2023: Part 1 – How it all started

Around a year ago a few Compass analysts watched a talk at the Insomni’Hack conference about the Pwn2Own contest.

This is when they decided to take part! In this blog post, they talk about how they picked their target, got the firmware from the camera, and got into the shell.

Continue reading

Luring the Threat: Lessons from ICS Honeypots in Ukraine and Germany

In today’s interconnected world, it is a well-known fact that systems with Internet exposure are under continual threat of cyber-attacks. This risk extends from private websites to corporate infrastructure. With the increasing modernization of Industrial Control Systems (ICS), these vital components also become more exposed to such threats. But what is the extent and nature […]

Continue reading

Device Code Phishing – Add Your Own Sign-In Methods on Entra ID

TL;DR An attacker is able to register new security keys (FIDO) or other authentication methods (TOTP, Email, Phone etc.) after a successful device code phishing attack. This allows an attacker to backdoor the account (FIDO) or perform the self-service password reset for the account with the newly registered sign-in methods. Microsoft deemed this not a vulnerability.

Continue reading

Relaying to AD Certificate Services over RPC

In June last year, the good folks at SpecterOps dropped awesome research on Active Directory Certificate Services (AD CS) misconfigurations. Since then, we find and report these critical vulnerabilities at our customers regularly. One of these new attack path is relaying NTLM authentication to unprotected HTTP endpoints. This allows an attacker to get a valid […]

Continue reading

« Older posts