Backdoors and other vulnerabilities in HiSilicon based hardware video encoders


This article discloses critical vulnerabilities in IPTV/H.264/H.265 video encoders based on HiSilicon hi3520d hardware. The vulnerabilities exist in vendor application software running on these devices. All vulnerabilities are exploitable remotely and can lead to sensitive information exposure, denial of service, and remote code execution resulting in full takeover of the device. With multiple vendors affected, and no complete fixes at the time of publication, these encoders should only be used on fully trusted networks behind firewalls. I hope that my detailed write-up serves as a guide for more security research in the IoT world.

continue reading...

OSWE review

Ten days ago, I made my first attempt at the OSWE certification, and today I received the official confirmation:


I passed!!! Here is my review of the course and the exam.

continue reading...

How to install IPA on an iOS device

During a recent pentest, I needed to test an iOS app. Since the app was not in the App Store yet, it was given to me in the form of an .ipa file. I had to figure out a way to load it to my test iPhone. Apparently, there are several instructions on the Internet on how to do that, but I couldn’t find the one that worked for me out of the box, so here is my own…

continue reading...

Have my LastPass passwords been pwned?

“You’re one of 772,904,991 people pwned in the Collection #1 data breach”… Many of us received an email with this subject line from Troy Hunt’s Have I Been Pwned service about 3 weeks ago. By design, that service doesn’t tell you exactly which account(s) or password(s) of yours have been pwned; you’ll need to find that out yourself.

continue reading...

Deserialization: what, how and why [not]

Insecure deserialization was recently added to OWASP’s list of the top 10 most critical web application security risks, yet it is by no means a new vulnerability category. For years, data serialization and deserialization have been used in applications, services and frameworks, with many programming languages supporting them natively. Deserialization got more attention recently as a potential vehicle to conduct several types of attacks: data tampering, authentication bypass, privilege escalation, various injections and, ultimately, remote code execution. Two prominent vulnerabilities in Apache Commons and Apache Struts, both allowing remote code execution, also contributed to raising awareness of this risk.

There was a storm of talks and publications on the subject back in 2015-2016, but relatively few recently. While deserialization is a well-researched class of vulnerabilities, and there is a lot of information out there, many non-security folks still don’t understand it well enough, which leads to new vulnerabilities in the code. We need to continually educate on the subject. I presented on this topic three times this year: at OWASP Portland, at the Portland Java User Group, and at AppSec USA 2018.

continue reading...