Some Notes from the Lab – BlackNurse in the IPv6 Era

Dear readers,

Since BlackNurse was released on 10th of November, we asked ourselves whether this problem also applies to ICMPv6 traffic. To answer this question, Christian Tanck (one of our students) built a lab with several firewall appliances. Kudos to him for testing and the following blog post.

Continue reading “Some Notes from the Lab – BlackNurse in the IPv6 Era”


Research Diary: IP-Cameras Part 2

Hi everybody,
This is the second entry in our research diary on IP cameras. If you haven’t done so yet, you should read the first entry in advance. This time we focused more on analysis and exploitation.

Another entry vector

After running a vulnerability scan on both devices, it was revealed that the M1033 has multiple buffer overflow vulnerabilities (CVE-2012-5958 to CVE-2012-5965), which are readily exploitable via Metasploit. This gave us another shell (in addition to the root shell mentioned in the last post), though this time it was not a root shell. By using the find command, we searched for executables having the setuid or setgid bit set. We hoped to use one of those to escalate privileges. To do so yourself, add the parameter -perm -4000 to find, and it will search for files having the setuid bit set. If you try that on your own Unix-like device, it should yield, for example, /bin/passwd, which is perfectly reasonable, as you’re able to change your password without being root.

Continue reading “Research Diary: IP-Cameras Part 2”


Defending Democracy

I recently had the pleasure of attending two events organized by the Digital Society Institute: one was a workshop on software vulnerabilities and the other was their annual conference. For both events I delivered input on the security of security products and their evaluation (slides can be found here). The DSI did a great job of assembling people from various areas (e.g. industry, academia, politics, and research), so there was a lot of input which is not covered by conferences I usually attend. The workshop I attended also resulted in a short policy recommendation when it comes to the security of security products, which can be found here.


Thanks & so long,



CCS’16 – Day 2 – 25th October 2016

Hello again.

Andrei Costin (at project) is here, and this is the second post from a series of guest postings courtesy of ERNW (thanks Niki and Enno!).

A few days ago, the first CCS’16 summarization post went online:

It summarized five presentations of the 6th Annual Workshop on Security and Privacy in Smartphones (SPSM’16). In short, it contained presentations on: over-the-top and phone number abuse, smartphone fingerprinting, apps privacy increase and protection/security, and apps privacy ranking.

Continue reading “CCS’16 – Day 2 – 25th October 2016”


Research Diary: IP-Cameras

As you probably know, we perform research on a regular basis at ERNW. This post is the first entry in our – Benjamin’s and Pascal’s – research diary. You might already have seen Oliver’s post on setting up a research environment or Brian’s posts on IoT botnets (here and here). With that in mind we want to take a look at one of the market leaders for network camera equipment: AXIS.

Continue reading “Research Diary: IP-Cameras”


Research Diary: Bluetooth

As you probably know, we perform research on a regular basis at ERNW.

We – Olga and Rafael – started with a research project about Bluetooth. Our first goal was to gain some knowledge about the tools used by most Linux systems to communicate with Bluetooth hardware, such as BlueZ. A good help for that was the amazing Bluetooth hacking workshop we had before (check the link in our blog!)

Continue reading “Research Diary: Bluetooth”


Considerations on DMZ Design in 2016, Part 3: Some Notes on Firewall Rule Management

This is the 3rd part of this loose series on considerations of (operating) DMZs in 2016 (part 1 on the role of a DMZ can be found here, part 2 on reverse proxies here).
Again, I dare to deviate a bit from the plan & order I initially had in mind – today I will cover one process whose maturity may significantly influence the overall security posture of a DMZ environment: firewall rule management.

Continue reading “Considerations on DMZ Design in 2016, Part 3: Some Notes on Firewall Rule Management”


IoT the S is for Secure – Unknown Administration Interface in Wireless Plug

Dear Readers,

Just recently I bought a wireless plug on Amazon with the main use of controlling my coffee machine with an app. The installation of the wireless plug was quite easy and only required me to set my Wifi SSID and my passphrase – that’s it. But what happened behind the scenes? I visited the control interface of my router and saw that along with the other devices there was a new one with the network name HF-LPB100 and a local IP address in my case. First of all I wondered about the name itself, but ignored that and kept on looking for open ports.

Continue reading “IoT the S is for Secure – Unknown Administration Interface in Wireless Plug”


BlackHoodie 2016

This year’s BlackHoodie workshop rolled out with 28 amazing women from all parts of the world. It was a very vibrant group with students, professionals, engineers, researchers, physicists and what not. This is the second year that Marion Marschalek is running this reverse engineering workshop exclusively for women. There were a variety of topics that were covered. This includes anti emulation tricks, anti debuggers, packers, obfuscation, encryption/decryption functions, and a lot of fun with IDA.

Continue reading “BlackHoodie 2016”
