Tech Blog: IT Security Know-how at the Pulse of the Times

Hacking a Secure Industrial Remote Access Gateway

In this blog post, we describe the security analysis and the found vulnerabilities in the industrial remote access solution Ewon Cosy+.


Firmware Security: Alcatel-Lucent ALE-DeskPhone

This blog post is about an analysis of firmware security in a VoIP desk phone. The analysis ties in with our previous research and the demonstrated exploitation of zero touch deployments (see Zero Touch Pwn). Introduction: As we described in the blog post Zero Touch Pwn and demonstrated at Black Hat USA 2023, inadequate firmware security of Voice-over-IP (VoIP) devices can lead to a major secur...


Introducing M.A.T

In today’s increasingly interconnected data landscape, access to external data sources is crucial for the business processes of many companies. Microsoft SQL Server, in addition to local instances, also offers a powerful feature called “Linked Servers”, which allows seamless access to data sources outside your local SQL Server instance.


Introducing AzurEnum

As time goes on, organizations keep moving more and more IT assets into the cloud. More importantly, the Azure cloud plays a paramount role in the IT structure of most companies due to its integration capabilities with on-prem environments, leading to hybrid Active Directory landscapes.


Zero Touch Pwn: Abusing Zoom's Zero Touch Provisioning for Remote Attacks on Desk Phones

In this blog post, we describe several vulnerabilities that were discovered during a security analysis of AudioCodes desk phones and Zoom’s Zero Touch Provisioning. We also discuss and demonstrate the potential attack scenarios that could arise from these vulnerabilities. UPDATE (2023-08-18): The vendor informed us on August 17th, 2023, that the critical vulnerabilities described in t...


NetSupport RAT distributed via fake invoices

NetSupport Manager is a legitimate remote control software that is developed by a UK-based company. However, as uncovered in this analysis, the software is used in a currently active phishing campaign against German-speaking users.


The Blind Spots of BloodHound

Let’s get one thing straight: This article is not at all a dig on BloodHound.


Abusing Microsoft Teams Direct Routing

In this blog post, we describe a practical problem and security issue that arises when integrating phone systems with Microsoft Teams Direct Routing.


Tampering with Thunderbird attachments under Windows

In this blog post, a few techniques for tampering with Thunderbird attachments are shown which simplify social engineering (SE) attacks from an attacker's perspective. Introduction: Thunderbird under Microsoft Windows in version 102.02.0 and below shows some unexpected behaviour which might be abused for social engineering or phishing attacks. Tests were performed with: Prod...


Hacking Some More Secure USB Flash Drives (Part II)

In the second article of this series, SySS IT security expert Matthias Deeg presents security vulnerabilities found in another crypto USB flash drive with AES hardware encryption.


Rooting Mitel Desk Phones Through the Backdoor (CVE-2022-29854, CVE-2022-29855)

Abstract: During a security analysis of an enterprise communication infrastructure, IT security expert Moritz Abrell identified an “undocumented functionality” (backdoor) in the firmware of Mitel 6800/6900 desk phones, which allows an attacker with physical access to gain root privileges on the phone.


Hacking Some More Secure USB Flash Drives (Part I)

During a research project at the beginning of 2022, SySS IT security expert Matthias Deeg found several security vulnerabilities in different tested USB flash drives with AES hardware encryption.


Yet Another Local Privilege Escalation Attack via Razer Synapse Installer (CVE-2021-44226)

During a research project in fall 2021, SySS IT security expert Dr. Oliver Schwarz found a security vulnerability in the Razer Synapse installer for Windows which can be exploited in a local privilege escalation attack.


Abusing the MS Office protocol scheme

During a research project, SySS IT security consultant Matthias Zöllner found out that in a standard installation of Windows, Office files can be opened directly via certain URLs. This article shows how this works.


Extracting Secrets from LSA by Use of PowerShell

During a research project, SySS IT security consultant Sebastian Hölzle worked on the problem of parsing Local Security Authority (LSA) process memory dumps using PowerShell; here are his results.


Attacking Oracle Native Network Encryption (CVE-2021-2351)

During a research project, SySS IT security expert Moritz Bechler found several security issues concerning the proprietary security protocol Oracle Native Network Encryption.


Hacking your Softphone with a malicious Call

Abstract: Softphones are becoming increasingly popular and offer an alternative to desk phones, not least due to the increasing use of the mobile office. Based on this fact, SySS IT security expert Moritz Abrell analyzed the security of two Session Initiation Protocol (SIP) softphones. During this analysis, three vulnerabilities were discovered which allow an unauthenticated remote attacker cr...


Multiple vulnerabilities in MIK.starlight Server (SYSS-2021-035, SYSS-2021-036, SYSS-2021-037, SYSS-2021-038, SYSS-2021-039)

During a penetration test project, SySS IT security consultant Nicola Staller identified multiple issues in the MIK.starlight Server.


Introducing hallucinate: One-stop TLS traffic inspection and manipulation using dynamic instrumentation

Understanding an application’s network communication is commonly one of the major tasks when performing grey-box or black-box application security analyses. To make this process as efficient and convenient as possible, we developed hallucinate, a dynamic binary instrumentation tool to inspect and manipulate application TLS traffic in clear-text form. SySS just released hallucinate as an open sourc...


Attacking Anti-Phishing Banners in E-Mails

Abstract: [Figure: Anti-phishing warning in an HTML e-mail] Phishing mails pose a risk to e-mail users nearly every day. Especially in the context of companies and organizations, phishing e-mails represent a risk because internal networks can be accessed by phishing for access credentials and by sending malware.


On the Security of RFID-based TOTP Hardware Tokens

Introduction: Time-based one-time passwords (TOTP) have been around for several years now and have become more and more widespread as an authentication factor in multi-factor authentication (MFA) methods. Protecting user accounts via two-factor authentication (2FA) using a static password and a TOTP is considered a good idea from a security standpoint and a best practice that can prevent different kinds...


To the Future and Back: Hacking a TOTP Hardware Token (SYSS-2021-007)

During a research project, SySS IT security expert Matthias Deeg found a security issue in the RFID-based TOTP hardware token Protectimus SLIM NFC.


Your direct contact to SySS: +49 (0)7071 - 40 78 56-0 or anfrage@syss.de | IN URGENT CASES OUTSIDE BUSINESS HOURS: +49 (0)7071 - 40 78 56-99

As a framework agreement customer, please dial the on-call number provided to you.
