{"version": "https://jsonfeed.org/version/1", "title": "/dev/posts/ - Archive for 2021", "home_page_url": "https://www.gabriel.urdhr.fr", "feed_url": "/2021/feed.json", "items": [
{"id": "http://www.gabriel.urdhr.fr/2021/11/30/tls1.2-intro/", "title": "Introduction to TLS v1.2", "url": "https://www.gabriel.urdhr.fr/2021/11/30/tls1.2-intro/", "date_published": "2021-11-30T00:00:00+01:00", "date_modified": "2024-11-23T01:15:07+01:00", "tags": ["computer", "web", "network", "tls", "cryptography", "protocol"], "content_html": "<p>Some notes\nabout how <a href=\"https://datatracker.ietf.org/doc/html/rfc5246\">TLS v1.2</a>\n(Transport Layer Security) works.\nThe goal is to explain what is going on in a network traffic dump,\nthe role of the different TLS extensions,\nthe impact of the different cipher suites on security, etc.\nIt includes several diagrams and many references.</p>\n"},
{"id": "http://www.gabriel.urdhr.fr/2021/10/19/diffie-hellman-intro/", "title": "Introduction to the Diffie-Hellman key exchange", "url": "https://www.gabriel.urdhr.fr/2021/10/19/diffie-hellman-intro/", "date_published": "2021-10-19T00:00:00+02:00", "date_modified": "2021-10-19T00:00:00+02:00", "tags": ["computer", "network", "cryptography", "tls", "diffie-hellman"], "content_html": "<p>The Diffie-Hellman (DH) key exchange (and variants thereof) is widely used\nin many protocols\n(such as TLS, SSH, IKE (IPsec), Signal, etc.)\nto bootstrap some symmetric key material\nwhich may then be used to secure a communication channel between two parties.\nThis introduction\nfocuses on the different ways the DH key exchange\nis used in practice\nin several protocols (especially TLS)\nand the impact of these different approaches on security.\nThis is intended as a prelude for the upcoming <a href=\"https://www.gabriel.urdhr.fr/2021/11/30/tls1.2-intro/\">next episodes</a>\nabout how TLS works.</p>\n"},
{"id": "http://www.gabriel.urdhr.fr/2021/09/22/whats-in-my-covid-cert/", "title": "What is in my COVID-19 vaccination certificate?", "url": "https://www.gabriel.urdhr.fr/2021/09/22/whats-in-my-covid-cert/", "date_published": "2021-09-22T00:00:00+02:00", "date_modified": "2021-09-22T00:00:00+02:00", "tags": ["computer", "covid-19", "cbor", "cwt", "cose", "hcert", "privacy"], "content_html": "<p>Manually inspecting the content of a French COVID-19 vaccination certificate QR code.\nThe main intent is to show, with a concrete example,\nwhich data is actually included in the certificate.</p>\n"},
{"id": "http://www.gabriel.urdhr.fr/2021/08/16/chromedriver-cross-origin-request-forgery-rce/", "title": "Cross-origin/same-site request forgery to RCE in chromedriver", "url": "https://www.gabriel.urdhr.fr/2021/08/16/chromedriver-cross-origin-request-forgery-rce/", "date_published": "2021-08-16T23:22:56+02:00", "date_modified": "2022-02-13T23:19:32+01:00", "tags": ["computer", "security", "web", "vulnerability", "webdriver", "csrf"], "content_html": "<p>I found a cross-origin/same-site request forgery vulnerability\nin chromedriver.\nIt was <a href=\"https://bugs.chromium.org/p/chromium/issues/detail?id=1100097\">rejected</a> (won't fix) because it can only\nbe triggered from a cross-origin but same-site context, not from a cross-site one.\nIn practice, it means it can really only be triggered from another\nlocalhost-bound web application.</p>\n"},
{"id": "http://www.gabriel.urdhr.fr/2021/08/16/geckodriver-csrf-rce/", "title": "CSRF to RCE in GeckoDriver", "url": "https://www.gabriel.urdhr.fr/2021/08/16/geckodriver-csrf-rce/", "date_published": "2021-08-16T23:00:48+02:00", "date_modified": "2021-08-16T23:00:48+02:00", "tags": ["computer", "security", "web", "vulnerability", "webdriver", "firefox", "csrf"], "content_html": "<p>A Cross-Site Request Forgery (CSRF) vulnerability I found in\nGeckoDriver, which could be used to execute arbitrary shell commands.\n<a href=\"https://nvd.nist.gov/vuln/detail/CVE-2020-15660\">CVE-2020-15660</a>\nhas been assigned to this vulnerability.\nThis was fixed by <a href=\"https://github.com/mozilla/geckodriver/releases/tag/v0.27.0\">GeckoDriver v0.27.0</a>\non 2020-07-27.\nThis is <a href=\"https://bugzilla.mozilla.org/show_bug.cgi?id=1648964\">bug #1648964</a>.</p>\n"},
{"id": "http://www.gabriel.urdhr.fr/2021/06/24/gupnp-dns-rebinding/", "title": "DNS rebinding vulnerability in GUPnP", "url": "https://www.gabriel.urdhr.fr/2021/06/24/gupnp-dns-rebinding/", "date_published": "2021-06-24T00:00:00+02:00", "date_modified": "2021-07-05T18:50:55+02:00", "tags": ["computer", "security", "upnp", "dns-rebinding", "vulnerability"], "content_html": "<p>GUPnP, a GNOME library for Universal Plug and Play (UPnP),\nwas vulnerable to <a href=\"https://www.gabriel.urdhr.fr/2021/06/02/dns-rebinding-explained/\">DNS rebinding</a> attacks.\nThis is <a href=\"https://nvd.nist.gov/vuln/detail/CVE-2021-33516\">CVE-2021-33516</a>\nand <a href=\"https://gitlab.gnome.org/GNOME/gupnp/-/issues/24\">GUPnP issue #24</a>.\nThis <a href=\"https://discourse.gnome.org/t/security-relevant-releases-for-gupnp-issue-cve-2021-33516/6536/3\">was fixed</a>\nin GUPnP 1.0.7 and GUPnP 1.2.5.</p>\n"},
{"id": "http://www.gabriel.urdhr.fr/2021/06/12/pupnp-dns-rebinding/", "title": "DNS rebinding vulnerability in pupnp and npupnp", "url": "https://www.gabriel.urdhr.fr/2021/06/12/pupnp-dns-rebinding/", "date_published": "2021-06-12T00:00:00+02:00", "date_modified": "2021-06-12T00:00:00+02:00", "tags": ["computer", "security", "upnp", "dns-rebinding", "vulnerability"], "content_html": "<p>I found that <a href=\"https://github.com/pupnp/pupnp\">pupnp</a> was vulnerable to DNS rebinding attacks.\n<a href=\"https://framagit.org/medoc92/npupnp\">npupnp</a>, a fork of pupnp, was impacted as well.\nThis is demonstrated using Gerbera, a UPnP MediaServer.</p>\n"},
{"id": "http://www.gabriel.urdhr.fr/2021/06/02/dns-rebinding-explained/", "title": "DNS rebinding explained", "url": "https://www.gabriel.urdhr.fr/2021/06/02/dns-rebinding-explained/", "date_published": "2021-06-02T00:00:00+02:00", "date_modified": "2021-06-02T00:00:00+02:00", "tags": ["computer", "security", "dns-rebinding", "dns"], "content_html": "<p>A quick summary of how DNS rebinding attacks work.\nThe main motivation for this post is to have\na diagram to show when explaining DNS rebinding attacks.</p>\n"},
{"id": "http://www.gabriel.urdhr.fr/2021/05/08/tuntap/", "title": "TUN/TAP interface (on Linux)", "url": "https://www.gabriel.urdhr.fr/2021/05/08/tuntap/", "date_published": "2021-05-08T00:00:00+02:00", "date_modified": "2021-05-08T00:00:00+02:00", "tags": ["computer", "system", "network", "tun", "tap", "linux", "vpn"], "content_html": "<p>Some notes about using the TUN/TAP interface, especially on Linux.</p>\n"},
{"id": "http://www.gabriel.urdhr.fr/2021/04/05/firefox-doh-dns-rebinding-protection-bypass/", "title": "Firefox DoH DNS rebinding protection bypass using IPv4-mapped addresses", "url": "https://www.gabriel.urdhr.fr/2021/04/05/firefox-doh-dns-rebinding-protection-bypass/", "date_published": "2021-04-05T00:00:00+02:00", "date_modified": "2021-04-05T00:00:00+02:00", "tags": ["computer", "security", "vulnerability", "web", "dns-rebinding", "firefox"], "content_html": "<p>I found that\nthe filtering of private IPv4 addresses\nin the <a href=\"https://tools.ietf.org/html/rfc8484\">DNS-over-HTTPS</a> (DoH) implementation of Firefox could be bypassed.\nThis is <a href=\"https://nvd.nist.gov/vuln/detail/CVE-2020-26961\">CVE-2020-26961</a>\nand <a href=\"https://bugzilla.mozilla.org/show_bug.cgi?id=1672528\">Mozilla bug 1672528</a>.\nIt has been fixed in <a href=\"https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/\">Firefox 83</a>,\n<a href=\"https://www.mozilla.org/en-US/security/advisories/mfsa2020-51/\">Firefox ESR 78.5</a>\nand <a href=\"https://www.mozilla.org/en-US/security/advisories/mfsa2020-52/\">Thunderbird 78.5</a>.</p>\n"},
{"id": "http://www.gabriel.urdhr.fr/2021/03/22/introduction-to-upnp/", "title": "Introduction to UPnP", "url": "https://www.gabriel.urdhr.fr/2021/03/22/introduction-to-upnp/", "date_published": "2021-03-22T23:24:42+01:00", "date_modified": "2021-03-22T23:24:42+01:00", "tags": ["computer", "network", "upnp", "security", "csrf", "dns-rebinding"], "content_html": "<p>This post gives simple explanations of how UPnP (Universal Plug-and-Play) works,\nespecially with the goal of testing the security of devices\nsuch as <a href=\"https://www.gabriel.urdhr.fr/2020/09/23/dns-rebinding-freebox/\">routers</a>,\n<a href=\"https://www.gabriel.urdhr.fr/samsung-tv-upnp-dns-rebinding/\">smart TVs</a>, etc.</p>\n"},
{"id": "http://www.gabriel.urdhr.fr/2021/03/22/samsung-tv-dial/", "title": "DNS rebinding and CSRF vulnerabilities in the Samsung TV DIAL implementation", "url": "https://www.gabriel.urdhr.fr/2021/03/22/samsung-tv-dial/", "date_published": "2021-03-22T23:17:24+01:00", "date_modified": "2021-03-22T23:17:24+01:00", "tags": ["computer", "security", "vulnerability", "dial", "dns-rebinding", "csrf"], "content_html": "<p>I found\na DNS rebinding vulnerability as well as a Cross-Site Request Forgery\n(CSRF) vulnerability\nin the <a href=\"http://www.dial-multiscreen.org/\">DIAL</a> (Discovery And Launch)\nimplementation of the Samsung TV UE40F6320 (v1.0), from 2011.\nThis can be used to open any installed application (e.g. Netflix and YouTube)\nand force the application to display a given video.</p>\n"},
{"id": "http://www.gabriel.urdhr.fr/2021/03/22/samsung-tv-upnp-dns-rebinding/", "title": "DNS rebinding vulnerability in Samsung SmartTV UPnP", "url": "https://www.gabriel.urdhr.fr/2021/03/22/samsung-tv-upnp-dns-rebinding/", "date_published": "2021-03-22T23:15:29+01:00", "date_modified": "2021-03-22T23:15:29+01:00", "tags": ["computer", "security", "vulnerability", "dns-rebinding", "upnp"], "content_html": "<p>I found\na DNS rebinding vulnerability in the Universal Plug-and-Play (UPnP)\ninterface of the Samsung TV UE40F6320 (v1.0), from 2011.\nThis could be used, for example, to change the channel, to find out\nwhich channel is currently selected, or to open the built-in browser at any URI.</p>\n"},
{"id": "http://www.gabriel.urdhr.fr/2021/03/17/frida-disable-certificate-check-on-android/", "title": "Disable certificate verification on Android with Frida", "url": "https://www.gabriel.urdhr.fr/2021/03/17/frida-disable-certificate-check-on-android/", "date_published": "2021-03-17T00:00:00+01:00", "date_modified": "2021-03-17T00:00:00+01:00", "tags": ["computer", "system", "security", "android", "frida", "tls", "reverse-engineering"], "content_html": "<p>Some notes about how to write a <a href=\"https://frida.re/\">Frida</a> script,\nwith the (somewhat classic) example of disabling certificate verification\nfor TLS communications in Android applications.</p>\n"}
]}