Airbus security lab publications

Airbus security lab was previously known as, in chronological order:

• EADS CCR security lab
• EADS Innovation Works (IW) security lab
• Airbus Group Innovations security lab

Find all our tools on Github: https://github.com/airbus-seclab/.

2023

Publications

• Analyse de sécurité de NetBackup, logiciel de gestion de sauvegardes by Nicolas Devillers, Jean-Romain Garnier, Anaïs Gantet, Mouad Abouhali and Benoît Camredon at SSTIC : Slides , video

Articles

• Advanced binary fuzzing using AFL++-QEMU and libprotobuf: a practical case of grammar-aware in-memory persistent fuzzing by Jean-Romain Garnier, Anaïs Gantet

2022

Publications

• The unavoidable pain of backups: security deep-dive into the internals of NetBackup by Nicolas Devillers, Jean-Romain Garnier, Anaïs Gantet, Mouad Abouhali and Benoît Camredon at Hexacon: Slides (PDF, ODP) , Video

Vulnerabilities

• BMC Truesight Server Automation (RSCD) local privilege escalation: BMC advisories 1 2 3
• BMC Truesight Server Automation (RSCD) default password for the BladeLogicRSCDDC user: BMC advisories 1 2 3
• Netbackup Primary/Media Server:
  • VTS22-004 (CVE-2022-36984, CVE-2022-36985, CVE-2022-36987, CVE-2022-36988, CVE-2022-36989, CVE-2022-36990, CVE-2022-36991, CVE-2022-36992, CVE-2022-36993, CVE-2022-36994, CVE-2022-36995, CVE-2022-36996, CVE-2022-36997, CVE-2022-36998, CVE-2022-36999, CVE-2022-37000)
  • VTS22-010 (CVE-2022-42306, CVE-2022-42308)
  • VTS22-011 (CVE-2022-42302, CVE-2022-42303, CVE-2022-42304)
  • VTS22-012 (CVE-2022-42299, CVE-2022-42305, CVE-2022-42307)
  • VTS22-013 (CVE-2022-42300, CVE-2022-42301)
• NetBackup Client:
  • VTS22-008 (CVE-2022-36955)
  • VTS22-010 (CVE-2022-42306, CVE-2022-42308)
  • VTS22-012 (CVE-2022-42299, CVE-2022-42305, CVE-2022-42307)
• NetBackup OpsCenter: VTS22-009 (CVE-2022-36948, CVE-2022-36949, CVE-2022-36950, CVE-2022-36951, CVE-2022-36953, CVE-2022-36954, CVE-2022-23457)

2021

Publications

• Attacking Xerox multi function printers by Raphaël Rigo at INFILTRATE: Slides, Video
• GUSTAVE: Fuzz It Like It’s App by Stéphane Duverger and Anaïs Gantet at DMU Cyber Week: Slides
• HPE iLO 5 security – Go home cryptoprocessor, you’re drunk! by Alexandre Gazet (Airbus), Fabien Perigaud (Synacktiv) and Joffrey Czarny at SSTIC: Slides , Article , Video
• HPE iLO 5 security – Go home cryptoprocessor, you’re drunk! by Alexandre Gazet (Airbus), Fabien Perigaud (Synacktiv) and Joffrey Czarny at Black Hat USA: Slides

Articles

• A blog post series on QEMU Internals by Stéphane Duverger: Blog
• Getting the maximum of your C compiler, for security: Page

Vulnerabilities

• Xerox VersaLink remote command execution: XRX21D
• Xerox WorkCentre, ColorQube: XRX21F, XRX21G
• BMC Control-M: Security bulletin, security wall of fame

Tools

• GEA1_break: Implementation of the key recovery attack against GEA-1 keys (Eurocrypt 2021)
• BinCAT: v1.2 released

2020

Publications

• Sécurité des infrastructures basées sur Kubernetes by Xavier Mehrenberger at SSTIC: Slides , Article , Video
• Android_Emuroot: Outils de rooting d’un émulateur Android Google API PlayStore by Anaïs Gantet and Mouad Abouhali at SSTIC: Slides , Video , GitHub

Vulnerabilities

• Backdoor accounts, password encryption, remote command execution, and SQL injection on Xerox AltaLink printers: Xerox bulletins XRX20G, XRX20I, XRX20R, XRX20X.
• Remote command execution on Xerox Phaser, VersaLink and WorkCentre printers: Xerox bulletin XRX20K.
• Backdoor accounts, remote command execution, password encryption, buffer overflow, and arbitrary file read / delete on Xerox WorkCentre printers: Xerox bulletins XRX20L, XRX20M, XRX20V.

2019

Publications

• Tendances et contraintes de l’automatisation du fuzzing d’OS embarqué by Stéphane Duverger at GDR Sécurité
• Breaking Through Another Side: Bypassing Firmware Security Boundaries from Embedded Controller by Alex Matrosov (NVIDIA) and Alexandre Gazet at Black Hat USA: Slides

• GUSTAVE: Fuzz It Like It’s App by Stéphane Duverger and Anaïs Gantet at SSTIC: Slides Paper , GitHub, Video

• Riding the lightning: iLO4&5 BMC security wrap-up by Fabien Perigaud (Synacktiv), Alexandre Gazet and Joffrey Czarny (Medallia) at Insomni’hack: Slides

• Defeating NotPetya from your iLO by Joffrey Czarny (Medallia), Alexandre Gazet, Adrien Guinet (Quarkslab), Fabien Perigaud (Synacktiv): Whitepaper

• GUSTAVE: Fuzzing OS kernels like simple applications by Stéphane Duverger and Anaïs Gantet at THCon19: Slides

Vulnerabilities

• (CVE not yet assigned): Remote command execution as root in several Xerox printer models, backdoor account: Xerox bulletin XRX19AI, XRX19AP.

• CVE-2019-10880: Remote command execution vulnerability in several Xerox printer models: Xerox bulletins XRX19C, XRX19E, XRX19G, XRX19I, XRX19J, XRX19K, XRX19L, XRX19M and XRX19Q.

• CVE-2019-12091: Command execution vulnerability in Netskope client

• CVE-2019-10882: Memory corruption vulnerability in Netskope client

• CVE-2019-6171: ThinkPad embedded controller update vulnerability, Lenovo Security Advisory LEN-27764
• CVE-2019-19518: Unauthenticated remote command exec and arbitrary file access on CA Autonomic Sysload. Broadcom/CA advisory CA20191210-01
• CVE-2019-18337, CVE-2019-18338, CVE-2019-18339, CVE-2019-18340: Multiple vulnerabilities (auth bypasses, path traversal and obfuscated password storage) in Siemens SiNVR Video Management Solution. Advisory SSA-761617.

2018

Publications

• Turning your BMC into a revolving door by Fabien Perigaud, Alexandre Gazet and Joffrey Czarny at ZeroNights: Slides

• Android_Emuroot: Abusing Google Play emulator debugging to RE non-cooperative apps as root by Anaïs Gantet at Blackhoodie18: Slides , Demo, GitHub

• Backdooring your server through its BMC: the HPE iLO4 case by Fabien Perigaud, Alexandre Gazet and Joffrey Czarny at SSTIC: Slides , Slides , Paper , GitHub.

• Subverting your server through its BMC: the HPE iLO4 case by Fabien Perigaud, Alexandre Gazet and Joffrey Czarny at RECON (Brussels): Slides , GitHub.

• Deep dive into an ICS Firewall by Julien Lenoir, Benoît Camredon at Black Hat USA Slides

2017

Publications

• An analysis of the Warbird virtual-machine protection for the CI!g_pStore by Alexandre Gazet: Post , GitHub
• PowerSAP: PowerShell tool to assess SAP security by Joffrey Czarny at Troopers, Black Hat (USA and Europe), and UniverShell: Slides , GitHub
• BinCAT: purrfecting binary static analysis, by Philippe Biondi, Xavier Mehrenberger, Raphaël Rigo and Sarah Zennou:
  • REcon: Slides , GitHub.
  • SSTIC: Slides , Paper , GitHub.
• CrashOS by Anaïs Gantet:
  • CrashOS: Recherche de vulnérabilités système dans les hyperviseurs at SSTIC: Slides , Paper , GitHub.
  • CrashOS: Hypervisor testing tool at ISSRE: Slides
• cpu_rec.py, un outil statistique pour la reconnaissance d’architectures binaires exotiques by Louis Granboulan:
  • SSTIC: Slides , Paper , GitHub.
• Blackbox reconstruction of SD card accesses by Xavier Mehrenberger and Raphaël Rigo at BeeRumP: Slides .

Advisories

• Three vulnerabilities in Tofino Xenon Security Appliance - 3.10 and earlier by Julien Lenoir, details:
  • CVE-2017-11400: Incomplete firmware signature
  • CVE-2017-11401: DPI ModBus filter bypass
  • CVE-2017-11400: Firewall bypass

2016

• Dungeons and Dragons and Security by Tiphaine Romand-Latapie at Black Hat USA and THCon’17: Slides , Paper
• Gunpack: un outil générique d’unpacking de malwares by Julien Lenoir at SSTIC: Slides , Paper , Code.
• USB Toolkit by Benoit Camredon at SSTIC: Slides , Paper , GitHub (kernel), GitHub (user).
• App vs Wild by Stéphane Duverger at SSTIC and THCon’17: Slides , Paper , GitHub (ramooflax).
• Lost your “secure” HDD PIN? We can help! by Julien Lenoir & Raphaël Rigo:
  • H2HC, Slides
  • Ekoparty, Slides
• Secrets in Soft Token: A security study of HID Global Soft Token by Mouad Abouhali at Hack.lu: Slides

2015

• Failure is not an option (Keynote) by Philippe Biondi at GreHack: Slides , Video
• A peek under the Blue Coat by Raphaël Rigo at Black Hat Europe and Ruxcon: Slides, video
• Implementing Your Own Generic Unpacker by Julien Lenoir at HITB: Slides , Video, Code.
• REbus: a communication bus for security tools interactions by Philippe Biondi, Sarah Zennou, Xavier Mehrenberger at SSTIC, Slides , Paper , Video
• Active Directory security analysis with BTA tool by Joffrey Czarny and Philippe Biondi:
  • Presented at Hack.lu 2015, BlackHat USA Arsenal
  • Slides , Slides , Paper
  • Code
• Reverse Engineering: the case of encrypted hard drives by Joffrey Czarny & Raphaël Rigo at SSTIC and Hardwear.io: Slides , Slides , Paper
• The challenge of designing a secure encrypted hard drive by Raphaël Rigo at SyScan: Slides, Video

2014

• Active Directory security analysis with BTA tool by Joffrey Czarny and Philippe Biondi at SSTIC 2014

Articles

• Analyse de malware à la rescousse du CSIRT : de la rétro-conception aux IOC by Mouad Abouhali in MISC Magazine HS 10 , Article
• Contrôler la sécurité des objets de l’Active Directory avec BTA by Joffrey Czarny in MISC Magazine HS 10 , Article

2012

• Protection Against Reverse Engineering by Code Obfuscation by Axel Tillequin at PPREW’1

2011

• Sécurité du système Android (The security of Android) by Nicolas Ruff at SSTIC: Slides , Paper
• SSTIC challenge best solution by Axel Tillequin.
• Pre-boot virtualization of a physical appliance with ramooflax by Stéphane Duverger at
  • PacSec: Slides , Slides
  • SSTIC: Slides , Paper

2010

• Audit d’applications .NET complexes - le cas Microsoft OCS 2007 (.NET applications analysis the case of Microsoft OCS 2007) by Nicolas Ruff at SSTIC: Slides , Paper
• SSTIC challenge best solution: French and English by Arnaud Ebalard

2009

• Attacking Wifi networks with traffic injection by Cédric Blancher at SyScan: Slides
• Pourquoi la sécurité est un échec (et comment y remédier) by Nicolas Ruff at SSTIC: Slides , Paper

2008

• Dépérimetrisation: futur de la sécurité réseau ou pis aller passager ? by Cédric Blancher at SSTIC: Slides , Paper

2007

• IPv6 routing header security by Philippe Biondi and Arnaud Ebalard at CanSecWest: Slides
• Linux 2.6 kernel exploits by Stéphane Duverger at:
  • SSTIC: Slides , Paper
  • Syscan: Slides
• Analyse statique par interprétation abstraite (static analysis by abstract interpretation) by Charles Hymans and Xavier Allamigeon at SSTIC
• Aircraft Onboard Systems Security by Cédric Blancher at Bellua Cyber Security
• Autopsie d’une intrusion “tout en mémoire” sous Windows (Autopsy of a Windows in-memory intrusion) by Nicolas Ruff at SSTIC: Slides , Paper

2006

• Scapy and IPv6 Networking by Philippe Biondi and Arnaud Ebalard at HITB: Slides
• Skype research:
  • Vanilla Skype by Fabrice Desclaux and Kostya Kortchinsky at REcon: Slides part 1 and part 2
  • Epyks: reversing Skype by Fabrice Desclaux at SSTIC: Slides , Paper
  • Silver Needle in the Skype by Philippe Biondi and Fabrice Desclaux at Blackhat Europe: Slides
• Playing with ptrace for fun and profit by Nicolas Bareil at SSTIC: Slides , Paper
• La sécurité dans Mobile IPv6 (Security of mobile IPv6) by Arnaud Ebalard and Guillaume Valadon at SSTIC: Slides , Paper
• Sécurité des offres ADSL en France by Nicolas Ruff at SSTIC: Slides , Paper

2005

• Attacking WiFi with traffic injection by Cédric Blancher at Ruxcon (Slides), PacSec (Slides), SyScan (Slides), REcon (Slides)
• Scapy: explore the net with new eyes by Philippe Biondi at T2: Slides
• Network packet forgery with Scapy by Philippe Biondi at PacSec: Slides
• VoIP security by Nicolas Bareil at SSTIC: Slides , Paper
• Shellforge by Philippe Biondi at Libre Software Meeting LSM/RMLL: Slides
• Utilisation des outils Honeypot pour la détection d’intrusion by Philippe Biondi et Cédric Blancher at EUROSEC: Slides
• Protocoles réseau : grandeur et décadence by Cédric Blancher, Nicolas Fischbach and Pierre Betouin at SSTIC: Slides , Paper

2004

• About Shellcodes by Philippe Biondi at Syscan: Slides