Airbus security lab publications

Airbus security lab was previously known as, in chronological order:

EADS CCR security lab
EADS Innovation Works (IW) security lab
Airbus Group Innovations security lab

Find all our tools on Github: https://github.com/airbus-seclab.

2025

Publications

afl-cov-fast: code-coverage for AFL++ fuzzing campaigns by Jean-Romain Garnier at SSTIC: Slides , Video
soxy: services over Citrix, VMware Horizon and native Windows RDP by Arnaud Fontaine, Nicolas Devillers and Jean-Romain Garnier at SSTIC: Slides , Video

Tools

soxy: A suite of services (SOCKS, FTP, shell, etc.) over Citrix, VMware Horizon and native Windows RDP
afl-cov-fast: Tool to produce code coverage reports for AFL++ fuzzing campaigns with source code or in binary-only mode

2024

Vulnerabilities

FireEye EDR (Trellix Endpoint Security):
- Agent to Console XXE, zip bomb: Trellix advisory, CVE-2025-0617
- Tamper protection persistent denial of service: Trellix advisory, CVE-2025-0618

2023

Publications

Analyse de sécurité de NetBackup, logiciel de gestion de sauvegardes by Nicolas Devillers, Jean-Romain Garnier, Anaïs Gantet, Mouad Abouhali and Benoît Camredon at SSTIC: Slides , Video

Articles

Advanced binary fuzzing using AFL++-QEMU and libprotobuf: a practical case of grammar-aware in-memory persistent fuzzing by Jean-Romain Garnier, Anaïs Gantet

2022

Publications

The unavoidable pain of backups: security deep-dive into the internals of NetBackup by Nicolas Devillers, Jean-Romain Garnier, Anaïs Gantet, Mouad Abouhali and Benoît Camredon at Hexacon: Slides (PDF, ODP) , Video

Vulnerabilities

BMC Truesight Server Automation (RSCD) local privilege escalation: BMC advisories 1 2 3
BMC Truesight Server Automation (RSCD) default password for the BladeLogicRSCDDC user: BMC advisories 1 2 3
Netbackup Primary/Media Server:
NetBackup Client:
NetBackup OpsCenter: VTS22-009 (CVE-2022-36948, CVE-2022-36949, CVE-2022-36950, CVE-2022-36951, CVE-2022-36953, CVE-2022-36954, CVE-2022-23457)

2021

Publications

Attacking Xerox multi function printers by Raphaël Rigo at INFILTRATE: Slides , Video
GUSTAVE: Fuzz It Like It’s App by Stéphane Duverger and Anaïs Gantet at DMU Cyber Week: Slides
HPE iLO 5 security – Go home cryptoprocessor, you’re drunk! by Alexandre Gazet (Airbus), Fabien Perigaud (Synacktiv) and Joffrey Czarny at SSTIC: Slides , Article , Video
HPE iLO 5 security – Go home cryptoprocessor, you’re drunk! by Alexandre Gazet (Airbus), Fabien Perigaud (Synacktiv) and Joffrey Czarny at Black Hat USA: Slides

Articles

A blog post series on QEMU Internals by Stéphane Duverger: Blog
Getting the maximum of your C compiler, for security: Page

Vulnerabilities

Xerox VersaLink remote command execution: XRX21D
Xerox WorkCentre, ColorQube: XRX21F, XRX21G
BMC Control-M: Security bulletin, security wall of fame

Tools

GEA1_break: Implementation of the key recovery attack against GEA-1 keys (Eurocrypt 2021)
BinCAT: v1.2 released

2020

Publications

Sécurité des infrastructures basées sur Kubernetes by Xavier Mehrenberger at SSTIC: Slides , Article , Video
Android_Emuroot: Outils de rooting d’un émulateur Android Google API PlayStore by Anaïs Gantet and Mouad Abouhali at SSTIC: Slides , Video , GitHub

Vulnerabilities

Backdoor accounts, password encryption, remote command execution, and SQL injection on Xerox AltaLink printers: Xerox bulletins XRX20G, XRX20I, XRX20R, XRX20X.
Remote command execution on Xerox Phaser, VersaLink and WorkCentre printers: Xerox bulletin XRX20K.
Backdoor accounts, remote command execution, password encryption, buffer overflow, and arbitrary file read / delete on Xerox WorkCentre printers: Xerox bulletins XRX20L, XRX20M, XRX20V.

2019

Publications

Tendances et contraintes de l’automatisation du fuzzing d’OS embarqué by Stéphane Duverger at GDR Sécurité
Breaking Through Another Side: Bypassing Firmware Security Boundaries from Embedded Controller by Alex Matrosov (NVIDIA) and Alexandre Gazet at Black Hat USA: Slides
GUSTAVE: Fuzz It Like It’s App by Stéphane Duverger and Anaïs Gantet at SSTIC: Slides Paper , GitHub, Video
Riding the lightning: iLO4&5 BMC security wrap-up by Fabien Perigaud (Synacktiv), Alexandre Gazet and Joffrey Czarny (Medallia) at Insomni’hack: Slides
Defeating NotPetya from your iLO by Joffrey Czarny (Medallia), Alexandre Gazet, Adrien Guinet (Quarkslab), Fabien Perigaud (Synacktiv): Whitepaper
GUSTAVE: Fuzzing OS kernels like simple applications by Stéphane Duverger and Anaïs Gantet at THCon19: Slides

Vulnerabilities

(CVE not yet assigned): Remote command execution as root in several Xerox printer models, backdoor account: Xerox bulletin XRX19AI, XRX19AP.
CVE-2019-10880: Remote command execution vulnerability in several Xerox printer models: Xerox bulletins XRX19C, XRX19E, XRX19G, XRX19I, XRX19J, XRX19K, XRX19L, XRX19M and XRX19Q.
CVE-2019-12091: Command execution vulnerability in Netskope client
CVE-2019-10882: Memory corruption vulnerability in Netskope client
CVE-2019-6171: ThinkPad embedded controller update vulnerability, Lenovo Security Advisory LEN-27764
CVE-2019-19518: Unauthenticated remote command exec and arbitrary file access on CA Autonomic Sysload. Broadcom/CA advisory CA20191210-01
CVE-2019-18337, CVE-2019-18338, CVE-2019-18339, CVE-2019-18340: Multiple vulnerabilities (auth bypasses, path traversal and obfuscated password storage) in Siemens SiNVR Video Management Solution. Advisory SSA-761617.

2018

Publications

Turning your BMC into a revolving door by Fabien Perigaud, Alexandre Gazet and Joffrey Czarny at ZeroNights: Slides
Android_Emuroot: Abusing Google Play emulator debugging to RE non-cooperative apps as root by Anaïs Gantet at Blackhoodie18: Slides , Demo, GitHub
Backdooring your server through its BMC: the HPE iLO4 case by Fabien Perigaud, Alexandre Gazet and Joffrey Czarny at SSTIC: Slides , Slides , Paper , GitHub.
Subverting your server through its BMC: the HPE iLO4 case by Fabien Perigaud, Alexandre Gazet and Joffrey Czarny at RECON (Brussels): Slides , GitHub.
Deep dive into an ICS Firewall by Julien Lenoir, Benoît Camredon at Black Hat USA Slides

2017

Publications

An analysis of the Warbird virtual-machine protection for the CI!g_pStore by Alexandre Gazet: Post , GitHub
PowerSAP: PowerShell tool to assess SAP security by Joffrey Czarny at Troopers, Black Hat (USA and Europe), and UniverShell: Slides , GitHub
BinCAT: purrfecting binary static analysis, by Philippe Biondi, Xavier Mehrenberger, Raphaël Rigo and Sarah Zennou:
- REcon: Slides , GitHub.
- SSTIC: Slides , Paper , GitHub.
CrashOS by Anaïs Gantet:
- CrashOS: Recherche de vulnérabilités système dans les hyperviseurs at SSTIC: Slides , Paper , GitHub.
- CrashOS: Hypervisor testing tool at ISSRE: Slides
cpu_rec.py, un outil statistique pour la reconnaissance d’architectures binaires exotiques by Louis Granboulan:
- SSTIC: Slides , Paper , GitHub.
Blackbox reconstruction of SD card accesses by Xavier Mehrenberger and Raphaël Rigo at BeeRumP: Slides .

Advisories

Three vulnerabilities in Tofino Xenon Security Appliance - 3.10 and earlier by Julien Lenoir, details:
- CVE-2017-11400: Incomplete firmware signature
- CVE-2017-11401: DPI ModBus filter bypass
- CVE-2017-11400: Firewall bypass

2016

Dungeons and Dragons and Security by Tiphaine Romand-Latapie at Black Hat USA and THCon’17: Slides , Paper
Gunpack: un outil générique d’unpacking de malwares by Julien Lenoir at SSTIC: Slides , Paper , Code.
USB Toolkit by Benoit Camredon at SSTIC: Slides , Paper , GitHub (kernel), GitHub (user).
App vs Wild by Stéphane Duverger at SSTIC and THCon’17: Slides , Paper , GitHub (ramooflax).
Lost your “secure” HDD PIN? We can help! by Julien Lenoir & Raphaël Rigo:
- H2HC, Slides
- Ekoparty, Slides
Secrets in Soft Token: A security study of HID Global Soft Token by Mouad Abouhali at Hack.lu: Slides

2015

Failure is not an option (Keynote) by Philippe Biondi at GreHack: Slides , Video
A peek under the Blue Coat by Raphaël Rigo at Black Hat Europe and Ruxcon: Slides , Video
Implementing Your Own Generic Unpacker by Julien Lenoir at HITB: Slides , Video, Code.
REbus: a communication bus for security tools interactions by Philippe Biondi, Sarah Zennou, Xavier Mehrenberger at SSTIC, Slides , Paper , Video
Active Directory security analysis with BTA tool by Joffrey Czarny and Philippe Biondi:
- Presented at Hack.lu 2015, BlackHat USA Arsenal
- Slides , Slides , Paper
- Code
Reverse Engineering: the case of encrypted hard drives by Joffrey Czarny & Raphaël Rigo at SSTIC and Hardwear.io: Slides , Slides , Paper
The challenge of designing a secure encrypted hard drive by Raphaël Rigo at SyScan: Slides, Video

2014

Active Directory security analysis with BTA tool by Joffrey Czarny and Philippe Biondi at SSTIC 2014

Articles

Analyse de malware à la rescousse du CSIRT : de la rétro-conception aux IOC by Mouad Abouhali in MISC Magazine HS 10 , Article
Contrôler la sécurité des objets de l’Active Directory avec BTA by Joffrey Czarny in MISC Magazine HS 10 , Article

2012

Protection Against Reverse Engineering by Code Obfuscation by Axel Tillequin at PPREW’1

2011

Sécurité du système Android (The security of Android) by Nicolas Ruff at SSTIC: Slides , Paper
SSTIC challenge best solution by Axel Tillequin.
Pre-boot virtualization of a physical appliance with ramooflax by Stéphane Duverger at
- PacSec: Slides , Slides
- SSTIC: Slides , Paper

2010

Audit d’applications .NET complexes - le cas Microsoft OCS 2007 (.NET applications analysis the case of Microsoft OCS 2007) by Nicolas Ruff at SSTIC: Slides , Paper
SSTIC challenge best solution: French and English by Arnaud Ebalard

2009

Attacking Wifi networks with traffic injection by Cédric Blancher at SyScan: Slides
Pourquoi la sécurité est un échec (et comment y remédier) by Nicolas Ruff at SSTIC: Slides , Paper

2008

Dépérimetrisation: futur de la sécurité réseau ou pis aller passager ? by Cédric Blancher at SSTIC: Slides , Paper

2007

IPv6 routing header security by Philippe Biondi and Arnaud Ebalard at CanSecWest: Slides
Linux 2.6 kernel exploits by Stéphane Duverger at:
- SSTIC: Slides , Paper
- Syscan: Slides
Analyse statique par interprétation abstraite (static analysis by abstract interpretation) by Charles Hymans and Xavier Allamigeon at SSTIC
Aircraft Onboard Systems Security by Cédric Blancher at Bellua Cyber Security
Autopsie d’une intrusion “tout en mémoire” sous Windows (Autopsy of a Windows in-memory intrusion) by Nicolas Ruff at SSTIC: Slides , Paper

2006

Scapy and IPv6 Networking by Philippe Biondi and Arnaud Ebalard at HITB: Slides
Skype research:
- Vanilla Skype by Fabrice Desclaux and Kostya Kortchinsky at REcon: Slides part 1 and part 2
- Epyks: reversing Skype by Fabrice Desclaux at SSTIC: Slides , Paper
- Silver Needle in the Skype by Philippe Biondi and Fabrice Desclaux at Blackhat Europe: Slides
Playing with ptrace for fun and profit by Nicolas Bareil at SSTIC: Slides , Paper
La sécurité dans Mobile IPv6 (Security of mobile IPv6) by Arnaud Ebalard and Guillaume Valadon at SSTIC: Slides , Paper
Sécurité des offres ADSL en France by Nicolas Ruff at SSTIC: Slides , Paper

2005

Attacking WiFi with traffic injection by Cédric Blancher at Ruxcon (Slides ), PacSec (Slides ), SyScan (Slides ), REcon (Slides )
Scapy: explore the net with new eyes by Philippe Biondi at T2: Slides
Network packet forgery with Scapy by Philippe Biondi at PacSec: Slides
VoIP security by Nicolas Bareil at SSTIC: Slides , Paper
Shellforge by Philippe Biondi at Libre Software Meeting LSM/RMLL: Slides
Utilisation des outils Honeypot pour la détection d’intrusion by Philippe Biondi et Cédric Blancher at EUROSEC: Slides
Protocoles réseau : grandeur et décadence by Cédric Blancher, Nicolas Fischbach and Pierre Betouin at SSTIC: Slides , Paper

2004

About Shellcodes by Philippe Biondi at Syscan: Slides