PT SWARM

Last barrier destroyed, or compromise of Fuse Encryption Key for Intel Security Fuses

Written by Mark Ermolov on March 20, 2025

Introduction

As experts who have spent years researching the security of hardware platforms developed by Intel, we acknowledge that Intel’s Converged Security and Management Engine security architecture is highly reliable and was designed by top-notch professionals.

From an architectural perspective, if all its individual components function as intended, it is challenging to find a vulnerability, that, even hypothetically, could lead to irreparable consequences, calling into question the correctness of the decisions made.

Undoubtedly, Intel’s confidence in the reliability of its lowest-level protection, also known as the Root of Trust (RoT), can be attributed to the highest level of privileges granted to the Intel CSME subsystem, including unrestricted access to memory and hardware containing user data. This RoT is based on cryptography, specifically the skilled application of asymmetric and symmetric encryption algorithms, to ensure the confidentiality and integrity of the executable code and data of Intel CSME and other platform subsystems.

Impossible XXE in PHP

Written by Aleksandr Zhurnakov on March 11, 2025

Writing secure code today is easier than making a mistake that would lead to an XXE vulnerability. While examining a library, I wondered: is its code truly secure? At first glance, everything appeared to be filtered, and the function didn’t have the attributes that could make it vulnerable.

However, I was able to exploit an almost impossible XXE vulnerability using a combination of techniques and features.

GigaVulnerability: readout protection bypass on GigaDevice GD32 MCUs

Written by a1exdandy on February 27, 2025

Disclaimer. This article is for informational purposes only and is not intended to instruct or encourage any illegal activity. Our goal is to describe the existing vulnerabilities that can be exploited by attackers, to warn users, and to provide recommendations on how to protect their personal information online. The authors are not responsible for how the information is used. Remember to always prioritize the security of your personal data.

When developing hardware solutions based on microcontrollers (MCUs), manufacturers seek to protect their firmware from falling into the hands of attackers, because it may contain sensitive information, encryption keys, unique valuable algorithms, and so on. To achieve this, most microcontrollers implement flash memory readout protection technologies. But do they really provide sufficient protection?

Xbox 360 security in details: the long way to RGH3

Written by Alexey Shalpegin on January 23, 2025

Hi there, it’s Positive Labs! Here we perform different kinds of embedded R&D. Regretfully, most of the cool stuff is not allowed to be shared due to the NDA, but I still want to introduce you to the awesome adventurous spirit of our lab. It happens that my current job is pretty similar to my long-time hobby, the security research of game consoles. So it’s high time to continue my Xbox 360 trilogy[1][2][3] (Rodrigo Copetty has a really good summary of it here). Yup, today’s topic is how the most used Xbox 360 modding method, RGH3, was born.

New dog, old tricks: DaMAgeCard attack targets memory directly thru SD card reader

Written by gesser on December 5, 2024

Did I ever tell you what the definition of insanity is? Insanity is doing the exact… same ******* thing… over and over again expecting… **** to change… That. Is. Crazy.
Far Cry 3

Intro

The peripheral device industry has once again sacrificed security in the name of speed. Media sizes have risen dramatically, and with them the requirements for how fast we can process media. It just takes too long to copy hundreds of gigabytes of RAW images, even with Ultra High Speed 2 (UHS-II) SD cards. And so the SD Association heard the cries of DSLR geeks, and made a move. They released SD Express¹.

Our team at Positive Labs have embedded and system security as a main focus, so we’ve kept our eyes on this development. The standard was in fact published in 2018, but SD Express hasn’t gotten much traction since — until recently. Which is somewhat sad — the speed gains are enormous. But speed is not what got our attention — the way it’s achieved is. It appears that the “express” bit in the name stands for “PCI Express”, and when we hear “PCI”, we think “A-ha! Possible memory access!”.

But alas, nobody wanted to integrate SD Express into their consumer electronics until around 2022. We’re even beginning to worry — maybe this time they’ll be serious on the DMA threat front, and everything will be secure and locked up.

So while we wait for more devices to implement it (or for the industry to abandon it), we will talk about why the honorable PCI bus gets so much of our attention.

Android Jetpack Navigation: Go Even Deeper

Written by Artem Kulakov on August 14, 2024

Previous research

Some time ago, my colleague discovered an interesting vulnerability in the Jetpack Navigation library, which allows someone to open any screen of the application, bypassing existing restrictions for components that are not exported and therefore inaccessible to other applications. The issue lies with an implicit deep link processing mechanism, which any application on the device can interact with. This investigation prompted Google to add the following warning to the library documentation:

The issue with this warning is that, based on the documentation, it only concerns the APIs for creating explicit deep links when the problem is actually much deeper. But let’s take it step by step.

From opcode to code: how AI chatbots can help with decompilation

Written by Nikita Petrov on July 30, 2024

Sometimes, when searching for vulnerabilities, you come across protected PHP code. Often, it’s protected by commercial encoders. These encoders perform a straightforward task: they compile the source code into Zend Engine bytecode and then encode it. The obfuscation result looks something like this:

Inside Xerox WorkCentre: Two Unauthenticated RCEs

Written by Arseniy Sharoglazov on June 28, 2024

Every organization has printers. Sometimes, there are Xerox WorkCentre among them, large machines that can weigh more than 100 kilos or 220 lbs.

In this writeup, I will cover two unauthenticated RCE vulnerabilities that I discovered in these printers. Next, I’ll provide a checklist for protecting your printers against attacks.

Getting XXE in Web Browsers using ChatGPT

Written by Igor Sak-Sakovskiy on May 22, 2024

A year ago, I wondered what a malicious page with disabled JavaScript could do.

I knew that SVG, which is based on XML, and XML itself could be complex and allow file access. Is the Same Origin Policy (SOP) correctly implemented for all possible XML and SVG syntaxes? Is access through the file:// protocol properly handled?

Since I was too lazy to read the documentation, I started generating examples using ChatGPT.

Android Jetpack Navigation: Deep Links Handling Exploitation

Written by Andrey Pesnyak on March 20, 2024

The androidx.fragment.app.Fragment class available in Android allows creating parts of application UI (so-called fragments). Each fragment has its own layout, lifecycle, and event handlers. Fragments can be built into activities or displayed within other fragments, which lends flexibility and modularity to app design.

Android IPC (inter-process communication) allows a third-party app to open activities exported from another app, but it does not allow it to open a fragment. To be able to open a fragment, the app under attack needs to process an incoming intent, and only then will the relevant fragment open, depending on the incoming data. In other words, it is the developer that defines which fragments to make available to a third-party app and implements the relevant handling.

The Navigation library from the Android Jetpack suite facilitates work with fragments. The library contains a flaw that allows a malicious actor to launch any fragments in a navigation graph associated with an exported activity.