Blog

Sharing information is a vital resource for critical infrastructure security and resilience. As a member of the broader security community, we feel a responsibility to provide access to learnings and resources to foster collaboration that helps protect organizations and defend against malicious threats.
“We publicly posted the virtual machine used to simulate the scenarios described in the white paper so others can use it to experiment and test out the attack scenarios. It’s important to us to not only to tell you what we’re doing, but to show you too.”
– Michael Milvich, Fellow
Spoofing Internal Packets for Multihomed Linux Devices
October 16, 2024
In short, the conntrack module, which tracks connections for the stateful firewall, does not account for the interface on which a connection was established. As a result, a firewall rule allowing…
Vulnerabilities in Homepage Dashboard
August 22, 2024
Homepage is an open-source dashboard with over 100 integrations. This article shows how multiple vulnerabilities were found and exploited in its latest version at that time (v0.8.13), for example, to achieve code execution in Jellyfin.
Introducing usb-racer
May 7, 2024
One issue that we are always on the lookout for when performing an embedded assessment are TOCTOU situations. Typically, these involve conditions where the authenticity of data is verified and then modified by an attacker before being consumed by the device.…
Galactical Bug Hunting: How we discovered new issues in CD Projekt Red’s Gaming Platform
April 4, 2024
The main purpose behind starting this research project was to get further understanding on how to review and exploit both Windows Applications and Environments…
NosyMonkey: API hooking and code injection made easy!
August 30, 2023
As a researcher I often run into situations in which I need to make a compiled binary do things that it wouldn’t normally do or change the way it works in some way. Of course, if one…
Compromising Garmin’s Sport Watches: A Deep Dive into GarminOS and its MonkeyC Virtual Machine
April 21, 2023
I reversed the firmware of my Garmin Forerunner 245 Music back in 2022 and found a dozen or so vulnerabilities in their support for Connect IQ applications. They can be exploited…
Userland Execution of Binaries Directly from Python
October 11, 2022
On a recent engagement I found myself testing a Kubernetes environment. Through application-level bugs I had gotten remote shell access to some of its containers. For further exploration and analysis…
nanopb Protobuf Decompiler
July 27, 2022
Here at Anvil we have increasingly run into embedded systems utilizing the nanopb - Protocol Buffers for Embedded Systems project. Nanopb is a small code size Protocol Buffer implementation targeting memory restricted systems. Nanopb.…
Information Security BASICS
May 31, 2022
This blog post is for the ambitious network administrator who has been promoted to head of information security and wants to demonstrably improve the organization's security in the first 90 days or so. I will talk about how to leverage your existing network administration knowledge…
Silly proof of concept: Anti-phishing using perceptual hashing algorithms
February 3, 2022
by Diego Freijo Welcome to the first dispatch coming out of the Ministry of Silly Ideas! It’s a space we’ve got inside Anvil where we encourage ourselves to come up with interesting-even-if-soundin...
Early-Career Security Engineer: Anvil Offers a Foundation for Growth
August 31, 2021
Introduction This blog post is written by Abhijeet Pate, who works as a security engineer at Anvil. The post talks about how he got started with Anvil, his transition from a student to a security e...
DHCP Games with Smart Router Devices
August 18, 2021
During a recent engagement, we identified a recurring and interesting scenario involving smart router devices. We define smart router devices as devices with functionality that requires them to pro...
Attempting to Bypass the AngularJS Sandbox from a DOM-Based Context in versions 1.5.9-1.5.11 (Part 2)
August 2, 2021
Introduction In Part 1 of this two-part blog series, we identified two checks introduced in AngularJS v1.5.9 to mitigate the vulnerabilities leveraged by the latest sandbox bypass: The ensureSaf...
Attempting to Bypass the AngularJS Sandbox from a DOM-Based Context in versions 1.5.9-1.5.11 (Part 1)
June 24, 2021
Introduction I recently found a Client-Side Template Injection (CSTI) vulnerability in a web application that uses AngularJS version 1.5.9. When I tried to leverage this issue to something more use...
Azure Sphere Reverse Engineering
October 20, 2020
Microsoft recently held a closed security bounty challenge for Azure Sphere, an application platform for internet-connected devices. While we did not participate in the three-month challenge which ...
Defeating Secure Boot with Symlink Attacks
August 11, 2020
Anvil is releasing a white paper today describing a technique that we have found useful to bypass secure boot on a number of embedded Linux devices where the file systems have been split into a sig...
Unpacking Bosch Surveillance Camera Firmware
July 16, 2020
While looking for new devices to perform reverse engineering on, I became interested in Bosch’s FlexiDome line of cameras, specifically the FlexiDome 7000, a day/night surveillance camera. This blo...
Hack-A-Sat 2020 CTF
June 1, 2020
Hack-A-Sat 2020 Hello! I am Michael Milvich and I recently joined Anvil's embedded security group. I have been a computer security consultant for over fifteen years with a focus on embedded systems,...
Culture – The Card That Completes Our Winning Hand
February 19, 2020
Finding and retaining talent is a priority for most any successful business. In the cybersecurity field, with a well-documented workforce shortage, it is doubly important. One of my responsibilitie...
A bug and a misconfigured file share: a tale in two parts
February 5, 2020
Introduction This is a story in two parts. First, sometime mid-2019 Anvil was asked by one of its customers to come in and help out with evaluating the security posture of their implementation of s...
A Strong Foundation
September 19, 2019
Since starting Anvil, and adding our first partner, Vincent Berg, in February 2017, a whole heck of a lot has changed. We have grown, added more employees, added Kim Bauer as another partner and co...
Capital One: Wake Up Call or Snooze Button?
August 1, 2019
This week’s data breach at Capital One was not shocking. Data breaches have been occurring for so many years at such a frequency that consumers have been numbed to the negligence that companies lik...
Cultivating Q2
June 28, 2019
When I began looking for my next professional adventure, I wanted to make sure that I ended up in a place that was an accurate reflection of the values and beliefs that I hold dear. One of the thin...
Looking inside the box
May 18, 2019
This blog post talks about reverse engineering the Dropbox client, breaking its obfuscation mechanisms, de-compiling it to Python code as well as modifying the client in order to use debug features...
Closing 2018 and Kick-Starting 2019: The Anvil Way
March 18, 2019
Friends and colleagues, I have been remiss in posting highlights for what has been going on for Anvil and want to make amends: so, here are some highlights about how we closed out 2018 and got 2019...
Linux Attack Surface Analysis
September 18, 2017
Recently on an application security review project I ended up having analyze a lot of before- and after- statuses when installing several pieces of software on Linux operating systems. It made me r...
Solving the Q4 Crunch for InfoSec Consulting
September 7, 2017
In information security consulting and especially in the area of bespoke penetration testing services, the fourth quarter tends to be a bit of a shit show for lack of a better term. It may have som...
Zero Days, Exploits, and Attribution. A Question of Ethics?
July 18, 2017
Background Recently, I was having lunch with a young hacker. This person brought an interesting situation to my attention and asked me for my thoughts. The young hacker worked for a research and co...
What Sets Anvil Apart – June 2017 Edition
June 30, 2017
People sometimes ask me why I started Anvil Ventures and what is so great about it. Based on who they are, I give them an appropriate response. Potential hires get the ESOP, Partner Track, Do Co...
Anvil Ventures Q1 2017
May 5, 2017
We have completed our first three (3) months of business. We have customers!!!! OK. We don’t have lots of customers but we have turned down more business than we have accepted. We are sticking to o...
3 New CyberSecurity Laws: How the Changing Landscape will Impact your Org
May 5, 2017
In the last few years we have seen an increase in public breaches and hacking events. Information security as an industry is booming because of it. But we are also seeing a number of new pieces of ...
Anvil Ventures Announces Vincent Berg Appointed as First Partner
February 20, 2017
Anvil Ventures, a boutique information security consulting partnership, announced today that Vincent Berg has been named the company's first full Partner, effective immediately. "I am honored to ta...
Introducing Anvil Ventures: An Information Security Consulting Partnership
February 9, 2017
By Chris Elbring Today we are excited to announce the formation of Anvil Ventures, LLC (“Anvil”). Anvil is a new information security consultancy formed by industry veteran Chris Elbring. Anvil offe...
Anvil Ventures & Our 3 Basic Differentiators
November 16, 2016
By Chris Elbring In my earlier post, I detailed some of the things that my new venture will be doing and I alluded to more information being forthcoming. The firm’s name is Anvil Ventures. Anvil Ven...
Emerging from Stealth Mode: My 4 Basic Tenets
October 17, 2016
Many of you know that at some point or another I have sworn off ever again being the person in charge and being fully responsible; been there and done that. And I made mistakes. We all do. But with...
99
Of the Top 10 US Tech Companies are Anvil Clients
99
Countries Where We Operate
99
Percent Three-Year Revenue Growth
99
Rank Among Security Companies on the Inc. 5000 List of Fastest-Growing US Companies