Blog

Summary A command injection vulnerability exists in CS-Cart’s HTML to PDF converter (https://github.com/cscart/pdf) allowing unauthenticated attackers to achieve remote command execution (RCE). The vulnerability only affects the HTML to PDF converter service and the default hosted service at converter.cart-services.com (maintained by CS-Cart’s development team) used by the PDF converter plugin, and does not allow for RCE against base installations of CS-Cart. Product Background In CS-Cart v4.13.2, the HTML to PDF converter is an optional plugin (disabled by default) for printing PDF documents in CS-Cart....

Upon finding the vulnerability, our team member, Ngo Wei Lin (@Creastery), immediately reported it to the Microsoft Security Response Center (MSRC) on 19th March 2022, who fixed the important issue with a fix commited in the repo within seven days, which is impressive and a much faster response than other Microsoft bugs which we reported previously. The fix was pushed down to Azure Cosmos DB Explorer on 31st March 2022....

STAR LABS SG PTE. LTD. (STAR Labs) announced today that it has become a CVE Numbering Authority (CNA) for the Common Vulnerabilities and Exposures (CVE®) system, a global cybersecurity community. As a CNA, STAR LABS is authorized to assign CVE Identifiers（CVE IDs）to newly discovered vulnerabilities and publicly disclose information about these vulnerabilities through CVE Records. Identifying vulnerabilities with CVE IDs can speed up the awareness and understanding of those vulnerabilities, enabling security researchers and system managers to expedite solutions....

Background Lately, my focus has been on discovering any potential vulnerabilities in KEPServerEX. KEPServerEX is the industry’s leading connectivity platform that provides a single source of industrial automation data to all your applications. Users can connect, manage, monitor, and control diverse automation devices and software applications through one intuitive user interface. This software employs multiple anti-debugging measures, making it challenging to discover any vulnerabilities and performing fuzzing on it. In this regard, I would like to share my perspective on the issue and my strategy for circumventing these measures....

Introduction In this post, one of our recent intern, Wang Hengyue (@w_hy_04) was given the task to analyse CVE-2021-20617 & CVE-2021-20618 in acmailer since there isn’t any public information on it. Today, we’ll be sharing his journey in dissecting the vulnerabilities in acmailer. Both vulnerabilities were originally found by ma.la acmailer is a Perl-based email delivery application that provides functionality centered around sending mass emails, with associated functions such as registration and unregistration forms, surveys, and email templating....

As part of my internship at STAR Labs, I conducted n-day analysis of CVE-2020-6418. This vulnerability lies in the V8 engine of Google Chrome, namely its optimizing compiler Turbofan. Specifically, the vulnerable version is in Google Chrome’s V8 prior to 80.0.3987.122. In this article, I will give a step-by-step analysis of the vulnerability, from the root cause to exploitation. Background In JavaScript, objects do not have a fixed type. Instead, V8 assigns each object a Map that reflects its type....

Background Some time ago, we were playing with some Netgear routers and we learned so much from this target. However, Netgear recently patched several vulnerabilities in their RAX30 router firmware, including the two vulnerabilities in the DHCP interface for the LAN side and one remote code execution vulnerability on the WAN side which we prepared for Pwn2Own Toronto 2022. This blog post focuses on the vulnerabilities found in version 1.0.7.78You can download the firmware from this link, and easily extract the firmware by using binwalk....