Deconstructing and Exploiting CVE-2020-6418

As part of my internship at STAR Labs, I conducted n-day analysis of CVE-2020-6418. This vulnerability lies in the V8 engine of Google Chrome, namely its optimizing compiler Turbofan. Specifically, the vulnerable version is in Google Chrome’s V8 prior to 80.0.3987.122. In this article, I will give a step-by-step analysis of the vulnerability, from the root cause to exploitation. Background In JavaScript, objects do not have a fixed type. Instead, V8 assigns each object a Map that reflects its type....

December 21, 2022 · 15 min · Daniel Toh Jing En

The Last Breath of Our Netgear RAX30 Bugs - A Tragic Tale before Pwn2Own Toronto 2022

Background Some time ago, we were playing with some Netgear routers and we learned so much from this target. However, Netgear recently patched several vulnerabilities in their RAX30 router firmware, including the two vulnerabilities in the DHCP interface for the LAN side and one remote code execution vulnerability on the WAN side which we prepared for Pwn2Own Toronto 2022. This blog post focuses on the vulnerabilities found in version 1.0.7.78You can download the firmware from this link, and easily extract the firmware by using binwalk....

December 6, 2022 · 10 min · Vu Thi Lan (@lanleft_), Nguyễn Hoàng Thạch (@hi_im_d4rkn3ss)

TheHole New World - how a small leak will sink a great browser (CVE-2021-38003)

Introduction CVE-2021-38003 is a vulnerability that exists in the V8 Javascript engine. The vulnerability affects the Chrome browser before stable version 95.0.4638.69, and was disclosed in October 2021 in google’s chrome release blog, while the bug report was made public in February 2022. The vulnerability will cause a special value in V8 called TheHole being leaked to the script. This can lead to a renderer RCE in a Chromium-based browser, and has been used in the wild....

December 6, 2022 · 19 min · Bruce Chen (@bruce30262)

Multiple Vulnerabilities in Proxmox VE & Proxmox Mail Gateway

Background Proxmox Virtual Environment (Proxmox VE or PVE) is an open-source type-1 hypervisor. It includes a web-based management interface programmed in Perl. Another Proxmox product written in Perl, Proxmox Mail Gateway (PMG), comes with a similar web management interface. They share some of the codebases. In this article, I will introduce how to debug PVE’s web service step-by-step and analyse three bugs I have found in PVE and PMG. [UPDATE] This is a quick and minor update to this blog post....

December 2, 2022 · 13 min · Li JianTao (@cursered)

Microsoft SharePoint Server Post-Authentication Server-Side Request Forgery vulnerability

Overview Disclaimer: No anime characters or animals were harmed during the research. The bug had been fixed but it did not meet that criterion required to get CVE. Recently, we have found a Server-Side Request Forgery (SSRF) in Microsoft SharePoint Server 2019 which allows remote authenticated users to send HTTP(S) requests to arbitrary URL and read the responses. The endpoint <site>/_api/web/ExecuteRemoteLOB is vulnerable to Server-Side Request Forgery (SSRF). The HTTP(S) request is highly customizable in request method, path, headers and bodies....

October 25, 2022 · 4 min · Li Jiantao (@CurseRed)

Apple CoreText - An Unexpected Journey to Learn about Failure

Late last year, I have focused my research on the CoreText framework for 2-3 months. In particular, the code related to the text shaping engine and the code responsible for parsing the AAT tables. During this research, I found an OOB (Out-Of-Bounds) Write in the morx table. This series of writeups is to document my whole process, from selecting this attack surface to finding the bug to writing an exploit for it in Safari....

September 29, 2022 · 71 min · Daniel Lim Wee Soong (@daniellimws)

Step-by-Step Walkthrough of CVE-2022-32792 - WebKit B3ReduceStrength Out-of-Bounds Write

Recently, ZDI released the advisory for a Safari out-of-bounds write vulnerability exploited by Manfred Paul (@_manfp) in Pwn2Own. We decided to take a look at the patch and try to exploit it. The patch is rather simple: it creates a new function (IntRange::sExt) that is used to decide the integer range after applying a sign extension operation (in rangeFor). Before this patch, the program assumes that the range stays the same after applying sign extension....

September 8, 2022 · 46 min · Daniel Lim Wee Soong (@daniellimws) & Đỗ Minh Tuấn (@tuanit96)