Blog on STAR Labs

Three Bugs Walk Into a PDF: Prototype Pollution, Served Cold

Wed, 29 Apr 2026 00:00:00 +0000

TL;DR

In April 2026, Adobe disclosed three critical security issues (CVE-2026-34621,CVE-2026-34622,CVE-2026-34626) affecting Acrobat DC, Acrobat Reader DC, and Acrobat 2024. According to Adobe’s advisories, these vulnerabilities could allow attackers to execute arbitrary code and leak user information through a malicious PDF file via a prototype pollution chain and they were reportedly exploited in the wild. The initial issue, CVE-2026-34621, was first identified by EXPMON.

While several reports have already covered the threat intelligence and malware-analysis aspects of the ITW samples, we were more interested in the underlying vulnerabilities themselves and how Adobe patched them.

CHECK Removed, Context Confused, Checkmate Achieved

Wed, 01 Apr 2026 00:00:00 +0000

TL;DR

In January 2026, the Chrome Releases blog announced several security fixes across different Chrome components. One entry caught our attention: CVE-2026-0899, an Out-of-Bounds memory access in V8 discovered by @p1nky4745.

Vulnerabilities in V8, especially OOB and Type Confusions are always interesting from a security research perspective. We decided to take a closer look. At the time of writing, the issue was still restricted and no public proof-of-concept was available. After reverse engineering the patch fix, we identified the root cause of the vulnerability and developed a trigger PoC.

Pickling the Mailbox: A Deep Dive into CVE-2025-20393

Thu, 05 Feb 2026 00:00:00 +0000

TL;DR

In December 2025, Cisco published https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sma-attack-N9bf4 addressing CVE-2025-20393, a critical vulnerability (CVSS 10.0) affecting Cisco Secure Email Gateway and Secure Email and Web Manager. The advisory was notably sparse on technical details, describing only “Improper Input Validation” (CWE-20).

We decided to dig deeper. Through reverse engineering and code analysis of AsyncOS 15.5.3, we uncovered the root cause: a single-byte integer overflow in the EUQ RPC protocol that bypasses authentication and chains into Python pickle deserialization — achieving unauthenticated remote code execution with a single HTTP request.

8th Anniversary: Embrace the new but don't forget the old

Thu, 08 Jan 2026 00:00:00 +0000

Eight years ago today, I started STAR Labs by hiring several fresh grads with no working experiences.

Today, I stand here with a different group of faces. Some of you were there from the beginning. Some of you joined along the way. Some of you just started last month.

And some of the people who were here… weren’t anymore.

Not because they failed. Not because we failed them. But because life called them in different directions.

2025: WE BROKE THINGS, WE BUILT THINGS, WE BROKE EVEN MORE THINGS

Sat, 27 Dec 2025 00:00:00 +0000

Most will talk about the success in their year-end posts. Great. Nobody talks about the failures. Nobody talks about what ACTUALLY happened.

Well, we are going to tell you about OUR STORY - the success AND the failures. The whole thing. Because that’s how we actually learn…from our own mistakes.

So here it is, UNFILTERED. Buckle up.

PWN2OWN 2025 BERLIN & IRELAND

We could only bring one of our interns, Gerrard Tai, along with us to Pwn2Own. Not to watch from the sidelines, but to COMPETE. He was right there with us, building exploit chains, debugging our team members’ codes while under pressure and experiencing the absolute rush of pwning devices on the world stage.

HEX ADVENT 2025: Crack the Advent, Conquer the Threat 🐛

Tue, 18 Nov 2025 00:00:00 +0000

HEX ADVENT 2025: Crack the Advent, Conquer the Threat 🐛

Last chance to register! Registration closing on 20 Dec 2025, 09:00 SGT!

WELCOME TO HEX ADVENT 2025, ‘tis the season to Unwrap Your Potential! 🎁

HEX ADVENT 2025 is a Christmas-themed CTF Advent Calendar, designed for women, by women.

What to Expect

12 Days, 12 Challenges: A structured schedule to build mastery across different CTF categories.
Focus Areas:
- Pwn (Binary Exploitation)
- Cryptography
- Reverse Engineering
- Forensics
- OSINT
- Web Exploitation
Our Mission: To empower women in cybersecurity, create visible role models, and cultivate a robust local talent pool.

Date	What To Expect?
1 to 12 Dec 2025	New challenges unlocked at 09:00 SGT daily
1 to 31 Dec 2025	Challenges open until 31 Dec 2025, 23:59 SGT
1 Dec 2025 to 5 Jan 2026	Write-up submissions will close on 5 Jan 2026, 23:59 SGT

✍🏻➡️ REGISTER TO PLAY NOW

HEX ADVENT 2025: Rules & Information

Mon, 10 Nov 2025 00:00:00 +0000

Information

This is a solo CTF event open to women residing in Singapore or Malaysia.
To register and be eligible for the prizes:
- Register on CTFd, and select the “eligible” bracket.
- Confirm your eligibility by filling in the Google Form.
The flag format is described by this regex: /^HEX{.*}$/
There are a total of 12 challenges. One challenge will be released each day at 09:00 SGT within the period of 1 December 2025 to 12 December 2025. All challenges will be announced on the STAR Labs blog, and the challenges can be accessed through the CTFd platform within the period of 1 December 2025, 09:00 SGT to 31 December 2025, 23:59 SGT.

Breaking Into a Brother (MFC-J1010DW): Three Security Flaws in a Seemingly Innocent Printer

Mon, 03 Nov 2025 00:00:00 +0000

The Target: Brother MFC-J1010DW

Affected Models: Brother Printer MFC-J1010DW
Vulnerable Firmware: Version <= 1.18

TL;DR: The Vulnerability Chain

We discovered three vulnerabilities that when chained together, allow for complete remote compromise:

Authentication Bypass via SNMP - Retrieve the printer’s serial number without authentication, allowing attackers to derive the default admin password
Unauthenticated Firmware Rollback - Downgrade to vulnerable firmware versions over the network, no credentials required
Buffer Overflow via Referer Header - Execute arbitrary code by crafting malicious HTTP headers

The result? We made the printer display our chosen message of “STAR LABS!” on its screen—but this is just a proof of concept. A real attacker could do much worse.

Summer Pwnables: lz1 Solution

Mon, 15 Sep 2025 00:00:00 +0000

TL;DR 🚀

We’re turning a simple compression library into a shell delivery service! This writeup exploits a buffer overflow in lz1/lz77 decompression by crafting malicious compressed data that overflows the stack and chains ROP gadgets for code execution. Ever wondered how a simple file compression tool could hand you the keys to a system? Well, buckle up because we’re about to turn andyherbert’s innocent lz1 compressor into our personal shell delivery service! 🎭

Summer Pwnables: Temporal Paradox Engine Solution

Mon, 15 Sep 2025 00:00:00 +0000

Last month, Jacob asked me to create a CTF challenge for the Summer Pwnables event. I went with a kernel pwnable since my goal was to teach students some more advanced Linux kernel exploitation techniques - something that wouldn’t get solved in a day (and hopefully not by AI either).

After building both the challenge and solution, I figured students should be able to crack it within 3-7 days. Turns out I was right about the timeline, but only one person actually solved it. Jun Rong Lam, he is the first solver by solving this challenge in a week. The next week Lucas Tan Yi Je solved it. In third week, Elijah Chia solved this challenge, so 3 weeks in total. I really amaze by these students skills and persistence.

Lost in Translation: Apache Vulnerabilities That Don't Count (Literally)

Thu, 11 Sep 2025 00:00:00 +0000

During our security research in 2024, we discovered several vulnerabilities in Apache Foundation projects that seem to have gotten ’lost in translation’ between our bug reports and the CVE assignment process. While we’ve been patiently waiting for these findings to officially ‘count,’ they’ve apparently been stuck longer than a software update on a Friday afternoon. Almost a year went by without any CVEs assigned and which we completely forgot about until now. So we figured it was time to let these vulnerabilities see the light of day, even if they’re destined to remain the security world’s ‘ones that got away.’ The following vulnerabilities were responsibly disclosed to Apache and have been addressed, though they continue to exist in that special category of bugs that are real enough to fix but without CVEs.

Fuzzing a Printer: Pre-auth RCE in a Network IoT Device

Tue, 02 Sep 2025 00:00:00 +0000

Printers have three things going for them from an attacker’s perspective: they live on the corporate network, they trust far too much from far too many protocols, and nobody patches them. Over the last quarter we’ve been building out a fuzzing harness for enterprise MFPs.

The harness

We emulate the device’s firmware in a QEMU-based sandbox with a hooked network stack, then let AFL++ drive crafted PJL, SNMP, and IPP messages into the exposed listeners. The hard part isn’t the fuzzer. It’s the harness getting realistic enough that findings translate to the physical device.

[Updates] Summer Pwnables 🔥

Mon, 18 Aug 2025 00:00:00 +0000

[Updates] Summer Pwnables 2025

Major Announcement: ISD Sponsorship

We are pleased to announce that Internal Security Department (ISD) is sponsoring Summer Pwnables Challenge #0002 Challenge #003.

Distribution Rule

Challenge #002 and #003 are meant for Singaporean students.
Each Singaporean student can only win once across all challenges to ensure broader community recognition. However, they can still submit their solutions in order to win the new “Grand Prize”

Prizes are still $100 SGD + the “From Day Zero to Zero Day” book written by Eugene “Spaceraccoon” Lim for the first five solvers.

Summer Pwnables: When the Heat Rises, So Do the C-Shells 🔥

Tue, 12 Aug 2025 00:00:00 +0000

🌴☀️ SUMMER PWNABLES 2025 ☀️🌴

The hottest hacking challenge on this side of Southeast Asia!

Think you can handle the heat? Time to prove your l33t skills are more than just talk! 😎🔥

The summer sun isn’t the only thing burning bright – we have cooked up some seriously spicy challenges that will test whether you are a true shell wizard! 🧙‍♂️✨

📍 ELIGIBILITY REQUIREMENTS

This challenge is exclusively open to Singapore-based students only!
You must be currently enrolled in a Singapore educational institution to participate.

My `Blind Date` with CVE-2025-29824

Wed, 16 Jul 2025 00:00:00 +0000

In April 2025, Microsoft patched a vulnerability that had become a key component in sophisticated ransomware attack chains. CVE-2025-29824, an use-after-free bug in the Windows Common Log File System (CLFS) driver, wasn’t the initial entry point for attackers. Instead, threat actors first compromised Cisco ASA firewalls, then used this Windows kernel vulnerability as the crucial privilege escalation step that transformed limited network access into complete system domination. This multi-stage approach represents the evolution of modern ransomware operations: sophisticated threat actors chaining together network infrastructure vulnerabilities with Windows kernel bugs to devastating effect.

Fooling the Sandbox: A Chrome-atic Escape

Thu, 10 Jul 2025 00:00:00 +0000

For my internship, I was tasked by my mentor Le Qi to analyze CVE-2024-30088, a double-fetch race condition bug in the Windows Kernel Image ntoskrnl.exe. A public POC demonstrating EoP from Medium Integrity Level to SYSTEM is available on GitHub here.

Additionally, I was challenged (more like forced 💀) to chain the exploit to escape the Chrome Renderer Sandbox, achieving EoP from Untrusted Integrity Level to SYSTEM.

Easy, right? 🤡

Note: CVE-2024-30088 came out before 24H2, so I analyzed it using a 23H2 Windows VM instead

Solo: A Pixel 6 Pro Story (When one bug is all you need)

Thu, 05 Jun 2025 00:00:00 +0000

During my internship I was tasked to analyze a Mali GPU exploit on Pixel 7/8 devices and adapt it to make it work on another device: the Pixel 6 Pro.

While the exploit process itself is relatively straightforward to reproduce (in theory we just need to find the correct symbol offsets and signatures for our target device), what’s interesting about Pixel 6 Pro is that it uses a different Mali GPU from the Pixel 7/8, which lacked support for a feature that one of the two vulnerabilities within the exploit relied on:

Gone in 5 Seconds: How WARN_ON Stole 10 Minutes

Fri, 30 May 2025 00:00:00 +0000

As part of my internship at STAR Labs, I was tasked to conduct N-day analysis of CVE-2023-6241. The original PoC can be found here, along with the accompanying write-up.

In this blog post, I will explain the root cause as well as an alternative exploitation technique used to exploit the page UAF, achieving arbitrary kernel code execution.

The following exploit was tested on a Pixel 8 running the latest version available prior to the patch.

Badge & Lanyard Challenges @ OBO 2025

Wed, 28 May 2025 00:00:00 +0000

Introduction

We are back with Round 2 of the Off-By-One conference — where bits meet breadboards and bugs are celebrated! 🐛⚡

If you are into hardware and IoT security, you’ll know one thing’s for sure: the STAR Labs SG badge is not your average conference bling bling. This year’s badge isn’t just a collector’s item — it’s a playground for the curious, packed with new challenges inspired by months’s worth of research and hackery. And yes, the CTF is back, with even more nerdy goodness.

Lessons From Pwn2Own Berlin 2025: Building a Hypervisor Escape

Tue, 20 May 2025 00:00:00 +0000

At Pwn2Own Berlin 2025, STAR Labs took home Master of Pwn for a chain that escaped a major hypervisor from inside a guest VM. This is the short version of how we got there. Longer write-up to follow after all patches are deployed.

Target selection

We started with three candidate attack surfaces: the device-emulation path, the virtio back-ends, and the nested-virtualization code path. We picked device emulation because it sees the most attacker-controlled input per unit of code, and because prior research suggested the maintainers had been less aggressive about fuzzing it than the core dispatcher.

Breaking Out of Restricted Mode: XSS to RCE in Visual Studio Code

Wed, 14 May 2025 00:00:00 +0000

In April 2024, I discovered a high-severity vulnerability in Visual Studio Code (VS Code <= 1.89.1) that allows attackers to escalate a Cross-Site Scripting (XSS) bug into full Remote Code Execution (RCE)—even in Restricted Mode.

The desktop version of Visual Studio Code runs on Electron. Renderer processes are sandboxed and communicate with the main process through Electron’s IPC mechanism.

An XSS vulnerability in the newly-introduced minimal error rendering mode for Jupyter notebooks enables arbitrary JavaScript code to be executed within the vscode-app WebView for the notebook renderer. The vulnerability can be triggered by opening a crafted .ipynb file if the user has the setting enabled, or by opening a folder containing a crafted settings.json file in VS Code and opening a malicious ipynb file within the folder. This vulnerability can be triggered even when Restricted Mode is enabled (which is the default for workspaces that have not been explicitly trusted by the user).

CimFS: Crashing in memory, Finding SYSTEM (Kernel Edition)

Tue, 25 Mar 2025 00:00:00 +0000

Introduction

Many vulnerability writeups nowadays focus on the exploitation process when it comes to software bugs. The term “Exploit Developer” is also still used synonymously with Vulnerability Research, presumably coming from the early 2000s where bugs were easily discoverable and the community was just beginning to explore the art of exploitation. However nowadays with SDL and continuous fuzzing, the discovery of unknown vulnerabilities in crucial systems is getting more important, arguably more than the exploitation process. In order to encourage more writing on the aspect of Vulnerability Discovery, we are releasing this blogpost discussing the journey of finding and exploiting a kernel 0day in Windows 11 for Local Privilege Escalation.

STAR Labs Windows Exploitation Challenge 2025 Writeup

Mon, 17 Mar 2025 00:00:00 +0000

STAR Labs Windows Exploitation Challenge Writeup

Over the past few months, the STAR Labs team has been hosting a Windows exploitation challenge. I was lucky enough to solve it and got myself a ticket to Off-By-One conference. Here is my writeup for the challenge!

Analyzing the binary

We are given a Windows kernel driver. Basic analysis shows that it is used to receive and save messages sent from usermode.

Important structures

There are two key structures used in this driver: handle and message entry. Message entry is the storage unit that saves our message from usermode, its structure is described below:

Mali-cious Intent: Exploiting GPU Vulnerabilities (CVE-2022-22706 / CVE-2021-39793)

Sun, 02 Feb 2025 00:00:00 +0000

Imagine downloading a game from a third-party app store. You grant it seemingly innocuous permissions, but hidden within the app is a malicious exploit that allows attackers to steal your photos, eavesdrop on your conversations, or even take complete control of your device. This is the kind of threat posed by vulnerabilities like CVE-2022-22706 and CVE-2021-39793, which we’ll be dissecting in this post. These vulnerabilities affect Mali GPUs, commonly found in many Android devices, and allow unprivileged apps to gain root access.

CVE-2024-26230: Windows Telephony Service - It's Got Some Call-ing Issues (Elevation of Privilege)

Fri, 24 Jan 2025 00:00:00 +0000

Executive Summary

CVE-2024-26230 is a critical vulnerability found in the Windows Telephony Service (TapiSrv), which can lead to an elevation of privilege on affected systems. The exploit leverages a use-after-free in FreeDialogInstance. By manipulating the registry, an attacker controls memory allocation to create a fake object, triggering the UAF in TUISPIDLLCallback to gain code execution. This is further chained with techniques to bypass mitigations like CFG and ultimately load a malicious DLL, escalating privileges to SYSTEM via PrintSpoofer. In this blog post, we will take an in-depth look at how this vulnerability works, how it can be exploited, and the mitigation strategies that can help defend against it.

Celebrating 7 Years of STAR Labs SG

Sun, 12 Jan 2025 00:00:00 +0000

🎉🎊 Cheers to 7 Amazing Years! 🎊🎉

On 8th January 2018, STAR Labs SG Pte. Ltd. was born with a simple but bold idea: to do fun offensive research that protects customers. Seven years later, that spark of curiosity and innovation has grown into something extraordinary. 🚀

Our Humble Beginnings 🛠️

It all started when STAR Labs had a small, passionate group of researchers: Shi Ji, Wei Lei, Phạm Hồng Phi, Phan Thanh Duy, and Tạ Đình Sung. These pioneers didn’t just lay the foundation. They inspired others to join this wild roller coaster ride.

STAR Labs 2025 New Year Exploitation Challenge

Wed, 01 Jan 2025 00:00:00 +0000

Think you’ve got what it takes to pop shells and snag your ticket to… RE//verse and Off-By-One? 😏

🔥 Windows Exploitation Challenge 🔥

Get SYSTEM privileges by exploiting a bug in the downloadable driver below. (pwn it!)
Keep the OS alive and happy — no BSODs, no excuses!
Your exploit must work on Windows 11 24H2.
Submit your winning solutions(exploit source code and writeup) to info@starlabs.sg.
If you think you’ve figured out the bug but can’t exploit it in time, feel free to send us a writeup too describing how you would exploit it!

🏆 Prizes up for grabs!
🥇 First to submit a working exploit wins a conference ticket to RE//verse!
🥈 Second to submit bags a conference ticket to Off-By-One!

All I Want for Christmas is a CVE-2024-30085 Exploit

Tue, 24 Dec 2024 00:00:00 +0000

TLDR

CVE-2024-30085 is a heap-based buffer overflow vulnerability affecting the Windows Cloud Files Mini Filter Driver cldflt.sys. By crafting a custom reparse point, it is possible to trigger the buffer overflow to corrupt an adjacent _WNF_STATE_DATA object. The corrupted _WNF_STATE_DATA object can be used to leak a kernel pointer from an ALPC handle table object. A second buffer overflow is then used to corrupt another _WNF_STATE_DATA object, which is then used to corrupt an adjacent PipeAttribute object. By forging a PipeAttribute object in userspace, we are able to leak the token address and override privileges to escalate privileges to NT AUTHORITY\SYSTEM.

Behind the Scenes: Understanding CVE-2022-24547

Tue, 24 Dec 2024 00:00:00 +0000

TL;dr

Vulnerabilities can often be found in places we don’t expect, and CVE-2022-24547 in CastSrv.exe is one of the examples. CVE-2022-24547 is a privilege escalation vulnerability in CastSrv.exe, allowing attackers to bypass security and gain elevated privileges. We’ll break down how the bug works, its exploitation, and how to protect against it.

Summary


Vendor	Microsoft
Security Impact	Elevation of Privilege
CVE ID	CVE-2022-24547

CVSS3.1 Scoring System:

Base Score: 7.8 Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

#BadgeLife @ Off-By-One Conference 2024

Mon, 22 Jul 2024 00:00:00 +0000

Introduction

As promised, we are releasing the firmware and this post for the Off-By-One badge about one month after the event, allowing interested participants the opportunity to explore it. If you’re interested in learning more about the badge design process, please let us know. We were thrilled to introduce the Octopus Badge at the first-ever Off-By-One Conference 2024. The badge was a one of the highlight at the conference, as it included hardware-focused CTF challenges. In this post, we will explore the ideation and design process of the badge and discuss the concepts needed to solve the challenges.

Send()-ing Myself Belated Christmas Gifts - GitHub.com's Environment Variables & GHES Shell

Mon, 06 May 2024 00:00:00 +0000

Earlier this year, in mid-January, you might have come across this security announcement by GitHub.

In this article, I will unveil the shocking story of how I discovered CVE-2024-0200, a deceptively simple, one-liner vulnerability which I initially assessed to likely be of low impact, and how I turned it into one of the most impactful bugs in GitHub’s bug bounty history.

Spoiler: The vulnerability enabled disclosure of all environment variables of a production container on GitHub.com, including numerous access keys and secrets. Additionally, this vulnerability can be further escalated to achieve remote code execution (RCE) on GitHub Enterprise Servers (GHES), but not on GitHub.com. More on this later.

Send()-ing Myself Belated Christmas Gifts: GitHub.com's Environment Variables & GHES Shell

Mon, 15 Apr 2024 00:00:00 +0000

Short version: while poking at GitHub Enterprise Server (GHES) for an unrelated reason the day after Christmas, I noticed an unvalidated Kernel#send() call in the organization repository settings component. I expected it to be mildly useful, at most leaking file paths or affecting my own organisation. Production GitHub.com proved otherwise.

The primitive

The component in app/components/organizations/settings/repository_items_component.rb forwards a user-controlled rid_key parameter directly to send() on the repository dependency object. Ruby’s Kernel#send dispatches the argument as a method name, which (with the right object graph) gives you a read primitive over arbitrary methods of the target object.

Route to Safety: Navigating Router Pitfalls

Mon, 18 Mar 2024 00:00:00 +0000

Introduction

Wi-Fi routers have always been an attractive target for attackers. When taken over, an attacker may gain access to a victim’s internal network or sensitive data. Additionally, there has been an ongoing trend of attackers continually incorporating new router exploits into their arsenal for use in botnets, such as the Mirai Botnet.

Consumer grade devices are especially attractive to attackers, due to many security flaws in them. Devices with lower security often contain multiple bugs that attackers can exploit easily, rendering them vulnerable targets. On the other hand, there are more secure devices that offer valuable insights and lessons to learn from.

Exploitation of a kernel pool overflow from a restrictive chunk size (CVE-2021-31969)

Fri, 24 Nov 2023 00:00:00 +0000

Introduction

The prevalence of memory corruption bugs persists, posing a persistent challenge for exploitation. This increased difficulty arises from advancements in defensive mechanisms and the escalating complexity of software systems. While a basic proof of concept often suffices for bug patching, the development of a functional exploit capable of bypassing existing countermeasures provides valuable insights into the capabilities of advanced threat actors. This holds particularly true for the scrutinized driver, cldflt.sys, which has consistently received patches every Patch Tuesday since June. Notably, it has become a focal point for threat actors, following the exploits on clfs.sys and afd.sys drivers. In this article, we aim to highlight the significance of cldflt.sys and advocate for increased research into this driver and its associated components.

Analysis of NodeBB Account Takeover Vulnerability (CVE-2022-46164)

Fri, 29 Sep 2023 00:00:00 +0000

Back in January 2023, I tasked one of our web security interns, River Koh (@oceankex), to perform n-day analysis of CVE-2022-46164 as part of his internship with STAR Labs. The overall goal is to perform an objective assessment of the vulnerability based on the facts gathered. In addition, I challenged him to reproduce the vulnerability without referencing any other materials besides the textual contents of the official advisory by NodeBB.

About CVE-2022-46164

CVE-2022-46164 affects NodeBB, an open-source community forum platform built on Node.js with the addition of either a Redis, MongoDB, or PostgreSQL database. One of the features of the platform is the utilization of the Socket.IO for instant interactions and real-time notifications.

[P2O Vancouver 2023] SharePoint Pre-Auth RCE chain (CVE-2023–29357 & CVE-2023–24955)

Mon, 25 Sep 2023 00:00:00 +0000

Brief

I may have achieved successful exploitation of a SharePoint target during Pwn2Own Vancouver 2023. While the live demonstration lasted only approximately 30 seconds, it is noteworthy that the process of discovering and crafting the exploit chain consumed nearly a year of meticulous effort and research to complete the full exploit chain.

This exploit chain leverages two vulnerabilities to achieve pre-auth remote code execution (RCE) on the SharePoint server:

Authentication Bypass – An unauthenticated attacker can impersonate as any SharePoint user by spoofing valid JSON Web Tokens (JWTs), using the none signing algorithm to subvert signature validation checks when verifying JWT tokens used for OAuth authentication. This vulnerability has been found right after I started this project for two days.
Code Injection – A SharePoint user with Sharepoint Owners permission can inject arbitrary code by replacing /BusinessDataMetadataCatalog/BDCMetadata.bdcm file in the web root directory to cause compilation of the injected code into an assembly that is subsequently executed by SharePoint. This vulnerability was found on Feb 2022.

The specific part of the Authentication Bypass vuln is: it can access to SharePoint API only. So, the most difficult part is to find the post-auth RCE chain that using SP API.

nftables Adventures: Bug Hunting and N-day Exploitation (CVE-2023-31248)

Mon, 25 Sep 2023 00:00:00 +0000

During my internship, I have been researching and trying to find bugs within the nftables subsystem. In this blog post, I will talk about a bug I have found, as well as the exploitation of an n-day discovered by Mingi Cho – CVE-2023-31248.

Introduction to nftables

nftables is a modern packet filtering framework that aims to replace the legacy {ip,ip6,arp,eb}_tables (xtables) infrastructure. It reuses the existing netfilter hooks, which act as entry points for handlers that perform various operations on packets. Nftables table objects contain a list of chain objects, which contain a list of rule objects, which finally contain expressions, which perform the operations of the pseudo-state machine.

Under The Hood - Disassembling of IKEA-Sonos Symfonisk Speaker Lamp

Tue, 01 Aug 2023 00:00:00 +0000

We are excited to embark on a series of teardowns to explore the inner workings of various devices. In this particular teardown, our focus will be on the 1st-Generation of IKEA-SONOS SYMFONISK Speaker Lamp, unraveling its captivating inner workings.

Please note that due to prior testing, certain screws, wires, and components have been temporarily removed from the appliance and may not be present during this analysis. However, for the purpose of this exercise, we have meticulously reassembled the SYMFONISK to its approximate original state.

A new method for container escape using file-based DirtyCred

Tue, 25 Jul 2023 00:00:00 +0000

Recently, I was trying out various exploitation techniques against a Linux kernel vulnerability, CVE-2022-3910. After successfully writing an exploit which made use of DirtyCred to gain local privilege escalation, my mentor Billy asked me if it was possible to tweak my code to facilitate a container escape by overwriting /proc/sys/kernel/modprobe instead.

The answer was more complicated than expected; this led me down a long and dark rabbit hole…

In this post, I will discuss the root cause of the vulnerability, as well as the various methods I used to exploit it.

prctl anon_vma_name: An Amusing Linux Kernel Heap Spray

Tue, 25 Jul 2023 00:00:00 +0000

TLDR

prctl PR_SET_VMA (PR_SET_VMA_ANON_NAME) can be used as a (possibly new!) heap spray method targeting the kmalloc-8 to kmalloc-96 caches. The sprayed object, anon_vma_name, is dynamically sized, and can range from larger than 4 bytes to a maximum of 84 bytes. The object can be easily allocated and freed via the prctl syscall, and leaked information can be obtained via reading the proc/pid/maps file. The advantage of this method is that it does not require a cross-cache attack from cg/other caches (unlike other objects such as msg_msg) as anon_vma_name is allocated with the GFP_KERNEL flag.

Breaking the Code - Exploiting and Examining CVE-2023-1829 in cls_tcindex Classifier Vulnerability

Mon, 19 Jun 2023 00:00:00 +0000

Background

The discovery and analysis of vulnerabilities is a critical aspect of cybersecurity research. Today, we will dive into CVE-2023-1829, a vulnerability in the cls_tcindex network traffic classifier found by Valis. We will explore the process of exploiting and examining this vulnerability, shedding light on the intricate details and potential consequences. We have thoroughly tested our exploit on Ubuntu 22.04 with kernel version 5.15.0-25, which was built from the official 5.15.0-25.25 source code.

The Old, The New and The Bypass - One-click/Open-redirect to own Samsung S22 at Pwn2Own 2022

Wed, 14 Jun 2023 00:00:00 +0000

TLDR;

We began our work on Samsung immediately after the release of the Pwn2Own Toronto 2022 target list.

In this article, we will dive into the details of an open-redirect vulnerability discovered during the Pwn2Own 2022 event and how we exploited it on a Samsung S22 device. By breaking down the technical aspects and using code snippets, we aim to provide a comprehensive overview of this critical security flaw.

To begin, I revisited our team’s paper (written by Li Jiantao and Nguyễn Hoàng Thạch) from previous year, where two bugs were identified. One of these bugs was exploited in P2O, while the other was promptly addressed. Interestingly, detailed documentation on one of these bugs is available here, allowing readers to gain a better understanding of this specific vulnerability.

Microsoft Exchange Powershell Remoting Deserialization leading to RCE (CVE-2023-21707)

Fri, 28 Apr 2023 00:00:00 +0000

Introduction

While analyzing CVE-2022-41082, also known as ProxyNotShell, we discovered this vulnerability which we have detailed in this blog. However, for a comprehensive understanding, we highly recommend reading the thorough analysis written by team ZDI.

To aid in understanding, we present a visual representation of CVE-2022-41082 below.

The sink of ProxyNotShell:

//System.Management.Automation.InternalDeserializer.ReadOneObject()
internal object ReadOneObject(out string streamName)
{
    //...
    Type targetTypeForDeserialization = psobject.GetTargetTypeForDeserialization(this._typeTable); //[1]
    if (null != targetTypeForDeserialization)
    {
        Exception ex = null;
        try
        {
            object obj2 = LanguagePrimitives.ConvertTo(obj, targetTypeForDeserialization, true, CultureInfo.InvariantCulture, this._typeTable); //[2]
        }
    //...
}

At [2], if targetTypeForDeserialization != null, it will continue to call LanguagePrimitives.ConvertTo() to convert the original obj to the Type specified by targetTypeForDeserialization.

CS-Cart PDF Plugin Unauthenticated Command Injection

Fri, 03 Mar 2023 00:00:00 +0000

Summary

A command injection vulnerability exists in CS-Cart’s HTML to PDF converter (https://github.com/cscart/pdf) allowing unauthenticated attackers to achieve remote command execution (RCE). The vulnerability only affects the HTML to PDF converter service and the default hosted service at converter.cart-services.com (maintained by CS-Cart’s development team) used by the PDF converter plugin, and does not allow for RCE against base installations of CS-Cart.

Product Background

In CS-Cart v4.13.2, the HTML to PDF converter is an optional plugin (disabled by default) for printing PDF documents in CS-Cart. However, the plugin is built-in and enabled by default in CS-Cart v4.13.1 or below.

Microsoft Azure Account Takeover via DOM-based XSS in Cosmos DB Explorer

Fri, 24 Feb 2023 00:00:00 +0000

Upon finding the vulnerability, our team member, Ngo Wei Lin (@Creastery), immediately reported it to the Microsoft Security Response Center (MSRC) on 19th March 2022, who fixed the important issue with a fix commited in the repo within seven days, which is impressive and a much faster response than other Microsoft bugs which we reported previously. The fix was pushed down to Azure Cosmos DB Explorer on 31st March 2022.

About the DOM XSS Vulnerability

The Azure Cosmos DB Explorer incorrectly accepts and processs cross-origin messages from certain domains. A remote attacker can take over a victim Azure user’s account by delivering a DOM-based XSS payload via a cross-origin message.

STAR LABS SG PTE. LTD. has been authorized by the CVE Program as a CVE Numbering Authority (CNA)

Wed, 22 Feb 2023 00:00:00 +0000

STAR LABS SG PTE. LTD. (STAR Labs) announced today that it has become a CVE Numbering Authority (CNA) for the Common Vulnerabilities and Exposures (CVE®) system, a global cybersecurity community.

As a CNA, STAR LABS is authorized to assign CVE Identifiers（CVE IDs）to newly discovered vulnerabilities and publicly disclose information about these vulnerabilities through CVE Records. Identifying vulnerabilities with CVE IDs can speed up the awareness and understanding of those vulnerabilities, enabling security researchers and system managers to expedite solutions. Going forward, as a CNA, STAR LABS will practice responsible and timely disclosure when publishing CVE Records for vulnerabilities we discover, enhancing coverage and cyber security for the industry.

Gotta KEP-tcha 'Em All - Bypassing Anti-Debugging methods in KEPServerEX

Fri, 17 Feb 2023 00:00:00 +0000

Background

Lately, my focus has been on discovering any potential vulnerabilities in KEPServerEX. KEPServerEX is the industry’s leading connectivity platform that provides a single source of industrial automation data to all your applications. Users can connect, manage, monitor, and control diverse automation devices and software applications through one intuitive user interface.

This software employs multiple anti-debugging measures, making it challenging to discover any vulnerabilities and performing fuzzing on it. In this regard, I would like to share my perspective on the issue and my strategy for circumventing these measures.

Dissecting the Vulnerabilities - A Comprehensive Teardown of acmailer's N-Days

Thu, 16 Feb 2023 00:00:00 +0000

Introduction

In this post, one of our recent intern, Wang Hengyue (@w_hy_04) was given the task to analyse CVE-2021-20617 & CVE-2021-20618 in acmailer since there isn’t any public information on it. Today, we’ll be sharing his journey in dissecting the vulnerabilities in acmailer. Both vulnerabilities were originally found by ma.la

acmailer is a Perl-based email delivery application that provides functionality centered around sending mass emails, with associated functions such as registration and unregistration forms, surveys, and email templating.

Deconstructing and Exploiting CVE-2020-6418

Wed, 21 Dec 2022 00:00:00 +0000

As part of my internship at STAR Labs, I conducted n-day analysis of CVE-2020-6418. This vulnerability lies in the V8 engine of Google Chrome, namely its optimizing compiler Turbofan. Specifically, the vulnerable version is in Google Chrome’s V8 prior to 80.0.3987.122. In this article, I will give a step-by-step analysis of the vulnerability, from the root cause to exploitation.

Background

In JavaScript, objects do not have a fixed type. Instead, V8 assigns each object a Map that reflects its type. This Map is considered reliable if it is guaranteed to be correct at that specific point in time, and it is unreliable if it could have been modified by another node beforehand. If the Map is unreliable, the object must be checked to have the correct type before it is used. This is done by insertion of CheckMaps nodes or CodeDependencies. When trying to optimise, Turbofan aims to insert as few Map checks as possible, and tries to do so only when necessary (i.e when the Map is unreliable and is going to be accessed).

The Last Breath of Our Netgear RAX30 Bugs - A Tragic Tale before Pwn2Own Toronto 2022

Tue, 06 Dec 2022 00:00:00 +0000

Background

Some time ago, we were playing with some Netgear routers and we learned so much from this target.

However, Netgear recently patched several vulnerabilities in their RAX30 router firmware, including the two vulnerabilities in the DHCP interface for the LAN side and one remote code execution vulnerability on the WAN side which we prepared for Pwn2Own Toronto 2022. This blog post focuses on the vulnerabilities found in version 1.0.7.78You can download the firmware from this link, and easily extract the firmware by using binwalk. All vulnerabilities were found and tested in version 1.0.7.78 of Netgear RAX30. Versions 1.0.7.78 and earlier are known to be susceptible as well.

TheHole New World - how a small leak will sink a great browser (CVE-2021-38003)

Tue, 06 Dec 2022 00:00:00 +0000

Introduction

CVE-2021-38003 is a vulnerability that exists in the V8 Javascript engine. The vulnerability affects the Chrome browser before stable version 95.0.4638.69, and was disclosed in October 2021 in google’s chrome release blog, while the bug report was made public in February 2022.

The vulnerability will cause a special value in V8 called TheHole being leaked to the script. This can lead to a renderer RCE in a Chromium-based browser, and has been used in the wild.

Multiple Vulnerabilities in Proxmox VE & Proxmox Mail Gateway

Fri, 02 Dec 2022 00:00:00 +0000

Background

Proxmox Virtual Environment (Proxmox VE or PVE) is an open-source type-1 hypervisor. It includes a web-based management interface programmed in Perl. Another Proxmox product written in Perl, Proxmox Mail Gateway (PMG), comes with a similar web management interface. They share some of the codebases.

In this article, I will introduce how to debug PVE’s web service step-by-step and analyse three bugs I have found in PVE and PMG.

[UPDATE] This is a quick and minor update to this blog post. MITRE email back to us on 9th December 2022 assigned CVE-2022-35507 & CVE-2022-35508 for the remaining 2 bugs

Microsoft SharePoint Server Post-Authentication Server-Side Request Forgery vulnerability

Tue, 25 Oct 2022 00:00:00 +0000

Overview

Disclaimer: No anime characters or animals were harmed during the research. The bug had been fixed but it did not meet that criterion required to get CVE.

Recently, we have found a Server-Side Request Forgery (SSRF) in Microsoft SharePoint Server 2019 which allows remote authenticated users to send HTTP(S) requests to arbitrary URL and read the responses. The endpoint <site>/_api/web/ExecuteRemoteLOB is vulnerable to Server-Side Request Forgery (SSRF). The HTTP(S) request is highly customizable in request method, path, headers and bodies. An attacker with the ability to perform SSRF attacks can scan the internal network, check for the existence of services on the host’s local network and potentially exploit other web services.

Apple CoreText - An Unexpected Journey to Learn about Failure

Thu, 29 Sep 2022 00:00:00 +0000

Late last year, I have focused my research on the CoreText framework for 2-3 months. In particular, the code related to the text shaping engine and the code responsible for parsing the AAT tables.

During this research, I found an OOB (Out-Of-Bounds) Write in the morx table. This series of writeups is to document my whole process, from selecting this attack surface to finding the bug to writing an exploit for it in Safari. I hope this is helpful for anyone interested in starting researching in this area or who wants to help finish the exploit on Safari (because it’s not done yet) :D

Step-by-Step Walkthrough of CVE-2022-32792 - WebKit B3ReduceStrength Out-of-Bounds Write

Thu, 08 Sep 2022 00:00:00 +0000

Recently, ZDI released the advisory for a Safari out-of-bounds write vulnerability exploited by Manfred Paul (@_manfp) in Pwn2Own. We decided to take a look at the patch and try to exploit it.

The patch is rather simple: it creates a new function (IntRange::sExt) that is used to decide the integer range after applying a sign extension operation (in rangeFor). Before this patch, the program assumes that the range stays the same after applying sign extension. This is incorrect and can result in wrongly removing an overflow/underflow check.

Exploiting WebKit JSPropertyNameEnumerator Out-of-Bounds Read (CVE-2021-1789)

Fri, 19 Aug 2022 00:00:00 +0000

Initially, our team member, Đỗ Minh Tuấn, wanted to write about the RCA (Root Cause Analysis) of CVE-2021-1870 which APT used. But Maddie Stone pointed it to us that it was actually CVE-2021-1789. None-the-less, we would still want to share with everyone the analysis done by Đỗ Minh Tuấn.

The bug is assigned CVE-2021-1789 in security content of Safari 14.0.3. We successfully exploited it on WebKitGTK <= 2.30.5 or equivalent on WebKit.

JSPropertyNameEnumerator is an internal object that helps JSC handle for...in loop. JavaScriptCore (JSC) uses this object to cache information about the base object we put into the loop. JSC also allows iterating through the prototype chain of the base object, which means it can go through a proxy with a trap callback. However, JSC does not check the final size of the base object after iterating, leading to an out-of-bounds read.

Gitlab Project Import RCE Analysis (CVE-2022-2185)

Thu, 21 Jul 2022 00:00:00 +0000

At the beginning of this month, GitLab released a security patch for versions 14->15. Interestingly in the advisory, there was a mention of a post-auth RCE bug with CVSS 9.9.

The bug exists in GitLab’s Project Imports feature, which was found by @vakzz. Incidentally, when I rummaged in the author’s h1 profile. I discovered that four months ago, he also found a bug in the import project feature:

Initially, I thought it was tempting after seeing the bounty, so I started learning Rails and debugged this bug! (who would have thought that 30k wouldn’t be so easy ( ° ͜ʖ ͡°) )

io_uring - new code, new bugs, and a new exploit technique

Fri, 24 Jun 2022 00:00:00 +0000

For the past few weeks, I have been working on conducting N-day analysis and bug hunting in the io_uring subsystem of the Linux kernel with the guidance of my mentors, Billy and Ramdhan.

In this article, I will briefly discuss the io_uring subsystem, as well as my approach to discovering and developing a new kernel exploit technique during my N-day analysis of CVE-2021-41073. I will also discuss two bugs I found while analyzing a new io_uring feature.

Trying To Exploit A Windows Kernel Arbitrary Read Vulnerability

Tue, 07 Jun 2022 00:00:00 +0000

Introduction

I recently discovered a very interesting kernel vulnerability that allows the reading of arbitrary kernel-mode address. Sadly, the vulnerability was patched in Windows 21H2 (OS Build 22000.675), and I am unsure of the CVE being assigned to it. In this short blog post, I will share my journey of trying to exploit this vulnerability. Although I didn’t finish the exploit in the end, I have decided to share this with everyone anyway. This is also my attempt to find an answer based on this discussion.

New Wine in Old Bottle - Microsoft Sharepoint Post-Auth Deserialization RCE (CVE-2022-29108)

Thu, 12 May 2022 00:00:00 +0000

Introduction

Recently, I have had a some work which is related to Sharepoint, so I was learning on how to setup and debug old bugs of Sharepoint.

In February, there was a Deserialization bug CVE-2022-22005 (post-auth of course). There is already a detailed analysis blog post about that written by a Vietnamese guy (here). The blog is written with great enthusiasm and detail. I also rely on the details in that blog to setup and debug. And because the bug written in this article will be related to it, I recommend you read through the article above once to easily understand this article!

The Cat Escaped from the Chrome Sandbox

Fri, 21 Jan 2022 00:00:00 +0000

Introduction

On 13th September 2021, Google published the security advisory for Google Chrome. That advisory states that Google is aware of two vulnerabilities exploited in the wild, CVE-2021-30632 as RCE and CVE-2021-30633 as Sandbox Escape.

In this post, I will talk about the bypass sandbox vulnerability CVE-2021-30633. Man Yue Mo had published a very detailed blog post explaining CVE-2021-30632, which is a Type Confusion bug that leads to RCE in Chrome.

In summary, the sandbox bypass is made possible because of a Use-After-Free (UAF) bug in the IndexedDB API, chained with a Out-of-Bounds (OOB) Write bug in V8, and triggered via Mojo IPC connection. As a disclaimer, this is not a bug that I had found. I made this post to help me organise my thoughts to understand the bug and the exploit. I will carry out a root cause analysis of the Sandbox Escape and discuss my observation and understanding of the full-chain exploit.

Diving into Open-source LMS Codebases

Tue, 16 Nov 2021 00:00:00 +0000

Introduction

Looking to practice on source code review, I had been diving into how open-source LMS codebases are structured in order to find undiscovered vulnerabilities. Initially, my main focus had been on Chamilo LMS (their source code can be found on GitHub). Afterwards, I looked into Moodle LMS (their source code can also be found on GitHub).

The majority of the findings that were found are the ones you would think of when you hear the words “common web application vulnerabilities”, such as:

Analysis of CVE-2021-1758 (CoreText Out-Of-Bounds Read)

Tue, 14 Sep 2021 00:00:00 +0000

References:

STARLabs Advisory STAR-21-1758

In February, Peter found a OOB read vulnerability in libFontParser.dylib. The latest tested version with the vulnerability is macOS Catalina 10.15.4 (19E287).

I wrote a guide earlier on setting up a testing environment.

Mac Resource Fork Font File

References:

It turns out that macOS can load something called a Mac Resource Fork font file. Looks like a legacy thing.

Identifying Bugs in Router Firmware at Scale with Taint Analysis

Wed, 04 Aug 2021 00:00:00 +0000

In the past few months, Akash and I (@daniellimws) worked on developing a taint analysis tool to find bugs in routers, with the guidance of Shi Ji (@puzzor) and Thach (@d4rkn3ss). We had developed a tool based on CVE-2019-8312 to CVE-2019-8319, which are command injection vulnerabilities on the D-Link DIR-878 router with firmware version 1.12A1. The goal was to automate the detection of such bugs. Ideally, the tool should be faster than finding the bugs manually.

Simple Vulnerability Regression Monitoring with V8Harvest

Fri, 25 Jun 2021 00:00:00 +0000

Introduction

During my research into Javascript Engine (V8), I have created a small tool to help you view recent V8 bugs that contains regression test on a single page. Since most of the time, regression test often contains PoC to trigger the bug, it’s pretty useful to analyze them to find the root cause and writing exploit for the n-day bug.

For example, regress-1053604.js contains the PoC to trigger the side-effect in kJSCreate opcode (CVE-2020-6418).

You Talking To Me?

Mon, 12 Apr 2021 00:00:00 +0000

What is WebDriver and How does it work?

WebDriver is a protocol used for web browser automation. It can drive a browser to perform various tests on web pages as if a real user was navigating through them. It allows simulating user actions such as clicking links, entering text and submitting forms, which can help test if your website is working as intended. It is usually used for front-end testing and web crawling in a headless environment. WebDriver clients (such as Selenium WebDriver) interact with WebDriver servers (e.g. chromedriver, geckodriver) to launch and control browsers. In Capture-the-Flag (CTF) competitions, WebDriver clients are often used to play the role of a victim user (aka. XSS bot) and simulate user interactions to trigger player-supplied XSS payload.

Chrome 1-Day Hunting - Uncovering and Exploiting CVE-2020-15999

Sat, 09 Jan 2021 00:00:00 +0000

Introduction

This blog post details the exploitation process for the vulnerability CVE 2020-15999 in Google Chrome 86.0.4222.0 on Linux. While CVE 2020-15999 is a heap-based buffer overflow in the font-loading library Freetype rather than Chrome proper, its extensive use in the latter enables us to achieve code execution in the browser’s renderer. This post will not be focused on the analysis of the bug, but rather its exploitation, as extensive explanation and analysis can be found here. In essence, Truetype font files that contain bitmaps (i.e. raster images) store them in the sbix table of the font. When Freetype loads an embedded PNG image in the sbix table with dimensions exceeding the int16 limit, an integer overflow to buffer overflow (IO2BO) occurs. A PoC to achieve code execution in the renderer and pop calculator can be found in the last section of this post.

Instrumenting Adobe Reader with Frida

Fri, 13 Nov 2020 00:00:00 +0000

Frida is an open-source dynamic instrumentation toolkit that has become popular in recent years, and its use in mobile security is especially prevalent.

In this post, I would like to provide a general introduction to the tool and show some examples of how it can also be used on the Windows platform.

Analysis & Exploitation of a Recent TP-Link Archer A7 Vulnerability

Fri, 16 Oct 2020 00:00:00 +0000

This post provides detailed analysis and an exploit achieving remote code execution for CVE-2020-10882, which was used at Pwn2Own 2019, on the TP-Link Archer C7:

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link Archer A7 AC1750 routers. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the tdpServer service, which listens on UDP port 20002 by default. When parsing the slave_mac parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the root user.

Pwn2Own 2020: Oracle VirtualBox Escape

Fri, 25 Sep 2020 00:00:00 +0000

In this post, we will cover the vulnerabilities used at Pwn2Own 2020 for the Oracle VirtualBox escape. These two vulnerabilities affect Oracle VirtualBox 6.1.4 and prior versions.

This Font is not Your Type

Fri, 04 Sep 2020 00:00:00 +0000

Half a year ago, I found a vulnerability in libFontParser.dylib, which is a part of CoreGraphics library that is widely used in macOS, iOS, iPadOS to parse and render fonts. This vulnerability was patched in iOS 13.5.1 & macOS 10.15.5. In this writeup, I will describe the bug in detail in hopes that it will help others to better understand this vulnerability. This issue could allow an attacker to execute code during the parsing of a malicious font.

ASUSWRT URL Processing Stack Buffer Overflow

Fri, 07 Aug 2020 00:00:00 +0000

While processing the URL for any blacklisted XSS list like the script tag in the check_xss_blacklist function, a stack buffer overflow is possible by extending the length of the URL when accessing the web interface of the ASUS Router. To exploit it, stack pivoting technique is used before chaining up ROP gadgets to call our own custom command. In this post, we show how this can be exploited to get a reverse shell.

Oracle VirtualBox VHWA Use-After-Free Privilege Escalation Vulnerability

Fri, 26 Jun 2020 00:00:00 +0000

As part of my month-long internship at STAR Labs, I was introduced to VirtualBox and learnt much about bug hunting and triaging, root-cause analysis and exploitation. This post will detail a use-after-free bug I found during the duration of the internship, and specifics on the VM escape exploit that I wrote utilising the bug. The latest version at the point of reporting was VirtualBox 6.1.2 r135662.

TianFu Cup 2019: Adobe Reader Exploitation

Fri, 10 Apr 2020 00:00:00 +0000

Last year, I participated in the TianFu Cup competition in Chengdu, China. The chosen target was the Adobe Reader. This post will detail a use-after-free bug of JSObject. My exploit is not clean and not an optimal solution. I have finished this exploit through lots of trial and error. It involves lots of heap shaping code which I no longer remember exactly why they are there. I would highly suggest that you read the full exploit code and do the debugging yourself if necessary. This blog post was written based on a Windows 10 host with Adobe Reader.

Adventures in Hypervisor: Oracle VirtualBox Research

Fri, 03 Apr 2020 00:00:00 +0000

I have been into the vulnerability research field for a while now, and VirtualBox is my very first target. I have learned a lot along the way and I hope that anyone who are interested in escaping hypervisors can find something useful from these notes. I assume that you have some basic knowledge on memory corruption, hypervisor architecture and device I/O.