Identifying Bugs in Router Firmware at Scale with Taint Analysis

In the past few months, Akash (@enigmatrix) and I (@daniellimws) worked on developing a taint analysis tool to find bugs in routers, with the guidance of Shi Ji (@puzzor) and Thach (@d4rkn3ss). We had developed a tool based on CVE-2019-8312 to CVE-2019-8319, which are command injection vulnerabilities on the D-Link DIR-878 router with firmware version 1.12A1. The goal was to automate the detection of such bugs. Ideally, the tool should be faster than finding the bugs manually....

August 4, 2021 · 17 min · Daniel Lim Wee Soong (@daniellimws)

Simple Vulnerability Regression Monitoring with V8Harvest

Introduction During my research into the JavaScript engine (V8), I have created a small tool to help you view recent V8 bugs that contain regression tests on a single page. Since, most of the time, a regression test contains a PoC to trigger the bug, it’s pretty useful to analyze them to find the root cause and write an exploit for the n-day bug. For example, regress-1053604.js contains the PoC to trigger the side effect in the kJSCreate opcode (CVE-2020-6418)....

June 25, 2021 · 3 min · Đào Tuấn Linh (@Tuan_Linh_98)

You Talking To Me?

What is WebDriver and how does it work? WebDriver is a protocol used for web browser automation. It can drive a browser to perform various tests on web pages as if a real user were navigating through them. It allows simulating user actions such as clicking links, entering text and submitting forms, which can help test whether your website is working as intended. It is usually used for front-end testing and web crawling in a headless environment....

April 12, 2021 · 11 min · Li JianTao (@cursered)

Chrome 1-Day Hunting - Uncovering and Exploiting CVE-2020-15999

Introduction This blog post details the exploitation process for the vulnerability CVE-2020-15999 in Google Chrome 86.0.4222.0 on Linux. While CVE-2020-15999 is a heap-based buffer overflow in the font-loading library FreeType rather than Chrome proper, its extensive use in the latter enables us to achieve code execution in the browser’s renderer. This post will not be focused on the analysis of the bug, but rather on its exploitation, as extensive explanation and analysis can be found here....

January 9, 2021 · 17 min · Chai Yi Chen (@Hacker_Chai)

Instrumenting Adobe Reader with Frida

Frida is an open-source dynamic instrumentation toolkit that has become popular in recent years, and its use in mobile security is especially prevalent. In this post, I would like to provide a general introduction to the tool and show some examples of how it can also be used on the Windows platform. ...

November 13, 2020 · 10 min · Alan Chang (@tcode2k16)

Analysis & Exploitation of a Recent TP-Link Archer A7 Vulnerability

This post provides detailed analysis and an exploit achieving remote code execution for CVE-2020-10882, which was used at Pwn2Own 2019, on the TP-Link Archer C7: This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link Archer A7 AC1750 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the tdpServer service, which listens on UDP port 20002 by default. When parsing the slave_mac parameter, the process does not properly validate a user-supplied string before using it to execute a system call....

October 16, 2020 · 18 min · Lucas Tay (@c3xp1r)

Pwn2Own 2020: Oracle VirtualBox Escape

In this post, we will cover the vulnerabilities used at Pwn2Own 2020 for the Oracle VirtualBox escape. These two vulnerabilities affect Oracle VirtualBox 6.1.4 and prior versions. ...

September 25, 2020 · 9 min · Pham Hong Phi (@4nhdaden)