All I Want for Christmas is a CVE-2024-30085 Exploit

TLDR CVE-2024-30085 is a heap-based buffer overflow vulnerability affecting the Windows Cloud Files Mini Filter Driver cldflt.sys. By crafting a custom reparse point, it is possible to trigger the buffer overflow to corrupt an adjacent _WNF_STATE_DATA object. The corrupted _WNF_STATE_DATA object can be used to leak a kernel pointer from an ALPC handle table object. A second buffer overflow is then used to corrupt another _WNF_STATE_DATA object, which is then used to corrupt an adjacent PipeAttribute object....

December 24, 2024 · 21 min · Cherie-Anne Lee

Behind the Scenes: Understanding CVE-2022-24547

TL;dr Vulnerabilities can often be found in places we don’t expect, and CVE-2022-24547 in CastSrv.exe is one of the examples. CVE-2022-24547 is a privilege escalation vulnerability in CastSrv.exe, allowing attackers to bypass security and gain elevated privileges. We’ll break down how the bug works, its exploitation, and how to protect against it. Summary: Vendor: Microsoft; Security Impact: Elevation of Privilege; CVE ID: CVE-2022-24547; CVSS3....

December 24, 2024 · 5 min · Đào Tuấn Linh

#BadgeLife @ Off-By-One Conference 2024

Introduction As promised, we are releasing the firmware and this post for the Off-By-One badge about one month after the event, allowing interested participants the opportunity to explore it. If you’re interested in learning more about the badge design process, please let us know. We were thrilled to introduce the Octopus Badge at the first-ever Off-By-One Conference 2024. The badge was one of the highlights of the conference, as it included hardware-focused CTF challenges....

July 22, 2024 · 13 min · Manzel Joseph Seet

Send()-ing Myself Belated Christmas Gifts - GitHub.com's Environment Variables & GHES Shell

Earlier this year, in mid-January, you might have come across this security announcement by GitHub. In this article, I will unveil the shocking story of how I discovered CVE-2024-0200, a deceptively simple, one-liner vulnerability which I initially assessed to likely be of low impact, and how I turned it into one of the most impactful bugs in GitHub’s bug bounty history. Spoiler: The vulnerability enabled disclosure of all environment variables of a production container on GitHub....

May 6, 2024 · 15 min · Ngo Wei Lin (@Creastery)

Route to Safety: Navigating Router Pitfalls

Introduction Wi-Fi routers have always been an attractive target for attackers. When taken over, an attacker may gain access to a victim’s internal network or sensitive data. Additionally, there has been an ongoing trend of attackers continually incorporating new router exploits into their arsenal for use in botnets, such as the Mirai botnet. Consumer-grade devices are especially attractive to attackers, due to the many security flaws in them. Devices with lower security often contain multiple bugs that attackers can exploit easily, rendering them vulnerable targets....

March 18, 2024 · 48 min · Daniel Lim Wee Soong (@daniellimws)

Exploitation of a kernel pool overflow from a restrictive chunk size (CVE-2021-31969)

Introduction Memory corruption bugs remain prevalent and continue to pose a challenge for exploitation. This increased difficulty arises from advancements in defensive mechanisms and the escalating complexity of software systems. While a basic proof of concept often suffices for bug patching, the development of a functional exploit capable of bypassing existing countermeasures provides valuable insights into the capabilities of advanced threat actors. This holds particularly true for the scrutinized driver, cldflt....

November 24, 2023 · 24 min · Chen Le Qi

Analysis of NodeBB Account Takeover Vulnerability (CVE-2022-46164)

Back in January 2023, I tasked one of our web security interns, River Koh (@oceankex), to perform n-day analysis of CVE-2022-46164 as part of his internship with STAR Labs. The overall goal is to perform an objective assessment of the vulnerability based on the facts gathered. In addition, I challenged him to reproduce the vulnerability without referencing any other materials besides the textual contents of the official advisory by NodeBB....

September 29, 2023 · 14 min · Ngo Wei Lin (@Creastery) & River Koh (@oceankex)