STAR Labs

Pickling the Mailbox: A Deep Dive into CVE-2025-20393

Thu, 05 Feb 2026 00:00:00 +0000

TL;DR In December 2025, Cisco published https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sma-attack-N9bf4 addressing CVE-2025-20393, a critical vulnerability (CVSS 10.0) affecting Cisco Secure Email Gateway and Secure Email and Web Manager. The advisory was notably sparse on technical details, describing only “Improper Input Validation” (CWE-20). We decided to dig deeper. Through reverse engineering and code analysis of AsyncOS 15.5.3, we uncovered the root cause: a single-byte integer overflow in the EUQ RPC protocol that bypasses authentication and chains into Python pickle deserialization — achieving unauthenticated remote code execution with a single HTTP request.

8th Anniversary: Embrace the new but don't forget the old

Thu, 08 Jan 2026 00:00:00 +0000

Eight years ago today, I started STAR Labs by hiring several fresh grads with no working experiences. Today, I stand here with a different group of faces. Some of you were there from the beginning. Some of you joined along the way. Some of you just started last month. And some of the people who were here… weren’t anymore. Not because they failed. Not because we failed them. But because life called them in different directions.

2025: WE BROKE THINGS, WE BUILT THINGS, WE BROKE EVEN MORE THINGS

Sat, 27 Dec 2025 00:00:00 +0000

Most will talk about the success in their year-end posts. Great. Nobody talks about the failures. Nobody talks about what ACTUALLY happened. Well, we are going to tell you about OUR STORY - the success AND the failures. The whole thing. Because that’s how we actually learn…from our own mistakes. So here it is, UNFILTERED. Buckle up. PWN2OWN 2025 BERLIN & IRELAND We could only bring one of our interns, Gerrard Tai, along with us to Pwn2Own.

HEX ADVENT 2025: Crack the Advent, Conquer the Threat 🐛

Tue, 18 Nov 2025 00:00:00 +0000

× HEX ADVENT 2025: Crack the Advent, Conquer the Threat 🐛 Last chance to register! Registration closing on 20 Dec 2025, 09:00 SGT! WELCOME TO HEX ADVENT 2025, ‘tis the season to Unwrap Your Potential! 🎁 HEX ADVENT 2025 is a Christmas-themed CTF Advent Calendar, designed for women, by women. What to Expect 12 Days, 12 Challenges: A structured schedule to build mastery across different CTF categories.

HEX ADVENT 2025: Rules & Information

Mon, 10 Nov 2025 00:00:00 +0000

Information This is a solo CTF event open to women residing in Singapore or Malaysia. To register and be eligible for the prizes: Register on CTFd, and select the “eligible” bracket. Confirm your eligibility by filling in the Google Form. The flag format is described by this regex: /^HEX{.*}$/ There are a total of 12 challenges. One challenge will be released each day at 09:00 SGT within the period of 1 December 2025 to 12 December 2025.

Pwn2Own Ireland 2025

Tue, 04 Nov 2025 00:00:00 +0000

Pwn2Own is a computer hacking contest held annually by Trend Micro’s Zero Day Initiative - ZDI. Contestants are challenged to exploit widely used software and mobile devices with previously unknown vulnerabilities. Winners of the contest receive the device that they exploited and a cash prize. The total prize for each contest is up to millions of dollars. The 2025 Autumn edition of Pwn2Own (Pwn2Own Ireland) was held from 21st October to 23rd October 2025 in a on-site format where participants are back to competing in-person.

Breaking Into a Brother (MFC-J1010DW): Three Security Flaws in a Seemingly Innocent Printer

Mon, 03 Nov 2025 00:00:00 +0000

The Target: Brother MFC-J1010DW Affected Models: Brother Printer MFC-J1010DW Vulnerable Firmware: Version <= 1.18 TL;DR: The Vulnerability Chain We discovered three vulnerabilities that when chained together, allow for complete remote compromise: Authentication Bypass via SNMP - Retrieve the printer’s serial number without authentication, allowing attackers to derive the default admin password Unauthenticated Firmware Rollback - Downgrade to vulnerable firmware versions over the network, no credentials required Buffer Overflow via Referer Header - Execute arbitrary code by crafting malicious HTTP headers The result?

Summer Pwnables: lz1 Solution

Mon, 15 Sep 2025 00:00:00 +0000

TL;DR 🚀 We’re turning a simple compression library into a shell delivery service! This writeup exploits a buffer overflow in lz1/lz77 decompression by crafting malicious compressed data that overflows the stack and chains ROP gadgets for code execution. Ever wondered how a simple file compression tool could hand you the keys to a system? Well, buckle up because we’re about to turn andyherbert’s innocent lz1 compressor into our personal shell delivery service!

Summer Pwnables: Temporal Paradox Engine Solution

Mon, 15 Sep 2025 00:00:00 +0000

Last month, Jacob asked me to create a CTF challenge for the Summer Pwnables event. I went with a kernel pwnable since my goal was to teach students some more advanced Linux kernel exploitation techniques - something that wouldn’t get solved in a day (and hopefully not by AI either). After building both the challenge and solution, I figured students should be able to crack it within 3-7 days. Turns out I was right about the timeline, but only one person actually solved it.

Lost in Translation: Apache Vulnerabilities That Don't Count (Literally)

Thu, 11 Sep 2025 00:00:00 +0000

During our security research in 2024, we discovered several vulnerabilities in Apache Foundation projects that seem to have gotten ’lost in translation’ between our bug reports and the CVE assignment process. While we’ve been patiently waiting for these findings to officially ‘count,’ they’ve apparently been stuck longer than a software update on a Friday afternoon. Almost a year went by without any CVEs assigned and which we completely forgot about until now.

[Updates] Summer Pwnables 🔥

Mon, 18 Aug 2025 00:00:00 +0000

[Updates] Summer Pwnables 2025 Major Announcement: ISD Sponsorship We are pleased to announce that Internal Security Department (ISD) is sponsoring Summer Pwnables Challenge #0002 Challenge #003. Distribution Rule Challenge #002 and #003 are meant for Singaporean students. Each Singaporean student can only win once across all challenges to ensure broader community recognition. However, they can still submit their solutions in order to win the new “Grand Prize” Prizes are still $100 SGD + the “From Day Zero to Zero Day” book written by Eugene “Spaceraccoon” Lim for the first five solvers.

Summer Pwnables: When the Heat Rises, So Do the C-Shells 🔥

Tue, 12 Aug 2025 00:00:00 +0000

🌴☀️ SUMMER PWNABLES 2025 ☀️🌴 The hottest hacking challenge on this side of Southeast Asia! Think you can handle the heat? Time to prove your l33t skills are more than just talk! 😎🔥 The summer sun isn’t the only thing burning bright – we have cooked up some seriously spicy challenges that will test whether you are a true shell wizard! 🧙‍♂️✨ 📍 ELIGIBILITY REQUIREMENTS This challenge is exclusively open to Singapore-based students only!

My `Blind Date` with CVE-2025-29824

Wed, 16 Jul 2025 00:00:00 +0000

In April 2025, Microsoft patched a vulnerability that had become a key component in sophisticated ransomware attack chains. CVE-2025-29824, an use-after-free bug in the Windows Common Log File System (CLFS) driver, wasn’t the initial entry point for attackers. Instead, threat actors first compromised Cisco ASA firewalls, then used this Windows kernel vulnerability as the crucial privilege escalation step that transformed limited network access into complete system domination. This multi-stage approach represents the evolution of modern ransomware operations: sophisticated threat actors chaining together network infrastructure vulnerabilities with Windows kernel bugs to devastating effect.

Fooling the Sandbox: A Chrome-atic Escape

Thu, 10 Jul 2025 00:00:00 +0000

For my internship, I was tasked by my mentor Le Qi to analyze CVE-2024-30088, a double-fetch race condition bug in the Windows Kernel Image ntoskrnl.exe. A public POC demonstrating EoP from Medium Integrity Level to SYSTEM is available on GitHub here. Additionally, I was challenged (more like forced 💀) to chain the exploit to escape the Chrome Renderer Sandbox, achieving EoP from Untrusted Integrity Level to SYSTEM. Easy, right? 🤡

Solo: A Pixel 6 Pro Story (When one bug is all you need)

Thu, 05 Jun 2025 00:00:00 +0000

During my internship I was tasked to analyze a Mali GPU exploit on Pixel 7/8 devices and adapt it to make it work on another device: the Pixel 6 Pro. While the exploit process itself is relatively straightforward to reproduce (in theory we just need to find the correct symbol offsets and signatures for our target device), what’s interesting about Pixel 6 Pro is that it uses a different Mali GPU from the Pixel 7/8, which lacked support for a feature that one of the two vulnerabilities within the exploit relied on:

Gone in 5 Seconds: How WARN_ON Stole 10 Minutes

Fri, 30 May 2025 00:00:00 +0000

As part of my internship at STAR Labs, I was tasked to conduct N-day analysis of CVE-2023-6241. The original PoC can be found here, along with the accompanying write-up. In this blog post, I will explain the root cause as well as an alternative exploitation technique used to exploit the page UAF, achieving arbitrary kernel code execution. The following exploit was tested on a Pixel 8 running the latest version available prior to the patch.

Badge & Lanyard Challenges @ OBO 2025

Wed, 28 May 2025 00:00:00 +0000

Introduction We are back with Round 2 of the Off-By-One conference — where bits meet breadboards and bugs are celebrated! 🐛⚡ If you are into hardware and IoT security, you’ll know one thing’s for sure: the STAR Labs SG badge is not your average conference bling bling. This year’s badge isn’t just a collector’s item — it’s a playground for the curious, packed with new challenges inspired by months’s worth of research and hackery.

Pwn2Own Berlin 2025

Sat, 17 May 2025 00:00:00 +0000

Pwn2Own is a computer hacking contest held annually by Trend Micro’s Zero Day Initiative - ZDI. Contestants are challenged to exploit widely used software and mobile devices with previously unknown vulnerabilities. Winners of the contest receive the device that they exploited and a cash prize. The total prize for each contest is up to millions of dollars. The 2025 spring edition of Pwn2Own (Pwn2Own Berlin) was held from 15th May to 17th May 2025 in a on-site format where participants are back to competing in-person.

Breaking Out of Restricted Mode: XSS to RCE in Visual Studio Code

Wed, 14 May 2025 00:00:00 +0000

In April 2024, I discovered a high-severity vulnerability in Visual Studio Code (VS Code <= 1.89.1) that allows attackers to escalate a Cross-Site Scripting (XSS) bug into full Remote Code Execution (RCE)—even in Restricted Mode. The desktop version of Visual Studio Code runs on Electron. Renderer processes are sandboxed and communicate with the main process through Electron’s IPC mechanism. An XSS vulnerability in the newly-introduced minimal error rendering mode for Jupyter notebooks enables arbitrary JavaScript code to be executed within the vscode-app WebView for the notebook renderer.

CimFS: Crashing in memory, Finding SYSTEM (Kernel Edition)

Tue, 25 Mar 2025 00:00:00 +0000

Introduction Many vulnerability writeups nowadays focus on the exploitation process when it comes to software bugs. The term “Exploit Developer” is also still used synonymously with Vulnerability Research, presumably coming from the early 2000s where bugs were easily discoverable and the community was just beginning to explore the art of exploitation. However nowadays with SDL and continuous fuzzing, the discovery of unknown vulnerabilities in crucial systems is getting more important, arguably more than the exploitation process.

STAR Labs Windows Exploitation Challenge 2025 Writeup

Mon, 17 Mar 2025 00:00:00 +0000

STAR Labs Windows Exploitation Challenge Writeup Over the past few months, the STAR Labs team has been hosting a Windows exploitation challenge. I was lucky enough to solve it and got myself a ticket to Off-By-One conference. Here is my writeup for the challenge! Analyzing the binary We are given a Windows kernel driver. Basic analysis shows that it is used to receive and save messages sent from usermode. Important structures There are two key structures used in this driver: handle and message entry.

Mali-cious Intent: Exploiting GPU Vulnerabilities (CVE-2022-22706 / CVE-2021-39793)

Sun, 02 Feb 2025 00:00:00 +0000

Imagine downloading a game from a third-party app store. You grant it seemingly innocuous permissions, but hidden within the app is a malicious exploit that allows attackers to steal your photos, eavesdrop on your conversations, or even take complete control of your device. This is the kind of threat posed by vulnerabilities like CVE-2022-22706 and CVE-2021-39793, which we’ll be dissecting in this post. These vulnerabilities affect Mali GPUs, commonly found in many Android devices, and allow unprivileged apps to gain root access.

CVE-2024-26230: Windows Telephony Service - It's Got Some Call-ing Issues (Elevation of Privilege)

Fri, 24 Jan 2025 00:00:00 +0000

Executive Summary CVE-2024-26230 is a critical vulnerability found in the Windows Telephony Service (TapiSrv), which can lead to an elevation of privilege on affected systems. The exploit leverages a use-after-free in FreeDialogInstance. By manipulating the registry, an attacker controls memory allocation to create a fake object, triggering the UAF in TUISPIDLLCallback to gain code execution. This is further chained with techniques to bypass mitigations like CFG and ultimately load a malicious DLL, escalating privileges to SYSTEM via PrintSpoofer.

Celebrating 7 Years of STAR Labs SG

Sun, 12 Jan 2025 00:00:00 +0000

🎉🎊 Cheers to 7 Amazing Years! 🎊🎉 On 8th January 2018, STAR Labs SG Pte. Ltd. was born with a simple but bold idea: to do fun offensive research that protects customers. Seven years later, that spark of curiosity and innovation has grown into something extraordinary. 🚀 Our Humble Beginnings 🛠️ It all started when STAR Labs had a small, passionate group of researchers: Shi Ji, Wei Lei, Phạm Hồng Phi, Phan Thanh Duy, and Tạ Đình Sung.

STAR Labs 2025 New Year Exploitation Challenge

Wed, 01 Jan 2025 00:00:00 +0000

Think you’ve got what it takes to pop shells and snag your ticket to… RE//verse and Off-By-One? 😏 🔥 Windows Exploitation Challenge 🔥 Get SYSTEM privileges by exploiting a bug in the downloadable driver below. (pwn it!) Keep the OS alive and happy — no BSODs, no excuses! Your exploit must work on Windows 11 24H2. Submit your winning solutions(exploit source code and writeup) to info@starlabs.sg. If you think you’ve figured out the bug but can’t exploit it in time, feel free to send us a writeup too describing how you would exploit it!

All I Want for Christmas is a CVE-2024-30085 Exploit

Tue, 24 Dec 2024 00:00:00 +0000

TLDR CVE-2024-30085 is a heap-based buffer overflow vulnerability affecting the Windows Cloud Files Mini Filter Driver cldflt.sys. By crafting a custom reparse point, it is possible to trigger the buffer overflow to corrupt an adjacent _WNF_STATE_DATA object. The corrupted _WNF_STATE_DATA object can be used to leak a kernel pointer from an ALPC handle table object. A second buffer overflow is then used to corrupt another _WNF_STATE_DATA object, which is then used to corrupt an adjacent PipeAttribute object.

Behind the Scenes: Understanding CVE-2022-24547

Tue, 24 Dec 2024 00:00:00 +0000

TL;dr Vulnerabilities can often be found in places we don’t expect, and CVE-2022-24547 in CastSrv.exe is one of the examples. CVE-2022-24547 is a privilege escalation vulnerability in CastSrv.exe, allowing attackers to bypass security and gain elevated privileges. We’ll break down how the bug works, its exploitation, and how to protect against it. Summary Vendor Microsoft Security Impact Elevation of Privilege CVE ID CVE-2022-24547 CVSS3.

(CVE-2024-6781) Calibre Arbitrary File Read

Wed, 31 Jul 2024 00:00:00 +0000

Summary Product Calibre Vendor Calibre Severity High - Unprivileged adversaries may exploit software vulnerabilities to perform relative path traversal to achieve arbitrary file read Affected Versions <= 7.14.0 (latest version as of writing) Tested Versions 7.14.0 CVE Identifier CVE-2024-6781 CVE Description Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability allows Relative Path Traversal CWE Classification(s) CWE-22 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) CAPEC Classification(s) CAPEC-139 Relative Path Traversal CVSS3.

(CVE-2024-6782) Calibre Remote Code Execution

Wed, 31 Jul 2024 00:00:00 +0000

Summary Product Calibre Vendor Calibre Severity Critical - Unprivileged adversaries may exploit software vulnerabilities to perform remote code execution Affected Versions 6.9.0 ~ 7.14.0 (latest version as of writing) Tested Versions 7.14.0 CVE Identifier CVE-2024-6782 CVE Description Improper Access Control in Calibre Content Server allows remote code execution CWE Classification(s) CWE-863: Incorrect Authorization CAPEC Classification(s) CAPEC-253: Remote Code Inclusion CVSS3.

(CVE-2024-7008) Calibre Reflected Cross-Site Scripting (XSS)

Wed, 31 Jul 2024 00:00:00 +0000

Summary Product Calibre Vendor Calibre Severity Medium Affected Versions <= 7.15.0 (latest version as of writing) Tested Versions 7.15.0 CVE Identifier CVE-2024-7008 CWE Classification(s) CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) CAPEC Classification(s) CAPEC-591 Reflected XSS CVSS3.1 Scoring System Base Score: 5.4 (Medium) Vector String: CVSS:3.

(CVE-2024-7009) Calibre SQLite Injection

Wed, 31 Jul 2024 00:00:00 +0000

Summary Product Calibre Vendor Calibre Severity Medium Affected Versions <= 7.15.0 (latest version as of writing) Tested Versions 7.15.0 CVE Identifier CVE-2024-7009 CWE Classification(s) CWE-89 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) CAPEC Classification(s) CAPEC-66 SQL Injection CVSS3.1 Scoring System Base Score: 4.2 (Medium) Vector String: CVSS:3.

(CVE-2024-1837) Singtel RT5703W Unauthenticated Command Injection RCE via Login Vulnerability

Mon, 22 Jul 2024 00:00:00 +0000

Summary Product Singtel WI-FI 6 ROUTER RT5703W Vendor Singtel/Askey Severity Critical - Adversaries may exploit software vulnerabilities to execute arbitrary commands on the underlying OS with root privileges. Affected Versions V1.6.4-5194 (latest version as of writing) Tested Versions V1.6.4-5194 (latest version as of writing) Internal Identifier STAR-2023-0097 CVE Identifier TBD CVE Description OS command injection vulnerability in net.

(CVE-2024-1838) Singtel RT5703W Authenticated Command Injection RCE via SetLoginPwd Vulnerability

Mon, 22 Jul 2024 00:00:00 +0000

Summary Product Singtel WI-FI 6 ROUTER RT5703W Vendor Singtel/Askey Severity High - Adversaries may exploit software vulnerabilities to execute arbitrary commands on the underlying OS with root privileges. Affected Versions V1.6.4-5194 (latest version as of writing) Tested Versions V1.6.4-5194 (latest version as of writing) Internal Identifier STAR-2023-0098 CVE Identifier TBD CVE Description OS command injection vulnerability in net.

#BadgeLife @ Off-By-One Conference 2024

Mon, 22 Jul 2024 00:00:00 +0000

Introduction As promised, we are releasing the firmware and this post for the Off-By-One badge about one month after the event, allowing interested participants the opportunity to explore it. If you’re interested in learning more about the badge design process, please let us know. We were thrilled to introduce the Octopus Badge at the first-ever Off-By-One Conference 2024. The badge was a one of the highlight at the conference, as it included hardware-focused CTF challenges.

Send()-ing Myself Belated Christmas Gifts - GitHub.com's Environment Variables & GHES Shell

Mon, 06 May 2024 00:00:00 +0000

Earlier this year, in mid-January, you might have come across this security announcement by GitHub. In this article, I will unveil the shocking story of how I discovered CVE-2024-0200, a deceptively simple, one-liner vulnerability which I initially assessed to likely be of low impact, and how I turned it into one of the most impactful bugs in GitHub’s bug bounty history. Spoiler: The vulnerability enabled disclosure of all environment variables of a production container on GitHub.

Pwn2Own Vancouver 2024

Fri, 22 Mar 2024 00:00:00 +0000

Pwn2Own is a computer hacking contest held annually by Trend Micro’s Zero Day Initiative - ZDI. Contestants are challenged to exploit widely used software and mobile devices with previously unknown vulnerabilities. Winners of the contest receive the device that they exploited and a cash prize. The total prize for each contest is up to millions of dollars. The 2024 spring edition of Pwn2Own (Pwn2Own Vancouver) was held from 20th March to 21st March 2024 in a hybrid format where participants are back to competing in-person and in virtual.

Route to Safety: Navigating Router Pitfalls

Mon, 18 Mar 2024 00:00:00 +0000

Introduction Wi-Fi routers have always been an attractive target for attackers. When taken over, an attacker may gain access to a victim’s internal network or sensitive data. Additionally, there has been an ongoing trend of attackers continually incorporating new router exploits into their arsenal for use in botnets, such as the Mirai Botnet. Consumer grade devices are especially attractive to attackers, due to many security flaws in them. Devices with lower security often contain multiple bugs that attackers can exploit easily, rendering them vulnerable targets.

(CVE-2023-3368) Chamilo LMS Unauthenticated Command Injection