Home on STAR Labs

CHECK Removed, Context Confused, Checkmate Achieved

Wed, 01 Apr 2026 00:00:00 +0000

TL;DR

In January 2026, the Chrome Releases blog announced several security fixes across different Chrome components. One entry caught our attention: CVE-2026-0899, an Out-of-Bounds memory access in V8 discovered by @p1nky4745.

Vulnerabilities in V8, especially OOB and Type Confusions are always interesting from a security research perspective. We decided to take a closer look. At the time of writing, the issue was still restricted and no public proof-of-concept was available. After reverse engineering the patch fix, we identified the root cause of the vulnerability and developed a trigger PoC.

Pickling the Mailbox: A Deep Dive into CVE-2025-20393

Thu, 05 Feb 2026 00:00:00 +0000

TL;DR

In December 2025, Cisco published https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sma-attack-N9bf4 addressing CVE-2025-20393, a critical vulnerability (CVSS 10.0) affecting Cisco Secure Email Gateway and Secure Email and Web Manager. The advisory was notably sparse on technical details, describing only “Improper Input Validation” (CWE-20).

We decided to dig deeper. Through reverse engineering and code analysis of AsyncOS 15.5.3, we uncovered the root cause: a single-byte integer overflow in the EUQ RPC protocol that bypasses authentication and chains into Python pickle deserialization — achieving unauthenticated remote code execution with a single HTTP request.

8th Anniversary: Embrace the new but don't forget the old

Thu, 08 Jan 2026 00:00:00 +0000

Eight years ago today, I started STAR Labs by hiring several fresh grads with no working experiences.

Today, I stand here with a different group of faces. Some of you were there from the beginning. Some of you joined along the way. Some of you just started last month.

And some of the people who were here… weren’t anymore.

Not because they failed. Not because we failed them. But because life called them in different directions.

2025: WE BROKE THINGS, WE BUILT THINGS, WE BROKE EVEN MORE THINGS

Sat, 27 Dec 2025 00:00:00 +0000

Most will talk about the success in their year-end posts. Great. Nobody talks about the failures. Nobody talks about what ACTUALLY happened.

Well, we are going to tell you about OUR STORY - the success AND the failures. The whole thing. Because that’s how we actually learn…from our own mistakes.

So here it is, UNFILTERED. Buckle up.

PWN2OWN 2025 BERLIN & IRELAND

We could only bring one of our interns, Gerrard Tai, along with us to Pwn2Own. Not to watch from the sidelines, but to COMPETE. He was right there with us, building exploit chains, debugging our team members’ codes while under pressure and experiencing the absolute rush of pwning devices on the world stage.

AI Accelerated Exploiting: Compromising MTE Enabled Pixel from DSP Coprocessor

Tue, 18 Nov 2025 00:00:00 +0000

Talk delivered at CODE BLUE 2025 (Tokyo, November 2025).

Slides available on GitHub

Dancing with Exynos Coprocessor: Pwning Samsung for Fun and "Profit"

Tue, 18 Nov 2025 00:00:00 +0000

Talk delivered at CODE BLUE 2025 (Tokyo, November 2025).

Slides available on GitHub

HEX ADVENT 2025: Crack the Advent, Conquer the Threat 🐛

Tue, 18 Nov 2025 00:00:00 +0000

HEX ADVENT 2025: Crack the Advent, Conquer the Threat 🐛

Last chance to register! Registration closing on 20 Dec 2025, 09:00 SGT!

WELCOME TO HEX ADVENT 2025, ‘tis the season to Unwrap Your Potential! 🎁

HEX ADVENT 2025 is a Christmas-themed CTF Advent Calendar, designed for women, by women.

What to Expect

12 Days, 12 Challenges: A structured schedule to build mastery across different CTF categories.
Focus Areas:
- Pwn (Binary Exploitation)
- Cryptography
- Reverse Engineering
- Forensics
- OSINT
- Web Exploitation
Our Mission: To empower women in cybersecurity, create visible role models, and cultivate a robust local talent pool.

Date	What To Expect?
1 to 12 Dec 2025	New challenges unlocked at 09:00 SGT daily
1 to 31 Dec 2025	Challenges open until 31 Dec 2025, 23:59 SGT
1 Dec 2025 to 5 Jan 2026	Write-up submissions will close on 5 Jan 2026, 23:59 SGT

✍🏻➡️ REGISTER TO PLAY NOW

HEX ADVENT 2025: Rules & Information

Mon, 10 Nov 2025 00:00:00 +0000

Information

This is a solo CTF event open to women residing in Singapore or Malaysia.
To register and be eligible for the prizes:
- Register on CTFd, and select the “eligible” bracket.
- Confirm your eligibility by filling in the Google Form.
The flag format is described by this regex: /^HEX{.*}$/
There are a total of 12 challenges. One challenge will be released each day at 09:00 SGT within the period of 1 December 2025 to 12 December 2025. All challenges will be announced on the STAR Labs blog, and the challenges can be accessed through the CTFd platform within the period of 1 December 2025, 09:00 SGT to 31 December 2025, 23:59 SGT.

Breaking Into a Brother (MFC-J1010DW): Three Security Flaws in a Seemingly Innocent Printer

Mon, 03 Nov 2025 00:00:00 +0000

The Target: Brother MFC-J1010DW

Affected Models: Brother Printer MFC-J1010DW
Vulnerable Firmware: Version <= 1.18

TL;DR: The Vulnerability Chain

We discovered three vulnerabilities that when chained together, allow for complete remote compromise:

Authentication Bypass via SNMP - Retrieve the printer’s serial number without authentication, allowing attackers to derive the default admin password
Unauthenticated Firmware Rollback - Downgrade to vulnerable firmware versions over the network, no credentials required
Buffer Overflow via Referer Header - Execute arbitrary code by crafting malicious HTTP headers

The result? We made the printer display our chosen message of “STAR LABS!” on its screen—but this is just a proof of concept. A real attacker could do much worse.

Pwn2Own Ireland 2025

Thu, 23 Oct 2025 00:00:00 +0000

Pwn2Own is a computer hacking contest held annually by Trend Micro’s Zero Day Initiative - ZDI. Contestants are challenged to exploit widely used software and mobile devices with previously unknown vulnerabilities. Winners of the contest receive the device that they exploited and a cash prize. The total prize for each contest is up to millions of dollars.

The 2025 Autumn edition of Pwn2Own (Pwn2Own Ireland) was held from 21st October to 23rd October 2025 in an on-site format where participants competed in-person.

(CVE-2025-55336) Windows Cloud Files Mini Filter Driver Information Disclosure

Tue, 14 Oct 2025 00:00:00 +0000

CVE: CVE-2025-55336

Affected Versions: Windows 10 (21H2, 22H2, 1809), Windows 11 (22H2, 23H2, 24H2, 25H2), Windows Server 2019, 2022, 2022 23H2, 2025

CVSS3.1: 5.5 (Medium) — CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Summary

Product	Windows Cloud Files Mini Filter Driver (`cldflt.sys`)
Vendor	Microsoft
Severity	Medium — an unprivileged local attacker may exploit this to leak kernel addresses
Affected Versions	Windows 10 (21H2, 22H2, 1809), Windows 11 (22H2, 23H2, 24H2, 25H2), Windows Server 2019 / 2022 / 2022 23H2 / 2025
Tested Versions	Windows 11 24H2 (Build 26100.2161)
CVE Identifier	CVE-2025-55336
CVE Description	A side channel in the Windows Cloud Files Mini Filter Driver allows an unprivileged local attacker to leak the `EPROCESS` kernel address of the current process
CWE Classification(s)	CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS3.1 Scoring System

Base Score: 5.5 (Medium) Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Summer Pwnables: lz1 Solution

Mon, 15 Sep 2025 00:00:00 +0000

TL;DR 🚀

We’re turning a simple compression library into a shell delivery service! This writeup exploits a buffer overflow in lz1/lz77 decompression by crafting malicious compressed data that overflows the stack and chains ROP gadgets for code execution. Ever wondered how a simple file compression tool could hand you the keys to a system? Well, buckle up because we’re about to turn andyherbert’s innocent lz1 compressor into our personal shell delivery service! 🎭

Summer Pwnables: Temporal Paradox Engine Solution

Mon, 15 Sep 2025 00:00:00 +0000

Last month, Jacob asked me to create a CTF challenge for the Summer Pwnables event. I went with a kernel pwnable since my goal was to teach students some more advanced Linux kernel exploitation techniques - something that wouldn’t get solved in a day (and hopefully not by AI either).

After building both the challenge and solution, I figured students should be able to crack it within 3-7 days. Turns out I was right about the timeline, but only one person actually solved it. Jun Rong Lam, he is the first solver by solving this challenge in a week. The next week Lucas Tan Yi Je solved it. In third week, Elijah Chia solved this challenge, so 3 weeks in total. I really amaze by these students skills and persistence.

Lost in Translation: Apache Vulnerabilities That Don't Count (Literally)

Thu, 11 Sep 2025 00:00:00 +0000

During our security research in 2024, we discovered several vulnerabilities in Apache Foundation projects that seem to have gotten ’lost in translation’ between our bug reports and the CVE assignment process. While we’ve been patiently waiting for these findings to officially ‘count,’ they’ve apparently been stuck longer than a software update on a Friday afternoon. Almost a year went by without any CVEs assigned and which we completely forgot about until now. So we figured it was time to let these vulnerabilities see the light of day, even if they’re destined to remain the security world’s ‘ones that got away.’ The following vulnerabilities were responsibly disclosed to Apache and have been addressed, though they continue to exist in that special category of bugs that are real enough to fix but without CVEs.

(CVE-2025-54098) Windows Hyper-V vhdmp.sys Arbitrary File Write Leading to Elevation of Privilege

Tue, 09 Sep 2025 00:00:00 +0000

CVE: CVE-2025-54098

Affected Versions: Windows 10 (1507, 1607, 1809, 21H2, 22H2); Windows 11 (22H2, 23H2, 24H2); Windows Server 2008 R2 SP1 through 2025

CVSS3.1: 7.8 (High) — CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

Product	Windows Hyper-V (`vhdmp.sys`)
Vendor	Microsoft
Severity	High — a local unprivileged attacker may write arbitrary data to any file on the system
Affected Versions	Windows 10 (1507, 1607, 1809, 21H2, 22H2); Windows 11 (22H2, 23H2, 24H2); Windows Server 2008 R2 SP1 – 2025
Tested Versions	Windows 11 24H2 (Build 26100.4061)
CVE Identifier	CVE-2025-54098
CVE Description	Improper access control in Windows Hyper-V allows an authorized attacker to elevate privileges locally
CWE Classification(s)	CWE-284: Improper Access Control

CVSS3.1 Scoring System

Base Score: 7.8 (High) Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

(CVE-2025-39682) Linux Kernel net/tls Use-After-Free in tls_sw_recvmsg Leading to Privilege Escalation

Fri, 05 Sep 2025 00:00:00 +0000

CVE: CVE-2025-39682

Affected Versions: Linux kernel 6.0 through 6.1.148; 6.2 through 6.6.102; 6.7 through 6.12.43; 6.13 through 6.16.3; 6.17-rc1 and 6.17-rc2

CVSS3.1: 7.1 (High) — CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Summary

Product	Linux Kernel (`net/tls`)
Vendor	Linux
Severity	High — a local unprivileged attacker may exploit the vulnerability to elevate privileges to root
Affected Versions	Linux 6.0–6.1.148; 6.2–6.6.102; 6.7–6.12.43; 6.13–6.16.3; 6.17-rc1 and 6.17-rc2
Tested Versions	Linux 6.12.41
CVE Identifier	CVE-2025-39682
CVE Description	A use-after-free vulnerability in the Linux kernel net/tls can be exploited to achieve local privilege escalation
CWE Classification(s)	CWE-416: Use After Free

CVSS3.1 Scoring System

Base Score: 7.1 (High) Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Fuzzing a Printer: Pre-auth RCE in a Network IoT Device

Tue, 02 Sep 2025 00:00:00 +0000

Printers have three things going for them from an attacker’s perspective: they live on the corporate network, they trust far too much from far too many protocols, and nobody patches them. Over the last quarter we’ve been building out a fuzzing harness for enterprise MFPs.

The harness

We emulate the device’s firmware in a QEMU-based sandbox with a hooked network stack, then let AFL++ drive crafted PJL, SNMP, and IPP messages into the exposed listeners. The hard part isn’t the fuzzer. It’s the harness getting realistic enough that findings translate to the physical device.

[Updates] Summer Pwnables 🔥

Mon, 18 Aug 2025 00:00:00 +0000

[Updates] Summer Pwnables 2025

Major Announcement: ISD Sponsorship

We are pleased to announce that Internal Security Department (ISD) is sponsoring Summer Pwnables Challenge #0002 Challenge #003.

Distribution Rule

Challenge #002 and #003 are meant for Singaporean students.
Each Singaporean student can only win once across all challenges to ensure broader community recognition. However, they can still submit their solutions in order to win the new “Grand Prize”

Prizes are still $100 SGD + the “From Day Zero to Zero Day” book written by Eugene “Spaceraccoon” Lim for the first five solvers.

Cracking the Pixel 8: Exploiting the Undocumented DSP to Bypass MTE

Fri, 15 Aug 2025 00:00:00 +0000

Talk delivered at HITCON 2025 (Taipei, August 2025).

Slides available on GitHub

(CVE-2025-50170) Windows Cloud Files Mini Filter Driver Elevation of Privilege

Tue, 12 Aug 2025 00:00:00 +0000

CVE: CVE-2025-50170

Affected Versions: Windows 10 (1809, 21H2, 22H2), Windows 11 (22H2, 23H2, 24H2), Windows Server 2019, 2022, 2025

CVSS3.1: 7.8 (High) — CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

Product	Windows Cloud Files Mini Filter Driver (`cldflt.sys`)
Vendor	Microsoft
Severity	High — an unprivileged local attacker may corrupt arbitrary files to achieve code execution as SYSTEM
Affected Versions	Windows 10 (1809, 21H2, 22H2), Windows 11 (22H2, 23H2, 24H2), Windows Server 2019 / 2022 / 2025
Tested Versions	Windows 11 23H2 (Build 22631.4249)
CVE Identifier	CVE-2025-50170
CVE Description	A logic error in the Windows Cloud Files Mini Filter Driver allows an unprivileged local attacker to corrupt arbitrary files and execute code as SYSTEM
CWE Classification(s)	CWE-280: Improper Handling of Insufficient Permissions or Privileges

CVSS3.1 Scoring System

Base Score: 7.8 (High) Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summer Pwnables: When the Heat Rises, So Do the C-Shells 🔥

Tue, 12 Aug 2025 00:00:00 +0000

🌴☀️ SUMMER PWNABLES 2025 ☀️🌴

The hottest hacking challenge on this side of Southeast Asia!

Think you can handle the heat? Time to prove your l33t skills are more than just talk! 😎🔥

The summer sun isn’t the only thing burning bright – we have cooked up some seriously spicy challenges that will test whether you are a true shell wizard! 🧙‍♂️✨

📍 ELIGIBILITY REQUIREMENTS

This challenge is exclusively open to Singapore-based students only!
You must be currently enrolled in a Singapore educational institution to participate.

My `Blind Date` with CVE-2025-29824

Wed, 16 Jul 2025 00:00:00 +0000

In April 2025, Microsoft patched a vulnerability that had become a key component in sophisticated ransomware attack chains. CVE-2025-29824, an use-after-free bug in the Windows Common Log File System (CLFS) driver, wasn’t the initial entry point for attackers. Instead, threat actors first compromised Cisco ASA firewalls, then used this Windows kernel vulnerability as the crucial privilege escalation step that transformed limited network access into complete system domination. This multi-stage approach represents the evolution of modern ransomware operations: sophisticated threat actors chaining together network infrastructure vulnerabilities with Windows kernel bugs to devastating effect.

Fooling the Sandbox: A Chrome-atic Escape

Thu, 10 Jul 2025 00:00:00 +0000

For my internship, I was tasked by my mentor Le Qi to analyze CVE-2024-30088, a double-fetch race condition bug in the Windows Kernel Image ntoskrnl.exe. A public POC demonstrating EoP from Medium Integrity Level to SYSTEM is available on GitHub here.

Additionally, I was challenged (more like forced 💀) to chain the exploit to escape the Chrome Renderer Sandbox, achieving EoP from Untrusted Integrity Level to SYSTEM.

Easy, right? 🤡

Note: CVE-2024-30088 came out before 24H2, so I analyzed it using a 23H2 Windows VM instead

(CVE-2025-47985) Windows Event Tracing Insufficient Validation Leading to Elevation of Privilege

Tue, 08 Jul 2025 00:00:00 +0000

CVE: CVE-2025-47985

Affected Versions: Windows 11

CVSS3.1: 7.8 (High) — CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

Product	Windows Event Tracing (ETW)
Vendor	Microsoft
Severity	High — a local attacker may exploit this to elevate privileges to SYSTEM
Affected Versions	Windows 11
Tested Versions	Windows 11 23H2 (Build 22631.4660)
CVE Identifier	CVE-2025-47985
CVE Description	Insufficient validation in Event Tracing for Windows (ETW) in Microsoft Windows 11 may allow an unprivileged attacker to execute code as SYSTEM
CWE Classification(s)	CWE-125: Out-of-Bounds Read

CVSS3.1 Scoring System

Base Score: 7.8 (High) Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

(CVE-2025-49660) Windows Event Tracing Reference Count Overflow Leading to Use-After-Free and Elevation of Privilege

Tue, 08 Jul 2025 00:00:00 +0000

CVE: CVE-2025-49660

Affected Versions: Windows 11

CVSS3.1: 7.8 (High) — CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

Product	Windows Event Tracing (ETW)
Vendor	Microsoft
Severity	High — a local attacker may exploit this to elevate privileges to SYSTEM
Affected Versions	Windows 11
Tested Versions	Windows 11 23H2 (Build 22631.4660)
CVE Identifier	CVE-2025-49660
CVE Description	Insufficient checks in Event Tracing for Windows (ETW) in Microsoft Windows 11 may allow an unprivileged attacker to execute code as SYSTEM
CWE Classification(s)	CWE-190: Integer Overflow or Wraparound; CWE-416: Use After Free

CVSS3.1 Scoring System

Base Score: 7.8 (High) Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Solo: A Pixel 6 Pro Story (When one bug is all you need)

Thu, 05 Jun 2025 00:00:00 +0000

During my internship I was tasked to analyze a Mali GPU exploit on Pixel 7/8 devices and adapt it to make it work on another device: the Pixel 6 Pro.

While the exploit process itself is relatively straightforward to reproduce (in theory we just need to find the correct symbol offsets and signatures for our target device), what’s interesting about Pixel 6 Pro is that it uses a different Mali GPU from the Pixel 7/8, which lacked support for a feature that one of the two vulnerabilities within the exploit relied on:

(CVE-2025-23095) Samsung Exynos NPU Driver Double Free Leading to Privilege Escalation

Wed, 04 Jun 2025 00:00:00 +0000

CVE: CVE-2025-23095

Affected Versions: Samsung Galaxy S24+ (samsung/e2sxxx/e2s:14/UP1A.231005.007/S926BXXS3AXGD:user/release-keys); Samsung Exynos 1280, 2200, 1380, 1480, 2400

CVSS3.1: 7.8 (High) — CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

Product	Samsung Exynos NPU Driver
Vendor	Samsung
Severity	High — a local attacker within `untrusted_app` SELinux context may exploit this to achieve local privilege escalation
Affected Versions	Samsung Galaxy S24+ (Android 14); Exynos 1280, 2200, 1380, 1480, 2400
Tested Versions	Samsung Galaxy S24+ (`S926BXXS3AXGD`)
CVE Identifier	CVE-2025-23095
CVE Description	A double free in the Samsung Exynos mobile processor NPU driver leads to privilege escalation
CWE Classification(s)	CWE-415: Double Free

CVSS3.1 Scoring System

Base Score: 7.8 (High) Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

(CVE-2025-23099) Samsung Exynos NPU Driver Out-of-Bounds Write Leading to Privilege Escalation

Mon, 02 Jun 2025 00:00:00 +0000

CVE: CVE-2025-23099

Affected Versions: Samsung Galaxy S24+ (samsung/e2sxxx/e2s:14/UP1A.231005.007/S926BXXS3AXGD:user/release-keys); Samsung Exynos 1480, 2400

CVSS3.1: 7.8 (High) — CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

Product	Samsung Exynos NPU Driver
Vendor	Samsung
Severity	High — a local attacker within `untrusted_app` SELinux context may exploit this to achieve local privilege escalation
Affected Versions	Samsung Galaxy S24+ (Android 14); Exynos 1480, 2400
Tested Versions	Samsung Galaxy S24+ (`S926BXXS3AXGD`)
CVE Identifier	CVE-2025-23099
CVE Description	A missing length check in the Samsung Exynos NPU driver leads to out-of-bounds writes, exploitable for local privilege escalation
CWE Classification(s)	CWE-787: Out-of-Bounds Write

CVSS3.1 Scoring System

Base Score: 7.8 (High) Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

(CVE-2025-23096) Samsung Exynos NPU Driver Double Free in IMB Memory Buffer Leading to Privilege Escalation

Sun, 01 Jun 2025 00:00:00 +0000

CVE: CVE-2025-23096

Affected Versions: Samsung Galaxy S24+ (samsung/e2sxxx/e2s:14/UP1A.231005.007/S926BXXS3AXGD:user/release-keys); Samsung Exynos 1280, 2200, 1380, 1480, 2400

CVSS3.1: 7.8 (High) — CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

Product	Samsung Exynos NPU Driver
Vendor	Samsung
Severity	High — a local attacker within `untrusted_app` SELinux context may exploit this to achieve local privilege escalation
Affected Versions	Samsung Galaxy S24+ (Android 14); Exynos 1280, 2200, 1380, 1480, 2400
Tested Versions	Samsung Galaxy S24+ (`S926BXXS3AXGD`)
CVE Identifier	CVE-2025-23096
CVE Description	A double free in the Samsung Exynos mobile processor NPU driver leads to privilege escalation
CWE Classification(s)	CWE-415: Double Free

CVSS3.1 Scoring System

Base Score: 7.8 (High) Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

(CVE-2025-23098) Samsung Exynos NPU Driver Use-After-Free in IMB Memory Buffer Leading to Privilege Escalation

Sun, 01 Jun 2025 00:00:00 +0000

CVE: CVE-2025-23098

Affected Versions: Samsung Galaxy S24+ (samsung/e2sxxx/e2s:14/UP1A.231005.007/S926BXXS3AXGD:user/release-keys); Samsung Exynos 980, 990, 1080, 2100, 1280, 2200, 1380

CVSS3.1: 7.8 (High) — CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

Product	Samsung Exynos NPU Driver
Vendor	Samsung
Severity	High — a local attacker within `untrusted_app` SELinux context may exploit this to achieve local privilege escalation
Affected Versions	Samsung Galaxy S24+ (Android 14); Exynos 980, 990, 1080, 2100, 1280, 2200, 1380
Tested Versions	Samsung Galaxy S24+ (`S926BXXS3AXGD`)
CVE Identifier	CVE-2025-23098
CVE Description	A use-after-free in the Samsung Exynos mobile processor NPU driver leads to privilege escalation
CWE Classification(s)	CWE-416: Use After Free

CVSS3.1 Scoring System

Base Score: 7.8 (High) Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

(CVE-2025-23100) Samsung Exynos NPU Driver Null Pointer Dereference Leading to Denial of Service

Sun, 01 Jun 2025 00:00:00 +0000

CVE: CVE-2025-23100

Affected Versions: Samsung Galaxy S24+ (samsung/e2sxxx/e2s:16/BP2A.250605.031.A3/S926BXXU9CYI5:user/release-keys); Samsung Exynos 1280, 2200, 1380, 1480, 2400

CVSS3.1: 5.5 (Medium) — CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Summary

Product	Samsung Exynos NPU Driver
Vendor	Samsung
Severity	Medium — a local attacker within `untrusted_app` SELinux context may exploit this to cause denial of service
Affected Versions	Samsung Galaxy S24+ (Android 16); Exynos 1280, 2200, 1380, 1480, 2400
Tested Versions	Samsung Galaxy S24+ (`S926BXXU9CYI5`)
CVE Identifier	CVE-2025-23100
CVE Description	The absence of a null check in the Samsung Exynos NPU driver leads to a denial of service
CWE Classification(s)	CWE-476: NULL Pointer Dereference

CVSS3.1 Scoring System

Base Score: 5.5 (Medium) Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

(CVE-2025-23103) Samsung Exynos NPU Driver Out-of-Bounds Write via Unbounded Loop Counter

Sun, 01 Jun 2025 00:00:00 +0000

CVE: CVE-2025-23103

Affected Versions: Samsung Galaxy S24+ (samsung/e2sxxx/e2s:14/UP1A.231005.007/S926BXXS3AXGD:user/release-keys); Samsung Exynos 1480, 2400

CVSS3.1: 7.8 (High) — CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

Product	Samsung Exynos NPU Driver
Vendor	Samsung
Severity	High — a local attacker within `untrusted_app` SELinux context may exploit this to achieve local privilege escalation
Affected Versions	Samsung Galaxy S24+ (Android 14); Exynos 1480, 2400
Tested Versions	Samsung Galaxy S24+ (`S926BXXS3AXGD`)
CVE Identifier	CVE-2025-23103
CVE Description	A missing length check in the Samsung Exynos NPU driver leads to out-of-bounds writes, exploitable for local privilege escalation
CWE Classification(s)	CWE-787: Out-of-Bounds Write

CVSS3.1 Scoring System

Base Score: 7.8 (High) Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

(CVE-2025-23107) Samsung Exynos NPU Driver Out-of-Bounds Write via Undersized User Buffer

Sun, 01 Jun 2025 00:00:00 +0000

CVE: CVE-2025-23107

Affected Versions: Samsung Galaxy S24+ (samsung/e2sxxx/e2s:14/UP1A.231005.007/S926BXXS3AXGD:user/release-keys); Samsung Exynos 1480, 2400

CVSS3.1: 7.8 (High) — CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

Product	Samsung Exynos NPU Driver
Vendor	Samsung
Severity	High — a local attacker within `untrusted_app` SELinux context may exploit this to achieve local privilege escalation
Affected Versions	Samsung Galaxy S24+ (Android 14); Exynos 1480, 2400
Tested Versions	Samsung Galaxy S24+ (`S926BXXS3AXGD`)
CVE Identifier	CVE-2025-23107
CVE Description	A missing length check in the Samsung Exynos NPU driver leads to out-of-bounds writes, exploitable for local privilege escalation
CWE Classification(s)	CWE-787: Out-of-Bounds Write

CVSS3.1 Scoring System

Base Score: 7.8 (High) Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Gone in 5 Seconds: How WARN_ON Stole 10 Minutes

Fri, 30 May 2025 00:00:00 +0000

As part of my internship at STAR Labs, I was tasked to conduct N-day analysis of CVE-2023-6241. The original PoC can be found here, along with the accompanying write-up.

In this blog post, I will explain the root cause as well as an alternative exploitation technique used to exploit the page UAF, achieving arbitrary kernel code execution.

The following exploit was tested on a Pixel 8 running the latest version available prior to the patch.

Badge & Lanyard Challenges @ OBO 2025

Wed, 28 May 2025 00:00:00 +0000

Introduction

We are back with Round 2 of the Off-By-One conference — where bits meet breadboards and bugs are celebrated! 🐛⚡

If you are into hardware and IoT security, you’ll know one thing’s for sure: the STAR Labs SG badge is not your average conference bling bling. This year’s badge isn’t just a collector’s item — it’s a playground for the curious, packed with new challenges inspired by months’s worth of research and hackery. And yes, the CTF is back, with even more nerdy goodness.

Lessons From Pwn2Own Berlin 2025: Building a Hypervisor Escape

Tue, 20 May 2025 00:00:00 +0000

At Pwn2Own Berlin 2025, STAR Labs took home Master of Pwn for a chain that escaped a major hypervisor from inside a guest VM. This is the short version of how we got there. Longer write-up to follow after all patches are deployed.

Target selection

We started with three candidate attack surfaces: the device-emulation path, the virtio back-ends, and the nested-virtualization code path. We picked device emulation because it sees the most attacker-controlled input per unit of code, and because prior research suggested the maintainers had been less aggressive about fuzzing it than the core dispatcher.

Pwn2Own Berlin 2025: Master of Pwn

Sat, 17 May 2025 00:00:00 +0000

The 2025 spring edition of Pwn2Own (Pwn2Own Berlin) was held from 15th May to 17th May 2025 in an on-site format where participants competed in-person.

(CVE-2025-37890) Linux Kernel net_sched netem Double Enqueue Leading to Use-After-Free and Local Privilege Escalation

Fri, 16 May 2025 00:00:00 +0000

CVE: CVE-2025-37890

Affected Versions: Linux kernel 5.0.1 through 6.15-rc4

CVSS3.1: 7.8 (High) — CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

Product	Linux Kernel (net_sched)
Vendor	Linux Kernel
Severity	High — a local unprivileged attacker may exploit this to achieve local privilege escalation
Affected Versions	Linux kernel 5.0.1 through 6.15-rc4
CVE Identifier	CVE-2025-37890
CVE Description	A use-after-free in the Linux kernel net scheduler HFSC module via netem’s re-entrant enqueue behaviour leads to local privilege escalation
CWE Classification(s)	CWE-416: Use After Free

CVSS4.0 Scoring System

Base Score: 8.5 Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Breaking Out of Restricted Mode: XSS to RCE in Visual Studio Code

Wed, 14 May 2025 00:00:00 +0000

In April 2024, I discovered a high-severity vulnerability in Visual Studio Code (VS Code <= 1.89.1) that allows attackers to escalate a Cross-Site Scripting (XSS) bug into full Remote Code Execution (RCE)—even in Restricted Mode.

The desktop version of Visual Studio Code runs on Electron. Renderer processes are sandboxed and communicate with the main process through Electron’s IPC mechanism.

An XSS vulnerability in the newly-introduced minimal error rendering mode for Jupyter notebooks enables arbitrary JavaScript code to be executed within the vscode-app WebView for the notebook renderer. The vulnerability can be triggered by opening a crafted .ipynb file if the user has the setting enabled, or by opening a folder containing a crafted settings.json file in VS Code and opening a malicious ipynb file within the folder. This vulnerability can be triggered even when Restricted Mode is enabled (which is the default for workspaces that have not been explicitly trusted by the user).

(CVE-2025-37797) Linux Kernel hfsc_change_class TOCTOU Leading to Use-After-Free and Local Privilege Escalation

Fri, 02 May 2025 00:00:00 +0000

CVE: CVE-2025-37797

Affected Versions: Linux kernel (multiple stable branches through 6.15-rc)

CVSS3.1: 7.8 (High) — CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

Product	Linux Kernel (net_sched)
Vendor	Linux Kernel
Severity	High — a local unprivileged attacker may exploit this to achieve local privilege escalation
Affected Versions	Linux kernel (multiple stable branches through 6.15-rc)
CVE Identifier	CVE-2025-37797
CVE Description	A TOCTOU flaw in the Linux kernel HFSC qdisc’s hfsc_change_class allows an empty class to be inserted into the vttree, leading to a use-after-free and local privilege escalation
CWE Classification(s)	CWE-416: Use After Free

CVSS4.0 Scoring System

Base Score: 8.5 Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

(CVE-2025-37798) Linux Kernel fq_codel_dequeue qlen Mismatch Leading to Use-After-Free and Local Privilege Escalation

Fri, 02 May 2025 00:00:00 +0000

CVE: CVE-2025-37798

Affected Versions: Linux kernel 3.5 through 6.15-rc1

CVSS3.1: 7.8 (High) — CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

Product	Linux Kernel (net_sched)
Vendor	Linux Kernel
Severity	High — a local unprivileged attacker may exploit this to achieve local privilege escalation
Affected Versions	Linux kernel 3.5 through 6.15-rc1
CVE Identifier	CVE-2025-37798
CVE Description	A qlen mismatch in the Linux kernel fq_codel dequeue path allows dropped packets to go unreported to the parent qdisc, leading to a use-after-free and local privilege escalation
CWE Classification(s)	CWE-416: Use After Free

CVSS4.0 Scoring System

Base Score: 8.5 Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CimFS: Crashing in memory, Finding SYSTEM (Kernel Edition)

Tue, 25 Mar 2025 00:00:00 +0000

Introduction

Many vulnerability writeups nowadays focus on the exploitation process when it comes to software bugs. The term “Exploit Developer” is also still used synonymously with Vulnerability Research, presumably coming from the early 2000s where bugs were easily discoverable and the community was just beginning to explore the art of exploitation. However nowadays with SDL and continuous fuzzing, the discovery of unknown vulnerabilities in crucial systems is getting more important, arguably more than the exploitation process. In order to encourage more writing on the aspect of Vulnerability Discovery, we are releasing this blogpost discussing the journey of finding and exploiting a kernel 0day in Windows 11 for Local Privilege Escalation.

STAR Labs Windows Exploitation Challenge 2025 Writeup

Mon, 17 Mar 2025 00:00:00 +0000

STAR Labs Windows Exploitation Challenge Writeup

Over the past few months, the STAR Labs team has been hosting a Windows exploitation challenge. I was lucky enough to solve it and got myself a ticket to Off-By-One conference. Here is my writeup for the challenge!

Analyzing the binary

We are given a Windows kernel driver. Basic analysis shows that it is used to receive and save messages sent from usermode.

Important structures

There are two key structures used in this driver: handle and message entry. Message entry is the storage unit that saves our message from usermode, its structure is described below:

Mali-cious Intent: Exploiting GPU Vulnerabilities (CVE-2022-22706 / CVE-2021-39793)

Sun, 02 Feb 2025 00:00:00 +0000

Imagine downloading a game from a third-party app store. You grant it seemingly innocuous permissions, but hidden within the app is a malicious exploit that allows attackers to steal your photos, eavesdrop on your conversations, or even take complete control of your device. This is the kind of threat posed by vulnerabilities like CVE-2022-22706 and CVE-2021-39793, which we’ll be dissecting in this post. These vulnerabilities affect Mali GPUs, commonly found in many Android devices, and allow unprivileged apps to gain root access.

CVE-2024-26230: Windows Telephony Service - It's Got Some Call-ing Issues (Elevation of Privilege)

Fri, 24 Jan 2025 00:00:00 +0000

Executive Summary

CVE-2024-26230 is a critical vulnerability found in the Windows Telephony Service (TapiSrv), which can lead to an elevation of privilege on affected systems. The exploit leverages a use-after-free in FreeDialogInstance. By manipulating the registry, an attacker controls memory allocation to create a fake object, triggering the UAF in TUISPIDLLCallback to gain code execution. This is further chained with techniques to bypass mitigations like CFG and ultimately load a malicious DLL, escalating privileges to SYSTEM via PrintSpoofer. In this blog post, we will take an in-depth look at how this vulnerability works, how it can be exploited, and the mitigation strategies that can help defend against it.

Celebrating 7 Years of STAR Labs SG

Sun, 12 Jan 2025 00:00:00 +0000

🎉🎊 Cheers to 7 Amazing Years! 🎊🎉

On 8th January 2018, STAR Labs SG Pte. Ltd. was born with a simple but bold idea: to do fun offensive research that protects customers. Seven years later, that spark of curiosity and innovation has grown into something extraordinary. 🚀

Our Humble Beginnings 🛠️

It all started when STAR Labs had a small, passionate group of researchers: Shi Ji, Wei Lei, Phạm Hồng Phi, Phan Thanh Duy, and Tạ Đình Sung. These pioneers didn’t just lay the foundation. They inspired others to join this wild roller coaster ride.

STAR Labs 2025 New Year Exploitation Challenge

Wed, 01 Jan 2025 00:00:00 +0000

Think you’ve got what it takes to pop shells and snag your ticket to… RE//verse and Off-By-One? 😏

🔥 Windows Exploitation Challenge 🔥

Get SYSTEM privileges by exploiting a bug in the downloadable driver below. (pwn it!)
Keep the OS alive and happy — no BSODs, no excuses!
Your exploit must work on Windows 11 24H2.
Submit your winning solutions(exploit source code and writeup) to info@starlabs.sg.
If you think you’ve figured out the bug but can’t exploit it in time, feel free to send us a writeup too describing how you would exploit it!

🏆 Prizes up for grabs!
🥇 First to submit a working exploit wins a conference ticket to RE//verse!
🥈 Second to submit bags a conference ticket to Off-By-One!

All I Want for Christmas is a CVE-2024-30085 Exploit

Tue, 24 Dec 2024 00:00:00 +0000

TLDR

CVE-2024-30085 is a heap-based buffer overflow vulnerability affecting the Windows Cloud Files Mini Filter Driver cldflt.sys. By crafting a custom reparse point, it is possible to trigger the buffer overflow to corrupt an adjacent _WNF_STATE_DATA object. The corrupted _WNF_STATE_DATA object can be used to leak a kernel pointer from an ALPC handle table object. A second buffer overflow is then used to corrupt another _WNF_STATE_DATA object, which is then used to corrupt an adjacent PipeAttribute object. By forging a PipeAttribute object in userspace, we are able to leak the token address and override privileges to escalate privileges to NT AUTHORITY\SYSTEM.

Behind the Scenes: Understanding CVE-2022-24547

Tue, 24 Dec 2024 00:00:00 +0000

TL;dr

Vulnerabilities can often be found in places we don’t expect, and CVE-2022-24547 in CastSrv.exe is one of the examples. CVE-2022-24547 is a privilege escalation vulnerability in CastSrv.exe, allowing attackers to bypass security and gain elevated privileges. We’ll break down how the bug works, its exploitation, and how to protect against it.

Summary


Vendor	Microsoft
Security Impact	Elevation of Privilege
CVE ID	CVE-2022-24547

CVSS3.1 Scoring System:

Base Score: 7.8 Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

(CVE-2024-43626) Windows Telephony Service Heap Out-of-Bounds Read/Write Leading to Elevation of Privilege

Tue, 12 Nov 2024 00:00:00 +0000

CVE: CVE-2024-43626

Affected Versions: Windows 10 (1507, 1607, 1809, 21H2, 22H2); Windows 11 (22H2, 23H2, 24H2); Windows Server 2008 and later

CVSS3.1: 7.8 (High) — CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

Product	Windows Telephony Service (`tapisrv.dll`)
Vendor	Microsoft
Severity	High — a local unprivileged attacker may exploit this to elevate privileges to SYSTEM
Affected Versions	Windows 10 (1507, 1607, 1809, 21H2, 22H2); Windows 11 (22H2, 23H2, 24H2); Windows Server 2008 and later
Tested Versions	Windows 11 23H2 (Build 22631.3593)
CVE Identifier	CVE-2024-43626
CVE Description	Improper input validation in Windows Telephony Server in Microsoft Windows may allow an unprivileged attacker to execute code as SYSTEM
CWE Classification(s)	CWE-122: Heap-based Buffer Overflow

CVSS3.1 Scoring System

Base Score: 7.8 (High) Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

GPUAF: Two Ways of Rooting All Qualcomm-based Android Phones

Thu, 07 Nov 2024 00:00:00 +0000

Talk delivered at Power of Community (POC) 2024 (Seoul, November 2024).

Slides available on GitHub

VMware Workstation: Escaping via a New Route - Virtual Bluetooth

Thu, 07 Nov 2024 00:00:00 +0000

Talk delivered at Power of Community (POC) 2024 (Seoul, November 2024).

Slides available on GitHub

SpiritCyber 2024

Fri, 18 Oct 2024 00:00:00 +0000

SpiritCyber is a Capture the Flag (CTF) competition held in Singapore, focused on offensive security and vulnerability research challenges.

At SpiritCyber 2024, STAR Labs co-organised the event alongside Nanyang Technological University (NTU) and Ensign InfoSecurity. The competition was held on 18 October 2024 as part of the Singapore International Cyber Week (SICW).

References

SpiritCyber 2024 Hackathon Highlights (Facebook)

(CVE-2024-9370) Google Chrome V8 Maglev Escape Analysis Incorrect Optimization Bug

Tue, 01 Oct 2024 00:00:00 +0000

CVE: CVE-2024-9370

Affected Versions: Google Chrome prior to stable channel update of October 1, 2024

Summary

Product	Google Chrome (V8 JavaScript Engine)
Vendor	Google
Severity	High
Affected Versions	Google Chrome prior to stable channel update of October 1, 2024
CVE Identifier	CVE-2024-9370
CVE Description	An incorrect optimization in V8’s Maglev compiler escape analysis allows a specially crafted HTML page to trigger a CHECK failure, potentially exploitable for arbitrary code execution in the renderer process
CWE Classification(s)	CWE-682: Incorrect Calculation

CVSS3.1 Scoring System

Base Score: 8.8 (High) Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

(CVE-2024-6781) Calibre Arbitrary File Read

Wed, 31 Jul 2024 00:00:00 +0000

Summary

Product	Calibre
Vendor	Calibre
Severity	High - Unprivileged adversaries may exploit software vulnerabilities to perform relative path traversal to achieve arbitrary file read
Affected Versions	<= 7.14.0 (latest version as of writing)
Tested Versions	7.14.0
CVE Identifier	CVE-2024-6781
CVE Description	Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability allows Relative Path Traversal
CWE Classification(s)	CWE-22 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
CAPEC Classification(s)	CAPEC-139 Relative Path Traversal

CVSS3.1 Scoring System

Base Score: 7.5 (High) Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

(CVE-2024-6782) Calibre Remote Code Execution

Wed, 31 Jul 2024 00:00:00 +0000

Summary

Product	Calibre
Vendor	Calibre
Severity	Critical - Unprivileged adversaries may exploit software vulnerabilities to perform remote code execution
Affected Versions	6.9.0 ~ 7.14.0 (latest version as of writing)
Tested Versions	7.14.0
CVE Identifier	CVE-2024-6782
CVE Description	Improper Access Control in Calibre Content Server allows remote code execution
CWE Classification(s)	CWE-863: Incorrect Authorization
CAPEC Classification(s)	CAPEC-253: Remote Code Inclusion

CVSS3.1 Scoring System

Base Score: 9.8 (Critical) Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Metric	Value
Attack Vector (AV)	Network
Attack Complexity (AC)	Low
Privileges Required (PR)	None
User Interaction (UI)	None
Scope (S)	Unchanged
Confidentiality (C)	High
Integrity (I)	High
Availability (A)	High

Product Overview

Calibre is a cross-platform free and open-source suite of e-book software. Calibre supports organizing existing e-books into virtual libraries, displaying, editing, creating and converting e-books, as well as syncing e-books with a variety of e-readers. Editing books is supported for EPUB and AZW3 formats. Books in other formats like MOBI must first be converted to those formats, if they are to be edited. Calibre also has a large collection of community contributed plugins.

(CVE-2024-7008) Calibre Reflected Cross-Site Scripting (XSS)

Wed, 31 Jul 2024 00:00:00 +0000

Summary

Product	Calibre
Vendor	Calibre
Severity	Medium
Affected Versions	<= 7.15.0 (latest version as of writing)
Tested Versions	7.15.0
CVE Identifier	CVE-2024-7008
CWE Classification(s)	CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’)
CAPEC Classification(s)	CAPEC-591 Reflected XSS

CVSS3.1 Scoring System

Base Score: 5.4 (Medium) Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Metric	Value
Attack Vector (AV)	Network
Attack Complexity (AC)	Low
Privileges Required (PR)	None
User Interaction (UI)	Required
Scope (S)	Unchanged
Confidentiality (C)	Low
Integrity (I)	Low
Availability (A)	None

Product Overview

(CVE-2024-7009) Calibre SQLite Injection

Wed, 31 Jul 2024 00:00:00 +0000

Summary

Product	Calibre
Vendor	Calibre
Severity	Medium
Affected Versions	<= 7.15.0 (latest version as of writing)
Tested Versions	7.15.0
CVE Identifier	CVE-2024-7009
CWE Classification(s)	CWE-89 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
CAPEC Classification(s)	CAPEC-66 SQL Injection

CVSS3.1 Scoring System

Base Score: 4.2 (Medium) Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

Metric	Value
Attack Vector (AV)	Network
Attack Complexity (AC)	High
Privileges Required (PR)	Low
User Interaction (UI)	None
Scope (S)	Unchanged
Confidentiality (C)	Low
Integrity (I)	Low
Availability (A)	None

Product Overview

(CVE-2024-1837) Singtel RT5703W Unauthenticated Command Injection RCE via Login Vulnerability

Mon, 22 Jul 2024 00:00:00 +0000

Summary

Product	Singtel WI-FI 6 ROUTER RT5703W
Vendor	Singtel/Askey
Severity	Critical - Adversaries may exploit software vulnerabilities to execute arbitrary commands on the underlying OS with root privileges.
Affected Versions	V1.6.4-5194 (latest version as of writing)
Tested Versions	V1.6.4-5194 (latest version as of writing)
Internal Identifier	STAR-2023-0097
CVE Identifier	TBD
CVE Description	OS command injection vulnerability in net.cgi in Singtel WI-FI 6 ROUTER RT5703W V1.6.4-5194 allows an unauthenticated attacker on LAN to execute arbitrary OS commands via the /cgi-bin/Login endpoint.
CWE Classification(s)	CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
CAPEC Classification(s)	CAPEC-88: OS Command Injection

CVSS3.1 Scoring System

Base Score: 9.3 (Critical) Vector String: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

(CVE-2024-1838) Singtel RT5703W Authenticated Command Injection RCE via SetLoginPwd Vulnerability

Mon, 22 Jul 2024 00:00:00 +0000

Summary

Product	Singtel WI-FI 6 ROUTER RT5703W
Vendor	Singtel/Askey
Severity	High - Adversaries may exploit software vulnerabilities to execute arbitrary commands on the underlying OS with root privileges.
Affected Versions	V1.6.4-5194 (latest version as of writing)
Tested Versions	V1.6.4-5194 (latest version as of writing)
Internal Identifier	STAR-2023-0098
CVE Identifier	TBD
CVE Description	OS command injection vulnerability in net.cgi in Singtel WI-FI 6 ROUTER RT5703W V1.6.4-5194 allows an authenticated attacker on LAN to execute arbitrary OS commands via the /cgi-bin/login endpoint.
CWE Classification(s)	CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
CAPEC Classification(s)	CAPEC-88: OS Command Injection

CVSS3.1 Scoring System

Base Score: 8.8 (High) Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

#BadgeLife @ Off-By-One Conference 2024

Mon, 22 Jul 2024 00:00:00 +0000

Introduction

As promised, we are releasing the firmware and this post for the Off-By-One badge about one month after the event, allowing interested participants the opportunity to explore it. If you’re interested in learning more about the badge design process, please let us know. We were thrilled to introduce the Octopus Badge at the first-ever Off-By-One Conference 2024. The badge was a one of the highlight at the conference, as it included hardware-focused CTF challenges. In this post, we will explore the ideation and design process of the badge and discuss the concepts needed to solve the challenges.

(CVE-2024-26923) Android AF_UNIX Garbage Collector Race Condition Leading to Use-After-Free

Mon, 01 Jul 2024 00:00:00 +0000

CVE: CVE-2024-26923

Affected Versions: Android 14 (google/bluejay/bluejay:14/AP1A.240405.002/11480754:user/release-keys); Linux kernel >= 2.6.23

CVSS3.1: 7.8 (High) — CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

Product	Android
Vendor	Google
Severity	High — exploitable from within `untrusted_app` or `isolated_app` SELinux context to achieve local privilege escalation
Affected Versions	Android 14 (`AP1A.240405.002`); Linux kernel >= 2.6.23 through 6.8.x
CVE Identifier	CVE-2024-26923
CVE Description	A race condition in the Linux kernel AF_UNIX garbage collector leads to a dangling pointer in `gc_inflight_list`, exploitable for local privilege escalation on Android
CWE Classification(s)	CWE-362: Concurrent Execution Using Shared Resource with Improper Synchronization (Race Condition)

CVSS3.1 Scoring System

Base Score: 7.8 (High) Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

(CVE-2024-34594) Samsung Galaxy Kernel Information Disclosure via Debug proc Entry Leading to KASLR Bypass

Mon, 01 Jul 2024 00:00:00 +0000

CVE: CVE-2024-34594

Affected Versions: Samsung Galaxy S22 (samsung/r0qcsx/r0q:14/UP1A.231005.007/S901WVLS4DWL3:user/release-keys); Select Android 12, 13, 14 devices with Qualcomm chipsets

CVSS3.1: 5.5 (Medium) — CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Summary

Product	Samsung Galaxy Kernel (RKP Test Driver)
Vendor	Samsung
Severity	Medium — a local unprivileged attacker can read kernel memory addresses, bypassing KASLR
Affected Versions	Samsung Galaxy S22 (Android 14); select Android 12, 13, 14 devices with Qualcomm chipsets; prior to SMR Jul-2024 Release 1
Tested Versions	Samsung Galaxy S22 (`S901WVLS4DWL3`)
CVE Identifier	CVE-2024-34594
CVE Description	Exposure of sensitive information in the proc file system in Samsung Galaxy kernels allows local attackers to access kernel memory addresses prior to SMR Jul-2024 Release 1
CWE Classification(s)	CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS3.1 Scoring System

Base Score: 5.5 (Medium) Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

(CVE-2024-36972) Linux Kernel Race Condition in unix_gc on oob_skb Leading to Double Free

Thu, 16 May 2024 00:00:00 +0000

CVE: CVE-2024-36972

Affected Versions: Linux kernel >= 6.8 (introduced by commit 1279f9d9, 3 Feb 2024)

CVSS3.1: 7.8 (High) — CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

Product	Linux Kernel
Vendor	Linux
Severity	High — local attackers may exploit this vulnerability to elevate privileges to root
Affected Versions	Linux kernel >= 6.8 (upstream), introduced by commit `1279f9d9` (3 Feb 2024)
CVE Identifier	CVE-2024-36972
CVE Description	A use-after-free vulnerability in the Linux kernel unix socket can be exploited to achieve local privilege escalation
CWE Classification(s)	CWE-415: Double Free

CVSS3.1 Scoring System

Base Score: 7.8 (High) Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

(CVE-2024-27828) Apple IOSurfaceRoot Reference Count Leak Leading to Kernel Panic and Code Execution

Mon, 13 May 2024 00:00:00 +0000

CVE: CVE-2024-27828

Affected Versions: iOS and iPadOS before 17.5; tvOS before 17.5; watchOS before 10.5; visionOS before 1.2

CVSS3.1: 7.8 (High) — CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Summary

Product	Apple IOSurface (`IOSurfaceRoot`)
Vendor	Apple
Severity	High — an app may be able to execute arbitrary code with kernel privileges
Affected Versions	iOS/iPadOS < 17.5; tvOS < 17.5; watchOS < 10.5; visionOS < 1.2
Tested Versions	iOS/macOS 14.1 beta (23B5056e)
CVE Identifier	CVE-2024-27828
CVE Description	A memory handling issue may allow an app to execute arbitrary code with kernel privileges; addressed via improved memory handling
CWE Classification(s)	CWE-786: Access of Memory Location Before Start of Buffer; CWE-788: Access of Memory Location After End of Buffer

CVSS3.1 Scoring System

Base Score: 7.8 (High) Vector String: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Send()-ing Myself Belated Christmas Gifts - GitHub.com's Environment Variables & GHES Shell

Mon, 06 May 2024 00:00:00 +0000

Earlier this year, in mid-January, you might have come across this security announcement by GitHub.

In this article, I will unveil the shocking story of how I discovered CVE-2024-0200, a deceptively simple, one-liner vulnerability which I initially assessed to likely be of low impact, and how I turned it into one of the most impactful bugs in GitHub’s bug bounty history.

Spoiler: The vulnerability enabled disclosure of all environment variables of a production container on GitHub.com, including numerous access keys and secrets. Additionally, this vulnerability can be further escalated to achieve remote code execution (RCE) on GitHub Enterprise Servers (GHES), but not on GitHub.com. More on this later.

Send()-ing Myself Belated Christmas Gifts: GitHub.com's Environment Variables & GHES Shell

Mon, 15 Apr 2024 00:00:00 +0000

Short version: while poking at GitHub Enterprise Server (GHES) for an unrelated reason the day after Christmas, I noticed an unvalidated Kernel#send() call in the organization repository settings component. I expected it to be mildly useful, at most leaking file paths or affecting my own organisation. Production GitHub.com proved otherwise.

The primitive

The component in app/components/organizations/settings/repository_items_component.rb forwards a user-controlled rid_key parameter directly to send() on the repository dependency object. Ruby’s Kernel#send dispatches the argument as a method name, which (with the right object graph) gives you a read primitive over arbitrary methods of the target object.

Pwn2Own Vancouver 2024

Fri, 22 Mar 2024 00:00:00 +0000

The 2024 spring edition of Pwn2Own (Pwn2Own Vancouver) was held from 20th March to 21st March 2024 in a hybrid format where participants are back to competing in-person and in virtual.

Route to Safety: Navigating Router Pitfalls

Mon, 18 Mar 2024 00:00:00 +0000

Introduction

Wi-Fi routers have always been an attractive target for attackers. When taken over, an attacker may gain access to a victim’s internal network or sensitive data. Additionally, there has been an ongoing trend of attackers continually incorporating new router exploits into their arsenal for use in botnets, such as the Mirai Botnet.

Consumer grade devices are especially attractive to attackers, due to many security flaws in them. Devices with lower security often contain multiple bugs that attackers can exploit easily, rendering them vulnerable targets. On the other hand, there are more secure devices that offer valuable insights and lessons to learn from.

(CVE-2024-27791) Apple PMP Firmware Out-of-Bounds Write via ApplePMPv2 writeDashboard

Mon, 22 Jan 2024 00:00:00 +0000

CVE: CVE-2024-27791

Affected Versions: iOS and iPadOS before 16.7.5 and before 17.3; macOS Monterey before 12.7.3; macOS Ventura before 13.6.4; macOS Sonoma before 14.3; tvOS before 17.3

CVSS3.1: 7.1 (High) — CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

Summary

Product	Apple PMP Firmware (`ApplePMPv2`)
Vendor	Apple
Severity	High — an app may be able to corrupt co-processor memory
Affected Versions	iOS/iPadOS < 16.7.5, < 17.3; macOS Monterey < 12.7.3; macOS Ventura < 13.6.4; macOS Sonoma < 14.3; tvOS < 17.3
Tested Versions	macOS 13.3 beta3 (Mac Studio); iOS 16.4 latest beta
CVE Identifier	CVE-2024-27791
CVE Description	An app may be able to corrupt coprocessor memory due to improper memory buffer operations; addressed via improved validation
CWE Classification(s)	CWE-119: Improper Restriction of Operations within Memory Buffer Bounds

CVSS3.1 Scoring System

Base Score: 7.1 (High) Vector String: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

(CVE-2023-3368) Chamilo LMS Unauthenticated Command Injection

Tue, 28 Nov 2023 00:00:00 +0000

Summary

Product	Chamilo
Vendor	Chamilo
Severity	High - Adversaries may exploit software vulnerabilities to obtain unauthenticated remote code execution.
Affected Versions	<= v1.11.20
Tested Versions	v1.11.20 (latest version as of writing)
CVE Identifier	CVE-2023-3368
CVE Description	Command injection in `/main/webservices/additional_webservices.php` in Chamilo LMS <= v1.11.20 allows unauthenticated attackers to obtain remote code execution via improper neutralisation of special characters. This is a bypass of CVE-2023-34960.
CWE Classification(s)	CWE-78: Improper Neutralization of Special Elements used in an OS Command
CAPEC Classification(s)	CAPEC-88 OS Command Injection

CVSS3.1 Scoring System

Base Score: 9.8 (Critical)
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:N/C:H/I:H/A:H

(CVE-2023-3533) Chamilo LMS Unauthenticated Remote Code Execution via Arbitrary File Write

Tue, 28 Nov 2023 00:00:00 +0000

Summary

Product	Chamilo
Vendor	Chamilo
Severity	High - Adversaries may exploit software vulnerabilities to obtain unauthenticated remote code execution.
Affected Versions	<= v1.11.20
Tested Versions	v1.11.20 (latest version as of writing)
CVE Identifier	CVE-2023-3533
CVE Description	Path traversal in file upload functionality in `/main/webservices/additional_webservices.php` in Chamilo LMS <= v1.11.20 allows unauthenticated attackers to perform stored cross-site scripting attacks and obtain remote code execution via arbitrary file write.
CWE Classification(s)	CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
CAPEC Classification(s)	CAPEC-139: Relative Path Traversal, CAPEC-76: Manipulating Web Input to File System Calls

CVSS3.1 Scoring System

Base Score: 9.8 (Critical)
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:N/C:H/I:H/A:H

(CVE-2023-3545) Chamilo LMS Htaccess File Upload Security Bypass

Tue, 28 Nov 2023 00:00:00 +0000

Summary

Product	Chamilo
Vendor	Chamilo
Severity	High - Adversaries may exploit software vulnerabilities to obtain unauthenticated remote code execution.
Affected Versions	<= v1.11.20
Tested Versions	v1.11.20 (latest version as of writing)
CVE Identifier	CVE-2023-3545
CVE Description	Improper sanitisation in `main/inc/lib/fileUpload.lib.php` in Chamilo LMS <= v1.11.20 on Windows and Apache installations allows unauthenticated attackers to bypass file upload security protections and obtain remote code execution via uploading of `.htaccess` file. This vulnerability may be exploited by privileged attackers or chained with unauthenticated arbitrary file write vulnerabilities, such as CVE-2023-3533, to achieve remote code execution.
CWE Classification(s)	CWE-178: Improper Handling of Case Sensitivity
CAPEC Classification(s)	CAPEC-650: Upload a Web Shell to a Web Server

CVSS3.1 Scoring System

Base Score: 9.8 (Critical)
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:N/C:H/I:H/A:H

(CVE-2023-4220) Chamilo LMS Unauthenticated Big Upload File Remote Code Execution

Tue, 28 Nov 2023 00:00:00 +0000

Summary

Product	Chamilo
Vendor	Chamilo
Severity	High - Adversaries may exploit software vulnerabilities to obtain unauthenticated remote code execution.
Affected Versions	<= v1.11.24
Tested Versions	v1.11.24 (latest version as of writing)
CVE Identifier	CVE-2023-4220
CVE Description	Unrestricted file upload in big file upload functionality in `/main/inc/lib/javascript/bigupload/inc/bigUpload.php` in Chamilo LMS <= v1.11.24 allows unauthenticated attackers to perform stored cross-site scripting attacks and obtain remote code execution via uploading of web shell.
CWE Classification(s)	CWE-434: Unrestricted Upload of File with Dangerous Type
CAPEC Classification(s)	CAPEC-650: Upload a Web Shell to a Web Server

CVSS3.1 Scoring System

Base Score: 8.1 (High)
Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

(CVE-2023-4221) Chamilo LMS Learning Path PPT2LP OpenofficePresentation Command Injection

Tue, 28 Nov 2023 00:00:00 +0000

Summary

Product	Chamilo
Vendor	Chamilo
Severity	High - Adversaries may exploit software vulnerabilities to obtain unauthenticated remote code execution.
Affected Versions	<= v1.11.24
Tested Versions	v1.11.24 (latest version as of writing)
CVE Identifier	CVE-2023-4221
CVE Description	Command injection in `main/lp/openoffice_presentation.class.php` in Chamilo LMS <= v1.11.24 allows users permitted to upload Learning Paths to obtain remote code execution via improper neutralisation of special characters.
CWE Classification(s)	CWE-78: Improper Neutralization of Special Elements used in an OS Command
CAPEC Classification(s)	CAPEC-88 OS Command Injection

CVSS3.1 Scoring System

Base Score: 7.2 (High)
Vector String: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:N/C:H/I:H/A:H

(CVE-2023-4222) Chamilo LMS Learning Path PPT2LP OpenofficeTextDocument Command Injection

Tue, 28 Nov 2023 00:00:00 +0000

Summary

Product	Chamilo
Vendor	Chamilo
Severity	High - Adversaries may exploit software vulnerabilities to obtain unauthenticated remote code execution.
Affected Versions	<= v1.11.24
Tested Versions	v1.11.24 (latest version as of writing)
CVE Identifier	CVE-2023-4222
CVE Description	Command injection in `main/lp/openoffice_text_document.class.php` in Chamilo LMS <= v1.11.24 allows users permitted to upload Learning Paths to obtain remote code execution via improper neutralisation of special characters.
CWE Classification(s)	CWE-78: Improper Neutralization of Special Elements used in an OS Command
CAPEC Classification(s)	CAPEC-88 OS Command Injection

CVSS3.1 Scoring System

Base Score: 7.2 (High)
Vector String: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:N/C:H/I:H/A:H

(CVE-2023-4223) Chamilo LMS Document Ajax File Upload Functionality Remote Code Execution

Tue, 28 Nov 2023 00:00:00 +0000

Summary

Product	Chamilo
Vendor	Chamilo
Severity	High - Adversaries may exploit software vulnerabilities to obtain unauthenticated remote code execution.
Affected Versions	<= v1.11.24
Tested Versions	v1.11.24 (latest version as of writing)
CVE Identifier	CVE-2023-4223
CVE Description	Unrestricted file upload in `/main/inc/ajax/document.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers with learner role to obtain remote code execution via uploading of PHP files.
CWE Classification(s)	CWE-434: Unrestricted Upload of File with Dangerous Type
CAPEC Classification(s)	CAPEC-650: Upload a Web Shell to a Web Server

CVSS3.1 Scoring System

Base Score: 8.8 (High)
Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

(CVE-2023-4224) Chamilo LMS Dropbox Ajax File Upload Functionality Remote Code Execution

Tue, 28 Nov 2023 00:00:00 +0000

Summary

Product	Chamilo
Vendor	Chamilo
Severity	High - Adversaries may exploit software vulnerabilities to obtain unauthenticated remote code execution.
Affected Versions	<= v1.11.24
Tested Versions	v1.11.24 (latest version as of writing)
CVE Identifier	CVE-2023-4224
CVE Description	Unrestricted file upload in `/main/inc/ajax/dropbox.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers with learner role to obtain remote code execution via uploading of PHP files.
CWE Classification(s)	CWE-434: Unrestricted Upload of File with Dangerous Type
CAPEC Classification(s)	CAPEC-650: Upload a Web Shell to a Web Server

CVSS3.1 Scoring System

Base Score: 8.8 (High)
Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

(CVE-2023-4225) Chamilo LMS Exercise Ajax File Upload Functionality Remote Code Execution

Tue, 28 Nov 2023 00:00:00 +0000

Summary

Product	Chamilo
Vendor	Chamilo
Severity	High - Adversaries may exploit software vulnerabilities to obtain unauthenticated remote code execution.
Affected Versions	<= v1.11.24
Tested Versions	v1.11.24 (latest version as of writing)
CVE Identifier	CVE-2023-4225
CVE Description	Unrestricted file upload in `/main/inc/ajax/exercise.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers with learner role to obtain remote code execution via uploading of PHP files.
CWE Classification(s)	CWE-434: Unrestricted Upload of File with Dangerous Type
CAPEC Classification(s)	CAPEC-650: Upload a Web Shell to a Web Server

CVSS3.1 Scoring System

Base Score: 8.8 (High)
Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

(CVE-2023-4226) Chamilo LMS Work Ajax File Upload Functionality Remote Code Execution

Tue, 28 Nov 2023 00:00:00 +0000

Summary

Product	Chamilo
Vendor	Chamilo
Severity	High - Adversaries may exploit software vulnerabilities to obtain unauthenticated remote code execution.
Affected Versions	<= v1.11.24
Tested Versions	v1.11.24 (latest version as of writing)
CVE Identifier	CVE-2023-4226
CVE Description	Unrestricted file upload in `/main/inc/ajax/work.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers with learner role to obtain remote code execution via uploading of PHP files.
CWE Classification(s)	CWE-434: Unrestricted Upload of File with Dangerous Type
CAPEC Classification(s)	CAPEC-650: Upload a Web Shell to a Web Server

CVSS3.1 Scoring System

Base Score: 8.8 (High)
Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitation of a kernel pool overflow from a restrictive chunk size (CVE-2021-31969)

Fri, 24 Nov 2023 00:00:00 +0000

Introduction

The prevalence of memory corruption bugs persists, posing a persistent challenge for exploitation. This increased difficulty arises from advancements in defensive mechanisms and the escalating complexity of software systems. While a basic proof of concept often suffices for bug patching, the development of a functional exploit capable of bypassing existing countermeasures provides valuable insights into the capabilities of advanced threat actors. This holds particularly true for the scrutinized driver, cldflt.sys, which has consistently received patches every Patch Tuesday since June. Notably, it has become a focal point for threat actors, following the exploits on clfs.sys and afd.sys drivers. In this article, we aim to highlight the significance of cldflt.sys and advocate for increased research into this driver and its associated components.

(CVE-2023-1713) Bitrix24 Remote Command Execution (RCE) via Insecure Temporary File Creation

Wed, 01 Nov 2023 00:00:00 +0000

Summary

Product	Bitrix24
Vendor	Bitrix24
Severity	High
Affected Versions	Bitrix24 22.0.300 (latest version as of writing)
Tested Versions	Bitrix24 22.0.300 (latest version as of writing)
CVE Identifier	CVE-2023-1713
CVE Description	Insecure temporary file creation in bitrix/modules/crm/lib/order/import/instagram.php in Bitrix24 22.0.300 hosted on Apache HTTP Server allows remote authenticated attackers to execute arbitrary code via uploading a crafted “.htaccess” file.
CWE Classification(s)	CWE-73 External Control of File Name or Path; CWE-434 Unrestricted Upload of File with Dangerous Type
CAPEC Classification(s)	CAPEC-549 Local Execution of Code

CVSS3.1 Scoring System

Base Score: 8.8 (High) Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

(CVE-2023-1714) Bitrix24 Remote Command Execution (RCE) via Unsafe Variable Extraction

Wed, 01 Nov 2023 00:00:00 +0000

Summary:

Product	Bitrix24
Vendor	Bitrix24
Severity	High
Affected Versions	Bitrix24 22.0.300 (latest version as of writing)
Tested Versions	Bitrix24 22.0.300 (latest version as of writing)
CVE Identifier	CVE-2023-1714
CVE Description	Unsafe variable extraction in bitrix/modules/main/classes/general/user_options.php in Bitrix24 22.0.300 allows remote authenticated attackers to execute arbitrary code via (1) appending arbitrary content to existing PHP files or (2) PHAR deserialization.
CWE Classification(s)	CWE-73 External Control of File Name or Path; CWE-502 Deserialization of Untrusted Data
CAPEC Classification(s)	CAPEC-549 Local Execution of Code

Product	Bitrix24
Vendor	Bitrix24
Severity	High
Affected Versions	Bitrix24 22.0.300 (latest version as of writing)
Tested Versions	Bitrix24 22.0.300 (latest version as of writing)
CVE Identifier	CVE-2023-1720
CVE Description	Lack of mime type response header in Bitrix24 22.0.300 allows authenticated remote attackers to execute arbitrary JavaScript code in the victim’s browser, and possibly execute arbitrary PHP code on the server if the victim has administrator privilege, via uploading a crafted HTML file through /desktop_app/file.ajax.php?action=uploadfile.
CWE Classification(s)	CWE-434 Unrestricted Upload of File with Dangerous Type
CAPEC Classification(s)	CAPEC-592 Stored XSS

CVSS3.1 Scoring System:

Base Score: 9.6 (Critical) Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Pwn2Own Toronto 2023

Fri, 27 Oct 2023 00:00:00 +0000

The 2023 fall edition of Pwn2Own (Pwn2Own Toronto) was held from 24th October to 27th October 2023 in a hybrid format (offline and online).

SpiritCyber 2023

Wed, 18 Oct 2023 00:00:00 +0000

SpiritCyber is a Capture the Flag (CTF) competition held in Singapore, focused on offensive security and vulnerability research challenges.

At SpiritCyber 2023, STAR Labs researchers competed across two separate teams and claimed both 2nd and 3rd place in the competition.

The teams comprised Billy Jheng Bing-Jhong, Pan Zhenpeng, Li Jiantao, Daniel Lim Wee Soong, Muhammad Alifa Ramdhan, and Nguyễn Hoàng Thạch.

References

STAR Labs — SpiritCyber 2023 (LinkedIn)

A Year Fuzzing XNU Mach IPC

Fri, 13 Oct 2023 00:00:00 +0000

Talk delivered at Hexacon 2023 (Paris, October 2023), covering a sustained fuzzing campaign against XNU’s Mach IPC subsystem. The presentation walks through the fuzzer architecture, corpus construction, bug triage, and a selection of findings uncovered over the course of the year.

Slides available on GitHub

(CVE-2023-4197) Dolibarr ERP CRM (<= 18.0.1) Improper Input Sanitization Authenticated RCE

Wed, 11 Oct 2023 00:00:00 +0000

Summary:

Product	Dolibarr ERP CRM
Vendor	Dolibarr
Severity	High
Affected Versions	<= 18.0.1
Tested Versions	17.0.1, 18.0.1
CVE Identifier	CVE-2023-4197
CVE Description	Improper input validation in Dolibarr ERP CRM <= v18.0.1 fails to strip certain PHP code from user-supplied input when creating a Website, allowing an attacker to inject and evaluate arbitrary PHP code.
CWE Classification(s)	CWE-20: Improper Input Validation
CAPEC Classification(s)	CAPEC-248 Command Injection CAPEC-153: Input Data Manipulation

CVSS3.1 Scoring System:

Base Score: 7.5 (High)
Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

(CVE-2023-4198) Dolibarr ERP CRM (<= 17.0.3) Improper Access Control

Wed, 11 Oct 2023 00:00:00 +0000

Summary:

Product	Dolibarr ERP CRM
Vendor	Dolibarr
Severity	High
Affected Versions	<= 17.0.3
Tested Versions	17.0.1, 17.0.3
CVE Identifier	CVE-2023-4198
CVE Description	Improper Access Control in Dolibarr ERP CRM v17.0.3 allows unauthorized users to read a database table containing sensitive third-party customers’ information via the ajaxcompanies.php endpoint.
CWE Classification(s)	CWE-862 Missing Authorization
CAPEC Classification(s)	CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs

CVSS3.1 Scoring System:

Base Score: 6.5 (Medium)
Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

(CVE-2023-30591) NodeBB Pre-Authentication Denial-of-Service

Fri, 29 Sep 2023 00:00:00 +0000

Summary:

Product	NodeBB
Vendor	NodeBB
Severity	High - Unprivileged attackers are able to cause NodeBB to crash and exit permanently
Affected Versions	< v2.8.11 (Commit 82f0efb)
Tested Versions	v2.8.9 (Commit fb100ac)
CVE Identifier	CVE-2023-30591
CVE Description	Denial-of-service in NodeBB <= v2.8.10 allows unauthenticated attackers to trigger a crash, when invoking `eventName.startsWith()` or `eventName.toString()`, while processing Socket.IO messages via crafted Socket.IO messages containing array or object type for the event name respectively.
CWE Classification(s)	CWE-241: Improper Handling of Unexpected Data Type
CAPEC Classification(s)	CAPEC-153: Input Data Manipulation

CVSS3.1 Scoring System:

Base Score: 7.5 (High)
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Analysis of NodeBB Account Takeover Vulnerability (CVE-2022-46164)

Fri, 29 Sep 2023 00:00:00 +0000

Back in January 2023, I tasked one of our web security interns, River Koh (@oceankex), to perform n-day analysis of CVE-2022-46164 as part of his internship with STAR Labs. The overall goal is to perform an objective assessment of the vulnerability based on the facts gathered. In addition, I challenged him to reproduce the vulnerability without referencing any other materials besides the textual contents of the official advisory by NodeBB.

About CVE-2022-46164

CVE-2022-46164 affects NodeBB, an open-source community forum platform built on Node.js with the addition of either a Redis, MongoDB, or PostgreSQL database. One of the features of the platform is the utilization of the Socket.IO for instant interactions and real-time notifications.

(CVE-2023-41984) Apple AppleSPU Shared Memory Read/Write Mapping Leading to Kernel Panic and Code Execution

Tue, 26 Sep 2023 00:00:00 +0000

CVE: CVE-2023-41984

Affected Versions: macOS Monterey before 12.7; macOS Ventura before 13.6; macOS Sonoma before 14; iOS and iPadOS before 16.7; iOS 17 and iPadOS 17; tvOS before 17; watchOS before 10

CVSS3.1: 7.8 (High) — CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Summary

Product	Apple AppleSPU (`AppleSPUHIDDriverUserClient`)
Vendor	Apple
Severity	High — a local user may be able to execute arbitrary code with kernel privileges
Affected Versions	macOS Monterey < 12.7; macOS Ventura < 13.6; macOS Sonoma < 14; iOS/iPadOS < 16.7; tvOS < 17; watchOS < 10
Tested Versions	macOS 13.4; iOS 16.5
CVE Identifier	CVE-2023-41984
CVE Description	A memory handling issue in Apple operating systems may allow an app to execute arbitrary code with kernel privileges; addressed via improved memory handling
CWE Classification(s)	CWE-732: Incorrect Permission Assignment for Critical Resource

CVSS3.1 Scoring System

Base Score: 7.8 (High) Vector String: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

[P2O Vancouver 2023] SharePoint Pre-Auth RCE chain (CVE-2023–29357 & CVE-2023–24955)

Mon, 25 Sep 2023 00:00:00 +0000

Brief

I may have achieved successful exploitation of a SharePoint target during Pwn2Own Vancouver 2023. While the live demonstration lasted only approximately 30 seconds, it is noteworthy that the process of discovering and crafting the exploit chain consumed nearly a year of meticulous effort and research to complete the full exploit chain.

This exploit chain leverages two vulnerabilities to achieve pre-auth remote code execution (RCE) on the SharePoint server:

Authentication Bypass – An unauthenticated attacker can impersonate as any SharePoint user by spoofing valid JSON Web Tokens (JWTs), using the none signing algorithm to subvert signature validation checks when verifying JWT tokens used for OAuth authentication. This vulnerability has been found right after I started this project for two days.
Code Injection – A SharePoint user with Sharepoint Owners permission can inject arbitrary code by replacing /BusinessDataMetadataCatalog/BDCMetadata.bdcm file in the web root directory to cause compilation of the injected code into an assembly that is subsequently executed by SharePoint. This vulnerability was found on Feb 2022.

The specific part of the Authentication Bypass vuln is: it can access to SharePoint API only. So, the most difficult part is to find the post-auth RCE chain that using SP API.

nftables Adventures: Bug Hunting and N-day Exploitation (CVE-2023-31248)

Mon, 25 Sep 2023 00:00:00 +0000

Product	Typora
Vendor	Typora
Severity	Medium
Affected Versions	Typora for Windows/Linux < 1.7.0-dev
Tested Versions	Typora for Windows 1.6.7, Typora for Linux 1.6.6
CVE Identifier	CVE-2023-2971
CVE Description	Improper path handling in Typora before 1.7.0-dev on Windows and Linux allows a crafted webpage to access local files and exfiltrate them to remote web servers via “typora://app/typemark/”. This vulnerability can be exploited if a user opens a malicious markdown file in Typora, or copies text from a malicious webpage and paste it into Typora.
CWE Classification(s)	CWE-22 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
CAPEC Classification(s)	CAPEC-139 Relative Path Traversal

CVSS3.1 Scoring System:

Base Score: 6.3 (Medium)
Vector String: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

Ghosts of the Past: Classic PHP RCE Bugs in Trend Micro Enterprise Offerings

Fri, 18 Aug 2023 00:00:00 +0000

Talk delivered at HITCON CMT 2023 (Taipei, August 2023). The research examines how well-understood PHP vulnerability patterns — deserialization, file inclusion, command injection — continue to appear in enterprise security products from major vendors, with case studies drawn from Trend Micro’s enterprise line.

Slides available on GitHub

What You See IS NOT What You Get: Pwning Electron-based Markdown Note-taking Apps

Fri, 18 Aug 2023 00:00:00 +0000

Talk delivered at HITCON CMT 2023 (Taipei, August 2023). The presentation explores how Markdown rendering pipelines in popular Electron-based note-taking applications can be abused to achieve code execution, chaining parser quirks with Electron’s Node.js integration.

Slides available on GitHub

MSRC 2023 Most Valuable Security Researchers (Annual)

Tue, 08 Aug 2023 00:00:00 +0000

The MSRC Most Valuable Security Researchers program offers public recognition to researchers who help protect customers by discovering and sharing security vulnerabilities under Coordinated Vulnerability Disclosure.

Ngo Wei Lin, Billy Jheng Bing-Jhong, and Bruce Chen Yu-Jen were recognised as Most Valuable Researchers in Microsoft’s 2023 annual leaderboard, ranking #26 globally — reflecting a year of high-quality vulnerability reports to the Microsoft Security Response Centre.

Under The Hood - Disassembling of IKEA-Sonos Symfonisk Speaker Lamp

Tue, 01 Aug 2023 00:00:00 +0000

We are excited to embark on a series of teardowns to explore the inner workings of various devices. In this particular teardown, our focus will be on the 1st-Generation of IKEA-SONOS SYMFONISK Speaker Lamp, unraveling its captivating inner workings.

Please note that due to prior testing, certain screws, wires, and components have been temporarily removed from the appliance and may not be present during this analysis. However, for the purpose of this exercise, we have meticulously reassembled the SYMFONISK to its approximate original state.

A new method for container escape using file-based DirtyCred

Tue, 25 Jul 2023 00:00:00 +0000

Recently, I was trying out various exploitation techniques against a Linux kernel vulnerability, CVE-2022-3910. After successfully writing an exploit which made use of DirtyCred to gain local privilege escalation, my mentor Billy asked me if it was possible to tweak my code to facilitate a container escape by overwriting /proc/sys/kernel/modprobe instead.

The answer was more complicated than expected; this led me down a long and dark rabbit hole…

In this post, I will discuss the root cause of the vulnerability, as well as the various methods I used to exploit it.

prctl anon_vma_name: An Amusing Linux Kernel Heap Spray

Tue, 25 Jul 2023 00:00:00 +0000

TLDR

prctl PR_SET_VMA (PR_SET_VMA_ANON_NAME) can be used as a (possibly new!) heap spray method targeting the kmalloc-8 to kmalloc-96 caches. The sprayed object, anon_vma_name, is dynamically sized, and can range from larger than 4 bytes to a maximum of 84 bytes. The object can be easily allocated and freed via the prctl syscall, and leaked information can be obtained via reading the proc/pid/maps file. The advantage of this method is that it does not require a cross-cache attack from cg/other caches (unlike other objects such as msg_msg) as anon_vma_name is allocated with the GFP_KERNEL flag.

(CVE-2023-3513) RazerCentralService unsafe deserialization Escalation of Privilege Vulnerability

Fri, 14 Jul 2023 00:00:00 +0000

Summary

Product	Razer CentralService
Vendor	Razer
Severity	High - Adversaries may exploit software vulnerabilities to obtain privilege escalation.
Affected Versions	Razer Central 7.11.0.558 and below
Tested Versions	Razer Central 7.8.0.381 to 7.11.0.558
CVE Identifier	CVE-2023-3513

CVSS3.1 Scoring System

Base Score: 7.8 (High)
Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Metric	Value
Attack Vector (AV)	Local
Attack Complexity (AC)	Low
Privileges Required (PR)	low
User Interaction (UI)	None
Scope (S)	Unchanged
Confidentiality (C)	High
Integrity (I)	High
Availability (A)	High

Product Overview

Razer Synapse 3 is a software suite developed by Razer, a leading gaming hardware manufacturer. It serves as a centralized hub for customizing and optimizing Razer peripherals, including keyboards, mice, headsets, and other gaming accessories. With its intuitive user interface, Synapse 3 allows gamers to personalize their devices by creating unique profiles, assigning macros, and fine-tuning settings such as lighting effects and DPI sensitivity. This software provides seamless integration with cloud storage, enabling users to access their personalized configurations from anywhere. With its advanced features and extensive compatibility, Razer Synapse 3 empowers gamers to enhance their gaming experience and gain a competitive edge.

(CVE-2023-3514) RazerCentralSerivce unsafe NamedPipe permission Escalation of Privilege Vulnerability

Fri, 14 Jul 2023 00:00:00 +0000

Summary

Product	Razer CentralService
Vendor	Razer
Severity	High - Adversaries may exploit software vulnerabilities to obtain privilege escalation.
Affected Versions	Razer Central 7.11.0.558 and below
Tested Versions	Razer Central 7.8.0.381 to 7.11.0.558
CVE Identifier	CVE-2023-3514

CVSS3.1 Scoring System

Base Score: 7.8 (High)
Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Metric	Value
Attack Vector (AV)	Local
Attack Complexity (AC)	Low
Privileges Required (PR)	low
User Interaction (UI)	None
Scope (S)	Unchanged
Confidentiality (C)	High
Integrity (I)	High
Availability (A)	High

Product Overview

MSRC 2023 Q2 Most Valuable Security Researchers

Fri, 14 Jul 2023 00:00:00 +0000

Ngo Wei Lin, Billy Jheng Bing-Jhong, and Bruce Chen Yu-Jen were recognised in Microsoft’s Q2 2023 Most Valuable Security Researchers leaderboard for high-quality vulnerability reports submitted to MSRC.

Breaking the Code - Exploiting and Examining CVE-2023-1829 in cls_tcindex Classifier Vulnerability

Mon, 19 Jun 2023 00:00:00 +0000

Background

The discovery and analysis of vulnerabilities is a critical aspect of cybersecurity research. Today, we will dive into CVE-2023-1829, a vulnerability in the cls_tcindex network traffic classifier found by Valis. We will explore the process of exploiting and examining this vulnerability, shedding light on the intricate details and potential consequences. We have thoroughly tested our exploit on Ubuntu 22.04 with kernel version 5.15.0-25, which was built from the official 5.15.0-25.25 source code.

The Old, The New and The Bypass - One-click/Open-redirect to own Samsung S22 at Pwn2Own 2022

Wed, 14 Jun 2023 00:00:00 +0000

TLDR;

We began our work on Samsung immediately after the release of the Pwn2Own Toronto 2022 target list.

In this article, we will dive into the details of an open-redirect vulnerability discovered during the Pwn2Own 2022 event and how we exploited it on a Samsung S22 device. By breaking down the technical aspects and using code snippets, we aim to provide a comprehensive overview of this critical security flaw.

To begin, I revisited our team’s paper (written by Li Jiantao and Nguyễn Hoàng Thạch) from previous year, where two bugs were identified. One of these bugs was exploited in P2O, while the other was promptly addressed. Interestingly, detailed documentation on one of these bugs is available here, allowing readers to gain a better understanding of this specific vulnerability.

Unearthing Vulnerabilities in the Apple Ecosystem: The Art of KidFuzzerV2.0

Fri, 19 May 2023 00:00:00 +0000

Talk delivered at Offensivecon 2023 (Berlin, May 2023). The presentation introduces KidFuzzerV2.0, a purpose-built fuzzer for Apple kernel and userspace components, detailing the design decisions behind corpus management, mutation strategies, and coverage instrumentation, along with a walkthrough of notable bugs uncovered.

Slides available on GitHub

Microsoft Exchange Powershell Remoting Deserialization leading to RCE (CVE-2023-21707)

Fri, 28 Apr 2023 00:00:00 +0000

Introduction

While analyzing CVE-2022-41082, also known as ProxyNotShell, we discovered this vulnerability which we have detailed in this blog. However, for a comprehensive understanding, we highly recommend reading the thorough analysis written by team ZDI.

To aid in understanding, we present a visual representation of CVE-2022-41082 below.

The sink of ProxyNotShell:

//System.Management.Automation.InternalDeserializer.ReadOneObject()
internal object ReadOneObject(out string streamName)
{
    //...
    Type targetTypeForDeserialization = psobject.GetTargetTypeForDeserialization(this._typeTable); //[1]
    if (null != targetTypeForDeserialization)
    {
        Exception ex = null;
        try
        {
            object obj2 = LanguagePrimitives.ConvertTo(obj, targetTypeForDeserialization, true, CultureInfo.InvariantCulture, this._typeTable); //[2]
        }
    //...
}

At [2], if targetTypeForDeserialization != null, it will continue to call LanguagePrimitives.ConvertTo() to convert the original obj to the Type specified by targetTypeForDeserialization.

(CVE-2023-2017) Shopware 6 Server-side Template Injection (SSTI) via Twig Security Extension

Mon, 17 Apr 2023 00:00:00 +0000

Summary:

Product	Shopware
Vendor	Shopware AG
Severity	High - Users with login access to Shopware Admin panel may be able to obtain remote code/command execution
Affected Versions	v6.4.18.1 <= v6.4.20.0, v6.5.0.0-rc1 <= v6.5.0.0-rc4 (Commit facfc88)
Tested Versions	v6.4.20.0 (Latest stable version), v6.5.0.0-rc3 (Latest pre-release version)
CVE Identifier	CVE-2023-2017
CVE Description	Server-side Template Injection (SSTI) in Shopware 6 (<= v6.4.20.0, v6.5.0.0-rc1 <= v6.5.0.0-rc4), affecting both shopware/core and shopware/platform GitHub repositories, allows remote attackers with access to a Twig environment without the Sandbox extension to bypass the validation checks in `Shopware\Core\Framework\Adapter\Twig\SecurityExtension` and call any arbitrary PHP function and thus execute arbitrary code/commands via usage of fully-qualified names, supplied as array of strings, when referencing callables. Users are advised to upgrade to v6.4.20.1 to resolve this issue. This is a bypass of CVE-2023-22731.
CWE Classification(s)	CWE-184: Incomplete List of Disallowed Inputs, CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine
CAPEC Classification(s)	CAPEC-242: Code Injection

CVSS3.1 Scoring System:

Base Score: 8.8 (High)
Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

MSRC 2023 Q1 Most Valuable Security Researchers

Thu, 13 Apr 2023 00:00:00 +0000

Lê Hữu Quang Linh (#38) was shortlisted for the Q1 2023 Microsoft Most Valuable Security Researchers leaderboard.

(CVE-2023-1872) Linux Kernel io_uring Missing Lock in io_file_get_fixed Leading to Use-After-Free and Local Privilege Escalation

Wed, 12 Apr 2023 00:00:00 +0000

CVE: CVE-2023-1872

Affected Versions: Linux kernel 5.7 through 5.17 (exclusive); stable branches 5.10.170, 5.15.96

CVSS3.1: 7.8 (High) — CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

Product	Linux Kernel (io_uring)
Vendor	Linux Kernel
Severity	High — a local unprivileged attacker may exploit this to achieve local privilege escalation
Affected Versions	Linux kernel 5.7 through 5.17; stable branches 5.10.170, 5.15.96
CVE Identifier	CVE-2023-1872
CVE Description	A use-after-free vulnerability in the Linux kernel io_uring subsystem can be exploited to achieve local privilege escalation
CWE Classification(s)	CWE-416: Use After Free

CVSS3.1 Scoring System

Base Score: 7.8 (High) Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Pwn2Own Vancouver 2023

Sat, 25 Mar 2023 00:00:00 +0000

The 2023 spring edition of Pwn2Own (Pwn2Own Vancouver) was held from 23rd March to 25th March 2023 in a hybrid format where participants are back to competing in-person and in virtual.

CS-Cart PDF Plugin Unauthenticated Command Injection

Fri, 03 Mar 2023 00:00:00 +0000

Summary

A command injection vulnerability exists in CS-Cart’s HTML to PDF converter (https://github.com/cscart/pdf) allowing unauthenticated attackers to achieve remote command execution (RCE). The vulnerability only affects the HTML to PDF converter service and the default hosted service at converter.cart-services.com (maintained by CS-Cart’s development team) used by the PDF converter plugin, and does not allow for RCE against base installations of CS-Cart.

Product Background

In CS-Cart v4.13.2, the HTML to PDF converter is an optional plugin (disabled by default) for printing PDF documents in CS-Cart. However, the plugin is built-in and enabled by default in CS-Cart v4.13.1 or below.

Microsoft Azure Account Takeover via DOM-based XSS in Cosmos DB Explorer

Fri, 24 Feb 2023 00:00:00 +0000

Upon finding the vulnerability, our team member, Ngo Wei Lin (@Creastery), immediately reported it to the Microsoft Security Response Center (MSRC) on 19th March 2022, who fixed the important issue with a fix commited in the repo within seven days, which is impressive and a much faster response than other Microsoft bugs which we reported previously. The fix was pushed down to Azure Cosmos DB Explorer on 31st March 2022.

About the DOM XSS Vulnerability

The Azure Cosmos DB Explorer incorrectly accepts and processs cross-origin messages from certain domains. A remote attacker can take over a victim Azure user’s account by delivering a DOM-based XSS payload via a cross-origin message.

STAR LABS SG PTE. LTD. has been authorized by the CVE Program as a CVE Numbering Authority (CNA)

Wed, 22 Feb 2023 00:00:00 +0000

STAR LABS SG PTE. LTD. (STAR Labs) announced today that it has become a CVE Numbering Authority (CNA) for the Common Vulnerabilities and Exposures (CVE®) system, a global cybersecurity community.

As a CNA, STAR LABS is authorized to assign CVE Identifiers（CVE IDs）to newly discovered vulnerabilities and publicly disclose information about these vulnerabilities through CVE Records. Identifying vulnerabilities with CVE IDs can speed up the awareness and understanding of those vulnerabilities, enabling security researchers and system managers to expedite solutions. Going forward, as a CNA, STAR LABS will practice responsible and timely disclosure when publishing CVE Records for vulnerabilities we discover, enhancing coverage and cyber security for the industry.

Gotta KEP-tcha 'Em All - Bypassing Anti-Debugging methods in KEPServerEX

Fri, 17 Feb 2023 00:00:00 +0000

Background

Lately, my focus has been on discovering any potential vulnerabilities in KEPServerEX. KEPServerEX is the industry’s leading connectivity platform that provides a single source of industrial automation data to all your applications. Users can connect, manage, monitor, and control diverse automation devices and software applications through one intuitive user interface.

This software employs multiple anti-debugging measures, making it challenging to discover any vulnerabilities and performing fuzzing on it. In this regard, I would like to share my perspective on the issue and my strategy for circumventing these measures.

Dissecting the Vulnerabilities - A Comprehensive Teardown of acmailer's N-Days

Thu, 16 Feb 2023 00:00:00 +0000

Introduction

In this post, one of our recent intern, Wang Hengyue (@w_hy_04) was given the task to analyse CVE-2021-20617 & CVE-2021-20618 in acmailer since there isn’t any public information on it. Today, we’ll be sharing his journey in dissecting the vulnerabilities in acmailer. Both vulnerabilities were originally found by ma.la

acmailer is a Perl-based email delivery application that provides functionality centered around sending mass emails, with associated functions such as registration and unregistration forms, surveys, and email templating.

Pwn2Own Miami 2023

Thu, 16 Feb 2023 00:00:00 +0000

Pwn2Own Miami was held from 14th February to 16th February 2023 in a hybrid format (offline and online). STAR Labs came in 4th in this edition of Pwn2Own.

Deconstructing and Exploiting CVE-2020-6418

Wed, 21 Dec 2022 00:00:00 +0000

As part of my internship at STAR Labs, I conducted n-day analysis of CVE-2020-6418. This vulnerability lies in the V8 engine of Google Chrome, namely its optimizing compiler Turbofan. Specifically, the vulnerable version is in Google Chrome’s V8 prior to 80.0.3987.122. In this article, I will give a step-by-step analysis of the vulnerability, from the root cause to exploitation.

Background

In JavaScript, objects do not have a fixed type. Instead, V8 assigns each object a Map that reflects its type. This Map is considered reliable if it is guaranteed to be correct at that specific point in time, and it is unreliable if it could have been modified by another node beforehand. If the Map is unreliable, the object must be checked to have the correct type before it is used. This is done by insertion of CheckMaps nodes or CodeDependencies. When trying to optimise, Turbofan aims to insert as few Map checks as possible, and tries to do so only when necessary (i.e when the Map is unreliable and is going to be accessed).

(CVE-2022-44667) Windows CDirectMusicPortDownload Integer Overflow Vulnerability

Tue, 13 Dec 2022 00:00:00 +0000

Summary

Product	Microsoft DirectMusic
Vendor	Microsoft
Severity	High
Affected Versions	Microsoft DirectMusic Core Services DLL (dmusic.dll) version 10.0.22000.1
Tested Versions	Microsoft DirectMusic Core Services DLL (dmusic.dll) version 10.0.22000.1
CVE Identifier	CVE-2022-44667

CVSS3.1 Scoring System

Base Score: 7.8 (High)
Vector String: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Metric	Value
Attack Vector (AV)	Local
Attack Complexity (AC)	Low
Privileges Required (PR)	None
User Interaction (UI)	Required
Scope (S)	Unchanged
Confidentiality (C)	High
Integrity (I)	High
Availability (A)	High

Product Overview

Microsoft DirectMusic Core Services DLL is a dynamic link library (DLL) that is part of the DirectMusic component of the DirectX multimedia API for Windows operating systems. DirectMusic is a high-level music composition and playback system designed to simplify the process of creating and playing back music in Windows-based multimedia applications.

(CVE-2022-44668) Windows DirectMusicPortDownload Double Free Vulnerability

Tue, 13 Dec 2022 00:00:00 +0000

Summary

Product	Microsoft DirectMusic
Vendor	Microsoft
Severity	High
Affected Versions	Microsoft DirectMusic Core Services DLL (dmusic.dll) version 10.0.22000.1
Tested Versions	Microsoft DirectMusic Core Services DLL (dmusic.dll) version 10.0.22000.1
CVE Identifier	CVE-2022-44668

CVSS3.1 Scoring System

Base Score: 7.8 (High)
Vector String: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Metric	Value
Attack Vector (AV)	Local
Attack Complexity (AC)	Low
Privileges Required (PR)	None
User Interaction (UI)	Required
Scope (S)	Unchanged
Confidentiality (C)	High
Integrity (I)	High
Availability (A)	High

Product Overview

Pwn2Own Toronto 2022

Fri, 09 Dec 2022 00:00:00 +0000

The 2022 fall edition of Pwn2Own (Pwn2Own Toronto) was held from 06th December to 09th December 2022 in a hybrid format (offline and online). STAR Labs came in 4th in this edition of Pwn2Own.

The Last Breath of Our Netgear RAX30 Bugs - A Tragic Tale before Pwn2Own Toronto 2022

Tue, 06 Dec 2022 00:00:00 +0000

Background

Some time ago, we were playing with some Netgear routers and we learned so much from this target.

However, Netgear recently patched several vulnerabilities in their RAX30 router firmware, including the two vulnerabilities in the DHCP interface for the LAN side and one remote code execution vulnerability on the WAN side which we prepared for Pwn2Own Toronto 2022. This blog post focuses on the vulnerabilities found in version 1.0.7.78You can download the firmware from this link, and easily extract the firmware by using binwalk. All vulnerabilities were found and tested in version 1.0.7.78 of Netgear RAX30. Versions 1.0.7.78 and earlier are known to be susceptible as well.

TheHole New World - how a small leak will sink a great browser (CVE-2021-38003)

Tue, 06 Dec 2022 00:00:00 +0000

Introduction

CVE-2021-38003 is a vulnerability that exists in the V8 Javascript engine. The vulnerability affects the Chrome browser before stable version 95.0.4638.69, and was disclosed in October 2021 in google’s chrome release blog, while the bug report was made public in February 2022.

The vulnerability will cause a special value in V8 called TheHole being leaked to the script. This can lead to a renderer RCE in a Chromium-based browser, and has been used in the wild.

Multiple Vulnerabilities in Proxmox VE & Proxmox Mail Gateway

Fri, 02 Dec 2022 00:00:00 +0000

Background

Proxmox Virtual Environment (Proxmox VE or PVE) is an open-source type-1 hypervisor. It includes a web-based management interface programmed in Perl. Another Proxmox product written in Perl, Proxmox Mail Gateway (PMG), comes with a similar web management interface. They share some of the codebases.

In this article, I will introduce how to debug PVE’s web service step-by-step and analyse three bugs I have found in PVE and PMG.

[UPDATE] This is a quick and minor update to this blog post. MITRE email back to us on 9th December 2022 assigned CVE-2022-35507 & CVE-2022-35508 for the remaining 2 bugs

How to Backup and Pwn using Time Machine

Thu, 10 Nov 2022 00:00:00 +0000

Talk delivered at Power of Community (POC) 2022 (Seoul, November 2022). The research examines how macOS Time Machine’s backup and restore workflows introduce privileged operations that can be abused by a local attacker to escalate privileges, bypassing standard macOS hardening features.

Slides available on GitHub

The Journey To Hybrid Apple Driver Fuzzing

Thu, 10 Nov 2022 00:00:00 +0000

Talk delivered at Power of Community (POC) 2022 (Seoul, November 2022). The presentation describes a hybrid fuzzing architecture that combines coverage-guided feedback with grammar-aware generation to fuzz Apple kernel drivers more effectively, and surveys the vulnerability classes uncovered.

Slides available on GitHub

Microsoft SharePoint Server Post-Authentication Server-Side Request Forgery vulnerability

Tue, 25 Oct 2022 00:00:00 +0000

Overview

Disclaimer: No anime characters or animals were harmed during the research. The bug had been fixed but it did not meet that criterion required to get CVE.

Recently, we have found a Server-Side Request Forgery (SSRF) in Microsoft SharePoint Server 2019 which allows remote authenticated users to send HTTP(S) requests to arbitrary URL and read the responses. The endpoint <site>/_api/web/ExecuteRemoteLOB is vulnerable to Server-Side Request Forgery (SSRF). The HTTP(S) request is highly customizable in request method, path, headers and bodies. An attacker with the ability to perform SSRF attacks can scan the internal network, check for the existence of services on the host’s local network and potentially exploit other web services.

MSRC 2022 Q3 Most Valuable Security Researchers

Mon, 24 Oct 2022 00:00:00 +0000

Lê Hữu Quang Linh (#9) was shortlisted for the Q3 2022 Microsoft Most Valuable Security Researchers leaderboard.

References

MSRC blog: Top Q3 2022 Security Researchers

Apple CoreText - An Unexpected Journey to Learn about Failure

Thu, 29 Sep 2022 00:00:00 +0000

Late last year, I have focused my research on the CoreText framework for 2-3 months. In particular, the code related to the text shaping engine and the code responsible for parsing the AAT tables.

During this research, I found an OOB (Out-Of-Bounds) Write in the morx table. This series of writeups is to document my whole process, from selecting this attack surface to finding the bug to writing an exploit for it in Safari. I hope this is helpful for anyone interested in starting researching in this area or who wants to help finish the exploit on Safari (because it’s not done yet) :D

Step-by-Step Walkthrough of CVE-2022-32792 - WebKit B3ReduceStrength Out-of-Bounds Write

Thu, 08 Sep 2022 00:00:00 +0000

Recently, ZDI released the advisory for a Safari out-of-bounds write vulnerability exploited by Manfred Paul (@_manfp) in Pwn2Own. We decided to take a look at the patch and try to exploit it.

The patch is rather simple: it creates a new function (IntRange::sExt) that is used to decide the integer range after applying a sign extension operation (in rangeFor). Before this patch, the program assumes that the range stays the same after applying sign extension. This is incorrect and can result in wrongly removing an overflow/underflow check.

Exploiting WebKit JSPropertyNameEnumerator Out-of-Bounds Read (CVE-2021-1789)

Fri, 19 Aug 2022 00:00:00 +0000

Initially, our team member, Đỗ Minh Tuấn, wanted to write about the RCA (Root Cause Analysis) of CVE-2021-1870 which APT used. But Maddie Stone pointed it to us that it was actually CVE-2021-1789. None-the-less, we would still want to share with everyone the analysis done by Đỗ Minh Tuấn.

The bug is assigned CVE-2021-1789 in security content of Safari 14.0.3. We successfully exploited it on WebKitGTK <= 2.30.5 or equivalent on WebKit.

JSPropertyNameEnumerator is an internal object that helps JSC handle for...in loop. JavaScriptCore (JSC) uses this object to cache information about the base object we put into the loop. JSC also allows iterating through the prototype chain of the base object, which means it can go through a proxy with a trap callback. However, JSC does not check the final size of the base object after iterating, leading to an out-of-bounds read.

All Roads Lead to GKE's Host: 4+ Ways to Escape

Thu, 11 Aug 2022 00:00:00 +0000

Talk delivered at DEF CON 30 (Las Vegas, August 2022). The research catalogues four independent escape paths from Google Kubernetes Engine (GKE) pods to the host node, covering privilege escalation through misconfigured admission controllers, kernel vulnerabilities, and GKE-specific attack surfaces. The findings were responsibly disclosed to Google.

Slides (GitHub) · Official DEF CON mirror

MSRC 2022 Most Valuable Security Researchers (Annual)

Tue, 09 Aug 2022 00:00:00 +0000

Ngo Wei Lin (#48) was shortlisted in Microsoft’s 2022 annual Most Valuable Security Researchers leaderboard.

References

Gitlab Project Import RCE Analysis (CVE-2022-2185)

Thu, 21 Jul 2022 00:00:00 +0000

At the beginning of this month, GitLab released a security patch for versions 14->15. Interestingly in the advisory, there was a mention of a post-auth RCE bug with CVSS 9.9.

The bug exists in GitLab’s Project Imports feature, which was found by @vakzz. Incidentally, when I rummaged in the author’s h1 profile. I discovered that four months ago, he also found a bug in the import project feature:

Initially, I thought it was tempting after seeing the bounty, so I started learning Rails and debugged this bug! (who would have thought that 30k wouldn’t be so easy ( ° ͜ʖ ͡°) )

(CVE-2022-26438) Asus System Control Interface Backup Local Privilege Escalation (LPE)

Wed, 13 Jul 2022 00:00:00 +0000

Summary:

Product	Asus System Control Interface
Vendor	Asus
Severity	High - Adversaries may exploit this software vulnerability to set weak file permissions, leading to local privilege escalation.
Affected Versions	MyASUS: 3.1.5.0 ASUS System Control Interface: 3.1.4.0 File Version: 1.0.9.0 (AsusSwitch.exe)
Tested Versions	MyASUS: 3.1.5.0 ASUS System Control Interface: 3.1.4.0 File Version: 1.0.9.0 (AsusSwitch.exe)
CVE Identifier	CVE-2022-26438
CWE	CWE-276 - Incorrect Default Permissions

CVSS3.1 Scoring System:

Base Score: 7.8 (High)
Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

(CVE-2022-26439) Asus System Control Interface Software Update Arbitrary File Deletion

Wed, 13 Jul 2022 00:00:00 +0000

Summary:

Product	Asus System Control Interface
Vendor	Asus
Severity	Medium - Adversaries may exploit this software vulnerability to set weak file permissions, leading to local privilege escalation.
Affected Versions	MyASUS: 3.1.5.0 ASUS System Control Interface: 3.1.4.0 File Version: 1.0.52.0 (AsusSoftwareManager.exe) 1.0.44.0 (AsusLiveUpdate.dll)
Tested Versions	MyASUS: 3.1.5.0 ASUS System Control Interface: 3.1.4.0 File Version: 1.0.52.0 (AsusSoftwareManager.exe) 1.0.44.0 (AsusLiveUpdate.dll)
CVE Identifier	CVE-2022-26439
CWE

CVSS3.1 Scoring System:

Base Score: 6.0 (High)
Vector String: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

Metric	Value
Attack Vector (AV)	Local
Attack Complexity (AC)	Low
Privileges Required (PR)	High
User Interaction (UI)	None
Scope (S)	Unchanged
Confidentiality (C)	None
Integrity (I)	High
Availability (A)	High

Description of the vulnerability

The ASUS Control Interface is a set of drivers that are installed to help manage computers with ASUS hardware. To interact with the functionality that these drivers provide, the Windows Store application MyASUS is required. The program has the functionality of manually checking for software updates. To do so, it communicates with AsusSoftwareManager (AsusSoftwareManager.exe) service which runs with SYSTEM privileges to check for updates.

io_uring - new code, new bugs, and a new exploit technique

Fri, 24 Jun 2022 00:00:00 +0000

For the past few weeks, I have been working on conducting N-day analysis and bug hunting in the io_uring subsystem of the Linux kernel with the guidance of my mentors, Billy and Ramdhan.

In this article, I will briefly discuss the io_uring subsystem, as well as my approach to discovering and developing a new kernel exploit technique during my N-day analysis of CVE-2021-41073. I will also discuss two bugs I found while analyzing a new io_uring feature.

Trying To Exploit A Windows Kernel Arbitrary Read Vulnerability

Tue, 07 Jun 2022 00:00:00 +0000

Introduction

I recently discovered a very interesting kernel vulnerability that allows the reading of arbitrary kernel-mode address. Sadly, the vulnerability was patched in Windows 21H2 (OS Build 22000.675), and I am unsure of the CVE being assigned to it. In this short blog post, I will share my journey of trying to exploit this vulnerability. Although I didn’t finish the exploit in the end, I have decided to share this with everyone anyway. This is also my attempt to find an answer based on this discussion.

New Wine in Old Bottle - Microsoft Sharepoint Post-Auth Deserialization RCE (CVE-2022-29108)

Thu, 12 May 2022 00:00:00 +0000

Introduction

Recently, I have had a some work which is related to Sharepoint, so I was learning on how to setup and debug old bugs of Sharepoint.

In February, there was a Deserialization bug CVE-2022-22005 (post-auth of course). There is already a detailed analysis blog post about that written by a Vietnamese guy (here). The blog is written with great enthusiasm and detail. I also rely on the details in that blog to setup and debug. And because the bug written in this article will be related to it, I recommend you read through the article above once to easily understand this article!

A Journey of Hunting macOS Kernel Vulnerabilities

Thu, 21 Apr 2022 00:00:00 +0000

Talk delivered at Zer0Con 2022 (Seoul, April 2022). The presentation walks through a sustained effort to find exploitable vulnerabilities in the macOS kernel, covering target selection, code review methodology, fuzzer design, and a discussion of the patches that resulted.

Slides available on GitHub

A Case Study of an Incorrect Bitwise AND Optimization in V8

Wed, 06 Apr 2022 00:00:00 +0000

Talk delivered at the NUS GreyHats Security Wednesday series (April 2022). A deep dive into CVE-2021-30599, an incorrect bitwise AND optimization in V8’s JIT compiler. The presentation covers how the compiler miscompilation was discovered, how it can be turned into a type confusion primitive, and what the broader takeaway is for auditing JIT compilers.

Slides available on GitHub

An Introduction to Manual Source Code Review

Wed, 06 Apr 2022 00:00:00 +0000

Talk delivered at the NUS GreyHats Security Wednesday series (April 2022). The session introduces a structured approach to manual source code review: how to identify trust boundaries, trace data flows, and focus attention on the components most likely to harbour exploitable bugs — the things automated scanners consistently miss.

Slides available on GitHub

(CVE-2021-4206) QEMU QXL Integer overflow leads to Heap Overflow

Mon, 28 Mar 2022 00:00:00 +0000

CVE: CVE-2021-4206

Tested Versions:

QEMU < v6.0.0

Product URL(s): https://www.qemu.org/

Description of the vulnerability

Technical Details

QXL, the QEMU QXL video accelerator, is a para-virtualized framebuffer device for the SPICE protocol. It is the default video device when we create a VM from virt-manager. It exposes the RAMs and I/O ports to let guest communicate with it.

00:01.0 VGA compatible controller: Red Hat, Inc. QXL paravirtual graphic card (rev 04) (prog-if 00 [VGA controller])
        Subsystem: Red Hat, Inc. QEMU Virtual Machine
        Flags: fast devsel, IRQ 21
        Memory at f4000000 (32-bit, non-prefetchable) [size=64M]
        Memory at f8000000 (32-bit, non-prefetchable) [size=64M]
        Memory at fcc14000 (32-bit, non-prefetchable) [size=8K]
        I/O ports at c040 [size=32]
        Expansion ROM at 000c0000 [disabled] [size=128K]
        Kernel driver in use: qxl
        Kernel modules: qxl

On its RAMs, QXL implements different rings for different purposes. The space cursor points to the device RAMs, which means the guest controls its content. In cursor_ring, the guest can push a cursor command to tell the video driver how to render a cursor or where to place the cursor. After we push a command and notify the device to handle the command, the function qxl_cursor will be called. It will use cursor->header.width and cursor->header.height to allocate enough space for forward use.

(CVE-2021-4207) QEMU QXL Integer overflow leads to Heap Overflow

Mon, 28 Mar 2022 00:00:00 +0000

CVE: CVE-2021-4207

Tested Versions:

QEMU < v6.0.0

Product URL(s): https://www.qemu.org/

Description of the vulnerability

Technical Details

00:01.0 VGA compatible controller: Red Hat, Inc. QXL paravirtual graphic card (rev 04) (prog-if 00 [VGA controller])
        Subsystem: Red Hat, Inc. QEMU Virtual Machine
        Flags: fast devsel, IRQ 21
        Memory at f4000000 (32-bit, non-prefetchable) [size=64M]
        Memory at f8000000 (32-bit, non-prefetchable) [size=64M]
        Memory at fcc14000 (32-bit, non-prefetchable) [size=8K]
        I/O ports at c040 [size=32]
        Expansion ROM at 000c0000 [disabled] [size=128K]
        Kernel driver in use: qxl
        Kernel modules: qxl

On its RAMs, QXL implements different rings for different purposes. The space cursor points are device RAMs, which means the guest controls its content. In cursor_ring, the guest can push a cursor command to tell the video driver how to render a cursor or where to place the cursor. After we push a command and notify the device to handle the command, the function qxl_cursor will be called. It will fetch cursor->header.width and cursor->header.height to allocate enough space for forward use.

(CVE-2022-0168) Linux Kernel smb2_ioctl_query_info NULL Pointer Dereference

Mon, 28 Mar 2022 00:00:00 +0000

CVE: CVE-2022-0168

Tested Versions:

Linux kernels 5.4–5.12, 5.13-rc+HEAD

Description of the vulnerability

Common Internet File System (CIFS) is a network filesystem protocol used for providing shared access to files and printers between machines on the network. A CIFS client application can read, write, edit and even remove files on the remote server. Linux can use the ioctl system call on CIFS file for query information. In the function smb2_ioctl_query_info, it incorrectly verify the return from the memdup_user function [2]. qi.output_buffer_length is grabbing from copy_from_user [1] which is user control value. If qi.output_buffer_length is equal to zero, the memdup_user function returns 0x10, which is not a valid ptr but can pass the check in [3].

(CVE-2022-0216) QEMU LSI SCSI Use After Free

Mon, 28 Mar 2022 00:00:00 +0000

CVE: CVE-2022-0216

Tested Versions:

QEMU < v6.0.0

Product URL(s):

https://www.qemu.org/

Description of the vulnerability

Technical Details

The vulnerability resides in the hw/scsi/lsi53c895a.c specifically in lsi_do_msgout function. lsi_do_msgout function is used to receive messages from the OS, and do something based on that message. In this case, one message only has one-byte size.

static void lsi_do_msgout(LSIState *s)
{
    uint8_t msg;
    int len;
    uint32_t current_tag;
    lsi_request *current_req, *p, *p_next;

    if (s->current) {
        current_tag = s->current->tag;
        current_req = s->current; // [1]
    } else {
        current_tag = s->select_tag;
        current_req = lsi_find_by_tag(s, current_tag);
    }

    trace_lsi_do_msgout(s->dbc);
    while (s->dbc) { // s->dbc is controlled
        msg = lsi_get_msgbyte(s);
        s->sfbr = msg;

        switch (msg) {
		...
        case 0x0d:
            /* The ABORT TAG message clears the current I/O process only. */
            trace_lsi_do_msgout_abort(current_tag);
            if (current_req) { // current_req = s->current
                scsi_req_cancel(current_req->req); // [1] cancel scsi request, s->current will be freed and s->current = NULL
            }
            lsi_disconnect(s);
            break;
		...
        }
    }
    return;
bad:
    qemu_log_mask(LOG_UNIMP, "Unimplemented message 0x%02x\n", msg);
    lsi_set_phase(s, PHASE_MI);
    lsi_add_msg_byte(s, 7); /* MESSAGE REJECT */
    s->msg_action = LSI_MSG_ACTION_COMMAND;
}

s->current is lsi_request object which is created and allocated every time we request SCSI command from OS. Using lsi_do_msgout, we can cancel the current SCSI request by calling the lsi_do_msgout function and sending 0x0d message. By sending 0x0d message in lsi_do_msgout function, it will call scsi_req_cancel with current_req->req as argument. The problem is that after the SCSI request is canceled, s->current will be freed, but current_req is not null-ed which will point to the freed buffer. Because current_req is freed, by sending the next message byte with 0x0d again. current_req->req will have an invalid value and can lead to undefined behavior or crash.

Pwn2Own Vancouver 2022: Master of Pwn

Tue, 22 Mar 2022 00:00:00 +0000

The 2022 spring edition of Pwn2Own (Pwn2Own Vancouver) was held from 18th March to 20th March 2022 in a hybrid format where participants are back to competing in-person and in virtual due to the ongoing COVID-19 pandemic that has limited some contestants’ traveling operations.

(CVE-2022-28730) Apache JSPWiki v2.11.1 - Reflected XSS in AjaxPreview.jsp

Mon, 14 Mar 2022 00:00:00 +0000

CVE: CVE-2022-28730

Tested Versions:

Latest release v2.11.2

CVSSv3.1 Base Score: 5.4 (Medium)

CVSSv3.1 String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Product URL(s):

https://github.com/apache/jspwiki/

Description of the vulnerability

Due to the lack of sanitzation before displaying the rendered preview to the user resulted in a Reflected XSS vulnerability at the AJAXPreview.jsp end-point. As a result, an unauthenticated attacker is able to execute arbitrary JavaScript code by deceiving an authenticated Admin user to trigger a specially crafted payload, resulting in potential state-changing actions being carried out.

(CVE-2022-26718) macOS smbfs Out-of-Bounds Read due to parse nic info

Fri, 04 Mar 2022 00:00:00 +0000

CVE: CVE-2022-26718

Tested Versions:

macOS 11.x.x <= 11.6.4
macOS 12.x.x <= 12.2.1

Product URL(s):

https://www.apple.com/

Description of the vulnerability

smbfs stands for Samba file system of macOS, which is used for communication and linking with Samba file server. smbfs allows users to connect a remote shared folder to Finder.

smbfs is a macOS driver containing two components one is netsmb and the other one is smbfs, this driver also has public open source at this link but it is only available for macOS 11.5. netsmb is used to setup authentication, do initialization, send and receive data from SMB file server. smbfs was implemented as a filesystem handler for accessing from local users such as: open, read, write, copy operations in client machines.

MSRC 2021 Q4 Most Valuable Security Researchers

Tue, 01 Feb 2022 00:00:00 +0000

Ngo Wei Lin (#18) was shortlisted for the Q4 2021 Microsoft Most Valuable Security Researchers leaderboard.

References

MSRC blog: Top Q4 2021 Security Researchers

The Cat Escaped from the Chrome Sandbox

Fri, 21 Jan 2022 00:00:00 +0000

Introduction

On 13th September 2021, Google published the security advisory for Google Chrome. That advisory states that Google is aware of two vulnerabilities exploited in the wild, CVE-2021-30632 as RCE and CVE-2021-30633 as Sandbox Escape.

In this post, I will talk about the bypass sandbox vulnerability CVE-2021-30633. Man Yue Mo had published a very detailed blog post explaining CVE-2021-30632, which is a Type Confusion bug that leads to RCE in Chrome.

In summary, the sandbox bypass is made possible because of a Use-After-Free (UAF) bug in the IndexedDB API, chained with a Out-of-Bounds (OOB) Write bug in V8, and triggered via Mojo IPC connection. As a disclaimer, this is not a bug that I had found. I made this post to help me organise my thoughts to understand the bug and the exploit. I will carry out a root cause analysis of the Sandbox Escape and discuss my observation and understanding of the full-chain exploit.

(CVE-2022-21877) Storage Spaces Controller Information Disclosure Vulnerability

Tue, 11 Jan 2022 00:00:00 +0000

Summary

Product	Storage Spaces
Vendor	Microsoft
Severity	Medium
Affected Versions	spaceport.sys in Windows 10 and Windows Server 2019
Tested Versions	spaceport.sys in Windows 10 and Windows Server 2019
CVE Identifier	CVE-2022-21877

CVSS3.1 Scoring System

Base Score: 5.5 (Medium)
Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Metric	Value
Attack Vector (AV)	Local
Attack Complexity (AC)	Low
Privileges Required (PR)	Low
User Interaction (UI)	None
Scope (S)	Unchanged
Confidentiality (C)	High
Integrity (I)	None
Availability (A)	None

Product Overview

Storage Spaces is a technology in Windows and Windows Server that can help protect your data from drive failures. It is conceptually similar to RAID, implemented in software. You can use Storage Spaces to group three or more drives together into a storage pool and then use capacity from that Pool to create Storage Spaces. These typically store extra copies of your data, so if one of your drives fails, you still have an intact copy of your data. If you run low on capacity, just add more drives to the storage pool. By abusing storage pools that are authorized for common users to access, storage space object and tier object. An attacker can set the properties of a tier object to trigger the bug, through which it is possible to leak data in the kernel if the appropriate value is passed.

VM Escape Case Study: VirtualBox Bug Hunting and Exploitation

Sat, 04 Dec 2021 00:00:00 +0000

Talk delivered at IDSECCONF 2021 (Indonesia, December 2021). The presentation walks through a complete VM escape case study targeting Oracle VirtualBox: how target areas were selected, how bugs were discovered through code review and dynamic analysis, and how findings were chained into a working exploit.

Slides available on GitHub

The Great Escape: A Case Study of VM Escape and EoP Vulnerabilities

Fri, 26 Nov 2021 00:00:00 +0000

Talk delivered at HITCON 2021 (Taipei, November 2021). The presentation examines how VM escape bugs and host-level elevation-of-privilege vulnerabilities are identified and chained together to achieve full host compromise, drawing on real cases from vulnerability research and competition settings.

Slides available on GitHub

Diving into Open-source LMS Codebases

Tue, 16 Nov 2021 00:00:00 +0000

Introduction

Looking to practice on source code review, I had been diving into how open-source LMS codebases are structured in order to find undiscovered vulnerabilities. Initially, my main focus had been on Chamilo LMS (their source code can be found on GitHub). Afterwards, I looked into Moodle LMS (their source code can also be found on GitHub).

The majority of the findings that were found are the ones you would think of when you hear the words “common web application vulnerabilities”, such as:

Pwn2Own Austin 2021

Thu, 04 Nov 2021 00:00:00 +0000

The 2021 fall edition of Pwn2Own (Pwn2Own Austin) was held from 02nd November to 04th November 2021 in a virtual format due to the ongoing COVID-19 pandemic that has limited many contestants’ traveling operations.

TianFu Cup 2021

Sun, 17 Oct 2021 00:00:00 +0000

The TianFu Cup International Cyber Security Competition is China’s premier hacking competition for security practitioners — modelled after Pwn2Own, with all teams required to use original vulnerabilities to compromise their targets.

Billy Jheng Bing-Jhong and Muhammad Alifa Ramdhan successfully pwned QEMU twice — including one entry with a Local Privilege Escalation — and were awarded the Best Demo prize.

原创漏洞演示复现赛

MSRC 2021 Q3 Most Valuable Security Researchers

Thu, 14 Oct 2021 00:00:00 +0000

Ngo Wei Lin (#27) was shortlisted for the Q3 2021 Microsoft Most Valuable Security Researchers leaderboard.

References

MSRC blog: Top Q3 2021 Security Researchers

Analysis of CVE-2021-1758 (CoreText Out-Of-Bounds Read)

Tue, 14 Sep 2021 00:00:00 +0000

References:

STARLabs Advisory STAR-21-1758

In February, Peter found a OOB read vulnerability in libFontParser.dylib. The latest tested version with the vulnerability is macOS Catalina 10.15.4 (19E287).

I wrote a guide earlier on setting up a testing environment.

Mac Resource Fork Font File

References:

It turns out that macOS can load something called a Mac Resource Fork font file. Looks like a legacy thing.

(CVE-2021-30844) macOS smbfs Out-of-Bounds Read

Mon, 13 Sep 2021 00:00:00 +0000

CVE: CVE-2021-30844

Tested Versions:

macOS BigSur 11.0 - 11.2.3

Product URL(s):

https://apple.com

Description of the vulnerability

smbfs is a kext driver which handles SMB connection between the user and SMB Server. This vulnerability occurs in smbfs, which allows an attacker to leak kernel memory to achieve further exploitation.

The bug occurs on the SMBIOC_T2RQ ioctl handler. This handler first process user-mode input on function smb_usr_t2request

int
smb_usr_t2request(struct smb_share *share, struct smbioc_t2rq *dp, vfs_context_t context)
{
	//...
	/* ioc_name_len includes the null byte, ioc_kern_name is a c-style string */
	if (dp->ioc_kern_name && dp->ioc_name_len) {
		t2p->t_name = smb_memdupin(dp->ioc_kern_name, dp->ioc_name_len);
		if (t2p->t_name == NULL) {
			error = ENOMEM;
			goto bad;
		}
	}
	//...
}

smb_usr_t2request copy data from user-mode address (dp->ioc_kern_name) with size is dp->ioc_name_len which is controlled by attacker also. Later, this function will build a TCP package from this data and then send it to SMB Server. The field t2p->t_name is also included in the TCP package of this function.

(CVE-2021-30845) macOS smbfs Out-of-Bounds Read

Mon, 13 Sep 2021 00:00:00 +0000

CVE: CVE-2021-30845

Tested Versions:

macOS BigSur 11.0 - 11.2.3

Product URL(s):

https://apple.com/

Description of the vulnerability

smbfs is a kext driver which handles SMB connection between the user and SMB Server. This vulnerability occurs in smbfs, which allows an attacker to leak kernel memory to achieve further exploitation.

The vulnerability exists in the smbfs_mount function, which can be triggered via mount syscall. mount syscall will take data from user input and pass it to smbfs_mount. smbfs_mount does not require any privilege to mount and smb to a folder.

MSRC 2020 Most Valuable Security Researchers (Annual)

Thu, 05 Aug 2021 00:00:00 +0000

Meysam Firouzi (#40) and Shi Ji (#54) were shortlisted in Microsoft’s 2020 annual Most Valuable Security Researchers leaderboard.

References

MSRC blog: Announcing 2020 MSRC Most Valuable Security Researchers

Identifying Bugs in Router Firmware at Scale with Taint Analysis

Wed, 04 Aug 2021 00:00:00 +0000

In the past few months, Akash and I (@daniellimws) worked on developing a taint analysis tool to find bugs in routers, with the guidance of Shi Ji (@puzzor) and Thach (@d4rkn3ss). We had developed a tool based on CVE-2019-8312 to CVE-2019-8319, which are command injection vulnerabilities on the D-Link DIR-878 router with firmware version 1.12A1. The goal was to automate the detection of such bugs. Ideally, the tool should be faster than finding the bugs manually.

MSRC 2021 Q2 Most Valuable Security Researchers

Thu, 15 Jul 2021 00:00:00 +0000

Lê Hữu Quang Linh (#24) was shortlisted for the Q2 2021 Microsoft Most Valuable Security Researchers leaderboard.

References

MSRC blog: Top Q2 2021 Security Researchers

Simple Vulnerability Regression Monitoring with V8Harvest

Fri, 25 Jun 2021 00:00:00 +0000

Introduction

During my research into Javascript Engine (V8), I have created a small tool to help you view recent V8 bugs that contains regression test on a single page. Since most of the time, regression test often contains PoC to trigger the bug, it’s pretty useful to analyze them to find the root cause and writing exploit for the n-day bug.

For example, regress-1053604.js contains the PoC to trigger the side-effect in kJSCreate opcode (CVE-2020-6418).

(CVE-2021-30868) macOS smbfs Race Condition leading to Use-After-Free Vulnerability

Fri, 18 Jun 2021 00:00:00 +0000

CVE: CVE-2021-30868

Tested Versions:

macOS BigSur 11.0 - 11.2.3

Product URL(s):

https://apple.com/

Description of the vulnerability

smbfs is a kext driver which handles SMB connection between the user and SMB Server. This vulnerability occurs in smbfs, which allows attacker can escalate from user permission into root privilege.

smbfs kext was implemented with chardev device styles. User can interact with smbfs kext via ioctl syscall to do some task.

smbfs only load when the user first connects to the SMB server. After that, the attacker can easily load it with user privilege via NetFSMountURLSync from NetFS Framework.

(CVE-20221-35400) Prolink PRC2402M mesh.cgi get_extender_page Un-authenticated Command Injection Vulnerability

Thu, 10 Jun 2021 00:00:00 +0000

CVE: CVE-2021-35400

Tested Versions:

Prolink PRC2402M 20190909

Product URL(s):

https://prolink2u.com/

Description of the vulnerability

This vulnerability is present as there are no checks on user input taken by mesh.cgi, which is passed to popen, allowing an attacker to execute arbitrary code in the context of the root user on affected installations of the Prolink PRC2402M router.

No authentication is required to exploit this vulnerability.

The router makes GET requests to interact with the cgi scripts. To access the vulnerable script, visit http://localhost/cgi-bin/mesh.cgi.

(CVE-20221-35401) Prolink PRC2402M login.cgi sys_login Un-authenticated Command Injection Vulnerability

Thu, 10 Jun 2021 00:00:00 +0000

CVE: CVE-2021-35401

Tested Versions:

Prolink PRC2402M 20190909

Product URL(s):

https://prolink2u.com/

Description of the vulnerability

This vulnerability is present as there are no checks on user input taken by login.cgi, which is passed to popen, allowing an attacker to execute arbitrary code in the context of the root user on affected installations of the Prolink PRC2402M router.

No authentication is required to exploit this vulnerability.

The router makes POST requests through HTML forms to interact with the cgi scripts. To access the vulnerable script, visit http://localhost/cgi-bin/login.cgi.

(CVE-20221-35403) Prolink PRC2402M touchlist_sync.cgi main Un-authenticated Command Injection Vulnerability

Thu, 10 Jun 2021 00:00:00 +0000

CVE: CVE-2021-35403

Tested Versions:

Prolink PRC2402M 20190909

Product URL(s):

https://prolink2u.com/

Description of the vulnerability

This vulnerability is present as there are no checks on user input taken by touchlist_sync.cgi, which is passed to popen, allowing an attacker to execute arbitrary code in the context of the root user on affected installations of the Prolink PRC2402M router.

No authentication is required to exploit this vulnerability.

The router makes GET requests to interact with the cgi scripts. To access the vulnerable script, visit http://localhost/cgi-bin/touchlist_sync.cgi.

(CVE-20221-35404) Prolink PRC2402M applogin.cgi sys_login1 Authenticated Command Injection Vulnerability

Thu, 10 Jun 2021 00:00:00 +0000

CVE: CVE-2021-35404

Tested Versions:

Prolink PRC2402M 20190909

Product URL(s):

https://prolink2u.com/

Description of the vulnerability

This vulnerability is present as there are no checks on user input taken by applogin.cgi, which is passed to system, allowing an attacker to execute arbitrary code in the context of the root user on affected installations of the Prolink PRC2402M router.

Authentication is required to exploit this vulnerability.

The router makes GET requests through HTML forms to interact with the cgi scripts. To access the vulnerable script, visit http://localhost/cgi-bin/applogin.cgi.

(CVE-20221-35406) Prolink PRC2402M login.cgi sys_login1 Authenticated Command Injection Vulnerability

Thu, 10 Jun 2021 00:00:00 +0000

CVE: CVE-2021-35406

Tested Versions:

Prolink PRC2402M 20190909

Product URL(s):

https://prolink2u.com/

Description of the vulnerability

Authentication is required to exploit this vulnerability.

The router makes POST requests through HTML forms to interact with the cgi scripts. To access the vulnerable script, visit http://localhost/cgi-bin/login.cgi.

(CVE-20221-35406) Prolink PRC2402M qos.cgi qos_settings Un-authenticated Command Injection Vulnerability

Thu, 10 Jun 2021 00:00:00 +0000

CVE: CVE-2021-35406

Tested Versions:

Prolink PRC2402M 20190909

Product URL(s):

https://prolink2u.com/

Description of the vulnerability

This vulnerability is present as there are no checks on user input taken by qos.cgi, which is passed to system, allowing an attacker to execute arbitrary code in the context of the root user on affected installations of the Prolink PRC2402M router.

No authentication is required to exploit this vulnerability.

The router makes POST requests through HTML forms to interact with the cgi scripts. To access the vulnerable script, visit http://localhost/cgi-bin/qos.cgi.

(CVE-20221-35407) Prolink PRC2402M mesh.cgi get_upgrade_page Un-authenticated Command Injection Vulnerability

Thu, 10 Jun 2021 00:00:00 +0000

CVE: CVE-2021-35407

Tested Versions:

Prolink PRC2402M 20190909

Product URL(s):

https://prolink2u.com/

Description of the vulnerability

No authentication is required to exploit this vulnerability.

The router makes GET requests to interact with the cgi scripts. To access the vulnerable script, visit http://localhost/cgi-bin/mesh.cgi.

(CVE-20221-35409) Prolink PRC2402M nightled.cgi SetNightLed Un-authenticated Command Injection Vulnerability

Thu, 10 Jun 2021 00:00:00 +0000

CVE: CVE-2021-35409

Tested Versions:

Prolink PRC2402M 20190909

Product URL(s):

https://prolink2u.com/

Description of the vulnerability

This vulnerability is present as there are no checks on user input taken by nightled.cgi, which is passed to system, allowing an attacker to execute arbitrary code in the context of the root user on affected installations of the Prolink PRC2402M router.

No authentication is required to exploit this vulnerability.

The router makes GET requests to interact with the cgi scripts. To access the vulnerable script, visit http://localhost/cgi-bin/nightled.cgi.

(CVE-2021-30836) WebKit WebCore::AudioNode::disconnect null pointer reference

Wed, 09 Jun 2021 00:00:00 +0000

CVE: CVE-2021-30836

Tested Versions:

webkitGTK2.32.0

Product URL(s):

https://webkit.org/

Description of the vulnerability

In order to show how we can reproduce it, let’s open poc.html in webkitgtk version 2.32.0 within Ubuntu.

Alternatively, you may want to use my docker script to build. Source code of build.sh

docker build . -t webkit_asan
docker run -it  --name=webkit2.32.0 webkit_asan /bin/bash

Source code of Dockerfile

FROM ubuntu:18.04
MAINTAINER mipu94
RUN echo ${WEBKIT_VERSION}
ARG DEBIAN_FRONTEND=noninteractive
RUN apt-get -y update && \
    apt-get install -y wget \
    cmake \
    bison \
    git \
    unzip \
    xz-utils \
    apache2 \
    llvm-7 \ 
    clang-7 \
    libclang-7-dev \
    tzdata \
    sed \ 
    ruby

WORKDIR /root/

# install ninja
RUN wget https://github.com/ninja-build/ninja/releases/download/v1.10.0/ninja-linux.zip \
 && unzip ninja-linux.zip \
 && mv ninja /usr/local/bin/ \
 && rm ninja-linux.zip

# install clang
RUN wget https://prereleases.llvm.org/10.0.0/rc3/clang+llvm-10.0.0-rc3-x86_64-linux-gnu-ubuntu-18.04.tar.xz \
 && tar xvf clang+llvm-10.0.0-rc3-x86_64-linux-gnu-ubuntu-18.04.tar.xz \
 && mv clang+llvm-10.0.0-rc3-x86_64-linux-gnu-ubuntu-18.04 clang

ENV WEBKIT_VERSION="2.32.0" \
    FUZZ_TYPE="address"
RUN  apt-get update --fix-missing
# download webkit
RUN wget https://webkitgtk.org/releases/webkitgtk-${WEBKIT_VERSION}.tar.xz && \
    tar xvf webkitgtk-${WEBKIT_VERSION}.tar.xz && \
    cd webkitgtk-${WEBKIT_VERSION} && \
    printf 'y\n' | ./Tools/gtk/install-dependencies 


WORKDIR /root/webkitgtk-${WEBKIT_VERSION}
# patch asan build
#address, memory
ENV ASAN_TYPE=address  
RUN sed -i 's~COMMAND CC=${CMAKE_C_COMPILER} CFLAGS=-Wno-deprecated-declarations LDFLAGS=~COMMAND CC=${CMAKE_C_COMPILER} CFLAGS=\\\"-Wno-deprecated-declarations -fsanitize=address\\\" LDFLAGS=\\\"-fsanitize=address\\\"~g' Source/WebKit/PlatformGTK.cmake

RUN sed -i 's~COMMAND CC=${CMAKE_C_COMPILER} CFLAGS=-Wno-deprecated-declarations~COMMAND CC=${CMAKE_C_COMPILER} CFLAGS=\\\"-Wno-deprecated-declarations -fsanitize=address\\\"~g' Source/WebKit/PlatformGTK.cmake

RUN sed -i 's~LDFLAGS="${INTROSPECTION_ADDITIONAL_LDFLAGS}"~LDFLAGS=\\\"${INTROSPECTION_ADDITIONAL_LDFLAGS} -fsanitize=address\\\"~g' Source/WebKit/PlatformGTK.cmake
ENV CC="$BUILD_PATH/clang/bin/clang" \
      CXX="$BUILD_PATH/clang/bin/clang++" \
      CFLAGS="-fsanitize=$ASAN_TYPE" \
      CXXFLAGS="-fsanitize=$ASAN_TYPE" \
      LDFLAGS="-fsanitize=$ASAN_TYPE" \
      ASAN_OPTIONS="detect_leaks=0"
RUN mkdir mybuild && cd mybuild && cmake \
      -DCMAKE_BUILD_TYPE=Release  \
      -DCMAKE_INSTALL_PREFIX=/usr \
      -DCMAKE_SKIP_RPATH=ON       \
      -DPORT=GTK                  \
      -DLIB_INSTALL_DIR=/usr/lib  \
      -DUSE_LIBHYPHEN=OFF         \
      -DENABLE_MINIBROWSER=ON     \
      -DENABLE_GAMEPAD=OFF        \
      -DUSE_WOFF2=OFF             \
      -DUSE_WPE_RENDERER=OFF      \
      -DENABLE_BUBBLEWRAP_SANDBOX=OFF \
-Wno-dev -G Ninja -DCMAKE_C_COMPILER="/root/clang/bin/clang" -DCMAKE_CXX_COMPILER="/root/clang/bin/clang++" .. && ninja && ninja install

RUN cp -rf mybuild /root/webkitASAN

CMD ["/bin/bash"]

    # ./build.sh
    # export DISPLAY=:1000
    # Xvfb :1000 -screen 0 1920x1080x24 &
    # DISPLAY=:1000 LD_LIBRARY_PATH=/root/webkitASAN/lib /root/webkitASAN/bin/MiniBrowser ~/poc.html

In order to understand the root cause of this, let’s take a deeper look at the poc.html Source code of poc.html

(CVE-20221-35402) Prolink PRC2402M live_api.cgi satellist_list Un-authenticated Command Injection Vulnerability

Wed, 09 Jun 2021 00:00:00 +0000

CVE: CVE-2021-35402

Tested Versions:

Prolink PRC2402M 20190909

Product URL(s):

https://prolink2u.com/

Description of the vulnerability

This vulnerability is present as there are no checks on user input taken by live_api.cgi, which is passed to system, allowing an attacker to execute arbitrary code in the context of the root user on affected installations of the Prolink PRC2402M router.

No authentication is required to exploit this vulnerability.

The router makes GET requests to interact with the cgi scripts. To access the vulnerable script, visit http://localhost/cgi-bin/live_api.cgi.

(CVE-2021-35408) Prolink PRC2402M qos.cgi qos_sta_settings Un-authenticated Command Injection Vulnerability

Tue, 08 Jun 2021 00:00:00 +0000

CVE: CVE-2021-35408

Tested Versions:

Prolink PRC2402M 20190909

Product URL(s):

https://prolink2u.com/

Description of the vulnerability

No authentication is required to exploit this vulnerability.

The router makes POST requests through HTML forms to interact with the cgi scripts. To access the vulnerable script, visit http://prc2402m.setup/cgi-bin/qos.cgi

(CVE-2021-0956) Android NFC Out-Of-Bounds Write due to increase mNumTechList without bounds checking

Fri, 28 May 2021 00:00:00 +0000

CVE: CVE-2021-0956

Tested Versions:

RQ1A.210205.004

Product URL(s):

https://www.android.com/

Description of the vulnerability

There is a Out-Of-Bounds Write problem found in libnfc_nci_jni.so, within the NFC endpoints discovering and activation. Specifically, in file packages/apps/Nfc/nci/jni/NfcTag.cpp, function NfcTag::discoverTechnologies (activation), when a new NFC endpoint is actived, its information is append to some arrays. Since there is no bound check when append data, it may result in a Out-of-bounds Write vulnerability.

When the NFC service is operating on Reader/Writer mode, it has ability to discover Remote NFC Endpoints. While polling, if the NFCC discovers more than one Remote NFC Endpoint, or a Remote NFC Endpoint that supports more than one RF Protocol, NFC Controller start sending RF_DISCOVER_NTF messages to the Device Host for each endpoint and each RF protocol.

(CVE-2021-30745) Apple macOS QuartzCore Type Confusion Vulnerability

Thu, 20 May 2021 00:00:00 +0000

CVE: CVE-2021-30745

Tested Versions:

macOS Catalina 10.15.5 (19F101)

Product URL(s):

https://apple.com

Description of the vulnerability

This vulnerability exists in QuartzCore Framework, which is used by _windowserver process that allows other applications to interact with OS by mach message that allows attacker can bypass sandbox to get system privilege on the victim’s computer.

_windowserver is a process run as higher privilege act as a server to receive any messages from other applications and handle some system privilege actions for them.

(CVE-2021-0204) Juniper Junos OS Local Privilege Escalation vulnerability in dexp

Wed, 14 Apr 2021 00:00:00 +0000

CVE: CVE-2021-0204

Tested Versions:

Junos OS 15.1 to 20.4R1 (Tested on Juniper MX960 device)

Product URL(s): https://juniper.net

Description of the vulnerability

On the Juniper OS, there are a few binaries that have the setuid permission bit enabled. These binaries will run as the owner of the executable (typically as “root”) and inherit their privileges. Hence, these binary files can be used to escalate privileges to disclose sensitive information or execute arbitrary command as root.

(CVE-2021-0223) Juniper Junos OS Local Privilege Escalation vulnerability in telnetd

Wed, 14 Apr 2021 00:00:00 +0000

CVE: CVE-2021-0223

Tested Versions:

Junos OS 15.1 to 20.4R1 (Tested on Juniper MX960 device)

Product URL(s):

https://www.juniper.net/

Description of the vulnerability

(CVE-2021-0254) Junos OS overlayd service bss Buffer Overflow

Wed, 14 Apr 2021 00:00:00 +0000

CVE: CVE-2021-0254

Tested Versions:

Junos OS 15.1 to 20.4R1 (Tested on Juniper MX960 device)

Product URL(s):

https://www.juniper.net/

Description of the vulnerability

overlayd is a service that handles Overlay OAM Packet send to Juniper device. This service runs as root by default when the device starts and listens to the UDP connection on port 4789. Port 4789 is exposed to the internet, and everyone can connect to this port and send data. The specific flaw exists within the parsing packet function in the overlayd service. The issue results from the lack of proper validation of the size of the buffer before copying this data to a bss buffer, which can lead to bss overflow. Unauthenticated attackers can send specially crafted packets to trigger this vulnerability and resulting in remote code execution on the device.

(CVE-2021-0255) Juniper Junos OS Local Privilege Escalation vulnerability in ethtraceroute

Wed, 14 Apr 2021 00:00:00 +0000

CVE: CVE-2021-0255

Tested Versions:

Junos OS 15.1 to 20.4R1 (Tested on Juniper MX960 device)

Product URL(s):

https://www.juniper.net/

Description of the vulnerability

(CVE-2021-0256) Juniper Junos OS Local Privilege Escalation vulnerability in mosquitto

Wed, 14 Apr 2021 00:00:00 +0000

CVE: CVE-2021-0256

Tested Versions:

Junos OS 15.1 to 20.4R1 (Tested on Juniper MX960 device)

Product URL(s):

https://www.juniper.net/

Description of the vulnerability

You Talking To Me?

Mon, 12 Apr 2021 00:00:00 +0000

What is WebDriver and How does it work?

WebDriver is a protocol used for web browser automation. It can drive a browser to perform various tests on web pages as if a real user was navigating through them. It allows simulating user actions such as clicking links, entering text and submitting forms, which can help test if your website is working as intended. It is usually used for front-end testing and web crawling in a headless environment. WebDriver clients (such as Selenium WebDriver) interact with WebDriver servers (e.g. chromedriver, geckodriver) to launch and control browsers. In Capture-the-Flag (CTF) competitions, WebDriver clients are often used to play the role of a victim user (aka. XSS bot) and simulate user interactions to trigger player-supplied XSS payload.

Pwn2Own Vancouver 2021

Fri, 09 Apr 2021 00:00:00 +0000

The 2021 spring edition of Pwn2Own (Pwn2Own Vancouver) was held from 07th April to 09th April 2021 in a virtual format due to the ongoing COVID-19 pandemic that has limited many contestants’ traveling operations.

(CVE-2021-2321) Oracle VirtualBox E1000 BSS Out-Of-Bounds Read

Tue, 06 Apr 2021 00:00:00 +0000

CVE: CVE-2021-2321

Tested Versions:

Oracle VirtualBox 6.1.18 revision r142142

Product URL(s):

https://www.virtualbox.org/

Description of the vulnerability

When the e1000 driver is sending data to e1000 device, it will send frame by frame, there are context frame and data frame, usually one context frame followed by one or multiple data frames. We can prepare by setting TDH (Transfer Head), TDBAL (first 32 bit physical address of frames), TDBAH (last 32 bit physical address of frame) register, We can make device doing transfer by writing TDT (Transfer Tail) register and then will call e1kXmitPending to do the transfer.

(CVE-2021-3409) QEMU Heap Overflow in SDHCI Component

Tue, 23 Mar 2021 00:00:00 +0000

CVE: CVE-2021-3409

Tested Versions:

QEMU version under 5.2.50

Product URL(s):

https://www.qemu.org/

Description of the vulnerability

QEMU version 5.2.50 is susceptible to vulnerabilities which, when successfully exploited, could lead to the disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS).

SDHCI is Secure Digital Host Controller Interface. Secure Digital is a proprietary non-volatile memory card format developed by the SD Association (SDA) for portable devices. SDHCI code in QEMU is SD Controller emulation implementation based on SD Host Controller Specification Ver2.0 by Technical Committee SD Association.

(CVE-2021-34978) NETGEAR R6260 setupwizard.cgi Buffer Overflow Unauthenticated Remote Code Execution

Mon, 22 Mar 2021 00:00:00 +0000

CVE: CVE-2021-34978

Tested Versions:

NETGEAR R6260 V1.1.0.78_1.0.1

Product URL(s):

https://www.netgear.com/

Description of the vulnerability

This vulnerability allows for an attacker with LAN access to a NETGEAR R6260 router to execute arbitrary code. This was tested on the latest firmware available for the router, V1.1.0.78_1.0.1 at the point of writing.

When setupwizard.cgi is executed via a HTTP SOAP request, specially crafted SOAP-ENV headers will cause strncpy() to produce unterminated strings in analyse_XML_namespace(). A subsequent sprintf() call in the same function will introduce a buffer overflow due to overlapping strings, allowing for instruction pointer control.

(CVE-2021-34979) NETGEAR R6260 mini_httpd Buffer Overflow Unauthenticated Remote Code Execution

Mon, 22 Mar 2021 00:00:00 +0000

CVE: CVE-2021-34979

Tested Versions:

NETGEAR R6260 V1.1.0.78_1.0.1

Product URL(s):

https://www.netgear.com/

Description of the vulnerability

A buffer overflow in mini_httpd.c:1768 allows for unexpectedly long environment variables to be passed to the setupwizard.cgi executable. When setupwizard.cgi is executed via a specially crafted HTTP SOAP request, an unbounded strcat() in the check_soap_login_record() function allows for instruction pointer control when the environment variable SOAP_LOGIN_TOKEN is sufficiently long. An attacker can use this to execute arbitrary code as root.

(CVE-2021-0950) Android NFC android.hardware.nfc@1.2-service Writer mode Out-Of-Bounds Write leading to Information Disclosure

Fri, 05 Mar 2021 00:00:00 +0000

CVE: CVE-2021-0950

Tested Versions:

RQ1A.210205.004

Product URL(s):

https://www.android.com/

Description of the vulnerability

An Out-Of-Bounds Write bug was found in nfc_nci_nxp.so. Specifically, in file "hardware/nxp/nfc/halimpl/hal/phNxpNciHal_ext.cc", function phNxpNciHal_write_ext, due to lack of proper validation of the length of supplied command prior to increasing length of it, leading to 3 bytes overflow problem. This vulnerability can be turned into a read past the end of a global buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of NFC HIDL service.

(CVE-2021-33760) Windows Media Foundation Integer Overflow Vulnerability

Sat, 27 Feb 2021 00:00:00 +0000

CVE: CVE-2021-33760

Tested Versions:

mfsrcsnk.dll 10.0.18362.836

Product URL(s):

https://www.microsoft.com/

Description of the vulnerability

An integer overflow leads to OOB read when parsing MP3 header. The crash can be trigger by navigating into the folder containing the POC file. The crash happens inside mfsrcsnk.dll when parsing MP3 header. Stack trace.

(582c.420c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
mfsrcsnk!CMPEGFrame::DeSerializeFrameHeader+0x42:
00007ffa`88140492 418b0e          mov     ecx,dword ptr [r14] ds:00000264`bf9f527f=????????
0:000> k
 # Child-SP          RetAddr           Call Site
00 00000084`61afe770 00007ffa`881408a8 mfsrcsnk!CMPEGFrame::DeSerializeFrameHeader+0x42
01 00000084`61afe7f0 00007ffa`8814128c mfsrcsnk!CMP3MediaSourcePlugin::ReadMPEGFrameHeader+0x78
02 00000084`61afe860 00007ffa`8813f62c mfsrcsnk!CMP3MediaSourcePlugin::DoReadFrameHeader+0x5c
03 00000084`61afe8e0 00007ffa`8813fefa mfsrcsnk!CMP3MediaSourcePlugin::ParseHeader+0x1cc
04 00000084`61afe9c0 00007ffa`8813fd60 mfsrcsnk!CMFMP3PropertyHandler::FeedNextBufferToPlugin+0x12e
05 00000084`61afea60 00007ffa`88137763 mfsrcsnk!CMFMP3PropertyHandler::FeedBuffersToPlugin+0x9c
06 00000084`61afeb20 00007ffa`881492e4 mfsrcsnk!CMFMP3PropertyHandler::InternalInitialize+0x103
07 00000084`61afebf0 00007ffa`f1885451 mfsrcsnk!CMFPropHandlerBase::Initialize+0x84
08 00000084`61afec50 00007ffa`f188241b windows_storage!InitializeFileHandlerWithStream+0x175
09 00000084`61afed10 00007ffa`f1913fc5 windows_storage!CFileSysItemString::HandlerCreateInstance+0x2c7
0a 00000084`61afee00 00007ffa`f1878fd6 windows_storage!CFileSysItemString::_PropertyHandlerCreateInstance+0xad
0b 00000084`61afeeb0 00007ffa`f190a680 windows_storage!CFileSysItemString::LoadHandler+0x1aa
0c 00000084`61aff000 00007ffa`f1876ab5 windows_storage!CFSFolder::LoadHandler+0xe0
0d 00000084`61aff360 00007ffa`f18772a2 windows_storage!CFSPropertyStoreFactory::_GetFileStore+0x165
0e 00000084`61aff430 00007ffa`f1876c12 windows_storage!CFSPropertyStoreFactory::_GetPropertyStore+0x20e
0f 00000084`61aff520 00007ffa`f189d024 windows_storage!CFSPropertyStoreFactory::GetPropertyStore+0x22
10 00000084`61aff560 00007ffa`f189f18b windows_storage!CShellItem::_GetPropertyStoreWorker+0x384
11 00000084`61affaa0 00007ffa`f3b36ddb windows_storage!CShellItem::GetPropertyStore+0xdb
*** WARNING: Unable to verify checksum for metadata.exe
12 00000084`61affd70 00007ff7`0fc710ac SHELL32!SHGetPropertyStoreFromParsingName+0x5b
13 00000084`61affde0 00007ff7`0fc7117c metadata+0x10ac
14 00000084`61affe70 00007ff7`0fc713a4 metadata+0x117c
15 00000084`61affea0 00007ffa`f26a7bd4 metadata+0x13a4
16 00000084`61affee0 00007ffa`f452ce51 KERNEL32!BaseThreadInitThunk+0x14
17 00000084`61afff10 00000000`00000000 ntdll!RtlUserThreadStart+0x21
0:000> !heap -p -a @r14
    address 00000264bf9f527f found in
    _DPH_HEAP_ROOT @ 264bf911000
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                264bf913af8:      264bf9f5000             2000
    00007ffaf45c51c4 ntdll!RtlDebugFreeHeap+0x000000000000003c
    00007ffaf4575670 ntdll!RtlpFreeHeap+0x0000000000073d90
    00007ffaf4500790 ntdll!RtlpFreeHeapInternal+0x0000000000000790
    00007ffaf44ffb91 ntdll!RtlFreeHeap+0x0000000000000051
    00007ffaf4199cfc msvcrt!free+0x000000000000001c
    00007ffa88140f2b mfsrcsnk!CID3Frame::`vector deleting destructor'+0x000000000000005b
    00007ffa8814d34a mfsrcsnk!CMP3Base::Release+0x000000000000003a
    00007ffa881346d9 mfsrcsnk!ComSmartPtr<Windows::Foundation::Collections::IMap<HSTRING__ * __ptr64,IInspectable * __ptr64> >::~ComSmartPtr<Windows::Foundation::Collections::IMap<HSTRING__ * __ptr64,IInspectable * __ptr64> >+0x0000000000000019
    00007ffa88140db0 mfsrcsnk!CID3Header::ReadFrames+0x0000000000000134
    00007ffa881512c1 mfsrcsnk!CID3Header::DeSerializeFrameBody+0x0000000000000071
    00007ffa8814b918 mfsrcsnk!CMP3MediaSourcePlugin::DoReadHeaderBody+0x0000000000000060
    00007ffa8813f896 mfsrcsnk!CMP3MediaSourcePlugin::ParseHeader+0x0000000000000436
    00007ffa8813fefa mfsrcsnk!CMFMP3PropertyHandler::FeedNextBufferToPlugin+0x000000000000012e
    00007ffa8813fd60 mfsrcsnk!CMFMP3PropertyHandler::FeedBuffersToPlugin+0x000000000000009c
    00007ffa88137763 mfsrcsnk!CMFMP3PropertyHandler::InternalInitialize+0x0000000000000103
    00007ffa881492e4 mfsrcsnk!CMFPropHandlerBase::Initialize+0x0000000000000084
    00007ffaf1885451 windows_storage!InitializeFileHandlerWithStream+0x0000000000000175
    00007ffaf188241b windows_storage!CFileSysItemString::HandlerCreateInstance+0x00000000000002c7
    00007ffaf1913fc5 windows_storage!CFileSysItemString::_PropertyHandlerCreateInstance+0x00000000000000ad
    00007ffaf1878fd6 windows_storage!CFileSysItemString::LoadHandler+0x00000000000001aa
    00007ffaf190a680 windows_storage!CFSFolder::LoadHandler+0x00000000000000e0
    00007ffaf1876ab5 windows_storage!CFSPropertyStoreFactory::_GetFileStore+0x0000000000000165
    00007ffaf18772a2 windows_storage!CFSPropertyStoreFactory::_GetPropertyStore+0x000000000000020e
    00007ffaf1876c12 windows_storage!CFSPropertyStoreFactory::GetPropertyStore+0x0000000000000022
    00007ffaf189d024 windows_storage!CShellItem::_GetPropertyStoreWorker+0x0000000000000384
    00007ffaf189f18b windows_storage!CShellItem::GetPropertyStore+0x00000000000000db
    00007ffaf3b36ddb SHELL32!SHGetPropertyStoreFromParsingName+0x000000000000005b
    00007ff70fc710ac metadata+0x00000000000010ac
    00007ff70fc7117c metadata+0x000000000000117c
    00007ff70fc713a4 metadata+0x00000000000013a4
    00007ffaf26a7bd4 KERNEL32!BaseThreadInitThunk+0x0000000000000014
    00007ffaf452ce51 ntdll!RtlUserThreadStart+0x0000000000000021

@r14 points to an invalid location on the heap.

(CVE-2021-34503) Windows Media Foundation Type Confusion Vulnerability

Sat, 27 Feb 2021 00:00:00 +0000

CVE: CVE-2021-34503

Tested Versions:

mfsrcsnk.dll 10.0.18362.836

Product URL(s):

https://www.microsoft.com/

Description of the vulnerability

There is a type confusion when parsing Quick Time video file format’s metadata that leads to OOB access on heap memory. The vulnerability can be triggered by navigating into folder contains POC file, inside Internet Explorer and Microsoft Edge.

The crashes happens inside mfmp4srcsnk.dll when parsing CQTSampleDescriptionAtom. Stack trace.

(2154.3bf0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=05d90ee8 ebx=05d7ef00 ecx=05d84f78 edx=05d8efe8 esi=5ba00cf0 edi=05d80f00
eip=5ba43c64 esp=006fedec ebp=006fedf8 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
mfmp4srcsnk!CAVCVideoSampleDescription::IsBetterForMediaType+0x44:
5ba43c64 8bb704010000    mov     esi,dword ptr [edi+104h] ds:002b:05d81004=????????
0:000> k
 # ChildEBP RetAddr  
00 006fedf8 5b9fea8a mfmp4srcsnk!CAVCVideoSampleDescription::IsBetterForMediaType+0x44
01 006fee44 5b9fdc50 mfmp4srcsnk!CQTSampleDescriptionAtom::FinalParseAtom+0x36a
02 006feedc 5b9ff7bd mfmp4srcsnk!CQTSampleTable::FinalParseAtom+0x3d0
03 006fef6c 5b9ff51e mfmp4srcsnk!CQTAtom::FinalParseAtom+0xdd
04 006fef8c 5b9ff7bd mfmp4srcsnk!CQTMedia::FinalParseAtom+0x3e
05 006fefd4 5b9fecbc mfmp4srcsnk!CQTAtom::FinalParseAtom+0xdd
06 006ff004 5b9ff7bd mfmp4srcsnk!CQTTrack::FinalParseAtom+0x9c
07 006ff04c 5b9fd1e8 mfmp4srcsnk!CQTAtom::FinalParseAtom+0xdd
08 006ff094 5ba02ed9 mfmp4srcsnk!CQTMovie::FinalParseAtom+0x138
09 006ff0f8 5ba1e00c mfmp4srcsnk!CQTMovie::CreateQTMovie+0x2b9
0a 006ff180 5ba1d4bf mfmp4srcsnk!CQTMovie::CreateMovieFromBuffer+0x571
0b 006ff1b0 5ba252ff mfmp4srcsnk!MFCreateQTMovie+0x4a
0c 006ff1e8 5ba30cea mfmp4srcsnk!CMFMP4PropertyHandler::LoadMetadataProvider+0x13e
0d 006ff25c 5ba351cf mfmp4srcsnk!CMFMP4PropertyHandler::InternalInitialize+0xba
0e 006ff280 753fab92 mfmp4srcsnk!CMFPropHandlerBase::Initialize+0x1af
0f 006ff2d4 75480a38 windows_storage!InitializeFileHandlerWithStream+0x184
10 006ff364 754ef088 windows_storage!CFileSysItemString::HandlerCreateInstance+0x1ba
11 006ff3b4 753fd557 windows_storage!CFileSysItemString::_PropertyHandlerCreateInstance+0x69
12 006ff488 753fb4b6 windows_storage!CFileSysItemString::LoadHandler+0x181
13 006ff748 753fb0cc windows_storage!CFSFolder::LoadHandler+0xa6
14 006ff7a0 753f9849 windows_storage!CFSPropertyStoreFactory::_GetFileStore+0x148
15 006ff7b8 7545a37e windows_storage!CFSPropertyStoreFactory::_s_GetFileStore+0x19
16 006ff828 7545a094 windows_storage!CFSPropertyStoreFactory::_GetMultiplexPropertyStore+0x217
17 006ff86c 7545aa5e windows_storage!CFSPropertyStoreFactory::_GetPropertyStore+0xa9
18 006ff888 7544c632 windows_storage!CFSPropertyStoreFactory::GetPropertyStore+0x1e
19 006ffb7c 7544d5d6 windows_storage!CShellItem::_GetPropertyStoreWorker+0xb22
1a 006ffde4 76887ca6 windows_storage!CShellItem::GetPropertyStore+0xb6
*** WARNING: Unable to verify checksum for metadata.exe
1b 006ffe14 00021085 SHELL32!SHGetPropertyStoreFromParsingName+0x56
1c 006ffe74 00021190 metadata!target_func+0x35 [c:\users\bit\source\repos\mf\metadata\metadata.cpp @ 15] 
1d 006ffe8c 0002137a metadata!wmain+0x40 [c:\users\bit\source\repos\mf\metadata\metadata.cpp @ 55] 
1e (Inline) -------- metadata!invoke_main+0x1c [d:\agent\_work\3\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 90] 
1f 006ffed4 77266359 metadata!__scrt_common_main_seh+0xfa [d:\agent\_work\3\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 288] 
20 006ffee4 77a97c24 KERNEL32!BaseThreadInitThunk+0x19
21 006fff40 77a97bf4 ntdll!__RtlUserThreadStart+0x2f
22 006fff50 00000000 ntdll!_RtlUserThreadStart+0x1b

@edi points to an object of size only 0x100 but the code tries to access a property at offset 0x104.

(CVE-2021-1758) macOS/iOS CoreText Out-Of-Bounds Read

Wed, 10 Feb 2021 00:00:00 +0000

CVE: CVE-2021-1758

Tested Versions:

macOS Catalina 10.15.4 (19E287)

Product URL(s):

https://apple.com

Description of the vulnerability

This vulnerability exists in libFontParser.dylib, a part of CoreText library is widely used in macOS, iOS, iPadOS to parse, and draw text. This vulnerability allows attacker to read memory of application which uses API from CoreText.

macOS/iOS creates a font format structure that is a wrapper of Type 1 Postscript Font and TrueType Font is Mac Resource Fork Font. CoreText is a framework to draw text that supports load Mac Resource Fork Font through API CoreText CTFontManagerCreateFontDescriptorsFromURL.

(CVE-2021-1790) macOS/iOS CoreText libhvf Out-Of-Bounds Read

Wed, 10 Feb 2021 00:00:00 +0000

CVE: CVE-2021-1790

Tested Versions:

macOS Catalina 10.15.4 (19E287)

Product URL(s):

https://apple.com

Description of the vulnerability

This vulnerability exists in libhvf.dylib, a part of CoreText library is widely used in macOS, iOS, iPadOS to parse font. An attacker can craft an evil PDF contains the malicious font that could lead to remote code execution.

libhvf.dylib is used to parse HierVariation table in Truetype Font. libhvf.dylib is a feature of libFontParser.dylib. To enable this feature user must create a plist file in /User/<user>/Library/Preferences/com.apple.FontParser.plist with following content.

Chrome 1-Day Hunting - Uncovering and Exploiting CVE-2020-15999

Sat, 09 Jan 2021 00:00:00 +0000

Introduction

This blog post details the exploitation process for the vulnerability CVE 2020-15999 in Google Chrome 86.0.4222.0 on Linux. While CVE 2020-15999 is a heap-based buffer overflow in the font-loading library Freetype rather than Chrome proper, its extensive use in the latter enables us to achieve code execution in the browser’s renderer. This post will not be focused on the analysis of the bug, but rather its exploitation, as extensive explanation and analysis can be found here. In essence, Truetype font files that contain bitmaps (i.e. raster images) store them in the sbix table of the font. When Freetype loads an embedded PNG image in the sbix table with dimensions exceeding the int16 limit, an integer overflow to buffer overflow (IO2BO) occurs. A PoC to achieve code execution in the renderer and pop calculator can be found in the last section of this post.

Instrumenting Adobe Reader with Frida

Fri, 13 Nov 2020 00:00:00 +0000

Frida is an open-source dynamic instrumentation toolkit that has become popular in recent years, and its use in mobile security is especially prevalent.

In this post, I would like to provide a general introduction to the tool and show some examples of how it can also be used on the Windows platform.

Pwn2Own Tokyo 2020

Sun, 08 Nov 2020 00:00:00 +0000

The 2020 fall edition of Pwn2Own (Pwn2Own Tokyo) was held from 06th to 08th November 2020 in a virtual format due to the ongoing COVID-19 pandemic that has limited many contestants’ traveling operations.

Analysis & Exploitation of a Recent TP-Link Archer A7 Vulnerability

Fri, 16 Oct 2020 00:00:00 +0000

This post provides detailed analysis and an exploit achieving remote code execution for CVE-2020-10882, which was used at Pwn2Own 2019, on the TP-Link Archer C7:

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link Archer A7 AC1750 routers. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the tdpServer service, which listens on UDP port 20002 by default. When parsing the slave_mac parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the root user.

Pwn2Own 2020: Oracle VirtualBox Escape

Fri, 25 Sep 2020 00:00:00 +0000

In this post, we will cover the vulnerabilities used at Pwn2Own 2020 for the Oracle VirtualBox escape. These two vulnerabilities affect Oracle VirtualBox 6.1.4 and prior versions.

This Font is not Your Type

Fri, 04 Sep 2020 00:00:00 +0000

Half a year ago, I found a vulnerability in libFontParser.dylib, which is a part of CoreGraphics library that is widely used in macOS, iOS, iPadOS to parse and render fonts. This vulnerability was patched in iOS 13.5.1 & macOS 10.15.5. In this writeup, I will describe the bug in detail in hopes that it will help others to better understand this vulnerability. This issue could allow an attacker to execute code during the parsing of a malicious font.

(CVE-2020-24430) Adobe Acrobat Pro DC FDF.addContact Use-After-Free Vulnerability

Fri, 21 Aug 2020 00:00:00 +0000

CVE: CVE-2020-24430

Tested Versions:

Adobe Reader DC 2020.012.20041

Product URL(s):

https://adobe.com

Description of the vulnerability

Adobe Acrobat is a family of application software and Web services developed by Adobe Inc. to view, create, manipulate, print and manage files in Portable Document Format (PDF).

There is an UAF bug when Adobe Acrobat DC executes javascript related to the FDF.addContact function

The following is the crash context (with page heap enabled):

First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=004fb7bc ecx=1ceeafd0 edx=0030d000 esi=1ceeafd0 edi=7e476eb8
eip=6301132a esp=004fb5ec ebp=004fb608 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210246
Acrobat!DllCanUnloadNow+0x6153a:
6301132a 8b5f14          mov     ebx,dword ptr [edi+14h] ds:002b:7e476ecc=????????

Vulnerability Discovery/Analysis

The following POC would trigger the bug when executed in a privileged / trusted context:

ASUSWRT URL Processing Stack Buffer Overflow

Fri, 07 Aug 2020 00:00:00 +0000

While processing the URL for any blacklisted XSS list like the script tag in the check_xss_blacklist function, a stack buffer overflow is possible by extending the length of the URL when accessing the web interface of the ASUS Router. To exploit it, stack pivoting technique is used before chaining up ROP gadgets to call our own custom command. In this post, we show how this can be exploited to get a reverse shell.

(CVE-2020-13937) Apache Kylin - Unauthenticated Configuration Disclosure

Fri, 17 Jul 2020 00:00:00 +0000

CVE: CVE-2020-13937

Tested Versions:

All versions starting from 2.0.0 up to 2.3.2, all versions starting from 2.4.0 up to 2.4.1, all versions starting from 2.5.0 up to 2.5.2, all versions starting from 2.6.0 up to 2.6.6, all versions starting from 3.0.0 up to 3.0.2, version 3.1.0

Product URL(s):

http://kylin.apache.org/

Description of the vulnerability

There is an unauthenticated configuration disclosure via /kylin/api/admin/config GET API Endpoint.

The getConfig() method of AdminController.java handling /kylin/api/admin/config endpoint did not include any security checks, which allowed an unauthenticated user to disclose all Kylin configuration settngs, which includes sensitive information such as LDAP and JDBC credentials.

Oracle VirtualBox VHWA Use-After-Free Privilege Escalation Vulnerability

Fri, 26 Jun 2020 00:00:00 +0000

As part of my month-long internship at STAR Labs, I was introduced to VirtualBox and learnt much about bug hunting and triaging, root-cause analysis and exploitation. This post will detail a use-after-free bug I found during the duration of the internship, and specifics on the VM escape exploit that I wrote utilising the bug. The latest version at the point of reporting was VirtualBox 6.1.2 r135662.

(CVE-2020-0634) Windows CLFS UAF Memory Corruption Vulnerability

Fri, 12 Jun 2020 00:00:00 +0000

CVE: CVE-2020-0634

Tested Versions:

Windows RS2( 2019.01.08) build 7763
ntoskrnl.exe file version 10.0.17763.195 . MD5:4a8bc8a4b90486a5567fb6c6bf93ab6b

Product URL(s):

https://www.microsoft.com/

Description of the vulnerability

An elevation of privilege vulnerability exists when the Windows Common Log File System (CLFS) driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context.

To exploit the vulnerability, an attacker would first have to log on to the system, and then run a specially crafted application to take control over the affected system.

(CVE-2020-1664) Juniper Junos OS dcd create_debug_data() buffer overflow

Fri, 12 Jun 2020 00:00:00 +0000

CVE: CVE-2020-1664

Tested Versions:

Junos OS 20.1R1.11

Product URL(s):

https://www.juniper.net/

Description of the vulnerability

dcd is device control daemon and is running as root by default when the device starts. This daemon has a stack buffer overflow vulnerability that allows an attacker with low privilege to DOS the daemon or execute arbitrary code in the system with root privilege.

The vulnerability exists in create_debug_data() function:

FILE *create_debug_data()
{
  char v13; // [esp+3h] [ebp-51h]
  result = fopen("/var/tmp/dcd_debug.txt", "r");
  v1 = result;
  ifd_list_head = 0;
  if ( result )
  {
    dcd_global_dump_flag = 1;
    if ( fscanf(result, "%s", &v13) == 1 )
    {
      v15 = 0;
      stream = v1;
      do
      {
        dcd_print_i(
          8,
          "%u %s:%d %s() %s : Adding Interface %s to debug list",
          gDcdPid,
          "dcd.c",
          4770,
          "create_debug_data",
          szSev[0],
          &v13);
...

The buffer overflow vulnerability is caused by reading content in /var/tmp/dcd_debug.txt to a stack-based buffer. With the low privilege user, an attacker could put the long string to /var/tmp/dcd_debug.txt file to trigger the vulnerability.

(CVE-2021-0218) Junos OS lc_fetch_license_keys() command injection

Fri, 12 Jun 2020 00:00:00 +0000

CVE: CVE-2021-0218

Tested Versions:

Junos OS 20.1R1.11

Product URL(s):

https://www.juniper.net/

Description of the vulnerability

license-check is a daemon to manage license in Juniper device. By default, this daemon is running as root. There is a command injection vulnerability in license-check daemon that allows an attacker with low privilege to execute a command with root privilege.

The command injection exists in the license update feature. To update license, user run command request system license update in cli console. First, when run this command, the mgd_update_license() function in /usr/lib/dd/libjunos-actions-impl.so is called.

(CVE-2021-0219) Juniper Junos OS validate package mgd_package_real() command injection

Fri, 12 Jun 2020 00:00:00 +0000

CVE: CVE-2021-0219

Tested Versions:

Junos OS 20.1R1.11

Product URL(s):

https://www.juniper.net/

Description of the vulnerability

The command injection vulnerability exists in the validation of the installed package. Upon successfully exploiting this vulnerability, an attacker with low privilege can execute a command with root privilege in the system.

To validate a package on host before installing, user run command request system software add validate-on-host <host> <package-path> in cli console. First, when run this command, function mgd_package_real() in /usr/lib/dd/libjunos-actions-impl.so will be called:

(CVE-2021-1485) Cisco IOS XR CLI Arbitrary Command Injection

Fri, 12 Jun 2020 00:00:00 +0000

CVE: CVE-2021-1485

Tested Versions:

Cisco IOS XRv 64 bit 7.0.2

Product URL(s): https://cisco.com

Description of the vulnerability

The router CLI implements some commands as passthrough to the underlying Linux shell. From some tests conducted, it is evident that there are some quoting issues when passing arguments to the shell.

RP/0/RSP0/CPU0# dir "'"
sh: -c: line 0: unexpected EOF while looking for matching `''
sh: -c: line 1: syntax error: unexpected end of file
sh: -c: line 0: unexpected EOF while looking for matching `''
sh: -c: line 1: syntax error: unexpected end of file
dir : ' : Path does not exist

This type of issue could lead to arbitrary command injection from the restricted CLI that does not have direct access to the shell.

(CVE-2020-15357) Askey AP5100W Authenticated Command Injection in web Interface

Fri, 22 May 2020 00:00:00 +0000

CVE: CVE-2020-15357

Tested Versions:

Askey AP5100W version Dual_SIG_1.01.071

Product URL(s):

https://www.askey.com.tw/

Description of the vulnerability

Askey AP5100W was a wifi mesh node provided to Singtel customers as part of their Fibre Broadband contract package. It is used to provide greater WiFi coverage in homes or offices.

The wifi mesh node comes with a configurable web interface that allows users to modify settings on their mesh nodes and run diagnostics.

The default login credential of the web interface for the Askey AP5100W is as follows:

(CVE-2020-25545) Askey AP5100W Information Leak through Insecure backups

Fri, 22 May 2020 00:00:00 +0000

CVE: CVE-2020-25545

Tested Versions:

Askey AP5100W version Dual_SIG_1.01.071

Product URL(s):

https://www.askey.com.tw/

Description of the vulnerability

Askey AP5100W was a wifi mesh node provided to Singtel customers as part of their Fibre Broadband contract package. It is used to provide greater WiFi coverage in homes or offices.

The wifi mesh node comes with a configurable web interface that allows users to modify settings on their mesh nodes and run diagnostics.

The default login credential of the web interface for the Askey AP5100W is as follows:

(CVE-2020-25546) Askey AP5100W Logic Error allowing Web Admin authentication bypass

Fri, 22 May 2020 00:00:00 +0000

CVE: CVE-2020-25546

Tested Versions:

Askey AP5100W version Dual_SIG_1.01.071

Product URL(s):

https://www.askey.com.tw/

Description of the vulnerability

Askey AP5100W was a wifi mesh node provided to Singtel customers as part of their Fibre Broadband contract package. It is used to provide greater WiFi coverage in homes or offices.

The wifi mesh node comes with a configurable web interface that allows users to modify settings on their mesh nodes and run diagnostics.

Vulnerability

The default login credential of the web interface for the Askey AP5100W is as follows:

(CVE-2020-2575) Oracle VirtualBox OHCI Uninitialized Heap Variable - Pwn2Own

Thu, 30 Apr 2020 00:00:00 +0000

CVE: CVE-2020-2575

Tested Versions:

Oracle VirtualBox 6.1.0 revision r135406

Product URL(s):

https://virtualbox.org

Description of the vulnerability

VirtualBox is a x86 and AMD64/Intel64 virtualization product for enterprise as well as home use. It is a solution commercially supported by Oracle, in addition to being made available as open source software. It runs on various host platforms like Windows, Linux, Mac and Solaris and also supports a large number of guest operating systems.

(CVE-2020-2748) Oracle VirtualBox SVGA Out-of-Bounds Read in vmsvgaR3FifoUpdateCursor

Thu, 30 Apr 2020 00:00:00 +0000

CVE: CVE-2020-2748

Tested Versions:

Oracle VirtualBox 6.1.0 r135406

Product URL(s):

https://virtualbox.org

Description of the vulnerability

(CVE-2020-2758) Oracle VirtualBox VHWA Use-After-Free Privilege Escalation

Thu, 30 Apr 2020 00:00:00 +0000

CVE: CVE-2020-2758

Tested Versions:

Oracle VirtualBox 6.1.2 r135662

Product URL(s):

https://virtualbox.org

Description of the vulnerability

(CVE-2020-2894) Oracle VirtualBox e1kInsertChecksum Out-of-Bounds Read - Pwn2Own

Thu, 30 Apr 2020 00:00:00 +0000

CVE: CVE-2020-2894

Tested Versions:

Oracle VirtualBox 6.1.0 revision r135406

Product URL(s):

https://virtualbox.org

Description of the vulnerability

(CVE-2020-10907) Foxit Reader XFA Widget Use-After-Free Code Execution

Thu, 16 Apr 2020 00:00:00 +0000

CVE: CVE-2020-10907

Tested Versions:

Foxit Reader 9.7.0.29455

Product URL(s):

https://www.foxitsoftware.com/pdf-reader/

Description of the vulnerability

Foxit Reader is a popular PDF reading and printing software.

When processing XFA forms within a PDF, a flaw exists when handling widgets in the form, which can lead to code execution.

The attacker setup a XFA form which has 2 XFA_Widgets: combobox, and checkbox_group.

<!-- XFA Combo Box -->
<subform layout="tb" name="subform_combox_0">
	<occur initial="1" max="10" min="0" name="occur_subform_combox_0">
	</occur>
	<field h="10mm" name="combox" w="40mm" x="10mm" y="10mm">
		<ui>
			<choiceList open="onEntry">
				<border><edge/></border>
			</choiceList>
		</ui>
		<items save="1">
			<text>apples</text>
			<text>bananas</text>
			<text>pears</text>
		</items>
			<value>
			<text>apples</text>
		</value>
		<event activity="ready" ref="$layout">
			<script contentType="application/x-javascript">
				xfa.host.openList("my_doc.subform_combox_0");
			</script>
		</event>
	</field>
</subform>
<!-- XFA CheckBox Group-->
<subform layout="tb" name="subform_checkbutton_group_0">
	<occur initial="1" max="10" min="0" name="occur_subform_checkbutton_group_0">
	</occur>
	<exclGroup layout="tb" name="checkbutton_group">
		<!-- XFA CheckBox 1-->
		<field h="10mm" name="checkbutton_check1" w="40mm" x="30mm" y="600mm">
			<ui>
				<checkButton shape="round">
					<border><edge/></border>
				</checkButton>
			</ui>
			<items>
				<integer>1</integer>
			</items>
			<value>
				<text>Select 1</text>
			</value>
			<caption placement="left">
				<value>
					<text>Option 1</text>
				</value>
			</caption>
			<validate>
				<script contentType="application/x-javascript">
					xfa.resolveNode("my_doc.subform_checkbutton_group_0.checkbutton_group.checkbutton_check1").addItem("this is random string");
					xfa.resolveNode("my_doc.subform_checkbutton_group_0.checkbutton_group").rawValue = "this is random string";
				</script>
			</validate>
		</field>
		<!-- XFA CheckBox 2-->
		<field h="10mm" name="checkbutton_check2" w="40mm" x="30mm" y="600mm">
			<ui>
				<checkButton shape="round">
					<border><edge/></border>
				</checkButton>
			</ui>
			<items>
				<integer>2</integer>
			</items>
			<value>
				<text>Select 2</text>
			</value>
			<caption placement="left">
				<value>
					<text>Option 2</text>
				</value>
			</caption>
		</field>
	</exclGroup>
	<event activity="ready" ref="$layout">
		<script contentType="application/x-javascript">
			_subform_checkbutton_group_0.addInstance(93);
		</script>
	</event>
</subform>

Foxit Reader didn’t properly handle re-entry validate event when adding new instances into PDF XFA form, which leads to Use-After-Free in this case.

TianFu Cup 2019: Adobe Reader Exploitation

Fri, 10 Apr 2020 00:00:00 +0000

Last year, I participated in the TianFu Cup competition in Chengdu, China. The chosen target was the Adobe Reader. This post will detail a use-after-free bug of JSObject. My exploit is not clean and not an optimal solution. I have finished this exploit through lots of trial and error. It involves lots of heap shaping code which I no longer remember exactly why they are there. I would highly suggest that you read the full exploit code and do the debugging yourself if necessary. This blog post was written based on a Windows 10 host with Adobe Reader.

Adventures in Hypervisor: Oracle VirtualBox Research

Fri, 03 Apr 2020 00:00:00 +0000

I have been into the vulnerability research field for a while now, and VirtualBox is my very first target. I have learned a lot along the way and I hope that anyone who are interested in escaping hypervisors can find something useful from these notes. I assume that you have some basic knowledge on memory corruption, hypervisor architecture and device I/O.

Pwn2Own Vancouver 2020

Sun, 22 Mar 2020 00:00:00 +0000

The 2020 spring edition of Pwn2Own (Pwn2Own Vancouver) was held from 19th March to 20th March 2020 in a virtual format due to the ongoing COVID-19 pandemic that has limited many contestants’ traveling operations.

(CVE-2020-3800) Adobe Reader xfa.loadXML Use-after-Free

Tue, 17 Mar 2020 00:00:00 +0000

CVE: CVE-2020-3800

Tested Versions:

Acrobat DC version 2019.008.20064 (Windows 10 64-bit)

Product URL(s):

Description of the vulnerability

Adobe Acrobat is a family of application software and Web services developed by Adobe Inc. to view, create, manipulate, print and manage files in Portable Document Format (PDF).

Both Adobe Reader and Acrobat DC share the same AcroForm.api plugin: File Version 19.012.20040.17853

Adobe Reader and Adobe Acrobat DC crashes after executing the following Javascript code:

(CVE-2020-3801) Adobe Reader XFA Heap Address Leak

Tue, 17 Mar 2020 00:00:00 +0000

CVE: CVE-2020-3801

Tested Versions:

Acrobat DC version 2019.008.20064 (Windows 10 64-bit)

Product URL(s):

Description of the vulnerability

Adobe Acrobat is a family of application software and Web services developed by Adobe Inc. to view, create, manipulate, print and manage files in Portable Document Format (PDF).

Both Adobe Reader and Acrobat DC share the same AcroForm.api plugin: File Version 19.012.20040.17853

Adobe Reader (and Adobe Acrobat DC) has a weird “feature” that leaks heap pointer after executes Javascript when openning XFA PDF. Any of these Javascript below would work.

(CVE-2020-9816) macOS libFontParser HeapOverflow Vulnerability

Tue, 17 Mar 2020 00:00:00 +0000

CVE: CVE-2020-9816

Tested Versions:

macOS Catalina 10.15.1 (19B88)

Product URL(s):

https://apple.com

Description of the vulnerability

This vulnerability exists in libFontParser.dylib, which is a part of CoreGraphic library is widely used in macOS, iOS, iPadOS to parse Font. Attacker can craft an evil PDF contains malicious font could leads to remote code execution in Apple devices.

The bug exists in TParsingContext::Subroutine method, which parse Subrs field in Type1 Font. TParsingContext::Subroutine try to calculate decrypted buffer size from IV and encrypted buffer size but fail to make sure that decrypted buffer size and encrypted buffer size.

(CVE-2020-2682) Oracle VirtualBox VBoxVHWAHandleTable Out-Of-Bounds Access Privilege Escalation

Wed, 15 Jan 2020 00:00:00 +0000

CVE: CVE-2020-2682

Tested Versions:

Oracle VirtualBox 5.2.18 revision r123745

Product URL(s):

https://virtualbox.org

Description of the vulnerability

(CVE-2020-2674) Oracle VirtualBox OHCI Use-After-Free

Tue, 14 Jan 2020 00:00:00 +0000

CVE: CVE-2020-2674

Tested Versions:

Oracle VirtualBox 5.2.18 revision r123745

Product URL(s):

https://virtualbox.org

Description of the vulnerability

(CVE-2019-16452) Adobe Acrobat/Reader getSound JSObject Use-after-Free - TianFu Cup 2019

Tue, 10 Dec 2019 00:00:00 +0000

CVE: CVE-2019-16452

Tested Versions:

Adobe Acrobat and Reader versions 2019.012.20035 and earlier

Product URL(s):

Adobe Acrobat is a family of application software and Web services developed by Adobe Inc. to view, create, manipulate, print and manage files in Portable Document Format (PDF). The basic Acrobat Reader, available for several desktop and mobile platforms, is freeware; it supports viewing, printing and annotating of PDF files. The commercial proprietary Acrobat, available for Microsoft Windows and macOS only, can also create, edit, convert, digitally sign, encrypt, export and publish PDF files.

(CVE-2020-0889) Microsoft Jet Database Format Record Length Memory Corruption

Wed, 04 Dec 2019 00:00:00 +0000

CVE: CVE-2020-0889

Tested Versions:

msexcl40.dll 4.0.9801.17

Product URL(s):

https://microsoft.com

Description of the vulnerability

msexcl40.dll is a part of Microsoft Jet Excel. It is responsible for processing Excel files. When opening a craft .xls file, especially when the pExcelRecordBuffer is corrupt, this will cause an Out-of-Bounds write problem.

The crash occurs at msexcl40!WriteStringPool+0xa5:

0:000> r
eax=25c90000 ebx=256662ec ecx=00000000 edx=00000000 esi=00000000 edi=256662ec
eip=7ca9a905 esp=00f6ea8c ebp=00000000 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
msexcl40!WriteStringPool+0xa5:
7ca9a905 8910            mov     dword ptr [eax],edx  ds:002b:25c90000=????????
0:000> kb
 # ChildEBP RetAddr  Args to Child              
00 00f6eab0 7ca98066 256657ac 256600fc 256657ac msexcl40!WriteStringPool+0xa5
01 00f6ead4 7ca8b496 256657ac 00000000 00000000 msexcl40!ExcelMISave+0x86
02 00f6eaf0 7ca84f41 256657ac 00000000 00000000 msexcl40!ExcelCloseFile+0x26
03 00f6eb08 7ca7d996 25665744 00000000 252aaf20 msexcl40!WorkbookClose+0x31
04 00f6eb24 7c83b36a 00000000 00000001 00000000 msexcl40!WBDBCloseDatabase+0xd6
05 00f6eb3c 7c81cf4c 252aaf20 000000ff 00000000 msjet40!ErrDispCloseDatabase+0x4a
06 00f6eb50 7c77afb0 252aaf20 000000ff 00000000 msjet40!JetCloseDatabase+0x3c
07 00f6ebd4 7c5643e9 25cafef4 00000000 25cb3fb0 msjetoledb40!CDBSession::~CDBSession+0x220
08 00f6ebe8 7c5a67fb 25cafee8 7c562a99 45181ec9 oledb32!CACMDynamic<CACMAggregationWrapper>::CmFinalRelease+0x5c
09 00f6ebf0 7c562a99 45181ec9 27689fe0 7c562a40 oledb32!CSCM::FinalRelease+0xa
0a 00f6ec14 7c53dd1c 25cafee8 2767fee8 00f6ec9c oledb32!CSCMComPolyObject<CSCM>::Release+0x59
0b 00f6ec24 7c779255 25cafef4 f3aefcc7 2767fee8 oledb32!ATL::CComContainedObject<CACMAggregationWrapper>::Release+0x1c
0c 00f6ec6c 00297521 274e4fdc 00000000 0032ae58 msjetoledb40!CCommand::~CCommand+0x175

EAX should be ExcelRecordBuffer locates at msexcl40!pExcelRecordBuffer, but as we see, the value is corrupted

(CVE-2020-2902) Oracle VirtualBox Direct3D 9 Shader Out-of-Bounds Write Remote Code Execution Vulnerability

Wed, 04 Dec 2019 00:00:00 +0000

CVE: CVE-2020-2902

Tested Versions:

Microsoft Direct3D 9 Runtime version 10.0.17763.1

Product URL(s):

https://microsoft.com

Description of the vulnerability

TianFu Cup 2019

Sun, 17 Nov 2019 00:00:00 +0000

Our researcher, Phan Thanh Duy, successfully pwned Adobe PDF Reader.

References

Twitter: @tianfucup results

(CVE-2020-0961) Microsoft Jet Database file position integer overflow Memory Corruption

Wed, 13 Nov 2019 00:00:00 +0000

CVE: CVE-2020-0961

Tested Versions:

msexcl40.dll 4.0.9801.17

Product URL(s):

https://microsoft.com

Description of the vulnerability

msexcl40.dll is a part of Microsoft Jet Excel, it is responsible for to process excel files when opening a specially crafted .xls file, an memory corruption will occur.

The crash occurs at msexcl40!memcpy+0x2a:

(42b8.1bc0): Access violation - code c0000005 (first/second chance not available)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=9f33c218 ebx=00000004 ecx=00000004 edx=00000004 esi=9f33c214 edi=00b3e080
eip=5374abda esp=00b3e00c ebp=00b3e1cc iopl=0         nv up ei pl nz ac pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000217
msexcl40!memcpy+0x2a:
5374abda f3a4            rep movs byte ptr es:[edi],byte ptr [esi]
0:000> kb
 # ChildEBP RetAddr  Args to Child              
00 00b3e010 5373b647 00b3e080 9f33c214 00000004 msexcl40!memcpy+0x2a
01 00b3e028 5372cd8d 25111a7a 00b3e080 00000004 msexcl40!BFReadFile+0x57
02 00b3e1cc 537276c4 251117de 5375c770 00000000 msexcl40!ExcelScanFile+0x12d
03 00b3e1e0 53727c8e 25111776 00000000 00b3e324 msexcl40!NextName+0x24
04 00b3e200 5371cc1a 25111776 00b3e324 00000100 msexcl40!WorkbookNameFirst+0x2e
05 00b3e524 5371dc52 251127a6 256a6168 00b3e54c msexcl40!LocateTableInDatabase+0x28a
06 00b3eb6c 7b8bb575 20a16f20 00000001 256a6168 msexcl40!WBDBDeleteTable+0x1f2
07 00b3eb80 7b89b716 20a16f20 000000ff 256a6168 msjet40!ErrDispDeleteTable+0x35
08 00b3eb9c 7b978e1a 20a16f20 000000ff 256a6168 msjet40!ErrDeleteTable+0x56
09 00b3ed98 7b9449c8 20a16f20 000000ff 000007ff msjet40!ErrExecuteDDL+0xe2e
0a 00b3edc8 7b94634d 20a16f20 000000ff 000007ff msjet40!ErrExecuteTempQuery+0xa0
0b 00b3edf8 7b7f5d40 20a16f20 000000ff 000007ff msjet40!JetExecuteTempQuery+0x90
0c 00b3eea4 7b64d303 25630ff0 25652f34 7b5c48bc msjetoledb40!CImpICommandText::Execute+0x390
0d 00b3efdc 00707521 25648fdc 00000000 0079ae58 oledb32!CCommandText::Execute+0x313

From the crash, we get to know that the source address of memcpy is wrong. In our case, it is 0x9f33c214. Through reverse engineering, we found this value comes from [EDI+0x8] at 0x1002B611:

(CVE-2019-1406) Microsoft Jet Engine ColumnLvText Type Confusion

Tue, 12 Nov 2019 00:00:00 +0000

CVE: CVE-2019-1406

Tested Versions:

Windows 10 version 1903 and below
Windows 7

Product URL(s): https://www.microsoft.com

The Microsoft Jet Database Engine (also Microsoft JET Engine or simply Jet) is a database engine on which several Microsoft products have been built. JET stands for Joint Engine Technology. Microsoft Access and Visual Basic have used Jet as their underlying database engine.

Description of the vulnerability

The vulnerable DLL msjet40.dll is a component in versions from Windows 7 to Windows 10. The vulnerability described here can be triggered with a specially-crafted MDB file, and could lead to code execution.

(CVE-2019-2984) Oracle VirtualBox Video Hardware Acceleration NULL Pointer Dereferences

Sun, 20 Oct 2019 00:00:00 +0000

CVE: CVE-2019-2984

Tested Versions: Oracle VirtualBox 5.2.18 revision r123745

Product URL(s): https://virtualbox.org

VirtualBox is a x86 and AMD64/Intel64 virtualization product for enterprise as well as home use. It is a solution commercially supported by Oracle, in addition to being made available as open source software. It runs on various host platforms like Windows, Linux, Mac and Solaris and also supports a large number of guest operating systems.

There are several interfaces for the guest to communicate with the host in VirtualBox, one of them is Host-Guest Shared Memory Interface (HGSMI) services. These vulnerabilities occur in the VirtualBox Video Acceleration (VBVA) channel, which works on top of HGSMI.

(CVE-2019-3002) Oracle VirtualBox Integer Divide by Zero in hdaR3StreamInit

Sun, 20 Oct 2019 00:00:00 +0000

CVE: CVE-2019-3002

Tested Versions:

Oracle VirtualBox 6.0.4 revision r128413

Product URL(s): https://virtualbox.org

Vulnerability

Intel HD Audio (HDA) is the default VirtualBox Audio Controller for Windows guests. The vulnerability occurs while processing an audio stream which the guest sends to the host via this emulated device.

(CVE-2019-3005) Oracle VirtualBox NULL Pointer Dereference in hdaR3WalClkSet

Sun, 20 Oct 2019 00:00:00 +0000

CVE: CVE-2019-3005

Tested Versions:

Oracle VirtualBox 6.0.4 revision r128413

Product URL(s): https://virtualbox.org

Vulnerability

(CVE-2019-3026) Oracle VirtualBox VBoxSVGA Invalid Check in vmsvgaFIFOLoop

Sun, 20 Oct 2019 00:00:00 +0000

CVE: CVE-2019-3026

Tested Versions:

Oracle VirtualBox 6.0.4 revision r128413

Product URL(s): https://virtualbox.org

Vulnerability

VboxSVGA is the default Video Adapter for Windows guests. The vulnerability occurs while processing an SVGA command which the guest send to the host.

(CVE-2019-3031) Oracle VirtualBox VMSVGA Out-of-Bounds Read in vmsvga3dSetLightEnabled

Sun, 20 Oct 2019 00:00:00 +0000

CVE: CVE-2019-3031

Tested Versions:

Oracle VirtualBox 6.0.4 revision r128413

Product URL(s): https://virtualbox.org

Vulnerability

Besides the default VirtualBox Video Adapter, VirtualBox also emulates VMware virtual SVGA device. It is not enabled by default. The vulnerability occurs while processing a SVGA command which the guest send to the host.

HITB Driven2Pwn 2019

Thu, 17 Oct 2019 00:00:00 +0000

HITB Driven2Pwn is the UAE’s first bug bounty buffet event — a one-stop collaborative bounty organised by Hack In The Box, VXRL and Vulnerability Labs.

Our researcher, Pham Hong Phi, successfully pwned Oracle VirtualBox in the Virtualization Category.

References

Twitter: @driven2pwn announcement

(CVE-2019-8220) Adobe Reader CLstBxField Use-after-Free

Tue, 15 Oct 2019 00:00:00 +0000

CVE: CVE-2019-8220

Tested Versions:

Adobe Acrobat and Reader DC versions 2019.012.20040 and earlier

Product URL(s):

Description of the vulnerability

Adobe Acrobat is a family of application software and Web services developed by Adobe Inc. to view, create, manipulate, print and manage files in Portable Document Format (PDF).

Both Adobe Reader and Acrobat DC share the same DigSig.api plugin:

Image path: C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\plug_ins\DigSig.api
File Version Number: 19.10.20064.48846
Product Version Number:  19.10.20064.48846
Comments:  The Digital Signature plug-in (DigSig) provides a generic PDF file digital-signing service. [...]
Company Name:  Adobe Systems Incorporated
File Description:  Adobe Acrobat Digital Signature Plug-in
File Version:  19.10.20064.310990
Legal Copyright: Copyright 1984-2018 Adobe Systems Incorporated and its licensors. All rights reserved.
Product Name:  Adobe Acrobat Digital Signature Plug-in
Product Version: 19.10.20064.310990

There is a use-after-free bug when Acrobat Reader executes Javascript related to Document.Field object.

(CVE-2019-8221) Adobe Reader Type Confusion in getColorConvertAction

Tue, 15 Oct 2019 00:00:00 +0000

CVE: CVE-2019-8221

Tested Versions:

Acrobat DC version 2019.008.20064 (Windows 10 64-bit)

Product URL(s):

Description of the vulnerability

Adobe Acrobat is a family of application software and Web services developed by Adobe Inc. to view, create, manipulate, print and manage files in Portable Document Format (PDF).

Both Adobe Reader and Acrobat DC share the same Escript.api plugin:

Image path: C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\plug_ins\EScript.api
Image name: EScript.api
Browse all global symbols  functions  data
Timestamp:        Tue Dec  4 10:46:45 2018 (5C06CB95)
CheckSum:         00000000
ImageSize:        002AB000
File version:     19.10.20064.48846
Product version:  19.10.20064.48846
File flags:       0 (Mask 3F)
File OS:          4 Unknown Win32
File type:        2.0 Dll
File date:        00000000.00000000
Translations:     0409.04b0
Information from resource tables:
    CompanyName:      Adobe Systems Incorporated
    ProductName:      Adobe Acrobat Escript
    InternalName:     Escript
    OriginalFilename: Escript.api
    ProductVersion:   19.10.20064.310990
    FileVersion:      19.10.20064.310990
    FileDescription:  Adobe Acrobat Escript Plug-in

Technical Details

There is type-confusion because the colorConvertPage function does not check the object type.

(CVE-2019-1250) Microsoft Jet database Record::IsNull Memory Corruption

Tue, 10 Sep 2019 00:00:00 +0000

CVE: CVE-2019-1250

Tested Versions:

Windows 10 version 1903 and below
Windows 7

Product URL(s): https://www.microsoft.com

Vulnerability

The vulnerable DLL msrd3x40.dll is a component in versions from Windows 7 to Windows 10. The vulnerability described here can be triggered with a specially-crafted MDB file, and could lead to code execution.

(CVE-2019-8011) Acrobat Reader DC 2d.x3d!_LoadTIFF() Out-of-Bounds Read

Tue, 13 Aug 2019 00:00:00 +0000

CVE: CVE-2019-8011

Tested Versions:

Adobe Reader DC 2019.010.20099

Product URL(s):

Description of the vulnerability

Adobe Acrobat is a family of application software and Web services developed by Adobe Inc. to view, create, manipulate, print and manage files in Portable Document Format (PDF). It provides compatibility to the ECMA-363 Standard (Universal 3D File Format) via 3difr.x3d, 2d.x3d and rt3d.dll, which allow viewing embedded 3D contents in PDF files. The ECMA-363 standard allows external texture images to be encoded with the Texture Resource Declaration Block, with options to load either JPEG/PNG images embedded in the PDF file, or other image types from the local file system. These external image formats include TGA, TIFF, PIC, GIF, BMP, PCX, PPM, IFF, FLI/FLC, RGB, PSD, RLE and CEL. The 2d.x3d module is activated when the users choose to enable 3D content display.

(CVE-2019-8018) Acrobat Reader DC 2d.x3d!_LoadRGB() OOB Read in TRGB::expandrow()

Tue, 13 Aug 2019 00:00:00 +0000

CVE: CVE-2019-8018

Tested Versions:

Adobe Reader DC 2019.010.20099

Product URL(s):

Description of the vulnerability

Adobe Acrobat is a family of application software and Web services developed by Adobe Inc. to view, create, manipulate, print and manage files in Portable Document Format (PDF). It provides compatibility to the ECMA-363 Standard (Universal 3D File Format) via 3difr.x3d, 2d.x3d and rt3d.dll, which allow viewing embedded 3D contents in PDF files. The ECMA-363 standard allows external texture images to be encoded with the Texture Resource Declaration Block, with options to load either JPEG/PNG images embedded in the PDF file, or other image types from the local file system. These external image formats include TGA, TIFF, PIC, GIF, BMP, PCX, PPM, IFF, FLI/FLC, RGB, PSD, RLE and CEL. The 2d.x3d module is activated when the users choose to enable 3D content display.

(CVE-2019-8038) Adobe Acrobat/Reader CTextWidget Use-after-Free

Thu, 20 Jun 2019 00:00:00 +0000

CVE: CVE-2019-8038

Tested Versions:

Adobe Acrobat and Reader versions 2019.012.20035 and earlier

Product URL(s):

Description of the vulnerability

Adobe Acrobat is a family of application software and Web services developed by Adobe Inc. to view, create, manipulate, print and manage files in Portable Document Format (PDF). The basic Acrobat Reader, available for several desktop and mobile platforms, is freeware; it supports viewing, printing and annotating of PDF files. The commercial proprietary Acrobat, available for Microsoft Windows and macOS only, can also create, edit, convert, digitally sign, encrypt, export and publish PDF files.

(CVE-2019-8039) Adobe Acrobat/Reader CTextField Use-after-Free

Thu, 20 Jun 2019 00:00:00 +0000

CVE: CVE-2019-8039

Tested Versions:

Adobe Acrobat and Reader versions 2019.012.20035 and earlier

Product URL(s):

Description of the vulnerability

Adobe Acrobat is a family of application software and Web services developed by Adobe Inc. to view, create, manipulate, print and manage files in Portable Document Format (PDF). The basic Acrobat Reader, available for several desktop and mobile platforms, is freeware; it supports viewing, printing and annotating of PDF files. The commercial proprietary Acrobat, available for Microsoft Windows and macOS only, can also create, edit, convert, digitally sign, encrypt, export and publish PDF files.

(CVE-2019-7142) Acrobat Reader DC 2d.x3d!_LoadRGB() Out-of-Bounds Read/Write in TRGB::expandrow()

Tue, 14 May 2019 00:00:00 +0000

CVE: CVE-2019-7142

Tested Versions:

Adobe Reader DC 2019.010.20099

Product URL(s):

Description of the vulnerability

Adobe Acrobat is a family of application software and Web services developed by Adobe Inc. to view, create, manipulate, print and manage files in Portable Document Format (PDF). It provides compatibility to the ECMA-363 Standard (Universal 3D File Format) via 3difr.x3d, 2d.x3d and rt3d.dll, which allow viewing embedded 3D contents in PDF files. The ECMA-363 standard allows external texture images to be encoded with the Texture Resource Declaration Block, with options to load either JPEG/PNG images embedded in the PDF file, or other image types from the local file system. These external image formats include TGA, TIFF, PIC, GIF, BMP, PCX, PPM, IFF, FLI/FLC, RGB, PSD, RLE and CEL. The 2d.x3d module is activated when the users choose to enable 3D content display.

(CVE-2019-8010) Acrobat Reader DC 2d.x3d!_LoadTIFF() Out-of-Bounds Read

Tue, 07 May 2019 00:00:00 +0000

CVE: CVE-2019-8010

Tested Versions:

Adobe Reader DC 2019.010.20099

Product URL(s):

Description of the vulnerability

Adobe Acrobat is a family of application software and Web services developed by Adobe Inc. to view, create, manipulate, print and manage files in Portable Document Format (PDF). It provides compatibility to the ECMA-363 Standard (Universal 3D File Format) via 3difr.x3d, 2d.x3d and rt3d.dll, which allow viewing embedded 3D contents in PDF files. The ECMA-363 standard allows external texture images to be encoded with the Texture Resource Declaration Block, with options to load either JPEG/PNG images embedded in the PDF file, or other image types from the local file system. These external image formats include TGA, TIFF, PIC, GIF, BMP, PCX, PPM, IFF, FLI/FLC, RGB, PSD, RLE and CEL. The 2d.x3d module is activated when the users choose to enable 3D content display.

(CVE-2019-7118) Acrobat Reader DC 2d.x3d!_LoadRGB() Out-of-Bounds Write in TRGB::Read()

Tue, 09 Apr 2019 00:00:00 +0000

CVE: CVE-2019-7118

Tested Versions:

Adobe Reader DC 2019.010.20064

Product URL(s):

Description of the vulnerability

Adobe Acrobat is a family of application software and Web services developed by Adobe Inc. to view, create, manipulate, print and manage files in Portable Document Format (PDF). It provides compatibility to the ECMA-363 Standard (Universal 3D File Format) via 3difr.x3d, 2d.x3d and rt3d.dll, which allow viewing embedded 3D contents in PDF files. The ECMA-363 standard allows external texture images to be encoded with the Texture Resource Declaration Block, with options to load either JPEG/PNG images embedded in the PDF file, or other image types from the local file system. These external image formats include TGA, TIFF, PIC, GIF, BMP, PCX, PPM, IFF, FLI/FLC, RGB, PSD, RLE and CEL. The 2d.x3d module is activated when the users choose to enable 3D content display.

(CVE-2019-7119) Acrobat Reader DC 2d.x3d!_LoadRGB() Out-of-Bounds Write in TRGB::Read()

Tue, 09 Apr 2019 00:00:00 +0000

CVE: CVE-2019-7119

Tested Versions:

Adobe Reader DC 2019.010.20064

Product URL(s):

Description of the vulnerability

Adobe Acrobat is a family of application software and Web services developed by Adobe Inc. to view, create, manipulate, print and manage files in Portable Document Format (PDF). It provides compatibility to the ECMA-363 Standard (Universal 3D File Format) via 3difr.x3d, 2d.x3d and rt3d.dll, which allow viewing embedded 3D contents in PDF files. The ECMA-363 standard allows external texture images to be encoded with the Texture Resource Declaration Block, with options to load either JPEG/PNG images embedded in the PDF file, or other image types from the local file system. These external image formats include TGA, TIFF, PIC, GIF, BMP, PCX, PPM, IFF, FLI/FLC, RGB, PSD, RLE and CEL. The 2d.x3d module is activated when the users choose to enable 3D content display.

(CVE-2019-7120) Acrobat Reader DC 2d.x3d!_LoadILBM() Out-of-Bounds Read in TIF::Read()

Tue, 09 Apr 2019 00:00:00 +0000

CVE: CVE-2019-7120

Tested Versions:

Adobe Reader DC 2019.010.20064

Product URL(s):

Description of the vulnerability

Adobe Acrobat is a family of application software and Web services developed by Adobe Inc. to view, create, manipulate, print and manage files in Portable Document Format (PDF). It provides compatibility to the ECMA-363 Standard (Universal 3D File Format) via 3difr.x3d, 2d.x3d and rt3d.dll, which allow viewing embedded 3D contents in PDF files. The ECMA-363 standard allows external texture images to be encoded with the Texture Resource Declaration Block, with options to load either JPEG/PNG images embedded in the PDF file, or other image types from the local file system. These external image formats include TGA, TIFF, PIC, GIF, BMP, PCX, PPM, IFF, FLI/FLC, RGB, PSD, RLE and CEL. The 2d.x3d module is activated when the users choose to enable 3D content display.

(CVE-2019-7121) Acrobat Reader DC 2d.x3d!_LoadILBM() Out-of-Bounds Read in TIF::Read()

Tue, 09 Apr 2019 00:00:00 +0000

CVE: CVE-2019-7121

Tested Versions:

Adobe Reader DC 2019.010.20064

Product URL(s):

Description of the vulnerability

Adobe Acrobat is a family of application software and Web services developed by Adobe Inc. to view, create, manipulate, print and manage files in Portable Document Format (PDF). It provides compatibility to the ECMA-363 Standard (Universal 3D File Format) via 3difr.x3d, 2d.x3d and rt3d.dll, which allow viewing embedded 3D contents in PDF files. The ECMA-363 standard allows external texture images to be encoded with the Texture Resource Declaration Block, with options to load either JPEG/PNG images embedded in the PDF file, or other image types from the local file system. These external image formats include TGA, TIFF, PIC, GIF, BMP, PCX, PPM, IFF, FLI/FLC, RGB, PSD, RLE and CEL. The 2d.x3d module is activated when the users choose to enable 3D content display.

(CVE-2019-7122) Acrobat Reader DC 2d.x3d!_LoadTIFF() Out-of-Bounds Read in TTIFFread::TifReadChunkyRGB()

Tue, 09 Apr 2019 00:00:00 +0000

CVE: CVE-2019-7122

Tested Versions:

Adobe Reader DC 2019.010.20064

Product URL(s):

Description of the vulnerability

Adobe Acrobat is a family of application software and Web services developed by Adobe Inc. to view, create, manipulate, print and manage files in Portable Document Format (PDF). It provides compatibility to the ECMA-363 Standard (Universal 3D File Format) via 3difr.x3d, 2d.x3d and rt3d.dll, which allow viewing embedded 3D contents in PDF files. The ECMA-363 standard allows external texture images to be encoded with the Texture Resource Declaration Block, with options to load either JPEG/PNG images embedded in the PDF file, or other image types from the local file system. These external image formats include TGA, TIFF, PIC, GIF, BMP, PCX, PPM, IFF, FLI/FLC, RGB, PSD, RLE and CEL. The 2d.x3d module is activated when the users choose to enable 3D content display.

(CVE-2019-7123) Acrobat Reader DC 2d.x3d!_LoadRGB() Memory Corruption in TRGB::expandrow()

Tue, 09 Apr 2019 00:00:00 +0000

CVE: CVE-2019-7123

Tested Versions:

Adobe Reader DC 2019.010.20064

Product URL(s):

Description of the vulnerability

Adobe Acrobat is a family of application software and Web services developed by Adobe Inc. to view, create, manipulate, print and manage files in Portable Document Format (PDF). It provides compatibility to the ECMA-363 Standard (Universal 3D File Format) via 3difr.x3d, 2d.x3d and rt3d.dll, which allow viewing embedded 3D contents in PDF files. The ECMA-363 standard allows external texture images to be encoded with the Texture Resource Declaration Block, with options to load either JPEG/PNG images embedded in the PDF file, or other image types from the local file system. These external image formats include TGA, TIFF, PIC, GIF, BMP, PCX, PPM, IFF, FLI/FLC, RGB, PSD, RLE and CEL. The 2d.x3d module is activated when the users choose to enable 3D content display.

Pwn2Own Vancouver 2019

Fri, 22 Mar 2019 00:00:00 +0000

The 2019 spring edition of Pwn2Own (Pwn2Own Vancouver) was held from 20th March to 22nd March 2019.

(CVE-2019-2722) Oracle VirtualBox e1000 Integer Underflow - Pwn2Own

Wed, 20 Mar 2019 00:00:00 +0000

CVE: CVE-2019-2722

Tested Versions:

Oracle VirtualBox 5.2.28 and earlier
Oracle VirtualBox 6.0.6 and earlier

Product URL(s): https://virtualbox.org

(CVE-2019-9133) KMPlayer Subtitles Parser Integer Overflow Vulnerability

Thu, 07 Mar 2019 00:00:00 +0000

CVE: CVE-2019-9133

Tested Versions:

KMPlayer 4.2.2.12 KMP Plus

Product URL(s):

http://www.kmplayer.com/

Description of the vulnerability

K-Multimedia Player (KMPlayer) is a media player for Windows which can play a large number of formats including VCD, DVD, AVI, MKV, Ogg, OGM, 3GP, MPEG-1/2/4, AAC, WMA 7, 8, WMV, RealMedia, FLV and QuickTime. When processing .sup files, KMPlayer doesn’t check the Object size correctly, which leads to integer overflow then to memory out-of-bound read.

(CVE-2018-20334) ASUSWRT Command Injection in start_apply.htm

Tue, 19 Feb 2019 00:00:00 +0000

Tue, 19 Feb 2019 00:00:00 +0000

CVE: CVE-2019-16340

Tested Versions:

Linksys Velop 1.1.2.185309

Product URL(s): https://www.linksys.com/us/velop/

Velop is a WHOLE HOMEMESH Wi-Fi system from LINKSYS. It allows users to enjoy fast, nonstop Wi-Fi everywhere with Velop’s modular easy-to-use Wi-Fi Mesh system.

There are three categories from their official site: WHW0303, WHW0302, WHW0301.

The differences between these three are the pack count: 1, 2 or 3. The system is the same.

Vulnerability

There are many information leak problems; one of them is through /sysinfo_json.cgi, requesting this URL will leak sensitive information and may lead to authentication bypass.

(CVE-2019-7035) Acrobat Reader DC 2d.x3d!_LoadGIF() Arbitrary Write in TGIF::PutPixel()

Tue, 12 Feb 2019 00:00:00 +0000

CVE: CVE-2019-7035

Tested Versions:

Adobe Reader DC 2019.010.20064

Product URL(s):

Description of the vulnerability

Adobe Acrobat is a family of application software and Web services developed by Adobe Inc. to view, create, manipulate, print and manage files in Portable Document Format (PDF). It provides compatibility to the ECMA-363 Standard (Universal 3D File Format) via 3difr.x3d, 2d.x3d and rt3d.dll, which allow viewing embedded 3D contents in PDF files. The ECMA-363 standard allows external texture images to be encoded with the Texture Resource Declaration Block, with options to load either JPEG/PNG images embedded in the PDF file, or other image types from the local file system. These external image formats include TGA, TIFF, PIC, GIF, BMP, PCX, PPM, IFF, FLI/FLC, RGB, PSD, RLE and CEL. The 2d.x3d module is activated when the users choose to enable 3D content display.

(CVE-2019-16337) Hancom Office Use-after-Free in HncBD90

Thu, 10 Jan 2019 00:00:00 +0000

CVE: CVE-2019-16337

Tested Versions:

Hancom Office NEO (HncBD90 version 9.6.1.9403)

Product URL(s): https://www.hancom.com/cs_center/csDownload.do

Description of the vulnerability

Hangul Office is published by Hancom, Inc. and is considered one of the more popular Office suites used within South Korea. When opening a specially crafted Office Open XML Workbook (.xlsx), HncBD90 uses realloc function to reallocate a memory buffer, but after the realloc it continues using the old pointer that has been freed, resulting in a use-after-free vulnerability. This could lead to code execution under the context of the application.

(CVE-2019-16338) Hancom Office tfo_common Object Use-after-Free in HwordApp

Thu, 10 Jan 2019 00:00:00 +0000

CVE: CVE-2019-16338

Tested Versions:

Hancom Office NEO (HwordApp)

Product URL(s): https://www.hancom.com/cs_center/csDownload.do

Description of the vulnerability

Hangul Office is published by Hancom, Inc. and is considered one of the more popular Office suites used within South Korea. When opening a specially crafted Office Open XML Document (.docx), HwordApp does not properly process a tfo_common object which will cause a use-after-free. This may lead to code execution under the context of the application.

(CVE-2019-16339) Hancom Hcell Unspecified Memory Corruption

Wed, 09 Jan 2019 00:00:00 +0000

CVE: CVE-2019-16339

Tested Versions:

HCell.exe 9.6.1.7363
SDSerialize 9.6.1.9403

Product URL(s): https://www.hancom.com/cs_center/csDownload.do

Hangul Office is published by Hancom, Inc. and is considered one of the more popular Office suites used within South Korea. This vulnerability was discovered within the SDSerialize.dll when opening a specially crafted Office Open XML Workbook (.xlsx). This is part of the Hangul Office Suite.

Vulnerability

0:000> lmvm SDSerialize
start    end        module name
6eca0000 6ed36000   SDSerialize   (export symbols)       C:\Program Files (x86)\Hnc\Office NEO\HOffice96\Bin\SDSerialize.dll
    Loaded symbol image file: C:\Program Files (x86)\Hnc\Office NEO\HOffice96\Bin\SDSerialize.dll
    Image path: C:\Program Files (x86)\Hnc\Office NEO\HOffice96\Bin\SDSerialize.dll
    Image name: SDSerialize.dll
    Timestamp:        Thu Apr 12 17:20:43 2018 (5ACF24EB)
    CheckSum:         0005FF4F
    ImageSize:        00096000
    File version:     9.6.1.9403
    Product version:  9.6.1.9403
    File flags:       0 (Mask 3F)
    File OS:          4 Unknown Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Hancom Inc.
    ProductName:      Hancom, Inc.  Common Library 9.0
    InternalName:     SDSERIALIZE.DLL
    OriginalFilename: SDSerialize.dll
    ProductVersion:   9, 6, 1, 9403
    FileVersion:      9, 6, 1, 9403
    FileDescription:  Hancom Inc.  SDSerialize 9.0
    LegalCopyright:   Copyright 1989. Hancom Inc. All rights reserved.
    LegalTrademarks:  SDSERIALIZE is a registered trademark of Hancom Inc.

[NOTE]

(CVE-2018-20333) ASUSWRT Information Disclosure on update_applist.asp

Fri, 21 Dec 2018 00:00:00 +0000

CVE: CVE-2018-20333

Tested Versions: ASUSWRT 3.0.0.4.384.20308 (2018/02/01)

Product URL(s): https://www.asus.com/us/ASUSWRT/

Vulnerability

An unauthenticated user can request the http://<ROUTERIP>/update_applist.asp to see if a USB device is attached to the router and if there are apps installed on the router. Although getting to know if a USB storage is attached to the device does seems not a vulnerability, this will let the attacker knows more about the router.

(CVE-2019-6984) Foxit Reader U3D Shading Modifier Block Integer Overflow Vulnerability

Wed, 28 Nov 2018 00:00:00 +0000

CVE: CVE-2019-6984

Tested Versions:

Foxit Reader 9.1.0.5096, U3DBrowser.fpi 9.1.0.425

Product URL(s):

https://www.foxitsoftware.com/pdf-reader/

Description of the vulnerability

Foxit Reader is a popular PDF reading and printing software. It provides compatibility to the ECMA-363 Standard (Universal 3D File Format) via the U3DBrowser plug-in, which allows viewing embedded 3D annotations in PDF files. Up to version 9.0.1.1049 the plug-in is loaded in its default installation package, subsequent version continues the support to its user base with the plug-in separately acquired.

(CVE-2019-6985) Foxit Reader U3D 2D Glyph Modifier Block Use-after-Free Vulnerability

Wed, 28 Nov 2018 00:00:00 +0000

CVE: CVE-2019-6985

Tested Versions:

Foxit Reader 9.1.0.5096, U3DBrowser.fpi 9.1.0.425

Product URL(s):

https://www.foxitsoftware.com/pdf-reader/

Description of the vulnerability

(CVE-2019-6982) Foxit Reader U3D CLOD Mesh Declaration OOB Write

Tue, 27 Nov 2018 00:00:00 +0000

CVE: CVE-2019-6982

Tested Versions: Foxit Reader 9.0.1.1049, U3DBrowser.fpi 9.0.1.994

Product URL(s): https://www.foxitsoftware.com/pdf-reader/

(CVE-2019-6983) Foxit Reader U3D File Header Block Heap Overflow

Tue, 27 Nov 2018 00:00:00 +0000

CVE: CVE-2019-6983

Tested Versions: Foxit Reader 9.1.0.5096, U3DBrowser.fpi 9.1.0.425

Product URL(s): https://www.foxitsoftware.com/pdf-reader/

Alicia Ho