πŸ”’
❌
There are new articles available, click to refresh the page.
Before yesterdayBlog on STAR Labs

Adventures in Hypervisor: Oracle VirtualBox Research

3 April 2020 at 00:00

I have been into the vulnerability research field for a while now, and VirtualBox is my very first target. I have learned a lot along the way and I hope that anyone who are interested in escaping hypervisors can find something useful from these notes. I assume that you have some basic knowledge on memory corruption, hypervisor architecture and device I/O.

TianFu Cup 2019: Adobe Reader Exploitation

10 April 2020 at 00:00

Last year, I participated in the TianFu Cup competition in Chengdu, China. The chosen target was the Adobe Reader. This post will detail a use-after-free bug of JSObject. My exploit is not clean and not an optimal solution. I have finished this exploit through lots of trial and error. It involves lots of heap shaping code which I no longer remember exactly why they are there. I would highly suggest that you read the full exploit code and do the debugging yourself if necessary. This blog post was written based on a Windows 10 host with Adobe Reader.

Oracle VirtualBox VHWA Use-After-Free Privilege Escalation Vulnerability

26 June 2020 at 00:00

As part of my month-long internship at STAR Labs, I was introduced to VirtualBox and learnt much about bug hunting and triaging, root-cause analysis and exploitation. This post will detail a use-after-free bug I found during the duration of the internship, and specifics on the VM escape exploit that I wrote utilising the bug. The latest version at the point of reporting was VirtualBox 6.1.2 r135662.

ASUSWRT URL Processing Stack Buffer Overflow

7 August 2020 at 00:00
While processing the URL for any blacklisted XSS list like the script tag in the check_xss_blacklist function, a stack buffer overflow is possible by extending the length of the URL when accessing the web interface of the ASUS Router. To exploit it, stack pivoting technique is used before chaining up ROP gadgets to call our own custom command. In this post, we show how this can be exploited to get a reverse shell.

This Font is not Your Type

4 September 2020 at 00:00
Half a year ago, I found a vulnerability in libFontParser.dylib, which is a part of CoreGraphics library that is widely used in macOS, iOS, iPadOS to parse and render fonts. This vulnerability was patched in iOS 13.5.1 & macOS 10.15.5. In this writeup, I will describe the bug in detail in hopes that it will help others to better understand this vulnerability. This issue could allow an attacker to execute code during the parsing of a malicious font.

Pwn2Own 2020: Oracle VirtualBox Escape

25 September 2020 at 00:00

In this post, we will cover the vulnerabilities used at Pwn2Own 2020 for the Oracle VirtualBox escape. These two vulnerabilities affect Oracle VirtualBox 6.1.4 and prior versions.

Analysis & Exploitation of a Recent TP-Link Archer A7 Vulnerability

16 October 2020 at 00:00
This post provides detailed analysis and an exploit achieving remote code execution for CVE-2020-10882, which was used at Pwn2Own 2019, on the TP-Link Archer C7: This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link Archer A7 AC1750 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the tdpServer service, which listens on UDP port 20002 by default. When parsing the slave_mac parameter, the process does not properly validate a user-supplied string before using it to execute a system call.

Instrumenting Adobe Reader with Frida

13 November 2020 at 00:00

Frida is an open-source dynamic instrumentation toolkit that has become popular in recent years, and its use in mobile security is especially prevalent.

In this post, I would like to provide a general introduction to the tool and show some examples of how it can also be used on the Windows platform.

Chrome 1-Day Hunting - Uncovering and Exploiting CVE-2020-15999

9 January 2021 at 00:00
Introduction This blog post details the exploitation process for the vulnerability CVE 2020-15999 in Google Chrome 86.0.4222.0 on Linux. While CVE 2020-15999 is a heap-based buffer overflow in the font-loading library Freetype rather than Chrome proper, its extensive use in the latter enables us to achieve code execution in the browser’s renderer. This post will not be focused on the analysis of the bug, but rather its exploitation, as extensive explanation and analysis can be found here.

You Talking To Me?

12 April 2021 at 00:00
What is WebDriver and How does it work? WebDriver is a protocol used for web browser automation. It can drive a browser to perform various tests on web pages as if a real user was navigating through them. It allows simulating user actions such as clicking links, entering text and submitting forms, which can help test if your website is working as intended. It is usually used for front-end testing and web crawling in a headless environment.

Simple Vulnerability Regression Monitoring with V8Harvest

25 June 2021 at 00:00
Introduction During my research into Javascript Engine (V8), I have created a small tool to help you view recent V8 bugs that contains regression test on a single page. Since most of the time, regression test often contains PoC to trigger the bug, it’s pretty useful to analyze them to find the root cause and writing exploit for the n-day bug. For example, regress-1053604.js contains the PoC to trigger the side-effect in kJSCreate opcode (CVE-2020-6418).

Identifying Bugs in Router Firmware at Scale with Taint Analysis

4 August 2021 at 00:00
In the past few months, Akash (@enigmatrix) and I (@daniellimws) worked on developing a taint analysis tool to find bugs in routers, with the guidance of Shi Ji (@puzzor) and Thach (@d4rkn3ss). We had developed a tool based on CVE-2019-8312 to CVE-2019-8319, which are command injection vulnerabilities on the D-Link DIR-878 router with firmware version 1.12A1. The goal was to automate the detection of such bugs. Ideally, the tool should be faster than finding the bugs manually.

Analysis of CVE-2021-1758 (CoreText Out-Of-Bounds Read)

14 September 2021 at 00:00
References: STARLabs Advisory STAR-21-1758 In February, Peter found a OOB read vulnerability in libFontParser.dylib. The latest tested version with the vulnerability is macOS Catalina 10.15.4 (19E287). I wrote a guide earlier on setting up a testing environment. Mac Resource Fork Font File References: Font Forge: Macintosh Font Formats Apple: MoreMacintoshToolbx fontTools: macRes It turns out that macOS can load something called a Mac Resource Fork font file.

Diving into Open-source LMS Codebases

16 November 2021 at 00:00
Introduction Looking to practice on source code review, I was diving into how open-source LMS codebases are structured in order to find undiscovered vulnerabilities. Initially, my main focus had been on Chamilo LMS (their source code can be found on GitHub). Afterwards, I looked into Moodle LMS (their source code can also be found on GitHub). The majority of the findings that were found are the ones you would think of when you hear the words β€œcommon web application vulnerabilities”, such as:

The Cat Escaped from the Chrome Sandbox

21 January 2022 at 00:00
Introduction On 13th September 2021, Google published the security advisory for Google Chrome. That advisory states that Google is aware of two vulnerabilities exploited in the wild, CVE-2021-30632 as RCE and CVE-2021-30633 as Sandbox Escape. In this post, I will talk about the bypass sandbox vulnerability CVE-2021-30633. Man Yue Mo had published a very detailed blog post explaining CVE-2021-30632, which is a Type Confusion bug that leads to RCE in Chrome.

New Wine in Old Bottle - Microsoft Sharepoint Post-Auth Deserialization RCE (CVE-2022-29108)

12 May 2022 at 00:00
Introduction Recently, I have had a some work which is related to Sharepoint, so I was learning on how to setup and debug old bugs of Sharepoint. In February, there was a Deserialization bug CVE-2022-22005 (post-auth of course). There is already a detailed analysis blog post about that written by a Vietnamese guy (here). The blog is written with great enthusiasm and detail. I also rely on the details in that blog to setup and debug.

Trying To Exploit A Windows Kernel Arbitrary Read Vulnerability

7 June 2022 at 00:00
Introduction I recently discovered a very interesting kernel vulnerability that allows the reading of arbitrary kernel-mode address. Sadly, the vulnerability was patched in Windows 21H2 (OS Build 22000.675), and I am unsure of the CVE being assigned to it. In this short blog post, I will share my journey of trying to exploit this vulnerability. Although I didn’t finish the exploit in the end, I have decided to share this with everyone anyway.

io_uring - new code, new bugs, and a new exploit technique

24 June 2022 at 00:00
For the past few weeks, I have been working on conducting N-day analysis and bug hunting in the io_uring subsystem of the Linux kernel with the guidance of my mentors, Billy and Ramdhan. In this article, I will briefly discuss the io_uring subsystem, as well as my approach to discovering and developing a new kernel exploit technique during my N-day analysis of CVE-2021-41073. I will also discuss two bugs I found while analyzing a new io_uring feature.

Adventures in Hypervisor: Oracle VirtualBox Research

3 April 2020 at 00:00

I have been into the vulnerability research field for a while now, and VirtualBox is my very first target. I have learned a lot along the way and I hope that anyone who are interested in escaping hypervisors can find something useful from these notes. I assume that you have some basic knowledge on memory corruption, hypervisor architecture and device I/O.

❌