Pwn2Own is a computer hacking contest held annually by Trend Micro’s Zero Day Initiative - ZDI. Contestants are challenged to exploit widely used software and mobile devices with previously unknown vulnerabilities. Winners of the contest receive the device that they exploited and a cash prize. The total prize for each contest is up to millions of dollars. The 2025 spring edition of Pwn2Own (Pwn2Own Berlin) was held from 15th May to 17th May 2025 in an on-site format where participants are ba...| STAR Labs
Summary Product Calibre Vendor Calibre Severity High - Unprivileged adversaries may exploit software vulnerabilities to perform relative path traversal to achieve arbitrary file read Affected Versions <= 7.14.0 (latest version as of writing) Tested Versions 7.14.0 CVE Identifier CVE-2024-6781 CVE Description Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability allows Relative Path Traversal CWE Classification(s) CWE-22 Improper Limitation of a Pathn...
Summary Product Calibre Vendor Calibre Severity Critical - Unprivileged adversaries may exploit software vulnerabilities to perform remote code execution Affected Versions 6.9.0 ~ 7.14.0 (latest version as of writing) Tested Versions 7.14.0 CVE Identifier CVE-2024-6782 CVE Description Improper Access Control in Calibre Content Server allows remote code execution CWE Classification(s) CWE-863: Incorrect Authorization CAPEC Classification(s) CAPEC-253: Remote Code Inclusion CVSS3.
Summary Product Calibre Vendor Calibre Severity Medium Affected Versions <= 7.15.0 (latest version as of writing) Tested Versions 7.15.0 CVE Identifier CVE-2024-7008 CWE Classification(s) CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) CAPEC Classification(s) CAPEC-591 Reflected XSS CVSS3.1 Scoring System Base Score: 5.4 (Medium) Vector String: CVSS:3.
Summary Product Calibre Vendor Calibre Severity Medium Affected Versions <= 7.15.0 (latest version as of writing) Tested Versions 7.15.0 CVE Identifier CVE-2024-7009 CWE Classification(s) CWE-89 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) CAPEC Classification(s) CAPEC-66 SQL Injection CVSS3.1 Scoring System Base Score: 4.2 (Medium) Vector String: CVSS:3.
Summary Product Singtel WI-FI 6 ROUTER RT5703W Vendor Singtel/Askey Severity Critical - Adversaries may exploit software vulnerabilities to execute arbitrary commands on the underlying OS with root privileges. Affected Versions V1.6.4-5194 (latest version as of writing) Tested Versions V1.6.4-5194 (latest version as of writing) Internal Identifier STAR-2023-0097 CVE Identifier TBD CVE Description OS command injection vulnerability in net.
Summary Product Singtel WI-FI 6 ROUTER RT5703W Vendor Singtel/Askey Severity High - Adversaries may exploit software vulnerabilities to execute arbitrary commands on the underlying OS with root privileges. Affected Versions V1.6.4-5194 (latest version as of writing) Tested Versions V1.6.4-5194 (latest version as of writing) Internal Identifier STAR-2023-0098 CVE Identifier TBD CVE Description OS command injection vulnerability in net.
Pwn2Own is a computer hacking contest held annually by Trend Micro’s Zero Day Initiative - ZDI. Contestants are challenged to exploit widely used software and mobile devices with previously unknown vulnerabilities. Winners of the contest receive the device that they exploited and a cash prize. The total prize for each contest is up to millions of dollars. The 2024 spring edition of Pwn2Own (Pwn2Own Vancouver) was held from 20th March to 21st March 2022 in a hybrid format where participants ...
Summary Product Chamilo Vendor Chamilo Severity High - Adversaries may exploit software vulnerabilities to obtain unauthenticated remote code execution. Affected Versions <= v1.11.20 Tested Versions v1.11.20 (latest version as of writing) CVE Identifier CVE-2023-3368 CVE Description Command injection in /main/webservices/additional_webservices.php in Chamilo LMS <= v1.11.20 allows unauthenticated attackers to obtain remote code execution via improper neutralisation of special characters.
Summary Product Chamilo Vendor Chamilo Severity High - Adversaries may exploit software vulnerabilities to obtain unauthenticated remote code execution. Affected Versions <= v1.11.20 Tested Versions v1.11.20 (latest version as of writing) CVE Identifier CVE-2023-3533 CVE Description Path traversal in file upload functionality in /main/webservices/additional_webservices.php in Chamilo LMS <= v1.11.20 allows unauthenticated attackers to perform stored cross-site scripting attacks and obtain rem...
Summary Product Chamilo Vendor Chamilo Severity High - Adversaries may exploit software vulnerabilities to obtain unauthenticated remote code execution. Affected Versions <= v1.11.20 Tested Versions v1.11.20 (latest version as of writing) CVE Identifier CVE-2023-3545 CVE Description Improper sanitisation in main/inc/lib/fileUpload.lib.php in Chamilo LMS <= v1.11.20 on Windows and Apache installations allows unauthenticated attackers to bypass file upload security protections and obtain remote...
Summary Product Chamilo Vendor Chamilo Severity High - Adversaries may exploit software vulnerabilities to obtain unauthenticated remote code execution. Affected Versions <= v1.11.24 Tested Versions v1.11.24 (latest version as of writing) CVE Identifier CVE-2023-4220 CVE Description Unrestricted file upload in big file upload functionality in /main/inc/lib/javascript/bigupload/inc/bigUpload.php in Chamilo LMS <= v1.11.24 allows unauthenticated attackers to perform stored cross-site scripting ...
Summary Product Chamilo Vendor Chamilo Severity High - Adversaries may exploit software vulnerabilities to obtain unauthenticated remote code execution. Affected Versions <= v1.11.24 Tested Versions v1.11.24 (latest version as of writing) CVE Identifier CVE-2023-4221 CVE Description Command injection in main/lp/openoffice_presentation.class.php in Chamilo LMS <= v1.11.24 allows users permitted to upload Learning Paths to obtain remote code execution via improper neutralisation of special char...
Summary Product Chamilo Vendor Chamilo Severity High - Adversaries may exploit software vulnerabilities to obtain unauthenticated remote code execution. Affected Versions <= v1.11.24 Tested Versions v1.11.24 (latest version as of writing) CVE Identifier CVE-2023-4222 CVE Description Command injection in main/lp/openoffice_text_document.class.php in Chamilo LMS <= v1.11.24 allows users permitted to upload Learning Paths to obtain remote code execution via improper neutralisation of special cha...
Summary Product Chamilo Vendor Chamilo Severity High - Adversaries may exploit software vulnerabilities to obtain unauthenticated remote code execution. Affected Versions <= v1.11.24 Tested Versions v1.11.24 (latest version as of writing) CVE Identifier CVE-2023-4223 CVE Description Unrestricted file upload in /main/inc/ajax/document.ajax.php in Chamilo LMS <= v1.11.24 allows authenticated attackers with learner role to obtain remote code execution via uploading of PHP files.
Summary Product Chamilo Vendor Chamilo Severity High - Adversaries may exploit software vulnerabilities to obtain unauthenticated remote code execution. Affected Versions <= v1.11.24 Tested Versions v1.11.24 (latest version as of writing) CVE Identifier CVE-2023-4224 CVE Description Unrestricted file upload in /main/inc/ajax/dropbox.ajax.php in Chamilo LMS <= v1.11.24 allows authenticated attackers with learner role to obtain remote code execution via uploading of PHP files.
Summary Product Chamilo Vendor Chamilo Severity High - Adversaries may exploit software vulnerabilities to obtain unauthenticated remote code execution. Affected Versions <= v1.11.24 Tested Versions v1.11.24 (latest version as of writing) CVE Identifier CVE-2023-4225 CVE Description Unrestricted file upload in /main/inc/ajax/exercise.ajax.php in Chamilo LMS <= v1.11.24 allows authenticated attackers with learner role to obtain remote code execution via uploading of PHP files.
Summary Product Chamilo Vendor Chamilo Severity High - Adversaries may exploit software vulnerabilities to obtain unauthenticated remote code execution. Affected Versions <= v1.11.24 Tested Versions v1.11.24 (latest version as of writing) CVE Identifier CVE-2023-4226 CVE Description Unrestricted file upload in /main/inc/ajax/work.ajax.php in Chamilo LMS <= v1.11.24 allows authenticated attackers with learner role to obtain remote code execution via uploading of PHP files.
Summary Product Bitrix24 Vendor Bitrix24 Severity High Affected Versions Bitrix24 22.0.300 (latest version as of writing) Tested Versions Bitrix24 22.0.300 (latest version as of writing) CVE Identifier CVE-2023-1713 CVE Description Insecure temporary file creation in bitrix/modules/crm/lib/order/import/instagram.php in Bitrix24 22.0.300 hosted on Apache HTTP Server allows remote authenticated attackers to execute arbitrary code via uploading a crafted “.
Summary: Product Bitrix24 Vendor Bitrix24 Severity High Affected Versions Bitrix24 22.0.300 (latest version as of writing) Tested Versions Bitrix24 22.0.300 (latest version as of writing) CVE Identifier CVE-2023-1714 CVE Description Unsafe variable extraction in bitrix/modules/main/classes/general/user_options.php in Bitrix24 22.0.300 allows remote authenticated attackers to execute arbitrary code via (1) appending arbitrary content to existing PHP files or (2) PHAR deserialization.
Summary: Product Bitrix24 Vendor Bitrix24 Severity Critical Affected Versions Bitrix24 22.0.300 (latest version as of writing) Tested Versions Bitrix24 22.0.300 (latest version as of writing) CVE Identifier CVE-2023-1715 & CVE-2023-1716 CVE Description (CVE-2023-1715): A logic error when using mb_strpos() to check for potential XSS payload in Bitrix24 22.0.300 allows attackers to bypass XSS sanitisation via placing HTML tags at the beginning of the payload.
Summary: Product Bitrix24 Vendor Bitrix24 Severity Critical Affected Versions Bitrix24 22.0.300 (latest version as of writing) Tested Versions Bitrix24 22.0.300 (latest version as of writing) CVE Identifier CVE-2023-1717 CVE Description Prototype pollution in bitrix/templates/bitrix24/components/bitrix/menu/left_vertical/script.js in Bitrix24 22.0.300 allows remote attackers to execute arbitrary JavaScript code in the victim’s browser, and possibly execute arbitrary PHP code on the server i...
Summary: Product Bitrix24 Vendor Bitrix24 Severity High Affected Versions Bitrix24 22.0.300 (latest version as of writing) Tested Versions Bitrix24 22.0.300 (latest version as of writing) CVE Identifier CVE-2023-1718 CVE Description Improper file stream access in /desktop_app/file.ajax.php?action=uploadfile in Bitrix24 22.0.300 allows unauthenticated remote attackers to cause denial-of-service via a crafted “tmp_url”. CWE Classification(s) CWE-835 Loop with Unreachable Exit Condition (‘...
Summary: Product Bitrix24 Vendor Bitrix24 Severity High Affected Versions Bitrix24 22.0.300 (latest version as of writing) Tested Versions Bitrix24 22.0.300 (latest version as of writing) CVE Identifier CVE-2023-1719 CVE Description Global variable extraction in bitrix/modules/main/tools.php in Bitrix24 22.0.300 allows unauthenticated remote attackers to (1) enumerate attachments on the server and (2) execute arbitrary JavaScript code in the victim’s browser, and possibly execute arbitrary ...
Summary: Product Bitrix24 Vendor Bitrix24 Severity High Affected Versions Bitrix24 22.0.300 (latest version as of writing) Tested Versions Bitrix24 22.0.300 (latest version as of writing) CVE Identifier CVE-2023-1720 CVE Description Lack of mime type response header in Bitrix24 22.0.300 allows authenticated remote attackers to execute arbitrary JavaScript code in the victim’s browser, and possibly execute arbitrary PHP code on the server if the victim has administrator privilege, via upload...
Pwn2Own is a computer hacking contest held annually by Trend Micro’s Zero Day Initiative - ZDI. Contestants are challenged to exploit widely used software and mobile devices with previously unknown vulnerabilities. Winners of the contest receive the device that they exploited and a cash prize. The total prize for each contest is up to millions of dollars. The 2023 fall edition of Pwn2Own (Pwn2Own Toronto) was held from 24th October to 27th October 2023 in a hybrid format (offline and online).
Summary: Product Dolibarr ERP CRM Vendor Dolibarr Severity High Affected Versions <= 18.0.1 Tested Versions 17.0.1, 18.0.1 CVE Identifier CVE-2023-4197 CVE Description Improper input validation in Dolibarr ERP CRM <= v18.0.1 fails to strip certain PHP code from user-supplied input when creating a Website, allowing an attacker to inject and evaluate arbitrary PHP code.
Summary: Product Dolibarr ERP CRM Vendor Dolibarr Severity High Affected Versions <= 17.0.3 Tested Versions 17.0.1, 17.0.3 CVE Identifier CVE-2023-4198 CVE Description Improper Access Control in Dolibarr ERP CRM v17.0.3 allows unauthorized users to read a database table containing sensitive third-party customers’ information via the ajaxcompanies.php endpoint. CWE Classification(s) CWE-862 Missing Authorization CAPEC Classification(s) CAPEC-1 Accessing Functionality Not Properly Constrained...
Summary: Product NodeBB Vendor NodeBB Severity High - Unprivileged attackers are able to cause NodeBB to crash and exit permanently Affected Versions < v2.8.11 (Commit 82f0efb) Tested Versions v2.8.9 (Commit fb100ac) CVE Identifier CVE-2023-30591 CVE Description Denial-of-service in NodeBB <= v2.8.10 allows unauthenticated attackers to trigger a crash, when invoking eventName.startsWith() or eventName.toString(), while processing Socket.
Summary: Product OpenCart Vendor OpenCart Severity High - Adversaries may exploit software vulnerabilities to empty any file on the server with write permissions. Affected Versions 4.0.0.0 - 4.0.2.2 Tested Version(s) 4.0.2.2 CVE Identifier CVE-2023-2315 CVE Description Path traversal in Opencart versions 4.0.0.0 to 4.0.2.2 allows authenticated backend users to empty any existing file on the server with write permissions.
Summary: Product Trend Micro Mobile Security (Enterprise) 9.8 SP5 Vendor Trend Micro Severity Critical Affected Versions Trend Micro Mobile Security (Enterprise) 9.8 SP5 (<= Critical Patch 3) Tested Version(s) Trend Micro Mobile Security (Enterprise) 9.8 SP5 (Critical Patch 3) CVE Identifier CVE-2023-32523 CVE Description Improper implementation of the authentication mechanism results in authentication bypass for affected installations of Trend Micro Mobile Security (Enterprise) 9.
Summary: Product Trend Micro Mobile Security (Enterprise) 9.8 SP5 Vendor Trend Micro Severity Critical Affected Versions Trend Micro Mobile Security (Enterprise) 9.8 SP5 (<= Critical Patch 3) Tested Version(s) Trend Micro Mobile Security (Enterprise) 9.8 SP5 (Critical Patch 3) CVE Identifier CVE-2023-32524 CVE Description Improper implementation of the authentication mechanism results in authentication bypass for affected installations of Trend Micro Mobile Security (Enterprise) 9.
Summary: Product Trend Micro Apex Central 2019 Vendor Trend Micro Severity High Affected Versions Apex Central 2019 Build <= 6016 Tested Version(s) Apex Central 2019 Build 6016 CVE Identifier CVE-2023-32529 CVE Description Missing input validation in Apex Central 2019 Build 6016 and below uses user-supplied certificate values to construct a part of a SQL query that is executed in the DeleteCertById() function.
Summary: Product Trend Micro Apex Central 2019 Vendor Trend Micro Severity High Affected Versions Apex Central 2019 Build <= 6016 Tested Version(s) Apex Central 2019 Build 6016 CVE Identifier CVE-2023-32530 CVE Description Missing input validation in Apex Central 2019 Build 6016 and below uses user-supplied certificate values to construct a part of a SQL query that is executed in the AddCert() function.
Summary: Product Trend Micro Apex Central 2019 Vendor Trend Micro Severity High Affected Versions Apex Central 2019 Build <= 6394 Tested Version(s) Apex Central 2019 Build 6394 CVE Identifier CVE-2023-38624 CVE Description Missing input validation in Apex Central 2019 Build 6394 and below uses user-supplied values to perform a server-side request in a function in modTMSL.
Summary: Product Trend Micro Apex Central 2019 Vendor Trend Micro Severity High Affected Versions Apex Central 2019 Build <= 6394 Tested Version(s) Apex Central 2019 Build 6394 CVE Identifier CVE-2023-38625 CVE Description Missing input validation in Apex Central 2019 Build 6394 and below uses user-supplied values to perform a server-side request in a function in modDeepSecurity.
Summary: Product Obsidian Vendor Obsidian Severity High Affected Versions Obsidian < 1.2.8 Tested Versions Obsidian 1.1.16 CVE Identifier CVE-2023-2110 CVE Description Improper path handling in Obsidian desktop before 1.2.8 on Windows, Linux and macOS allows a crafted webpage to access local files and exfiltrate them to remote web servers via “app://local/<absolute-path>”. This vulnerability can be exploited if a user opens a malicious markdown file in Obsidian, or copies text from a mali...
Summary: Product Typora Vendor Typora Severity Medium Affected Versions Typora for Windows/Linux < 1.6.7 Tested Versions Typora for Windows 1.5.12, Typora for Linux 1.5.10 CVE Identifier CVE-2023-2316 CVE Description Improper path handling in Typora before 1.6.7 on Windows and Linux allows a crafted webpage to access local files and exfiltrate them to remote web servers via “typora://app/<absolute-path>”.
Summary: Product Typora Vendor Typora Severity High Affected Versions Typora for Windows/Linux < 1.6.7 Tested Versions Typora for Windows 1.5.12, Typora for Linux 1.5.10 CVE Identifier CVE-2023-2317 CVE Description DOM-based XSS in updater/update.html in Typora before 1.6.7 on Windows and Linux allows a crafted markdown file to run arbitrary JavaScript code in the context of Typora main window via loading “typora://app/typemark/updater/update.
Summary: Product MarkText Vendor MarkText Severity High Affected Versions MarkText <= 0.17.1 Tested Versions MarkText 0.17.1 CVE Identifier CVE-2023-2318 CVE Description DOM-based XSS in src/muya/lib/contentState/pasteCtrl.js in MarkText 0.17.1 and before on Windows, Linux and macOS allows arbitrary JavaScript code to run in the context of MarkText main window. This vulnerability can be exploited if a user copies text from a malicious webpage and pastes it into MarkText.
Summary: Product Typora Vendor Typora Severity Medium Affected Versions Typora for Windows/Linux < 1.7.0-dev Tested Versions Typora for Windows 1.6.7, Typora for Linux 1.6.6 CVE Identifier CVE-2023-2971 CVE Description Improper path handling in Typora before 1.7.0-dev on Windows and Linux allows a crafted webpage to access local files and exfiltrate them to remote web servers via “typora://app/typemark/”.
Summary Product Razer CentralService Vendor Razer Severity High - Adversaries may exploit software vulnerabilities to obtain privilege escalation. Affected Versions Razer Central 7.11.0.558 and below Tested Versions Razer Central 7.8.0.381 to 7.11.0.558 CVE Identifier CVE-2023-3513 CVSS3.1 Scoring System Base Score: 7.8 (High) Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Metric Value Attack Vector (AV) Local Attack Complexity (AC) Low Privileges Required (PR) low User Interacti...
Summary Product Razer CentralService Vendor Razer Severity High - Adversaries may exploit software vulnerabilities to obtain privilege escalation. Affected Versions Razer Central 7.11.0.558 and below Tested Versions Razer Central 7.8.0.381 to 7.11.0.558 CVE Identifier CVE-2023-3514 CVSS3.1 Scoring System Base Score: 7.8 (High) Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Metric Value Attack Vector (AV) Local Attack Complexity (AC) Low Privileges Required (PR) low User Interacti...
Summary: Product Shopware Vendor Shopware AG Severity High - Users with login access to Shopware Admin panel may be able to obtain remote code/command execution Affected Versions v6.4.18.1 <= v6.4.20.0, v6.5.0.0-rc1 <= v6.5.0.0-rc4 (Commit facfc88) Tested Versions v6.4.20.0 (Latest stable version), v6.5.0.0-rc3 (Latest pre-release version) CVE Identifier CVE-2023-2017 CVE Description Server-side Template Injection (SSTI) in Shopware 6 (<= v6.
Pwn2Own is a computer hacking contest held annually by Trend Micro’s Zero Day Initiative - ZDI. Contestants are challenged to exploit widely used software and mobile devices with previously unknown vulnerabilities. Winners of the contest receive the device that they exploited and a cash prize. The total prize for each contest is up to millions of dollars. The 2023 spring edition of Pwn2Own (Pwn2Own Vancouver) was held from 23rd March to 25th March 2022 in a hybrid format where participants ...
Pwn2Own is a computer hacking contest held annually by Trend Micro’s Zero Day Initiative - ZDI. Contestants are challenged to exploit widely used software and mobile devices with previously unknown vulnerabilities. Winners of the contest receive the device that they exploited and a cash prize. The total prize for each contest is up to millions of dollars. Pwn2Own Miami was held from 14th February to 16th February 2023 in a hybrid format (offline and online).
Summary Product Microsoft DirectMusic Vendor Microsoft Severity High Affected Versions Microsoft DirectMusic Core Services DLL (dmusic.dll) version 10.0.22000.1 Tested Versions Microsoft DirectMusic Core Services DLL (dmusic.dll) version 10.0.22000.1 CVE Identifier CVE-2022-44667 CVSS3.1 Scoring System Base Score: 7.8 (High) Vector String: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Metric Value Attack Vector (AV) Local Attack Complexity (AC) Low Privileges Required (PR) None User Interactio...
Summary Product Microsoft DirectMusic Vendor Microsoft Severity High Affected Versions Microsoft DirectMusic Core Services DLL (dmusic.dll) version 10.0.22000.1 Tested Versions Microsoft DirectMusic Core Services DLL (dmusic.dll) version 10.0.22000.1 CVE Identifier CVE-2022-44668 CVSS3.1 Scoring System Base Score: 7.8 (High) Vector String: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Metric Value Attack Vector (AV) Local Attack Complexity (AC) Low Privileges Required (PR) None User Interactio...
Pwn2Own is a computer hacking contest held annually by Trend Micro’s Zero Day Initiative - ZDI. Contestants are challenged to exploit widely used software and mobile devices with previously unknown vulnerabilities. Winners of the contest receive the device that they exploited and a cash prize. The total prize for each contest is up to millions of dollars. The 2022 fall edition of Pwn2Own (Pwn2Own Toronto) was held from 06th December to 09th December 2022 in a hybrid format (offline and onli...
MSRC Most Valuable Security Researchers is an annual program of Microsoft which offers public thanks and acknowledgement to the researchers who help protect their customers through discovering and sharing security vulnerabilities under Coordinated Vulnerability Disclosure. Today, we are proud to announce that our researcher, Lê Hữu Quang Linh (#9), has been shortlisted for the 2022 Q3’s Microsoft Most Valuable Security Researchers (MVRs). References https://msrc-blog.microsoft.com/2022/1...
MSRC Most Valuable Security Researchers is an annual program of Microsoft which offers public thanks and acknowledgement to the researchers who help protect their customers through discovering and sharing security vulnerabilities under Coordinated Vulnerability Disclosure. Today, we are proud to announce that our researcher, Ngo Wei Lin (#48), has been shortlisted for this year’s Microsoft Most Valuable Security Researchers (MVRs). References https://msrc-blog.microsoft.com/2022/08/08/congr...
Summary: Product Asus System Control Interface Vendor Asus Severity High - Adversaries may exploit this software vulnerability to set weak file permissions, leading to local privilege escalation. Affected Versions MyASUS: 3.1.5.0 ASUS System Control Interface: 3.1.4.0 File Version: 1.0.9.0 (AsusSwitch.exe) Tested Versions MyASUS: 3.1.5.0 ASUS System Control Interface: 3.1.4.0 File Version: 1.0.9.0 (AsusSwitch.exe) CVE Identifier CVE-2022-26438 CWE CWE-276 - Incorrect Default Permissions CVSS3.
Summary: Product Asus System Control Interface Vendor Asus Severity Medium - Adversaries may exploit this software vulnerability to set weak file permissions, leading to local privilege escalation. Affected Versions MyASUS: 3.1.5.0 ASUS System Control Interface: 3.1.4.0 File Version: 1.0.52.0 (AsusSoftwareManager.exe) 1.0.44.0 (AsusLiveUpdate.dll) Tested Versions MyASUS: 3.1.5.0 ASUS System Control Interface: 3.1.4.0 File Version: 1.0.52.0 (AsusSoftwareManager.exe) 1.0.44.0 (AsusLiveUpdate.dll) CVE...
CVE: CVE-2021-4206 Tested Versions: QEMU < v6.0.0 Product URL(s): https://www.qemu.org/ Description of the vulnerability Technical Details QXL, the QEMU QXL video accelerator, is a para-virtualized framebuffer device for the SPICE protocol. It is the default video device when we create a VM from virt-manager. It exposes the RAMs and I/O ports to let the guest communicate with it. 00:01.0 VGA compatible controller: Red Hat, Inc. QXL paravirtual graphic card (rev 04) (prog-if 00 [VGA controller]) S...
Introduction Many vulnerability writeups nowadays focus on the exploitation process when it comes to software bugs. The term “Exploit Developer” is also still used synonymously with Vulnerability Research, presumably coming from the early 2000s when bugs were easily discoverable and the community was just beginning to explore the art of exploitation. However, nowadays with SDL and continuous fuzzing, the discovery of unknown vulnerabilities in crucial systems is getting more important, ar...| Blogs on STAR Labs
STAR Labs Windows Exploitation Challenge Writeup Over the past few months, the STAR Labs team has been hosting a Windows exploitation challenge. I was lucky enough to solve it and got myself a ticket to Off-By-One conference. Here is my writeup for the challenge! Analyzing the binary We are given a Windows kernel driver. Basic analysis shows that it is used to receive and save messages sent from usermode. Important structures There are two key structures used in this driver: handle and messag...
Imagine downloading a game from a third-party app store. You grant it seemingly innocuous permissions, but hidden within the app is a malicious exploit that allows attackers to steal your photos, eavesdrop on your conversations, or even take complete control of your device. This is the kind of threat posed by vulnerabilities like CVE-2022-22706 and CVE-2021-39793, which we’ll be dissecting in this post. These vulnerabilities affect Mali GPUs, commonly found in many Android devices, and allo...
Executive Summary CVE-2024-26230 is a critical vulnerability found in the Windows Telephony Service (TapiSrv), which can lead to an elevation of privilege on affected systems. The exploit leverages a use-after-free in FreeDialogInstance. By manipulating the registry, an attacker controls memory allocation to create a fake object, triggering the UAF in TUISPIDLLCallback to gain code execution. This is further chained with techniques to bypass mitigations like CFG and ultimately load a maliciou...
🎉🎊 Cheers to 7 Amazing Years! 🎊🎉 On 8th January 2018, STAR Labs SG Pte. Ltd. was born with a simple but bold idea: to do fun offensive research that protects customers. Seven years later, that spark of curiosity and innovation has grown into something extraordinary. 🚀 Our Humble Beginnings 🛠️ It all started when STAR Labs had a small, passionate group of researchers: Shi Ji, Wei Lei, Phạm Hồng Phi, Phan Thanh Duy, and Tạ Đình Sung.
Think you’ve got what it takes to pop shells and snag your ticket to… RE//verse and Off-By-One? 😏 🔥 Windows Exploitation Challenge 🔥 Get SYSTEM privileges by exploiting a bug in the downloadable driver below. (pwn it!) Keep the OS alive and happy — no BSODs, no excuses! Your exploit must work on Windows 11 24H2. Submit your winning solutions (exploit source code and writeup) to info@starlabs.sg. If you think you’ve figured out the bug but can’t exploit it in time, feel free ...
TLDR CVE-2024-30085 is a heap-based buffer overflow vulnerability affecting the Windows Cloud Files Mini Filter Driver cldflt.sys. By crafting a custom reparse point, it is possible to trigger the buffer overflow to corrupt an adjacent _WNF_STATE_DATA object. The corrupted _WNF_STATE_DATA object can be used to leak a kernel pointer from an ALPC handle table object. A second buffer overflow is then used to corrupt another _WNF_STATE_DATA object, which is then used to corrupt an adjacent PipeAt...
TL;dr Vulnerabilities can often be found in places we don’t expect, and CVE-2022-24547 in CastSrv.exe is one of the examples. CVE-2022-24547 is a privilege escalation vulnerability in CastSrv.exe, allowing attackers to bypass security and gain elevated privileges. We’ll break down how the bug works, its exploitation, and how to protect against it. Summary Vendor Microsoft Security Impact Elevation of Privilege CVE ID CVE-2022-24547 CVSS3.
Introduction As promised, we are releasing the firmware and this post for the Off-By-One badge about one month after the event, allowing interested participants the opportunity to explore it. If you’re interested in learning more about the badge design process, please let us know. We were thrilled to introduce the Octopus Badge at the first-ever Off-By-One Conference 2024. The badge was one of the highlights of the conference, as it included hardware-focused CTF challenges.
Earlier this year, in mid-January, you might have come across this security announcement by GitHub. In this article, I will unveil the shocking story of how I discovered CVE-2024-0200, a deceptively simple, one-liner vulnerability which I initially assessed as likely to be of low impact, and how I turned it into one of the most impactful bugs in GitHub’s bug bounty history. Spoiler: The vulnerability enabled disclosure of all environment variables of a production container on GitHub.
Introduction Wi-Fi routers have always been an attractive target for attackers. Once a router is taken over, an attacker may gain access to a victim’s internal network or sensitive data. Additionally, there has been an ongoing trend of attackers continually incorporating new router exploits into their arsenal for use in botnets, such as the Mirai Botnet. Consumer-grade devices are especially attractive to attackers, due to the many security flaws in them. Devices with lower security often contain multiple ...
Introduction Memory corruption bugs remain prevalent, yet exploiting them has become increasingly difficult. This increased difficulty arises from advancements in defensive mechanisms and the escalating complexity of software systems. While a basic proof of concept often suffices for bug patching, the development of a functional exploit capable of bypassing existing countermeasures provides valuable insights into the capabilities of advanced threat actors. This holds particularly true for ...
Back in January 2023, I tasked one of our web security interns, River Koh (@oceankex), to perform n-day analysis of CVE-2022-46164 as part of his internship with STAR Labs. The overall goal was to perform an objective assessment of the vulnerability based on the facts gathered. In addition, I challenged him to reproduce the vulnerability without referencing any other materials besides the textual contents of the official advisory by NodeBB.
Brief I may have achieved successful exploitation of a SharePoint target during Pwn2Own Vancouver 2023. While the live demonstration lasted only approximately 30 seconds, it is noteworthy that discovering and crafting the full exploit chain consumed nearly a year of meticulous effort and research. This exploit chain leverages two vulnerabilities to achieve pre-auth remote code execution (RCE) on the SharePoint server: Authentication Bypass – An u...
During my internship, I have been researching and trying to find bugs within the nftables subsystem. In this blog post, I will talk about a bug I have found, as well as the exploitation of an n-day discovered by Mingi Cho – CVE-2023-31248. Introduction to nftables nftables is a modern packet filtering framework that aims to replace the legacy {ip,ip6,arp,eb}_tables (xtables) infrastructure. It reuses the existing netfilter hooks, which act as entry points for handlers that perform various o...
We are excited to embark on a series of teardowns to explore the inner workings of various devices. In this particular teardown, our focus will be on the 1st-Generation IKEA-SONOS SYMFONISK Speaker Lamp, unraveling its captivating inner workings. Please note that due to prior testing, certain screws, wires, and components have been temporarily removed from the appliance and may not be present during this analysis. However, for the purpose of this exercise, we have meticulously reassembled ...
Recently, I was trying out various exploitation techniques against a Linux kernel vulnerability, CVE-2022-3910. After successfully writing an exploit which made use of DirtyCred to gain local privilege escalation, my mentor Billy asked me if it was possible to tweak my code to facilitate a container escape by overwriting /proc/sys/kernel/modprobe instead. The answer was more complicated than expected; this led me down a long and dark rabbit hole… In this post, I will discuss the root cause ...
TLDR prctl PR_SET_VMA (PR_SET_VMA_ANON_NAME) can be used as a (possibly new!) heap spray method targeting the kmalloc-8 to kmalloc-96 caches. The sprayed object, anon_vma_name, is dynamically sized, and can range from larger than 4 bytes to a maximum of 84 bytes. The object can be easily allocated and freed via the prctl syscall, and leaked information can be obtained by reading the /proc/pid/maps file. The advantage of this method is that it does not require a cross-cache attack from cg/othe...
Background The discovery and analysis of vulnerabilities is a critical aspect of cybersecurity research. Today, we will dive into CVE-2023-1829, a vulnerability in the cls_tcindex network traffic classifier found by Valis. We will explore the process of exploiting and examining this vulnerability, shedding light on the intricate details and potential consequences. We have thoroughly tested our exploit on Ubuntu 22.04 with kernel version 5.15.0-25, which was built from the official 5.
TLDR; We began our work on Samsung immediately after the release of the Pwn2Own Toronto 2022 target list. In this article, we will dive into the details of an open-redirect vulnerability discovered during the Pwn2Own 2022 event and how we exploited it on a Samsung S22 device. By breaking down the technical aspects and using code snippets, we aim to provide a comprehensive overview of this critical security flaw. To begin, I revisited our team’s paper (written by Li Jiantao and Nguyễn Hoà...
Introduction While analyzing CVE-2022-41082, also known as ProxyNotShell, we discovered this vulnerability which we have detailed in this blog. However, for a comprehensive understanding, we highly recommend reading the thorough analysis written by team ZDI. To aid in understanding, we present a visual representation of CVE-2022-41082 below. The sink of ProxyNotShell: //System.Management.Automation.InternalDeserializer.ReadOneObject() internal object ReadOneObject(out string streamName) { //....
Summary A command injection vulnerability exists in CS-Cart’s HTML to PDF converter (https://github.com/cscart/pdf) allowing unauthenticated attackers to achieve remote command execution (RCE). The vulnerability only affects the HTML to PDF converter service and the default hosted service at converter.cart-services.com (maintained by CS-Cart’s development team) used by the PDF converter plugin, and does not allow for RCE against base installations of CS-Cart. Product Background In CS-Cart...
Upon finding the vulnerability, our team member, Ngo Wei Lin (@Creastery), immediately reported it to the Microsoft Security Response Center (MSRC) on 19th March 2022, who fixed the important issue with a fix committed to the repo within seven days, which is impressive and a much faster response than for other Microsoft bugs which we reported previously. The fix was pushed down to Azure Cosmos DB Explorer on 31st March 2022.
STAR LABS SG PTE. LTD. (STAR Labs) announced today that it has become a CVE Numbering Authority (CNA) for the Common Vulnerabilities and Exposures (CVE®) system, a global cybersecurity community. As a CNA, STAR LABS is authorized to assign CVE Identifiers (CVE IDs) to newly discovered vulnerabilities and publicly disclose information about these vulnerabilities through CVE Records. Identifying vulnerabilities with CVE IDs can speed up the awareness and understanding of those vulnerabilitie...
Background Lately, my focus has been on discovering any potential vulnerabilities in KEPServerEX. KEPServerEX is the industry’s leading connectivity platform that provides a single source of industrial automation data to all your applications. Users can connect, manage, monitor, and control diverse automation devices and software applications through one intuitive user interface. This software employs multiple anti-debugging measures, making it challenging to discover any vulnerabilities an...
Introduction In this post, one of our recent interns, Wang Hengyue (@w_hy_04), was given the task of analysing CVE-2021-20617 & CVE-2021-20618 in acmailer since there isn’t any public information on them. Today, we’ll be sharing his journey in dissecting the vulnerabilities in acmailer. Both vulnerabilities were originally found by ma.la. acmailer is a Perl-based email delivery application that provides functionality centered around sending mass emails, with associated functions such as registra...
As part of my internship at STAR Labs, I conducted n-day analysis of CVE-2020-6418. This vulnerability lies in the V8 engine of Google Chrome, namely its optimizing compiler Turbofan. Specifically, the vulnerability affects V8 in Google Chrome versions prior to 80.0.3987.122. In this article, I will give a step-by-step analysis of the vulnerability, from the root cause to exploitation. Background In JavaScript, objects do not have a fixed type. Instead, V8 assigns each object a Map that reflects i...
Background Some time ago, we were playing with some Netgear routers and we learned so much from this target. However, Netgear recently patched several vulnerabilities in their RAX30 router firmware, including the two vulnerabilities in the DHCP interface on the LAN side and one remote code execution vulnerability on the WAN side which we prepared for Pwn2Own Toronto 2022. This blog post focuses on the vulnerabilities found in version 1.0.7.78. You can download the firmware from this link, and ...
Introduction CVE-2021-38003 is a vulnerability that exists in the V8 JavaScript engine. The vulnerability affects the Chrome browser before stable version 95.0.4638.69, and was disclosed in October 2021 in Google’s Chrome release blog, while the bug report was made public in February 2022. The vulnerability causes a special value in V8 called TheHole to be leaked to the script. This can lead to a renderer RCE in a Chromium-based browser, and has been used in the wild.
Background Proxmox Virtual Environment (Proxmox VE or PVE) is an open-source type-1 hypervisor. It includes a web-based management interface programmed in Perl. Another Proxmox product written in Perl, Proxmox Mail Gateway (PMG), comes with a similar web management interface. They share some of the same codebase. In this article, I will introduce how to debug PVE’s web service step-by-step and analyse three bugs I have found in PVE and PMG. [UPDATE] This is a quick and minor update to this blog...
Overview Disclaimer: No anime characters or animals were harmed during the research. The bug has been fixed but it did not meet the criteria required to get a CVE. Recently, we found a Server-Side Request Forgery (SSRF) in Microsoft SharePoint Server 2019 which allows remote authenticated users to send HTTP(S) requests to arbitrary URLs and read the responses. The endpoint <site>/_api/web/ExecuteRemoteLOB is vulnerable to Server-Side Request Forgery (SSRF). The HTTP(S) request is highly c...
Late last year, I focused my research on the CoreText framework for 2-3 months, in particular the code related to the text shaping engine and the code responsible for parsing the AAT tables. During this research, I found an OOB (Out-Of-Bounds) Write in the morx table. This series of writeups documents my whole process, from selecting this attack surface to finding the bug to writing an exploit for it in Safari.
Recently, ZDI released the advisory for a Safari out-of-bounds write vulnerability exploited by Manfred Paul (@_manfp) in Pwn2Own. We decided to take a look at the patch and try to exploit it. The patch is rather simple: it creates a new function (IntRange::sExt) that is used to decide the integer range after applying a sign extension operation (in rangeFor). Before this patch, the program assumed that the range stays the same after applying sign extension.
Initially, our team member, Đỗ Minh Tuấn, wanted to write about the RCA (Root Cause Analysis) of CVE-2021-1870 which APT used. But Maddie Stone pointed out to us that it was actually CVE-2021-1789. Nonetheless, we would still like to share with everyone the analysis done by Đỗ Minh Tuấn. The bug is assigned CVE-2021-1789 in the security content of Safari 14.0.3. We successfully exploited it on WebKitGTK <= 2.30.5 or equivalent on WebKit.
At the beginning of this month, GitLab released a security patch for versions 14->15. Interestingly, in the advisory there was a mention of a post-auth RCE bug with CVSS 9.9. The bug exists in GitLab’s Project Imports feature, and was found by @vakzz. Incidentally, when I rummaged through the author’s h1 profile, I discovered that four months ago he also found a bug in the import project feature: Initially, I thought it was tempting after seeing the bounty, so I started learning Rails and d...
For the past few weeks, I have been working on conducting N-day analysis and bug hunting in the io_uring subsystem of the Linux kernel with the guidance of my mentors, Billy and Ramdhan. In this article, I will briefly discuss the io_uring subsystem, as well as my approach to discovering and developing a new kernel exploit technique during my N-day analysis of CVE-2021-41073. I will also discuss two bugs I found while analyzing a new io_uring feature.
Introduction I recently discovered a very interesting kernel vulnerability that allows the reading of arbitrary kernel-mode addresses. Sadly, the vulnerability was patched in Windows 21H2 (OS Build 22000.675), and I am unsure of the CVE being assigned to it. In this short blog post, I will share my journey of trying to exploit this vulnerability. Although I didn’t finish the exploit in the end, I have decided to share this with everyone anyway.
Introduction Recently, I have had some work related to SharePoint, so I was learning how to set up and debug old bugs in SharePoint. In February, there was a deserialization bug CVE-2022-22005 (post-auth of course). There is already a detailed analysis blog post about that written by a Vietnamese guy (here). The blog is written with great enthusiasm and detail. I also relied on the details in that blog to set up and debug.
Introduction On 13th September 2021, Google published the security advisory for Google Chrome. That advisory states that Google is aware of two vulnerabilities exploited in the wild, CVE-2021-30632 as RCE and CVE-2021-30633 as Sandbox Escape. In this post, I will talk about the sandbox bypass vulnerability CVE-2021-30633. Man Yue Mo had published a very detailed blog post explaining CVE-2021-30632, which is a Type Confusion bug that leads to RCE in Chrome.
Introduction Looking to practice source code review, I had been diving into how open-source LMS codebases are structured in order to find undiscovered vulnerabilities. Initially, my main focus had been on Chamilo LMS (their source code can be found on GitHub). Afterwards, I looked into Moodle LMS (their source code can also be found on GitHub). Most of the findings are the ones you would think of when you hear the words “common web application vulnerabilities”, ...
References: STARLabs Advisory STAR-21-1758 In February, Peter found an OOB read vulnerability in libFontParser.dylib. The latest tested version with the vulnerability is macOS Catalina 10.15.4 (19E287). I wrote a guide earlier on setting up a testing environment. Mac Resource Fork Font File References: Font Forge: Macintosh Font Formats Apple: MoreMacintoshToolbx fontTools: macRes It turns out that macOS can load something called a Mac Resource Fork font file.
In the past few months, Akash (@enigmatrix) and I (@daniellimws) worked on developing a taint analysis tool to find bugs in routers, with the guidance of Shi Ji (@puzzor) and Thach (@d4rkn3ss). We developed a tool based on CVE-2019-8312 to CVE-2019-8319, which are command injection vulnerabilities on the D-Link DIR-878 router with firmware version 1.12A1. The goal was to automate the detection of such bugs. Ideally, the tool should be faster than finding the bugs manually.
Introduction During my research into the JavaScript engine V8, I created a small tool to help you view recent V8 bugs that contain regression tests on a single page. Since regression tests often contain a PoC to trigger the bug, it’s pretty useful to analyze them to find the root cause and write an exploit for the n-day bug. For example, regress-1053604.js contains the PoC to trigger the side-effect in the kJSCreate opcode (CVE-2020-6418).
What is WebDriver and How does it work? WebDriver is a protocol used for web browser automation. It can drive a browser to perform various tests on web pages as if a real user was navigating through them. It allows simulating user actions such as clicking links, entering text and submitting forms, which can help test if your website is working as intended. It is usually used for front-end testing and web crawling in a headless environment.
Introduction This blog post details the exploitation process for the vulnerability CVE-2020-15999 in Google Chrome 86.0.4222.0 on Linux. While CVE-2020-15999 is a heap-based buffer overflow in the font-loading library FreeType rather than Chrome proper, its extensive use in the latter enables us to achieve code execution in the browser’s renderer. This post will not be focused on the analysis of the bug, but rather its exploitation, as extensive explanation and analysis can be found here.