As we saw in our previous blogpost, we fully analyzed Ivanti’s most recent unauthenticated Remote Code Execution vulnerability in their Connect Secure (VPN) appliance. Specifically, we analyzed CVE-2025-0282.
Today, we’re going to walk through exploitation. Once again, however, stopping short of providing the world with a Detection Artifact Generator (also known as a proof of concept, apparently) - as previously mentioned, release and sharing of our PoC (in a to-be-decided form) will be held ba
🎉🎊 Cheers to 7 Amazing Years! 🎊🎉
On 8th January 2018, STAR Labs SG Pte. Ltd. was born with a simple but bold idea: to do fun offensive research that protects customers. Seven years later, that spark of curiosity and innovation has grown into something extraordinary. 🚀
Our Humble Beginnings 🛠️
It all started when STAR Labs had a small, passionate group of researchers: Shi Ji, Wei Lei, Phạm Hồng Phi, Phan Thanh Duy, and Tạ Đình Sung.
Key Points
Introduction
The FunkSec ransomware group first emerged publicly in late 2024, and rapidly gained prominence by publishing over 85 claimed victims, more than any other ransomware group in the month of December. Presenting itself as a new Ransomware-as-a-Service (RaaS) operation, FunkSec appears to have no known connections to previously identified ransomware gangs, and little […]
Did you have a good break? Have you had a chance to breathe? Wake up.
It’s 2025, and the chaos continues.
Haha, see what we did? We wrote the exact same thing in 2024 because 2024 was exactly the same.
As an industry, we are on GroundHog day - but let’s call it GroundHog Year, and pretend this isn’t just incredibly depressing.
Like clockwork, though, we have vulnerabilities in Ivanti Connect Secure that have all the hallmarks of APT using a zero-day against a mission-critical appliance.
The
### Summary
A vulnerability was found in engage platform, where an internal server error message exposes sensitive information about the servers, including SQL table which could lead to SQL inject...
In the last few months, we secured 75+ GitHub Actions workflows in open source projects, disclosing 90+ different vulnerabilities. Out of this research we produced new support for workflows in CodeQL, empowering you to secure yours.
Check Point Researchers uncover a new version of Banshee macOS, finding that its string encryption is the exact copy of Apple's XProtect
### Summary
AF_XDP sockets provide a high-performance mechanism for packet processing within the kernel. This bug report describes an integer overflow vulnerability in the `xsk_map_delete_elem` ([...
### Summary
AF_XDP sockets provide a high-performance mechanism for packet processing within the kernel. This bug report describes an integer overflow vulnerability in the `devmap_map_delete_elem`...
### Summary
Ksmbd, the in-kernel SMB server in Linux, utilizes extended attributes to store Alternate Data Streams (ADS) associated with files. Two vulnerabilities exist in the handling of request...
### Summary
The ksmbd_vfs_stream_write function, which handles writing data to a file with extended attributes (representing ADS), contains a vulnerability that allows an attacker to write data ou...
# Bypassing File Upload Restrictions To Exploit Client-Side Path Traversal
09 Jan 2025 - Posted by Maxence Schmitt
In my previous blog post, I demonstrated how a JSON file could be used as a gadget for Client-Side Path Traversal (CSPT) to perform Cross-Site Request Forgery (CSRF). That example...
Nominations are now open for the top 10 new web hacking techniques of 2024! Every year, security researchers from all over the world share their latest findings via blog posts, presentations, PoCs, an
After the excitement of our .MOBI research, we were left twiddling our thumbs. As you may recall, in 2024, we demonstrated the impact of an unregistered domain when we subverted the TLS/SSL CA process for verifying domain ownership to give ourselves the ability to issue valid and trusted TLS/SSL certificates for any .MOBI domain.
This resulted in significant Internet-wide change, with Google petitioning the CAB Forum to wholly sunset the use of WHOIS for ownership validation when issuing CA-sig
Hey ChatGPT! How to build a botnet with compromised ChatGPT instances! AI botnet vulnerability
# ksmbd vulnerability research
07 Jan 2025 - Posted by Norbert Szetei
## Introduction
At Doyensec, we decided to perform a vulnerability research activity on the SMB3 Kernel Server (ksmbd), a component of the Linux kernel. Initially, it was enabled as an experimental feature, but in the kernel...
M365 Copilot was vulnerable to an IDOR, allowing enterprise generated images to be accessible without authentication.
Think you’ve got what it takes to pop shells and snag your ticket to… RE//verse and Off-By-One? 😏
🔥 Windows Exploitation Challenge 🔥 Get SYSTEM privileges by exploiting a bug in the downloadable driver below. (pwn it!) Keep the OS alive and happy — no BSODs, no excuses! Your exploit must work on Windows 11 24H2. Submit your winning solutions (exploit source code and writeup) to info@starlabs.sg. If you think you’ve figured out the bug but can’t exploit it in time, feel free to send us a writeup too describing how you would exploit it!
### Summary
When browsing in Safari’s Private Mode, WebKit adds noise to canvas readback to prevent fingerprinting. Due to the way noise is clamped for blocks of identical pixels, this can be remo...
Happy to share that my paper is now available on arxiv.
TL;dr Vulnerabilities can often be found in places we don’t expect, and CVE-2022-24547 in CastSrv.exe is one of the examples. CVE-2022-24547 is a privilege escalation vulnerability in CastSrv.exe, allowing attackers to bypass security and gain elevated privileges. We’ll break down how the bug works, its exploitation, and how to protect against it.
Summary: Vendor: Microsoft. Security Impact: Elevation of Privilege. CVE ID: CVE-2022-24547. CVSS3.
TLDR CVE-2024-30085 is a heap-based buffer overflow vulnerability affecting the Windows Cloud Files Mini Filter Driver cldflt.sys. By crafting a custom reparse point, it is possible to trigger the buffer overflow to corrupt an adjacent _WNF_STATE_DATA object. The corrupted _WNF_STATE_DATA object can be used to leak a kernel pointer from an ALPC handle table object. A second buffer overflow is then used to corrupt another _WNF_STATE_DATA object, which is then used to corrupt an adjacent PipeAttribute object.
We are excited to introduce the new CodeQL Community Packs, a comprehensive set of queries and models designed to enhance your code analysis capabilities. These packs are tailored to augment…
### Summary
When upd...
The other day, I worked on an XSS finding that required loading script content from an external source to load a proper POC. The limitations were
1. Stored XSS
2. Char limit 256
3. CSP `script-src` containing a bunch of company-owned sites but also `unsafe-inline`
4. CSP `connect-src` containing a...
Posted by Mateusz Jurczyk, Google Project Zero
As previously mentioned in the second installment of the blog post series ("A brief ...
Bridging the Gap between Real-World and Formal Binary Lifting through Filtered-Simulation (to appear). Jihee Park, Insu Yun, Sukyoung Ryu. October 2025. Proceedings of the ACM SIGPLAN International...
Research is a constant process of failure and iteration. However, in most cases, you only see the one-in-a-thousand (successful) attempt. To normalize f*ck ups, and because I believe the behavior we identified in the course of this research is still relevant and interesting, this post is published for educational purposes.
Implementing secure Single-Sign-On (SSO) flows on mobile platforms is a continuous challenge. This post discusses an Android feature which potentially enabled a malicious Android app to hijack arbitrary SSO flows. As the feature existed at platform level (prior to Android 12), it affected not only misconfigured apps, but also (web-)applications that follow OAuth best current practice1.
The vulnerability was reported to Google via the Android and Google Devices Security Reward Program on November 29th, 2024. Shortly after submission, Google highlighted a crucial thing that was missed before: due to a major rework of the App Link behavior, the reported issues only work on Android versions prior to Android 12.
In this post, I’ll walk you through the vulnerabilities I uncovered in the GStreamer library and how I built a custom fuzzing generator to target MP4 files.
Large language model applications suffer from a few core novel issues that have been identified over the last two years. Let's see how Grok fares on those.
Posted by Seth Jenkins, Google Project Zero
This blog post provides a technical analysis of exploit artifacts provided to us by Google's Thr...
# Diving into ADB protocol internals (2/2)
Our previous article laid the groundwork for understanding the ADB protocol and its usage scenarios. It primarily focused on the TCP/IP communication between the ADB Client and the ADB Server. However, this still required at this point an intermediate...
# Unsafe Archive Unpacking: Labs and Semgrep Rules
16 Dec 2024 - Posted by Michael Pastor
## Introduction
During my recent internship with Doyensec, I had the opportunity to research **decompression attacks** across different programming languages. As the use of archive file formats is...
Posted by James Forshaw, Google Project Zero
This is a short blog post about some recent improvements I've been making to the OleView.NET ...
Learn how I discovered 11 new vulnerabilities by writing CodeQL models for Gradio framework and how you can do it, too.
Note: this is a rapidly-drafted post on an evolving topic - we'll update the post with more details as we discover more about the situation. Hit that F5 key regularly for updates!
We were having a nice uneventful Wednesday afternoon here at watchTowr, when we got news of some ransomware operators using a zero-day exploit in a bunch of Cleo software - LexiCom, VLTransfer, and Harmony - applications that many large enterprises rely on to securely share files.
Cleo have a (paywalled) advisory,
### Summary
An Out-Of-Bounds (OOB) read affecting KVM since v3.10 was discovered in `arch/x86/kvm/svm/nested.c`. The memory read is from the user-space process managing the associated KVM based Vir...