Deep dives into vulnerability research, exploitation techniques, and security analysis from the STAR Labs team.
TL;DR In January 2026, the Chrome Releases blog announced several security fixes across different Chrome components. One entry caught our attention: …
A single-byte integer overflow in Cisco's EUQ RPC protocol chains into Python pickle deserialization, achieving unauthenticated RCE with a single HTTP request …
Eight years ago today, I started STAR Labs by hiring several fresh grads with no working experiences. Today, I stand here with a different group of faces. Some …
Most will talk about the success in their year-end posts. Great. Nobody talks about the failures. Nobody talks about what ACTUALLY happened. Well, we are going …
HEX ADVENT 2025: Crack the Advent, Conquer the Threat 🐛 Last chance to register! Registration closing on 20 Dec 2025, 09:00 SGT! WELCOME TO HEX ADVENT 2025, …
Information This is a solo CTF event open to women residing in Singapore or Malaysia. To register and be eligible for the prizes: Register on CTFd, and select …
The Target: Brother MFC-J1010DW Affected Models: Brother Printer MFC-J1010DW Vulnerable Firmware: Version <= 1.18 TL;DR: The Vulnerability Chain We …
TL;DR 🚀 We’re turning a simple compression library into a shell delivery service! This writeup exploits a buffer overflow in lz1/lz77 decompression by …
Last month, Jacob asked me to create a CTF challenge for the Summer Pwnables event. I went with a kernel pwnable since my goal was to teach students some more …
During our security research in 2024, we discovered several vulnerabilities in Apache Foundation projects that seem to have gotten ’lost in …
Printers have three things going for them from an attacker’s perspective: they live on the corporate network, they trust far too much from far too many …
[Updates] Summer Pwnables 2025 Major Announcement: ISD Sponsorship We are pleased to announce that Internal Security Department (ISD) is sponsoring Summer …
🌴☀️ SUMMER PWNABLES 2025 ☀️🌴 The hottest hacking challenge on this side of Southeast Asia! Think you can handle the heat? Time to prove your l33t skills are …
In April 2025, Microsoft patched a vulnerability that had become a key component in sophisticated ransomware attack chains. CVE-2025-29824, an use-after-free …
For my internship, I was tasked by my mentor Le Qi to analyze CVE-2024-30088, a double-fetch race condition bug in the Windows Kernel Image ntoskrnl.exe. A …
During my internship I was tasked to analyze a Mali GPU exploit on Pixel 7/8 devices and adapt it to make it work on another device: the Pixel 6 Pro. While the …
As part of my internship at STAR Labs, I was tasked to conduct N-day analysis of CVE-2023-6241. The original PoC can be found here, along with the accompanying …
Introduction We are back with Round 2 of the Off-By-One conference — where bits meet breadboards and bugs are celebrated! 🐛⚡ If you are into hardware and IoT …
At Pwn2Own Berlin 2025, STAR Labs took home Master of Pwn for a chain that escaped a major hypervisor from inside a guest VM. This is the short version of how …
In April 2024, I discovered a high-severity vulnerability in Visual Studio Code (VS Code <= 1.89.1) that allows attackers to escalate a Cross-Site Scripting …
Introduction Many vulnerability writeups nowadays focus on the exploitation process when it comes to software bugs. The term “Exploit Developer” is …
STAR Labs Windows Exploitation Challenge Writeup Over the past few months, the STAR Labs team has been hosting a Windows exploitation challenge. I was lucky …
Imagine downloading a game from a third-party app store. You grant it seemingly innocuous permissions, but hidden within the app is a malicious exploit that …
Executive Summary CVE-2024-26230 is a critical vulnerability found in the Windows Telephony Service (TapiSrv), which can lead to an elevation of privilege on …
🎉🎊 Cheers to 7 Amazing Years! 🎊🎉 On 8th January 2018, STAR Labs SG Pte. Ltd. was born with a simple but bold idea: to do fun offensive research that protects …
Think you’ve got what it takes to pop shells and snag your ticket to… RE//verse and Off-By-One? 😏 🔥 Windows Exploitation Challenge 🔥 Get SYSTEM …
TLDR CVE-2024-30085 is a heap-based buffer overflow vulnerability affecting the Windows Cloud Files Mini Filter Driver cldflt.sys. By crafting a custom reparse …
TL;dr Vulnerabilities can often be found in places we don’t expect, and CVE-2022-24547 in CastSrv.exe is one of the examples. CVE-2022-24547 is a privilege …
Introduction As promised, we are releasing the firmware and this post for the Off-By-One badge about one month after the event, allowing interested participants …
Earlier this year, in mid-January, you might have come across this security announcement by GitHub. In this article, I will unveil the shocking story of how I …
Short version: while poking at GitHub Enterprise Server (GHES) for an unrelated reason the day after Christmas, I noticed an unvalidated Kernel#send() call in …
Introduction Wi-Fi routers have always been an attractive target for attackers. When taken over, an attacker may gain access to a victim’s internal …
Introduction The prevalence of memory corruption bugs persists, posing a persistent challenge for exploitation. This increased difficulty arises from …
Back in January 2023, I tasked one of our web security interns, River Koh (@oceankex), to perform n-day analysis of CVE-2022-46164 as part of his internship …
Brief I may have achieved successful exploitation of a SharePoint target during Pwn2Own Vancouver 2023. While the live demonstration lasted only approximately …
During my internship, I have been researching and trying to find bugs within the nftables subsystem. In this blog post, I will talk about a bug I have found, as …
We are excited to embark on a series of teardowns to explore the inner workings of various devices. In this particular teardown, our focus will be on the …
Recently, I was trying out various exploitation techniques against a Linux kernel vulnerability, CVE-2022-3910. After successfully writing an exploit which made …
TLDR prctl PR_SET_VMA (PR_SET_VMA_ANON_NAME) can be used as a (possibly new!) heap spray method targeting the kmalloc-8 to kmalloc-96 caches. The sprayed …
Background The discovery and analysis of vulnerabilities is a critical aspect of cybersecurity research. Today, we will dive into CVE-2023-1829, a vulnerability …
TLDR; We began our work on Samsung immediately after the release of the Pwn2Own Toronto 2022 target list. In this article, we will dive into the details of an …
Introduction While analyzing CVE-2022-41082, also known as ProxyNotShell, we discovered this vulnerability which we have detailed in this blog. However, for a …
Summary A command injection vulnerability exists in CS-Cart’s HTML to PDF converter (https://github.com/cscart/pdf) allowing unauthenticated attackers to …
Upon finding the vulnerability, our team member, Ngo Wei Lin (@Creastery), immediately reported it to the Microsoft Security Response Center (MSRC) on 19th …
STAR LABS SG PTE. LTD. (STAR Labs) announced today that it has become a CVE Numbering Authority (CNA) for the Common Vulnerabilities and Exposures (CVE®) …
Background Lately, my focus has been on discovering any potential vulnerabilities in KEPServerEX. KEPServerEX is the industry’s leading connectivity …
Introduction In this post, one of our recent intern, Wang Hengyue (@w_hy_04) was given the task to analyse CVE-2021-20617 & CVE-2021-20618 in acmailer since …
As part of my internship at STAR Labs, I conducted n-day analysis of CVE-2020-6418. This vulnerability lies in the V8 engine of Google Chrome, namely its …
Background Some time ago, we were playing with some Netgear routers and we learned so much from this target. However, Netgear recently patched several …
Introduction CVE-2021-38003 is a vulnerability that exists in the V8 Javascript engine. The vulnerability affects the Chrome browser before stable version …
Background Proxmox Virtual Environment (Proxmox VE or PVE) is an open-source type-1 hypervisor. It includes a web-based management interface programmed in Perl. …
Overview Disclaimer: No anime characters or animals were harmed during the research. The bug had been fixed but it did not meet that criterion required to get …
Late last year, I have focused my research on the CoreText framework for 2-3 months. In particular, the code related to the text shaping engine and the code …
Recently, ZDI released the advisory for a Safari out-of-bounds write vulnerability exploited by Manfred Paul (@_manfp) in Pwn2Own. We decided to take a look at …
Initially, our team member, Đỗ Minh Tuấn, wanted to write about the RCA (Root Cause Analysis) of CVE-2021-1870 which APT used. But Maddie Stone pointed it to us …
At the beginning of this month, GitLab released a security patch for versions 14->15. Interestingly in the advisory, there was a mention of a post-auth RCE …
For the past few weeks, I have been working on conducting N-day analysis and bug hunting in the io_uring subsystem of the Linux kernel with the guidance of my …
Introduction I recently discovered a very interesting kernel vulnerability that allows the reading of arbitrary kernel-mode address. Sadly, the vulnerability …
Introduction Recently, I have had a some work which is related to Sharepoint, so I was learning on how to setup and debug old bugs of Sharepoint. In February, …
Introduction On 13th September 2021, Google published the security advisory for Google Chrome. That advisory states that Google is aware of two vulnerabilities …
Introduction Looking to practice on source code review, I had been diving into how open-source LMS codebases are structured in order to find undiscovered …
References: STARLabs Advisory STAR-21-1758 In February, Peter found a OOB read vulnerability in libFontParser.dylib. The latest tested version with the …
In the past few months, Akash and I (@daniellimws) worked on developing a taint analysis tool to find bugs in routers, with the guidance of Shi Ji (@puzzor) and …
Introduction During my research into Javascript Engine (V8), I have created a small tool to help you view recent V8 bugs that contains regression test on a …
What is WebDriver and How does it work? WebDriver is a protocol used for web browser automation. It can drive a browser to perform various tests on web pages as …
Introduction This blog post details the exploitation process for the vulnerability CVE 2020-15999 in Google Chrome 86.0.4222.0 on Linux. While CVE 2020-15999 is …
Frida is an open-source dynamic instrumentation toolkit that has become popular in recent years, and its use in mobile security is especially prevalent. In this …
This post provides detailed analysis and an exploit achieving remote code execution for CVE-2020-10882, which was used at Pwn2Own 2019, on the TP-Link Archer …
In this post, we will cover the vulnerabilities used at Pwn2Own 2020 for the Oracle VirtualBox escape. These two vulnerabilities affect Oracle VirtualBox 6.1.4 …
Half a year ago, I found a vulnerability in libFontParser.dylib, which is a part of CoreGraphics library that is widely used in macOS, iOS, iPadOS to parse and …
While processing the URL for any blacklisted XSS list like the script tag in the check_xss_blacklist function, a stack buffer overflow is possible by extending …
As part of my month-long internship at STAR Labs, I was introduced to VirtualBox and learnt much about bug hunting and triaging, root-cause analysis and …
Last year, I participated in the TianFu Cup competition in Chengdu, China. The chosen target was the Adobe Reader. This post will detail a use-after-free bug of …
I have been into the vulnerability research field for a while now, and VirtualBox is my very first target. I have learned a lot along the way and I hope that …
