Tag：Vulnerability

The Journey of Bypassing Ubuntu’s Unprivileged Namespace Restriction

Pumpkin

2025-06-26

Recently, Ubuntu introduced sandbox mechanisms to reduce the attack surface, and they seemed unbreakable. However, after carrying out in-depth research, we found that the implementation contained some issues, and bypassing it was not as difficult as expected. This post will explain how we began our research at the kernel level and discovered a bypass method. We will also share some interesting stories from the process.

OSEE Exam Uncovered: Cracking OSEE in Taipei

Terrynini

2025-05-27

EXP-401(OSEE), also known as Advanced Windows Exploitation (AWE), is considered OffSec's hardest certification. As of now, only about 100–200 people worldwide hold this certification, and the pass rate is around 10%.

Frame by Frame, Kernel Streaming Keeps Giving Vulnerabilities

Angelboy

2025-05-17

In-depth research into Windows Kernel Streaming vulnerabilities, revealing MDL misuse, buffer misalignment, and exploitation techniques used in CVE-2024-38238 and others.

From Convenience to Contagion: The Half-Day Threat and Libarchive Vulnerabilities Lurking in Windows 11

Terrynini

2025-02-12

Windows 11's KB5031455 update adds RAR and 7z support via libarchive, but DEVCORE discovered multiple vulnerabilities, including Heap Buffer Overflow and arbitrary file operations. Delayed patching also enables “Half-day” attacks, putting projects like ClickHouse at risk. A step forward in convenience—or a hidden security threat?

WorstFit: Unveiling Hidden Transformers in Windows ANSI!

Orange Tsai

2025-01-09

The research unveils a new attack surface in Windows by exploiting Best-Fit, an internal charset conversion feature. Through our work, we successfully transformed this feature into several practical attacks, including Path Traversal, Argument Injection, and even RCE, affecting numerous well-known applications!

Streaming vulnerabilities from Windows Kernel - Proxying to Kernel - Part II

Angelboy

2024-10-05

This research continues to explore the attack surface of Kernel Streaming, delving into newly discovered vulnerabilities within another feature of Kernel Streaming and demonstrating how to leverage this bug class to successfully attack Windows 11. This topic was also presented at HEXACON 2024.

Streaming vulnerabilities from Windows Kernel - Proxying to Kernel - Part I

Angelboy

2024-08-23

This research will discuss an overlooked attack surface that allowed us to find more than ten vulnerabilities within two months. Additionally, we will delve into a proxy-based logical vulnerability type that allows us to bypass most validations, enabling us to successfully exploit Windows 11 in Pwn2Own Vancouver 2024.

Confusion Attacks: Exploiting Hidden Semantic Ambiguity in Apache HTTP Server!

Orange Tsai

2024-08-09

This article explores architectural issues within the Apache HTTP Server, highlighting several technical debts within Httpd, including 3 types of Confusion Attacks, 9 new vulnerabilities, 20 exploitation techniques, and over 30 case studies. The content includes, but is not limited to: 1. How a single ? can bypass Httpd's built-in access control and authentication. 2. How unsafe RewriteRules can escape the Web Root and access the entire filesystem. 3. How to leverage a piece of code from 1996 to transform an XSS into RCE.

BLOG

All #Vulnerability Articles

Pumpkin

Terrynini

Angelboy

Terrynini

Orange Tsai

Angelboy

Angelboy

Orange Tsai

Orange Tsai

Shaolin