Ramdhan

@spendergrsec Correct, the main fix is the first commit you post. I think the second commit is not quite relevant

@n0psledbyte What's bothering me is the error handling in the first if of the loop. ctx->merge is set at the end of the loop, so either that first if handles it and continues with the next iteration, or it means ctx->merge is 0, which means the fix applied there would be a no-op.

@spendergrsec This bug is reachable without MSG_SPLICE_PAGES. So that's means 15 years old container escape bug reachable without user namespace 😅. We use this for kernelCTF

Doesn't seem like the fixes tag is correct on that one though, I think it should be d3dccb0a487d065ce097e565d9ca8ae85d892a55. Should not be able to reach the bad case prior to MSG_SPLICE_PAGES support.

After 6 months of responsible disclosure, proud to announce our team discovered 13 (mostly exploitable) vulnerabilities in Samsung Exynos processors! Kudos to @st424204, @n0psledbyte, @Peterpan980927 & @rainbowpigeon_ CVE-2025-23095 to CVE-2025-23107 📍 semiconductor.samsung.com/support/qualit…

Big shoutout to @hi_im_d4rkn3ss & @gerrard_tai for flying over & represent us To our 1st-timers Gerrard @cplearns2h4ck @MochiNishimiya for the awesome work To @n0psledbyte & @st424204 for guiding the next gen & @_piers2 @bruce30262 who are part of it Lets continue trying #Pwn2Own

Nicely done! Billy (@st424204) and Ramdhan (@n0psledbyte) of STAR Labs used a UAF to perform their Docker Desktop escape and execute code on the underlying OS. They earn $60,000 and 6 Master of Pwn Points.

After a dramatic pause in getting things setup Billy(@st424204) and Ramdhan(@n0psledbyte) of STAR Labs preformed a Docker Desktop escape to pop calc - and they are also now off to the disclosure room - good luck! #Pwn2Own #P2OBerlin

We look forward to meeting everyone (both speakers and attendees). 🥳

Seems like the Docker Escape (CVE-2024-6222) that our team members, @st424204 ,@n0psledbyte & @tuanit96 presented at Pwn2Own is finally fixed. Great work. 👍🏼💪🏼 #4290" target="_blank" rel="nofollow noopener">docs.docker.com/desktop/releas…

Exciting news! 🚀 Just dropped my blogpost unveiling the universal Linux kernel LPE PoC for CVE-2024-1086 (working on v5.14 - v6.7) used for pwning Debian, Ubuntu, and KernelCTF Mitigation instances, including novel techniques like Dirty Pagedirectory 🧵 pwning.tech/nftables

Our researchers @st424204 & @tuanit96 & @n0psledbyte are also successful in their LPE attempt in Ubuntu at #Pwn2Own Vancouver 2024, 🥳🥳👍🏼

Verified! The first #Docker escape at #Pwn2Own involved two bugs, including a UAF. The team from STAR Labs SG did great work in the demonstration and earned $60,000 and 6 Master of Pwn points. #P2OVancouver

During the 2nd day of #Pwn2Own Vancouver 2024, our researchers @st424204 & @tuanit96 & @n0psledbyte successfully demonstrated their Docker Escape. 🥳🥳👍🏼

We are organising a conference on 26th - 27th June 2024 Attention Speakers: Our 2024 Call for Papers is now open! #OffByOne2024? Learn all about it: offbyone.sg/cfp/

Excellent blog posts by @sam4k1 introducing Linux kernel memory management: buddy (page) allocator and slab (SLUB) allocator buff.ly/3Ofs5kR buff.ly/3EqeXpu #Linux #kernel #cybersecurity #0xor0ne

So far I've written 559 pages to help the security community: 1. exploitreversing.com/2021/12/03/mal… 2. exploitreversing.com/2022/02/03/mal… 3. exploitreversing.com/2022/05/05/mal… 4. exploitreversing.com/2022/05/12/mal… 5. exploitreversing.com/2022/09/14/mal… 6. exploitreversing.com/2022/11/24/mal… 7. exploitreversing.com/2023/01/05/mal… 8. exploitreversing.com/2023/04/11/exp…

2024 is the year of the decompiler! Start your year off right by reading a post on the last 30 years of decompilation and one of its hardest problems: structuring! mahaloz.re/dec-history-pt1 Part 2 to be released next week.

I wasted my afternoon writing an introduction to the Hiew hex editor😆 lock.cmpxchg8b.com/hiew.html

during reverse engineering, whenever i see some unknown instruction the first place i go to is this page: felixcloutier.com/x86/index.html you can click on each instruction and see their psuedocode, this helps you to understand what are the steps that this instructions takes which are not obvious like how ret instructions pops the stack pointer into eip.

Reminder to go ask the questions that you feel are stupid. Just fixed a problem I was stuck on for 2 days in 15 minutes because I asked all my dumb questions.