www = web web web · Staff Security Engineer @praetorianlabs · Previously 🌐 Security Researcher @starlabs_sg · Plays CTFs with HATS SG. Opinions are my own.

Joined May 2012
Pinned Tweet
Check out my write-up on a seemingly harmless and limited send() in GitHub (CVE-2024-0200) and how it could be used to obtain environment variables from a production container and to achieve remote code execution in GitHub Enterprise Server: starlabs.sg/blog/2024/04-sen…
11 Apr 2025
Happy to announce that I'll be speaking alongside @DennisPacewicz at @rubykaigi next week! We'll be sharing some secret stories on how I gained access to production GitHub credentials using CVE-2024-0200 as well as @GitHubSecurity's remediation efforts. rubykaigi.org/2025/presentat…
Ngo Wei Lin retweeted
I just published a new blog post sharing an improved Deserialization Gadget Chain for Ruby! It builds on the work of others, including Leonardo Giovanni, Peter Stöckli @GHSecurityLab and @wcbowling nastystereo.com/security/rub…
Ngo Wei Lin retweeted
Thrilled to release my latest research on Apache HTTP Server, revealing several architectural issues! blog.orange.tw/2024/08/confu… Highlights include: ⚡ Escaping from DocumentRoot to System Root ⚡ Bypassing built-in ACL/Auth with just a '?' ⚡ Turning XSS into RCE with legacy code from 1996
Ngo Wei Lin retweeted
🚨 New Blog Alert! 🚨 Can an attacker execute commands by sending JSON? Learn how unsafe deserialization vulnerabilities in Ruby can be exploited and how they can be detected with CodeQL. 🔗 Read the full post: github.blog/2024-06-20-execu… Stay safe and code responsibly! 🛡️💻
Ngo Wei Lin retweeted
9 May 2024
My colleague @hash_kitten and I discovered a full-read SSRF vulnerability in Next.js (CVE-2024-34351). We published our research today on @assetnote's blog: assetnote.io/resources/resea…. Thank you to the Vercel team for a smooth disclosure process.
Ngo Wei Lin retweeted
Here is my deep-dive post on #github Actions cache poisoning. This is a powerful build pipeline lateral movement and privilege escalation technique and I used it to earn several thousand💰in #bugbounty rewards. adnanthekhan.com/2024/05/06/…
Ngo Wei Lin retweeted
Send()-ing Myself Belated Christmas Gifts - GitHub's Environment Variables & GHES Shell starlabs.sg/blog/2024/04-sen… Read about how one of our talented researchers, @Creastery, found it, exploited it and reported it in a fast and professional manner:
Huge thanks to @GitHubSecurity for coordinating, investigating and fixing!
Ngo Wei Lin retweeted
3 May 2024
Earlier this year I found a pretty cool vuln, an arbitrary file write in GitLab. Here are the details: gitlab-com.gitlab.io/gl-secu…
Ngo Wei Lin retweeted
18 Mar 2024
Route to Safety: Navigating Router Pitfalls is the swansong from @daniellimws starlabs.sg/blog/2024/route-… We hope everyone enjoyed his informative post and wish him all the best in his future endeavours.
Ngo Wei Lin retweeted
Off-by-One 2024 Conference CFP is now open! Be part of a historical event and shape the future of offensive security in this region. Submission details and speaker benefits: offbyone.sg/cfp/ If you'd like to talk to us, drop us a line at info@offbyone.sg
17 Jan 2024
👀
16 Jan 2024
CVE-2024-0200 An unsafe reflection vulnerability was identified in GitHub Enterprise Server that could lead to reflection injection. This vulnerability could lead to the execution of… cve.org/CVERecord?id=CVE-202…
17 Jan 2024
This is one of the most insane bugs I've discovered, but it all happened at a really inopportune time. 😥 Shoutout to all the Hubbers who got involved and had been working tirelessly on this since the Christmas/New Year period! 🙏
We received a bug bounty report of a vulnerability which, if exploited, allowed access to credentials within a production container. We have patched GitHub.com and rotated all affected credentials, and patches for GHES are available today. github.blog/2024-01-16-rotat…
28 Nov 2023
Check out the technical analysis of 10 remote code execution bugs I discovered in Chamilo LMS below⬇️.
28 Nov 2023
Notably, CVE-2023-3368, which I discovered, is a patch bypass of CVE-2023-34960 (an unauthenticated command injection bug exploited in the wild, found by @RandoriSec/@Aituglo), and CVE-2023-3533 is another unauthenticated file write RCE found in the same code location that was overlooked!🙈
29 Sep 2023
Check out this detailed n-day writeup by @oceankex, a former web security intern at STAR Labs I mentored, and how it led to two other bugs hidden in plain sight being discovered!
29 Sep 2023
Our team member, @Creastery, & our former intern, @oceankex, prepared this some time ago. "Analysis of NodeBB Account Takeover Vulnerability (CVE-2022-46164)" starlabs.sg/blog/2023/09-ana… While writing this, they found another bug starlabs.sg/advisories/23/23… We hope you enjoy it
Ngo Wei Lin retweeted
31 Aug 2023
I've finally published the advisories regarding the Trend Micro bugs that I shared at #HITCON! Do check them out at @starlabs_sg's advisory page: starlabs.sg/advisories/ 🏌️‍♂️CVE-2023-32530 is an interesting case of SQLi to RCE: starlabs.sg/advisories/23/23…