exploits.club Weekly(ish) Newsletter 92 - S23 N-Day PoCs, Printer Overflows, DNG OOB Writes, And More

We are so back. Annnnnyways 👇

In Case You Missed It...

Resources And Write-Ups From This Week:

  • Exploiting CVE-2025-21479 on a Samsung S23 - Look...we have done our fair share of accidentally buying locked North American versions of Android phones. Normally, we just return them and take our chances on a 1-star seller on eBay. But if you are @XploitBengineer, why not just PoC out an N-Day to get root instead? In a recent blog post, he shared his experience writing an exploit for CVE-2025-21479, an ITW bug related to the Qualcomm GPU microcode. The post walks you through how GPU command processing works and how the patched bug allowed privileged commands to be executed from userspace. From there, the post moves to exploitation, looking at controlling a GPU pagetable, converting that to arbitrary r/w, and finding the kernel base. Unsatisfied with those primitives, he takes it a step further, demonstrating how to improve reliability and speed with a method based on dirty pagetable.
  • Defeating KASLR by Doing Nothing at All - Project Zero took to their blog recently to point out, yet again, that KASLR just...doesn't work. In their most recent post, they show how Linux has a linear mapping, where a region of kernel virtual address space is a 1:1 unstructured representation of physical memory. On some Android phones, kernel physical addresses aren't randomized at boot, meaning it is possible to statically calculate the virtual address of any .data entry. The post then points out that even with physical KASLR, you aren't safe, and shows some examples of this on the S23. If you find yourself in a similar position, this plus @XploitBengineer's post should be more than enough to find whatever you need on a sammy as well.
  • Breaking Into a Brother (MFC-J1010DW): Three Security Flaws in a Seemingly Innocent Printer - How can you not love printer hacking? Earlier this month, STAR Labs released a blog post about a 3-bug chain they used to fully compromise a Brother printer. The first of the bugs was an auth bypass related to the Simple Network Management Protocol. This protocol was exposed on the network and allowed the team to retrieve the printer's serial number, which in turn could be used to derive the arithmetically generated default password. The team also discovered it was possible to roll back the printer firmware...over the network...unauthenticated. With those two bugs out of the way, the post gets into the main event - an overflow in the Referer header. This part of the post includes a full hardware hacking section, showing the teardown process and the firmware dump. It then moves on to making sense of the flash.bin, finding the different named segments and load addresses. From there, they were able to hunt for a vulnerability, mapping out the HTTP request handling code and finding that the Referer header was missing proper size checks. They were able to overflow this and overwrite a callback pointer, getting RCE.
  • SPTM - The Last Bits - Very early this year, we covered a Dataflow post from Jonathan Levin about Secure Page Table Monitor, the new service intended to help enforce memory space isolation in XNU. Well, he and the DFFenders are back to discuss the topic one last time. If you missed the last episode, don't worry - this one kicks off with a recap which briefly summarizes the various learnings thus far. Similar to the previous post, it then goes into various implementation details: Page Retypings, Domain Traversals, and Dispatch tables. It is one of the more detailed posts, including tons of code examples, raw memory dumps, and RE walkthroughs, all used to further the research on SPTM. Also, the team is hiring...so check it out.
  • Four Bytes, One Lie: A SMAP-Free Confidence Trick on Kernel Pointers - This month also gave us a great Windows LPE write-up from Hyeonjin. In this recent post, he takes a look at the bug exploited for Pwn2Own Berlin. The blog first reviews the subsystem in question, DirectComposition, explaining how it works and the kernel attack surface it exposes. The vulnerability identified is a constrained OOB write, where 4 arbitrary bytes can be written at a fixed offset into the next heap chunk. After RCAing what caused this bug and how it can actually be triggered, the post turns its attention to exploitation. Given the SMAP-free configuration, the idea was to overwrite the upper 32 bits of a kernel pointer so that it points into user mode. Taking inspiration from Yarden's One I/O Ring to Rule Them All post, he was able to convert this idea into a full SYSTEM shell.
  • LANDFALL: New Commercial-Grade Android Spyware in Exploit Chain Targeting Samsung Devices - Unit 42 at PANW identified an Android spyware family, which they gave a cool name...because that is easily the most important part. This specific spyware targets CVE-2025-21042, a previously unknown OOB write in libimagecodec.quarm.so, specifically in the DNG parser. After the high-level overview, the post goes into explicit detail on the campaign, looking at the malformed DNG files, the payload delivered as an embedded zip, an analysis of the malware's capabilities, and the C2 comms. But if you are like us, you're mostly interested in the vulnerability and the exploit....well, good news....
  • Samsung: QuramDng getOverlap miscalculation leads to integer overflow, leading to out-of-bounds read/write - While not the exact same bug as LANDFALL, this should hopefully get some of the point across, given that it is the same library and the same file format. P0 and TAG teamed up and identified this OOB r/w, which can be triggered with a malicious DNG file. Specifically, the issue occurs while calculating overlap coordinates, a calculation that suffers from an off-by-one. This subsequently leads to an integer overflow, which in turn results in an out-of-bounds offset into an area noted as "very controllable". A reproduction case is included, as always.

Interesting Job Postings:

Wrapping Up:

As always, thanks for stopping by. We here at the club are always trying to improve so if you have comments, questions, or suggestions, feel free to shoot us an email - info@exploits.club.

Follow us on X - we occasionally Tweet poor attempts at memes

Want to support us? Buy us a coffee ☕️

Don't forget to check out https://bug.directory!

Your second brain - strictly for bugs

Feel free to join the exploits.club Discord server here 👉 https://discord.gg/2dxN2Gtgpx

Same time next week? See you then 🏴‍☠️