exploits.club Weekly(ish) Newsletter 93 - Old QEMU Bugs, Android Auto Bluetooth PoCs, BeeStation P20, and More
Welcome back to your favorite "mostly weekly but sometimes whenever we feel like it" newsletter. Annnnnnyways 👇
In Case You Missed It...
- HEXACON Videos Are OUT
- Advent Of Pwn - PwnCollege's Advent Of Pwn ends today. If you haven't already given it a go, make sure to try it out before Christmas! It will exist after that...but it would be slightly weird to help the elves in May
- 40 Years Of Phrack - A podcast about the rise and history of Phrack, brought to you by two Phrack editors
Resources And Write-Ups From This Week:
- Exploiting a 13-years old bug on QEMU - So if you didn't know, apparently "iret and call far are broken in all versions of QEMU prior to version 9.1". We must admit...we were unaware. Thankfully, @Erge, @leave and @prosti were willing to clue us in on this info in their most recent blog post. Following what can only be considered an "unintended solve" for a kpwn challenge hosted in an Ubuntu 24.04 container, the group decided to put together a write-up explaining the vulnerability and how it can be exploited. Essentially, QEMU's implementation of these instructions assumed a privilege-level change, i.e. a return from ring 0 to ring 3. The bug arises if you start in ring 3 and stay in ring 3: QEMU then accesses the stack as if the current privilege level were 0. The post goes on to show how this yields an arbitrary write and how it can be exploited both with and without KPTI enabled.
- Breaking the BeeStation: Inside Our Pwn2Own 2025 Exploit Journey - We have said it before and we will say it again - Pwn2Own write-ups are the best. Synacktiv returned to their blog last week to prove our point yet again. In their newest post, the team walks through the full journey of their Pwn2Own win on the Synology BeeStation Plus. The post starts with obtaining and decrypting the firmware, then moves into enumerating the attack surface, identifying 69 pre-auth HTTP endpoints. While tracing through these, they quickly find a stack-based buffer overflow. Exploitation requires a few leaks. Because the service uses a fork-server model (each request is handled by a forked child that inherits the parent's memory, so a crashed child does not change the canary or addresses for the next request), they can brute-force the canary, stack pointers, and return address byte by byte. This in turn allows them to ROP to a shell.
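The byte-by-byte leak mentioned above is a generic fork-server technique, so here is an added example of it (written for this newsletter, not code from the Synacktiv write-up or the BeeStation firmware). It models the parent/child split instead of really forking: the canary is fixed for the lifetime of the listener, a child that trips the stack protector only reports "crashed", and the attacker therefore needs at most 256 requests per byte instead of 2^64 guesses for the whole value. The canary bytes, the `fork_server_t` model and the helper names are all constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example, not code from the Synacktiv write-up. It models the
 * byte-by-byte leak against a fork-server: every request is served by a
 * forked child that inherits the parent's stack canary, so a child that
 * dies on a wrong guess tells the attacker "wrong byte" without changing
 * the secret for the next request. The same loop recovers any secret that
 * sits after the overflowed buffer (saved frame pointer, return address). */

#define SECRET_LEN 8
#define MAX_REQUESTS (SECRET_LEN * 256)   /* worst case for one secret */

/* Model of the listening parent: the canary is fixed for the process lifetime. */
typedef struct {
    uint8_t canary[SECRET_LEN];   /* constructed value, see main() */
    unsigned requests;            /* requests served, i.e. children forked */
} fork_server_t;

/* Model of one forked child handling a request. The request overflows a stack
 * buffer by `n` bytes, so the first n bytes of the canary are replaced by
 * attacker data; __stack_chk_fail() kills only the child and the parent keeps
 * serving with the same canary. Returns 1 if the child survived (the
 * overwritten prefix matched), 0 if it crashed. */
static int child_survives(fork_server_t *srv, const uint8_t *overflow, size_t n)
{
    srv->requests++;
    if (n > SECRET_LEN)
        return 0;
    return memcmp(srv->canary, overflow, n) == 0;
}

/* Recover the canary one byte at a time. Returns the number of requests
 * issued, or -1 if some byte was never accepted (e.g. a server that
 * re-executes per connection and so re-randomizes the canary, where this
 * technique does not apply). */
int brute_force_canary(fork_server_t *srv, uint8_t out[SECRET_LEN])
{
    uint8_t guess[SECRET_LEN] = {0};
    unsigned before = srv->requests;

    for (size_t i = 0; i < SECRET_LEN; i++) {
        int found = 0;
        for (int v = 0; v < 256; v++) {
            guess[i] = (uint8_t)v;
            /* Only the first i+1 bytes are overwritten; the rest of the
             * canary stays intact, so a match means this byte is right. */
            if (child_survives(srv, guess, i + 1)) {
                found = 1;
                break;
            }
        }
        if (!found)
            return -1;
    }
    memcpy(out, guess, SECRET_LEN);
    return (int)(srv->requests - before);
}

int main(void)
{
    /* Constructed canary. The low byte is zero, as glibc's x86-64 stack
     * protector guarantees, so the first byte costs a single request. */
    fork_server_t srv = { { 0x00, 0x3c, 0xa1, 0x07, 0xff, 0x52, 0x10, 0x8e }, 0 };
    uint8_t leaked[SECRET_LEN];
    int n = brute_force_canary(&srv, leaked);

    printf("recovered canary in %d requests (worst case %d):", n, MAX_REQUESTS);
    for (size_t i = 0; i < SECRET_LEN; i++)
        printf(" %02x", leaked[i]);
    printf("\n");
    return n < 0;
}
```

Running the same loop with the saved frame pointer and return address as the secret is what turns a crash oracle into a full stack leak; the defence that actually breaks it is re-exec'ing (or otherwise re-randomizing) per connection rather than forking, which is why `brute_force_canary` returns -1 in that case instead of looping forever.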
- How And Why We Hacked Cypherock Hardware Wallet: The Full Story - DARKNAVY made some recommendations on a hardware wallet you may not want to choose. The team recently unveiled their research into the Cypherock X1 Vault and it was...concerning. Right off the bat, they found an OOB access that led to a controllable function pointer with trivial exploitation due to the lack of pretty much all relevant mitigations. With that they were able to dump the bootloader. Another vulnerability allowed them to dump the Firewall Code Area. With all the components retrieved, it was possible to bypass the authenticity verification and flash malicious firmware.
- Proof-of-concept for CVE-2025-48593: No, this Android Bluetooth issue does NOT affect your phone or tablet - It is always a good time when someone takes it upon themselves to read and critically think about vulns in an Android Bulletin...that way we don't have to. For the November updates, Android patched a Bluetooth bug that was rated critical. @zhuowei decided to have a look into it and determined it only affects smartwatches, smart glasses, and cars. He put together a root-cause analysis showing that the bug sits in the Hands-Free Profile (HFP) subsystem, how a use-after-free can be triggered, and how the subsequent allocation that reuses the freed chunk can be controlled.
- Writing Sync, Popping Cron: DEVCORE's Synology BeeStation RCE & A Novel SQLite Injection RCE Technique (CVE-2024-50629~50631) - Oh, you thought we were done talking about BeeStation? Wrong. Another post popped up, this one from @kiddo_pwn, discussing a novel exploitation technique that surfaced while reviewing an old bug. Specifically, he was reviewing the three-bug chain DEVCORE used at Pwn2Own in 2024. The post walks through the attack surface (similar to the Synacktiv write-up), and then reviews each of the three bugs used in the original P2O chain: an auth bypass, a CRLF injection and an SQL injection. He then re-exploits the chain, demonstrating an SQLite dirty-file-write primitive aimed at a crontab file rather than the usual PHP target (a variation on the well-known PHP technique).
- Hanging pointers, fragile memory – from an undisclosed vulnerability to Pixel 9 Pro - Get out your Google Translate. Unless you speak Chinese...then you are in luck. A new post from Dawnslab released this week demonstrating exploitation of a recently patched Mali GPU driver bug. The mix-up here is that a kfree() is performed without clearing the pointer afterwards, and a later path frees the pointer again if it is non-NULL, giving a double free. The post then goes into exploitation, covering the kernel object types you need to be familiar with, walking through how the bug is triggered as a race, and then how you can escalate it to a page-level UAF. It even works with MTE enabled, as demonstrated on a Pixel 9 Pro (though it does throw a warning).
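For readers who want the bug class in front of them, here is an added example of the "free without clearing, then conditional free" pattern and its one-line fix (written for this newsletter; it is not the Mali driver's code or Dawnslab's PoC, and `struct context`, `struct region` and the function names are hypothetical). A small tracking allocator stands in for kmalloc/kfree so the second free is counted instead of corrupting the real heap, and the two paths run one after the other, whereas in the real driver they race.

```c
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the Mali driver's code or Dawnslab's PoC. It models the
 * bug class the post describes: one path frees an object but leaves the
 * stale pointer in place, and a later teardown path frees whatever pointer
 * is still non-NULL. All names here are hypothetical. */

/* Tracking allocator standing in for kmalloc/kfree: a pointer that is not in
 * the live set when freed is a double free (or was never allocated), which
 * is counted rather than handed to the real heap a second time. */
#define MAX_LIVE 16
static void *live[MAX_LIVE];
static int double_frees;

static void *obj_alloc(size_t sz)
{
    void *p = calloc(1, sz);
    for (int i = 0; i < MAX_LIVE; i++) {
        if (!live[i]) {
            live[i] = p;
            return p;
        }
    }
    free(p);
    return NULL;
}

static void obj_free(void *p)
{
    for (int i = 0; i < MAX_LIVE; i++) {
        if (live[i] == p) {
            live[i] = NULL;
            free(p);
            return;
        }
    }
    double_frees++;
}

struct region { char data[64]; };          /* the object that gets freed twice */
struct context { struct region *region; }; /* owner holding the pointer */

/* Path 1, buggy: releases the region early but leaves ctx->region dangling. */
static void release_region_buggy(struct context *ctx)
{
    obj_free(ctx->region);
}

/* Path 1, fixed: the same release, but the pointer is cleared so no later
 * path can mistake the stale value for a live object. */
static void release_region_fixed(struct context *ctx)
{
    obj_free(ctx->region);
    ctx->region = NULL;
}

/* Path 2: final teardown, which frees the region only if the pointer is
 * non-NULL. After the buggy path 1 this check passes and the region is
 * freed a second time. */
static void context_teardown(struct context *ctx)
{
    if (ctx->region)
        obj_free(ctx->region);
    ctx->region = NULL;
}

/* Runs path 1 (buggy or fixed) followed by path 2 on a fresh context and
 * returns how many double frees the tracking allocator observed. */
int run_scenario(int use_fix)
{
    double_frees = 0;
    memset(live, 0, sizeof live);

    struct context ctx = { .region = obj_alloc(sizeof(struct region)) };
    if (use_fix)
        release_region_fixed(&ctx);
    else
        release_region_buggy(&ctx);
    context_teardown(&ctx);
    return double_frees;
}

int main(void)
{
    printf("buggy path: %d double free(s)\n", run_scenario(0));
    printf("fixed path: %d double free(s)\n", run_scenario(1));
    return 0;
}
```

In the kernel the allocator has no such live set: the second kfree() of the same object corrupts the slab freelist, which is the primitive the post builds on, and if another allocation lands in the chunk between the two frees, the second free also turns into a UAF of the new occupant.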
Interesting Job Postings:
- Malware Analysis Intern @ Apple (Remote / Hybrid: Canberra, Australian Capital Territory, Australia)
- Principal Security Researcher @ GitHub Security Lab (Remote: US / UK)
- Offensive Security Researcher @ NVIDIA (On-Site: Austin, TX)
- Android Vulnerability Researcher @ Booz Allen Hamilton (On-Site: Annapolis Junction, MD)
- Principal Security Researcher @ Microsoft (On-Site: Redmond, WA)
Wrapping Up:
As always, thanks for stopping by. We here at the club are always trying to improve so if you have comments, questions, or suggestions, feel free to shoot us an email - info@exploits.club.
Follow us on X - we occasionally Tweet poor attempts at memes
Want to support us? Buy us a coffee ☕️
Don't forget to check out https://bug.directory!

Feel free to join the exploits.club Discord server here 👉 https://discord.gg/2dxN2Gtgpx
Same time next week? See you then 🏴☠️
