exploits.club Weekly Newsletter 04
Happy Thursday, ladies and gents - hope everyone is staying relatively warm and dropping bugs this week.
In Case You Missed It...
- Pwn2Own Vancouver 2024 Announced - While Pwn2Own Automotive is set to take place next week, ZDI just announced the flagship event will be March 20th-24th at CanSecWest. The usual suspects are listed as categories this go-round (Web browsers, LPEs, Enterprise Apps) as well as a new contender - the Cloud Native/Container category.
- Day[0] Pod Shoutout - We here at exploits.club are long time listeners of the Day[0] podcast, so imagine our surprise when we were featured in the shoutouts section of this week's binary episode. We figured it would be a good time to do the same, so if you enjoy this weekly round-up of RE, VR and exploit dev news, there's pretty much a 100% chance you will enjoy their weekly podcast as well. Give it a listen.
Resources and Write-Ups From This Week:
- Linux Kernel GSM Multiplexing Race Condition Local Privilege Escalation Vulnerability - This week, @pikala released a technical analysis and exploit for CVE-2023-6546. The write-up itself walks through the bug (a race condition leading to a UAF), discusses bypassing modern kernel protections, and ends with the exploit strategy.
- PixieFail: Nine vulnerabilities in Tianocore's EDK II IPv6 network stack - If you have been on Twitter this week, you likely came across this write-up from Quarkslab detailing a handful of vulnerabilities they found in EDK II. The blog walks through what a Preboot Execution Environment is and how it works before diving into the vulnerabilities themselves.
- Hi, My Name Is Keyboard - ShmooCon took place this week, and one of the talks we found particularly fun detailed how an emulated Bluetooth keyboard can be paired with most popular operating systems to inject keystrokes without user confirmation. The slides and exploit scripts are also available now!
- Welcome To 2024: The SSLVPN Chaos Continues - It's been a tough few days for Ivanti. After it was reported that two vulnerabilities were being used in the wild to achieve unauthenticated RCE against their Ivanti Connect Secure (ICS) VPN appliance, watchTowr released this post detailing the vulnerabilities and their exploitation. Following that, Synacktiv released a report detailing multiple additional vulnerabilities they had discovered in ICS. Yikes.
- Chrome Update - A new ITW Chrome bug was reported and patched under CVE-2024-0519. The OOB memory access in V8 appears to be fixed under this commit (credit @hosselot). In addition, the update covers a bug used to exploit the v8CTF, and we are eager to read @__suto's write-up when it drops.
- Ivan Fratric's macOS Video Decoder Bugs - Ivan Fratric posted this week on Twitter that he reported 15 video decoding bugs to Apple in December. The Tweet thread linked both the issues and the fuzzing methodology write-up (now included in the Jackalope examples).
Interesting Job Postings:
- Webkit Engine Security Engineer @ Apple
- Reverse Engineer @ Red Balloon Security
- Mobile Security Researcher @ Ascendo Resources
- Vulnerability Researcher @ Two Six Technologies
- Senior Fuzzing & Tools Developer @ Draper
- Vulnerability Researcher @ TekStream Solutions
These job postings tend to be fairly US centric. If you have non-US postings you know of or want to feature, shoot us a message!
Wrapping Up...
As always, thanks for stopping by for this week's Vulnerability Research Newsletter. If you have comments, questions, or suggestions on how we can improve, feel free to shoot us a DM on X (or just drop us a follow if you are feeling generous).
The exploits.club Discord is live! Feel free to show your interest in joining by filling out the form. Going to send out another round of invites this week.