exploits.club Weekly Newsletter 11
Good morning, afternoon and evening. We hope everyone is having a wonderful start to their March, full of bugs.
In Case You Missed It...
- Theori's 6 Bug Chain - Using 6 N-days, the Theori team was able to write an exploit chain to pop Chrome and escape VMware. The team has commented that they will be releasing details over the next few weeks, and we will include them in the newsletters as they come out.
- Linux Kernel Exploitation Collection Jan/Feb Update - The repo got an update with 30 new resources ranging across a number of Linux-related topics.
Resources And Write-Ups From This Week:
- Secure by Design: Google’s Perspective on Memory Safety - Google is aiming to be President Biden's favorite child. Just a week after the White House's cry for memory safety, the tech giant released a 12-page paper detailing the company's approach to mitigating memory corruption bugs. The paper includes a brief history of the bug class, before jumping into Google's thoughts on how to eradicate it. The approach involves adapting their Safe Coding strategy to low-level languages, employing better exploit mitigations, and using static analysis and fuzzing to identify bugs ahead of deployment. Don't worry fanboys, they do talk about Rust.
- Fuzzer Development 3: Building Bochs, MMU, and File I/O - Two weeks ago, we covered @h0mbre_'s fuzzer development blog series. This week, he is back with another installment. In the post, he walks through some changes he's made, such as changing the syscall infrastructure, simplifying the context-switching calling convention, introducing a new error class, and sandboxing thread-local storage. He then dives into building Bochs and handling the subsequent syscalls this introduces into the project.
- Android Security Bulletin—March 2024 - Android released their monthly security bulletin on the 4th, which included two critical patches, both related to Bluetooth. CVE-2024-23717 is an EOP vuln found by @marcnewlin and is being detailed at NullCon next week! The other Bluetooth bug, CVE-2024-0039, was marked as RCE and includes links to three commits.
- Jailbreaking The Apple HomePod: Fun With Checkm8 And Smart Speakers - Yes, yes, we are late to this one. The recording was uploaded to YouTube two weeks ago and the presentation is from last year. But that doesn't make it any less fun. This talk, given by @Tihmstar and @LinusHenze, walks through the software and hardware of the Apple HomePod, before jumping into exploitation and discussing the different things you can do with a jailbroken HomePod.
- VirtualBox Vuln Research Set-Up - @farazsth98 put together a collection of notes on getting started with building and debugging VirtualBox.
- CVE-2023-42942: xpcroleaccountd Root Privilege Escalation - @patch1t released a write-up for a PrivEsc he found and reported to Apple last month. The TOCTOU bug was exploitable via a symbolic link: the link initially points at a legitimate Apple-signed XPC bundle, but is swapped out after the signature verification, so the bundle that gets loaded is not the one that was checked.
- SolarWinds Security Event Manager AMF deserialization RCE (CVE-2024-0692) - If you aren't a Chinese speaker, you may have to whip out Google Translate for this one. That said, this detailed write-up from @X1r0z documents the process of identifying the AMF deserialization vulnerability, and then walks through two different ways to leverage it into RCE. The bug was disclosed by ZDI on the 1st of this month.
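The check-then-use pattern behind the xpcroleaccountd bug above, as an added illustration that is not from the write-up or from Apple's code: a loader that verifies by path and then re-opens by path can be fed a different file than the one it checked, while a loader that opens once, refuses symlinks, and verifies the bytes it actually read cannot. The HMAC "signature", file names and race callback are constructed stand-ins for the real code-signature check and race window.

```python
import hashlib
import hmac
import os
import tempfile

DEMO_KEY = b"demo-signing-key"  # constructed stand-in for the code-signing check

def sign(data: bytes) -> str:
    return hmac.new(DEMO_KEY, data, hashlib.sha256).hexdigest()

def load_vulnerable(path, tag, race_window=lambda: None):
    """Check by path, then use by path; race_window stands in for the gap between."""
    with open(path, "rb") as f:                      # time of check: path resolved once
        if not hmac.compare_digest(sign(f.read()), tag):
            raise ValueError("signature mismatch")
    race_window()
    with open(path, "rb") as f:                      # time of use: path resolved again
        return f.read()

def load_hardened(path, tag):
    """Open once with O_NOFOLLOW, verify the bytes actually read, use those bytes."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)  # OSError if path is a symlink
    with os.fdopen(fd, "rb") as f:
        data = f.read()
    if not hmac.compare_digest(sign(data), tag):
        raise ValueError("signature mismatch")
    return data

def demo():
    """Constructed scenario: a signed file, an unsigned file, and a link swapped mid-window."""
    with tempfile.TemporaryDirectory() as d:
        trusted, untrusted, link = (os.path.join(d, n) for n in ("t", "u", "link"))
        with open(trusted, "wb") as f:
            f.write(b"legit bundle")
        with open(untrusted, "wb") as f:
            f.write(b"untrusted bundle")
        tag = sign(b"legit bundle")                  # only the trusted file is signed
        os.symlink(trusted, link)
        def swap():                                  # the link is repointed inside the window
            os.remove(link)
            os.symlink(untrusted, link)
        result = {"vulnerable": load_vulnerable(link, tag, swap)}
        try:
            load_hardened(link, tag)
            result["hardened"] = "loaded"
        except OSError:
            result["hardened"] = "refused symlink"
        result["hardened_direct"] = load_hardened(trusted, tag)
        return result
```

`demo()` returns the unsigned bytes from the vulnerable loader even though the signature check passed, while the hardened loader refuses the link outright and only accepts the real signed file.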
Interesting Job Postings:
- Senior Information Security Engineer, Cloud Vulnerability Research @ Google (Remote)
- Offensive Cyber Developer @ Leidos (On-Site: Columbia, MD)
- Exploit Developer @ Parsons (On-Site: Fort Belvoir, VA)
- Vulnerability Researcher @ Raytheon (On-Site: San Antonio, TX)
- Anti-Cheat Engineer – XDefiant @ Ubisoft (On-Site: San Francisco, CA)
- Lead Hardware Reverse Engineer @ Two Six Technologies (On-Site: Arlington, VA)
Wrapping Up...
As always, thanks for stopping by. We here at the club are always trying to improve so if you have comments, questions, or suggestions, feel free to shoot us a DM on X (or just drop us a follow if you are feeling generous).
We are opening up the exploits.club Discord to the public. Feel free to join us here 👉 https://discord.gg/2dxN2Gtgpx
Want to support us? You can now sponsor a coffee for the club.
Same time next week? See you then 🏴☠️