exploits.club Weekly Newsletter 13
Normally something witty goes here, but your friendly author has been staring at disassembly for so long that "witty" just isn't happening today. Check back next week. Let's get into it 👇
In Case You Missed It...
- New Tools Galore - A couple of useful tools came out this week. Trail Of Bits dropped a VSCode plugin intended to help your code auditing workflow. In a similar vein, Interrupt Labs released a Binary Ninja plugin that lets you run Semgrep rules against the decompiler's pseudo-C output.
- RCE on Apex Legends - Midway through a live esports tournament, multiple players suddenly found their game "enhanced" with a number of cheats, from walls to aimbot. The cheats may have been injected remotely by a hacker who claims he was able to exploit a bug in the game for RCE; that claim had not been independently confirmed at the time of writing. It will be interesting to see the post-mortem on this one.
- Pwn2Own Is Back - At the time of writing, we are headed into day 2 of the hacking competition. On day one alone, $732,500 was awarded for 19 separate 0-days. Not too shabby.
- OffensiveCON CFP Ending Soon - Get those papers in before April 2nd!
Resources And Write-Ups From This Week:
- Chaining N-days to Compromise All: Part 1 — Chrome Renderer RCE - As promised, Theori has published the first blog post on their six-bug 1-day full chain. This post documents exploitation of CVE-2023-3079, a type confusion bug in V8. The team walks through the required browser background knowledge before diving into a root-cause analysis (RCA) of the bug and explaining how the initial primitive is escalated to an out-of-bounds (OOB) memory access and eventually turned into renderer RCE. We are looking forward to the next five posts!
- Gaining kernel code execution on an MTE-enabled Pixel 8 - If you have been anywhere near X this week, you probably came across this new post from the man, the myth, the legend, @mmolgtm. This time, he is back for some GPU hacking fun, popping CVE-2023-6241 to gain arbitrary kernel code execution from a malicious application context. Even better, the post demonstrates why MTE does not help against this bug: the exploit flow never dereferences a tagged pointer from the CPU, and instead uses the GPU to access physical memory directly, which MTE does not check.
- Making Mojo Exploits More Difficult - The Microsoft Browser Vulnerability Research Team put out a post last week discussing new security mitigations being implemented in Chromium-based browsers. The mitigation centers around Mojo and MojoJS, and targets exploits that, after compromising a renderer, enable MojoJS so they can call Mojo interfaces directly as a step toward escaping the browser sandbox.
- Free Security Training Resources - @alexjplaskett put together a great list of free training resources for cybersecurity professionals over on X. The list is segmented into sections based on topic and includes binary exploitation, fuzzing, reverse engineering, malware, and web.
- Java Deserialization Tricks - Synacktiv put together a list of helpful tips and tricks for Java deserialization, specifically focusing on what to do "once a gadget chain leading to RCE has been identified". The post centers on making your exploit stealthier and avoiding detections. It also links out to other posts Synacktiv has written on Java deserialization, which serve as a great primer for anyone unfamiliar with exploiting the vuln class.
- CVE-2024-1212: Unauthenticated Command Injection In Progress Kemp LoadMaster - Sometimes you don't need a complex fuzzing set-up, a six-bug chain, or stealthy deserialization tricks to pop high-impact vulns. Maybe you just need to search for calls to "system". That's exactly what Rhino Security Labs proved in their most recent blog post, which details a command injection in Kemp LoadMaster. After reversing the web server binary, the team realized that the contents of the HTTP Basic Auth header were passed straight into system(), so a request with shell metacharacters in the credentials runs attacker-controlled commands before any authentication check succeeds: pre-auth RCE.
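To make the bug class concrete, here is an added example (written for this newsletter, not Kemp's code and not Rhino's exploit) of a hypothetical Basic Auth handler that exhibits the same pattern, next to the structural fix. The binary path /usr/bin/check_creds, the helper names, and the two base64 credentials are all constructed for illustration. The vulnerable variant builds the string that would go to system(); the hardened variant never touches a shell, so a ';' in the password is just a byte in an argv entry rather than a second command.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example: hypothetical HTTP Basic Auth handling, not any vendor's code.
 * vulnerable_build_cmd() returns the command line a system() call would run;
 * hardened_build_argv() returns an argv[] suitable for execve()/posix_spawn(). */

/* Map one base64 alphabet character to its 6-bit value, or -1 if invalid. */
static int b64val(int c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode base64 into out (NUL-terminated). Returns decoded length, or -1 on
 * an invalid character or insufficient buffer. Stops at the first '='. */
static int b64_decode(const char *in, char *out, size_t outlen) {
    unsigned int acc = 0;
    int bits = 0;
    size_t n = 0;
    for (; *in && *in != '='; in++) {
        int v = b64val((unsigned char)*in);
        if (v < 0) return -1;
        acc = (acc << 6) | (unsigned int)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n + 1 >= outlen) return -1;
            out[n++] = (char)((acc >> bits) & 0xff);
        }
    }
    out[n] = '\0';
    return (int)n;
}

/* Strip the "Basic " scheme and decode "user:password". Returns -1 if malformed. */
static int decode_basic(const char *auth_header, char *cred, size_t credlen) {
    static const char prefix[] = "Basic ";
    if (strncmp(auth_header, prefix, sizeof prefix - 1) != 0) return -1;
    return b64_decode(auth_header + (sizeof prefix - 1), cred, credlen);
}

/* VULNERABLE pattern: the decoded credential is interpolated into a shell
 * command line. A credential of "admin:x; id" makes "id" a second command.
 * Real code would follow this with system(cmd); here we only build the string. */
int vulnerable_build_cmd(const char *auth_header, char *cmd, size_t cmdlen) {
    char cred[256];
    if (decode_basic(auth_header, cred, sizeof cred) < 0) return -1;
    snprintf(cmd, cmdlen, "/usr/bin/check_creds %s", cred);
    return 0;
}

/* HARDENED: never hand the credential to a shell. Reject non-printable bytes
 * (an embedded NUL fails isprint() because we walk the decoded length, not
 * strlen), split user/password on the first ':', and expose them as separate
 * argv entries for execve()/posix_spawn(). Shell metacharacters stay inert. */
int hardened_build_argv(const char *auth_header, char *cred, size_t credlen, char *argv[4]) {
    int n = decode_basic(auth_header, cred, credlen);
    if (n <= 0) return -1;
    for (int i = 0; i < n; i++)
        if (!isprint((unsigned char)cred[i])) return -1;
    char *colon = strchr(cred, ':');
    if (colon == NULL || colon == cred) return -1;   /* need non-empty user and a separator */
    *colon = '\0';
    argv[0] = "/usr/bin/check_creds";   /* hypothetical checker binary */
    argv[1] = cred;                      /* user */
    argv[2] = colon + 1;                 /* password; may legitimately contain ';' or '$' */
    argv[3] = NULL;
    return 0;                            /* real code: posix_spawn(&pid, argv[0], NULL, NULL, argv, environ); */
}

int main(void) {
    /* Constructed inputs: base64("admin:secret") and base64("admin:x; id"). */
    const char *benign = "Basic YWRtaW46c2VjcmV0";
    const char *inject = "Basic YWRtaW46eDsgaWQ=";
    char cmd[512], cred[256], *argv[4];

    if (vulnerable_build_cmd(inject, cmd, sizeof cmd) == 0)
        printf("vulnerable handler would run: %s\n", cmd);
    if (hardened_build_argv(inject, cred, sizeof cred, argv) == 0)
        printf("hardened argv: [%s] [%s] [%s]\n", argv[0], argv[1], argv[2]);
    if (hardened_build_argv(benign, cred, sizeof cred, argv) == 0)
        printf("hardened argv: [%s] [%s] [%s]\n", argv[0], argv[1], argv[2]);
    return 0;
}
```

The point of the hardened version is that it does not try to blocklist ';', '|' or '$(': it removes the shell from the path entirely, so the credential can only ever be an argument to the checker. A blocklist on top of system() is the kind of fix that tends to get bypassed.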
Interesting Job Postings:
- Exploit Developer @ GRIMM (On-Site: Columbia, MD)
- Principal Vulnerability Researcher @ Palo Alto Networks (Remote)
- Sr. Software Engineer, Windows Vulnerability Research & Detection @ CrowdStrike (Remote)
- Senior Information Security Engineer, Cloud Vulnerability Research @ Google (Remote)
- Offensive Security Research @ NVIDIA (On-Site: Santa Clara, CA)
Wrapping Up...
As always, thanks for stopping by. We here at the club are always trying to improve so if you have comments, questions, or suggestions, feel free to shoot us a DM on X (or just drop us a follow if you are feeling generous).
Feel free to join the exploits.club Discord server here 👉 https://discord.gg/2dxN2Gtgpx
Want to support us? You can now sponsor a coffee for the club.
Same time next week? See you then 🏴☠️