
exploits.club Weekly Newsletter 13


Normally something witty goes here, but your friendly author has been staring at disassembly for so long that "witty" just isn't happening today. Check back next week. Let's get into it 👇

In Case You Missed It...

Resources And Write-Ups From This Week:

  • Chaining N-days to Compromise All: Part 1 — Chrome Renderer RCE - As promised, Theori has published the first blog post on their 1-day, 6-bug full chain. This post documents exploitation of CVE-2023-3079, a type confusion bug in V8. The team walks through the required browser background knowledge before diving into an RCA of the bug and explaining how the primitive is escalated to an OOB memory access and then turned into RCE in the renderer. We are looking forward to the next 5 posts!
  • Gaining kernel code execution on an MTE-enabled Pixel 8 - If you have been anywhere near X this week, you probably came across this new post from the man, the myth, the legend, @mmolgtm. This time, he is back for some GPU hacking fun, popping CVE-2023-6241 to gain arbitrary kernel code execution from an untrusted application context. Even better, the post demonstrates why MTE offers no protection against this bug: the exploit flow never dereferences a tagged pointer, and instead uses the GPU to read and write physical memory directly.
  • Making Mojo Exploits More Difficult - The Microsoft Browser Vulnerability Research Team put out a post last week discussing new security mitigations being implemented in Chromium-based browsers. The mitigation centers around Mojo and MojoJS, and targets the common post-renderer-compromise step of enabling MojoJS so that Mojo IPC interfaces can be driven from JavaScript on the way to a sandbox escape.
  • Free Security Training Resources - @alexjplaskett put together a great list of free training resources for cybersecurity professionals over on X. The list is segmented into sections based on topic and includes binary exploitation, fuzzing, reverse engineering, malware, and web.
  • Java Deserialization Tricks - Synacktiv put together a list of helpful tips and tricks for Java deserialization, focusing specifically on the stage "once a gadget chain leading to RCE has been identified". The post centers on how to make your exploit stealthier and avoid detections. It also links out to other posts Synacktiv has written on the topic, which would serve as a great primer for anyone unfamiliar with exploiting this vuln class.
  • CVE-2024-1212: Unauthenticated Command Injection In Progress Kemp LoadMaster - Sometimes, you don't need a complex fuzzing set-up, a 6-bug chain, or stealthy deserialization tricks to pop high impact vulns. Maybe you just need to search for some calls to "system". That's exactly what Rhino Security Labs proved in their most recent blog post, which details a command injection in Kemp LoadMaster. After reversing the web server binary, the team realized that the contents of the Basic Auth header were passed straight into a "system()" call without sanitization, allowing them to exploit it for pre-auth RCE.
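To make the LoadMaster bug class concrete, here is an added illustration of the "Basic Auth header straight into system()" pattern beside a hardened version. This is not Kemp's code and not Rhino's exploit; the helper path `/bin/validuser`, the function names and the two header values (base64 of the constructed strings `admin;id:pw` and `admin:pw`) are all made up for the example. The vulnerable function only builds the command string so the injected metacharacter can be seen; it never executes it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Minimal base64 decoder (enough for an Authorization: Basic value).
 * Writes a NUL-terminated string to out; returns bytes written or -1. */
static int b64_decode(const char *in, char *out, size_t outlen) {
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    size_t n = 0;
    unsigned val = 0;
    int bits = 0;
    for (; *in && *in != '='; in++) {
        const char *p = strchr(tbl, *in);
        if (!p) return -1;                      /* not a base64 alphabet char */
        val = ((val << 6) | (unsigned)(p - tbl)) & 0xffffffu;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n + 1 >= outlen) return -1;     /* would overflow out */
            out[n++] = (char)((val >> bits) & 0xffu);
        }
    }
    out[n] = '\0';
    return (int)n;
}

/* VULNERABLE pattern: the decoded "user:pass" is formatted into a shell
 * command line that the caller would hand to system(). Here we only build
 * the string so the injection is visible. "/bin/validuser" is a hypothetical
 * helper, not a real LoadMaster binary. */
int build_cmd_vulnerable(const char *b64, char *cmd, size_t cmdlen) {
    char creds[256];
    if (b64_decode(b64, creds, sizeof creds) < 0) return -1;
    char *colon = strchr(creds, ':');
    if (!colon) return -1;
    *colon = '\0';
    /* Whatever the attacker put before the ':' lands inside the shell line. */
    return snprintf(cmd, cmdlen, "/bin/validuser %s %s", creds, colon + 1);
}

/* HARDENED: strict allowlist on the username, no control characters in the
 * password, and the helper is invoked execv-style through an argv array, so
 * no shell ever parses attacker input. */
static int safe_username(const char *s) {
    size_t len = strlen(s);
    if (len == 0 || len > 64) return 0;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (!isalnum(c) && c != '_' && c != '.' && c != '-' && c != '@') return 0;
    }
    return 1;
}

static int printable_only(const char *s) {
    if (!*s || strlen(s) > 128) return 0;
    for (; *s; s++)
        if (!isprint((unsigned char)*s)) return 0;
    return 1;
}

/* On success fills argv_out (NULL-terminated, pointing into store) and
 * returns 0; the caller would fork() and execv(argv_out[0], argv_out).
 * A secret on argv is visible in ps; a production fix would feed it over a
 * pipe instead, but that is separate from the injection point. */
int build_argv_hardened(const char *b64, char *argv_out[4],
                        char *store, size_t storelen) {
    if (b64_decode(b64, store, storelen) < 0) return -1;
    char *colon = strchr(store, ':');
    if (!colon) return -1;
    *colon = '\0';
    if (!safe_username(store) || !printable_only(colon + 1)) return -1;
    argv_out[0] = "/bin/validuser";
    argv_out[1] = store;
    argv_out[2] = colon + 1;
    argv_out[3] = NULL;
    return 0;
}

int main(void) {
    /* Constructed header values: base64("admin;id:pw") and base64("admin:pw"). */
    const char *evil = "YWRtaW47aWQ6cHc=", *benign = "YWRtaW46cHc=";
    char cmd[256], store[256], *argv[4];
    if (build_cmd_vulnerable(evil, cmd, sizeof cmd) > 0)
        printf("vulnerable path would run: %s\n", cmd);
    printf("hardened path rejects evil: %s\n",
           build_argv_hardened(evil, argv, store, sizeof store) == -1 ? "yes" : "no");
    printf("hardened path accepts benign: %s\n",
           build_argv_hardened(benign, argv, store, sizeof store) == 0 ? "yes" : "no");
    return 0;
}
```

The point of the hardened variant is not the allowlist on its own but that the credentials never reach a shell: even a username that slips past the character check is just one argv entry to the helper process. When grepping a binary for `system()` or `popen()`, the question to ask at each call site is exactly the one the vulnerable function answers badly: can any byte of the formatted string be chosen by an unauthenticated client?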

Interesting Job Postings:

Wrapping Up...

As always, thanks for stopping by. We here at the club are always trying to improve so if you have comments, questions, or suggestions, feel free to shoot us a DM on X (or just drop us a follow if you are feeling generous).

Feel free to join the exploits.club Discord server here 👉 https://discord.gg/2dxN2Gtgpx

Want to support us? You can now sponsor a coffee for the club.


Same time next week? See you then 🏴‍☠️