Happy almost-Easter, hackers! Remember, you work hard and you deserve to find those Easter eggs. The small children you shoved to the ground? They don't even know what an ioctl is. This is war. Annnnyways:

In Case You Missed It...

• Pwn2Own Wraps Up - Last week, Pwn2Own came to an end. In total, $1,132,500 was awarded for 29 0-days. Big congrats to @_manfp who took home the Master of Pwn title after popping all 4 browser targets. Also a shout-out to the FireFox team who had patches out in a record time. @maxspl0it put together a nice breakdown for one of the patched bugs on X.
• Off By One Security x86-64 Architecture Stream - @Steph3nSims put out a stream this week on his YouTube channel which serves as a great low-level primer. The stream covers a module from his SAN's course and details "low-level architectural considerations, memory management, and many other related information".

Resources And Write-Ups From This Week:

• Mind the Patch Gap: Exploiting an io_uring Vulnerability in Ubuntu - @XI_Research put out a new post this week detailing exploitation of CVE-2024-0582, a UAF in io_uring. The blog notes the bug was originally patched back in December of 2023, but wasn't brought to the Ubuntu kernel until late February. The post then dives into a brief overview of io_uring, a root-cause analysis of the vulnerability, and the data-only exploit written by the team.
• Flipping Pages: An analysis of a new Linux vulnerability in nf_tables and hardened exploitation techniques - Sticking with the Linux theme, @notselwyn released a post detailing a double free vuln in nf_tables (CVE-2024-1086). This post really shines when talking about exploitation techniques, detailing a number mitigation bypasses and introducing "Dirty Pagedirectory", an iteration on Dirty Pagetable.
• Operation Mango: Scalable Discovery of Taint-Style Vulnerabilities in Binary Firmware Services - This paper, which was just accepted to USINEX '24, walks through "MangoDFA, a novel binary data-flow analysis leveraging value analysis and data dependency analysis on binary code". The key idea is a scalable way to statically analyze Linux-based IoT firmware for common bugs. The results showed that the tool was able to both analyze binaries quicker and find more bugs compared to the other solutions currently available.
• A review of zero-day in-the-wild exploits in 2023 - As is becoming a Google custom, the Threat Analysis Group released their breakdown of the 97 ITW 0-days observed throughout 2023. Roughly 60% of the observed exploits targeted end-user platforms such as mobile devices, OSes and browsers. In addition, TAG noted an increase in enterprise software targeting, up roughly 2% from last year. The team also commented on the shift to targeting 3rd party components and the role commercial surveillance vendors played in the landscape. A full report can be found here.
• Address Sanitizer for Bare-metal Firmware - Another post out of Google, this one talks about how KASan can be applied to a wide range of bare-metal firmware targets. The write-up starts with a broad overview of Address Sanitizers, before giving a practical roadmap for enabling KASan on bare-metal firmware. The post ends with some general reflections on how this has enhanced the SDLC for the Android team at Google and then...yep you guessed it...mentions moving to Rust.
• Vulnerability Reward Program: 2023 Year in Review - It must have been promotion cycle time at Google and everyone needed to check that "publish a blog post" OKR off their goals list. Google also released this 2023 recap of the vulnerability review program. The post, while very high-level, does details trends, resources, payouts, and more - a good place to start if you are interested on hacking on something Google related in 2024.

Interesting Job Postings:

• Mobile Vulnerability Researcher @ Exodus Intelligence (Remote)
• Vulnerability Researcher @ Cromulence (Senior and Principal positions available as well) (On-Site: Melbourne, FL)
• Exploit Developer @ SIXGEN (On-Site: Annapolis Junction, MD)
• Security Researcher @ Dark Wolf Solutions (On-Site: Melbourne, FL | Herndon, VA)
• Senior Android Vulnerability Researcher @ Raytheon (On-Site: Aurora, CO)

Wrapping Up...

As always, thanks for stopping by. We here at the club are always trying to improve so if you have comments, questions, or suggestions, feel free to shoot us a DM on X (or just drop us a follow if you are feeling generous).

We have a few changes coming up, such as a dedicated job board which will feature all the jobs from the newsletter, and be updated once a week to reflect continued vacancies. Don't worry, the jobs will still be featured here as well. Hoping to have that up this time next week.

Feel free to join the exploits.club Discord server here 👉 https://discord.gg/2dxN2Gtgpx

Want to support us? You can now sponsor a coffee for the club.

Same time next week? See you then 🏴‍☠️