exploits.club Weekly Newsletter 15
Happy Thursday to all those who celebrate. Remember to check whether your ssh logins are a little slow today. This could be your chance to uncover the next big hacking campaign. Slow-ish week, but let's get into it.
In Case You Missed It...
- NDSS 2024 Talks Are Now On YouTube - We mentioned some interesting talks and papers back when the conference was taking place, but now you can officially watch them over on YouTube. Be sure to check out Professor Herbert Bos's keynote, "Corruption of Memory: Those who don't know history are doomed to repeat it."
- FuzzingLabs April Newsletter - Your second favorite newsletter. Fuzzing-related blog posts, presentations, and repos which came out over the last month.
- 0-days at Zer0Con - Zer0Con is happening this week! Lots of cool talks taking place and some 0-days being dropped on stage.
- Crowdfense Launches Public Bug Bounty - Got us day-dreaming about how we would be able to submit our second bug from our yacht.
Resources And Write-Ups From This Week:
- Reverse Engineering The XZ Backdoor - We won't bury the lede. With over half a million impressions, it seems like everyone and their mother has seen this tweet from @amlweems detailing the XZ backdoor. The repo includes a honeypot and a walkthrough for triggering the backdoor.
- Chaining N-days to Compromise All: Part 2 - Windows Kernel LPE (a.k.a. Chrome Sandbox Escape) - Theori released the second write-up for their 1-day fullchain. Following on from their Chrome Renderer RCE, the post walks through escaping the Chrome Sandbox by exploiting a Windows Kernel vulnerability. Specifically, the team was able to take advantage of a UAF in Advanced Local Procedure Call (ALPC). The post is exceptionally detailed, walking through ALPC internals, an RCA of the original CVE, and the exploit strategy.
- CVE-2024-28183 OTA Anti-Rollback Bypass via TOCTOU in ESP-IDF - A quick-hitter from elttam. The team found a way to bypass the anti-rollback mechanism by leveraging a TOCTOU vulnerability: the second-stage bootloader performs its final anti-rollback check, then refetches the application image from flash, so the image that is checked is not necessarily the image that is booted. The rest of the post dives into setting up a test environment and crafting a PoC.
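The check-then-refetch pattern the post describes, as an added example (not elttam's PoC and not ESP-IDF code): a constructed flash model in which the visible image changes between the anti-rollback check and the final fetch, beside the hardened variant that verifies the same copy it boots. All type and function names are assumed.

```c
// Added example: simulated second-stage bootloader, not ESP-IDF or elttam code.
// Shows why "check version, then refetch image" is a TOCTOU, and the fix of
// verifying the exact copy that gets booted.
#include <stdint.h>
#include <string.h>
#include <stdbool.h>

#define IMG_SIZE 16

typedef struct { uint32_t secure_version; uint8_t payload[IMG_SIZE]; } image_t;

/* Constructed flash model: two images plus a flag that makes the older image
 * visible after the first read, standing in for a write that lands between
 * the bootloader's check and its final fetch. */
typedef struct { image_t newer, older; bool swap_after_read; int reads; } flash_t;

flash_t make_flash(uint32_t newer_ver, uint32_t older_ver, bool swap) {
    flash_t f; memset(&f, 0, sizeof f);
    f.newer.secure_version = newer_ver;
    f.older.secure_version = older_ver;
    f.swap_after_read = swap;
    return f;
}

static const image_t *flash_read(flash_t *f) {
    const image_t *img = (f->swap_after_read && f->reads > 0) ? &f->older : &f->newer;
    f->reads++;
    return img;
}

/* Anti-rollback rule: image version must not be below the eFuse minimum. */
static bool rollback_ok(uint32_t img_ver, uint32_t efuse_min) { return img_ver >= efuse_min; }

/* Vulnerable pattern: check one read, then refetch the image to boot.
 * Returns the version actually booted, or 0 if the check rejected it. */
uint32_t boot_check_then_refetch(flash_t *f, uint32_t efuse_min) {
    const image_t *hdr = flash_read(f);
    if (!rollback_ok(hdr->secure_version, efuse_min)) return 0;
    const image_t *to_boot = flash_read(f);   /* second fetch: may differ */
    return to_boot->secure_version;
}

/* Hardened pattern: copy once into RAM, verify that copy, boot that copy,
 * so what was checked is exactly what runs. */
uint32_t boot_verify_copy(flash_t *f, uint32_t efuse_min) {
    image_t local;
    memcpy(&local, flash_read(f), sizeof local);
    if (!rollback_ok(local.secure_version, efuse_min)) return 0;
    return local.secure_version;
}
```

With the eFuse minimum at 4, the vulnerable path boots version 3 when the image swaps between reads, while the hardened path boots the version 5 image it checked and rejects a version 3 image outright.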
- Android Security Bulletin: April - Another month, another list of Android bugs. Mainly application-level priv-esc vulns this month, though Qualcomm did patch a critical corruption in the data modem, as well as a handful of other vulns.
- Security research without ever leaving GitHub: From code scanning to CVE via Codespaces and private vulnerability reporting - GitHub Security Lab released a methodology post this week, essentially walking through the workflow of performing vulnerability research entirely within the GitHub ecosystem (huh..convenient). The blog walks through forking a repository, setting up CodeQL to run via GitHub Actions, and using Codespaces for debugging and exploitation. While probably a bit more reasonable for small web projects, this could come in helpful for a cursory look before fully diving into your next VR project.
Interesting Job Postings:
- Exploit Developer - All Levels @ Interclypse (On-Site: Reston, VA)
- Senior Vulnerability Researcher @ Interrupt Labs (On-Site: Washington, DC)
- Security Researcher @ Semgrep (On-Site: San Francisco, CA)
- Vulnerability Researcher @ Research Innovations Incorporated (On-Site: St Pete Beach, FL)
- Reverse Engineer / Vulnerability Researcher @ Lockheed Martin (On-Site: Hanover, MD)
- Vulnerability Researcher @ COLSA (On-Site: Quantico, VA)
Wrapping Up...
As always, thanks for stopping by. We here at the club are always trying to improve, so if you have comments, questions, or suggestions, feel free to shoot us a DM on X (or just drop us a follow if you are feeling generous).
I know, I know - we said we would have our dedicated job board up this week. But we got busy, sue us. Hopefully it will be up this time next week.
Feel free to join the exploits.club Discord server here: https://discord.gg/2dxN2Gtgpx
Want to support us? You can now sponsor a coffee for the club.
Same time next week? See you then.