exploits.club Weekly Newsletter 16
Hey hey, happy Thursday. If you live in the US and you're reading this, that means you successfully fought off the urge to look at the eclipse without proper eyewear. Or you got away with it, you rebel.
In Case You Missed It...
- OffensiveCON Talk Selection - The Berlin conference taking place next month has announced its speaker line-up.
- More XZ Backdoor Research - We know, at this point you are probably tired of hearing about it. But this @bl4sty Twitter thread was too good not to include, as it digs into some different features of the backdoor.
Resources And Write-Ups From This Week:
- Chaining N-days to Compromise All: Windows Driver LPE: Medium to System - Theori is back again, this time with the third write-up of their 6-bug N-day full chain. Previously, the team detailed how they compromised the browser and escaped the sandbox. In this post, they continue the attack chain by escalating privileges through a logic bug in mskssrv.sys. The vulnerability stems from the ability to lock a Memory Descriptor List (MDL) at an arbitrary address, "including the kernel address space from a user application". The post goes into detail on MDLs, the vulnerability, reaching the code path from userspace, and exploitation.
- A Trick, The Story Of CVE-2024-26230 - Sticking to the Microsoft theme, @KeyZ3r0 released a post this week discussing a vuln he discovered, exploited and reported in Windows Telephony Server. The UAF is relatively straightforward: there is no check that the object being freed is owned by the calling context handle. The write-up then details the heap feng shui used to exploit the bug, including a nice XFG bypass.
- Exploit GSM - There's been no shortage of drama surrounding this write-up on Twitter, but we have chosen to ignore that for now. We have included what is believed to be the original write-up. Annnnnyways, the core issue here is a race condition leading to a UAF.
- The Boom, the Bust, the Adjust and the Unknown - Slides from @malltos92 Zer0con talk are online now. While not overly technical, the post details the history and potential future of the offensive cyber industry.
- ZDI April Security Updates Review - ZDI is back with their round-up of monthly updates from both Adobe and Microsoft. Adobe patched a handful of simple XSS bugs which they marked as "Important", as well as several info leaks resulting from an OOB read. Microsoft patched 147 CVEs, three of which are considered to be critical (all in Microsoft Defender for IoT).
- Some fun bugs - Not many articles and papers this week, so enjoy this collection of vulns from the past week. Maybe we will make this its own section in the future.
- UAF in PowerVR from @tehjh
- Buffer Overflow in Via H264 Processing from @natashenka
- RCE & SQLi (pre-auth) in the IP.Board e-commerce plugin 'nexus' from @SecuriTeam_SSD
- AMD Radeon DirectX 11 Driver Arbitrary Write from @TalosSecurity
- Unauthenticated Command Execution on TP-Link AC1350 from @TalosSecurity
- Heap Buffer Overflow In ANGLE from @qriousec @__suto
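The Telephony Server bug above boils down to one missing ownership check on a free path. The C below is an added, constructed illustration of that pattern (not code from the write-up or from Windows): a server keeps a global object table, hands out integer handles, and frees on request. The names (`obj_free_vuln`, `obj_free_fixed`, `ctx_t`, `client_id`) are hypothetical. The vulnerable free ignores which context is calling, so client B can free client A's object and A's next use is a use-after-free; the fixed version refuses the free unless the object belongs to the calling context.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration: a server-side object table shared by every client,
 * indexed by small integer handles, plus a per-client context handle.
 * Hypothetical names; this is not the real Telephony Server layout. */
#define MAX_OBJS 8

typedef struct {
    uint32_t owner;   /* client_id of the context that created the object */
    int      in_use;  /* 1 while allocated, 0 after free */
} obj_t;

typedef struct {
    uint32_t client_id;  /* identity bound to this context handle */
} ctx_t;

static obj_t g_objs[MAX_OBJS];

void obj_table_reset(void) { memset(g_objs, 0, sizeof g_objs); }

/* Allocate an object owned by ctx; return its handle, or -1 if the table is full. */
int obj_create(const ctx_t *ctx) {
    for (int i = 0; i < MAX_OBJS; i++) {
        if (!g_objs[i].in_use) {
            g_objs[i].owner = ctx->client_id;
            g_objs[i].in_use = 1;
            return i;
        }
    }
    return -1;
}

/* Vulnerable pattern: any caller can free any live handle. The ctx argument is
 * accepted but never consulted, so client B can free client A's object while A
 * still holds the handle. A's next access is then a use-after-free. */
int obj_free_vuln(const ctx_t *ctx, int h) {
    (void)ctx;
    if (h < 0 || h >= MAX_OBJS || !g_objs[h].in_use) return -1;
    g_objs[h].in_use = 0;
    return 0;
}

/* Hardened pattern: the object must belong to the calling context. */
int obj_free_fixed(const ctx_t *ctx, int h) {
    if (h < 0 || h >= MAX_OBJS || !g_objs[h].in_use) return -1;
    if (g_objs[h].owner != ctx->client_id) return -1;  /* the missing check */
    g_objs[h].in_use = 0;
    return 0;
}

/* Is handle h still a live object owned by ctx? This is what a later "use" relies on. */
int obj_is_live_for(const ctx_t *ctx, int h) {
    return h >= 0 && h < MAX_OBJS && g_objs[h].in_use &&
           g_objs[h].owner == ctx->client_id;
}

/* Scenario: client A creates an object, client B asks the given free routine to
 * free it using A's handle. Returns 1 if A's object survived, 0 if B freed it. */
int cross_client_free_survives(int (*free_fn)(const ctx_t *, int)) {
    ctx_t a = { .client_id = 1 };
    ctx_t b = { .client_id = 2 };
    obj_table_reset();
    int h = obj_create(&a);
    (void)free_fn(&b, h);            /* B presents A's handle */
    return obj_is_live_for(&a, h);   /* A's later use is safe only if still live */
}

int main(void) {
    printf("vulnerable free: A's object survives B's free? %d\n",
           cross_client_free_survives(obj_free_vuln));
    printf("fixed free:      A's object survives B's free? %d\n",
           cross_client_free_survives(obj_free_fixed));
    return 0;
}
```

The fix is the single `owner != client_id` comparison; everything else is identical. When auditing RPC-style servers, the question to ask of every free/close/delete routine is exactly this one: does the handle-to-object lookup bind the object to the caller's context, or only to the handle value?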
Interesting Job Postings:
- CPU Security Architect @ Qualcomm (On-Site: Austin, TX | San Diego, CA)
- Cyber Security Software Engineer @ GTRI CIPHER Lab (On-Site: Atlanta, GA)
- Staff Reverse Engineer @ Shift5 (On-Site: Arlington, VA)
- Reverse Engineer @ think-cell (On-Site: Berlin, Germany)
- Staff Security Engineer, Hardware Vulnerability Research, Google Pixel @ Google (On-Site: Mountain View, CA | Atlanta, GA | Chicago, IL | San Diego, CA)
Wrapping Up...
As always, thanks for stopping by. We here at the club are always trying to improve so if you have comments, questions, or suggestions, feel free to shoot us a DM on X (or just drop us a follow if you are feeling generous).
Feel free to join the exploits.club Discord server here 👉 https://discord.gg/2dxN2Gtgpx
Want to support us? You can now sponsor a coffee for the club.
Same time next week? See you then 🏴☠️