
exploits.club Weekly Newsletter 17


Good morning, afternoon, and evening you beautiful low-level freaks. I hope everyone is having a week full of successful bug hunting. Lots to cover this week, so let's get right into it 👇

In Case You Missed It...

  • Celebrating The Life Of Sophia d'Antoine - The vuln research community and the security community at large suffered a major loss with the passing of Sophia d'Antoine on April 4th. An outpouring of stories and love has been shared on X over the last few weeks, and we wanted to take this opportunity to acknowledge her impact on shaping the VR landscape and celebrate her life.
  • Pre-selected REcon Talks - While the CFP ends on April 26th, the conference shared a handful of talks which have already been selected for presentation.
  • The V8 Issue Tracker Is Moving - The new issue tracker will now be housed with the Chromium issue tracker, which was moved earlier this year.

Resources And Write-Ups From This Week:

  • Vulnerabilities found in VMWare by me - @la300588 shared a post this week on 2 vulnerabilities he found in VMware's virtual printing component. The first (CVE-2022-22938) is a DoS bug stemming from an invalid size check. The second (CVE-2021-21987) is an OOB read which results from a value in the attacker-controlled header being used as an offset.
  • Palo Alto - Putting The Protecc In GlobalProtect (CVE-2024-3400) - More enterprise VPN issues, and honestly who can be surprised at this point. As called out in this Watchtowr post, Volexity identified the vulnerability and did a great initial write-up. Watchtowr then followed that post with a deep dive into a root cause analysis and exploit of the vulnerability based on the CVE description. Plus, it's full of memes and we love memes. TL;DR it's a very sophisticated...command injection.
  • Exploiting American Conquest - As long-time Synacktiv fans here at exploits.club, we were excited to see their new blog this week, which dives back into everyone's favorite topic - finding bugs in old video games. This time, the team went after the 2003 game American Conquest, and identified and exploited a straightforward stack overflow in one of the "chat" components associated with the game's multiplayer.
  • Chaining N-days to Compromise All: Part 4 — VMware Workstation Information leakage - It wouldn't be a newsletter these days if we didn't have a Theori post, and they are back with the 4th part of their N-day full chain. The posts up to this point have detailed compromising the browser and escalating privileges inside the guest. Now the team discusses the first step in escaping from the virtual machine to the host. If you have read the other 3 posts up to this point, you will be familiar with the format of this one, but the explanation walks you through the necessary background knowledge on virtual Bluetooth devices and USB Request Blocks. It then jumps into the vulnerability (and a botched patch resulting in a variant), followed by some notes on exploitation.
  • CVE-2023-6345: Integer overflow in Skia MeshOp::onCombineIfPossible - A new RCA on Google's 0-Days In The Wild was posted this week covering an int overflow in Skia. When combining two MeshOps, there is a missing check to ensure that int fVertexCount won't overflow. Later this value is used in conjunction with others to compute an allocation size, so a wrapped count yields an undersized buffer.
  • CVE-2024-20697: Windows Libarchive Remote Code Execution Vulnerability - ZDI posted this week about a recently patched Windows vulnerability originally discovered by MORSE. The write-up serves as a good primer on the RAR file format, as the majority of the post describes how the files are composed and decompressed. The vulnerability stems from an integer overflow under certain parsing conditions, resulting in an OOB access. There's also a detection guide included at the end for you blue team folks.
  • How an old bug in Lighttpd gained new life in AMI BMC, including Lenovo and Intel products - This blog from Binarly discusses the state of the software supply chain and some of its shortcomings. In particular, the post covers a Lighttpd bug fix from 2018 that was landed silently, with no CVE assigned. Because nothing flagged the fix, the patched version was never picked up by the AMI MegaRAC BMC firmware, and since MegaRAC is used by Intel and Lenovo, multiple vendors were affected. The bug in question is an OOB read, which the blog goes into the technical details of towards the end.
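Two of the write-ups above (the Skia MeshOp combine and the Libarchive RAR parser) are the same bug class: an integer count that overflows and is then used to size a buffer. The following C program is an added illustration of that pattern and of the check that prevents it; it is constructed for this newsletter and is not Skia's, Libarchive's, or any vendor's code. The `mesh_op_t` struct, its field names and the `combine_*` / `vertex_bytes_*` functions are hypothetical, and the wrap-around is emulated through `uint32_t` so the example itself has no undefined behaviour. `__builtin_add_overflow` / `__builtin_mul_overflow` are GCC and Clang builtins.

```c
#include <assert.h>
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for a batched mesh draw op. This is NOT Skia's MeshOp;
 * the field names only mirror the bug description in the newsletter item. */
typedef struct {
    int fVertexCount;   /* vertices this op draws */
    int fVertexStride;  /* bytes per vertex */
} mesh_op_t;

/* Bug pattern: merge two ops by summing their counts with no range check.
 * The wrap is emulated in uint32_t; converting back to int gives the wrapped
 * (possibly negative) value on GCC/Clang. */
static void combine_unchecked(mesh_op_t *dst, const mesh_op_t *src) {
    uint32_t sum = (uint32_t)dst->fVertexCount + (uint32_t)src->fVertexCount;
    dst->fVertexCount = (int)sum;
}

/* Bug pattern: allocation size computed as count * stride in 32 bits. A large
 * count makes this wrap to a small number, so the buffer allocated later is
 * shorter than the vertex data written into it. */
static uint32_t vertex_bytes_unchecked(const mesh_op_t *op) {
    return (uint32_t)op->fVertexCount * (uint32_t)op->fVertexStride;
}

/* Hardened combine: refuse to merge when the sum does not fit in an int, so
 * the two ops are simply drawn separately. On compilers without the builtin,
 * the equivalent manual check is `INT_MAX - a < b`. */
static bool combine_checked(mesh_op_t *dst, const mesh_op_t *src) {
    int total;
    if (dst->fVertexCount < 0 || src->fVertexCount < 0) return false;
    if (__builtin_add_overflow(dst->fVertexCount, src->fVertexCount, &total))
        return false;
    dst->fVertexCount = total;
    return true;
}

/* Hardened size computation: widen to size_t and check the multiply. */
static bool vertex_bytes_checked(const mesh_op_t *op, size_t *out) {
    if (op->fVertexCount < 0 || op->fVertexStride <= 0) return false;
    return !__builtin_mul_overflow((size_t)op->fVertexCount,
                                   (size_t)op->fVertexStride, out);
}

/* Small wrappers so the scenarios below can be called with plain integers. */
static int unchecked_total(int a, int b) {
    mesh_op_t d = { a, 16 }, s = { b, 16 };
    combine_unchecked(&d, &s);
    return d.fVertexCount;
}
static bool checked_combine_ok(int a, int b) {
    mesh_op_t d = { a, 16 }, s = { b, 16 };
    return combine_checked(&d, &s);
}
static uint32_t unchecked_bytes(int count, int stride) {
    mesh_op_t op = { count, stride };
    return vertex_bytes_unchecked(&op);
}
/* Returns the byte count, or -1 when the hardened check rejects the op. */
static long long checked_bytes(int count, int stride) {
    mesh_op_t op = { count, stride };
    size_t bytes;
    return vertex_bytes_checked(&op, &bytes) ? (long long)bytes : -1;
}

int main(void) {
    /* Scenario 1: two counts that individually fit, but whose sum does not. */
    printf("unchecked combine INT_MAX + 1 -> %d\n", unchecked_total(INT_MAX, 1));
    printf("checked combine INT_MAX + 1 -> %s\n",
           checked_combine_ok(INT_MAX, 1) ? "merged" : "refused");

    /* Scenario 2: 2^28 vertices of 16 bytes each is 2^32 bytes, which wraps
     * to 0 in 32-bit arithmetic: a zero-byte buffer for 4 GiB of writes. */
    printf("unchecked bytes 2^28 * 16 -> %u\n", unchecked_bytes(1 << 28, 16));
    printf("checked bytes 2^28 * 16 -> %lld\n", checked_bytes(1 << 28, 16));
    return 0;
}
```

The point of the hardened combine is that the safe answer to "would the merged count overflow?" is not to clamp, but to decline the merge and let the two ops proceed separately; the point of the hardened size computation is that the multiply happens in the allocator's own width (`size_t`) with an explicit overflow check, never in the 32-bit type the count was stored in.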

Interesting Job Postings:

Wrapping Up...

As always, thanks for stopping by. We here at the club are always trying to improve, so if you have comments, questions, or suggestions, feel free to shoot us a DM on X (or just drop us a follow if you are feeling generous...we are getting dangerously close to 500 followers, which is just 71,000 away from @chompie1337).

Feel free to join the exploits.club Discord server here 👉 https://discord.gg/2dxN2Gtgpx

Want to support us? You can now sponsor a coffee for the club.


Same time next week? See you then 🏴‍☠️