exploits.club Weekly Newsletter 19
Happy Week 19 of newsletters - these things always feel better to write after finding a bug. At least that's what I assume, will confirm after it actually happens. Annnnyways 👇
In Case You Missed It...
- The FloW Drops PPW - Last week, famous PlayStation hacker @theFlow0 posted that he had popped the PS4 with a CVE from 2006. Originally he was planning on dropping all the spicy details at TyphoonCon24, but he decided to drop the PoC early, much to the delight of the 12 year olds blasting his replies.
- OffensiveCon Agenda - The conference dropped the agenda for this week, so you can finally decide how early you have to drag your hungover self out of bed. If you are headed out to the conference, feel free to hop in our Discord (link below) to meet-up with some of the other members of the exploits.club community.
- QCSuper - "QCSuper is a tool communicating with Qualcomm-based phones and modems, allowing to capture raw 2G/3G/4G (and for certain models 5G) radio frames, among other things."
Resources And Write-Ups From This Week:
- Exploit Development: Windows Kernel Exploitation: Debugging Environment and Stack Overflow - @33y0re posted a fantastic primer on getting started with Windows Kernel Exploitation. The post walks through setting up a debugging environment and exploiting a straightforward stack overflow using HackSysExtremeVulnerableDriver as an example. A great read for anyone looking to get into Windows Kernel Research but not sure where to start.
- Exploiting the NT Kernel in 24H2: New Bugs in Old Code & Side Channels Against KASLR - Sticking with the Windows theme, @gabe_k came through with a post about multiple kernel vulns and an LPE in a version of Windows that's not even out yet. He was able to take advantage of the public preview to identify multiple double-fetches due to the broad changes intended to treat user-mode memory as volatile. The post then moves on to talk about the new KASLR changes, and how he was able to bypass them using a timing side channel.
- iOS: A Journey In The USB Networking Stack - In true Linux-enthusiast fashion, this entire post from Synacktiv seems to stem from the fact that someone was willing to reverse engineer an entire proprietary protocol just to avoid having to use a MacBook. Anyways, the post dives into the history of tethering and reverse tethering on iOS devices. It then jumps into an explanation of how the process works under the hood and discusses some of the major changes in iOS 16 and 17.
- Emulating RH850 architecture with Unicorn Engine - Quarkslab released a post this week discussing how they were able to emulate the RH850 architecture with Unicorn. The post starts by explaining what Unicorn is and some details about its implementation, before diving into how they wrote code to generate the Intermediate Representation (IR) for RH850 instructions. It then jumps to adding a new CPU, initializing its callbacks, and leveraging the Unicorn bindings. Finally, it wraps up with building a harness and leveraging hooks to retrieve code coverage.
- CodeQL zero to hero part 3: Security research with CodeQL - GitHub Security Lab released a write-up this week as part of their CodeQL series detailing how the tool can effectively be used for security research. The post walks through crafting queries which might be useful for certain research projects, such as looking for specific library functions or analyzing data flow. There are also hands-on challenges for each section to help solidify the concepts.
- One Year of Mobile VRP: Reward Increases and Lessons Learned - The Google VRP team put out a short post recapping the first year of the Mobile program's existence. The post highlights the most common vulnerabilities seen and the vulnerabilities which consistently had the highest payouts. In addition, the post announces that rewards are being upgraded, in some cases by 10x (RCE for a Tier one app is now $300k). In addition, reports can garner additional rewards based on their quality.
- Some fun bugs:
- CVE-2024-26925: nf_tables: release mutex after nft_gc_seq_end from abort path from @h3xr4bbit
- CVE-2024-25938: Foxit Reader Barcode widget Calculate event use-after-free vulnerability from @TalosSecurity
- Linux: UAF in the tipc_buf_append() from @sam4k
- CVE-2023-26322: Xiaomi Pro 13 isUrlMatchLevel Permissive List of Allowed Inputs Remote Code Execution Vulnerability from Team Orca Of Sea Security
- CVE-2024-3914: V8 UAF by @0x10n
Interesting Job Postings:
- Vulnerability Researcher (Cyber196) @ Research Innovations Incorporated (On-Site: St Pete Beach, FL)
- Vulnerability Researcher And Developer @ FBI (On-Site: Chantilly, VA)
- Vulnerability Researcher @ STR (On-Site: Woburn, MA | Melbourne, FL | Arlington, VA)
- Senior Fuzzing & Cyber Tools Software Developer @ Draper (On-Site: Cambridge, MA)
- Reverse Engineer @ Lockheed Martin (On-Site: Hanover, MD)
- CNO Developer @ Mantech (On-Site: Aurora, CO)
Wrapping Up...
As always, thanks for stopping by. We here at the club are always trying to improve, so if you have comments, questions, or suggestions, feel free to shoot us a DM on X (or just drop us a follow if you are feeling generous).
We are thinking about putting together a run of hoodies and stickers... because you're not a real hacking collective until you have matching hoodies and stickers. Interested? Let us know.
Feel free to join the exploits.club Discord server here 👉 https://discord.gg/2dxN2Gtgpx
Want to support us? You can now sponsor a coffee for the club.
Same time next week? See you then 🏴☠️