exploits.club Weekly Newsletter 20 - Special @_manfp Edition
Hello hacker friends, welcome to the 20th exploits.club entry.
Something A Little Different...
If you are reading this, it means your friendly neighborhood writer and editor is sitting on a beach somewhere...hopefully drinking something with a flower in it.
As such, the newsletter this week is taking a slightly different form. Inspired by the recent Kendrick vs Drake beef, we are excited to drop our tl;dr sec diss track.
In all seriousness, instead of the normal round up of weekly resources, we have an interview with browser hacker extraordinaire and Master Of Pwn, @_manfp. Manfred was able to successfully pop all 4 browsers this year at Pwn2Own, and we were super excited to have the opportunity to ask him a few questions.
@_manfp Interview:
How long have you been doing vuln research? How much of that time has been dedicated towards browser research?
My official first CVE was in 2019 - I found a Ghostscript bug during GoogleCTF. I totally thought that this was the intended solution (it wasn't), but I still suspect it might have been easier than solving the actual challenge!
Then, in 2020, I started looking at the Linux kernel a bit just for fun, because the eBPF JIT compiler interested me. To my surprise, I found a bug - my first Pwn2Own participation! After Pwn2Own 2021 (again Linux) I started focusing a bit more on browsers; the jump from eBPF JIT to JavaScript JIT isn't necessarily that huge. Since then, I've mostly been doing that (though I'm keeping my eyes open for other targets!).
I heard through the grapevine that you found and exploited all the P2O bugs in just three months? Is that true?
In a literal sense, it's true - I didn't have any bug when the year started. I did however put in some work a couple of weeks or months before that - sometimes, looking at code gains understanding that is then useful at a later point, even if I don't find any concrete bug. And also there's just (un)lucky streaks sometimes - it's all probabilistic.
Over those three months, what did your routine look like? Did you tend to focus on one target until you had a working exploit, or bounce around?
They were certainly intense months. It's not like I did absolutely nothing else, but I think I pushed myself pretty hard - having something for all browsers at one Pwn2Own was kind of a pipe dream I had in the back of my head, so with each bug the motivation to find something for the other ones only increased! I definitely bounced around between targets a lot - it helps with not getting frustrated during periods where I don't find anything.
What methodology did you use to find the bugs?
So far, I've found 100% of my bugs with manual code-review. Fuzzing is great, but it's also what so many people are doing - I think I tend to find the bugs that fuzzers have a hard time with, like for example if you need a really complicated and precise JavaScript expression to trigger something. One other benefit of reading a lot of code is that it helps with exploitation, or even just deciding if something is likely to be exploitable! That being said, getting into fuzzing or other more automated approaches is definitely something I'm considering for the future.
For code review, I tend to just follow my intuition about what parts of the code seem dangerous or interesting to me - if it engages my curiosity, I'm way more likely to find a bug. I mostly don't look a lot at specific previous bugs (except for getting a general understanding of different methods or dangerous areas) - going in somewhat blind means I don't subconsciously believe that everything has already been found, so I feel like that way I make fewer assumptions about the code being correct.
What advice do you have for others looking to get into vuln research?
I can of course only comment on my personal experience - learning skills is something very individual. That said, my three pieces of advice would be:
1. Play CTFs - that's where I learned nearly everything about finding and exploiting bugs. And it's also just a lot of fun!
2. If possible, find a team to play them with. Especially if you're able to meet up (or travel to finals), it can be such a huge motivation. I've been lucky to play with some experienced teammates, and they taught me a lot (and still do from time to time!)
3. Don't be afraid to look at real-world software. Read some writeups - if you're able to generally understand some bugs, then you're probably able to find them, given enough time. It gets a bit easier, but convincing myself that I have a chance of finding something is still one of the hardest parts of vulnerability research!
Who are some other researchers you look up to?
A hard question because there are so many (it doesn't help that I'm terrible with names!). Generally speaking, I have a huge respect for all the people who found all those clever techniques we build on today. Also, everyone who writes great writeups or gives talks about their (or other people's!) bugs and techniques - that's work I've relied on so often! And let's not forget the defensive side - finding bugs tends to get a lot of the glory, but in the end it's the people who fix stuff and build mitigations who ultimately keep people secure.
Favorite (public) bug of all time? Can be your own or someone else's.
Another hard one, I'm sure I'm forgetting some really cool ones. Off the top of my head, it might be the expm1 v8 typer one (https://abiondo.me/2019/01/02/exploiting-math-expm1-v8/) - when I first read about it, going from "a function can return -0" to RCE felt like pure magic.
Where do you see the field of vuln research headed in the future? Should we all jump ship before we are unemployed, or is memory corruption here to stay?
Not sure about memory corruption bugs specifically (though those will probably be around for a while too...), but I'm fairly certain vulnerability research is here to stay. For my own bugs, memory corruption tends to be more a symptom than the root cause, which is more often than not a plain old logic bug in the JIT compiler - using Rust won't help very much there! All those mitigations that are being added do often make things a bit more "interesting" however - but that also just means there's methods for circumventing them that need finding!
Should we expect to see you back on stage to defend your title for P2O 2025?
It's too early to say - while my immediate plans are to continue doing some independent research, there might also be a point where I'll be looking for something a bit more stable. But if I'm back, don't expect me to cling too much to that trophy - winning it required a lot of luck, hard work (and sadly, misfortune for another team), which I'm not certain I could repeat a second time. A few months ago I wouldn't have dreamt of even having a shot at master of pwn - so even if that were to remain the only time, I'd still be very happy with it!
Wrapping Up...
As always, thanks for stopping by. HUGE THANK YOU again to @_manfp for taking the time to answer a few questions. You should all go read his guest post on ZDI's blog, in which he covers the technical details of his Pwn2Own Chrome bug.
Regularly scheduled content will resume this time next week :) 🏴☠️
Want to support us? You can now sponsor a coffee for the club.