Good morning, afternoon, and evening hackers. We hope everyone enjoyed our special edition newsletter last week! Again, big thanks to @_manfp for stopping by. Unfortunately, your friendly neighborhood writer and editor is back this week, meaning it's time to resume poorly summarized bug write-ups!

In Case You Missed It...

• OffensiveCON Happened - Do you feel that? It's called FOMO - and if you were sat up at home scrolling Twitter while all your friends hacked and partied in Berlin, then you know the vibes. Anyways, the con is good about publishing talks pretty quickly, but slides are already popping up online, such as Escaping The Safari Sandbox, Booting With Caution, and the Keynote.
• Off By One Security Upcoming Streams - Two streams happening tomorrow featuring industry legends @yarden_shafir and @haxorthematrix.

Resources And Write-Ups From This Week:

• CVE-2024-1283: Cross-{Cache, Bucket} Browser Exploit - ALLLLLL the way back in newsletter 07 , we included a bug from @r3tr074 and have quietly been waiting to hear more about it after he hinted at a novel exploitation technique. Well, the wait is over and suffice to say that it was worth it. The Chromium issue became unrestricted this week, and it includes initial discussions around the bug, some back and forth with the graphics team, and finally a succinct write-up which includes information on the "Cross-cache / Cross-bucket overflow" exploit strategy.
• QakBot attacks with Windows zero-day (CVE-2024-30051) - Kaspersky researchers accidentally stumbled across an 0-day (we hate it when that happens!) being used together with QakBot. While the team has not provided too many technical details at this time as they wait for users to patch their system, it was noted that the exploit is very similar to CVE-2023-36033, which has a nice RCA already as part of P0's ITW efforts.
• CVE-2024-21115: An Oracle VirtualBox LPE Used To Win Pwn2Own - ZDI hosted a blog post from Cody Gallagher, in which he discussed the OOB write bug he used to pop VirtualBox in P20. The core bug stems from an incorrect calculation of a start address, which results in the ability to write outside of a fixed size buffer. The exploit leverages this bug to disable the critical sections and trigger a race condition. The post does a fantastic job detailing all the specifics, including code, and digging into the VB internals - give it a read!
• Ghidra nanoMIPS ISA module - A quick hitter from NCC Group, intended to help get you spun up reversing nanoMIPS in Ghidra using their released plugin. The post walks through the steps the team followed on one of their projects, and uses the Moto Edge firmware as an example. The team notes that while the project is in a working state, there is still more to be done and it is in active development.
• Breaking SIP with Apple-Signed Packages - L3Harris dropped a post this week discussing their research into bypassing Apple's System Integrity Protection (SIP). The core idea of the vulnerability class revolves around finding command injection vulnerabilities present in installation scripts of Apple-signed packages with valid certificates. If these packages have the com.apple.rootless.install.heritables entitlement, this allows them (and subsequently...attackers), to write to SIP protected locations. The post goes into some of the downsides of this bug class, before discussing the fixes implemented by Apple.
• CVE-2024-4947: Type Confusion in V8 - @oct0xor and @vaber_b of Kaspersky identified a Chrome ITW 0-day. One of those Twitter handles look familiar? That's because we just talked about @oct0xor like 2 bullets above when he was foiling Microsoft 0-days. Man is a machine. Anyways, in typical @xvonfers fashion, he linked what appear to be the bug fixes in a pseudo-RCA while we wait for the Kaspersky team.

Interesting Job Postings:

• Vulnerability Researcher @ BlackSignal Technologies (On-Site: Melbourne, FL)
• Vulnerability Researcher @ Trend Micro (Remote)
• Vulnerability Researcher @ Dell (On-Site: Austin, TX)
• RF Systems Reverse Engineer @ Johns Hopkins Applied Physics Lab (On-Site: Laurel, MD)
• Lead Security Research Engineer @ L3Harris (Remote)

Wrapping Up...

As always, thanks for stopping by. We here at the club are always trying to improve so if you have comments, questions, or suggestions, feel free to shoot us a DM on X (or just drop us a follow if you are feeling generous).

We are thinking about putting together a run of hoodies and stickers... because you're not a real hacking collective until you have matching hoodies and stickers. Interested? Let us know.

Feel free to join the exploits.club Discord server here 👉 https://discord.gg/2dxN2Gtgpx

Want to support us? You can now sponsor a coffee for the club.

Same time next week? See you then 🏴‍☠️