"It's not about how many vulns you find, it's about how much fun you had along the way" - Albert Einstein

Let's get to it 👇

In Case You Missed It...

• Talos releases new macOS open-source fuzzer - Talos released a new fuzzer and an associated blog post. The blog recaps the previous research and tooling that led to this project, and then goes into a case study that demonstrates how snap_wtf_macos can be used on a real target.
• @pr0me thread on using Rust to improve embedded device security

Resources And Write-Ups From This Week:

• Chaining N-days to Compromise All: Part 6 — Windows Kernel LPE: Get SYSTEM - Long time exploit club readers will know we have been keeping close tabs on this series from Theori. The team has been writing up each step of their 1-Day full-chain, and we have finally reached the finale. In their most recent blog post, the team describes exploiting CVE-2023-36802 (the same bug @chompie1337 wrote-up as well). The entry follows the same format as the others in the series, first describing necessary background for the readers, before going into the vuln, patch, and exploit.
• The V8 Heap Sandbox - We are still eagerly awaiting YouTube uploads from OffensiveCON, but in the meantime @5aelo released his V8 Sandbox slides. The talk starts with a brief overview of the sandbox, before going into its design and implementation.
• CVE-2024-4761: v8 missing check of WasmObject type cast causes type confusion and OOB access - @buptsb and @mistymntncop have been busy this week. They first released a blog post and PoC for CVE-2024-4947, an ITW Chrome 0-day found by Kaspersky (which you should know about if you read last week's exploits.club). Following up, they did the same for the second ITW Chrome 0-day in last week's security update. Both posts are worth a read, but in the end they use the same exploit technique. Zero Day Engineering also released a RCA of the bugs should you be interested in further reading.
• CVE-2024-4367: Arbitrary JavaScript execution in PDF.js - Okay, that's lots of Chrome bugs...tired of reading JS yet? Well too bad, because Codean Labs is coming with an interesting vulnerability in PDF.js, the pdf viewer maintained by Mozilla and used in Firefox. The core vulnerability stems from a missing type check in the Glyph rendering code. For applications that embed PDF.js, the result is an XSS on the domain the PDF is viewed. For non-sandboxed electron apps....yikes.
• CVE-2023-34992: Fortinet FortiSIEM Command Injection Deep-Dive - When offensive security companies start a blog post with "given some early success in auditing Fortinet appliances", it might be time to rethink your application security strategy. And this post from @Horizon3Attack only furthers that point. In it, the team discusses the discovery and exploitation of CVE-2023-34992, a command injection on FortiSIEM. The write-up discusses enumerating the attack surface, identifying a remotely accessible sub-system, building a basic client to communicate it, and eventually discovering and exploiting a command injection. The post rounds-out with some IOCs for you blue-hat wearers.
• QNAP QTS: QNAPping At The Wheel (CVE-2024-27130 and friends) - What do you get when you take a NAS device and bolt on a custom web server which forwards commands to various CGI scripts written in C? A remotely exploitable stack overflow like it's 1999. That's exactly what watchTowr Labs demonstrated on the QNAP QTS in their most recent blog post. And in traditional watchtowr fashion, the post is just generally fun to read, so give it a read.
• SSD ADVISORY: D-LINK DIR-X4860 Security Vulnerabilities - Sticking with the IoT bug theme, this SSD advisory demonstrates how to chain an auth bypass with a command execution to pop a D-Link device. The auth bypass results from an undocumented parameter which can be used to generate a PrivateKey based on the known username parameter. The command injection results from an attacker controlling the IP address when setting up the Virtual Server settings on the device, which is thrown straight into a FCGI_popen function.

Interesting Job Postings:

• Offensive Security Researcher @ NVIDIA (On-Site: Santa Clara, CA)
• Exploit Developer @ STR (On-Site: Woburn, MA)
• Malware Reverse Engineer @ CodeHunter (Remote)
• Malware Reverse Engineer @ Meta (On-Site: Bellevue, WA)
• Reverse Engineer @ QinetiQ US (On-Site: Reston, VA)
• Information Security Engineer (iOS, YouTube) @ Google (On-Site: San Bruno, CA)
• Senior / Principal Vulnerability Researcher @ Roblox (Hybrid: San Mateo, CA)

Wrapping Up...

As always, thanks for stopping by. We here at the club are always trying to improve so if you have comments, questions, or suggestions, feel free to shoot us a DM on X (or just drop us a follow if you are feeling generous).

Feel free to join the exploits.club Discord server here 👉 https://discord.gg/2dxN2Gtgpx

Want to support us? You can now sponsor a coffee for the club.

Same time next week? See you then 🏴‍☠️