4 min read

exploits.club Weekly Newsletter 23

exploits.club Weekly Newsletter 23

Happy Thursday to all you good-looking makers and breakers. Its been a busy week of interesting research, so lets not waste any time 👇

In Case You Missed It...

  • Surprising Facts About Fuzzing - @mboehme_ released a thread on X collecting some interesting facts about fuzzing and the associated paper in which the facts were originally presented. The thread also comes complete with some easily digestible slides to illustrate the claims visually.
  • V8 Sandbox Thread - @xvonfers, the account where we find all the bugs for the newsletter each week, posted a collection of resources and thoughts from his recent research into fuzzing the V8 sandbox
  • V8 Sandbox: Embedder Pointer Sandboxing - A new V8 sandbox design document discussing "options for fine-grained type checking for pointers coming from the Embedder."
  • Tell You Phone To Link Me At The Coffee Shop - Interested in getting into Android userland/application security research? You're gonna need to know about deeplinks, and thankfully @FuzzySec has come through with the perfect primer to get you up to speed.

Resources And Write-Ups From This Week:

  • Inside The iOS Bug That Made Deleted Photos Reappear - If you were seeing pictures of your long forgotten ex back in your photo library last week, you weren't alone. Apparently, iOS 17.5 introduced this bug for users, and it was patched out a week later in 17.5.1. Synacktiv decided to investigate by comparing the two updates and doing a bit of bindiffing on the photo-related libraries. The blog starts with obtaining the two updates and then jumps into identifying the interesting files, diffing them, and understanding the patch.
  • Race condition in 9p File System - A quick and dirty blog post from @R00tkitSMM covering a race condition leading to a UAF in the Linux kernel. The blog comes complete with a quick explanation, a rundown of the vulnerable code and the patch, as well as a PoC.
  • Etiquette for dropping PoCs in 2024? A Linux LPE - What's the right way to drop a PoC? Well thankfully for us, the people on X decided that it was "full exploits with offsets", so that's exactly what @roddux did with his Linux LPE, germy. The GitHub repo includes a write-up as well, complete with an overview of the root cause, exploit strategy, and mitigation bypasses. The bug stems from 3 seemingly inconsequential issues that, when taken in total, lead to an overflow.
  • Understanding AddressSanitizer: Better memory safety for your code - Trail Of Bits recently released a post covering ASan. While the write-up's main goal appears to be a primer for getting set-up with the tool, it goes well above and beyond that, covering the internals in-depth. Whether you spend hours reading ASan outputs, or you're lucky, we bet there is something new here for you to learn.
  • Exploiting V8 at openECSC - "CTFs don't help in the real world". Yeah, well tell that to this challenge, which requires going from a V8 bug to shell. The challenge from openECSC introduces some new functionality in the V8 engine via a buggy patch. After identifying the vulnerability, exploitation follows the common pattern of "read arbitrary addresses (addrof), create fake objects (fakeobj), and eventually reach arbitrary code execution." If you are interested in getting started with V8 exploitation, this challenge and the subsequent write-up from @rebane2001 are a great place to get your feet wet.
  • Introducing LLM-based harness synthesis for unfuzzed projects - Ahhhh fuzzing and LLMs, a tale as old as 1-2 years ago. This week OSS-Fuzz released a blog on some interesting work they are doing around automated harness creation via LLMs. The goal is to end up with an OSS-Fuzz project, taking only a GitHub URL as input. Magic? No, that's the power of AI, baby. The post wraps up with the results of the testing thus far, which includes 3 vulnerabilities found across 15 projects.
  • Hunting Bugs in Nginx JavaScript Engine (njs) - @0x_shaq released a write-up this week on his research into the Nginx Javascript Interpreter. After some initial fuzzing, he was able to identify two bugs: a type confusion and an OOB read. He then was able to codify the type confusion pattern into a CodeQL query, which found two additional variants.
  • CVE-2024-22058 Ivanti Landesk LPE - What's a good newsletter without doing a small bit of bashing on Ivanti? In this post, Mantodea Security walks through the discovery and exploitation of an overflow in Ivanti LanDesk. The post starts with a walk through of the vulnerability and the code path in which it can be triggered. It then covers exploitation of the bug, in which it uses a ROP chain to mark memory as executable and overwrites a function pointer to jump to it reliably.

Interesting Job Postings:

Wrapping Up...

As always, thanks for stopping by. We here at the club are always trying to improve so if you have comments, questions, or suggestions, feel free to shoot us a DM on X (or just drop us a follow if you are feeling generous).

Feel free to join the exploits.club Discord server here 👉 https://discord.gg/2dxN2Gtgpx

Want to support us? You can now sponsor a coffee for the club.

Buy Me a Coffee at ko-fi.com

Same time next week? See you then 🏴‍☠️