exploits.club Weekly Newsletter 24
Your friendly neighborhood writer and editor couldn't come up with a fun intro this week, so I did what most of you are doing to help with those emails you don't want to write - asked ChatGPT to do it:
"Why don't security researchers play hide and seek? Because good luck hiding when they have zero days to find you!"
Honestly, it's so hilariously bad that it had to be included. Annnnyways 👇
In Case You Missed It...
- OffensiveCon24 Videos Are Out! - Enjoy the magic of imposter syndrome right from the comfort of your own home. Lots of really cool research here, and we are thankful they always upload it for everyone to enjoy free of charge.
- PagedOut Issue #4 Is Out! - Take a break from watching OffensiveCon videos by heading over to check out the new PagedOut edition, complete with all the topics you've come to love and expect (RE, hacking, Crypto, Assembly, Art and more). The project headed up by @gynvael is an invaluable resource to the community, and if you have anything you have been researching, consider submitting it for the next edition!
Resources And Write-Ups From This Week:
- An Introduction to Chrome Exploitation: Maglev Edition - @matteomalvica released a post this week which may be one of the best introductions to the V8 pipeline currently available. The post starts with an introduction to Chromium and its security architecture, before diving into the V8 pipeline. The post then takes a look at CVE-2023-4069, with a full walkthrough, RCA, and exploit. It's quite an impressive piece of work, and we highly recommend checking it out.
- Attacking Android Binder: Analysis and Exploitation of CVE-2023-20938 - The Android Red Team gave a presentation at OffensiveCon24 discussing the fuzzing work they had done against Binder, and how they leveraged the findings into an LPE. This post serves in conjunction with that talk, providing a nice written explanation for the root cause of the vulnerability and the associated exploitation. The vulnerability itself stems from a tricky error handling condition which can be manipulated to trigger a UAF. The exploit builds on previous work done by Blue Frost Security, but changes the technique slightly in order to account for changes in the SLUB allocator in newer kernel versions.
- Android Security Bulletin: June 2024 - It's the first week of the month, which means Android Security Bulletin time. The most interesting postings this go-round actually seem to come from the Qualcomm Bulletin, in which 3 crits were reported. Of these three crits, one was a buffer overflow in the TrustZone OS, one was a cryptography error leading to an auth bypass, and the last was an overflow in the hypervisor. Of the AOSP vulns, @xvonfers did a quick tweetable RCA of CVE-2024-31311, which appears to just be a straightforward missing size check.
- CVE-2024-30043: Abusing URL Parsing Confusion To Exploit XXE On SharePoint Server And Cloud - Now we weren't originally planning to include this write-up, since as the post notes, "in the vulnerability research world, you typically find [XXEs], report them, and forget about them." However, the post also notes, "this is one of the craziest XXEs that I have ever seen", and so we would be doing you a disservice not to bring it to your attention. The core issue stems from a prohibition check being performed after the parameter entities have been processed, allowing for an Out-Of-Band XXE. The post then goes into exploitation and a nice demo.
- Linux Kernel Int Overflow Leading To Priv Esc - SSD Secure Disclosure Team released a write-up this week of a Linux privesc which was patched in July of 2023. The bug is a straightforward int overflow which results in an OOB read and write primitive. The post ends with a full PoC which uses nft_payload to leak stack info and bypass KASLR, overwrite the return address, and ROP to overwrite modprobe.
- Molding Lies Into Reality: Exploiting CVE-2024-4358 - @SinSinology released a post detailing an auth bypass he found in the Telerik Report Server, and how it could be combined with a deserialization vuln to achieve a full chain. This research stemmed from an advisory for the deserialization issue which initially claimed it was reachable by an unauthenticated user, but was later updated to reflect that permissions were needed. Thus, he set out to find an auth bypass and then exploit the 1-day deserialization vuln. The post is extremely in depth, covering the internals of the report server, concepts for advanced .NET deserialization, and his attacker thought process.
- CVE-2024-27822: macOS PackageKit Privilege Escalation - A fun macOS privesc from @khronokernel. The post is pretty short and to the point, but boy is it effective. The core idea is that PackageKit will load the user's .zshrc as root, allowing malicious payloads to be embedded into it for an easy privesc. The write-up also takes a look at Apple's fix by reversing the patch and understanding how it works.
Interesting Job Postings:
- Lots of interesting positions available with Exodus Intelligence following their most recent blog post discussing the future of the company
- Browser Security Research @ Apple (On-Site: Seattle, WA)
- Browser Vulnerability Researcher @ Interrupt Labs (Remote: UK)
- Principal Vulnerability Researcher (5G) @ Two Six Technologies (On-Site: Arlington, VA)
- Reverse Engineer @ Steely (Hybrid: Reston, VA)
- Vulnerability Researcher @ Research Innovations (On-Site: San Antonio, TX | St. Pete, FL | Melbourne, FL)
Wrapping Up...
As always, thanks for stopping by. We here at the club are always trying to improve so if you have comments, questions, or suggestions, feel free to shoot us a DM on X (or just drop us a follow if you are feeling generous - we are getting dangerously close to 1K).
Feel free to join the exploits.club Discord server here 👉 https://discord.gg/2dxN2Gtgpx
Want to support us? You can now sponsor a coffee for the club.
Same time next week? See you then 🏴☠️