5 min read

exploits.club Weekly Newsletter 25

exploits.club Weekly Newsletter 25

Good news! Your X likes are now private. Maybe those bots in your replies really are interested in you for your knowledge of Android System Internals...drop them a like! Annnnnyways 👇

In Case You Missed It...

Resources And Write-Ups From This Week:

  • Pumping Iron on the Musl Heap: Real World CVE-2022-24834 Exploitation on an Alpine mallocng Heap - A new post of NCC Group this week, walking through the exploitation of CVE-2022-24834, a heap overflow affecting the Lua cjson module in Redis Servers. The team decided to target Alpine 13.8, which uses musl libc, rendering exploits targeting Ubuntu and other, similar distros based on GNU libc useless. The post dives into musl's allocator (mallocng) before walking through the exploit. The blog is highly in-depth and leaves no stone unturned, so read it.
  • June 2024 Security Update Review - We covered the June Android Security bulletin last week. While we promise this newsletter is not turning into patch review, ZDI did come out with their round-up of the interesting Patch Tuesday notes and we figured it would be good to include here for continuity sake. No publicly exploited bugs for Adobe this month, but potential code exec in Photoshop and some critical vulns in FrameMaker stood out as potentially interesting, should you 1-day guru's feel so inclined. Microsoft released 8 patches addressing Pwn2Own bugs, so expect some blog posts to arrive in the near future. In addition, they patched one critical vuln, RCE in Microsoft Messaging Queue (MSMQ).
  • Private Cloud Compute: A new frontier for AI privacy in the cloud - WWDC 24 happened, and we will reserve our judgment on Apple Intelligence, emoji reacts, or calculator on an iPad for the time being. However, we did want to include this joint post from several Apple's security teams, which walks through the engineering which has gone into the cloud architecture intended to support Apple Intelligence. The post walks through the concerns, the threat model, and the prevention mechanisms put in place. This goes so far as to discuss the hardware mitigations to thwart physical attackers—pretty cool stuff.
  • No Way, PHP Strikes Again: CVE-2024-4577 - Last week @orange_8361 tweeted that PHP had fixed an RCE vulnerability he had reported. In the tweet, he included a short write-up with a bit more information. That seemed enough for the team over at Watchtowr, who released a blog post a few hours later, complete with a full RCA and exploit. The vulnerability itself stems from a mix-up in the unicode handling for command line arguments, resulting in an injection.
  • ROPing Routers From Scratch: Step-By-Step TEnda Ac8v4 MIPs 0day Flow-Control ROP -> RCE - We think @retr0reg summed up all of our thoughts nicely at the start of this post with the following line: "Not sure why but I am always obsessed with assemblies, caller stacks, and glibc heaps and kinds of stuff." The write-up takes a previous bug @retr0reg found and walks through the process for writing an exploit for it. The post discusses testing environment set-up before writing a ROP chain on a MIPs device. Whether you are interested in getting up to speed on MIPs specifically or writing real-world exploits for 1-days, this is a great primer.
  • Analyzing Modern DRMs - Now if it's not abundantly evident at this point, we are based out of the country known for large-portioned meals and an obesity problem (though they are not correlated, we swear). As such, we do not speak German, the language this talk on DRM analysis from @momo5502 is in. That said, the slides themselves can be found entirely in English, and provide an excellent overview into modern DRMs and techniques used to analyze them.
  • Bypassing Veeam Authentication CVE-2024-29849 Following up his post less than a week ago, @SinSinology is back again, this time taking a deep-dive into an auth bypass on Veeam. Similar to his first post, this one is exceptionally in-depth, doing a complete walk-through of the authentication code-flow, before jumping into what makes it vulnerable. In this case, the vulnerability stems from the ability to use an attacker controlled URL to validate auth tokens, so "we can tell "Veeam Enterprise Manager to ask our Rouge Server if the malicious token is valid or not". Pretty cool bug, and the post wraps up with a small PoC.
  • CVE-2024-29824 Deep Dive: Ivanti EPM SQL Injection Remote Code Execution Vulnerability - Horizon3.ai dropped a deep dive on CVE-2024-29824 this week. The vulnerability is a pretty straight forward SQL injection, where string.Format is used to insert an attacker controlled value into a SQL query. The post steps through reversing a .NET application to identify the vulnerable function and then walks up the call tree to determine the best way to trigger the bug. It then shows a payload using xp_cmdshell to gain RCE. Finally, as always from these guys, it includes some IoCs at the very end if you happen to still be using Ivanti products at this point

Interesting Job Postings:

Wrapping Up...

As always, thanks for stopping by. We here at the club are always trying to improve so if you have comments, questions, or suggestions, feel free to shoot us a DM on X (or just drop us a follow if you are feeling generous - we are getting dangerously close to 1K).

Feel free to join the exploits.club Discord server here 👉 https://discord.gg/2dxN2Gtgpx

Want to support us? You can now sponsor a coffee for the club.

Buy Me a Coffee at ko-fi.com

Same time next week? See you then 🏴‍☠️