exploits.club Weekly Newsletter 26
Happy Thursday, you kernel cowboys. Remember, the best debugger is a walk outside, a new cup of coffee, and ~~the anxiety associated with the inexplicable way you tie your self-worth to 1's and 0's~~ some time with friends.
On a serious note, remember to take care of yourself. @netspooky put together this good list of healthy reminders. Annnnnyways
In Case You Missed It...
- VR Career Roadmap - @kzalloc1 put together a great collection of resources and trainings for the aspiring vuln researcher, and a suggested roadmap for getting up to speed with modern VR. This is one of the most common questions we get / see asked!
- Odin.ai - A cool new project out of @mozilla, this bug bounty program focuses specifically on vulnerabilities in GenAI.
- Q&A with Valentina Palmiotti, aka chompie - @chompie1337 sat down with SecurityWeekly for an interview discussing her participation in P20.
Resources And Write-Ups From This Week:
- Driving forward in Android drivers - Babe, wake up, P0 just posted. This week, @__sethJenkins released a blog post for Project Zero, which explores the fragmented world of vendor-specific drivers on Android. The post first shows how to enumerate the drivers accessible directly from the `untrusted_app` context. It then walks through two vulnerabilities identified in the MediaTek JPEG Decoding Accelerator. The first of these bugs is a straightforward OOB write (CVE-2023-32837), while the second (CVE-2023-32832) is a fun race condition leading to a UAF or double free. The blog then goes into exploitation, focusing specifically on the second bug and on a "novel exploit technique" to demonstrate exploitability in the face of potential future mitigations such as SLAB_VIRTUAL.
- TIKTAG: Breaking ARM's Memory Tagging Extension with Speculative Execution - Speaking of "mitigations" and "novel exploitation," a paper released this week demonstrates how to break MTE via speculative execution. The team identified two new gadgets they deemed "TikTag-v1" and "TikTag-v2," which can "leak the MTE tag of an arbitrary memory address." The team demonstrated the vulnerability on Google Chrome and the Linux kernel via a Pixel 8 device. The paper's second half evaluates these experiments, discussing reliability, feasibility, and potential mitigations.
- So You Wanna Find Bugs In The Linux Kernel - @sam4k1 uploaded his TyphoonCon 24 slides on attacking the Linux kernel. The slides first provide a wealth of knowledge on the state of kernel VR before diving into specifics. They cover what makes a good subsystem to target, an auditing workflow, and the use of tooling like syzkaller and CodeQL. The presentation ends with a case study, demonstrating the outlined process in action: Sam picked an interesting subsystem, performed a code audit, identified limitations in the current fuzzing coverage, modified syzkaller, and dropped a bug.
- Preauth RCE on NVIDIA Triton Server - What do you get when you mix new technology with rapid innovation and competition? We don't know, but if OSes...or web...or cloud...or crypto are any indicator, you do not get security. This write-up from @edwardzpeng indicates the state of AI security may also be going through its infancy stage. In his blog, he demonstrates two vulnerabilities he recently found on Triton Inference Server. The first (CVE-2024-0087) is an arbitrary file write. This results from the logging configuration interface accepting an arbitrary parameter for the log's write target. Because the log data is also attacker-controlled, this causes an arbitrary write, which can be spun into RCE. The second (CVE-2024-0088) is an arbitrary address write, resulting from how Triton allows for shared memory registration but fails to validate any of the attacker-controlled parameters. The post wraps up with some thoughts on these vulnerabilities, the impact they may have at large, and the current state of AI.
- Recovering an ECU firmware using disassembler and branches - A new post out of Quarkslab this week walks through an interesting challenge the team recently faced on a black-box assessment while trying to dump the firmware. After the typical `binwalk` run failed, the team ended up digging deep into the internals of the FAT filesystem. They then whipped up a Python script to identify function prologues, which helped identify some valid firmware chunks. Iterating on this idea, they improved the script by analyzing branch instructions, allowing them to slowly put the clusters of valid ARM functions into the correct order and export them to a new binary, recovering most of the firmware.
- SSD Advisory: TP-LINK VIGI onvif_discovery Overflow - The SSD Secure Disclosure team released a write-up for a buffer overflow on TP-Link's VIGI security camera. The vulnerability resides in `onvif_discovery`, which listens on port 5001 and is reachable while unauthenticated. The root cause here is pretty straightforward: attacker-controlled data is copied from one stack buffer to another, smaller buffer without any sort of bounds checking. The advisory walks through the call stack and shows the RE where the vulnerability resides. While it doesn't go in-depth on the exploitation, it provides a full PoC, which looks to do some standard ROP.
- 4G GPS Tracker Reverse Engineering - If you are interested in hardware hacking and IoT RE, @nmatt0 has a YouTube channel you may enjoy. The channel is dedicated entirely to dissecting targets, extracting firmware, and doing some vuln research. In his most recent series, he reverses a GPS tracker, and his video from this week walks through the cell modem interactions.
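The prologue-scan and branch-ordering idea from the Quarkslab post, as an added Python example (this is not Quarkslab's script, and nothing below comes from the post itself): a constructed toy A32 firmware is assembled from a small call graph, split into 32-byte clusters, shuffled, and mixed with a decoy text cluster, the way a fragmented FAT dump might look. `prologue_offsets` scores clusters by `push {..., lr}` signatures, and `infer_layout` treats every BL whose target lands in another cluster as a vote on how far apart the two clusters sit, then chains the votes into an order. The call graph, cluster size, decoy cluster and scramble order are all constructed; the vote tally goes slightly beyond the post's description in that it copes with several candidate clusters per branch target.

```python
# Added illustration (not Quarkslab's script). Step 1 counts `push {..., lr}`
# prologues to tell firmware clusters from other data; step 2 uses BL displacements
# as votes on the relative position of clusters and chains them into an order.
import struct
from collections import Counter, defaultdict

CLUSTER = 32                 # constructed FAT cluster size in bytes
PUSH_LR = 0xE92D4010         # push {r4, lr}  (A32 encoding)
POP_PC = 0xE8BD8010          # pop {r4, pc}
NOP = 0xE1A00000             # mov r0, r0
# Constructed call graph: (name, nop padding words, callees); sizes were picked so
# each prologue lands on a distinct offset within its cluster.
TOY_FUNCS = [
    ("main", 1, ["init", "loop"]),
    ("init", 3, ["hw_setup"]),
    ("hw_setup", 4, []),
    ("loop", 1, ["poll", "handle"]),
    ("poll", 2, []),
    ("handle", 2, ["hw_setup"]),
    ("log", 5, []),
]
DECOY = b"README: not firmware, text file".ljust(CLUSTER, b"\x00")  # constructed
DUMP_ORDER = [3, 5, 0, 4, 2, 1]   # constructed scramble; index 5 is DECOY

def word(w):
    return struct.pack("<I", w)

def bl(at, target):
    """Encode an A32 BL from `at` to `target` (displacement is PC+8 relative)."""
    return word(0xEB000000 | (((target - (at + 8)) >> 2) & 0xFFFFFF))

def build_firmware():
    """Assemble the toy functions back to back, padded with erased-flash 0xFF."""
    addr, entry = 0, {}
    for name, pad, callees in TOY_FUNCS:
        entry[name] = addr
        addr += 4 * (2 + len(callees) + pad)
    out = bytearray()
    for name, pad, callees in TOY_FUNCS:
        out += word(PUSH_LR)
        for i, callee in enumerate(callees):
            out += bl(entry[name] + 4 * (i + 1), entry[callee])
        out += word(NOP) * pad + word(POP_PC)
    return bytes(out) + b"\xff" * (-len(out) % CLUSTER)

def dump_clusters(firmware):
    """Simulate the FAT dump: the real clusters plus a decoy, in scrambled order."""
    pool = [firmware[i:i + CLUSTER] for i in range(0, len(firmware), CLUSTER)]
    return [(pool + [DECOY])[i] for i in DUMP_ORDER]

def words(data):
    for off in range(0, len(data) - 3, 4):
        yield off, struct.unpack_from("<I", data, off)[0]

def prologue_offsets(data):
    """Offsets of `push {..., lr}` (STMDB sp! with lr in the list) in one cluster."""
    return {off for off, w in words(data) if (w & 0xFFFF4000) == 0xE92D4000}

def bl_targets(data):
    """Yield (offset, target) per unconditional BL; target is cluster-relative."""
    for off, w in words(data):
        if w >> 24 == 0xEB:
            imm24 = w & 0xFFFFFF
            if imm24 & 0x800000:          # sign-extend the 24-bit field
                imm24 -= 0x1000000
            yield off, off + 8 + (imm24 << 2)

def infer_layout(clusters):
    """Return (placed cluster indices in address order, unplaced indices)."""
    prologues = [prologue_offsets(c) for c in clusters]
    # A BL in cluster a landing `delta` clusters away at offset `toff` is a vote
    # that any cluster b with a prologue at `toff` sits `delta` clusters after a.
    votes = defaultdict(Counter)          # votes[(a, b)][delta] -> count
    for a, data in enumerate(clusters):
        for _off, target in bl_targets(data):
            delta, toff = divmod(target, CLUSTER)
            if delta == 0:                # call inside the same cluster
                continue
            for b in range(len(clusters)):
                if b != a and toff in prologues[b]:
                    votes[(a, b)][delta] += 1
                    votes[(b, a)][-delta] += 1
    # Seed with the cluster holding the most prologues, then greedily attach the
    # best-supported unplaced cluster to an already placed one until nothing fits.
    pos = {max(range(len(clusters)), key=lambda i: len(prologues[i])): 0}
    while True:
        best = None
        for (a, b), counter in votes.items():
            if a in pos and b not in pos:
                for delta, count in counter.items():
                    cand = pos[a] + delta
                    if cand not in pos.values() and (best is None or count > best[0]):
                        best = (count, b, cand)
        if best is None:
            break
        pos[best[1]] = best[2]
    return sorted(pos, key=pos.get), [i for i in range(len(clusters)) if i not in pos]

def recover(clusters):
    order, unplaced = infer_layout(clusters)
    return b"".join(clusters[i] for i in order), order, unplaced
```

Running `recover(dump_clusters(build_firmware()))` puts the four clusters that contain prologues or cross-cluster branches back in their original order and leaves two aside: the decoy, which has no ARM code at all, and the tail cluster holding only the body of `log`, which has neither a prologue nor a branch and so gives the method nothing to anchor on. That leftover is the same effect the post describes when it recovers "most" rather than all of the image.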
Interesting Job Postings:
- Vulnerability Researcher @ Nightwing (On-Site: Annapolis Junction, MD)
- Senior Android Vulnerability Researcher @ Raytheon (On-Site: Aurora, CO)
- Reverse Engineer II / III @ Black Eagle Defense (On-Site: Annapolis Junction, MD)
- Malware Reverse Engineer @ Meta (Remote)
- Senior Security Researcher @ Rapid7 (On-Site: Prague, Czechia)
Wrapping Up...
As always, thanks for stopping by. We here at the club are always trying to improve, so if you have comments, questions, or suggestions, feel free to shoot us a DM on X (or just drop us a follow if you are feeling generous - we are getting dangerously close to 1K).
Feel free to join the exploits.club Discord server here: https://discord.gg/2dxN2Gtgpx
Want to support us? You can now sponsor a coffee for the club.
Same time next week? See you then