exploits.club Weekly Newsletter 27
Happy Thursday, you vulnerability voyagers. We hope everyone is having a week full of crashes...the good kind, not the "this-readme-makes-no-sense-and-build-systems-suck" kind. Annnnnyways
In Case You Missed It...
- Introducing Nyxstone: An LLVM-based (Dis)assembly Framework - This week, emproof released an assembly and disassembly library based on LLVM. The release blog includes some usage examples to help you get up to speed on its key features.
- Google: Stop Burning Counterterrorism Operations - We doubt you missed this one, but @mncoppola released a blog post discussing the Google TAG / P0 work from 2020 and 2021 which exposed a counterterrorism operation run by US allies. He had some opinions on the topic, as did the entire rest of the vuln research community (all 143 of you). We aren't an opinion newsletter, though, so you are free to develop your own.
- Google CTF Write-Ups - Google's annual CTF wrapped up last week, and some subsequent write-ups have started floating around for the challenges. In particular, we enjoyed @terjanq's write-ups for the challenges he authored. Perfect Blue team member and meme lord himself @gf_256 also released a handful of write-ups.
- Mitigating RIDL Side-Channel Attack in Microsoft Edge on Windows - Pretty interesting new feature from Microsoft, which blunts RIDL by keeping threads from another security domain from being scheduled onto the same physical core as a process's own threads, so there is no sibling hyperthread for the attacker to leak from.
- Zero Day Markets With Mark Dowd - Following the release of his BlueHat '23 Keynote slides, @mdowd joined @SCWpod to discuss the 0-day market.
Resources And Write-Ups From This Week:
- Attack of the clones: Getting RCE in Chrome's renderer with duplicate object properties - Our lord and savior @mmolgtm has returned, this time to walk through CVE-2024-3833, an object corruption bug in v8. The post starts by detailing a bug from 2021 reported by Project Zero before diving into two bugs related to JavaScript Promise integration, a feature currently in an origin trial. Both bugs allow certain objects to end up with duplicate properties. The post then dives into the novel exploit technique he used to go after the bugs. We won't try to summarize it here - we wouldn't be able to even if we wanted to. You should go read the post.
- Hacking for Defenders: approaches to DARPA's AI Cyber Challenge - AIxCC has caused quite the conversation in the VR community. Who knew that AI might come for our jobs before memory safety? In a short new Google Security Blog post, the team walks through their fuzzing approaches to a handful of the DARPA challenges. The blog covers how the team was able to adapt AFL and the AIxCC-provided harness to fuzz the Linux kernel, and demonstrates both the limitations and promises of AI-based fuzzing and patching.
- Project Naptime: Evaluating Offensive Security Capabilities of Large Language Models - Another post out of Project Zero (two in two weeks??), this time discussing the LLM-assisted vulnerability research they have been experimenting with. This isn't your typical "paste-some-code-into-chatgpt-and-pray" though. Instead, they have built an entire architecture for the agent to interact with a code browser, run a debugger, and write Python scripts. The post then goes into the benchmarking of the project, which includes a whole bunch of fancy numbers to basically say "this thing works on CTF challenges". In fact it even found some unintended solutions, and in one case it was actually held back by...not being permitted to write an exploit...? Same. Following their post, @daveaitel released one of his own reviewing the P0 implementation and discussing some similarities and differences with a similar set of tools he has been working on.
- RCE on Ollama - While we are on the topic of AI...how is the state of security for the AI products themselves, you might ask? I think this small Twitter thread might provide some insight into that question.
- Fuzzer Development 4: Snapshots, Code-Coverage, and Fuzzing - Long-time readers of the newsletter will know we have been closely following @h0mbre's full-system snapshot fuzzer development. This week, we got installment number 4 in the blog series, which covers "Snapshots, Code Coverage Feedback, and more". The post is equal parts technical and reflective, walking through the issues encountered during development and the reasoning behind the resulting design decisions.
- CVE-2024-27815: A Buffer Overflow in the XNU Kernel - @0xjprx just published an overflow he found in the XNU kernel. The bug manifests due to the mix-up of two very similar-looking constants (MSIZE and MLEN). Apple introduced the bug by adding a size check against MSIZE, which is actually the size of an entire message buffer (header and data), and not just the data area (which would be...you guessed it....MLEN). The post includes a crash PoC and the patch released by Apple.
- IPC Fuzzing with Snapshots - @mozdeco from Mozilla released a post on the company's security blog detailing the new IPC fuzzing technique they have implemented for Firefox. The technical implementation uses Nyx for full-VM snapshots and AFL++ as the frontend. There is also an open-source custom agent which handles a handful of supporting tasks. The write-up then details how this stack can effectively be used to fuzz a single IPC message, and how code coverage is tracked.
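To make the MSIZE/MLEN mix-up from the CVE-2024-27815 item concrete, here is an added example (our own, not code from @0xjprx's post or from XNU) built on a constructed, simplified BSD-style mbuf. The struct layout, the 256-byte MSIZE, and the function names are assumptions for illustration; the real kernel's values and helpers differ. What carries over is the bug class: bounding a copy into the data area by the size of the whole mbuf lets a length in (MLEN, MSIZE] pass the check and run off the end of the data array by up to one header's worth of bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of an mbuf (assumption: NOT XNU's real layout).
 * MSIZE is the size of the whole mbuf; MLEN is the number of data
 * bytes that fit after the header. Same two names, smaller numbers. */
#define MSIZE 256

struct mbuf_hdr {
    struct mbuf *next;     /* next mbuf in chain */
    struct mbuf *nextpkt;  /* next packet in queue */
    uint32_t     len;      /* bytes of valid data in dat[] */
    uint32_t     flags;
    uint8_t     *data;     /* points into dat[] */
};

struct mbuf {
    struct mbuf_hdr hdr;
    uint8_t         dat[MSIZE - sizeof(struct mbuf_hdr)];
};

#define MLEN (MSIZE - sizeof(struct mbuf_hdr))

_Static_assert(sizeof(struct mbuf) == MSIZE, "MSIZE must equal sizeof(struct mbuf)");

/* The bug pattern: the check is against MSIZE (whole mbuf) instead of
 * MLEN (data area). Any len with MLEN < len <= MSIZE is accepted. */
int check_len_buggy(size_t len) { return len <= MSIZE; }

/* The corrected bound: only the data area may be filled. */
int check_len_fixed(size_t len) { return len <= MLEN; }

/* How many bytes past the end of dat[] the buggy check would allow
 * a memcpy of `len` bytes to write (0 if rejected or in bounds). */
size_t overflow_bytes(size_t len) {
    if (!check_len_buggy(len) || len <= MLEN)
        return 0;
    return len - MLEN;  /* at most sizeof(struct mbuf_hdr) */
}

/* Copy src into the mbuf's data area using the corrected bound.
 * Returns bytes copied, or -1 if len does not fit in dat[]. */
int mbuf_copy_in(struct mbuf *m, const uint8_t *src, size_t len) {
    if (!check_len_fixed(len))
        return -1;
    memcpy(m->dat, src, len);
    m->hdr.len  = (uint32_t)len;
    m->hdr.data = m->dat;
    return (int)len;
}

/* Drive the hardened copy with a constructed 0x41-filled payload. */
int try_copy(size_t len) {
    static struct mbuf m;
    static uint8_t payload[MSIZE];
    memset(payload, 0x41, sizeof payload);
    memset(&m, 0, sizeof m);
    return mbuf_copy_in(&m, payload, len);
}

int main(void) {
    size_t probes[] = { MLEN, MLEN + 1, MSIZE, MSIZE + 1 };
    printf("MSIZE=%d MLEN=%zu hdr=%zu\n", MSIZE, (size_t)MLEN, sizeof(struct mbuf_hdr));
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        size_t len = probes[i];
        printf("len=%3zu buggy_check=%d fixed_check=%d overflow=%zu copy=%d\n",
               len, check_len_buggy(len), check_len_fixed(len),
               overflow_bytes(len), try_copy(len));
    }
    return 0;
}
```

The interesting row is len == MSIZE: the MSIZE check passes, the MLEN check rejects, and the gap between the two is exactly the header size, which is the overwrite the wrong constant buys an attacker.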
Interesting Job Postings:
- Senior Security Researcher @ Microsoft (On-Site: Redmond, WA)
- Vulnerability Researcher @ Nightwing (On-Site: Annapolis Junction, MD)
- Reverse Engineer and Vulnerability Researcher @ MIT Lincoln Lab (Hybrid: Lexington, MA)
- RF Systems Reverse Engineer @ The Johns Hopkins University Applied Physics Lab (On-Site: Laurel, MD)
- Junior Reverse Engineer @ KBR (On-Site: Beavercreek Township, OH)
- Vulnerability Researcher @ Carnegie Mellon (On-Site: Pittsburgh, PA)
Wrapping Up...
Introducing: The exploits.club mug. It won't help you find bugs, but it will give you something cool to look at on your desk while you are pondering your life choices. Get yours at https://shop.exploits.club.
As always, thanks for stopping by. We here at the club are always trying to improve so if you have comments, questions, or suggestions, feel free to shoot us a DM on X (or just drop us a follow if you are feeling generous - we are getting dangerously close to 1K).
Feel free to join the exploits.club Discord server here: https://discord.gg/2dxN2Gtgpx