
exploits.club Weekly Newsletter 27


Happy Thursday you vulnerability voyagers. We hope everyone is having a week full of crashes...the good kind, not the "this-readme-makes-no-sense-and-build-systems-suck" kind. Annnnnyways 👇

In Case You Missed It...

Resources And Write-Ups From This Week:

  • Attack of the clones: Getting RCE in Chrome's renderer with duplicate object properties - Our lord and savior @mmolgtm has returned, this time to walk through CVE-2024-3833, an object corruption bug in V8. The post starts by detailing a bug from 2021 reported by Project Zero before diving into two bugs in JavaScript Promise Integration, a feature that was in an origin trial at the time. Both bugs allow certain objects to end up with duplicate properties. The post then covers the novel exploit technique he used to turn the bugs into renderer RCE. We won't try to summarize it here - we wouldn't be able to even if we wanted to. You should go read the post.
  • Hacking for Defenders: approaches to DARPA’s AI Cyber Challenge - AIxCC has caused quite the conversation in the VR community. Who knew that AI might come for our jobs before memory safety? In a short new Google Security Blog post, the team walks through their fuzzing approaches to a handful of the DARPA challenges. The blog covers how the team was able to adapt AFL and the AIxCC provided harness to fuzz the Linux kernel, and demonstrates both the limitations and promises of AI-based fuzzing and patching.
  • Project Naptime: Evaluating Offensive Security Capabilities of Large Language Models - Another post out of Project Zero (two in two weeks??), this time discussing the LLM-assisted vulnerability research they have been experimenting with. This isn't your typical "paste-some-code-into-chatgpt-and-pray" though. Instead, they have built an entire architecture for the agent to interact with a code browser, run a debugger, and write Python scripts. The post then goes into the benchmarking of the project, which includes a whole bunch of fancy numbers to basically say "this thing works on CTF challenges". In fact it even found some unintended solutions, and in one case it was actually held back by...not being permitted to write an exploit...? Same. Following their post, @daveaitel released one of his own reviewing the P0 implementation and discussing some similarities and differences with a similar set of tools he has been working on.
  • RCE on Ollama - While we are on the topic of AI...how is the state of security for the AI products themselves, you might ask? I think this small Twitter thread might provide some insight into that question.
  • Fuzzer Development 4: Snapshots, Code-Coverage, and Fuzzing - Long-time readers of the newsletter will know we have been closely following @h0mbre's full-system snapshot fuzzer development. This week, we got installment number 4 in the blog series, which covers "Snapshots, Code Coverage Feedback, and more". The post is equal parts technical and reflective, walking through the issues encountered during development and the reasoning behind the resulting design decisions.
  • CVE-2024-27815: A Buffer Overflow in the XNU Kernel - @0xjprx just published an overflow he found in the XNU kernel. The bug manifests due to a mix-up of two very similar-looking constant names (MSIZE and MLEN). Apple introduced the bug by adding a size check against MSIZE, which is actually the size of an entire mbuf (header plus data), and not just the data area (which would be...you guessed it...MLEN). Since MLEN is smaller than MSIZE, lengths in between pass the check and spill past the data area. The post includes a crash PoC and the patch released by Apple.
  • IPC Fuzzing with Snapshots - @mozdeco from Mozilla released a post on the company's security blog detailing the new IPC fuzzing technique they have implemented for Firefox. The technical implementation uses Nyx for full-vm snapshots and AFL++ as the frontend. There is also an open-source custom agent which handles a handful of things. The write-up then details how this stack can effectively be used to fuzz a single IPC message, and how code coverage is tracked.
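To make the MSIZE/MLEN mix-up from the XNU write-up above concrete, here is an added example (written for this newsletter, not code from @0xjprx's post or from XNU) that models the two constants with a constructed mbuf-like struct: MSIZE is the whole buffer, MLEN is MSIZE minus the header. The struct layout, the 0xCC canary arena and the two check functions are assumptions for illustration; only the relationship between the constants mirrors the real bug. The copy is done through arena offsets rather than the struct member so the model stays within a single array and can show the spill without itself being undefined behaviour.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not XNU's real mbuf layout. What matters is that
 * MSIZE is the size of the whole buffer (header + data) while MLEN is
 * only the data area that follows the header. */
#define MSIZE 256u

struct m_hdr {
    void   *mh_next;
    void   *mh_nextpkt;
    void   *mh_data;
    int32_t mh_len;
    int16_t mh_type;
    int16_t mh_flags;
};

#define MLEN (MSIZE - sizeof(struct m_hdr))

struct mbuf {
    struct m_hdr  m_hdr;
    unsigned char m_dat[MLEN];
};

/* The buggy check: bounds len by MSIZE, so any length in (MLEN, MSIZE]
 * is accepted even though m_dat only holds MLEN bytes. */
bool len_ok_vuln(size_t len) { return len <= MSIZE; }

/* The check against the data area, which is what the copy actually needs. */
bool len_ok_fixed(size_t len) { return len <= MLEN; }

/* Simulates "check len, then copy len bytes into m_dat" on an arena that
 * carries 64 canary bytes after the mbuf (standing in for whatever sits
 * next to it in memory). Returns -1 if the check rejected the copy,
 * otherwise the number of canary bytes overwritten (0 means the copy
 * stayed inside m_dat). */
int simulate_copy(size_t len, bool (*check)(size_t)) {
    unsigned char arena[MSIZE + 64];
    unsigned char src[MSIZE];              /* constructed attacker payload */
    memset(arena, 0xCC, sizeof arena);     /* 0xCC canary everywhere */
    memset(src, 0x41, sizeof src);

    if (!check(len))
        return -1;                          /* both checks cap len at MSIZE */

    /* Copy via offsets so the spill lands in the arena, not past it. */
    memcpy(arena + offsetof(struct mbuf, m_dat), src, len);

    int clobbered = 0;
    for (size_t i = MSIZE; i < sizeof arena; i++)
        if (arena[i] != 0xCC)
            clobbered++;
    return clobbered;
}

int main(void) {
    size_t len = MLEN + 16;   /* passes the MSIZE check, exceeds the data area */
    printf("len=%zu MLEN=%zu MSIZE=%u\n", len, (size_t)MLEN, MSIZE);
    printf("MSIZE check: %d bytes written past the mbuf\n",
           simulate_copy(len, len_ok_vuln));
    printf("MLEN check:  %d (copy rejected)\n",
           simulate_copy(len, len_ok_fixed));
    return 0;
}
```

The window between the two constants is exactly sizeof(struct m_hdr) bytes, so the overflow is small but fully attacker-sized within that window, which is why a one-token typo in a bounds check is worth a CVE.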

Interesting Job Postings:

Wrapping Up...

Introducing: The exploits.club mug. It won't help you find bugs, but it will give you something cool to look at on your desk while you are pondering your life choices. Get yours at https://shop.exploits.club.

Support us through your purchase of a coffee holder

As always, thanks for stopping by. We here at the club are always trying to improve so if you have comments, questions, or suggestions, feel free to shoot us a DM on X (or just drop us a follow if you are feeling generous - we are getting dangerously close to 1K).

Feel free to join the exploits.club Discord server here 👉 https://discord.gg/2dxN2Gtgpx