exploits.club Weekly Newsletter 28
Did you hear that bald-eagle screech? That's right- Happy 4th of July to all our fellow Americans. We hope everyone in the States is enjoying a hotdog and thinking carefully about the cunning debate that took place last week. Annnnnyways 👇
In Case You Missed It...
- Exploitation 4011: Windows Kernel Exploitation - Open Source Security Training 2 continues to be one of the best free resources for budding vulnerability researchers and exploit developers. This week, they uploaded their entire Windows Kernel Exploitation training on YouTube.
- Virtual Escape; Real Reward: Introducing Google's kvmCTF - Earlier this week, Google announced a new vulnerability rewards program for KVM. The program will run similarly to kernelCTF, with a top payout of $250,000 for a full VM escape.
Resources And Write-Ups From This Week:
- The Windows Registry Adventure #3: Learning resources - Project Zero makes an appearance for the third time in a row, this time with the third installment in the running "Windows Registry Adventure" series. As a quick recap, the series started with an introduction, which explained the target subsystem, the research P0 performed, and the resulting bugs. The team then followed it up with a post outlining a brief history of the Registry. The newest post in the series looks specifically at the learning resources and tools one should use to get up to speed on the Registry. It serves as an excellent blueprint for someone looking to replicate P0's work and, more broadly, shows a methodology for researching and learning about a specific subsystem on a target.
- regreSSHion: RCE in OpenSSH's server, on glibc-based Linux systems (CVE-2024-6387) - The only way you haven't heard about this is if you have been living under a rock or inside your debugger. Earlier this week, Qualys' Threat Research Unit identified an RCE vulnerability within OpenSSH, specifically impacting glibc-based Linux systems. For many of you who work on the blue side of the house, that may be as far as you made it in the advisory before you had a panic attack and started patching systems. However, the write-up is exceptionally detailed, walking through the signal handler race condition, the history of the bug (a regression to CVE-2006-5051, originally reported by @mdowd) and the exploit strategy.
- Do a firmware update for your AirPods...now - A quick hitter blog post on a recent AirPods vulnerability. While the post itself doesn't go too deep on the technicals (though the author notes he will do a follow-up post), it does hit the key points. Namely, there is a proprietary protocol from Apple called "Fast Connect", which simplifies the connection process by only taking 4 back-and-forth messages, as opposed to the complex process that takes place with regular Bluetooth devices. While trying to re-implement this protocol from his Linux machine, the author noticed there is no authentication check for non-Apple devices over this protocol, meaning that anyone can connect and listen to your AirPods as long as they know the fixed Bluetooth MAC address.
- July Bulletins - The first week of the month means Security Bulletins from Android and other associated vendors. Android noted one critical, marked as CVE-2024-31320, which is an EoP related to companion device association. The bulletin also links out to a critical Qualcomm vuln, which the vendor noted is a double-free stemming from the HMAC handling in the HLOS.
- Ring Around The Regex: Lessons learned from fuzzing regex libraries (Part 1) - secret.club (no relation) put out an interesting post this week related to fuzzing regex libraries. Interestingly, author @addisoncrump_vr notes up front, "targets and bugs described below are instead offered as a study for fuzzing design decisions and understanding where fuzzing fails." The blog takes a look at rust-lang/regex, in which Addison analyzes the OSS-Fuzz harness and describes ways it can be changed, including the pros and cons of each change (which can sometimes be counterintuitive). The post ends with the results and takeaways and a promise to follow up with part two covering PCRE2.
- Exploiting a SpiderMonkey: From Integer Range Inconsistency to Bound Check Elimination then RCE - @bjrjk published a set of slides this week walking through the background, RCA, and exploit for CVE-2024-29943. The bug was originally used by @_manfp in Pwn2Own and later analyzed by @maxspl0it. We also want to give a shout-out to the quality of the slides - this deck is "make-your-asshole-McKinsey-cousin-drool" type stuff.
- ZDI-24-821: A Remote UAF in The Kernel's net/tipc - Last week we shared @sam4k's slides about finding bugs in the Linux kernel. In the presentation, he shared a bug he found using his methodology. Now, we were under the assumption this was a bug he found a while ago and just decided to use as a good example. Turns out, that assumption was extremely wrong. In his newest blog post, he walks through how he decided to look for a bug while making the presentation, and found the UAF in the kernel's TIPC networking stack. The post itself walks through the background and vulnerability in much more detail than the slides, covering networking subsystem fundamentals, the fundamental structures of the subsystem, and TIPC. It then goes into the vulnerability, working backwards from the stack trace to the root cause. Finally, it includes some notes on potential exploitation before concluding with the patch.
- Modern Cryptographic Attacks: A Guide For The Perplexed - You know that guy on your CTF team who does all the crypto, and you don't understand anything he's saying, but you just let him keep doing his thing? This new post from Check Point Research is intended to close the language barrier a bit. The post walks through a handful of modern cryptographic attacks in extreme detail, using analogies and abstractions along the way to ensure your "perplexed" mind can handle it. It's a really cool resource; we aren't sure if there is anything else out there like it...but then again, we actively avoid crypto challenges and bugs.
- CVE-2024-29510 – Exploiting Ghostscript using format strings - Codean Labs released a post this week walking through a format string bug in Ghostscript, the document conversion toolkit first released in 1988. The parameters of a particular output device prompted the author to peek at the source code, where they confirmed that the parameters were used improperly in a format string, leading to a classic vuln. From there, the post goes into exploitation, turning the heap-based bug into a read/write and escaping the sandbox.
- Pixel Tablet Dock (korlan) Secure Boot Bypass - A fun post from ODS Security Research covering the team's exploitation of the Google Pixel Tablet Dock. The post discusses how they got a U-Boot shell on the device, extracted the relevant boot images, and modified them to disable AML Secure Boot.
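The regreSSHion item above turns on a SIGALRM handler that does non-async-signal-safe work. As an added example (ours, not from the Qualys advisory or from OpenSSH), the C sketch below shows the defensive pattern for that bug class: the handler does nothing but store a `volatile sig_atomic_t` flag, and the main flow consumes it later. Function names are ours.

```c
/* Added example, not OpenSSH code. Pattern: a signal handler that only
 * stores to a lock-free atomic flag; all real work (logging, freeing,
 * exiting) happens later in the main flow where heap/logger state is
 * consistent. A handler that calls free()/syslog()/exit() instead can
 * re-enter the allocator mid-operation, which is the race class behind
 * CVE-2024-6387. */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <string.h>

static volatile sig_atomic_t timed_out = 0;

/* Safe handler: one store, nothing else. sig_atomic_t stores are the
 * only writes C guarantees to be safe from an async handler. */
static void safe_alarm_handler(int sig)
{
    (void)sig;
    timed_out = 1;
}

/* Installs the handler with sigaction(). Returns 0 on success, -1 on
 * error (same contract as sigaction). No SA_RESTART, so a blocking
 * read in the main flow returns EINTR and reaches the flag check. */
int install_safe_alarm_handler(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = safe_alarm_handler;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;
    return sigaction(SIGALRM, &sa, NULL);
}

/* Called from the main flow (e.g. after each protocol step of a login
 * grace period). Returns 1 once per observed timeout, else 0. Any
 * cleanup or logging belongs in the caller, in this safe context. */
int grace_period_expired(void)
{
    if (timed_out) {
        timed_out = 0;   /* consume the event */
        return 1;
    }
    return 0;
}
```

In a real daemon the main loop would call `alarm()` at session start and check `grace_period_expired()` after each blocking step; here `raise(SIGALRM)` stands in for the expiring timer.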
Interesting Job Postings:
- Automotive Threat Researcher @ Trend Micro (Remote)
- Senior Vulnerability Researcher @ Two Six Technologies (On-Site: Arlington, VA)
- Cryptography & Security Researcher @ Glocomms (On-Site: San Francisco, CA)
- Senior Embedded Vulnerability Researcher @ Draper (Hybrid: 12 US Locations)
- Vulnerability Researcher @ Kudu Dynamics (Chantilly, VA)
Wrapping Up...
The exploits.club mug sold in the single digits last week, so it's going fast! Get yours at https://shop.exploits.club.
As always, thanks for stopping by. We here at the club are always trying to improve so if you have comments, questions, or suggestions, feel free to shoot us a DM on X (or just drop us a follow if you are feeling generous - we are getting dangerously close to 1K).
Feel free to join the exploits.club Discord server here 👉 https://discord.gg/2dxN2Gtgpx