6 min read

exploits.club Weekly Newsletter 29

exploits.club Weekly Newsletter 29

@clintgibler, u up? Annnnnyways 👇

In Case You Missed It...

  • OST2 Introductory Course To HyperDbg - Last week, we featured Open Source Security Training 2's Windows Kernel Exploitation Course. This week, we wanted to acknowledge another free course they have been promoting recently. The intro course for HyperDbg consists of 65 video lessons, and a full Map Of Content can be viewed here!
  • REcon 2024 WinDbg Workshop - @_hugsy_ open-sourced the recent training from RECon on WinDbg. The repo includes a set-up guide, all the slides, and a challenge problem.
  • HITB2024BKK Armory CFP - Been working on an interesting vuln research tool? HITB2024BKK just opened their call for papers and are specifically looking for people to show off their open-source VR, exploit dev, and RE tooling.
  • CheckPoint Research Release's View8 - Following a blog post on recent compiled V8 JavaScript malware campaigns, the team released View8, a "new open-source static analysis tool for decompiling v8 bytecode to high-level readable code."
  • Unofficial Darwin Change Log Makes It's Return - Famed iOS hacker, author, and Dataflow CTO Jonathan Levin released a post on the company blog this week analyzing changes for Darwin 24. It includes a handful of hands-on advice for assessing different areas of the *OS attack surface and finishes with directions for conducting your own deeper analysis
  • The case for burning counterterrorism operations - Following @mncoppola's original post we covered a few weeks ago discussing TAG's burning of a counterterrorism operation, @JusticRage posted a rebuttal.

Resources And Write-Ups From This Week:

  • Pwn2Own: WAN-to-LAN Exploit Showcase - Claroty Team82 released a write-up for the first stage of their SOHO smashup exploit chain at Pwn2Own 2023 Toronto. This post discusses the WAN exploit they achieved against the TP-Link ER605 router. It starts by enumerating the attack surface, leading to the team targeting the binary handling DDNS services on the device. After understanding the custom protocol, the team identified three vulnerabilities. The first allowed them to impersonate the DDNS server due to symmetric encryption via a hardcoded key and no additional auth checks. After that, they leveraged two buffer overflows, the first to leak data back to their malicious server to break ASLR and the second to pop RCE. Part 2 should be coming to discuss pivoting to exploit the Synology BC500 IP camera.
  • The July 2024 Security Update Review - ZDI is back with their monthly review of Adobe and Microsoft goodies. The post notes that no Adobe vulnerabilities patched this month are under active exploitation, though it addressed five critical RCE bugs in InDesign and Bridge. Microsoft had a massive Patch Tuesday, addressing 139 bugs. Of those, there were five crits - notably a Remote Desktop Licensing Service Vulnerability marked as a Heap Overflow requiring no authentication. Also some fun bugs hiding in there, such as an RCE for the Kinect?? Nation-State Actors will be floored by our perfect score on Just Dance 3's "Promiscuous Girl."
  • Bytecode Breakdown: Unraveling Factorio's Lua Security Flaws - If anyone knows the author of this post, please let us know because it has got to be one of the cleanest write-ups we have seen in a long time. Everything is carefully explained and broken down, and the whole thing flows in a manner that makes sense even without prior context. While it is long, there's lots to cover. The post addresses the way Lua bytecode can be manipulated in a malicious manner in order to achieve remote code execution. The author demonstrates this by first causing a type confusion to leak a memory addresses, before diving into creating fake objects and gaining control of the instruction pointer. They then demonstrate the attack on the popular game Factorio, which will run the exploit when they connect to the malicious game server.
  • Resurrecting Internet Explorer: Threat Actors Using Zero-Day Tricks In Internet Shortcut File To Lure Victims - Check Point Research was busy this week. In addition to the V8 bytecode tooling, they also released a post on a trick threat actors have been employing against windows users. This attack leverages the .url extension on a fake PDF file, which is opened by the decommissioned browser Internet Explorer. Sooo they just pop an 0-day in the inherently less secure browser? Nope, not even that complex - instead, they force the download of a .hta file on the victim, resulting in code exec on the victim's machine.
  • CVE-2024-29511: Abusing Ghostscript's OCR device - Codean Labs followed up with part 2 of their three part series on exploiting Ghostscript. We covered part one last week, which leveraged a format string bug. This week, the team demonstrates a way to escape the sandbox using a path traversal in the ocr device. The post goes in depth on the internals that result in this vulnerability, and end with a quick demo leaking /etc/passwd. Part three is expected to release soon!
  • @SinSinology Obliterates WhatsUp Gold - @SinSinology looked like 1991-1993 Chicago Bulls, going back-to-back-to-back on WhatsUp Gold this week. The Michael Jordan of embarrassing Progress demonstrated 2 different path traversals, both of which he was able to turn into Pre-Auth RCEs. Then, to add insult to injury, he was able to demonstrate a PrivEsc simply by...overwriting the administrator's password via an endpoint exposed to unauthenticated users. We have included a few of his write-ups in the past, and these follow a very similar pattern - tracing from attacker controlled data down the call stack to the vulnerability.
  • Universal Code Execution by Chaining Messages in Browser Extensions - @spaceraccoonsec released a pretty fun write-up this week detailing his research in leveraging vulnerable chrome extensions into RCE on the underlying host machines. In some cases, browser extensions will allow communications with web pages via postMessage. Depending on if the extensions have been properly scoped or not, this could include result in malicious sites exploiting logic bugs and breaking Same Origin Policy. However, even more detrimental is many extensions actually specify a binary on the host machine they want permission to interact with. Think password managers needing access to the manager application on the host in order to autofill on the web. As such, in some cases, malicious sites can actually interact directly with binaries on the host, resulting in RCE on the underlying machine. No V8 sandbox escape needed.
  • Evernote RCE: From PDF.js font-injection to All-platform Electron exposed ipcRenderer with listened BrokerBridge Remote-Code Execution - I don't know about you but when we were 15 (or 20...or today years old), but we were not popping RCE on the biggest note taking app in the world. However, @retr0reg posted a write-up detailing how he did just that. In the post, he details how he was able to find a font injection leading to XSS in PDF.js. He was able to leverage this to target the desktop Evernote electron app, in which he did some IPC wizardry to land RCE. Really cool research and a moment of reflection for if we are in the wrong line of work.
  • Fun Bugs - Since this week's newsletter was a little on the "bug-bounty-enterprise-app-../" heavy side, here are some fun bugs that we came across

Interesting Job Postings:

Wrapping Up...

We are a mug selling company now, so it's going fast! Get yours on at https://shop.exploits.club.

Support us through your purchase of a coffee holder

As always, thanks for stopping by. We here at the club are always trying to improve so if you have comments, questions, or suggestions, feel free to shoot us a DM on X (or just drop us a follow if you are feeling generous - we are like 20 away from 1K).

Feel free to join the exploits.club Discord server here 👉 https://discord.gg/2dxN2Gtgpx