exploits.club Weekly Newsletter 30
Don't worry - the two week period where you feel guilty for hacking instead of going outside is officially over. Now that it's 112 degrees everyday here in the US (yes...fahrenheit), you are officially safe to enjoy your reverse engineering tool of choice coughbinjacough from indoors...guilt free. Annnnnnnyways 👇
In Case You Missed It...
- Uncoordinated Vulnerability Disclosure: The Continued Issues With CVD - ZDI came forward this week to discuss the inherent issues with coordinated vulnerability disclosure, and the roadblocks they have both seen and run-into personally. The post primarily discusses the issues with Microsoft specifically, but explains the problems are not only localized to them. It concludes with some open-ended questions which may explain why CVD isn't working.
- Kernel exploit for Xbox SystemOS using CVE-2024-30088 - @carrot_c4k3 and @landaire released an exploit for SystemOS on Xbox One/Series X consoles. The exploit is specifically for CVE-2024-30088.
- Pwn2Own Ireland Announced - Everyone's favorite hacking competition is back, this time in a new location. This year will feature WhatsApp, a return of the SOHO smashup, and all the classics.
Resources And Write-Ups From This Week:
- Pwn2Own Automotive: CHARX Vulnerability Discovery - Ret2 Systems is back with a new blog post detailing the vulnerabilities they found and exploited in the CHARX SEC-3100 for Pwn2Own Automotive. The post starts with an enumeration of the device's attack surface before explaining why the team decided to focus on the Controller Agent. It then dives into the vulnerability research aspect, discussing how the Controller Agent works, what protocols it speaks, and finally, the discovery of a null deref bug in the Agent's HomePlug parsing. The post then details a second bug, a UAF during the process teardown due to some specific nuances of C++ deconstructors. Part 2 will be released soon, explaining the exploit, but if you are eager, Ret2 put a replica challenge on their WarGames platform.
- Jailbreaking RabbitOS: Uncovering Secret Logs, and GPL Violations - The Rabbit R1 has been under fire recently for just all around sucking - from a product, technology, and security point of view (the holy trinity!). @David3141593 decided to get in on the fun this week, releasing a post about his efforts in jailbreaking the device. The write-up outlines the hardware and boot process of the R1 before detailing how he broke the root of trust via the USB bootloader mode, which accepts unsigned Download Agents. From there, he could backdoor the device with flashable-android-rootkit and dig into the device's internals. The rest of the post discusses his findings so far, both in terms of data privacy and technical claims from the Rabbit team.
- Pwn2Own: Pivoting from WAN to LAN to Attack a Synology BC500 IP Camera, Part 2 - Last week, we covered the first entry in the blog series discussing Claroty Team82's SOHO smash-up exploit chain at Pwn2Own 2023 Toronto. This week, the team released a follow-up post walking through the vulnerability and exploit for the Synology BC500 IP camera. Specifically, the team identified a parsing bug in one of the web-interface's C/C++ based CGI executables, which was reachable via an HTTP endpoint. The vulnerability itself was a stack-based buffer overflow resulting from a
sscanf
call. The write-up then dives into exploiting this bug, starting with brute forcing ASLR, explaining the target function pointer to overwrite, and then discussing the challenges associated with building the exploit payload itself. - Linux Kernel: Vulnerability in the eBPF verifier register limit tracking - @thatjiaozi published an interesting eBPF vulnerability on the Google Security Research Github repo earlier this week. The bug itself was identified via a modified version of buzzer, and allows "an attacker to trick the eBPF verifier into thinking a register has a value different from the one it takes when executing the program". Essentially, the verifier attempts to keep track of the minimum and maximum value a specific register can hold, and this bug allows that assumption to be broken, leading to arbitrary R/W in kernel memory.
- Return of the JIT - A short fun and short post from @_winterknife_ discussing recent changes to the behavior of the V8 optimizer toggle in Chrome. Previously, individuals were using this toggle as a means disabling JIT and switching V8 to interpreter-only mode. However, since late June, the behavior of this toggle was changed to only disable the 2 higher tiers of JIT compilation, leaving Sparkplug enabled. The theory is this may have been introduced to not break WASM, but if its something you're worried about, the blog offers a workaround using the
jitless
command-line flag. - Stardew Valley PRNG Seed Cracking - Interrupt Labs shared a post this week walking through the process of cracking the PRNG seed used in the Switch version of Stardew Valley. The post is heavy on reverse engineering, first locating the PRNG functionality by comparing the PC and Switch binary, before giving a detailed walkthrough of the code. The post then uses this RE to develop a seed cracker based on the random "Traveling Cart stock". It finishes with the code release for both a Seed Cracker and a generator.
- Surviving MiraclePtr Navigating of Webp and Beyond by Kira - A new talk went up on the GEEKCON YouTube channel earlier this week which will be sure to please the Chrome fans. The talk first opens with discussion of the webp bug and its exploitation in Chrome. After that, the @0xKira123 discusses the state of mitigations across the Chrome landscape. He notes a handful of places where exploitation has gotten drastically harder but demonstrates three bugs found over the last year to prove that "memory corruption is not dead."
Interesting Job Postings:
- Exploitation Vulnerability Researcher @ Two Six Technologies (On-Site: Arlington, VA)
- Senior Embedded Vulnerability Researcher @ Draper (On-Site: Cambridge, MA)
- Mobile Vulnerability Researcher @ Magnet Forensics (Remote)
- Software Reverse Engineer @ Booz Allen Hamilton (On-Site: Huntsville, AL)
- Senior Anti-Cheat Engineer @ Intrepid Studios (On-Site: San Diego, CA)
Wrapping Up...
We are a mug selling company now, so it's going fast! Get yours on at https://shop.exploits.club.
As always, thanks for stopping by. We here at the club are always trying to improve so if you have comments, questions, or suggestions, feel free to shoot us a DM on X (or just drop us a follow if you are feeling generous - we just broke 1k so we are feeling official).
Feel free to join the exploits.club Discord server here 👉 https://discord.gg/2dxN2Gtgpx