exploits.club Weekly Newsletter 31
A lot of people ask if we use AI for these summaries - nope, we have no problem hallucinating about V8 internals all on our own. Annnnnyways 👇
In Case You Missed It...
- Pwnie Award Nominations Are Live - Lots of great research nominated this year. Check it out!
- PagedOut CFP - Have an idea you want to write about? You should submit it to PagedOut for their fifth edition. The fourth edition, which came out early this summer, can provide plenty of inspiration.
- Getting Started with Exploit Development - Friends of the newsletter Day[0] Sec updated their exploit developer's roadmap earlier this month to include a handful of new resources. If you are interested in getting into the field but aren't sure where to start... well, here you go.
Resources And Write-Ups From This Week:
- You Can't Spell WebRTC without RCE: Part 1 - Ah the zero-click IM RCE - everyone's dream. This week, Margin Research took to their blog to start an exciting new series revolving around security research on Signal. The first entry takes a look at WebRTC. It starts with a deep dive into the underlying protocols before discussing how to set up a research environment. This involves using an iOS target phone and an Android thrower. Finally, the iOS app is injected with vulnerabilities previously discovered by Natalie Silvanovich to demonstrate how they can be triggered from the thrower. A great primer for anyone looking to start attacking IMs, and we look forward to future entries in the series!
- Pwn2Own Automotive: Popping the CHARX SEC-3100 - Last week, we covered Ret2 Systems' blog detailing the discovery of two vulnerabilities in the CHARX SEC-3100 used at Pwn2Own Automotive. This week, the team followed up with details on exploitation. The write-up starts with a bit of a recap, explaining how the primitive gives the ability to traverse a freed list. It then jumps into how they can control a node because iterating over the freed list actually traverses the tcache bin. The post then touches on populating the tcache before talking about the last obstacle in the exploit - ASLR. After a pretty cool "smart-bruteforce", the post rounds out with an explanation of the COP Chain before giving a step-by-step walkthrough of the exploit's flow to put everything together.
- #BadgeLife @ Off-By-One Conference 2024 - Star Labs released a post this week detailing the Off-By-One conference badge. The post looks at how the badge was designed before jumping into the hardware CTF challenges hidden in its little octopus layers. The challenges ranged in difficulty, starting with just checking the USB string descriptor and going all the way up to some basic voltage glitching. The write-up serves as an official solution to all six challenges and could spark some inspiration or learning if you are getting into hardware hacking.
- HITCON CTF QUAL 2024 Pwn Challenge Part 1 - Halloween and v8sbx - @u1f383 wrote a really nice Linux kernel challenge for HITCON CTF QUAL 2024 and then provided us with a lovely official solution on his blog. The challenge itself involves 4 vulnerabilities in a kernel module running network services. After discovering the auth bypass, the race condition, and the info leak, participants had to craft a pretty complex exploit. The post starts with a TLDR on all the information needed, but we highly recommend giving the full write-up a read, as it does an excellent job walking through each vulnerability and its exploitation. Outside of the pwn challenge he wrote, @u1f383 also included, at the end of the post, a write-up and his solution for one of the V8 challenges.
- Hardware and firmware reverse engineering primer: dissecting an FPV and video surveillance platform - As the introduction states, this post out of Subreption is "not-so-short", but it is certainly full of helpful information for those of you who are looking to get into hardware and firmware reverse engineering. The blog's goal was to detail the "general methodology and some specifics of both the hardware and software reverse engineering efforts" for an OEM video sensor platform. It starts with assessing the board, then details extracting the firmware, reversing U-Boot, dissecting the OS, assessing attractive targets, reversing kernel modules, and more. This is one of the more comprehensive posts we have seen when it comes to black-box reversing of a hardware device, so add it to your ever-growing reading list.
- Tech Analysis: Channel File May Contain Null Bytes - In a post that might as well be titled "we are dumb, but not 'a-file-full-of-0s-dumb'", CRWD (-26.50% ⬇) released an interesting tech talk detailing how channel files on disk can appear to be all zeros. This is the result of a file "being written to disk shortly before a machine crashes," and Alex simplified it even more for a layman like us, explaining how it's similar to why you have to eject a USB before removing it: writes are expensive, so sometimes they are delayed. Take that, X. This came out at roughly the same time as the company's official incident report.
- Smoke and Mirrors: Driver Signatures Are Optional - @GabrielLandau's talk from BlueHat IL 2024 was just released on YouTube, in which he discusses a "previously unnamed vulnerability class" in Windows. The talk starts by recapping some of the research Gabriel had previously done and presented at BlackHat, in which he could jump from Admin to Kernel due to false file immutability. In his new research, he applies roughly the same idea to a different security check (security catalogs) and leverages it to load an unsigned driver from userspace.
Interesting Job Postings:
- Senior Security Researcher @ Microsoft (Remote)
- Reverse Engineer and Vulnerability Researcher @ MIT Lincoln Lab (On-Site: Lexington, MA)
- Vulnerability Researcher @ Nightwing (On-Site: Annapolis Junction, MD)
- Vulnerability Researcher @ Plex (On-Site: Annapolis Junction, MD)
- Reverse Engineer @ iCR (On-Site: Louisville, CO)
- Reverse Engineer / Vulnerability Researcher @ Lockheed Martin (On-Site: Hanover, MD)
Wrapping Up...
We sell mugs, and personally we have seen a drastic uptick in bugs since using ours. Get yours at https://shop.exploits.club.
As always, thanks for stopping by. We here at the club are always trying to improve, so if you have comments, questions, or suggestions, feel free to shoot us a DM on X (or just drop us a follow if you are feeling generous - we just broke 1k, so we are feeling official).
Feel free to join the exploits.club Discord server here 👉 https://discord.gg/2dxN2Gtgpx
Same time next week? See you then 🏴☠️