exploits.club Weekly Newsletter 32 - Popping Basebands, Pwnie Nominated PrivEscs, The Compiler Landscape, And More

Apparently a few of you took our joke too far last week...when we said we are just as capable of hallucinating on V8 internals as an LLM, that was not a challenge. Hearts and prayers out to all you vuln management teams in the age of average LLMs. Annnnnyways 👇

In Case You Missed It...

Resources And Write-Ups From This Week:

  • Multiple Vulnerabilities in the Deep Sea Electronics DSE855 - ZDI put out a post this week walking through a handful of vulnerabilities reported in a communications device developed by Deep Sea Electronics. These vulnerabilities are 0-days at the time of release because Deep Sea missed the 120-day patch deadline set by ZDI. The post does a quick overview of the device's hardware and software before jumping into a rundown of the rather straightforward vulns...some missing auth checks, stack overflows, and a DoS bug just for good measure. This is your wake-up call to go buy embedded devices and get some wins.
  • Racing round and round: The little bug that could - @chompie released a write-up detailing her Pwn2Own winning, Pwnie nominated bug in Windows Streaming Service. The post not only serves as a wonderful technical reference, walking through the logic error which led to the UAF, but also takes you through the more...abstract...skills associated with good vuln research: subsystem selection, going with your gut, spotting things which are fishy, etc. The core bug itself stems from the failure to set a certain pointer to null during an object's release, leading to the potential re-release of the same object, causing a UAF. The post also goes through a retrospective to see when the bug was first introduced before concluding with the patch (spoiler: it's not great). We are looking forward to the next installment on exploitation!
  • corCTF 2024: trojan-turtles writeup - We love a good CTF write-up and this post from @zolutal is just that. The Shellphish member detailed his solution for trojan-turtles, a KVM challenge featured in corCTF 2024. The write-up begins with an overview of KVM, providing a great primer for those unfamiliar. It then details the solution itself, starting with a diff of the two provided kernel modules, identifying the backdoor, and hitting the vulnerable code path. The post ends with a deep-dive on exploitation, in which the Extended Page Table is modified to map the host's address space into the guest.
  • Heap exploitation, glibc internals and nifty tricks - Continuing on the CTF write-ups theme, Quarkslab walks through a heap challenge in their most recent blog post, using it as an opportunity to give a detailed rundown of internals and exploitation techniques. It offers a primer on GLIBC malloc internals, explaining heap implementation and common exploitation techniques. It then builds on this foundational information, walking through the HITCON qualifiers challenge which required a combination of techniques to be solved. If you are looking to get up to speed quickly on heap exploitation, this is a great place to start.
  • Unburdened By What Has Been: Exploiting New Attack Surfaces in Radio Layer 2 for Baseband RCE on Samsung Exynos - Following up their three-part blog series about Full Chain Baseband exploits from late last year, Taszk is back with more baseband goodies this week. In their new post, the team explains an exploit they developed to achieve RCE on Samsung Exynos basebands by targeting Radio Layer 2. The post starts with some details about Layer 2 and continues on to talk about the two bugs they identified. Used in conjunction, the bugs give them a relatively strong heap overflow primitive. Before going into the exploitation, the post talks through baseband heap internals, discussing the front-end and back-end allocators, as well as the classic heap exploit technique the back-end allocator is susceptible to. It then continues onto exploitation, walking through heap shaping and overcoming mitigations before concluding with a demo.
  • 21 compilers and 3 orders of magnitude in 60 minutes - While not new, this deck resurfaced on X this week and we figured it would be worth sharing for those who have not seen it. The slides from Rust creator Graydon Hoare walk through the landscape of compilers, touching on design choices, history, and the potential future of the area. It hits all the big players and quite a few we doubt you have seen or heard of.
  • Windows Security best practices for integrating and managing security tools - Thought you were done hearing about CrowdStrike? Welllll not quite yet. This post out of Microsoft talks about the root cause from their perspective, going over a quick RCA and comparing their findings with the Preliminary Post Incident Review. After digging into the crash dumps, the post goes on at a high level to discuss why security tools leverage kernel drivers, and how a little oopsie which caused me and half of America to miss a flight might be prevented in the future.
  • Fun Bugs
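To make the Windows Streaming Service bug class from the @chompie write-up concrete, here is an added toy model (our own illustration, not code from the write-up): an owner drops its reference on release but never nulls its pointer, so a second release call touches an already-released object. The fixed variant clears the owning pointer first. All type and function names are assumptions, and the "freed" flag stands in for the allocator so the model runs without a real double free.

```c
#include <stddef.h>

/* Constructed model of the release logic error: refcount plus a flag that
 * stands in for "this allocation has been handed back to the allocator". */
typedef struct {
    int refcount;
    int freed;
} Object;

typedef struct {
    Object *obj;        /* owning pointer that should be nulled on release */
} Owner;

/* Returns 1 when a release hits an object that is already gone (UAF), else 0. */
static int object_release(Object *o) {
    if (o->freed)
        return 1;       /* use-after-free: the object was released earlier */
    if (--o->refcount == 0)
        o->freed = 1;   /* in real code this is where free() happens */
    return 0;
}

/* Buggy: drops the reference but leaves owner->obj pointing at the dead object,
 * so the next release of the same owner re-releases it. */
static int owner_release_buggy(Owner *w) {
    return w->obj ? object_release(w->obj) : 0;
}

/* Fixed: detach the pointer before dropping the reference; a repeat release
 * then finds NULL and is a harmless no-op. */
static int owner_release_fixed(Owner *w) {
    Object *o = w->obj;
    w->obj = NULL;
    return o ? object_release(o) : 0;
}

/* Releases the same owner twice (the race/logic path in the write-up collapsed
 * to a loop) and returns how many releases landed on a freed object. */
static int double_release_demo(int use_fixed) {
    Object obj = { .refcount = 1, .freed = 0 };
    Owner w = { .obj = &obj };
    int bad = 0;
    for (int i = 0; i < 2; i++)
        bad += use_fixed ? owner_release_fixed(&w) : owner_release_buggy(&w);
    return bad;
}
```

The buggy path reports one bad release (the second call), the fixed path reports none while the object is still released exactly once.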

Interesting Job Postings:

Wrapping Up...

As always, thanks for stopping by. We here at the club are always trying to improve so if you have comments, questions, or suggestions, feel free to shoot us a DM on X (or just drop us a follow if you are feeling generous - we just broke 1k so we are feeling official).

We sell mugs, and personally we have seen a drastic uptick in bugs since using ours. Get yours on at https://shop.exploits.club.

Support us through your purchase of a coffee holder
Feel free to join the exploits.club Discord server here 👉 https://discord.gg/2dxN2Gtgpx

Same time next week? See you then 🏴‍☠️