exploits.club Weekly Newsletter 33 - CPU Vulns, Breaking Samsung Bootloaders, Tony Hawk Pro Skater, And More
Happy Hacker Summer Camp week! It's a shame that DEFCON was canceled, but don't worry because we are throwing a party at the pool on the roof. Annnnnyways 👇
In Case You Missed It...
- August Android Security Bulletin - The most interesting thing from this month's bulletin appears to be a UAF in the kernel which was under "limited, targeted" exploitation in the wild as identified by TAG. Also quite a few "High" framework EoPs.
- Samsung Mobile Security Rewards Program Increases Bounties - This week, Samsung increased payouts by 5x, resulting in a potential maximum bounty of $1mil.
- Some Thoughts on Worker Ownership - Not particularly technical, but research firm Atredis Partners is now 100% employee owned, and the CEO released a blog post detailing the reasoning behind the decision and the administrative roadblocks encountered along the way.
- CrowdStrike External Root Cause Analysis - For those of you who weren't chill with the explanation of a "memory corruption error" being the cause of the CrowdStrike madness, a full RCA has finally been released which is sure to make you...even less chill. Honestly, we are tired of answering questions about it from our friends and family since we are the "security people", so hopefully this puts the whole thing to bed.
Resources And Write-Ups From This Week:
- Windows AppLocker Driver LPE Vulnerability: CVE-2024-21338 - In their first technical blog post, Crowdfense walks through a Windows vulnerability originally made famous by the Lazarus FudModule rootkit. The admin-to-kernel privesc results from an untrusted pointer dereference in the appid.sys driver. The post briefly touches on the vulnerability before jumping straight into exploitation. While the bug gives complete control of the instruction pointer, bypassing SMEP and kCFG requires a data-only attack. The post concludes with two different demos, each leveraging a slightly different exploit technique.
- FAQ: The tragedy of low-level exploitation - @gynvael took to his blog this week to discuss one of the most common questions he receives: "how do I make a career out of low-level exploitation?" The well-thought-out post discusses the different career paths available to those interested in low-level security, centering around the fact that there is no silver bullet, and one potentially has to make certain trade-offs in either their specific focus area or their comfort working at the hand of certain three-letter agencies. The post is worth a read for anyone, especially if you want to turn pwn-chals into a career.
- When Samsung meets MediaTek: the story of a small bug chain - We are only 2 months late to this one, but who can blame us given the amount of content Quarkslab has continued to turn out? In this paper, the team walks through the research they conducted against low-end Samsung devices, specifically targeting the JPEG logo parsing of the bootloader. The first half of the post walks through the RE process, identification of a heap overflow, and exploitation to achieve full control over Normal World Exception Levels 1 and 0. It then discusses an Odin authentication bypass, which actually allows the malicious JPEG to be flashed to the device. The second half of the post looks at targeting the TEE, and identifies a memory leak which allowed the retrieval of keystore keys once they are loaded into Secure World RAM.
- GhostWrite CPU Vulnerability - New research published this week details a vulnerability affecting certain RISC-V CPUs. Specifically, the vulnerability allows arbitrary read and write of any physical memory address. The bug stems from faulty instructions in the vector extension, which operate directly on physical memory. An unprivileged attacker can use these instructions to write to any memory address with 100% reliability. One of the more interesting parts of this vulnerability was the method of discovery used by the team, which they outline in the associated paper. The team runs the same instructions across multiple CPUs, all of which should produce the same results if they are implemented to spec. If they don't... well, that might be a good spot to investigate.
- Breaking Barriers and Assumptions: Techniques for Privilege Escalation on Windows: Part 3 - ZDI is back this week with their third installment of the ongoing Windows PrivEsc series, this time discussing a technique for leveraging an on-boot delete primitive to abuse the Windows Task Scheduler. The core idea centers around the fact that the Task Scheduler "does not validate mount points before it deletes the corresponding .job file from the C:\Windows\Tasks" directory, and that this directory is writable by a standard user. Furthermore, it uses a hidden file, SA.DAT, to prevent the user from converting the directory to a junction. As such, a user can abuse an on-boot delete primitive to delete SA.DAT and privesc. The post then talks about the difficulties the team has had with vendors in reporting several of these privescs, and why many of the bugs reported in the series remain unpatched.
- Tony Hawk's Pro Strcpy - Look, we have some fond memories associated with the Tony Hawk's Pro Skater series. We also have some fond memories of the PS2, which GrimDoesStuff clearly does not share. But in his recent upload, Grim walks us through a vulnerability he found and exploited in Tony Hawk's Pro Skater. The bug is an overflow stemming from an unchecked strcpy when naming a super sick gap you created. He demonstrates how this can be used to jailbreak the console remotely by playing with friends who have a modified version of the game set up. While the video primarily focuses on the uses for the exploit, the full write-up can be found here.
- You Can't Spell WebRTC without RCE: Part 2 - Margin Research returns with part 2 of the Signal security research blog series they started last month. The new entry into the series builds on the previous, taking the N-day vulnerability and walking through how we might go about exploiting it. The post goes in-depth on how we can chain a handful of leaks together to obtain addresses we will need to break ASLR and continue with exploitation. The post also touches on the limitations of the emulator, as the memory layout is not fully representative of a physical device. As such, the team pivots to Corellium before explaining how a ROP chain can be built to obtain RCE.
Interesting Job Postings:
- Vulnerability Research and Reverse Engineer Intern @ Tesla (On-Site: Palo Alto, CA)
- Principal Zero-Day Vulnerability Researcher @ Zscaler (On-Site: San Jose, CA)
- Senior Mobile Anticheat Engineer @ Epic Games (On-Site: Cary, NC)
- Sr. Security Software Engineer @ SpaceX (On-Site: Washington, DC)
- Principal Offensive Security Researcher @ Oracle (On-Site: Denver, CO)
Wrapping Up...
As always, thanks for stopping by. We here at the club are always trying to improve so if you have comments, questions, or suggestions, feel free to shoot us a DM on X (or just drop us a follow if you are feeling generous - we just broke 1k so we are feeling official).
We sell mugs, and personally we have seen a drastic uptick in bugs since using ours. Get yours at https://shop.exploits.club.
Feel free to join the exploits.club Discord server here 👉 https://discord.gg/2dxN2Gtgpx
Same time next week? See you then 🏴☠️