exploits.club Weekly Newsletter 34 - V8 Confusions, Smart Speaker Spying, Summer Camp Round-Up, And More
Hope everyone has recovered from their 4-day hangover - you know... the one that makes you realize you must have had superpowers back in college. Anywayssss
In Case You Missed It...
- Why exploits prefer memory corruption - This short fun post came out earlier this week and talks about why most ITW exploits still target memory corruption. Contrary to popular belief, it's actually not because it gives you a superiority complex or lets you look down upon those who use Burp as a weapon of choice.
- The August 2024 Security Update Review - ZDI is back with a round-up of this month's Adobe and Microsoft bugs. 6 Microsoft bugs under active exploitation, and a handful of other crits including IPv6 showing its true colors. Adobe also had some patches, a few of which are in the more interesting targets (Acrobat and Reader), but nothing under active exploitation.
- Getting Started With Hardware Hacking - Inspired by some recent research? Looking to get into ripping devices apart? @wrongbaud put together a great Twitter thread on where to get started!
Resources And Write-Ups From This Week:
- From object transition to RCE in the Chrome renderer - Be honest with us...is the last @mmolgtm write-up still in your backlog? Before you could even find the time to read about his last v8 bug and exploit, he's already found and exploited another one. Makes you question your career path, doesn't it? Anyyyyways you can wipe away those tears with this sweet type-confusion blog post. As usual with his posts, we start with an overview of object map and map transitions in v8, so no major browser pre-reqs are required. After that, the post goes over the vulnerability which results in the confusion of a fast map and a dictionary map and discusses how that can be leveraged into arbitrary read/write within the v8 heap. Finally, the post rounds off with a V8 sandbox escape, courtesy of a type confusion in a Blink object via the arbitrary heap write. Don't worry, by the time you read this one he will have probably dropped a new GPU bug.
- How we found and fixed an eBPF Linux Kernel Vulnerability - The security engineering team at Google released a blog this week detailing how they found and fixed CVE-2023-2163, an eBPF verifier bug resulting from incorrect pruning. The post starts with a bit of context, explaining the background behind eBPF, and why it has been an attractive target for researchers (Look no further than EC 30, where we covered CVE-2024-41003). The write-up then quickly touches on the creation of Buzzer-the-fuzzer, before taking a look at how eBPF path pruning actually works. This gets us to the team's RCA of the fuzzer bug, which results from the incorrect preciseness assumption. The post then goes into exploitation, explaining how to take the register which is assumed to be 0 and leverage it to overflow the stack, obtain arbitrary R/W, leak the eBPF map, and defeat KASLR. They also include a full exploit PoC.
- You Can't Spell WebRTC without RCE: Part 3 - The running Signal hacking blog series out of Margin has finally reached its conclusion. In this last installment, the team reflects on the previous two posts and talks through indicators of compromise. In particular, the post notes some of the limitations behind the current exploit such as using a debug build of Signal, limits on data exfiltration packets, and using a virtual device for a thrower. It then jumps into IOCs from an interface, process, and network traffic perspective. It's an interesting post that makes you consider the steps behind productizing an exploit...or detecting them.
- SSD Advisory: Google Chrome RCE - An RCA and exploit for a type confusion bug identified during TyphoonPWN 2024. The post walks through the vulnerability, which is a type confusion between a canonicalized type id and wasm::HeapType. This bug can be elevated to an arbitrary type confusion between WASM objects. The post goes on to say that leveraging this into basic exploit constructs was very similar to @_manfp's Pwn2Own winning exploit. The last step is to escape the V8 sandbox, which was successfully done by abusing PartitionAlloc.
- Listen Up: Sonos Over-The-Air Remote Kernel Exploitation and Covert Wiretap - NCCGroup (more specifically, @alexjplaskett and @robHerrera_) released a 40-page whitepaper ahead of their BlackHat talk covering their exploitation of 2 Sonos speakers. The paper first walks through the stack overflow identified in the Sonos One's wireless kernel driver while handling WPA2 handshake negotiations. They discuss how they narrowed the attack surface, identified and triggered the bug, complications with exploitation, and post-exploitation techniques to capture audio on the victim device covertly. The second part of the paper talks through 3 bootloader vulnerabilities which not only allow for persistent code execution, but also the ability to dump the OTP data to decrypt future firmware updates. The paper is well written and extremely thorough, we highly recommend everyone give it a read.
- Writing a PE Loader for the Xbox in 2024 - Everyone loves a good console security write-up. This week, @landaire released a post about his challenges writing a PE loader for the Xbox One. The idea stemmed from @carrot_c4k3, whose Xbox One exploit we covered a few weeks ago. After getting arbitrary read/write, she was looking for a way to load executables to help simplify the exploit development pipeline. Landaire takes us through his journey of working on building out the loader, complete with some weird internal Rust-isms, hot patches for CLI arguments and a list of remaining TODOs.
- Hacker Summer Camp Round-Up - Look, unfortunately your friendly author and editor is not built of time. As such, when 3 conferences happen simultaneously and research gets dumped by the 100s...well here are some of the things that look interesting:
- Modern Anti-Abuse Mechanisms in Competitive Video Games at Black Hat 2024
- The Way to Android Root: Exploiting Your GPU on Smartphone
- All Your Secrets Belong to Us: Leveraging Firmware Bugs to Break TEEs
- Bugs of Yore: A Bug Hunting Journey on VMware's Hypervisor
- Bypassing ARM's Memory Tagging Extension with a Side-Channel Attack
- Remote, One-Click, Breaking through Smartphones via a Non Well-Known Remote Attack Surface
- Super Hat Trick: Exploit Chrome and Firefox Four Times
- PageJack: A Powerful Exploit Technique With Page-Level UAF
- Microarchitecture Vulnerabilities: Past, Present, and Future
- Exploiting Android's Hardened Memory Allocator
Interesting Job Postings:
- Mobile Vulnerability Researcher @ Magnet Forensics (Remote)
- Vulnerability Researcher @ Exodus Intelligence (Remote)
- Senior Security Researcher @ Chameleon Consulting Group (On-Site: Herndon, VA)
- Software Security Compiler Engineer @ NVIDIA (Remote)
- Senior Staff Security Researcher, Device Security @ Google (On-Site: Kirkland, WA)
Wrapping Up...
As always, thanks for stopping by. We here at the club are always trying to improve so if you have comments, questions, or suggestions, feel free to shoot us a DM on X (or just drop us a follow if you are feeling generous - we just broke 1k so we are feeling official).
We sell mugs, and personally we have seen a drastic uptick in bugs since using ours. Get yours on at https://shop.exploits.club.
Feel free to join the exploits.club Discord server here: https://discord.gg/2dxN2Gtgpx
Same time next week? See you then.