exploits.club Weekly Newsletter 35 - NPU exploits, Phrack 71, 2014 Tablet Hacks, and More
Happy Thursday Exploits Club. Big thank you for all the support you guys and girls have been showing us over the last few weeks. It's what keeps us going (and what gets us up at 5 AM on Thursdays in a panic, realizing we have absolutely nothing prepared). Annnnyways 👇
In Case You Missed It...
- Phrack #71 Is OUT! - It's back and better than ever.
- A Visual Guide To Windows Kernel Mitigations - A cool resource from @f4rmpoet which gives a brief overview of various mitigations and some strategies for bypassing them.
- DefCON Slides - We missed these in last week's slide deck round-up. We particularly liked Xiaomi The Money and The Rise and Fall of Binary Exploitation.
Resources And Write-Ups From This Week:
- Introduction To Windows Secure Channel RCE: CVE-2024-38148 - In a new post this week, @vv474172261 shows us how a DoS bug may actually just be a skill issue. The post takes a look at a UAF in Windows Secure Channel (CVE-2024-38148), walking through a quick patch diff, running through an RCA, and explaining why Microsoft is wrong to think it's not exploitable. The most interesting part of the post, though, is what inspired Victor to look at the patch. Turns out he had previously audited Secure Channel, and he includes some reflections on how he missed the vuln and his takeaways moving forward.
- CVE-2022-22265 Samsung npu driver - Strap in, this bad boy is packed to the gills with technical content. @javierprtd took to the internet this week to walk us through an exploit he wrote for an ITW 0day reported by Google. The post starts with a walkthrough and RCA of the double free in the Samsung NPU driver. It then discusses exploit strategy, and we hit all the good stuff...cross-cache, dirty-pagetable, leaks with pipe_buffer...you name it, it's probably in here somewhere. The post walks all the way through to getting a reverse shell and includes a handful of really great references at the end.
- ioxide: N_GSM 0 day - @roddux dropped what is now a second 0day in n_gsm. Following just a few months after his release of germy, the new repo published this week includes a crash PoC and some notes on the bug itself. The core issue revolves around a race condition leading to a UAF. The notes also include a KASAN splat and some ideas on how a full exploit for this might be written. (Un)fortunately, this was mitigated in a patch released this month.
- SIMurai: Slicing Through the Complexity of SIM Card Security Research - A new paper from @nSinusR et al asks the question: what if a malicious SIM card were a valid attack surface? The paper centers around the release of the team's new tool, SIMurai, a "versatile software SIM implementation that can be integrated into various environments for advanced testing and development." It starts by describing the tool's design and how it implements various technical aspects of the specification. It then jumps into the juicy security research aspects, walking through several threat models and the associated potential attacks. Of note, the team ran a fuzzing campaign against baseband firmware and identified two high-severity vulnerabilities.
- Hacking a 2014 Tablet...in 2024 - A fun post from last month from @r0rt1z2 discussing his successes and failures in hacking the Amazon Fire HD6. The write-up begins with a walkthrough of firmware analysis, rooting the device, and accessing UART. Roger then discusses how he attempted to access bootROM mode, successfully achieving the mark of any good hardware hacking project...killing his first unit. He then pivots to target the preloader, explaining how to leverage a GCPU exploit for arbitrary memory read/write. After failing to dump the bootROM, he decided to upload and execute his own preloader payloads. The post then goes on to discuss how he was able to unlock the bootloader and craft a malicious boot image.
- CVE-2024-38213: Copy2Pwn Exploit Evades Windows Web Protections - This quick hitter out of ZDI takes us through some of the team's recent research into WebDAV. The team notes a recent uptick in threat actors hosting payloads on WebDAV shares, which are accessible directly through Windows Explorer. Files copied from a WebDAV share to the host do not receive a Mark-of-the-Web designation, meaning they bypass the additional security checks normally associated with files downloaded off the internet.
Interesting Job Postings:
- Vulnerability Researcher @ Nightwing (On-Site: St Petersburg, FL)
- Senior Game Application Security Engineer @ Sony Interactive Entertainment (Remote)
- Research Engineer @ Tenable (Remote)
- Principal Researcher (IoT) @ Palo Alto Networks (On-Site: Santa Clara, CA)
- Offensive Cyber Security Researcher @ Riverside Research (On-Site: Lexington, MA)
Wrapping Up...
As always, thanks for stopping by. We here at the club are always trying to improve so if you have comments, questions, or suggestions, feel free to shoot us a DM on X (or just drop us a follow if you are feeling generous - we just broke 1k so we are feeling official).
We sell mugs, and personally we have seen a drastic uptick in bugs since using ours. Get yours at https://shop.exploits.club.
Feel free to join the exploits.club Discord server here 👉 https://discord.gg/2dxN2Gtgpx
Same time next week? See you then 🏴☠️