Aug 29, 2024 5 min read

exploits.club Weekly Newsletter 36 - Regex Fuzzing, C++ Metadata, Kernel Streaming, And More

You guys published so many bugs this week that I'm not sure there are any left for the rest of us. Not that we would know...we were too busy poorly summarizing your posts to look for any ourselves. Annnnnyways 👇

In Case You Missed It...

Chrome VRP Reward Updates to Incentivize Deeper Research - Chrome updated it's VRP program with updated memory corruption guidelines and payouts. It also updated it's MiraclePtr Bypass Reward to $250,128.
Introducing DistrictCon- In the NOVA area? A new conference is coming to you! This week, DistrictCon was announced, scheduled for February of 2025 in DC. Ticket purchases and the CFP and will be opening soon, so be sure to check it out
C and Assembly Developers - A quick shout-out to an X community dedicated to C and Assembly. We are sure most of you have seen them on your TL already, but if not admin @7etsuo is constantly posting high-quality content and lectures, including original articles such as this one on Linux process memory layout.

Resources And Write-Ups From This Week:

Ring Around The Regex: Lessons learned from fuzzing regex libraries (Part 2) - Everyone's second favorite club is back this week with a new fuzzing post. In Part 2 installment into the regex fuzzing series, @addisoncrump_vr continues his journey breaking down the uses and limitations around fuzzing, specifically in the context of evaluating regex libraries. This time, he looks at PCRE2. The library is already in OSS-Fuzz, but as Addison explains, this doesn't mean all hope is lost. The post then discusses some challenges, including an interesting insight into how coverage-guided fuzzing doesn't reflect a code region's behavior. Overall, the fuzzer found a handful of non-critical bugs - which sparked some additional philosophical questions touched on towards the end of the post.
C++ Unwind Exception Metadata: A Hidden Reverse Engineering Bonanza - An exceptionally well-written post from @RolfRolles was released this week discussing how C++ exception metadata is a wealth of information when it comes to reversing. In particular, the post looks at wind and unwind metadata, which the compiler includes to ensure deconstructors are called in the case of an exception. This metadata includes the deconstructor for each of the individual subobjects within the struct, which can be useful for type information, struct nesting recovery, and inheritance relationships.
Sky's the Limit: Quick Analysis and Exploitation of a Chrome ipcz TOCTOU Vulnerability - Binary Gecko released a quick overview for a vulnerability in the new IPC mechanism in Chrome. The core issue stems from the fact that a pointer to shared memory is used in serialized mojo messages, breaking the fundamental assumption that these messages cannot be changed. The post explores how to take advantage of this, running into multiple dead-ends before discussing how to take advantage of Pickle in Channel the Interface of MessagePipeReader, which provides a heap overflow primitive via a TOCTOU.
OpenSSH Backdoors - Everyone's favorite blogger, @benhawkes returned to the Isosceles blog this week to write about the OpenSSH backdoor...and maybe not the one you are thinking of. The post examines a backdoor attempt of the critical software back in 2002 and compares the similarities and differences to the 2024 xz-util debacle. The biggest takeaway? Supply chain security is a real mess.
From Pwn2Own Automotive: Taking Over the Autel Maxicharger - A short post from ZDI which briefly touches on two vulnerabilities identified in the Autel Maxicharger firmware during Pwn2Own automotive earlier this year. The first bug was a straightforward overflow in BLE message parsing, and the second was a hardcoded backdoor in the WiFi authentication. The post does a bit of patch diffing to show the introduced fixes but doesn't touch on anything related to exploitation.
Meta Bug Bounty: Fuzzing "netconsd" for fun and profit - Two nice, bite-sized fuzzing posts from @Fady_Othman detailing his fuzzing journey with netconsd. Part 1 starts with a quick explanation of the motivations behind the project before reviewing how to find the relevant packet parsing code. From there, he gets a harness set up and lets the fuzzer start running. Part 2 walks through improving the fuzzer with additional insight into how the target itself actually works. Future parts are expected to cover a heap overflow the fuzzer found, so we look forward to that.
CVE-2024-37079: VMware vCenter Server Integer Underflow Code Execution Vulnerability - ZDI released a write-up this week detailing CVE-2024-37079, a integer underflow in VMware vCenter. The post starts with a quick overview of the software and some technical aspects that allow it to operate, namely DCERPC. It then examines how a specially crafted DCERPC can lead to an integer underflow. It's a technically heavy post, but it's worth a read.
SSD Advisory: Linux Kernel taprio OOB - We have covered a few of the bugs from TyphoonPWN 2024, and this week we got a write-up for a Linux LPE entry. The vulnerability manifests from a logic bug, eventually leading to an OOB access. An attacker can pass an arbitrary mqprio to the kernel, which begs the question...what can we do with that? The post walks through a code path where the the value will be propagated for "direct PC-control", so that's pretty cool. As usual with SSD Advisories, complete exploit code is included.
Streaming vulnerabilities from Windows Kernel (Part 1): Proxying to Kernel - DEVCORE took to the internet this week to give you one of the best Microsoft Kernel Streaming Service overviews that exist on the web at the moment. The post looks at the attack surface as a whole, including a brief review of two previous vulnerabilities. It then does a deep dive into Kernel Streaming, looking at the core functionality, how we interact with the devices, and its architecture from an attacker's point of view. Finally, the post reviews the vulnerability and exploit the team used in Pwn2Own 2024. It's a banger of a post; we highly recommend checking it out.

Interesting Job Postings:

Lead Security Researcher @ NCC Group (Remote)
Senior Software Security Compiler Engineer @ NVIDIA (On-Site: Redmond, WA)
Offensive Cyber Research @ RTX (On-Site: Cambridge, MA)
Reverse Engineer @ Caesar Creek (On-Site: Miamisburg, OH)
Security Researcher, Platform Architecture @ Apple (On-Site: Cupertino, CA)

Wrapping Up...

As always, thanks for stopping by. We here at the club are always trying to improve so if you have comments, questions, or suggestions, feel free to shoot us a DM on X or email info@exploits.club.

We sell mugs, and personally we have seen a drastic uptick in bugs since using ours. Get yours on at https://shop.exploits.club.

Support us through your purchase of a coffee holder

Feel free to join the exploits.club Discord server here 👉 https://discord.gg/2dxN2Gtgpx

Same time next week? See you then 🏴‍☠️