
exploits.club Weekly Newsletter 37 - Juicy Overflows, The Art Of Exploitation, Rust in Firmware, and More

Yeah yeah, the cover image is fall themed and we are still technically 20-ish days away, but who can blame us? Everyone knows Starbucks is the real decider on the start of fall, and we are already using PSLs to fuel our long bug hunting days. Annnnnyways 👇

In Case You Missed It...

Resources And Write-Ups From This Week:

  • Pwn2Own Automotive 2024: Hacking the JuiceBox 40 - Following last month's write-up covering their ChargePoint Home Flex exploit, Sector 7 returned this week to dump the juicy details on another of their Pwn2Own Automotive vulnerabilities - a stack overflow in the JuiceBox 40. The post starts with some background on the device, its custom OS, and the associated devkit, then details the vulnerability in the custom system messaging functionality. Essentially, the code performs a size check on the raw input string but doesn't account for the expanded length of tag outputs (such as @t, which inserts a 23-byte timestamp), so a short input that passes the check can still overflow the stack buffer once the tags are expanded. The team then talks exploitation, overwriting PC with a controllable destination in flash. Unfortunately, the bug resulted in a collision, but it made for a great write-up nonetheless.
  • 4 exploits, 1 bug - Exploiting CVE-2024-20017 4 Different Ways - Getting around various mitigations and remembering exploit strategies can be quite the challenge. Thankfully, @hyprdude's most recent post should help you out. The write-up walks through a stack overflow he found in the MediaTek MT7622/MT7915 SDK. It gets fun, though, because he wrote 4 different exploits, each leveraging a different strategy depending on the mitigations in place. Starting with no mitigations (ROP to system, baybee), the post works up to his working exploit for the Netgear WAX206 (NX, ASLR, PIE, full RELRO). It's a banger of a post, check it out.
  • CVE-2020-27786 (Race Condition + Use-After-Free) - We love a post that talks methodology, but we also love a post that gets right into the nitty-gritty details. This new one from @ii4gsp is very much the latter, walking through his exploit technique for CVE-2020-27786, a use-after-free caused by a race condition in Linux's MIDI driver. The post quickly covers the root cause and the patch before diving into exploitation. He bypassed KASLR with msg_msg and used tty_struct in combination with a spray of a ROP chain and a fake function table to successfully escalate privileges.
  • CVE-2024-5274: A Minor Flaw in V8 Parser Leading to Catastrophes - The team at DARKNAVY published their root cause analysis and PoC for CVE-2024-5274, an ITW type confusion which was patched earlier this summer. The post starts with a review of the small patch and a root-cause analysis of the bug before looking at how to trigger the vulnerability and generate inconsistent bytecode. It then detours slightly to discuss methodology and the failures that led the team to the eventual working payload. After that, it discusses exploitation. @mistymntncop also took to X after the issue page was made public to release a PoC crafted by him and @buptsb.
  • Dissecting the CVE-2024-38106 Fix - @b1thvn_ and Pixiepoint Security rolled out a "just the facts" blog on the ITW vuln CVE-2024-38106 which Microsoft patched last month. The post starts with a quick bindiff to show the security-relevant changes in the patch and gives a quick overview of the race condition, which leads to a UAF. It ends with a crash PoC and a full crash dump should anyone be interested in continuing the research and carrying out a full RCA or exploit.
  • Deploying Rust in Existing Firmware Codebases - The Android team over at Google released a practical walkthrough for deploying Rust into existing firmware codebases. The post walks through the potential use cases and challenges, what components might make good candidates for replacement, how to pick a well-maintained, no_std compatible crate (or port one) for standard parsing operations, and more. It then talks about additional technical considerations that should be reviewed when attempting to create a 1-for-1 drop-in replacement where your C/C++ once stood and some final comments on memory safety.
  • A Deep Dive into the CoSoSys EndPoint Protector Exploit: Remote Code Execution - Theori detailed 4 vulnerabilities in the CoSoSys EndPoint Protector which they found during a recent engagement...ironically, it did not serve as much of a "data loss prevention" tool in this case. The vulnerabilities allowed for a complete takeover of both the clients and the server. Leveraging a path traversal on the server, the team could upload a webshell. They then documented 3 ways this newfound access could be abused to take over all the connected clients.
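The JuiceBox 40 bug above is a pattern worth seeing in code. The following is an added example, not Sector 7's code and not the JuiceBox firmware, that reconstructs the shape of the bug from the write-up's description: a message formatter that size-checks the raw input string but expands the @t tag into a 23-byte timestamp. The 64-byte buffer size, the timestamp value, and all function names are assumptions made for the example. The hardened version beside it gates every write on the remaining capacity of the destination instead.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define MSG_BUF 64   /* assumed on-stack message buffer size (not from the write-up) */
#define TS_LEN  23   /* "@t" expands to a 23-byte timestamp, as described in the write-up */

/* Constructed stand-in for the device clock: exactly TS_LEN characters. */
static const char *fake_timestamp(void) {
    return "2024-09-03 12:34:56.789";
}

/* Length the formatter will actually emit for `in`, counting tag expansion.
 * This is the number the size check should have compared against MSG_BUF. */
size_t expanded_len(const char *in) {
    size_t n = 0;
    for (const char *p = in; *p; p++) {
        if (p[0] == '@' && p[1] == 't') { n += TS_LEN; p++; }
        else n++;
    }
    return n;
}

/* The bug pattern: the only size check is on the raw input; the expansion
 * loop then writes into a fixed stack buffer unchecked. "@t@t@t@t" is 8
 * bytes, passes the check, and expands to 92, i.e. 28 bytes past the end.
 * Only call this with inputs whose expanded_len() fits; the overflow is UB. */
int vuln_format(const char *in) {
    char buf[MSG_BUF];
    size_t used = 0;
    if (strlen(in) >= MSG_BUF) return -1;        /* raw length only */
    for (const char *p = in; *p; p++) {
        if (p[0] == '@' && p[1] == 't') {
            memcpy(buf + used, fake_timestamp(), TS_LEN);
            used += TS_LEN;
            p++;
        } else {
            buf[used++] = *p;
        }
    }
    buf[used] = '\0';
    return (int)used;
}

/* Hardened formatter: every write is gated on the remaining capacity of the
 * destination, so tag expansion can never exceed it. Returns bytes written
 * (excluding the NUL) or -1 if the expanded message would not fit. */
int format_message_safe(char *out, size_t cap, const char *in) {
    size_t used = 0;
    if (cap == 0) return -1;
    for (const char *p = in; *p; p++) {
        size_t room = cap - 1 - used;            /* keep one byte for the NUL */
        if (p[0] == '@' && p[1] == 't') {
            if (TS_LEN > room) return -1;
            memcpy(out + used, fake_timestamp(), TS_LEN);
            used += TS_LEN;
            p++;
        } else {
            if (room == 0) return -1;
            out[used++] = *p;
        }
    }
    out[used] = '\0';
    return (int)used;
}

/* Convenience: format into a local MSG_BUF-sized buffer; length or -1. */
int format_into_msg_buf(const char *in) {
    char buf[MSG_BUF];
    return format_message_safe(buf, sizeof buf, in);
}

int main(void) {
    const char *evil = "@t@t@t@t";               /* constructed 8-byte input */
    printf("raw=%zu expanded=%zu buf=%d -> raw check %s, safe formatter returns %d\n",
           strlen(evil), expanded_len(evil), MSG_BUF,
           strlen(evil) < MSG_BUF ? "passes" : "fails",
           format_into_msg_buf(evil));
    return 0;
}
```

Four @t tags are 8 raw bytes, so the raw-length check accepts them, yet they expand to 92 bytes plus a terminating NUL, well past a 64-byte buffer. The general fix is to check the expanded size rather than the raw size, either by computing expanded_len() up front or, as format_message_safe does, by accounting for capacity at every write.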

Interesting Job Postings:

Something New Is Coming...

As we alluded on X earlier this week, we have a pretty cool project we are working on for you all. If all goes according to plan, it should be launched on our X account next week (and in the subsequent newsletter...obviously).

Wrapping Up...

As always, thanks for stopping by. We here at the club are always trying to improve so if you have comments, questions, or suggestions, feel free to shoot us a DM on X, or email info@exploits.club.

We sell mugs, and personally we have seen a drastic uptick in bugs since using ours. Get yours at https://shop.exploits.club.

Feel free to join the exploits.club Discord server here 👉 https://discord.gg/2dxN2Gtgpx

Same time next week? See you then 🏴‍☠️