exploits.club Weekly Newsletter 39 - bug.directory, Fuzzing Successes, SLUB Internals, and More
Hope the rest of you are finding more bugs this week than we are...annnnyways 👇
In Case You Missed It...
- DayZeroSec Returned From Summer Break - The VR podcast is back this week talking through a handful of low-level vulns.
- Welcome to the junkyard, an EOL PwNATHON - Got a good EOL bug? Show it off at DistrictCon! The team announced this week they would be running an "on-stage" competition for "most impactful, creative, or most meme-worthy bugs in end-of-life (EOL) products".
- Guided Hacking Podcast - Zac The Squally Dev - Speaking of podcasts, Guided Hacking just kickstarted theirs with an interview of reverse engineer and education game-dev, @zcanann.
bug.directory:
Last week, we announced bug.directory 🎉 The project is now live and updated weekly! More information is available in our X thread or on bug.directory's home page.
Resources And Write-Ups From This Week:
- Diving into ADB protocol internals: Pt 1 - Chances are pretty high that if you've done any work with Android, you've probably used ADB. But have you ever thought about how it works under the hood? Thankfully, Synacktiv jumped on their blog to answer that question for you. The first post in the series takes a detailed look at the protocol and the client-server relationship. The team then discusses how they implemented the protocol for their open-source Rust crate. Part 2 is expected to talk through useful improvements to their Rust implementation, which we will, of course, summarize here when it's available.
- Reasons for the Unreasonable Success of Fuzzing - This week, the keynote from FUZZING'24 was made available on YouTube. The talk looks at the history of fuzzing in the community and some of the more memorable bugs that helped shape the modern sentiment around the technique. The presentation then attempts to answer why fuzzing continues to be such a successful method for finding bugs. It ends with thoughts on the future of fuzzing, including everyone's favorite topic...AI. On that note, the same channel uploaded another talk from the conference, aptly titled Is "AI" Useful For Fuzzing?
- SLUB Internals for Exploit Developers - The best resource to date on SLUB internals released this week. @andreyknvl (maintainer of the Linux Kernel Exploitation GitHub) released the slides and recording from his talk at Linux Security Summit Europe 2024. He states the talk's goal is to "fill the void" on SLUB internals, as no exploit write-ups cover it in-depth and no developer articles discuss exploitation. It certainly seems to achieve that, walking through the internals and then turning around to explain how they are used and abused within typical bug classes. This is one you're sure to want to bookmark, as you'll probably return to it a few times.
- LLM-based Fuzz Harness generation with OSS-Fuzz-gen - If you've been following any of the OSS-Fuzz news we've covered over the last few months, you may be getting excited about the idea of leveraging LLMs to generate harnesses. This week, YouTube channel AdaLogics released a 30-minute video taking a detailed look at the oss-fuzz-gen repo and demonstrating its usage to generate a simple harness.
- Hyper-V 1-day Class: CVE-2024-38127 - A quick and fun RCA for a recent Hyper-V OOB read patched by Microsoft. The post starts with a quick overview of the vulnerability itself, which occurs in vhdmp.sys and results from the incorrect calculation of an output buffer size, leading to the out-of-bounds read. The post then walks through a quick PoC for the bug before discussing the patch put in place. As the author notes, Microsoft labeled this as severe and potentially usable for an EoP, which might not quite be the case.
- Zero-Click Calendar invite — Critical zero-click vulnerability chain in macOS - What do you get when you don't sanitize the file path associated with Calendar invites? Well, as it turns out, 0-click RCE. This new post from @Turmio_ demonstrates how he was able to do just that, walking through the initial vulnerabilities and all the shenanigans required to escalate them to code exec, bypassing Gatekeeper and TCC along the way. It's a quick read, but certainly one you want to add to your backlog if you plan on doing macOS research.
- The real slim shady || Ivanti Endpoint Manager (EPM) Pre-Auth RCE CVE-2024-29847 - @SinSinology released a post this week detailing a pre-auth RCE he found in...you guessed it...an Ivanti product. The post doubles as a primer on .NET Remoting and its (many) downfalls. Specifically, the post looks at some of the previous work by @tiraniddo and demonstrates how exploitation becomes more constrained when the Low Type Filter is enabled. It then takes Forshaw's 2019 methods and demonstrates how they can be applied directly to the Ivanti vuln, concluding with the release of a limited compiled PoC (sorry, script kiddies).
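The Calendar write-up above boils down to an attachment filename being trusted as a path. The snippet below is an added illustration of that bug class in general, not code from @Turmio_'s post and not a claim about the exact parsing Calendar does: it pulls the FILENAME parameter out of a constructed .ics ATTACH line, shows the vulnerable "join the name onto the attachments directory" pattern next to a hardened version that keeps only the last path component and confirms the resolved destination stays inside the directory. The sample invite and the attachments directory are made up for the example.

```python
import os
import re
from typing import List, Optional

# Constructed sample invite (not taken from the original post): the ATTACH
# property's FILENAME parameter carries a path traversal sequence.
SAMPLE_ICS = """BEGIN:VCALENDAR
BEGIN:VEVENT
SUMMARY:Sync
ATTACH;FILENAME=../../Library/Preferences/evil.plist;FMTTYPE=application/octet-stream:https://example.invalid/evil
END:VEVENT
END:VCALENDAR
"""

# Hypothetical attachments directory used for the illustration.
ATTACH_DIR = "/Users/demo/Calendars/Attachments"

# Matches an ATTACH line and captures everything between "ATTACH;" and the
# first ":" (the parameter list), since the value itself may contain colons.
ATTACH_RE = re.compile(r"^ATTACH;(?P<params>[^:]*):", re.MULTILINE)


def attach_filenames(ics: str) -> List[str]:
    """Return the FILENAME parameter of every ATTACH property in the invite."""
    names = []
    for match in ATTACH_RE.finditer(ics):
        for param in match.group("params").split(";"):
            key, _, value = param.partition("=")
            if key.upper() == "FILENAME":
                names.append(value)
    return names


def unsafe_dest(attach_dir: str, filename: str) -> str:
    """Vulnerable pattern: the attacker-controlled name is used as a relative
    path under the attachments directory, so '../' segments escape it."""
    return os.path.normpath(os.path.join(attach_dir, filename))


def safe_dest(attach_dir: str, filename: str) -> Optional[str]:
    """Hardened pattern: keep only the final path component, reject empty or
    dot names, then verify the resolved path is still inside attach_dir.
    Returns None when the filename is rejected."""
    base = os.path.basename(filename.replace("\\", "/"))
    if base in ("", ".", ".."):
        return None
    root = os.path.realpath(attach_dir)
    dest = os.path.realpath(os.path.join(root, base))
    if os.path.commonpath([root, dest]) != root:
        return None
    return dest


if __name__ == "__main__":
    for name in attach_filenames(SAMPLE_ICS):
        print("invite filename :", name)
        print("unsafe location :", unsafe_dest(ATTACH_DIR, name))
        print("safe location   :", safe_dest(ATTACH_DIR, name))
```

Running it shows the unsafe join landing the file two directories up from the attachments folder, while the hardened version keeps `evil.plist` inside it. The containment check on the resolved path is what matters; basename alone would miss a symlinked attachments directory, which is why both steps are kept.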
Interesting Job Postings:
- Senior Application Security Engineer via @carste1n @ Cloudflare (Hybrid / Remote)
- Security Engineer, Android Malware Research @ Google (On-Site: Kirkland, WA)
- Principal Game Security Engineer @ Blizzard Entertainment (On-Site: Irvine, CA)
- Senior Exploitation Vulnerability Researcher @ TwoSix Technologies (On-Site: Arlington, VA)
- Senior Principal Reverse Engineer @ Nightwing (On-Site: Huntsville, AL)
Wrapping Up...
As always, thanks for stopping by. We here at the club are always trying to improve so if you have comments, questions, or suggestions, feel free to shoot us an email - info@exploits.club.
Follow us on X - we occasionally Tweet poor attempts at memes
We sell mugs, and personally we have seen a drastic uptick in bugs since using ours. Get yours at https://shop.exploits.club.
Feel free to join the exploits.club Discord server here 👉 https://discord.gg/2dxN2Gtgpx
Same time next week? See you then 🏴☠️