exploits.club Weekly Newsletter 40 - iOS Kernel Exploitation, CET Bypasses, Elgato Hardware Repair, And More

Anyone have any good wallpaper apps? Preferably with an unnecessary subscription? Asking for a friend....annnnnyways 👇

In Case You Missed It...

Resources And Write-Ups From This Week:

  • A step-by-step guide to writing an iOS kernel exploit - If you like write-ups that are well written, concise, and manage to be extremely technical without resorting to "see the attached 700-line code snippet...", @alfiecg_dev has somehow managed exactly that. The post released this week documents how he approached exploitation of PhysPuppet, a physical use-after-free. The blog starts with a quick refresher on page tables and memory management in XNU. It then defines a physical use-after-free, explains why it is such a powerful primitive (the kernel's own view of the page, not just a pointer, is what goes stale), and shows how spraying IOSurface objects can help identify the dangling PTE and subsequently achieve arbitrary kernel R/W. And he does all of that in just 2,235 words. Unreal.
  • Eliminating Memory Safety Vulnerabilities at the Source - This week, Google posted some analytics related to their continued journey towards eradicating memory corruption vulnerabilities. The piece opens with numbers intended to support its central thesis: vulnerabilities in a codebase decay exponentially with time, so most of the risk sits in the newest code. While the lines of unsafe code in AOSP have gone up slightly over the last 5 years, the majority of new features have been written in Rust, which Google credits with a 52% decrease in observed memory safety bugs. As the software industry has matured, its approach to memory safety has gone through a number of stages. Google doesn't necessarily think you should just "rewrite it in Rust"... but focusing Rust adoption on your newer features, where the thesis says the bugs concentrate, could be worthwhile.
  • Google & Arm - Raising The Bar on GPU Security - Another Google team got to check off that "blog post" OKR this week before the start of Q4. The Android Red Team released a write-up in collaboration with Arm Product Security detailing their assessment of the Mali GPU. The team had the opportunity to poke at both the firmware and the associated kernel driver, finding bugs in both. While the post doesn't go too technical on the bugs, it does link out to the associated advisories. The blog starts with some broad generalities about why the attack surface is interesting before talking through the approach to the assessment itself, which consisted mainly of fuzzing and formal verification.
  • Fixing an Elgato HD60 S HDMI capture device with the help of Ghidra - If you like hardware, firmware, and hacking war stories, then @dt_db has an absolute banger of a post for you. The self-proclaimed lover of repair videos decided to try his hand at restoring some non-working tech himself and picked up a second-hand, broken Elgato capture card off eBay. What followed is documented in his lengthy blog post, going through chip identification, hardware hacking, firmware dumping, and manual patching. It's a fun read, and one that spares no details about the journey to get the device and its LEDs back in working order.
  • IERAE CTF 2024 - Intel CET Bypass Challenge - What do you do when you have a straightforward stack overflow but need to bypass CET? Well, that was the question posed by the Intel CET Bypass Challenge written by @hugeh0ge for IERAE CTF. @_tsuro decided to try his hand at answering it and, lucky for us, decided to document his solution. The post talks through the approach to bypassing CET and some of the other solutions used in the challenge, both intended and unintended. It then discusses his easier solution, which involved a call to signal() so that main gets re-run inside a signal handler. Stephen concludes with the shortcomings of CET and the ways this bypass could have been mitigated.
  • Linux RCU internal - A few newsletters ago, we included a race condition caused by improper use of the RCU API. That post included a brief overview of RCU...just enough to get you to understand the bug. However, if it left you wondering how the system works under the hood, then fear not, because @u1f383 was wondering the same thing and took more of an initiative than you did. In the blog post from this week, Pumpkin walks through the five components implemented in the Linux RCU mechanism and talks at length about how each of them works. It comes complete with well-explained kernel code snippets and pretty diagrams for those of us who are too dumb to read the code snippets. And now that you know more about the API itself, maybe you can find some interesting bugs like Theori did.
  • Winning the AIxCC Qualification Round - Last month, Theori took first place in the AIxCC qualification round, securing their spot in the 2025 finals. The team put out a brief blog post documenting their experience thus far and giving a small peek at how they approached the competition. The post starts with a background on AIxCC, discussing the purpose of the competition, the types of challenges, and the ways to earn points. It then takes a look at the team's technical approach, both for finding bugs and for patching them. The team highlights their use of traditional static and dynamic analysis tools and how they are paired with custom LLM agents. Naturally, there are a handful of challenges Theori discusses, such as LLM hallucinations when writing a patch. Overall, while they are clearly keeping some cards close to the vest for the finals next year, it was nice to hear a bit more about their general approach to the problem space.
  • Vanguard x VALORANT - I know a handful of you RE nerds got your start in game hacking. Well, this week the team behind Vanguard (the anti-cheat for VALORANT) released a very minimal peek behind the curtain at what they have been working on recently. The post talks through the metrics the team keeps track of, trends in bans, and approaches to new attack surfaces. Specifically, it looks at the rise in DMA cheating tools and talks through why the IOMMU appears to be the most viable path forward against them. The post ends with some of the challenges associated with VALORANT's move to console in 2024, keying in on some internal testing the team did to prevent mouse-and-keyboard (M&K) use on console.
  • gaining access to anyones browser without them even visiting a website - When we think browser 0day, we typically do not think Firebase...and maybe that's our problem. In a new post, @xyz3va talks through a crazy vuln she found in the Arc browser. Essentially, with Frida and some Objective-C, she identified that the browser was using Firestore. From there, she realized that "Arc boosts" (basically just ways to customize certain websites inside Arc) are also stored in Firestore per user and can contain arbitrary JavaScript. They are retrieved by userId and....yep, the client supplies that userId, so you can just change it. So she created a "malicious" Arc boost, set its userId to a victim's id, and boom, popped the victim's browser. No visit to an attacker-controlled site required; the backend handed the payload to the victim on its own.
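Since the RCU post above is about how the mechanism actually works, here is an added example in C. It is our own toy, not code from Pumpkin's post and not Linux's implementation; it only borrows the Linux API names. Readers bracket their access to a single RCU-protected pointer with rcu_read_lock()/rcu_read_unlock(), and the updater swaps the pointer with rcu_replace_pointer() and waits out a grace period with synchronize_rcu() before freeing the old object. The second function replays the misuse behind the RCU race we covered a few newsletters ago, a pointer that escapes its read-side critical section, with poisoning standing in for kfree() so the stale read is observable rather than undefined behaviour. The `config` struct, the per-reader counter layout and the function signatures are our assumptions for illustration.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdlib.h>

/* Toy userspace RCU borrowing the Linux API names. Illustration only; this is
 * neither Linux's implementation nor code from the post being discussed. */
#define MAX_READERS 8
#define NEST_MASK   0xffUL       /* low byte of a reader word: read-side nesting depth */
#define GP_SHIFT    8            /* upper bits: grace period the outermost lock began in */
#define MAGIC       0x600dc0deU
#define POISON      0xdeadbeefU  /* stands in for the allocator reusing freed memory */

struct config { unsigned magic; int version; };   /* assumed protected object */

static atomic_ulong rcu_gp_ctr;                 /* bumped once per synchronize_rcu() */
static atomic_ulong reader_ctr[MAX_READERS];    /* one word per reader, written only by its owner */
static struct config *_Atomic gp_config;        /* the RCU-protected pointer */

static void rcu_read_lock(int id) {
    unsigned long c = atomic_load(&reader_ctr[id]);
    if ((c & NEST_MASK) == 0)    /* outermost entry: record the current grace period */
        c = (atomic_load(&rcu_gp_ctr) << GP_SHIFT) | 1;
    else
        c++;                     /* nested entry: just bump the depth */
    atomic_store(&reader_ctr[id], c);
}

static void rcu_read_unlock(int id) { atomic_fetch_sub(&reader_ctr[id], 1); }

/* Readers may use the result only until their rcu_read_unlock(). */
static struct config *rcu_dereference(void) { return atomic_load(&gp_config); }

/* Updater side: publish the new object and hand back the old one. */
static struct config *rcu_replace_pointer(struct config *n) { return atomic_exchange(&gp_config, n); }

/* Grace period: wait until every reader is outside a critical section, or inside one
 * that began after the pointer swap, so nobody can still hold the old object. */
static void synchronize_rcu(void) {
    unsigned long gp = atomic_fetch_add(&rcu_gp_ctr, 1) + 1;
    for (int i = 0; i < MAX_READERS; i++) {
        unsigned long c;
        do {
            c = atomic_load(&reader_ctr[i]);   /* spin; a real kernel would sleep here */
        } while ((c & NEST_MASK) != 0 && (c >> GP_SHIFT) < gp);
    }
}

struct reader_arg { int id; int iters; int violations; };

static void *reader_main(void *p) {
    struct reader_arg *a = p;
    for (int i = 0; i < a->iters; i++) {
        rcu_read_lock(a->id);
        struct config *c = rcu_dereference();
        if (c->magic != MAGIC)          /* would fire if the updater freed c under us */
            a->violations++;
        rcu_read_unlock(a->id);
    }
    return NULL;
}

static struct config *new_config(int version) {
    struct config *c = malloc(sizeof *c);
    if (!c) abort();
    c->magic = MAGIC;
    c->version = version;
    return c;
}

static void teardown(void) { free(atomic_exchange(&gp_config, (struct config *)NULL)); }

/* Correct update pattern: replace, wait a grace period, then free the old object.
 * Returns how many times a reader saw a freed object (expected: 0). */
int run_demo(int nreaders, int iters, int updates) {
    pthread_t th[MAX_READERS];
    struct reader_arg args[MAX_READERS];
    if (nreaders > MAX_READERS) nreaders = MAX_READERS;
    atomic_store(&gp_config, new_config(0));
    for (int i = 0; i < nreaders; i++) {
        args[i] = (struct reader_arg){ .id = i, .iters = iters, .violations = 0 };
        if (pthread_create(&th[i], NULL, reader_main, &args[i]) != 0) abort();
    }
    for (int v = 1; v <= updates; v++) {
        struct config *old = rcu_replace_pointer(new_config(v));
        synchronize_rcu();       /* no reader can still hold `old` after this returns */
        old->magic = POISON;     /* any late reader would now see garbage... */
        free(old);               /* ...which is exactly why freeing is safe here */
    }
    int violations = 0;
    for (int i = 0; i < nreaders; i++) {
        pthread_join(th[i], NULL);
        violations += args[i].violations;
    }
    teardown();
    return violations;
}

/* The misuse behind the RCU race: the pointer outlives the critical section.
 * Replayed on one thread so the interleaving is deterministic; poisoning stands
 * in for kfree() so the stale read is observable. Returns 1 if it was. */
int replay_misuse(void) {
    atomic_store(&gp_config, new_config(0));
    rcu_read_lock(0);
    struct config *c = rcu_dereference();
    rcu_read_unlock(0);                      /* BUG: c is still used after this point */

    /* The updater, as if running on another CPU: */
    struct config *old = rcu_replace_pointer(new_config(1));
    synchronize_rcu();                       /* returns at once: reader 0 reports depth 0 */
    old->magic = POISON;                     /* the memory is released and reused */

    int stale = (c->magic == POISON);        /* the reader now uses freed memory */
    free(old);
    teardown();
    return stale;
}
```

The grace-period check is the whole point: a reader word with nesting depth 0, or with a snapshot at least as new as the current period, cannot still refer to the replaced object, because the sequentially consistent pointer swap is ordered before the period bump. The misuse replay shows why the API alone doesn't save you: as soon as the reader drops its read-side lock, synchronize_rcu() has no reason to wait, and whatever pointer leaked out of the critical section is a use-after-free waiting to happen.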

Interesting Job Postings:

Wrapping Up...

As always, thanks for stopping by. We here at the club are always trying to improve so if you have comments, questions, or suggestions, feel free to shoot us an email - info@exploits.club.

Follow us on X - we occasionally Tweet poor attempts at memes

Don't forget to check out https://bug.directory! It's growing weekly, and we are still looking for more people to contribute.

Your second brain - strictly for bugs

We sell mugs, and personally we have seen a drastic uptick in bugs since using ours. Get yours at https://shop.exploits.club.


Feel free to join the exploits.club Discord server here 👉 https://discord.gg/2dxN2Gtgpx

Same time next week? See you then 🏴‍☠️