
exploits.club Weekly Newsletter 41 - Exploit Dev Lifecycle, Binder Internals, UEFI Deep-Dive, and More


A bit of a light week this week after the civilized discussion that took place following the CUPS disclosure. People may be opinionated about politics and pineapple on pizza, but at least when it comes to Linux bugs and CVSS scores, everyone is very level-headed. Annnnnnnyways 👇

In Case You Missed It...

  • RomHack Live Stream - RomHack streamed their whole conference and left the video up on YouTube for your viewing pleasure. It's timestamped, so you can easily jump around to the talks you are most interested in.
  • FlareOn 11 Is Live - Everyone's favorite RE CTF is back for the 11th year in a row. It's live NOW and will run through November 8th.

Resources And Write-Ups From This Week:

  • The Exploit Development Lifecycle - @chompie1337 released her keynote slides from BSidesCanberra about exploit development. The talk goes through the timeline typically associated with finding and exploiting a bug, and how that is typically only a small part of the exploit dev lifecycle. It goes into the logistics of weird machines, stability, maintenance, stealth...you know, all the stuff you ignore when you ROP to system on your shitty side project and call it a day. This one is pretty much mandatory viewing for anyone in the space. Also, the deck itself has such an aesthetic...we suddenly have the urge to throw on a pink sweater and take our laptops over to the nearest 1950s diner.
  • Attacking UNIX Systems via CUPS, Part I - You're tired of hearing about it, we're tired of hearing about it. But it's our job to bring you the VR news and if we didn't include it...well, that would just be silly. So, ignoring the surrounding drama, what's this CUPS stuff about? Well, last week @evilsocket released a blog post detailing vulnerabilities he found in cups-browsed, a subsystem within CUPS. After identifying an overflow that he decided not to further pursue for exploitation, he turned his attention to "lower hanging fruit". Essentially, he figured out a way to get the target to connect back to him, allowing the injection of controlled PPD directives into the default file. This in turn would be exploited when a print job is sent to the fake printer.
  • Iconv, set the charset to RCE: Exploiting the glibc to hack the PHP engine (part 3) - The third and final part detailing how a 24-year-old bug can be used to exploit the PHP engine was released earlier this week. This part builds on the exploit detailed in part 2, this time making it more generic and not dependent on any program output. The exploitation strategy starts by allocating a large number of byte buffers of varying sizes, and then strategically using the corruption to achieve an arbitrary read primitive (after jumping through a few hurdles). It then uses this arbitrary read to find the addresses necessary for further exploitation, such as system and malloc. After this, it is able to use the same exploit strategy as detailed in the original 2 parts.
  • Binder Internals - Have you ever sat down and thought "gosh, I wish someone would just document how Binder works from front-to-back"? Well, it appears the Android Red Team had the same idea. Following their Binder research presented earlier this year at OffensiveCON, the team has now released just under 9k words going through all things Binder internals. The post is broken into 5 major sections: Lifetimes of Objects, Concurrency Model, Workqueues and Work Items, Binder's Buffer Allocator, and the Transaction Stack. It comes complete with supporting code snippets for each subsystem and diagrams to help visualize some of the more complex dataflows. Overall, it's a golden resource for anyone in the Android space who is interested in getting spun up on Binder quickly.
  • UEFI is the new BIOS - @LeviathanSec released the first in an 8-part series detailing UEFI RE, VR, and exploit development. This introductory post starts with a brief history of the technology and the move from Legacy BIOS. It then takes a detailed look at the UEFI boot process, discussing the first 4 phases (SEC, PEI, DXE and BDS) and providing all the requisite knowledge to understand the flow. It concludes with a quick look at Secure Boot and some additional protections such as Boot Guard and BIOS Guard, and then some context around the UEFI shell. We are looking forward to the next installments in the series!
  • Hacking Kia: Remotely Controlling Cars With Just a License Plate - This post has pretty much nothing to do with low-level vuln research. But it's too good not to include. @samcurry et al. figured out a way to completely take over pretty much every Kia with some well-formed HTTP requests. Essentially, Kia just lets you register as a dealer, and from there you can search for users via VIN number. From there it's pretty much game over, where the attacker can add themselves as the primary holder of the account, and then perform pretty much any action they want, such as unlocking the doors, remote start / start, honking the horn, and more. Just wait till the Kia Boyz hear about this one. Maybe now is a good time for Kia owners to start looking for a new car.
  • Pwn2Own Stories - A bit late to this one, but @bdmcbri's Pwn2Own Stories talk hit YouTube a few weeks back. The talk goes through some of the targets he has gone after, his successes, failures, and overall learnings. The talk shines for the way it emphasizes the usefulness of taking a simple approach and not being overly concerned about the myriad of unknowns associated with targeting something like a SCADA device for the first time. Along the way, the talk goes over a handful of Ben's entries, ranging from .NET and Java deserialization bugs to crypto weaknesses. If you are interested in participating in Pwn2Own for the first time, this talk is there to get you on your way and show you the barrier to entry may be lower than you think.

Interesting Job Postings:

Wrapping Up...

As always, thanks for stopping by. We here at the club are always trying to improve so if you have comments, questions, or suggestions, feel free to shoot us an email - info@exploits.club.

Follow us on X - we occasionally Tweet poor attempts at memes

Don't forget to check out https://bug.directory. It's growing weekly, and we are still looking for more people to contribute (also, we fixed the path issues for Windows if you were having problems).

Your second brain - strictly for bugs

We sell mugs, and personally we have seen a drastic uptick in bugs since using ours. Get yours at https://shop.exploits.club.


Feel free to join the exploits.club Discord server here 👉 https://discord.gg/2dxN2Gtgpx

Same time next week? See you then 🏴‍☠️