exploits.club Weekly Newsletter 42 - Glitching With A Lighter, Pixel 9 Baseband Security, Node.js Pipe Madness, And More

Congrats, we all just bagged another week in the low-level trenches. On to the next one. Annnnnyways 👇

In Case You Missed It...

Resources And Write-Ups From This Week:

  • Can You Get Root With Only a Cigarette Lighter? - It doesn't seem too far-fetched to say Hollywood would film a "hacking" scene where the rebellious, cig-smoking main character demonstrates his technical prowess with nothing more than his lighter, before saying "I have root access". And while we weren't in the room with @David3141593 when he pulled this off, we certainly hope that's how it went down. In this new post, Dave walks through his recent research into EMFI fault injection with a cigarette lighter coupled to an inductor. The post starts by showing how this tool can be used to flip bits and cause corruption during read/write operations, using a demonstrative CPython program. After that, Dave turns to an old Linux laptop and achieves LPE with a Rowhammer-esque exploit strategy: by flipping a bit during a level-0 PTE read, he finds a way to effectively give himself arbitrary physical read/write.
  • Effective Fuzzing - A Dav1d Case Study - If you've been paying attention to the VR landscape over the last year or so, then you know "Oh, it's fuzzed by oss-fuzz" is rarely the end of the story for finding bugs in open source projects. P0 returns this week to further that point. In this post, guest blogger Nick Galloway explains how he was able to find two integer overflows in Dav1d, an AV1 video decoder. After reviewing the oss-fuzz harnesses, he realized constraints had been put in place manually for memory-consumption reasons, effectively reducing the total coverage. By removing these, his fuzzer was able to find new code paths and, in turn, new bugs. He also discusses a handful of other ways he improved coverage, such as fuzzing on a different architecture or changing the number of threads the fuzzer can create.
  • Pixel's Proactive Approach to Security - Addressing Vulnerabilities in Cellular Modems - The Pixel 9 line-up is coming with some changes to baseband security and Google wants you to know about it. In a post released last week, the team talks through why baseband is such a popular attack surface - from the remote reachability to the lack of mitigations. From there, the team talks through what they are doing about it, specifically on this most recent release of phones. The Pixel 9 line-up ships with a handful of additional mitigations baked into the baseband firmware, such as stack canaries, CFI, and sanitizers. The post also points out the continued increase in monetary incentive for independent researchers to submit their bare-metal firmware bugs to the VRP program.
  • Why Code Security Matters - Even in Hardened Environments - This post is a banger front to back... half-tempted to just leave it at that and force you to go read it for yourself. The premise is this: you have an arbitrary file write via a Node.js server on a Linux read-only filesystem. Can you get RCE? These researchers figured out that the answer is yes, by abusing the pipes that Node's async capabilities are built on top of. The strategy involves a custom fake-object/ROP-gadget finder and a handful of thoughtful restriction bypasses. Intrigued yet? You should be.
  • CVE-2023-52447 - Exploit Technique - Honestly, this tweet feels very applicable recently. A new write-up hosted in the kCTF repo walks through CVE-2023-52447, a race condition leading to a UAF due to mismatched refcounts. The crux of the bug stems from the fact that the bpf lock is running under rcu_lock, allowing a lookup of arraymaps from array_of_maps (who names this shit) without increasing a refcount. As such, the researcher demonstrates how this can be leveraged into a use-after-free, causing a kernel leak. From there, the post goes into further exploitation, demonstrating how this primitive can be used to achieve an eventual container escape.
  • Streaming vulnerabilities from Windows Kernel - Proxying to Kernel - Part II - Following up their blog post from a little over a month ago, DEVCORE have returned with more bugs in the kernel streaming attack surface. After Pwn2Own, the team took a look at KS Event and identified a similar bug in which the conversion of a 32-bit request into a 64-bit one is mishandled. The post then details the ramifications of this, and how it can be used to perform a specific IOCTL with KernelMode. The team is able to convert this into an arbitrary increment primitive. After reviewing some of the traditional techniques one may use with this primitive, the team ends up working out their own exploit strategy to take this to full EoP.
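The lighter write-up above uses a small CPython program to show bit flips landing during read/write operations. As an added example (our own, not Dave's code), here is a memtest-style harness that fills a buffer with a per-offset pattern, re-reads it across cycles and reports exactly which bits changed, so a glitch that corrupts memory shows up as an offset, an XOR mask and a bit index rather than as an unexplained crash. The sample corruption in the usage block is constructed by hand.

```python
"""Bit-flip detection harness: write a known pattern, read it back, diff.

Under fault injection (EMFI, Rowhammer, undervolting) the interesting
signal is *which* bits moved; this reports that per byte.
"""
from typing import Dict, List, Tuple

# (offset, xor_mask, [flipped bit indices]) for each differing byte
FlipReport = List[Tuple[int, int, List[int]]]


def pattern_byte(offset: int, seed: int = 0xA5) -> int:
    """Deterministic per-offset pattern so a stray byte is identifiable."""
    return (seed ^ (offset * 0x9E) ^ (offset >> 8)) & 0xFF


def fill_pattern(size: int, seed: int = 0xA5) -> bytearray:
    """Build the expected buffer contents (the 'write' phase)."""
    return bytearray(pattern_byte(i, seed) for i in range(size))


def find_bit_flips(expected: bytes, observed: bytes) -> FlipReport:
    """Diff two buffers; report the XOR mask and bit indices per corrupted byte."""
    if len(expected) != len(observed):
        raise ValueError("buffer length mismatch")
    flips: FlipReport = []
    for off, (e, o) in enumerate(zip(expected, observed)):
        mask = e ^ o
        if mask:
            bits = [b for b in range(8) if mask & (1 << b)]
            flips.append((off, mask, bits))
    return flips


def verify_cycles(buf: bytearray, cycles: int, seed: int = 0xA5) -> Dict[int, int]:
    """Rewrite and re-read `buf` `cycles` times; count flipped bits per offset.

    The buffer is rewritten each cycle, so a flip is attributed to the cycle
    in which it was observed and does not accumulate across cycles.
    """
    counts: Dict[int, int] = {}
    expected = bytes(fill_pattern(len(buf), seed))
    for _ in range(cycles):
        buf[:] = expected                      # write phase
        for off, _mask, bits in find_bit_flips(expected, bytes(buf)):  # read phase
            counts[off] = counts.get(off, 0) + len(bits)
    return counts


if __name__ == "__main__":
    good = fill_pattern(64)
    bad = bytearray(good)
    bad[5] ^= 0x41          # constructed: two bits flipped in one byte
    print(find_bit_flips(bytes(good), bytes(bad)))   # [(5, 65, [0, 6])]
```

On real hardware you would run verify_cycles over a much larger buffer for many cycles while the fault is being induced; an empty dict means no corruption was observed.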

Wrapping Up...

As always, thanks for stopping by. We here at the club are always trying to improve so if you have comments, questions, or suggestions, feel free to shoot us an email - info@exploits.club.

Follow us on X - we occasionally Tweet poor attempts at memes

Don't forget to check out https://bug.directory. It's growing weekly, and we are still looking for more people to contribute (also, we fixed the path issues for Windows if you were having problems).

Your second brain - strictly for bugs

We sell mugs, and personally we have seen a drastic uptick in bugs since using ours. Get yours at https://shop.exploits.club.

Feel free to join the exploits.club Discord server here 👉 https://discord.gg/2dxN2Gtgpx

Same time next week? See you then 🏴‍☠️