exploits.club Weekly Newsletter 43 - Variant Analysis at Scale, SD Card Driver Bugs, TTE Trends, And More
TODO: Come up with a witty intro....annnnnways 👇
In Case You Missed It...
- LLMs And Security - @alexjplaskett put together a great thread of papers and blogs related to LLMs and their security applications
- Safe C++ - A proposal for Safe C++ came out last month, but we came across it floating around on X earlier this week.
Resources And Write-Ups From This Week:
- Safer with Google: Advancing Memory Safety - Google continues to push their memory safety blog posts on a semi-regular cadence these days, and this week has proven to be no different. In their newest post, the team recounts progress made thus far towards mitigating memory corruption bugs and discusses what the future holds - including areas where rewrites in Rust may make sense and how they plan to continue improving code safety in non-memory-safe codebases. They conclude by mentioning this is the first in a series of blog posts that will go deeper on the logistics, so we are looking forward to future entries.
- Finding Vulnerability Variants at Scale - A fun new blog post on variant analysis at scale from @0xFBFBFBFB via Blackwing Intelligence's blog. The post starts by discussing a vulnerability he identified by fuzzing an old library called jpeg-recompress during a security audit of a large project. The bug itself is an int overflow which is subsequently used as part of a buffer size calculation, leading to a heap overflow. The bug was the result of improper usage of a function in libjpeg, likely due to some confusion surrounding the documentation. Because of this, 0xFBFBFBFB decided that some other projects may have fallen victim to the same pattern, so he decided to go on the hunt. He first used BigQuery against the bigquery-public-data.github_repos dataset. Of the 10,440 repos that returned, he then checked which ones had pre-compiled CodeQL databases, and from there identified 104 other codebases which were potentially vulnerable. The post ends with a chart of the affected software, including some heavy hitters like Chromium and WINE.
- Vulnerabilities of Realtek SD card reader driver, part 1 - @zwclose decided to take a look at the Realtek SD card reader driver running on their Windows machine and...well let's just say it was particularly fruitful. The blog covers the 6 vulnerabilities identified and reported, ranging from info leaks to arbitrary kernel read/write. It walks through each vulnerability, covering the basic information needed to understand the data flow and pinpoint the bug. The conclusion mentions a 7th vulnerability allowing access to physical memory via the card reader's DMA capability, which will be covered in a future entry.
- Low-Level Development on Retail Android Hardware - Reconnaissance and Prototyping a Bootloader - Have you ever thought "huh, I really want to write a bootloader for an off the shelf Android device to try and boot mainline Linux?" No? Well step aside, because that's exactly what @t1mschumi set out to do. In his first blog post, he takes us behind the scenes of the project, explaining the initial progress made on his Samsung Galaxy Core Plus. The post recaps the initial reverse engineering conducted on S-BOOT, talking through how he was able to enable verbose logging and review the overall boot flow. Equipped with a better understanding of how S-BOOT works under the hood, he was able to craft a simple executable and get it executed as expected. Afterwards, he troubleshoots some issues associated with loading and booting a kernel due to some finicky size constraints. It wraps up with some thoughts on next steps and where the project can go from here.
- Fortinet FortiGate CVE-2024-23113 - A Super Complex Vulnerability In A Super Secure Appliance In 2024 - Name a better combo than enterprise apps and 90s security practices. Our friends over at Watchtowr decided to check out a recent patch from Fortinet after it was noted as a format string vulnerability (yes...in 2024) being exploited in the wild. The post walks through a quick overview of the bug class for those of you who are younger than 20, then bindiffs to spot the vulnerability in the FortiGate appliance. Noting that the bug resides in part of the custom "FGFM Protocol", the team sets out to better understand how it works, and how to set up a client (err...server?) to speak with the device. After finding a way to programmatically identify the vulnerability, they begin to scan customer devices, only to quickly note another roadblock: some versions do cert validation and others do not - a change which was never explicitly mentioned by the vendor. The post concludes with a way the detection team was able to circumvent these challenges and produce 3 categories of device: patched, vulnerable but requires trusted cert, and vulnerable but accepts self-signed cert. It's a fun write-up all around, and worth the read.
- How Low Can You Go - An Analysis of 2023 Time-to-Exploit Trends - A bit more on the Threat Intel side of the house, but Mandiant released their analysis regarding time-to-exploit trends in 2023. The big takeaways from the report are nicely summarized in the cute infographic at the beginning, including that 70% of the vulnerabilities they analyzed were first exploited as zero-days, and the average time-to-exploit for n-days was 5 days. Soooo yeah...may want to revisit those SLA windows.
- Chrome Exploitation - From Zero To Heap-Sandbox Escape - @matteomalvica released his BSides Oslo slides discussing Chrome exploitation. The slides start with a quick overview of the Chrome architecture and then discuss the V8 pipeline and its various JIT compilers. Afterwards, it takes a look at type confusion bugs, leveraging three case studies from different time periods to demonstrate how the meta has shifted along with the increase in mitigations. And if you have followed us for a while, you know we love a good slide-deck...this one comes decked out with diagrams, code snippets, and concept art sketches for what we assume would be a banger sci-fi hacker show.
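Since the variant analysis entry above turns on a pattern rather than a single bug (a 32-bit product in a buffer size calculation wrapping, then a copy sized from the real header fields running off the end of the heap allocation), here is a constructed C illustration of that pattern and its checked counterpart. This is an added example written for the newsletter, not code from jpeg-recompress, libjpeg or the Blackwing post; the header struct, field names, the 1 GiB cap and the "first scanline" simulation are all assumptions, and nothing is actually written out of bounds.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed image header for this example; field names are assumptions,
 * not jpeg-recompress or libjpeg definitions. */
struct image_hdr {
    uint32_t width;
    uint32_t height;
    uint32_t components;   /* bytes per pixel, e.g. 3 for RGB */
};

/* Vulnerable pattern: the product is evaluated in 32-bit unsigned arithmetic,
 * so a large header silently wraps to a tiny (even zero) allocation size. */
static uint32_t buf_size_unchecked(const struct image_hdr *h)
{
    return h->width * h->height * h->components;
}

/* Hardened pattern: checked multiplication in size_t plus a sanity cap
 * (assumed policy limit, 1 GiB here). Returns 1 and sets *out on success,
 * 0 if the product overflows, is zero, or exceeds the cap. */
static int buf_size_checked(const struct image_hdr *h, size_t *out)
{
    const size_t cap = (size_t)1 << 30;
    size_t sz;

    if (__builtin_mul_overflow((size_t)h->width, (size_t)h->height, &sz))
        return 0;
    if (__builtin_mul_overflow(sz, (size_t)h->components, &sz))
        return 0;
    if (sz == 0 || sz > cap)
        return 0;
    *out = sz;
    return 1;
}

/* Bytes a decoder would write for one scanline, computed from the same header. */
static size_t row_bytes(const struct image_hdr *h)
{
    return (size_t)h->width * h->components;
}

/* Simulates "allocate alloc_size bytes, then copy the first scanline" and
 * reports whether that copy would run past the allocation. Only sizes are
 * compared; no memory is touched. */
static int first_row_overflows(uint32_t alloc_size, const struct image_hdr *h)
{
    return row_bytes(h) > alloc_size;
}

int main(void)
{
    struct image_hdr small = { 640, 480, 3 };
    struct image_hdr huge  = { 65536, 65536, 3 };   /* 65536 * 65536 == 2^32 wraps to 0 */
    size_t sz = 0;

    printf("small: unchecked=%u checked_ok=%d\n",
           buf_size_unchecked(&small), buf_size_checked(&small, &sz));
    printf("huge:  unchecked=%u first_row_overflows=%d checked_ok=%d\n",
           buf_size_unchecked(&huge),
           first_row_overflows(buf_size_unchecked(&huge), &huge),
           buf_size_checked(&huge, &sz));
    return 0;
}
```

The hunt described in the post is for exactly the shape `buf_size_unchecked` has: a multiplication of attacker-controlled header fields whose result feeds an allocator, with no check between the two. The checked version is what a CodeQL query for that pattern should find as a negative.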
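For the FortiGate entry, the bug class itself is worth seeing in code for anyone who has not hit one lately. Below is a constructed C example, added for this newsletter and unrelated to Fortinet's code or the FGFM protocol: a logging helper that uses peer-supplied text as the format string, the one-line fix, and a small triage check for whether an input would be interpreted. The hostile string is only inspected, never passed to the vulnerable path, because doing so is undefined behaviour.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed logging helper; names are assumptions for this example. */

/* Vulnerable: whatever the peer sent becomes the format string, so "%x",
 * "%s" and "%n" in the input are interpreted (reads from the argument area
 * and, with %n, writes through whatever pointer is found there). */
static int log_vulnerable(char *out, size_t n, const char *untrusted, ...)
{
    va_list ap;
    int r;

    va_start(ap, untrusted);
    r = vsnprintf(out, n, untrusted, ap);   /* untrusted is the format */
    va_end(ap);
    return r;
}

/* Fixed: the format is a literal; untrusted data is only ever an argument. */
static int log_fixed(char *out, size_t n, const char *untrusted)
{
    return snprintf(out, n, "%s", untrusted);
}

/* Triage helper: does this input contain a directive the vulnerable path
 * would interpret? "%%" is a literal percent and does not count. */
static int has_format_directive(const char *s)
{
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {   /* escaped percent, skip both characters */
            p++;
            continue;
        }
        return 1;
    }
    return 0;
}

int main(void)
{
    char buf[64];
    const char *benign  = "progress 100%% complete";   /* constructed peer input */
    const char *hostile = "AAAA%x%x%x%n";              /* constructed, never formatted */

    log_vulnerable(buf, sizeof buf, benign);
    printf("vulnerable: %s\n", buf);   /* "%%" collapsed: input was parsed as a format */
    log_fixed(buf, sizeof buf, benign);
    printf("fixed:      %s\n", buf);   /* input copied verbatim */
    printf("hostile input has directives: %d\n", has_format_directive(hostile));
    return 0;
}
```

Compiling with `-Wformat-security` (or `-Wformat=2`) is the cheap static check for this: it flags calls where the format is not a literal and no arguments follow, which is how most of these get caught in review long before anyone bindiffs a patch.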
Interesting Job Postings:
- Winternship @ Trail Of Bits (Remote)
- Offensive Security Engineer, Hardware/Firmware @ Google (On-Site: Reston, VA)
- Firmware Engineer, MX Security @ Cisco (On-Site: San Francisco, CA)
- Principal Game Security Engineer @ Blizzard Entertainment (On-Site: Irvine, CA)
- Reverse Engineer @ Itezra (On-Site: Somewhere, MD)
Wrapping Up...
As always, thanks for stopping by. We here at the club are always trying to improve so if you have comments, questions, or suggestions, feel free to shoot us an email - info@exploits.club.
Follow us on X - we occasionally Tweet poor attempts at memes
Don't forget to check out https://bug.directory! It's growing weekly, and we are still looking for more people to contribute (Also we fixed the path issues for Windows if you were having problems).
We sell mugs, and personally we have seen a drastic uptick in bugs since using ours. Get yours on at https://shop.exploits.club.
Feel free to join the exploits.club Discord server here 👉 https://discord.gg/2dxN2Gtgpx
Same time next week? See you then 🏴☠️