Welcome back to another edition of bringing-vr-news-straight-to-your-inbox-so-you-dont-have-to-rely-on-the-algorithmic-overlords ... unless, of course, you found us via an algorithm...then of course remember to like, retweet, subscribe. Annnnnnyways 👇

In Case You Missed It...

• Its Pwn2Own Ireland Week - Pwn2Own Ireland is taking place now! At the time of writing, Viettel Cyber Security is in first with 24 points and $150k in prizes. We are looking forward to the conclusion of the contest, and the subsequent write-ups. Good luck to all the teams with remaining attempts.
• SideQuest YouTube Channel - exploits.club friend @0x_shaq recently started posting long form YouTube videos doing VR related projects. We think you should check it out. A few weeks ago he documented 2.5 hours of popping LLaMA.cpp N-days, and now he's working on a Squirrel lang series.

Resources And Write-Ups From This Week:

• Linux kernel instrumentation from Qemu and Gdb - Quarkslab put together a nice write-up discussing how to analyze binaries or kernel modules in a stealthy manner to prevent triggering anti-debug detections. The post walks through how to build a kernel, enable GDB integration, and run it with QEMU. It then walks through a handful of useful gdb commands and demonstrates ways to make your workflow more effective with a combination of breakpoints and hooks. While the technique only works in kernel versions newer than 4.0, the post finishes with an example of backporting to 3.10.
• Memory Management - Part 1: Virtual memory and Paging concepts - @reodus released a wonderful first entry into his new memory management blog series. This installment starts with an overview of physical vs virtual memory. It then jumps into an explanation of paging and page tables, looking specifically at Intel x86-64 and how address translation works. After discussing control registers, the post rounds out with an example in windbg, looking at the actual translation process and solidifying the concepts. If you are getting into low-level work, or just looking to brush up on your memory management knowledge, this is a great spot to get started!
• CVE-2024-44068: Samsung m2m1shot_scaler0 device driver page use-after-free in Android - After you dusted off your memory management skills, why not take a look at this Sammy ITW bug that was triaged this week as part of P0s 0-days In-the-Wild initiative? The bug itself resides in a Samsung driver related to media decoding. The post leads with the parameter and IOCTL which trigger the bug, and steps through how we get from entry point to trigger. The main issue here relates to a missing incrementation on a refcount, which leads to potentially having virtual pages mapped to freed physical pages. It then talks about potential exploit strategies with this primitive, speculating that the attackers likely leveraged a Kernel Space Mirroring Attack exploit flow.
• 'Reflections on Trusting Trust', but completely by accident this time - New post from the club down the block, this time discussing an LLVM compiler bug, and the journey it took to triage it. Written by @duk, the post steps through the cursed "compiler-compiler" bug, first found by @dougall. This one is long and wildly in-depth as it discusses LLVM internals, cross-compilation issues, and most importantly...how badly build systems suck. Its a fun read, and if you aren't already somewhat familiar with LLVM internals, you can expect to be just as fun on the 2nd...or 3rd pass of it.
• SELinux bypasses - As the intro of this post succinctly describes, "this post aims at giving an overview of what SELinux is, how it is implemented, and how to bypass it, from the point of view of Android kernel exploitation." And we would say it crushes that objective with flying colors. After a comprehensive overview of SELinux core concepts like policies, types, attributes, and classes, the post takes a look at how checks are actually implemented. From there, it covers 6 bypasses, attempting them on three different OEM handsets and noting potential shortcomings.
• CVE-2024-26926 Analysis - This short paper takes a look at a recent binder bug to assess its criticality. It starts by diffing the patches to better understand the issue in question, and concludes that the buggy code was missing an alignment check when copying userspace data where binder expected it to be 4-byte aligned. From there, it looks at attempting to hit the associated code path by finding a necessary entry point meeting the required criteria (no previous alignment checks, controlled offset). The analysis discusses the potential outcomes of the vulnerable code, assessing each of them for potential undefined behavior occurring as a result of the missing check. In the end, the post determines the bug "will not lead to an inconsistent state immediately", and is probably not exploitable.
• Oracle VM VirtualBox 7.0.10 r158379 Escape - If you have been following us for a while (or more likely, following @theFlow0 for a while), you may remember the VirtualBox escape which came out back in February. This week, @Diego_AltF4 took to the Zeroclick blog to do an in-depth review of the bug and exploit. The post fills you in on the necessary Virtio-net background and then takes a look at the patch diff to better understand the vulnerability itself. After pinpointing the OOB write, the post then talks through setting up a lab environment and triggering the bug. Finally, it walks through the exploit strategy step-by-step, explaining how to obtain a leak to bypass ASLR and corrupt pfnConfigRead. The blog ships complete with full exploit code and a demo as well.
• Cross-Process Spectre Exploitation - This crazy post from grsecurity discusses a cross-process Spectre attack resulting from an Incomplete Branch Prediction Barrier (IBPB) bug. The post first takes a look at IBPB and how it is intended to work. It notes that most user sensitive programs don't even have it enabled (OpenSSH, sudo, polkit), but that its intended to prevent programs running on the same thread from influencing each others speculative control flow. The post then demonstrates how branch (mis)prediction works, before bringing in IBPB as a means of showing how it invalidates predictions....only it doesn't as there is a bug in the microcode. As such, the post goes on to show how this can be leveraged into a fully working exploit to leak memory from another process.

Interesting Job Postings:

• Multiple Internship Opportunities @ Quarkslab (On-Site: Paris, France)
• Staff Product Security Engineer @ Aurora (On-Site: Seattle, WA)
• Principal Vulnerability Researcher @ Palo Alto Networks (On-Site: Santa Clara, CA)
• Vulnerability Researcher I/II @ Research Innovations Incorporated (On-Site: San Antonio, FL)
• Senior Malware Reverse Engineer @ Booz Allen Hamilton (On-Site: Annapolis Junction, MD)

Wrapping Up...

As always, thanks for stopping by. We here at the club are always trying to improve so if you have comments, questions, or suggestions, feel free to shoot us an email - info@exploits.club.

Follow us on X - we occasionally Tweet poor attempts at memes

Don't forget to check out https://bug.directory! It's growing weekly, and we are still looking for more people to contribute. We recently pushed updates from our most recent newsletters!

We sell mugs, and personally we have seen a drastic uptick in bugs since using ours. Get yours on at https://shop.exploits.club.
Feel free to join the exploits.club Discord server here 👉 https://discord.gg/2dxN2Gtgpx

Same time next week? See you then 🏴‍☠️