exploits.club Weekly Newsletter 45 - BLE Fuzzing, $1mil Research, Blind Format Strings, and More
If we had a sponsorship, this is probably where it would go. The key to a successful business is to pick a target market that is like 2k total people. That's the secret they aren't telling you. Oh..and Happy Halloween 🎃 annnnnnnyways 🎃
In Case You Missed It...
- OffensiveCON Save The Date - May 16th and 17th of 2025. Hope to see some of you there!
- RE//verse Speakers Last Call - If you are reading this, you still have 2 weeks to get your talks submitted. Don't miss it!
Resources And Write-Ups From This Week:
- Exploiting a Blind Format String Vulnerability in Modern Binaries: A Case Study from Pwn2Own Ireland 2024 - 2 format string bugs in 30 days?? Yep, that's right. This week, Synacktiv released a write-up detailing their work popping the Synology TC500 security camera for Pwn2Own Ireland 2024. While the bug itself was a straightforward format string issue, the subsequent exploitation was anything but. Constrained by modern mitigations and unable to use the bytes 0x0-0xF in their payload, the team set out to demonstrate how, even in a blind context, they were able to get a reliable write to the stack and then craft a nifty ROP chain. Sadly, the bug was patched just before the competition - but lucky for us, that meant they were able to write this blog post right away.
- Security research on Private Cloud Compute - The Apple SEAR team must have hired Regis Philbin because this week they are asking "Who wants to be a millionaire?" In a follow-up to their Private Cloud Compute announcement back in June, the team released a new blog this week revealing the details of their new public bounty for the platform. The post comes complete with all the things you could want to get spun up: a virtual testing environment, an overview of the security platform, source code, and more. And yeah, you heard us right...RCE will bag you a $1mil. Not too shabby.
- Bluetooth Low Energy GATT Fuzzing - Quarkslab returns this week to talk about some recent BLE fuzzing done as part of an internship project. The post starts with a high-level overview of the different layers in the BLE protocol, and dissects the ones most important to this specific research (ATT and GATT). After identifying 9 potential attack scenarios that might be interesting to test (which are outlined in more detail in the associated paper), a fuzzer was crafted using the WHAD framework. The post talks a bit about design decisions when it came to crafting the fuzzer and then looks at the results. A handful of vulnerabilities were identified, including an OOB write in the Bluedroid stack shipped with the ESP-IDF framework, a DoS in the NimBLE Bluetooth stack, and a DoS against Sony headsets.
- A deep dive into Linux's new mseal syscall - Trail of Bits takes a look at the new mseal syscall in their newest blog post. The syscall, which was added as part of Linux's 6.10 release, "allows developers to make memory regions immutable from illicit modification during runtime". This marks a paradigm shift for Linux kernel syscalls, as it is specifically tailored for exploit mitigation against remote attackers. The post first goes over the implementation, before discussing what mseal helps to mitigate - complete with actual demos!
- Non-Uniform Distribution of VS Weapon Traits - Now look...your friendly editor here is not a Destiny player. So, when this paper says something like "grinding for a serviceable Multimach CCX roll in Iron Banner", it might as well be in a foreign language. That said, we can identify a good crypto "flaw" when we see one. Essentially, a handful of Destiny players realized that they weren't getting a certain perk/weapon combo as often as the advertised odds would lead them to believe. After a bit of statistical analysis with a popular inventory tracker tool, they found a statistically significant gap between the expected and actual acquisition rate for these weapons. The investigation prompted Bungie to review their own RNG code, and they eventually acknowledged that the statistical results stemmed from an actual bug.
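For the mseal item above, here is an added example of what "immutable" means in practice. It is our own demo, not code from the Trail of Bits post: it seals one anonymous page and then tries each of the VMA-changing calls an exploit chain typically leans on. Assumptions: the kernel is 6.10 or newer (otherwise the syscall returns ENOSYS and the demo reports "unavailable"), and `SYS_mseal` falls back to 462, the number the syscall has on every architecture, for toolchains whose headers predate it.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE          /* mremap(), MAP_ANONYMOUS, syscall() */
#endif
#include <errno.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

/* mseal() shipped in Linux 6.10 as syscall 462 on every architecture; older
 * headers have no SYS_mseal, so fall back to the raw number (assumed here). */
#ifndef SYS_mseal
#define SYS_mseal 462
#endif

static int do_mseal(void *addr, size_t len)
{
    return (int)syscall(SYS_mseal, addr, len, 0UL);   /* flags must be 0 */
}

/* Seal one anonymous RW page, then try every VMA-changing operation an exploit
 * might use against it. Returns:
 *    1  sealed; mprotect, munmap, mremap and MAP_FIXED were all refused with EPERM
 *    0  mseal is unavailable here (pre-6.10 kernel, or seccomp blocks the call)
 *   -1  sealing appeared to succeed but a mutation got through, or mmap failed */
int mseal_demo(void)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    uint8_t *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    memset(p, 0x41, len);

    if (do_mseal(p, len) != 0) {
        int e = errno;
        munmap(p, len);
        return (e == ENOSYS || e == EPERM) ? 0 : -1;
    }

    /* From here on the page is pinned for the life of the process: it can never
     * be unmapped or have its permissions changed. That is the mitigation. */
    if (mprotect(p, len, PROT_READ) == 0 || errno != EPERM) return -1;
    if (munmap(p, len) == 0 || errno != EPERM) return -1;
    if (mremap(p, len, len * 2, MREMAP_MAYMOVE) != MAP_FAILED || errno != EPERM) return -1;
    if (mmap(p, len, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0) != MAP_FAILED
        || errno != EPERM) return -1;

    return p[0] == 0x41 ? 1 : -1;   /* contents untouched; only the VMA is frozen */
}
```

The caveat a practitioner wants: sealing is one-way for the lifetime of the process, so it only belongs on mappings that are never legitimately unmapped or re-protected (think a loader's post-relocation read-only segments), never on thread stacks, JIT regions, or libraries that might be `dlclose`d. Note also that the data itself stays writable if the page was writable when sealed; mseal freezes the mapping, not the bytes.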
- The Windows Registry Adventure #4: Hives and the registry layout - Project Zero released a continuation of their ongoing Windows Registry series, this time taking a look at hives and registry layouts. The post reviews the structure of the registry tree "both at a high level (WinAPI) and low-level (internal system libraries and the kernel)". Sitting at nearly 10k words, you're not likely to find a deeper dive on the topic anywhere else.
- Ghostscript wrap-up: overflowing buffers - We have been following the Ghostscript research from Codean Labs since July of this year. This newest and final installment in the series takes a look at 4 additional bugs identified but not used as part of the exploits the team crafted. In total, there are two stack overflows, a heap overflow, and an info leak. The write-up reviews the code leading to these bugs, and then demonstrates how they can be triggered with custom payloads. Overall, it's a nice wrap-up to the series, which you should certainly check out if you haven't already.
- The Trials and Tribulations of the Exploit Development Lifecycle with Chompie! - A few weeks ago, @chompie1337 put out a slide deck about the Life Cycle of Exploit Development, which we covered back in EC #41. Well, lucky for us, this week she went on the Off By One Security stream to give her talk live. The stream doesn't stop there though, because she and host @Steph3nSims chat for about another 30 minutes, walking through Chompie's methodology for her Windows P2O bug and discussing a handful of other topics along the way.
- A bit of a shorter edition today, so here are some fun bugs from this week:
Interesting Job Postings:
- Principal Zero-Day Vulnerability Researcher @ Zscaler (On-Site: San Jose, CA)
- Junior Vulnerability Researcher @ Battelle (On-Site: Columbus, OH)
- Security Researcher / Developer @ Horizon3.ai (Remote)
- Offensive Hardware Security Researcher @ NVIDIA (On-Site: Santa Clara, CA)
- Senior Offensive Security Engineer (IoT) @ Praetorian (Remote)
Wrapping Up...
As always, thanks for stopping by. We here at the club are always trying to improve so if you have comments, questions, or suggestions, feel free to shoot us an email - info@exploits.club.
Follow us on X - we occasionally Tweet poor attempts at memes
Don't forget to check out https://bug.directory! It's growing weekly, and we are still looking for more people to contribute. We recently pushed updates from our most recent newsletters!
We sell mugs, and personally we have seen a drastic uptick in bugs since using ours. Get yours at https://shop.exploits.club.
Feel free to join the exploits.club Discord server here 👉 https://discord.gg/2dxN2Gtgpx
Same time next week? See you then 🏴‍☠️