
exploits.club Weekly Newsletter 46 - AI Finds Bugs, Barcode Fuzzing, 17 Year Old Browser Bugs, and More


Some bugs, exploits, and write-ups to interrupt your doomscrolling. Annnnnyways 👇

In Case You Missed It...

Resources And Write-Ups From This Week:

  • From Naptime to Big Sleep: Using Large Language Models To Catch Vulnerabilities In Real-World Code - Well everyone...it's been a good ride. In a new post from P0 this week, the team announced they found a critical bug in SQLite with their Big Sleep AI agent. The blog discusses the team's methodology and how they prompted the agent with recent commits and bugs. The vulnerability manifests from an edge condition in which an index is set to -1, allowing for an OOB write that corrupts 32 bits of a pointer. The post also includes output snippets from the agent's reasoning and the tools it leveraged, showing how the agent reached its conclusion. The team rounds out the post with a failed attempt to replicate the bug via fuzzing and some commentary on why that approach did not work.
  • Fuzzing between the lines in popular barcode software - Trail of Bits released a blog post last week walking through the fuzzing of the popular barcode scanning library ZBar. After recognizing that it was being used by a client, the team decided to set up a fuzzer. This led to the discovery of a DoS bug and an OOB write. The post talks about how the team decided this project likely wasn't fuzzed already, how to instrument the build, how to write a basic harness, and how to tweak the set-up to improve coverage. It's a great companion to their Testing Handbook.
  • Ancient Monkey: Pwning a 17-Year-Old Version of SpiderMonkey - When you think of popping enterprise VPNs, you probably think command injection and arb file write. But what about 17-year-old JS bugs? @pspaul95 dropped a write-up discussing an exploit he wrote for Zscaler by way of exploiting pacparser. As it turns out, pacparser relies on an ancient version of Firefox's JS engine, SpiderMonkey. The post discusses this discovery and how @pspaul95 subsequently picked an n-day to PoC. From there, it breaks down the chosen bug and how it gives arbitrary bytecode execution, which can be leveraged into memory corruption. After that, it goes through the process of building an addrof primitive and leaking lookupProperty to get the base address. Finally, the post rounds out by hijacking control flow and getting a shell.
  • Mind the v8 patch gap: Electron's Context Isolation is insecure - A fun blog from @S1r1u5_ discussing his recent research into Electron context isolation. The write-up starts with an overview of how context isolation works. He shows how Electron developers can open untrusted pages and prevent or restrict their access to Electron's internal APIs. From there, he looks at how Electron implements this under the hood with V8 isolates, and shows how V8 exploits can be leveraged to break this security barrier. Most developers don't regularly update their application's Electron version, leaving tons of desktop apps vulnerable to old V8 n-days.
  • Pacific Rim: Inside the Counter-Offensive—The TTPs Used to Neutralize China-Based Threats - A bit more on the threat intel side of things, but this week security company Sophos released information about China-based threats targeting their firewalls, which they have been tracking for more than five years. The report notes a handful of key takeaways for defenders at the top, discussing the use of both 0-days and n-days and the increased focus on edge devices across the industry. From there, the report looks at critical points in the timeline of Sophos's research, starting with a rootkit discovered in a Sophos subsidiary in 2018. The threat actors initially focused on mass attacks leveraging public and critical vulnerabilities in Sophos devices before shifting to stealth and going after more high-profile targets. It also looks at their more advanced tactics and improved OPSEC before rounding out with some conclusions.
  • Pwning the Chip8 Emulator with Blind Format Strings - Two blind format string exploits in two weeks? Well, as it turns out, @lucabtz_ took a look at Synacktiv's post from last week and realized he might be able to pull off something similar in a project he was working on. In his effort to exploit a Chip8 emulator, he realized he could trigger an arbitrary printf call, but the output would be shown to the emulator and thus be entirely blind. The post then walks through his exploitation of this issue: how he could leak the libc base address, overwrite a GOT entry, and get arbitrary code exec.
  • Achilles' Heel of JS Engines: Exploiting Modern Browsers During WASM Execution - Slides were released this week discussing recent WASM bugs and how to get started potentially looking for them yourself. The 106-slide deck covers a ton of information, ranging from background and bug metrics, WASM attack surfaces, bug hunting methodology, and fuzzing set-ups, to a full case study of CVE-2024-1939. If you are interested in getting up to speed on the state of WASM vulns and exploitation, we can't think of a better place to get started.
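The Big Sleep item above describes a bug class that shows up constantly in C code bases: a lookup returns -1 as its "not found" sentinel, and a caller uses that value as an array index without checking it, producing a write just before the array. The following is an added example written for this newsletter, not code from P0's post or from SQLite; the column table, `find_column()` and the `row` struct are constructed stand-ins for whatever the real code was indexing. It shows the unchecked pattern next to the hardened form that rejects the sentinel before indexing.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NCOLS 4

/* Constructed sample schema; the real code would have its own table. */
static const char *column_names[NCOLS] = {"id", "name", "email", "created"};

struct row {
    int32_t values[NCOLS];
};

/* Returns the column's index, or -1 when the name is unknown.
 * -1 is an ordinary C sentinel; the hazard is what callers do with it. */
int find_column(const char *name) {
    for (int i = 0; i < NCOLS; i++) {
        if (strcmp(column_names[i], name) == 0)
            return i;
    }
    return -1;
}

/* Vulnerable pattern (illustration only; never called with an unknown name here).
 * The sentinel flows straight into the subscript: with idx == -1 this becomes
 * r->values[-1], a 4-byte write just before the array, into whatever precedes it.
 * That is the shape of "index set to -1 corrupts 32 bits of a pointer". */
int set_value_unchecked(struct row *r, const char *name, int32_t v) {
    int idx = find_column(name);
    r->values[idx] = v;          /* OOB write when idx < 0 */
    return idx;
}

/* Hardened form: validate the index before it is used as a subscript.
 * Checking both bounds (not just the sentinel) also covers any future
 * change in what find_column() can return. Returns -1 on rejection. */
int set_value_checked(struct row *r, const char *name, int32_t v) {
    int idx = find_column(name);
    if (idx < 0 || idx >= NCOLS)
        return -1;
    r->values[idx] = v;
    return idx;
}

int main(void) {
    struct row r = {{0}};
    printf("email -> %d\n", set_value_checked(&r, "email", 42));   /* 2 */
    printf("bogus -> %d\n", set_value_checked(&r, "bogus", 42));   /* -1, nothing written */
    return 0;
}
```

When auditing (or prompting an agent to audit) code like this, the pattern to grep for is a function documented as returning a negative sentinel whose result reaches an array subscript or pointer arithmetic without an intervening range check; a sanitizer build such as -fsanitize=address will flag the unchecked variant at runtime as a write before the buffer.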

Interesting Job Postings:

Wrapping Up...

As always, thanks for stopping by. We here at the club are always trying to improve, so if you have comments, questions, or suggestions, feel free to shoot us an email - info@exploits.club.

Follow us on X - we occasionally Tweet poor attempts at memes

Don't forget to check out https://bug.directory. It's growing weekly, and we are still looking for more people to contribute. We recently pushed updates from our most recent newsletters!

Your second brain - strictly for bugs

We sell mugs, and personally we have seen a drastic uptick in bugs since using ours. Get yours at https://shop.exploits.club.
Feel free to join the exploits.club Discord server here 👉 https://discord.gg/2dxN2Gtgpx

Same time next week? See you then 🏴‍☠️