exploits.club Weekly Newsletter 47 - Enterprise Software Madness, Kext Fuzzing, Breaking CFF, and More
Instructions: Convince yourself of a bug's existence for multiple days on end, only to realize you are incorrect. Rinse and repeat. Annnnnnyways 👇
In Case You Missed It...
- VRP for V8 Sandbox Extended - @5aelo brought attention to the updated Google Chrome VRP earlier this week. Now offering $5k for all memory corruption outside the sandbox, and controlled writes will yield $20k.
- The November 2024 Security Update Review - Microsoft and Adobe bulletin recaps from ZDI. Also monthly bulletins from all the other usual suspects (Android, Qualcomm, Safari, Samsung...there are more but we trust you to Google them).
- The RE Tool Of The People Finally Got A Dulge Edit - Where do we submit for an EC edit next?
- BlueHat 2024 Talks Are Up On YouTube
- The GuidedHacking Show Ep 2 - Your friendly neighborhood exploits.club editor was featured on the most recent podcast episode from Guided Hacking. Oh what, you thought we weren't gonna self-promote? Too bad.
Resources And Write-Ups From This Week:
- Pishi: Coverage guided macOS KEXT fuzzing - @R00tkitSMM released a 31-page blog post this week about his adventures in macOS kext fuzzing. And when @richinseattle calls it the "best fuzzing blog post in recent years", you know you are in for a good read. We can't do it the justice it deserves in 100 words, but you should go read it. It iterates on KextFuzz with an improved instrumentation method, does a deep dive on understanding coverage, talks through how to feed coverage data to a fuzzer, and concludes with some benchmarks and final thoughts.
- Breaking Control Flow Flattening: A Deep Technical Analysis - A super cool post from @gegrgtezrze that will make you wish you paid a bit more attention in that graph theory class you slept through. The post details a Binary Ninja plugin he has been working on, which is intended to break Control Flow Flattening (CFF). This form of obfuscation works by putting all the code blocks of a function into one giant switch statement driven by a state variable, effectively destroying the original CFG. As such, the plugin works in three steps: first, identify the central switch statement (the dispatcher); then, find the state variable used for the switching; and finally, reconstruct the original CFG from it. Each of these steps poses challenges in itself and is backed by a handful of graph theory ideas and formal theorem proving.
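To make the three steps above concrete, here is an added C illustration (not code from the post or from the plugin): a hypothetical digest routine in its original form, and the same routine after hand-applied control-flow flattening in the style the post describes. The dispatcher loop is what step 1 finds, the `state` variable is what step 2 finds, and the `state = ...` assignments in each case are the edges step 3 has to turn back into a CFG. The sample input and the case-label constants are made up for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed sample input for the demo (not from the post). */
const unsigned char SAMPLE[] = "exploits.club weekly 47";

/* Original, unflattened routine: a small FNV-1a-style digest where
 * odd-indexed bytes are mixed in shifted. Hypothetical function written
 * for this illustration; the loop and if/else are what an obfuscator
 * would later hide. */
uint32_t digest_plain(const unsigned char *buf, size_t len)
{
    uint32_t h = 0x811c9dc5u;
    for (size_t i = 0; i < len; i++) {
        if (i & 1)
            h ^= (uint32_t)buf[i] << 8;
        else
            h ^= buf[i];
        h *= 16777619u;
    }
    return h;
}

/* Arbitrary case labels, as an obfuscator would emit them. */
enum {
    S_ENTRY  = 0x3f2a,  /* prologue                    */
    S_HDR    = 0x11b7,  /* loop header: i < len ?      */
    S_PARITY = 0x62d0,  /* i odd ?                     */
    S_ODD    = 0x7c01,  /* odd-index mix               */
    S_EVEN   = 0x0a9e,  /* even-index mix              */
    S_MIX    = 0x5d63,  /* multiply, i++ (loop latch)  */
    S_EXIT   = 0x2e48   /* return                      */
};

/* The same routine after control-flow flattening. Every basic block of
 * digest_plain is now a case of one dispatcher switch inside an infinite
 * loop, and every CFG edge has become an assignment to the state
 * variable. A decompiler sees one big switch and no loop or if/else. */
uint32_t digest_flattened(const unsigned char *buf, size_t len)
{
    uint32_t h = 0;
    size_t i = 0;
    unsigned state = S_ENTRY;   /* step 2 of the plugin: the switch variable */

    for (;;) {                  /* step 1: the central dispatcher */
        switch (state) {
        case S_ENTRY:
            h = 0x811c9dc5u;
            i = 0;
            state = S_HDR;
            break;
        case S_HDR:             /* conditional edge: two possible successors */
            state = (i < len) ? S_PARITY : S_EXIT;
            break;
        case S_PARITY:
            state = (i & 1) ? S_ODD : S_EVEN;
            break;
        case S_ODD:
            h ^= (uint32_t)buf[i] << 8;
            state = S_MIX;
            break;
        case S_EVEN:
            h ^= buf[i];
            state = S_MIX;
            break;
        case S_MIX:
            h *= 16777619u;
            i++;
            state = S_HDR;      /* back edge of the original loop */
            break;
        case S_EXIT:
            return h;
        default:
            abort();            /* unreachable: state is always a known label */
        }
    }
}

/* Check that flattening preserved semantics on a few inputs
 * (empty, odd and even lengths). Returns 1 on success, 0 on mismatch. */
int flattening_preserves_semantics(void)
{
    size_t full = sizeof SAMPLE - 1;
    size_t lens[] = { 0, 1, 2, 7, full };
    for (size_t k = 0; k < sizeof lens / sizeof lens[0]; k++)
        if (digest_plain(SAMPLE, lens[k]) != digest_flattened(SAMPLE, lens[k]))
            return 0;
    return 1;
}

int main(void)
{
    size_t len = sizeof SAMPLE - 1;
    printf("plain     = 0x%08x\n", digest_plain(SAMPLE, len));
    printf("flattened = 0x%08x\n", digest_flattened(SAMPLE, len));
    printf("equivalent: %s\n", flattening_preserves_semantics() ? "yes" : "no");
    return 0;
}
```

Read `digest_flattened` the way the plugin would: each `case` is one original block, each constant written to `state` is one outgoing edge, and a case that writes one of two constants under a condition (`S_HDR`, `S_PARITY`) is where the original `for` test and `if/else` lived. Inverting that table of assignments, and proving which constants can actually reach the dispatcher, is the reconstruction work step 3 has to do.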
- Arc Browser UXSS, Local File Read, Arbitrary File Creation and Path Traversal to RCE - Arc has had its share of security issues recently, especially when it comes to Arc Boosts. This week, @RenwaX23 released some of his recent findings from poking at the browser, providing a little insight into why your IT team told you that "super cool productivity browser" is not on the "approved vendor software" list. The post starts with his identification of a deprecated and undocumented endpoint that allowed remote 1-click installs of boosts, which could effectively be turned into 1-click UXSS. Not only that, but it also gave local file read, as the JS had access to file://. But he wasn't satisfied, and figured out that boost installs actually write to disk on the victim's computer, anndddd the write is vulnerable to path traversal. Yikes. That was enough to pop calc and earn him $10k.
- Novel Inception/SRSO exploitation method - @theflow0 released a new exploit technique for Inception on the Google Security Research GitHub repo earlier this week. The new method works on AMD Zen 3 and Zen 4 "by controlling the full RAS." This is done by injecting the PhantomJMP after a dispatch serializing instruction. The post then discusses potential mitigations for this type of attack, pinpoints 7 candidates for exploitation in the upstream Linux KVM, and includes a PoC for Zen 3.
- Visionaries Have Democratized Remote Network Access: Citrix Virtual Apps and Desktops (CVE Unknown) - The watchTowr Labs team is back this week with a new blog post, this time focusing on Citrix Virtual Apps and Desktops. The post starts with an overview of the target, walking through how it works and why it might be an interesting solution for companies. After that, it takes a deep dive into the "session recording" feature and looks at how it's implemented under the hood. The post then reviews a .NET deserialization vulnerability the team identified, resulting in unauthenticated RCE. The post is exceptionally well written and follows the code paths in an easy-to-understand manner, even for readers with no prior knowledge of deserialization vulns.
- CVE-2024-47575: Fortinet ITW Unauth RCE - Have you guys ever heard of Fortinet? Apparently, they recently had an ITW unauthenticated RCE? Bad look. Well, luckily for us, Rapid7 released an RCA and a PoC for the bug. The post starts with an overview of how to decrypt the firmware and then goes into some patch diffing. Because the CVE description gave a bit of a hint about the issue, identifying the relevant patch to the authentication checks within fgfmsd was relatively straightforward. From there, the team was able to lean on some prior research out of Bishop Fox to extract an X.509 certificate from the firmware image. After a brief protocol analysis to determine the packet structure, the team was able to trigger the command injection.
- POC 2024 Slide Deck Round Up:
- Lights Out: Covertly turning off the ThinkPad webcam LED indicator by @andreyknvl
- How I use a novel approach to exploit a limited OOB on Ubuntu at Pwn2Own Vancouver 2024 - by @u1f383
- WebAssembly Is All You Need - Exploiting Chrome and the V8 Sandbox 10+ times with WASM by @0x10n
- A New Era of macOS Sandbox Escapes by @patch1t
- Apple Disk-O Party - by @theevilbit
- VMware Workstation: Escaping via a New Route - Virtual Bluetooth by @hi_im_d4rkn3ss
- GPUAF - Two ways of Rooting All Qualcomm based Android phones by @peterpan980927 and @st424204
Interesting Job Postings:
- Principal Vulnerability Researcher @ Zetier (On-Site: Arlington, VA)
- Vulnerability Research & Security Engineering Intern @ Tesla (On-Site: Palo Alto, CA)
- Vulnerability Researcher @ Kudu Dynamics (On-Site: Chantilly, VA)
- Senior Software Security Engineer, GeForce NOW @ NVIDIA (Remote)
- Software Reverse Engineer @ Caesar Creek Software (On-Site: Miamisburg, OH)
Wrapping Up...
As always, thanks for stopping by. We here at the club are always trying to improve so if you have comments, questions, or suggestions, feel free to shoot us an email - info@exploits.club.
Follow us on X - we occasionally Tweet poor attempts at memes
Don't forget to check out https://bug.directory! It's growing weekly, and we are still looking for more people to contribute. We recently pushed updates from our most recent newsletters!
We sell mugs, and personally we have seen a drastic uptick in bugs since using ours. Get yours at https://shop.exploits.club.
Feel free to join the exploits.club Discord server here 👉 https://discord.gg/2dxN2Gtgpx
Same time next week? See you then 🏴☠️