
exploits.club Weekly Newsletter 48 - FireFox Animations, OOO bugs, LibAFL Advanced Fuzzing, and More


Welcome to all our new readers filtering in this week from the Paged Out! #5 community ad. We are happy to know you share our affinity for extremely poor graphic design. Annnnyways 👇

In Case You Missed It...

  • Paged Out! #5 Available Now - Everyone's favorite technical magazine is back for its fifth edition. Also...dig exploits.club.pagedout.institute txt...Yeah that's pretty badass
  • Binary Ninja 4.2 Release - Lots of goodies in this update, including some Pseudo-C improvements (and decompilation to other languages like Rust), new product offering packages, MSVC RTTI extraction, and more. Hey @psifertex - Binja could sponsor us and hook up EC readers...just an idea...

Resources And Write-Ups From This Week:

  • OZZ: Identifying Kernel Out-of-Order Concurrency Bugs with In-Vivo Memory Access Reordering - Typically "OOO" means a beach, a fruity drink, and Slack notifications on silent. However, a team of researchers decided that while you vacation, they are finding bugs and writing killer papers about them. In this Atlanta <> South Korea crossover that would make J.I.D and NewJeans jealous, researchers introduce a new tool called Ozz, designed to detect out-of-order concurrency bugs in operating system kernels. Ozz leverages in-vivo out-of-order execution emulation, a novel technique that enables real-time modification of memory access order during execution. This is paired with hypothetical memory barrier testing, where memory barriers are removed or bypassed, and the kernel is observed for malfunctions to evaluate the necessity of those barriers for maintaining correctness. That's a lot of jargon, but what you do need to know is that it found 11 bugs in the latest version of the Linux kernel.
  • Hop-Skip-FortiJump-FortiJump-Higher - Fortinet FortiManager CVE-2024-47575 - These days, would it really be an EC newsletter if it didn't include an enterprise appliance exploit from Watchtowr? This week, the team dug into the FortiJump vulnerability. The post walks through FortiManager's intended functionality before discussing how it can be abused by an untrusted "device." It then demonstrates setting up an environment, finding the command injection, and writing an exploit. The big surprise, though, was the patch, which didn't even address the correct code path. Fortinet doing Fortinet things.
  • Firefox Animation CVE-2024-9680 - It's been a while since we covered a good Firefox bug, and this recent post from @DimitriFourny should scratch that itch. In his newest write-up, he looks at CVE-2024-9680, a UAF (actually 2!) in Animation timelines. The post starts by walking through the patch, explaining how animation timelines work, and finally pointing out both UAFs. It then examines both manifestations of this bug, ultimately concluding that the 2nd one, the Animation UAF, is much more likely to be the one actually identified ITW, and provides an arbitrary write PoC.
  • Android Security Paper 2024 - Android released its "Android Security Paper 2024" this week. The 55-page behemoth attempts to detail all the latest security measures deployed at each level of the stack on modern Android devices. Starting with hardware mitigations and running up to applications and privacy, the paper works as a high-level explainer for any area you may be curious about.
  • Pots and Pans, AKA an SSLVPN - Palo Alto PAN-OS CVE-2024-0012 and CVE-2024-9474 - The Watchtowr team wasn't done with enterprise-level system calls though, and decided to follow up their Fortinet research with an analysis of the recent PAN-OS bugs as well. In this second post, the team first looks at the authentication bypass resulting from...the server just turning off authentication if you ask nicely enough in the X-PAN-AUTHCHECK HTTP header. After that, it's on to priv esc, which resulted from a PHP command injection via a POST request parameter. Sooo a few HTTP requests and you have a root shell...nice.
  • Leveling Up Fuzzing: Finding more vulnerabilities with AI - Another week, another story about the increasing chances of your unemployment. Google is back to talk about how AI is finding even more bugs now. The OSS-Fuzz team and their AI-powered fuzzing initiatives seem to be paying off, as this blog post rounds up some recent wins from the effort. Of note are the 26 new vulnerabilities found in projects already on OSS-Fuzz. Not only that, but the tool can generate fuzz targets, fix compilation issues, and triage crashes. So basically...it might be better than you.
  • Strengthening FreeBSD: Addressing Vulnerabilities Through Synacktiv’s Code Audit - Synacktiv recently teamed up with FreeBSD for an assessment of critical FreeBSD functionality and ended up publishing a 108-page report with 27 total vulnerabilities...20 of which were noted to be exploitable. Some of the more interesting bugs include a kernel UAF and an OOB read/write in the TPM pass-through device. The write-ups for each of the 27 bugs include detailed information, diagrams, and source code...we would hire Synacktiv should we ever decide to write our own OS.
  • Advanced Fuzzing With LibAFL - @domenuk released his Ekoparty slides this week, filled to the brim with helpful fuzzing tips. The deck starts with a brief overview of fuzzing and then discusses LibAFL specifically, noting the components that make it unique. Then, it walks through some basic examples of using LibAFL to fuzz various targets, providing key tricks for optimizations and features that might be useful in certain conditions. This includes talking through fuzzing simple CLI applications, OSes, and blackbox targets.
  • Reverse Engineering iOS 18 Inactivity Reboot - @naehrdine decided to take a look into recent claims from law enforcement officials (by way of 404 Media) that iPhones will randomly reboot on iOS 18 due to inactivity. After confirming her own device would reboot after 72 hours, she went reverse engineering and found that the SEP keeps track of the last unlock time, and if the time threshold is exceeded, the AppleSEPKeyStore kernel module tells userland to initiate a reboot. The post walks through these findings in Binja, pointing out the key code paths responsible, and wraps up with some takeaways and thoughts on this mitigation.

Interesting Job Postings:

Wrapping Up...


As always, thanks for stopping by. We here at the club are always trying to improve so if you have comments, questions, or suggestions, feel free to shoot us an email - info@exploits.club.

Follow us on X - we occasionally Tweet poor attempts at memes

Don't forget to check out https://bug.directory. It's growing weekly, and we are still looking for more people to contribute. All of the November newsletters should be included by the end of the month.

Your second brain - strictly for bugs

We sell mugs, and personally we have seen a drastic uptick in bugs since using ours. Get yours at https://shop.exploits.club.
Feel free to join the exploits.club Discord server here 👉 https://discord.gg/2dxN2Gtgpx

Same time next week? See you then 🏴‍☠️