exploits.club Weekly Newsletter 49 - Linux UEFI Bootkits, ITW FireFox Chains, More Kext Fuzzing, And More
Happy Turkey Day to all who celebrate. I hope your Thanksgiving is full of burnout-curing turkey. And if you aren't in North America...well maybe tell your American and Canadian buddies they are looking a bit slimmer these days...they will certainly be able to use the ego boost after a few days in a food coma. Annnnnnyways 👇
In Case You Missed It...
- Browser Exploitation Workshop - @alisaesage released the full recording of her browser exploitation workshop from VXCON 2024 on YouTube.
- 3rd Edition of Security Engineering Book Now Free - The best Black Friday deal of the week
- SANS HackFest Hollywood Summit 2024 Talks Now Online
Resources And Write-Ups From This Week:
- Finding Bugs in Chrome with CodeQL - Google released a blog this week to talk about some new updates which are sure to excite CodeQL fans. The team has been working closely with GitHub to improve their Chrome databases so that you can quickly grab one and start running queries. Also, Chrome has started to include custom queries directly in the source tree, which is sure to help you get spun up.
- How to develop n-day chrome exploit for electron applications - About three weeks ago, we discussed a post from @S1r1u5_ detailing how Electron apps typically bundle old versions of V8 and are therefore vulnerable to n-day browser exploits. This week, @Hperalta89 explains how you might cash in on this, with a full walk-through of turning a Chrome n-day memory corruption bug into a calc pop. The post starts with recon: identifying the Chrome/V8 version an Electron app actually ships. It then builds read/write primitives by leveraging an object and a float array. From there, it hijacks control flow, bypasses ASLR, injects shellcode and finally pops calc.
- Simple macOS kernel extension fuzzing in userspace with IDA and TinyInst - If the 30-page kext fuzzing post from two weeks ago didn't fully scratch your macOS itch, don't worry, because Project Zero has you covered. In their most recent post, @ifsecure walks through his recent work fuzzing AppleAVD and the unusual approach he took: ripping the kernel extension out into userland. The write-up starts with some background and history before showing how IDA can be used to rebase the kernel module and export it as a standalone binary. Once the kernel-specific functions are rewritten to run in user mode, the binary can be instrumented with a custom TinyInst module and fuzzed with Jackalope. The post rounds out with three bug reports, all out-of-bounds reads, that the fuzzer found.
- RomCom exploits Firefox and Windows zero days in the wild - What do threat intel analysts and browser exploit devs both love? ITW browser chains, which is why this week's post from ESET Research is sure to make all parties happy. The post discusses a recent campaign by the Russia-aligned threat actor RomCom. The team gives an overview of RomCom and other activity attributed to the group before turning to its most recent Firefox chain. It starts with a high-level overview of how the exploits were served, then looks at each of the two bugs and their exploit code individually. The first, CVE-2024-9680, we covered last week: a UAF in Animation Timeline. The second stage is a privilege escalation via the Windows Task Scheduler, abusing an undocumented RPC endpoint. Patch analysis and IoCs are also included.
- Bootkitty: Analyzing the first UEFI bootkit for Linux - ESET researchers were busy this week: only a day after the RomCom post, the team released a second write-up, this time on the "first UEFI bootkit targeting Linux." After an interesting VirusTotal submission, the team dug into a UEFI application named bootkit.efi. Its main goal appears to be disabling signature verification and preloading two ELF binaries via init. Because it is signed only with a self-signed certificate, a machine with UEFI Secure Boot enforced will refuse to run it; even so, the code is designed to boot the kernel seamlessly whether or not it manages to disable signature verification and carry out its malicious intent. The post takes a detailed look at how this works under the hood before turning to some speculation about a possibly related kernel module named BCDropper, which appears to share the same author.
- Gaming Engines: An Undetected Playground for Malware Loaders - If you are a game developer or enthusiast and have ever been a little sketched out by downloading other indie devs' projects directly from sites like itch.io...well, Check Point Research might have just proved you have good reason to be. In a recent malware campaign they uncovered, attackers used Godot and GDScript to spread crypto miners. GDScript can run system commands and is not sandboxed by Godot, which makes it a convenient delivery vehicle for malware. The malicious code was delivered via the Stargazers Ghost Network. Check Point looks at the anti-sandboxing and anti-emulation techniques the code uses, and at what payload is downloaded and how it works.
- Blazingly fast parsing, part 2: lazy parsing - The V8 blog released part two of its series "explaining how V8 parses JavaScript as fast as possible." This post looks at lazy parsing: what it is, how it works, and its inherent challenges. The write-up opens by explaining the problem lazy parsing is intended to solve (not fully parsing functions that may never run) before discussing the most significant challenge it creates: variable allocation, since a lazily parsed function's references to outer-scope variables still have to be resolved correctly. Most of the rest of the post is dedicated to ways around this challenge, and to how V8's approach has evolved over the years.
- One line a day CVE-2024-42477/CVE-2024-42478/CVE-2024-42479: llama.cpp Memory Leak & Arbitrary Read & Write Vulnerability - A few weeks ago, we shouted out a video from @0x_shaq in which he looked at two n-days in llama.cpp and wrote an exploit for them. This week, Hackyboiz found the same target interesting and walked through the same bugs and their exploitation. The post covers some background on the RPC server built into llama.cpp before discussing the arbitrary read and write bugs and how they can be triggered. It ends with a full PoC.
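Following up on the Bootkitty item above, here is an added shell example (not from the ESET write-up) that checks the two things a Linux administrator would want to verify after reading it: whether UEFI Secure Boot is actually enforced, by parsing the SecureBoot efivar (4 bytes of attributes followed by a 1-byte value), and which .efi applications sit on the EFI System Partition, hashed so they can be compared against known-good images. The efivars and ESP mount paths are assumptions that vary by distribution, and the file names in the usage comment are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify UEFI Secure Boot state and inventory EFI applications
# on the ESP. Paths below are assumptions (typical for Linux, adjust as needed).

EFIVARS=${EFIVARS:-/sys/firmware/efi/efivars}
ESP=${ESP:-/boot/efi}

# Parse a SecureBoot efivar file. The kernel exposes efivars as 4 bytes of
# attributes followed by the variable data; for SecureBoot the data is a
# single byte, 1 = enforced, 0 = not enforced.
# Prints "enabled", "disabled" or "unknown".
parse_secureboot_var() {
    f=$1
    [ -r "$f" ] || { echo unknown; return 0; }
    val=$(od -An -tu1 -j4 -N1 "$f" | tr -d ' ')
    case "$val" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Locate the SecureBoot variable (its name carries the EFI global GUID suffix)
# and report its state. A missing efivars tree usually means a legacy BIOS boot,
# in which case there is no Secure Boot to rely on at all.
secureboot_state() {
    var=$(ls "$EFIVARS"/SecureBoot-* 2>/dev/null | head -n1)
    [ -n "$var" ] || { echo "unknown (no efivars, legacy BIOS boot?)"; return 0; }
    parse_secureboot_var "$var"
}

# List every .efi file under a directory with its SHA-256, so an unexpected
# entry such as a stray bootkit.efi stands out and known-good hashes can be
# compared against distribution-shipped boot loaders.
list_efi_apps() {
    dir=$1
    find "$dir" -type f -iname '*.efi' 2>/dev/null | while read -r f; do
        printf '%s  %s\n' "$(sha256sum "$f" | cut -d' ' -f1)" "$f"
    done
}

main() {
    echo "Secure Boot: $(secureboot_state)"
    echo "EFI applications under $ESP:"
    list_efi_apps "$ESP"
}

# Usage: RUN_MAIN=1 sh check_esp.sh   (the guard lets the functions be sourced
# into other scripts without side effects)
if [ "${RUN_MAIN:-0}" = 1 ]; then
    main
fi
```

If the script reports "disabled" on a machine you expected to be protected, that is the condition under which a self-signed bootkit like Bootkitty can run; an unfamiliar .efi on the ESP whose hash does not match your distribution's shim, GRUB or kernel image is the artifact to pull for analysis.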
Interesting Job Postings:
- Vulnerability Research @ Nightwing (On-Site: Indialantic, FL)
- Sr. Security Software Engineer (Starlink) @ SpaceX (On-Site: Hawthorne, CA)
- Vulnerability Researcher I @ Research Innovations (On-Site: Melbourne, FL)
- Vulnerability Researcher III @ Crowdstrike (Remote: India)
- AI Vulnerability Researcher @ Carnegie Mellon University (On-Site: Pittsburgh, PA)
Wrapping Up...
As always, thanks for stopping by. We here at the club are always trying to improve so if you have comments, questions, or suggestions, feel free to shoot us an email - info@exploits.club.
Follow us on X - we occasionally Tweet poor attempts at memes
Don't forget to check out https://bug.directory! It's growing weekly, and we are still looking for more people to contribute. All of the November newsletters should be included by the end of the month.
We sell mugs, and personally we have seen a drastic uptick in bugs since using ours. Get yours on at https://shop.exploits.club.
Feel free to join the exploits.club Discord server here 👉 https://discord.gg/2dxN2Gtgpx
Same time next week? See you then 🏴☠️