exploits.club Weekly Newsletter 50 - Windows Galore, VR Fails, Linux 1-Days, And More
Happy December - where hacking music changes from "lofi / future garage" over to "lofi / future garage - Christmas themed". Annnnnyways 👇
In Case You Missed It...
- AFL++ v4.30c Release
- Graphics Programming Conference 2024 Videos - It's not directly security...but it's cool.
Resources And Write-Ups From This Week:
- OtterRoot: Netfilter Universal Root 1-day - @_0xTen released a post earlier this week detailing a 1-day in the Linux kernel which he was able to leverage in KernelCTF due to a patch gap. The post starts with a brief introduction to kernel exploitation and nf_tables, giving you all the requisite background knowledge to understand the vulnerability. It then provides an RCA and patch review of CVE-2024-26809, a double free caused by a missing flag toggle. The second half of the post goes over exploitation, walking through the necessary steps to trigger the bug, bypass KASLR, hijack control flow, ROP to privesc...and get the KCTF flag. Not satisfied to stop there though, the author then discusses how the exploit was made more generic, such that it "works stably, regardless of target".
- Lorex 2K Indoor WiFi Security Camera: Multiple Vulnerabilities - If you woke up this morning thinking "damn, I really want to read a 39-page white paper covering multiple vulnerabilities in an indoor WiFi security camera"...you should probably get outside a bit more. But, before you do that, you can head over to Rapid7's site and scratch that itch. In their most recent blog post, the team discloses a chain of 5 vulnerabilities that allowed them to achieve unauthenticated remote code execution at Pwn2Own 2024. The exploit works in 2 phases, first by using an auth bypass and an OOB read to leak a secret value and reset the administrator's password. From there, a null deref is used to restart the device and an authenticated buffer overflow is triggered to get code exec.
- SSD Advisory: ksthunk.sys Integer Overflow (PE) - Wait, stop me if you have heard this combination before: "Windows Streaming Service" and "some handlers to make 32bit process work properly". Well, it continues to profit, as this recent disclosure from SSD demonstrates. The blog reviews the vulnerable IOCTL, pointing out where the int overflow is and how it quickly leads to a heap overflow. It then calls out a handful of potential blockers, making the bug a bit more difficult to trigger, such as the huge copy, which will cause a fault at unmapped memory. From there, it talks exploitation, using the "Named-pipe technique" to get arb r/w and escalate priv. It comes with full exploit code as well!
- MmScrubMemory - The Nemesis of Virtual Machine Introspection - Have you ever solved a problem the "easy" way, only for it to come back to haunt you in the future? This story from @PetrBenes may ring just a bit too close to home for you in that case. In his blog post from this week, he walks through his experience with MmScrubMemory, a pesky function that seems to thwart VM introspection at just about every turn. The post discusses his first encounter 6 years ago, followed by a second one just a year later. In both cases, while he found a workaround that served his purpose at the time, it left his fundamental question ("how to allocate non-paged kernel memory such that MiScrubMemoryWorker won't touch it") unanswered. However, the post reflects on his recent third encounter with this functionality and how he was able to do dynamic analysis to determine what actually triggers it. From there, he discloses a satisfying solution that prevents remapping the root of the page table structure.
- Windows Sockets: From Registered I/O to SYSTEM Privileges - If you thought we were done talking about Windows...well, we aren't. A new blog from Exodus this week covers CVE-2024-38193, a use-after-free vulnerability in the afd.sys Windows driver. As is typical with Exodus posts, the first half ensures the reader gets up to speed on the necessary subsystems to understand the vulnerability and exploit. In this case, it provides a nice overview of the Windows Registered I/O (RIO) extension and some of its associated kernel structures used by the afd.sys driver. From there, it covers the race condition between caching and dereferencing a buffer, which leads to our UAF. The final section of the post covers exploitation in 3 phases: heap spray, trigger, and privesc. An arb r/w is achieved by abusing the internal RIO Send and Receive mechanisms.
- 0x00 - Introduction to Windows Kernel Exploitation - Keep the Windows train rolling babyyyy. You've now read all these blog posts, and you're thinking..."huh, how do I do that?" Well good news for you, @wetw0rk_bot has got you covered with this new "Intro to Windows Kernel Exploitation". It starts with an overview of how to get a debugging set-up. After that, it shows how to load an intentionally vulnerable driver, so you can start practicing real exploitation. The rest of the post covers exploitation of a traditional stack overflow on Windows 7. The plan for future posts in the series is to walk from that starting point to more modern bugs on Windows 11 systems. We look forward to it!
- Android's CVE-2020-0238 (AccountTypePreferenceLoader) - VR stories tend to be about wins. But VR tends to be...well, mostly about losses tbh. Which is why we resonated heavily with this new post from @vr_progress (maintained by @0x_shaq). It covers the triage and RCA of an Android bulletin bug (CVE-2020-0238) labeled High severity with type EoP. However, after careful analysis, it becomes evident that this logic bug has a handful of pre-reqs, making it impractical to craft a useful exploit in a real-world context.
Interesting Job Postings:
- Summer 2025 Internship @ Vector 35 (On-Site: Melbourne, FL)
- Kernel Security Researcher @ Apple (Remote)
- Security Engineer @ Cisco TALOS (Remote)
- Senior Vulnerability Researcher @ Dark Circuit Labs (On-Site: Quantico, VA)
- Windows Vulnerability Research & Detection @ Crowdstrike (Remote)
Wrapping Up...
As always, thanks for stopping by. We here at the club are always trying to improve so if you have comments, questions, or suggestions, feel free to shoot us an email - info@exploits.club.
Follow us on X - we occasionally Tweet poor attempts at memes
Don't forget to check out https://bug.directory! It's growing weekly, and we are still looking for more people to contribute. All of the November newsletters should be included by the end of the month.
We sell mugs, and personally we have seen a drastic uptick in bugs since using ours. Get yours on at https://shop.exploits.club.
Feel free to join the exploits.club Discord server here 👉 https://discord.gg/2dxN2Gtgpx
Same time next week? See you then 🏴☠️