exploits.club Weekly Newsletter 51 - Indoor Camera Bugs, SD Card Cheaters, Linux CTF Sandboxes, and More
Good morning, afternoon, and evening Exploits Club friends. Now that it's officially December, you can change your terminal themes to something holiday-themed in celebration. Annnnnnyways... bit of a shorter edition this week 👇
In Case You Missed It...
- TyphoonCon 2025 CFP - Get your papers in!
- The December 2024 Security Update Review - Lots of patches, lots of crits, lots of fun.
Resources And Write-Ups From This Week:
- Exploiting the Lorex 2K Indoor Wifi at Pwn2Own Ireland - InfoSect released a write-up this week detailing their exploit for the Lorex 2K camera, which they demoed at Pwn2Own Ireland earlier this year. The bug itself is a pre-auth stack overflow in the login protocol: the username and password get copied straight into fixed-size stack buffers with no length check....nice. The back half of the post focuses primarily on exploitation. The team had a handful of mitigations and constraints to work around, but eventually found some useful gadgets to pivot the stack and ROP their way to shellcode.
- SpongeBox: Bringing Linux Logical Vulnerabilities Back To Life: BlueWater CTF 2024 - A fun post about a recent Linux CTF chal which was inspired by some old bugs. The challenge is a simple server that supports 3 commands: create, connect (to a sandbox), and communicate. Using a combination of logic bugs, it becomes possible to leak an fd to uid_map. That can be chained together with another logic bug that allows writing to the leaked fd from a privileged process. That explanation doesn't actually do the beautiful challenge or subsequent write-up justice, though, so go read it for yourself!
- New dog, old tricks: DaMAgeCard attack targets memory directly thru SD card reader - In the wise words of popular hacker Justin Timberlake... What Comes Around, Goes Around. This week, what's old is yet again new as PT Swarm runs us through the history of I/O DMA and its inherent security issues throughout the years. The post starts all the way back in 1995, and after the lesson in history, takes a look at the increased adoption of the SD Express standard. The standard was first proposed in 2018 but only recently gained traction. The team used PCILeech against four different devices to demonstrate the range of protections (or lack thereof) in current consumer devices. The AYANEO Air Plus, a Windows handheld gaming PC, had no IOMMU, meaning a malicious card gets unrestricted DMA into system memory, making for some happy cheaters.
- Hunting the Mongoose: Discovering 10 Vulnerabilities in the Mongoose Web Server Library - We are starting to think that maybe the most effective way to find bugs is to go to OSS-Fuzz, find coverage gaps, and write a better harness for yourself....but you probably already knew that. If you need more convincing, though, look no further than the 10 Mongoose bugs dumped by Nozomi Networks earlier this week. The team noticed that the existing harness did not exercise any of the Mongoose library's TLS functionality. Because fuzzing a live TLS connection is awkward, the team set up a mock connection to build the initial TLS state, and from there they could fuzz the handshake function just as it would run on a real connection. The post then walks through an integer underflow the harness found and provides a list of the other 9 bugs and their impact.
- Decrypting CryptProtectMemory without code injection - A small deep dive into CryptProtectMemory from @slowerzs. The post reverse engineers the function and finds that it is simply a wrapper around an IOCTL. The cryptography driver does the heavy lifting, and the post follows how the different keys are generated within this driver and summarizes how protected memory is actually decrypted. Using this logic, the author wrote a usermode client that performs the same operations, allowing for memory decryption without code injection.
- Cleo Harmony, VLTrader, and LexiCom - RCE via Arbitrary File Write (CVE-2024-50623) - A little less low-level, but no less impactful. The team over at Watchtowr drafted up a post this week on RCE via an arbitrary file write. The vulnerability affects a handful of Cleo products and has been the target of some recent ransomware operators. The vulnerability itself is botched path sanitization of a value taken from an HTTP request header, allowing for arbitrary file read/write. The post walks through the actual Java in charge of this vulnerable functionality and the patch for the path sanitization...which appears to be bypassable, though that is left "as an exercise to the reader".
- Some Fun Bugs:
- VMA UAF when nascent MM is accessed through forked userfaultfd or khugepaged after aborted fork
- Windows Kernel registry security descriptor refcount may overflow when referenced by too many transacted operations
- Chrome - WASM Type Confusion
- Windows Kernel double-fetch in the loading of remote registry hives, leading to memory corruption
- Adobe Acrobat Reader Font Private Point Numbers Out-Of-Bounds Read Vulnerability
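The Lorex bug class above (login fields copied into fixed-size stack buffers) is common enough that it's worth seeing the vulnerable shape beside the fix. The example below is an added illustration written for this newsletter, not code from the InfoSect write-up or from the Lorex firmware; the `user=<name>&pass=<pw>` request format, the 32-byte field size, and every function name in it are assumptions made up for the demo and are not the Lorex login protocol.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example. Request format "user=<name>&pass=<pw>" and the
 * FIELD_MAX size are hypothetical, chosen only to show the bug class. */
#define FIELD_MAX 32

/* Vulnerable shape: attacker controls the length of both fields, the
 * destination is a fixed-size stack buffer, and nothing compares the two.
 * Kept here for contrast only; calling it with a long field overflows the
 * stack frame and (without mitigations) clobbers the saved return address. */
void login_vulnerable(const char *msg)
{
    char user[FIELD_MAX];
    char pass[FIELD_MAX];
    const char *u = strstr(msg, "user=");
    const char *p = strstr(msg, "&pass=");
    if (!u || !p) return;
    size_t ulen = (size_t)(p - (u + 5));
    memcpy(user, u + 5, ulen);   /* no check against sizeof(user) */
    user[ulen] = '\0';
    strcpy(pass, p + 6);         /* no check against sizeof(pass) */
    (void)user; (void)pass;
}

/* Hardened form: measure each field, reject anything that does not fit
 * (leaving room for the NUL), and only then copy into the caller's buffers.
 * Returns 0 on success, -1 on malformed or overlong input. */
int login_safe(const char *msg, char *user, size_t usz, char *pass, size_t psz)
{
    const char *u = strstr(msg, "user=");
    const char *p = strstr(msg, "&pass=");
    if (!u || !p || p < u) return -1;
    const char *ustart = u + 5;
    const char *pstart = p + 6;
    size_t ulen = (size_t)(p - ustart);
    size_t plen = strlen(pstart);
    if (ulen >= usz || plen >= psz) return -1;  /* would overflow: refuse */
    memcpy(user, ustart, ulen); user[ulen] = '\0';
    memcpy(pass, pstart, plen); pass[plen] = '\0';
    return 0;
}

/* Wrapper using the same stack buffer sizes as the vulnerable version. */
int check_login(const char *msg)
{
    char user[FIELD_MAX], pass[FIELD_MAX];
    return login_safe(msg, user, sizeof user, pass, sizeof pass);
}

/* Builds a constructed request whose username is n bytes of 'A', the kind
 * of input a fuzzer or an attacker would send to probe the field limit. */
int check_login_with_user_len(size_t n)
{
    char msg[512];
    if (n > 400) return -1;
    memcpy(msg, "user=", 5);
    memset(msg + 5, 'A', n);
    strcpy(msg + 5 + n, "&pass=x");
    return check_login(msg);
}

int main(void)
{
    printf("normal login:     %d\n", check_login("user=admin&pass=hunter2"));
    printf("31-byte username: %d\n", check_login_with_user_len(31));
    printf("32-byte username: %d\n", check_login_with_user_len(32));
    printf("100-byte username: %d\n", check_login_with_user_len(100));
    return 0;
}
```

The point of the safe version is that the length check happens before any byte lands on the stack; the device in the write-up needed a ROP chain precisely because the vulnerable path wrote first and never checked at all.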
Interesting Job Postings:
- Principal Zero-Day Vulnerability Researcher @ ZScaler (Remote)
- Vulnerability Researcher @ Cisco (Remote)
- Early Career Vulnerability Researcher @ Battelle (On-Site: Columbus, OH)
- Intermediate Vulnerability Research Engineer @ GitLab (Remote)
- Senior Vulnerability Researcher @ Nightwing (On-Site: Indialantic, FL)
Wrapping Up...
As always, thanks for stopping by. We here at the club are always trying to improve so if you have comments, questions, or suggestions, feel free to shoot us an email - info@exploits.club.
Follow us on X - we occasionally Tweet poor attempts at memes
Don't forget to check out https://bug.directory! It's growing weekly, and we are still looking for more people to contribute. All of the November newsletters should be included here soon (we have been lazy...sorry).
We sell mugs, and personally we have seen a drastic uptick in bugs since using ours. Get yours at https://shop.exploits.club.
Feel free to join the exploits.club Discord server here 👉 https://discord.gg/2dxN2Gtgpx
Same time next week? See you then 🏴☠️