
exploits.club Weekly Newsletter 52 - One Year Of Exploits Club ‼️


1 year of exploits.club 🥳 Huge thank you to everyone who has come along for the journey, whether you joined last December or last week. This has truly been a testament to what one man can do when he is procrastinating his actual research. Annnnnyways 👇

In Case You Missed It...

Resources And Write-Ups From This Week:

  • Linternals: Exploring The mm Subsystem via mmap - Everyone's favorite Linux internals series is back. That's right, this week @sam4k1 took to his blog for the latest installment of "Linternals", focusing specifically on the mm subsystem. The post starts with an overview of the subsystem itself and the different functionality it encapsulates. It then takes a deep dive into how memory is mapped via mmap, complete with a journey through the kernel source. The end hints at the possibility of a part two, which we would love to see!
  • The Qualcomm DSP Driver - Unexpectedly Excavating an Exploit - Project Zero and TAG went for an Avengers-style team up, releasing a blog on a recent ITW bug targeting the adsprpc driver. The team received a handful of reported kernel panics, and set to the task of trying to identify the relevant bug. Well, they got more than they bargained for. In addition to the ITW bug, the team also identified 5 additional bugs in the same driver. The post then proceeds to walk through each vuln, giving relevant structures and code paths as needed for understanding. It wraps up with "excavating the exploit", in which the teams try to devise an exploit method based on the kernel panic logs to mimic that which was being used ITW.
  • Detailing the Attack Surfaces of the Tesla Wall Connector EV Charger - Pwn2Own Automotive is fast approaching (Jan 22nd!), and ZDI continues their efforts to help expedite your research by releasing overviews of the targets. This week, the team briefly enumerated the Tesla Wall Connector EV Charger's potential attack surface. The post starts with a teardown, noting some of the more interesting hardware components. The team was then able to dump the STM32 firmware, and theorized some potential ways to do the same for the connection module. They also included a bit of network analysis, detailing some open ports and the endpoints the device reaches out to.
  • Diving into ADB protocol internals pt 2 - Wayyyy back in September, we covered the first entry in Synacktiv's "Diving into ADB protocol internals" series. This week, the team released part 2 of 2! The newest entry focuses specifically on the host-to-device protocol and how communications are carried out. It opens with a brief overview of this flow when using an emulated device. After that, it looks at the host-to-device protocol in detail, covering how the authentication process works, how commands get run on the device, and how files can be transferred. The post ends with some design decisions the team made when re-implementing the protocol themselves, and benchmarks of their Rust tool vs. the out-of-the-box adb tooling.
  • Uncovering GStreamer secrets - GitHub Security Lab (and more specifically @Nosoynadiemas) released a post this week detailing how they found 29 (29!!) new bugs in GStreamer, GNOME's multimedia framework. The post opens with an introduction to GStreamer and is followed by a table of all the vulns. After that, it focuses on fuzzing methodology, discussing why media files are sometimes difficult to fuzz, and the unique approach taken with a corpus generator. Along the way, you learn more about the MP4 file format and the algorithm used for the generator.
  • Diving into Spooler: Discovering LPE and RCE Vulnerabilities in Windows Printer Driver - Back in 2021, @edwardzpeng et al. shared a handful of print spooler vulnerabilities, including the now infamous PrintNightmare. This week the team released the slides from their Black Hat Europe talk, which revisited the attack surface to see if there was anything new to find. Spoiler alert: there was. The presentation details 30+ new bugs in a new attack surface, Windows printer driver rendering. It then walks through three of these vulnerabilities, in resource parsing, XML parsing, and a third-party driver, respectively.
  • The Kernel Hacker's Guide to the Galaxy - @chompie1337 and @fuzzysec released slides from their Hackers To Hackers Conference talk, in which they focus specifically on "automating exploit engineering workflows". The slides start with an overview of past work in the area, detailing how, up until now, AEG has been largely theoretical. They then look at how we might move towards more practical solutions, covering tool selection, bug triggers, and ideas for automation. But it doesn't end there: the talk goes on to how to leverage LLMs, and discusses mitigations, variant analysis, maintenance, and potential future work. And the whole thing is done with case studies to help illustrate the concepts.
  • Diving Into Linux Kernel Security - Another talk coming out of H2HC, this one from @a13xp0p0v. If you have ever wanted to start hacking and/or defending the Linux kernel but thought "no, that's too complex", well then look no further than this perfect primer. The talk approaches getting spun up on the kernel's security in a practical and straightforward manner, meant to serve as an outline for how to get started without getting too bogged down in the complexity. It also covers kernel hardening, discussing some of the tools and configurations Linux leaves at your disposal and how to use them.

Interesting Job Postings:

Wrapping Up...


As always, thanks for stopping by. We here at the club are always trying to improve so if you have comments, questions, or suggestions, feel free to shoot us an email - info@exploits.club.

Follow us on X - we occasionally Tweet poor attempts at memes

Don't forget to check out https://bug.directory. It's growing weekly, and we are still looking for more people to contribute. All of the November newsletters should be included there soon (next week, I swear).

Your second brain - strictly for bugs

We sell mugs, and personally we have seen a drastic uptick in bugs since using ours. Get yours at https://shop.exploits.club.
Feel free to join the exploits.club Discord server here 👉 https://discord.gg/2dxN2Gtgpx

Same time next week? See you then 🏴‍☠️