We spent atleast 15 minutes trying to write a joke about the difference between SCIFs in Arlington and the beaches in Barcelona that was both funny and politically vague. Conclusion: its impossible. Annnnyways 👇

In Case You Missed It...

• OffensiveCon Tickets - Annnnnnd they are gone in just 5 hours. But you can still get on the waitlist if you missed them, so be sure to sign up!
• REverseConf Talk Schedule Is Live - Headed to Orlando next month? Check out the talk schedule which went up this week.
• Configuring a tmux layout for pwndbg - A pretty cool write-up on getting a clean pwndbg set-up to put different views in individual panes.

Resources And Write-Ups From This Week:

• Exploitation Walkthrough and Techniques - Ivanti Connect Secure RCE (CVE-2025-0282) - Ivanti seems to continue to take the "all press is good press" approach to security. Over the last week, the labs team at Watchtowr released a 2 part blog series detailing CVE-2025-0282, a fairly straightforward stack overflow. Part 1 covered the patch diffing necessary to determine the root cause, as well as the development of a crash PoC. Part two then expanded on that research, working to develop a full exploit. Exploitation was complicated a bit by mitigations and program state, but the team could put together a fake object with a fake vtable pointer and pivot the stack, ropping to success.
• Security through transparency: RP2350 Hacking Challenge results are in - Its rare that we see companies do things that make us feel "good" inside...especially when it comes to security. This week, Raspberry Pi is trying to flip the script. The company launched a hacking challenge on their newest RP2350 - retrieve a secret value from the OTP memory and get $10k. However, the 30 day deadline passed with no submissions, so the company extended another 30 days and bumped the payout to $20k. Andddd well, that certainly enticed some of you hardware freaks to start poking at it. The write-up includes 4 valid submissions, each of which takes a different approach to retrieving the value (3 of which rely on some sort of fault injection). And even though the company said they were only going to pay out 1 submission, they decided to reward all the valid entries fully. Nice!
• Reverse-engineering a VNA ECal Interface With Cynthion - Did we only come across this article for the first time this week because our lord and savior @travisgoodspeed tweeted about it? Maybe. But just because we are late to the party doesn't mean we can't still bring it to you guys. In this fun reverse engineering-focused write-up, @miek@mastodon.social walks through his process of figuring out VNA communication protocol so that he can implement his own Ecal module and save some 💸. The post opens with a bit of reverse engineering on ECal software to see how it works, but quickly moves to USB device emulation using Cynthion and Facedancer. From there, it becomes a game of running, seeing what is expected from the device, and implementing handlers. Add in a little troubleshooting and some weird protocol quirks with addressing, and you have yourself an open-source Ecal module.
• Samsung S24: Out of bounds write in APE Decoder - It's not every day that new Android zero-click attack surfaces get dropped. But then again, @natashenka is not every other researcher. This week, an issue became unrestricted, and it demonstrates the dangers of that really useful feature that makes it so you don't have to re-listen to your friends 3AM drunk audio message about girl and/or guy problems...thats right, RCS audio transcription. Turns out, this is on by default, and the audio is thrown directly to Monkey's Audio (APE) decoder. This decoder had an overflow in a dmabuf write due to improper size checking and thus could be used to crash the target device's C2 process. While it's not clear if this particular bug is exploitable, it is clear that no one is (publicly) talking about this attack surface.
• A Brief JavaScriptCore RCE Story - A great post from @qriousec on a bug in the WebKit JavaScript engine. The team spotted a trivial unitized memory issue they spotted in a WebKit commit, and knowing that it would quickly be patched, decided to look at if it was exploitable. The post starts with a brief overview of the bug and the patch, giving the relevant info needed for us non-browser folks. Then it walks through two exploitation examples. The first is on an x86-64 Linux box, in which the strategy is for arb read/write is laid out. But they don't wrap up there and instead move on to an example for MacOS, in which they demonstrate how to revise the exploit strategy to bypass the platform's JIT memory protections. And for PAC? Well..." Pointer Authentication (PAC) remains an unbroken mitigation in this case. In a fully hardened macOS environment, our exploit would likely fail due to PAC verification, it's a big challenge waiting for us". Remember - you all chose this career path of perpetual pain and suffering.
• Linux Kernel: Integer Overflow in eBPF XSK map_delete_elem Leads to Out-of-Bounds - It feels like we have been covering Windows bugs for weeks now, so it feels good to finally get back to some Linux Kernel stuff. This one was pretty straightforward...what do you get when a user-signed integer is compared with an unsigned size check? Nothing good. This potentially negative signed value is then used as an index for a write, resulting in an OOB write. And its important to remember to always do your variant analysis, because you could get two-for-the-price-of-one vulnerable pattern, as seen in this second issue which is virtually identical but affects a different area of the code.
• Linux Kernel: Out of bounds Read in ksmbd_vfs_stream_read - Failing to account for values potentially being negative seems to be a theme in this weeks Linux kernel patches. In this issue, a kernel leak via an OOB read due to a potentially negative index. This bug was in Ksmbd (which we talked about last week as well), and includes a PoC demonstrating just how it would work. And as we said above...do your variant analysis because the same pattern exists in the corresponding write function as well, as evidenced by this second security report.

Interesting Job Postings:

• Sr Distinguished Engineer, Vulnerability Research @ Palo Alto Networks (On-Site: Santa Clara, CA)
• Hardware Security Modules Engineer @ Anchorage Digital (Remote)
• Senior Vulnerability Researcher @ ARM (On-Site: Austin, TX)
• Junior Vulnerability Researcher @ Battelle (On-Site: Colombus, OH)
• Offensive Android Security Specialist @ Samsung (On-Site: Mountain View, CA)

Wrapping Up...

As always, thanks for stopping by. We here at the club are always trying to improve so if you have comments, questions, or suggestions, feel free to shoot us an email - info@exploits.club.

Follow us on X - we occasionally Tweet poor attempts at memes

Don't forget to check out https://bug.directory!

We sell mugs, and personally we have seen a drastic uptick in bugs since using ours. Get yours on at https://shop.exploits.club.

Feel free to join the exploits.club Discord server here 👉 https://discord.gg/2dxN2Gtgpx

Same time next week? See you then 🏴‍☠️