exploits.club Weekly Newsletter 56 - CoD Anti-Cheat Reversing, NaN CTF Solutions, Mercedes Car Hacking, And More

Goooooood morning, afternoon and evening hackers. Hope everyone is having a week full of great bug hunting👇
In Case You Missed It...
- Pwndbg 2025.01 Release - Adds official support for LLDB, as well as lots of other goodies. Check it out!
- Google Patch Reward Program Bounty Increases Scope and Payout - Get paid to submit patches for in-scope projects. Who doesn't want that?
- Pwn2Own Automotive - At the time of writing this, day two has just wrapped up with Fuzzware.io on top. We are looking forward to the write-ups to come!
Resources And Write-Ups From This Week:
- NaN Of Your Business - My Favorite Unintended CTF Solution - Here is a fun write-up about someone who is younger than you figuring something out that you almost certainly wouldn't have. And who doesn't love that to start their Thursday? The post covers a CTF challenge from the Spokane Cyber Cup (SCC), which was intended to demonstrate the dangers of floating point rounding. While the write-up does include a run-through of the intended solution, it then details an even more interesting solve submitted by an underclassman in high school. He was able to use NaN due to a handful of program quirks, mainly a fail-open design and a cast to a long long (where (long long)NaN equals 0...who knew). Pretty fun, be sure to give it a read!
- Reverse Engineering Call Of Duty Anti-Cheat - To every kid who has fired up Cheat Engine, gone through the tutorial, and then gone on Twitter to ask "how 2 bypass anti-cheat".... we recommend checking this post out. It's not all that often that research on modern anti-cheats is released, but that's precisely what @ssnossnossno has done. The post covers the numerous protections the user-mode anti-cheat puts in place. For starters, there is Arxan, the obfuscation tool. That in itself is going to make life a pain, but on top of that, it seems like Treyarch has rolled its own pointer encryption for essential pointers. And then you have mitigations like hook detection, checking for Windows "Test Mode", detection of cheat logging and visuals, anti-debugging, anti-signature scanning (this one was cheeky), traffic monitoring, and more. The write-up does a great job of covering each relevant aspect of the AC, discussing its implementation, and theorizing about potential ways around some of them. A must-read for any game hackers.
- MacOS Sandbox Escape via Type Confusion in coreaudiod/CoreAudio Framework - A fun type confusion bug from a P0 report residing in the CoreAudio Framework. Specifically, users retrieve objects via an ID, and the privileged process assumes the type of the retrieved object without actually checking or verifying it. This opens the door to fetching a smaller or incompatible object type, triggering the type confusion. The bug report then goes on to demonstrate with a crash PoC, and wraps up with the affected routines.
- L0PSec Rust RE Video - We just want to take a minute to shout out this channel in general. High quality RE content can sometimes be hard to find, but if you are in search then L0PSec's channel is an underrated gold mine. This video reviews a malware sample originally covered by Patrick Wardle in a blog post at the beginning of this year. L0PSec specifically goes into the project to better understand a behavior the malware seems to demonstrate (searching logs for a "restart initiated"), but uses it broadly to go over some Rust reversing fundamentals. He goes through it in real-time, so you can see his personal workflow. And, even better...he uses Binary Ninja.
- Checking whether an ARM NEON register is zero - A quick and fun post from @lemire which starts with a brief walkthrough of some interesting, powerful instructions in ARM NEON. The post reviews C code examples, showing how you can leverage special instructions to do various tasks you've probably had to do before (i.e., add the values from two arrays into a third). However, in explaining this, a "deceptively" tricky problem arises - determining if an ARM NEON register contains only 0s. The rest of the post details a few approaches to trying to solve this problem efficiently, showing code examples and then explaining how many instructions they compile down to.
- Mercedes-Benz Head Unit security research report - Everyone loves car hacking. And this week, Kaspersky Security Services published a report on the Mercedes-Benz Head Unit which will hopefully scratch some of that "car hacking" itch you've been having. This post starts with the usual testing set-up (with a cool anti-theft bypass) and firmware unpacking and decryption. It then reviews the three types of IPC protocols the firmware uses to pass messages between its own threads, which helps the team to better understand the internal services. Finally, we get into the bug-hunting phase of the post, starting with a review of the internal network, which turned up a stack buffer overflow and a command injection, as well as an N-day (PwnKit) for privesc. It then looks at the USB attack surface, identifying a heap overflow, an arbitrary file write, and a broken integer check. The post wraps up with a complete list of CVEs assigned (13), and some notes on the "attack vectors" assessed.
Interesting Job Postings:
- Senior Vulnerability Researcher @ Arm (Hybrid: Austin, TX)
- Offensive Hardware Security Researcher @ NVIDIA (On-Site: Santa Clara, CA)
- Security Vulnerability Researcher @ Microsoft (Remote)
- Mobile Vulnerability Researcher @ Magnet Forensics (Remote)
- Security AI Technical Lead @ Cisco (On-Site: San Jose, CA)
Wrapping Up...
As always, thanks for stopping by. We here at the club are always trying to improve so if you have comments, questions, or suggestions, feel free to shoot us an email - info@exploits.club.
Follow us on X - we occasionally Tweet poor attempts at memes
Don't forget to check out https://bug.directory!

We sell mugs, and personally we have seen a drastic uptick in bugs since using ours. Get yours at https://shop.exploits.club.
Feel free to join the exploits.club Discord server here 👉 https://discord.gg/2dxN2Gtgpx
Same time next week? See you then 🏴☠️
