
exploits.club Weekly Newsletter 59 - Steam Deck Bugs, The Lama Paradox, ROP to System, and More

Revisiting our intro from last week, turns out it can get worse - like speak-directly-to-the-camera-with-127-million-people-watching worse. Annnnnnyways 👇

In Case You Missed It...

Resources And Write-Ups From This Week:

  • How PhysPuppet Achieves Use-After-Free on a Page of Memory - @bellis1000 has been putting together some great content over on YouTube in the last month, specifically covering the PhysPuppet iOS bug. The first episode in the series covers the bug itself and demonstrates how it can be used to obtain a dangling PTE. The second video looks at exploitation, walking through the spray of IOSurface objects used to turn that dangling PTE into an R/W primitive. The videos are complete with some really nice animations and demos, so definitely give them a watch.
  • Tracing Back to the Source | SPTM Round 3 - Dataflow Forensics has just released the 3rd entry in its blog series on the Secure Page Table Monitor (SPTM) - a new component intended to help enforce memory isolation in XNU. The post mainly walks through disassembly of the new code, getting a lay of the land and working out SPTM's entry point, set-up, and functionality. It also takes a look at the Trusted eXecution Monitor (TXM), following much the same methodology. As the only public research into these areas, it's sure to be a must-read for *OS hackers.
  • Llama's Paradox - Delving deep into Llama.cpp and exploiting Llama.cpp's Heap Maze, from Heap-Overflow to Remote-Code Execution - "Besides, I am so hungry for a binary-exp in AI Projects to prove my binary-exploitation things are not 'outdated', but that's another thing". From that moment, we were hooked on @retr0reg's most recent post on his exploitation of Llama.cpp. The post is a behemoth of a write-up, covering pre-reqs and past research while tying in research methodology along the way. The bug identified is a heap overflow, and the post spends the majority of its word count on how to write an exploit for it given Llama.cpp's custom heap management.
  • Being Overlord on the Steam Deck with 1 Byte - Who doesn't love the Steam Deck? And who doesn't love BIOS bugs? Quarkslab decided "why not both" and made that the topic of their most recent research project. The subsequent post walks through a few vulnerabilities they found, the most interesting being a 1-byte arbitrary write (as the name suggests) and an arbitrary AND-masking primitive (yes - it's a thing). It then asks whether that is enough for exploitation. And if you are thinking "there's no way", well...you should give the rest of this one a read. The team is able to turn their very constrained bugs into an arbitrary read/write, and then get code execution from there.
  • Exploring a VPN Appliance: A Researcher's Journey - It's been a while since we ripped on Fortinet, so this feels like the perfect opportunity to get back into the groove of things. Especially if they are going to use dependencies from the year 2000. That's right, the product was shipping an open-source Apache library that had not been updated in 25 years. The post then walks through a handful of vulnerabilities identified in this ancient code, including an OOB NULL write, an OOB read, and an integer underflow.
  • !exploitable Ep 1 - Breaking IoT - Doyensec posted a blog this week about how they are cooler than your company and do retreats on cruises. And while they are on cruises, they write exploits. Specifically, the team set a goal of writing an exploit for an IoT, a web, and a binary N-day. This first entry in the blog series covers the IoT exploit, a stack overflow in the Tenda AC15. The team started with a heap overflow before finding and pivoting to a slightly easier bug. It walks through getting a debug set-up, identifying the bug, and ROPing to system.
  • ROPing our way to RCE - Continuing with the "exploiting old bugs with no mitigations" theme: on a recent engagement, modzero came across an outdated web server with an overflow CVE from 2022 and no public exploit - so they decided to write one. The bug here is fairly straightforward: a user-controlled value is strcat()ed onto a stack buffer with no bounds check. The post then goes through finding some 32-bit ARM gadgets, using an unrelated path traversal to bypass ASLR, and ROPing to system.
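Both the Doyensec and modzero items above end in the same place: an unchecked copy into a fixed-size stack buffer, then a ROP chain to system. The snippet below is an added illustration written for this issue, not code from either write-up or from the affected products. It assumes a hypothetical document-root prefix and a 64-byte path buffer; it shows the vulnerable strcat() shape (left uncalled, since running it with long input is undefined behaviour), a predicate that mirrors its overflow arithmetic, and a bounded replacement that rejects oversize input instead of silently truncating it.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical document root and buffer size chosen for this illustration. */
#define DOCROOT "/www/"
#define PATH_SZ 64

/* Vulnerable shape from the write-ups: the request path is appended to a
 * fixed-size stack buffer with strcat() and no length check. On a 32-bit
 * ARM target built without stack cookies, a long path walks over the saved
 * return address, which is the slot the ROP chain hijacks.
 * Intentionally not called below; never feed it untrusted input. */
void build_path_vuln(const char *req_path)
{
    char path[PATH_SZ];
    strcpy(path, DOCROOT);
    strcat(path, req_path);      /* strlen(req_path) is unbounded: stack overflow */
    puts(path);
}

/* Mirrors the vulnerable function's arithmetic without performing the write:
 * the buffer is exceeded once prefix + input + terminating NUL > PATH_SZ. */
bool vuln_would_overflow(const char *req_path)
{
    return strlen(DOCROOT) + strlen(req_path) + 1 > PATH_SZ;
}

/* Hardened version: snprintf() never writes past out_sz and returns the
 * length it wanted to produce, so truncation is detected and the request is
 * rejected rather than turned into a wrong or partially attacker-chosen path. */
bool build_path_safe(char *out, size_t out_sz, const char *req_path)
{
    int n = snprintf(out, out_sz, "%s%s", DOCROOT, req_path);
    if (n < 0 || (size_t)n >= out_sz) {
        out[0] = '\0';           /* fail closed on oversize input */
        return false;
    }
    return true;
}

int main(void)
{
    /* Constructed sample inputs: a normal file name and a 199-byte filler. */
    char out[PATH_SZ];
    char long_path[200];
    memset(long_path, 'A', sizeof long_path - 1);
    long_path[sizeof long_path - 1] = '\0';

    printf("short input overflows vulnerable buffer? %d\n", vuln_would_overflow("index.html"));
    printf("long input overflows vulnerable buffer?  %d\n", vuln_would_overflow(long_path));
    printf("safe build, short input: %d -> %s\n", build_path_safe(out, sizeof out, "index.html"), out);
    printf("safe build, long input:  %d\n", build_path_safe(out, sizeof out, long_path));
    return 0;
}
```

The point of the predicate is that the overflow condition is pure arithmetic on lengths; the exploits in both posts simply pick a request path longer than the slack between the prefix and the saved return address. Checking that arithmetic up front, or letting snprintf() do it, is the whole fix.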

Interesting Job Postings:

Wrapping Up...


As always, thanks for stopping by. We here at the club are always trying to improve so if you have comments, questions, or suggestions, feel free to shoot us an email - info@exploits.club.

Follow us on X - we occasionally Tweet poor attempts at memes

Don't forget to check out https://bug.directory!

Your second brain - strictly for bugs

We sell mugs, and personally we have seen a drastic uptick in bugs since using ours. Get yours on at https://shop.exploits.club.

Feel free to join the exploits.club Discord server here 👉 https://discord.gg/2dxN2Gtgpx

Same time next week? See you then 🏴‍☠️