exploits.club Weekly Newsletter 60 - kCTF Patch Gaps, USB Restricted Mode Bypasses, LLM Harnesses, and More

2025 - where every headline looks like it came from The Onion. Annnnnnyways 👇

In Case You Missed It...

  • Phrack 71 PDF and CFP - Phrack released the Phrack 71 PDF last week AND put out a continued notification about their CFP, which ends April 1st. Get your papers in!
  • RomHack 2025 CFP - Speaking of CFP, RomHack has opened theirs - submit before May 19th!

Resources And Write-Ups From This Week:

  • From Convenience to Contagion: The Half-Day Threat and Libarchive Vulnerabilities Lurking in Windows 11 - What happens when Windows decides to support multiple new archive formats in the file explorer? Bugs...obviously. This week, Devcore put together a write-up detailing some vulnerabilities they found after Windows decided to introduce 11 new archive file formats to be supported natively. The classic "zip-slip" makes an appearance (plus a patch bypass). The post then transitions to talking a bit about libarchive, such as its control flow, some interesting quirks, and what it means for the Windows attack surface. It takes a look at two bugs found by MORSE in the library, and then notes how the Microsoft patch was never actually back-ported to the libarchive source - leading to a patch gap which the team was able to demonstrate in a bug bounty.
  • Patch-Gapping the Google Container-Optimized OS for $0 - A behemoth of a post from @h0mbre_ and a must read for any Linux researchers out there. The post goes over a UAF that was found in /net/sched, which h0mbre PoC'd in an attempt to patch gap the COS 105 instance of kCTF. As mentioned, the post is extremely in-depth, starting out with reviewing the patch (which...has maybe the best commit message of all time (?)), and attempting to trigger the bug. In true VR/ExDev fashion, things immediately don't go to plan with the trigger - after a bit of troubleshooting, the culprit is a kernel config option. From there, we get into good ole exploit dev, which fills the remainder of the post and goes step by step through the process. Not only is the post extremely technical, but it does a great job documenting the ins-and-outs of what vuln research / exploit dev is actually like (rabbit holes, help from friends, finding random useful blog posts, etc).
  • Minimal LLM-based fuzz harness generator - LLMs and fuzzing - the hot new couple that everyone is talking about. This week, ADALogics put together a little blog post explaining how you can use an LLM and some program logic to quickly stand up a harness and get to work. The team notes that this probably won't help you compete with Google's OSS-Fuzz-gen, but is meant to serve as a primer. The methodology hinges on using Fuzz Introspector to determine an entry point's key features, and then converting that information into a prompt for an LLM to use. It's a pretty simple and straightforward method. Unfortunately, the post does not cover how to determine whether the subsequent crashes you find are in your harness or in the target codebase - you're on your own for that one.
  • First analysis of Apple's USB Restricted Mode bypass (CVE-2025-24200) - When iOS 18.3.1 dropped, it's safe to say that most VR forensic teams were having a bad day. The patch addressed a USB Restricted Mode bypass which was reported by Citizen Lab. In a recent blog post, Quarkslab took a look at the patch diff in Binja and decided to do a bit of root cause analysis. The post walks through the major changes, before shifting gears and approaching what is actually accessible from within USB Restricted Mode. The team does a bit of experimenting with Frida to confirm their suspicions about the entry point, before theorizing about how this might be triggered in real conditions.
  • Writing a Ghidra processor module - @jonas__rudloff spent some time blogging about his recent work creating a Ghidra processor module for the iRISC processors. The post builds off of some previous research he has done on iRISC, and the new entry starts with a high-level overview of some of the major takeaways and findings thus far. It then gets into a breakdown of Ghidra Sleigh, and how new architectures can be defined with some Sleigh code and some XML. It then goes through the process of writing this Sleigh code for iRISC in a step-by-step manner, iteratively improving it after each disassembly attempt.
  • Dropping a 0 day: Parallels Desktop Repack Root Privilege Escalation - To really get the context for this one, you should first check out a bug from last year detailed on Mykola's blog. We deliver the news to you though, so the tl;dr is a privesc on x86_64-based Macs through Parallels because updates are conducted with a SUID binary, which can be used to run an attacker-controlled script. Fast forward to today, and our good friend @patch1t was able to bypass the patch (something he is no stranger to) in two different ways. He reported these 7 months ago, but has seen no vendor action soooo free 0-days.
  • Mastering the Microsoft Azure Bounty Program - If you were unaware of the scope included in the Azure Bug Bounty program...wellll so were we. And at first, so was @vv474172261 before he realized that there are actually a handful of binary targets to focus on. In his recent blog post, he goes through his experience hacking on these targets and getting some cold hard cash from Microsoft. He poked specifically at NetX and NetX Duo, and the blog includes 4 bug patterns (and many variants) he found in the target before Microsoft listed it out-of-scope (lol). From there, he pivoted over to azure-uamqp-c, finding an OOB-write. The post ends with him finding...11 UAFs across a handful of projects by looking for a specific pattern. Microsoft finally listed all open-source libraries as out of scope.

Interesting Job Postings:

Wrapping Up...


As always, thanks for stopping by. We here at the club are always trying to improve so if you have comments, questions, or suggestions, feel free to shoot us an email - info@exploits.club.

Follow us on X - we occasionally Tweet poor attempts at memes

Don't forget to check out https://bug.directory!

Your second brain - strictly for bugs

We sell mugs, and personally we have seen a drastic uptick in bugs since using ours. Get yours on at https://shop.exploits.club.

Feel free to join the exploits.club Discord server here 👉 https://discord.gg/2dxN2Gtgpx

Same time next week? See you then 🏴‍☠️