
exploits.club Weekly Newsletter 61 - Xbox 360 Hypervisor, Memory Safety Questions, RSync Bugs, and More


Welcome to another edition of "it's-4:30AM-in-the-airport-and-I-need-to-finish-this-before-my-flight-so-it-can-go-out-on-time". Annnnnnyways 👇

In Case You Missed It...

  • Off By One CFP - Get 'em in by April 2nd!
  • Announcing Pwn2Own Berlin - Name a better crossover episode than OffensiveCON and Pwn2Own...we will wait. Also, AI anyone?
  • SecTube - Last week, @Print3M_ put together a collection of security talks spanning a range of different categories including Binary Exploitation and RE. It's a great resource, be sure to give it a look!
  • Obsidian is now free for work - Local, powerful, pro-consumer and now free for work. Throw out your Notion databases. We are an opinionated newsletter, sue us.

Resources And Write-Ups From This Week:

  • Securing tomorrow's software: the need for memory safety standards - Google is back and yet again pushing for memory safety - this week calling for a "common framework for specifying and objectively assessing memory safety assurances". The post highlights many of the advancements made in the past several years (mitigations, new language adoption, traditional bug finding techniques, etc.), but notes that they have not stopped the influx of memory corruption bugs found in the wild. The team then suggests what the hopeful outcomes of a standardized framework would look like, and makes a public commitment to helping research and fund efforts within the area.
  • Hacking the Xbox 360 Hypervisor Part 1: System Overview - @Grimdoomer continues his run of great content, this week publishing part 1 of his work on the Xbox 360 hypervisor. This first part is focused primarily on necessary background and "setting the stage". It first takes a look at different aspects of the CPU and protected memory. The post then transitions to focus on the hypervisor specifically, reviewing its features and then deep diving on the one known bug - the 4548 system call handler bug. The post ends with some conclusions, and leaves us on an eager cliffhanger waiting for the new bug and PoC promised in part 2.
  • Uncovering Apple Vulnerabilities: diskarbitrationd and storagekitd Audit Part 3 - Kandji released the third and final installment of the series they have been running on bugs found in diskarbitrationd and storagekitd. In this most recent post, the team walks through a privesc logic bug that results from improper permission checks in storagekitd. Essentially, when using the diskutil command to mount/unmount a disk, a call to storagekitd is made, which then communicates with diskarbitrationd. storagekitd is unsandboxed and running as root, so diskarbitrationd gives it full access. Therefore, the permission checking needs to happen on the storagekitd side of the house...which it doesn't. The post then talks about exploitation, as well as Apple's initial shot at a patch...and then their second shot at a patch.
  • How GitHub uses CodeQL to secure GitHub - Looking to find more bugs in your research? Or maybe you play for the blue team and want to help make sure you are shipping secure code. This new post out of GitHub shows off how they choose to use CodeQL, and might spark some good ideas for your own workflows. The post mainly focuses on how they create custom query packs and custom queries with an emphasis on effectiveness, maintainability, and simplicity. It goes through the details of actually configuring a repository to use these query packs, and discusses how they choose what to actually write. It also discusses using the tool for variant analysis across multiple code bases based on previously reported bugs. It's a great primer if you are looking to add a new tool to the tool belt.
  • RSync: Heap Buffer Overflow, Info Leak, Server Leaks, Path Traversal and Safe links Bypass - A nice little two-bug-chain for RCE in Rsync. Oh, and then just three other bugs as well for good measure...obviously. This new write-up in the Google Security Research repo takes a look at a heap overflow checksum bug, resulting from some improper size checking. This, when combined with an info leak that stems from uninitialized stack contents, can lead to arbitrary code exec on a server running Rsync. As mentioned, the post also goes on to detail 3 additional bugs - an arbitrary file leak, arbitrary file write, and a safe-link bypass. The post ends with a link to the security advisory and corresponding patches.
  • Is this memory safety here in the room with us? - DistrictCon 2025 took place last week, and @halvarflake released his day 1 closing keynote slides for your enjoyment. The slides go over the 4000 foot view of what "memory safety" actually is, and then take a look at how it's usually achieved. They then take a look at the 5 flavors of memory safety (each with their own unique unicorn avatar) and discuss their approach, their pros/cons, and their traction. The presentation ends with some takeaways and some thoughts on where this leaves us and where the push for memory safety is taking us. It's a wonderful overview of where we are and what comes next.
  • The Best Security Is When We All Agree To Keep Everything Secret (Except The Secrets) - NAKIVO Backup & Replication (CVE-2024-48248) - Everyone's favorite ASM Labs Blog is back with an unauthenticated Arbitrary File Read vulnerability in NAKIVO's Backup and Replication solution. Watchtowr took to their site earlier this week to document the bug in traditional Watchtowr fashion - full of equal parts memes and technical details. It starts with an overview of the product as well as a bit about its tech stack. When they mentioned that it uses Spring Framework, we actually stopped reading - so the rest is on you, my dear reader. Jk... it walks through the relevant classes and web requests and then demonstrates how an oversight in the functionality intended for retrieving pictures allows for arbitrary file read. It then looks at ways to escalate this primitive to something "more scary", eventually figuring out how to dump all the stored credentials.

Interesting Job Postings:

Wrapping Up...

As always, thanks for stopping by. We will be at RE//verse this week - feel free to say hi!

We here at the club are always trying to improve so if you have comments, questions, or suggestions, feel free to shoot us an email - info@exploits.club.

Follow us on X - we occasionally Tweet poor attempts at memes

Don't forget to check out https://bug.directory!

Your second brain - strictly for bugs

We sell mugs, and personally we have seen a drastic uptick in bugs since using ours. Get yours on at https://shop.exploits.club.

Feel free to join the exploits.club Discord server here 👉 https://discord.gg/2dxN2Gtgpx

Same time next week? See you then 🏴‍☠️