exploits.club Weekly Newsletter 65 - NSO Exploit Recreation, Reversing Network Protocols, Hacking Smart Scales, and More

We've officially subbed out "Crypto Bros and NFT Profile Pics" for "Vibe coders and Walmart Studio Ghibli Art." And if you don't know what any of that means... let us know what touching grass feels like. Annnnnnyways
In Case You Missed It...
- Google Chrome Targeted 0Day ITW - Not too much info on this one yet, but Kaspersky broke the news earlier this week. Looking forward to the full write-up coming soon!
- RE with Claude - We made fun of Vibe Coders, but...could be all in on Vibe RE.
- A maintainer's guide to vulnerability disclosure - GitHub (and by extension Microsoft) wants you to stay in their ecosystem. That's no secret, but if you run an OSS project and are looking for a good way to set up disclosures, this isn't a bad way to get started.
- Burp Through The Ages - A little FBF action for your Thursday.
Resources And Write-Ups From This Week:
- Blasting Past Webp - It's been a year and a half since the WebP 0-day craze (yes, you read that right - you're old) and this week, Project Zero came through with an analysis of NSO's full chain discovered in the wild. It's way too long to properly outline here, but the highlights include: a quick outline of some previous work on the core vulnerability, an analysis of the actual PKPass delivered as part of the exploit, identification of two files within the pass with misleading extensions, additional information embedded into the WebP file via a plist for the heap groom, some fake objects in a TIFF file, and finally some thoughts on caveats related to ASLR and PAC. This post builds on Ian's 2024 OffensiveCon talk, which is equally worth the watch if the topic is of interest.
- How To Find Fully Remote Bugs With Reverse Engineering - Sticking with the P0 theme, Natalie Silvanovich gave a keynote at RE//verse this month which is now available on YouTube. The talk centers around her work assessing Google Messages on Samsung devices, and digs into the various 0-click attack surfaces which she assessed for potential viability. The talk is packed full of methodology goodies as well as useful insights for any Android fans out there. It ends with a bug she found in an audio decoder, which is triggered automatically during transcription of voice memo messages. We actually covered this bug when it was first released in this advisory.
- Pwning Millions of Smart Weighing Machines with API and Hardware Hacking - They always told us in school to make sure the reader was hooked right before the thesis. Clearly @spaceraccoonsec was paying attention, because once he hit us with "I was able to take over millions of internet-connected health devices", there was no going back. The post revolves around the fact that there are a lot of internet-connected scales (yeah... for weighing yourself) that all use the same OEM and libraries. While reversing the Android app, he found a handful of juicy endpoints, many of which suffered from SQLi. Then he turned to the device itself, connected to some debug pins, and got a basic shell which helped to work out the user authentication flow from the hardware's point of view. He noticed a potential slip-up in the server-side validation logic, and was able to leverage it into device takeover for any device ID (up to a million of them (!!!)). Pretty sweet.
- Land ahoy: leaving the Sea of Nodes - Some of you weirdos like posts about V8 internals. Which means that today is your lucky day, as the V8 dev blog returned to discuss their shift away from Sea of Nodes in TurboFan. If you aren't familiar with Sea of Nodes, don't worry - the post gives a nice intro into the concept and discusses why the team initially chose to use it when ditching Crankshaft and writing TurboFan from scratch. After beautifully outlining the concepts that have been refined for the last 10 years, the post then turns to why they are more of a headache than a benefit. It details things like cache unfriendliness, difficult visual representation, a complex scheduler, and many... many more. As a result, the team is moving back to a more traditional CFG IR.
- CimFS: Crashing in memory, Finding SYSTEM (Kernel Edition) - STAR Labs is featured for the 2nd time in two weeks - this time, they are detailing their (attempted) path to a Windows LPE at Pwn2Own 2024. The post starts with a high-level overview of cimfs.sys, which handles the CIM file format. This file format allows another file system to be mounted and read via the Win32 API. And while this feature was intended for privileged use only, a little slip-up allowed for a nice auth bypass so that unprivileged users could use it. From there, the post pivots into fuzzing methodology - identifying the juicy parser logic and putting together a fuzzer to target it. With 7 new bugs in hand, the post takes a look at triaging and exploiting an OOB read. And while the bug itself was patched before P2O, we are still quite lucky to get a nice write-up from it!
- Reversing unknown file download protocol - As many of you know, we are suckers for a good YouTube video. @gynvael came through this week with a new upload about reversing unknown protocols. The tutorial walks through how you can analyze Wireshark traffic and re-implement its logic in Python in order to interact with the corresponding server. It picks out a CTF example and shows you how to do it in real time, and is great for those who are looking to brush up on their protocol analysis and reversing skills. If you enjoy it, he also links out to his upcoming training on the same topic!
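The workflow described in that last item (frame out the wire format from a capture, write a parser for it, then re-implement the client side) is easier to picture with code in front of you. The block below is an added example written for this newsletter, not code from gynvael's video or his CTF; the file-download protocol it speaks (the `FD` magic, the REQ/DATA/DONE/ERR frame types, the length-prefixed framing, the `FILES` table and the `CAPTURE` bytes) is entirely constructed. It shows the two halves of the job: `parse_frames`/`reassemble` work on a raw byte stream such as a Wireshark "Follow TCP Stream" export, handling out-of-order chunks and a capture that was cut mid-transfer, and `download` is the re-implemented client, exercised offline against a stand-in server over a socketpair.

```python
"""Re-implementing a file-download protocol worked out from a capture.
Wire format (constructed for this example, not gynvael's CTF protocol):
  frame := b"FD" | type(1) | length(4, BE) | payload
  REQ  0x01: filename      DATA 0x02: seq(2, BE) | chunk
  DONE 0x03: crc32(file)   ERR  0x7f: error text
"""
import socket, struct, threading, zlib

MAGIC = b"FD"
HDR = struct.Struct(">2sBI")  # magic, type, payload length
REQ, DATA, DONE, ERR = 0x01, 0x02, 0x03, 0x7F


def build_frame(ftype, payload):
    return HDR.pack(MAGIC, ftype, len(payload)) + payload


def parse_frames(stream):
    """Split a raw TCP stream (Wireshark 'Follow TCP Stream' export) into
    (type, payload) tuples; a truncated trailing frame is dropped, not mis-parsed."""
    frames, off = [], 0
    while off + HDR.size <= len(stream):
        magic, ftype, length = HDR.unpack_from(stream, off)
        if magic != MAGIC:
            raise ValueError(f"bad magic at offset {off}: {magic!r}")
        start = off + HDR.size
        if start + length > len(stream):
            break  # capture ends mid-frame
        frames.append((ftype, stream[start:start + length]))
        off = start + length
    return frames


def reassemble(frames):
    """Rebuild the file from DATA frames (ordered by seq) and check the DONE crc."""
    chunks, expected_crc = {}, None
    for ftype, payload in frames:
        if ftype == DATA:
            chunks[struct.unpack_from(">H", payload)[0]] = payload[2:]
        elif ftype == DONE:
            expected_crc = struct.unpack(">I", payload)[0]
        elif ftype == ERR:
            raise RuntimeError("server error: " + payload.decode(errors="replace"))
    if expected_crc is None:
        raise ValueError("transfer incomplete: no DONE frame")
    if sorted(chunks) != list(range(len(chunks))):
        raise ValueError("missing DATA sequence numbers")
    data = b"".join(chunks[i] for i in range(len(chunks)))
    if zlib.crc32(data) != expected_crc:
        raise ValueError("crc mismatch")
    return data


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        part = sock.recv(n - len(buf))
        if not part:
            raise ConnectionError("peer closed mid-frame")
        buf += part
    return buf


def recv_frame(sock):
    magic, ftype, length = HDR.unpack(recv_exact(sock, HDR.size))
    if magic != MAGIC:
        raise ValueError("bad magic on socket")
    return ftype, recv_exact(sock, length)


def download(sock, name):
    """Client side: send REQ, collect frames until DONE or ERR, then reassemble."""
    sock.sendall(build_frame(REQ, name.encode()))
    frames = []
    while True:
        frames.append(recv_frame(sock))
        if frames[-1][0] in (DONE, ERR):
            return reassemble(frames)


FILES = {"flag.txt": b"flag{constructed_example_file}"}  # constructed server content


def serve_one(sock, chunk=8):
    """Stand-in server speaking the same protocol, so the client runs offline."""
    ftype, payload = recv_frame(sock)
    data = FILES.get(payload.decode(errors="replace")) if ftype == REQ else None
    if data is None:
        sock.sendall(build_frame(ERR, b"no such file"))
        return
    for seq, i in enumerate(range(0, len(data), chunk)):
        sock.sendall(build_frame(DATA, struct.pack(">H", seq) + data[i:i + chunk]))
    sock.sendall(build_frame(DONE, struct.pack(">I", zlib.crc32(data))))


def run_local_download(name="flag.txt"):
    client, server = socket.socketpair()
    t = threading.Thread(target=serve_one, args=(server,))
    t.start()
    try:
        return download(client, name)
    finally:
        client.close(); t.join(); server.close()


# Constructed capture: DATA frames arrive out of order; the seq field resolves that.
CAPTURE = (build_frame(DATA, b"\x00\x01world")
           + build_frame(DATA, b"\x00\x00hello ")
           + build_frame(DONE, struct.pack(">I", zlib.crc32(b"hello world"))))

if __name__ == "__main__":
    print(reassemble(parse_frames(CAPTURE)), run_local_download())
```

The parser and the live client share `HDR` and the frame constants on purpose: once the framing has been pinned down from the capture, the same definition drives both the offline analysis and the interactive re-implementation, so a mistake in the format shows up in the replay before you ever talk to the real server.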
Interesting Job Postings:
- Senior Security Researcher @ Crystal Peak Security (Remote)
- Senior Software Engineer, V8 Bug Detection @ Google (On-Site: Warsaw, Poland)
- Offensive Android Security @ Samsung Research America (On-Site: Mountain View, CA)
- Principal Vulnerability Researcher @ Two Six Technologies (On-Site: Arlington, VA)
- Security Researcher @ Cisco Talos (On-Site: Baltimore, MD)
Wrapping Up...
As always, thanks for stopping by. We here at the club are always trying to improve so if you have comments, questions, or suggestions, feel free to shoot us an email - info@exploits.club.
Follow us on X - we occasionally Tweet poor attempts at memes
Don't forget to check out https://bug.directory!

We sell mugs, and personally we have seen a drastic uptick in bugs since using ours. Get yours on at https://shop.exploits.club.
Feel free to join the exploits.club Discord server here: https://discord.gg/2dxN2Gtgpx
Same time next week? See you then!
