exploits.club Weekly Newsletter 66 - Mitigations Galore, DirtyCOW Revisited, Program Analysis for UAFs, and More

We get a lot of questions about whether this is an AI-generated newsletter...you really think AI can make shitty jokes and typos like we can? Get outta here...annnnnnyways 👇
In Case You Missed It...
- CFPSec Update - You all should start using this bad boy...mostly so that we don't have to do all the leg work for you in future newsletters.
- The Exploit Development Lifecycle Keynote - We covered this keynote from @chompie1337 when the slides dropped last year, but the video is now available, so give it a watch!
- GhidraMCP - The MCP RE Vibe train keeps chugging. We covered the IDA and Binja versions, and @lauriewired has put together an MCP server for Ghidra. The holy trinity, completed.
Resources And Write-Ups From This Week:
- The Evolution of Dirty COW - Linux hackers rejoice - @u1f383 released two juicy blog posts last week detailing the "Evolution of Dirty Cow". Part 1 starts with an overview of the original bug, CVE-2016-5195, providing the technical background needed to understand the subsystem, the root cause of the vulnerability, and the patch. From there, part 2 takes a look at two well-known variants: Huge Dirty COW and SHM (Shared Memory) Dirty COW, walking through copy-on-write bugs and giving you all the relevant context needed to understand their root cause. As Pumpkin mentions, it's always useful to dig into classic bugs, and maybe it will inspire new thoughts for your future research projects.
- Code reuse in the age of kCET and HVCI - A tale as old as time - new mitigations drop, leading to new techniques. And Windows has really been trying to spoil the fun over the last few years with kernel-mode Intel CET (kCET) and Hypervisor-Protected Code Integrity (HVCI). Thankfully @slowerzs is here to bring back the fun, exploring an alternate way to execute a kernel payload. The new post walks through the methodology used to discover this technique - starting with some symbolic execution to identify interesting functions that dynamically determine instruction-pointer targets. From there, he targets __long_jump and discusses how he crafted a valid JOP chain. The post rounds out with the PoC and some conclusions on whether this technique is ultimately useful.
- What keeps kernel shadow stack effective against kernel exploits? - Keeping the ball rolling with the mitigation talk, @standa_t released a new post yesterday to discuss a bit more about how a kernel shadow stack works. The post starts with an overview of what a shadow stack is and its purpose, before getting into how user-mode and kernel-mode shadow stacks are kept "effective." The post points out that kernel-enforced shadow stacks alone cannot be effective and lists a few ways this approach could be bypassed by attackers. It then moves into describing the solution, supervisor shadow stack restrictions (SSSCheck), discussing how this improves the effectiveness of the mitigation and how it's implemented.
- MindshaRE: Using Binary Ninja API to Detect Potential Use-After-Free Vulnerabilities - Exploring the Binja API to identify UAFs? Yeah - sign us up. This post out of ZDI explores a new technique to use Binja's medium level IL and SSA form to build DFGs and identify use-after-frees via code analysis. The main concept here is to map memory allocations, memory loads, and deallocation in an effort to pinpoint potentially vulnerable code paths. After going through the theory, the post then moves on to test out the method on some previously identified CVEs, demonstrating how it works and can actually find bugs. It covers some gaps in the tooling as well, and includes a link to the full source-code should you want to play with it yourself!
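To make the "map allocations, loads and deallocations, then look for a use that can follow a free" idea concrete, here is an added example (written for this newsletter, not ZDI's tooling and not the Binary Ninja API). It runs a may-analysis over a constructed toy SSA-style IR instead of Binja's MLIL SSA form: each allocation becomes an abstract object, copies make variables alias that object, `free` marks the object freed, and a load or store through a pointer whose object may already be freed on some incoming path is reported. The instruction tuples, block names and the `SAMPLE_CFG` are all constructed for illustration.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Block:
    """One basic block of the constructed toy IR (stand-in for an MLIL SSA block)."""
    name: str
    instrs: list            # tuples: ("alloc", dst) | ("copy", dst, src) |
                            #         ("free", ptr) | ("load", ptr) | ("store", ptr)
    succs: list = field(default_factory=list)


def _join(a, b):
    """Lattice join: union points-to sets and freed sets (may-analysis)."""
    pt = {v: set(objs) for v, objs in a["pt"].items()}
    for v, objs in b["pt"].items():
        pt.setdefault(v, set()).update(objs)
    return {"pt": pt, "freed": set(a["freed"]) | set(b["freed"])}


def _same(a, b):
    return a["pt"] == b["pt"] and a["freed"] == b["freed"]


def _transfer(state, block, findings):
    """Walk one block, updating points-to/freed facts and recording suspicious uses."""
    pt = {v: set(objs) for v, objs in state["pt"].items()}
    freed = set(state["freed"])
    for idx, ins in enumerate(block.instrs):
        op, var = ins[0], ins[1]
        targets = pt.get(var, set())          # abstract objects var may point to
        if op == "alloc":
            # each allocation site names a fresh abstract object
            pt[var] = {f"obj@{block.name}:{idx}"}
        elif op == "copy":
            # SSA copy/phi: dst aliases whatever src may point to
            pt[var] = set(pt.get(ins[2], set()))
        elif op == "free":
            if targets & freed:
                findings.add((block.name, idx, var, "double-free"))
            freed |= targets
        elif op in ("load", "store"):
            if targets & freed:
                findings.add((block.name, idx, var, "use-after-free"))
    return {"pt": pt, "freed": freed}


def find_uaf(blocks, entry):
    """Forward worklist dataflow over the CFG until a fixpoint; returns sorted findings
    as (block, instruction index, variable, kind)."""
    by_name = {b.name: b for b in blocks}
    in_state = {b.name: {"pt": {}, "freed": set()} for b in blocks}
    findings = set()
    worklist = deque([entry])
    while worklist:
        name = worklist.popleft()
        out = _transfer(in_state[name], by_name[name], findings)
        for succ in by_name[name].succs:
            merged = _join(in_state[succ], out)
            if not _same(merged, in_state[succ]):
                in_state[succ] = merged
                worklist.append(succ)
    return sorted(findings)


# Constructed sample: p1/q1 alias one object; path A frees it (twice), path B does not,
# and the join block reads through the alias. r1 is a correctly handled allocation.
SAMPLE_CFG = [
    Block("entry", [("alloc", "p1"), ("copy", "q1", "p1"),
                    ("alloc", "r1"), ("load", "r1"), ("free", "r1")], ["A", "B"]),
    Block("A", [("free", "p1"), ("free", "q1")], ["join"]),
    Block("B", [("store", "p1")], ["join"]),
    Block("join", [("load", "q1")], []),
]


def demo():
    return find_uaf(SAMPLE_CFG, "entry")


if __name__ == "__main__":
    for block, idx, var, kind in demo():
        print(f"{kind}: {var} at {block}[{idx}]")
```

The safe `r1` sequence produces nothing, the second free in block A is reported as a double free, and the read of `q1` after the join is reported because the object it aliases is freed on the path through A. Like the post's approach this is deliberately path-insensitive at joins, so it trades false positives (the B path is fine) for not missing the A path; a real tool would add the infeasible-path pruning and interprocedural handling the post discusses as gaps.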
- XSS To RCE By Abusing Custom File Handlers - Kentico Xperience CMS - An XSS in an exploits.club newsletter feels criminal, but don't click away yet. Even author @chudyPB says he's not a fan but that this one is fun. And it is, we swear. Anyways, coming out of Watchtowr (because it wouldn't be a newsletter if they weren't included somehow) this new post discusses how they popped Kentico Xperience CMS. The CMS includes an endpoint for unauthenticated file uploads and a different endpoint for unauthenticated resource fetching, which leads to XSS. The XSS vulnerability can be exploited to perform actions on behalf of an authenticated administrator. This includes modifying settings to permit the upload of executable files (e.g., ASPX files), which can then be used to achieve RCE. A pretty fun chain!
Interesting Job Postings:
- Senior Vulnerability Researcher @ Booz Allen Hamilton (On-Site: Fort Meade, MD)
- Offensive Hardware Security Researcher @ NVIDIA (On-Site: Santa Clara, CA)
- Intermediate Vulnerability Research Engineer @ GitLab (Remote)
- Principal Security Researcher - Linux @ Huntress (Remote)
- Reverse Engineer, Threat Research Engineering, GovCloud (Remote) @ Crowdstrike (Remote)
Wrapping Up...
As always, thanks for stopping by. We here at the club are always trying to improve so if you have comments, questions, or suggestions, feel free to shoot us an email - info@exploits.club.
Follow us on X - we occasionally Tweet poor attempts at memes
Don't forget to check out https://bug.directory!

We sell mugs, and personally we have seen a drastic uptick in bugs since using ours. Get yours at https://shop.exploits.club.
Feel free to join the exploits.club Discord server here 👉 https://discord.gg/2dxN2Gtgpx
Same time next week? See you then 🏴☠️
