
exploits.club Weekly Newsletter 68 - PAC bypasses, Anti-Cheat Hooks, StarLink Terminal Firmware Dumps, And More

What do CVEs, tariffs, and Jesus Christ all have in common this week?

They keep dying and coming back to life.
Came up with that one ourself - took us an extra day to work it out though, which is why we are a bit tardy. Happy Easter to those who celebrate!

Annnnnyways 👇

In Case You Missed It...

Resources And Write-Ups From This Week:

  • MCTF 2025 - Write-up Sec Mem - Pwn - A CTF challenge that involves bypassing PAC in the Linux kernel? Yeah, sign us up. This new post from @0xItarow walks through the recent CTF challenge they wrote and discusses its intended solve. The priv-esc challenge includes a vulnerable kernel driver that gives players an arbitrary read and a partial overwrite primitive. The partial overwrite could be used to hijack control flow, if PAC weren't enabled. The post then takes a quick detour into how PAC works in the Linux kernel before coming back to the challenge at hand. Using the arbitrary read, you are able to find your task_struct, leak the PAC A key, and use it to sign your own pointer. After that, it's business as usual.
  • SSD Advisory – extract() double-free(5.X)/use-after-free(7.X/8.X) - New disclosure out of SSD this week for a double-free / UAF style bug in PHP. Specifically, PHP's extract() function, which is used to "import variables in the current symbol table from an array". While the bug is slightly different across versions, the core vulnerable code pattern exists in 5.x, 7.x, and 8.x. "Why not 6.x?" I hear you ask. Because PHP... that's why. Anyways, the post moves on to exploitation, turning the vuln into an arbitrary read / write and providing full exploit code.
  • Inside Riot Vanguard's Dispatch Table Hooks - We are suckers for a good anti-cheat write-up, and thankfully @Archie_1997 came through for us this week. In this new post, they cover some of the various hooks that Riot's Vanguard puts into place. Spurred by some reading on "Guarded Regions", the research first takes a look at the SwapContext hook before moving on to the system call hooks. Building on the research in Aidan Khoury and Daax's article, Archie is then able to give a full list of system calls hooked by the anti-cheat.
  • iOS 18.4 - dlsym considered harmful - This EC is PAC'ed full of PAC fun... sorry. Anyways, Synacktiv put together a fun post about triaging a strange bug they found while assessing an iOS application that used dynamic symbol resolution via dlopen and dlsym. The crux of the bug is that for some specific functions, the returned pointer seemed to be incorrectly signed, resulting in a crash. The post then perfectly encapsulates the bug-triaging process from there, where every subsequent experiment ends with significantly more questions and no real answer. As they venture into the internals, they slowly uncover that if a symbol has a certain flag set, dyld has a logic issue and is missing key instructions like XPACI.
  • A First Glimpse of the Starlink User Terminal - DARKNAVY took to their blog this week to do a quick teardown of the Starlink User Terminal. The post starts with an overview of the hardware components before removing the eMMC, dumping the unencrypted firmware contents, and briefly venturing through the contents to get a basic lay of the land. From there, it turns to emulation. The team was able to build an emulation environment with QEMU and use it for debugging. They also stumble across some SSH keys present when the device determines it's a user terminal, which leads them to theorize... is Elon watching you? It's a fun post, and we hope the debug and dynamic environments yield some cool findings to share down the line.
  • Kernel-Hack-Drill: Environment For Developing Linux Kernel Exploits - Everyone knows that 99% of vuln research is figuring out how to get your target up and running, ideally with a good debug setup. Well, this new post from @a13xp0p0v should help all you Linux hackers out, especially if you have been seeing cool techniques flying around on X and are feeling a bit left out. The Zer0con presentation walks through CVE-2024-50264 in depth, providing a root-cause analysis and discussing potential exploit strategies. It then introduces a new project Alexander has been working on, kernel-hack-drill, a "playground for Linux kernel exploitation experiments". The repo is intended to give you a kernel module to practice certain primitives with and to provide examples of the latest techniques. And you know it works, because he used this project to brainstorm and develop his exploit for CVE-2024-50264.
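Two of this week's items (the Sec Mem challenge and the dlsym bug) hinge on the same property of pointer authentication: a signed pointer whose low bytes are partially overwritten fails authentication, but anyone holding the key can produce a valid signature for any address. The toy model below is our own added illustration, not code from either write-up; the key, modifier, PAC width and HMAC-SHA256 stand-in for the real QARMA cipher are all constructed assumptions, and it exists to show defenders why the secrecy of the per-task keys, not the signing itself, is what the mitigation rests on.

```python
import hashlib
import hmac
from typing import Optional

# Toy model of ARM pointer authentication (PAC). Constants are assumptions.
VA_BITS = 48                  # low bits that carry the address
PAC_BITS = 16                 # top bits that carry the signature (toy width)
ADDR_MASK = (1 << VA_BITS) - 1
KEY_A = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed key


def compute_pac(ptr: int, modifier: int, key: bytes) -> int:
    """Tag over (address, modifier) under the key. Hardware uses QARMA;
    HMAC-SHA256 truncated to PAC_BITS stands in for it here."""
    msg = (ptr & ADDR_MASK).to_bytes(8, "little") + modifier.to_bytes(8, "little")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:2], "little") & ((1 << PAC_BITS) - 1)


def sign(ptr: int, modifier: int, key: bytes) -> int:
    """PACIA-like: store the tag in the unused top bits of the pointer."""
    return (ptr & ADDR_MASK) | (compute_pac(ptr, modifier, key) << VA_BITS)


def authenticate(signed: int, modifier: int, key: bytes) -> Optional[int]:
    """AUTIA-like: return the plain pointer when the tag matches, else None
    (hardware instead yields a poisoned, non-canonical pointer that faults)."""
    addr = signed & ADDR_MASK
    if (signed >> VA_BITS) == compute_pac(addr, modifier, key):
        return addr
    return None


def partial_overwrite(signed: int, low_bytes: int, nbytes: int) -> int:
    """Overwrite the low nbytes of a signed pointer, keeping the old tag."""
    mask = (1 << (8 * nbytes)) - 1
    return (signed & ~mask) | (low_bytes & mask)


def demo() -> tuple:
    """Returns (partial_overwrite_rejected, forged_with_leaked_key_accepted)."""
    modifier = 0x1234                      # constructed context value
    legit = sign(0x555510203040, modifier, KEY_A)
    hijacked = partial_overwrite(legit, 0xDEADBEEF, 4)   # no key needed
    rejected = authenticate(hijacked, modifier, KEY_A) is None
    # With KEY_A known to the attacker, a chosen target can be signed.
    forged = sign(0x5555DEADBEEF, modifier, KEY_A)
    accepted = authenticate(forged, modifier, KEY_A) == 0x5555DEADBEEF
    return rejected, accepted
```

The first result is why the partial overwrite alone goes nowhere on a PAC-enabled kernel; the second is why an arbitrary read that reaches the keys in task_struct turns it back into plain control-flow hijack.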

Interesting Job Postings:

Wrapping Up...

As always, thanks for stopping by. We here at the club are always trying to improve so if you have comments, questions, or suggestions, feel free to shoot us an email - info@exploits.club.

Follow us on X - we occasionally Tweet poor attempts at memes

Don't forget to check out https://bug.directory!

Your second brain - strictly for bugs

We sell mugs, and personally we have seen a drastic uptick in bugs since using ours. Get yours at https://shop.exploits.club.

Feel free to join the exploits.club Discord server here 👉 https://discord.gg/2dxN2Gtgpx

Same time next week? See you then 🏴‍☠️