exploits.club Weekly Newsletter 69 - Robot Dog Hacking, Null Writes, FastCGI Overflows, and More

Welcome everyone to what you have all been waiting for: exploits.club #69.
Yep...that's it. That's all we have to say about it. Annnnnyways
In Case You Missed It...
- Binja 5.0 Release - Firmware analysis updates, more iOS improvements, decompilation improvements, and more!
- Midnight Flag CTF 2025 Writeups - A collection of write-ups by @ptrYudai for the recent Midnight Flag CTF. Some cool challenges in here, so figured we would include them!
Resources And Write-Ups From This Week:
- The Jailbroken Unitree Robot Dog - Last week, DARKNAVY was hacking satellite terminals and this week they are going after robot dogs - this is starting to feel like the main character (or...villain) of a Neal Stephenson novel. In this new post, the team walks through their preliminary research of the G02 Robot Dog. The post starts by walking through the full attack surface (cloud, user app, "device", etc), making note of the data flow and various protocols in place such as WebRTC and DDS. From there, the team is able to root the dog by using a previous research technique (yes...it is actually called "PawRoot"). The post wraps up with a look at the bootloader, noting that previously SecureBoot was not enabled and they were able to dump the firmware by patching U-Boot. However, that misconfig has since been addressed in newer updates.
- Exploiting the Synology DiskStation with Null-byte Writes - Ret2 dropped a post this week detailing their research for Pwn2Own Ireland 2024 and the exploit they wrote for the Synology DiskStation DS1823xs+. The post starts with a brief enumeration of the attack surface, identifying the in-scope packages and identifying the replication service as an interesting target. From there, the post takes a look at the relevant binaries and identifies a pretty interesting primitive - an arbitrary null-byte write due to mishandling of an error condition. The post then demonstrates how this primitive can be combined with the program logic to break ASLR via 2 different oracles. Finally, it rounds out with using a similar technique to achieve RCE after obtaining the leak. It's a sick exploit of a pretty interesting primitive - definitely worth the read.
- Fire In The Hole, We're Breaching The Vault: Commvault Remote Code Execution (CVE-2025-34028) - Our friends at Watchtowr set their sights on Commvault this week, and generally when they do that...well, they don't miss. The new post walks through the way they were able to get RCE on the "Data Protection or Cyber Resilience solution". In typical fashion, the post is exceptionally detailed, walking through the high level features of the product, keying in on an interesting deployWebpackage.do endpoint, and identifying a very straightforward SSRF. From there, it was all about turning that into a successful exploit - which they were able to do by fetching a malicious zip file with a .jsp in it, using a path traversal to put it in a web accessible directory, and triggering RCE.
- CVE-2025-23016 - Exploiting the FastCGI library - From Watchtowr to Synacktiv...the two teams putting this newsletter on their back week-in and week-out. The French team put together a write-up on FastCGI this week, discussing its internals and walking through a vulnerability they found. The core issue was an integer overflow (on 32-bit systems) in ReadParams which can subsequently be used to trigger a controllable heap overflow. The post then turns to exploitation, identifying a good target structure with some function pointers, setting up the heap properly, and triggering the overflow.
- Modern Anti-Abuse Mechanisms in Competitive Video Games - We covered a bit of anti-cheat research the last couple of weeks, and thus we would be remiss if we did not mention @dustriorg's recent BlackHat talk, which is available on YouTube now. The talk encompasses not only actual cheats, but also toxic player behavior, and explains what counter-measures companies are taking to combat abuse in all forms. Our personal favorite section discusses some of the "exotic" measures game developers are putting in place (quicksand, handicaps, nonsense error messages)...basically just straight up trolling cheat developers.
- How MiraclePtr Crushed Two Sandbox Escapes - A new disclosure from SSD which walks through two Chrome UAFs. The actual descriptions/RCA for the UAFs are shorter than this summary, so take a peek at the page yourself for more context, but the big takeaway here is how MiraclePtr actually prevents these bugs from being exploitable. The second half of the post walks through what MiraclePtr is, how it works, and why it is effective against the two bugs described.
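The FastCGI item above describes a 32-bit integer overflow in a length computation that becomes a heap overflow. The following is an added example, not Synacktiv's code and not the FastCGI library's ReadParams: a hypothetical PARAMS name-value parser (the 1-byte/4-byte length encoding is FastCGI's documented wire format; the function names, the naive `name_len + value_len + 2` sizing formula and the sample payloads are constructed for illustration) showing how an unchecked sum wraps when lengths are 32-bit, next to the overflow-checked, payload-bounded version a defender would want in its place. Lengths are modelled as `uint32_t` so the wrap reproduces on a 64-bit host; `__builtin_add_overflow` needs GCC or Clang.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/*
 * Hypothetical FastCGI PARAMS parser (illustrative, not fcgi2's code).
 * Lengths are uint32_t to emulate a 32-bit size_t on any host.
 * FastCGI encodes each length as 1 byte (< 128) or 4 bytes big-endian
 * with the top bit of the first byte set as the "long form" flag.
 */
static int fcgi_read_len(const uint8_t *p, uint32_t avail, uint32_t *out, uint32_t *used) {
    if (avail < 1) return -1;
    if ((p[0] & 0x80) == 0) { *out = p[0]; *used = 1; return 0; }
    if (avail < 4) return -1;
    *out = ((uint32_t)(p[0] & 0x7f) << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
    *used = 4;
    return 0;
}

/* Naive sizing (constructed to show the bug class): unsigned 32-bit wrap.
 * 0x7fffffff + 0x7fffffff + 2 == 0, so a tiny buffer would be allocated
 * and the following copies of name_len/value_len bytes would overflow it. */
uint32_t naive_alloc_size(uint32_t name_len, uint32_t value_len) {
    return name_len + value_len + 2;   /* room for '=' and '\0' */
}

/* Hardened sizing: overflow-checked and bounded by the bytes actually present.
 * Returns 0 and writes *out on success, -1 on overflow or oversized lengths. */
int safe_alloc_size(uint32_t name_len, uint32_t value_len, uint32_t remaining, uint32_t *out) {
    uint32_t sum, total;
    if (__builtin_add_overflow(name_len, value_len, &sum)) return -1;
    if (sum > remaining) return -1;            /* declared lengths must fit the payload */
    if (__builtin_add_overflow(sum, 2u, &total)) return -1;
    *out = total;
    return 0;
}

/* Parse one NAME=VALUE pair from a PARAMS payload into out (NUL-terminated).
 * Returns bytes consumed, or -1 on malformed, oversized or wrapping input. */
long fcgi_parse_pair(const uint8_t *buf, uint32_t len, char *out, uint32_t out_cap) {
    uint32_t name_len, value_len, u1, u2, need;
    if (fcgi_read_len(buf, len, &name_len, &u1) < 0) return -1;
    if (fcgi_read_len(buf + u1, len - u1, &value_len, &u2) < 0) return -1;
    uint32_t hdr = u1 + u2;                    /* 2..8 bytes of length prefix */
    if (safe_alloc_size(name_len, value_len, len - hdr, &need) < 0) return -1;
    if (need > out_cap) return -1;             /* destination must hold the result */
    memcpy(out, buf + hdr, name_len);
    out[name_len] = '=';
    memcpy(out + name_len + 1, buf + hdr + name_len, value_len);
    out[name_len + 1 + value_len] = '\0';
    return (long)(hdr + name_len + value_len);
}

int main(void) {
    /* Constructed well-formed payload: "SCRIPT_NAME" (11 bytes) = "/index" (6 bytes). */
    const uint8_t rec[] = { 11, 6, 'S','C','R','I','P','T','_','N','A','M','E',
                            '/','i','n','d','e','x' };
    char out[64];
    long n = fcgi_parse_pair(rec, sizeof rec, out, sizeof out);
    printf("consumed=%ld pair=%s\n", n, out);

    /* Constructed hostile header: both lengths 0x7fffffff, one byte of payload. */
    const uint8_t bad[] = { 0xff,0xff,0xff,0xff, 0xff,0xff,0xff,0xff, 'x' };
    printf("naive size=%u (wrapped to zero)\n", naive_alloc_size(0x7fffffffu, 0x7fffffffu));
    printf("hardened parse=%ld (rejected)\n", fcgi_parse_pair(bad, sizeof bad, out, sizeof out));
    return 0;
}
```

The two checks in `safe_alloc_size` are independent: the overflow-checked addition stops the wrap, and the comparison against `remaining` stops a length that is honest about its arithmetic but still larger than the record it arrived in. Either one alone leaves a gap.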
Interesting Job Postings:
- Mobile & Browser Vuln Researchers @ Catalyst Security (Remote)
- Cyber Capability Research Engineer @ RTX (On-Site: Cambridge, MA)
- Security & Vulnerability Engineer @ Johns Hopkins Applied Physics Laboratory (On-Site: Laurel, MD)
- Founding Engineer - Security Researcher via Code Red Partners (Hybrid: New York, New York)
- Reverse Engineer @ Mission Technologies (On-Site: Fort Meade, MD)
- Staff Research Engineer - C/C++, Assembly, Reverse Eng @ Tenable (On-Site: Columbia, MD)
Wrapping Up...
As always, thanks for stopping by. We here at the club are always trying to improve so if you have comments, questions, or suggestions, feel free to shoot us an email - info@exploits.club.
Follow us on X - we occasionally Tweet poor attempts at memes
Don't forget to check out https://bug.directory!

We sell mugs, and personally we have seen a drastic uptick in bugs since using ours. Get yours on at https://shop.exploits.club.
Feel free to join the exploits.club Discord server here: https://discord.gg/2dxN2Gtgpx
Same time next week? See you then!
