exploits.club Weekly Newsletter 70 - AirPlay 0Days, Hardware Wallet Hacking, 2024 ITW Review, And More

If ChatGPT has been going too easy on your VR ideas, here's a quick way to make sure you get your ego checked. Annnnnnnyways 👇

In Case You Missed It...

Resources And Write-Ups From This Week:

  • Wormable Zero-Click Remote Code Execution (RCE) in AirPlay Protocol Puts Apple & IoT Devices at Risk - Well, let's not bury the lede...A pretty heavy hitter popped up earlier this week. The team over at Oligo dropped an Apple AirPlay zero-click RCE...yeah. Not only that, but they also demonstrated how it could be wormable as well, allowing the attack to spread from device to device. How is this possible, you ask? Well, the team found multiple auth bypasses, a handful of memory corruption vulns, and some logic bugs for good measure. Depending on the target (macOS, CarPlay, AirPlay SDK, etc.), these bugs can be chained for full remote compromise. For example, on macOS, a user interaction bypass can be chained with a UAF, and all of a sudden, you've got yourself a new Mac....nice.
  • If the Person Who Finds a Web3 Hardware Wallet is a Hacker - DARKNAVY continues to drop good post after good post, this week demonstrating their recent research on crypto hardware wallets. Similar to their previous blog posts we have covered, this write-up starts with a bit of attack surface enumeration, looking at the 3 key areas: USB, NFC, and Bluetooth. For USB, they use the Cypherock X1 as a case study, showing how to actually communicate with the device and alluding to a vulnerability when parsing and handling external request data. For NFC, the team turns their attention to the Tangem wallet, explaining how the card communicates with a reader and identifying a potential PIN brute-force attack that may have existed in older versions of the firmware.
  • Hello 0-Days, My Old Friend: A 2024 Zero-Day Exploitation Analysis - Google's Threat Intel team took to their blog earlier to drop their yearly 0-day round-up for 2024. Per usual, the report breaks down the 75 0-days identified ITW, summarizing key findings, trends, and predictions for 2025. Readers of this blog will be less-than-shocked to hear about the uptick in targeting of "security and networking" products...coughEnterprise VPNscough. In terms of numbers, there was a pretty even split this year, with 33 vulns going after enterprise tech (trending upward from 2023), while the other 42 targeted end-user platforms (trending downward...maybe because finding a system call is a lot easier than chaining 18 bugs together...just a thought). In terms of everyone's favorite topic, attribution, the team noted that ~30% of the attacks seemed to be state-sponsored espionage, while another 23% originated from commercial surveillance vendors. The post concludes with a case study of some actual bugs targeting WebKit and Firefox.
  • Introducing AutoPatchBench: A Benchmark for AI-Powered Security Fixes - What's the worst part of fuzzing? Say it with me now...crash triage. Especially on the off chance that you just slapped a harness on something and did very little work up-front to understand the target...which we would never do, but, like, hypothetically. Anyways, Meta released a post on their engineering blog earlier this week discussing AutoPatchBench, an internal project to benchmark patches for bugs discovered through fuzzing. The post walks through the crux of where LLMs could be useful in the triage process, and then introduces the tool. AutoPatchBench is a dataset of 136 samples that can be used to benchmark your auto-patching solution. The post discusses how it might be implemented, and then demonstrates a case study from some of Meta's internal work.
  • Overview of Map Exploitation in v8 - @Nyaaaaa_ovo took to his blog this week to analyze a handful of map-related bugs in V8. The post starts with an overview of maps, explaining what a map is and how V8 handles it under the hood. From there, the post covers 7 different bugs which are all related. For 5 of the 7 bugs, a full RCA is performed, specifically demonstrating how maps played a role and discussing the resulting bug. If you are looking to get spun up on V8 internals and are interested in maps, this is a great spot to get started.
  • Attacker Control and Bug Prioritization - Taint analysis meets bug prioritization in this newly released paper. 2 researchers from Université Paris-Saclay released their research on formalizing attacker-controlled data to better contextualize the exploitability, and thus the severity, of bugs. The basis for this measurement is something they call the domain of control (DoC), and the framework helps to measure the DoC across different variables and function calls. The algorithm was implemented in a new open-source dynamic binary analysis tool named Colorstreams.
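To make the "domain of control" idea concrete, here is an added toy illustration (our own, not code from the paper or from Colorstreams): a fully controlled 8-bit input is pushed through a few operations of a hypothetical C fragment, and the set of values each derived variable can still reach is taken as a crude stand-in for its DoC, which is then used to rank the variables for triage.

```python
from typing import Callable, Dict, List, Set

# Constructed assumption: the attacker fully controls one input byte.
ATTACKER_INPUT: Set[int] = set(range(256))


def propagate(domain: Set[int], op: Callable[[int], int]) -> Set[int]:
    """Apply op to every attacker-reachable value; the result is the
    derived variable's reachable set (its toy "domain of control")."""
    return {op(v) & 0xFFFFFFFF for v in domain}


def domains_for_sample_program(inp: Set[int] = ATTACKER_INPUT) -> Dict[str, Set[int]]:
    """Mirror of a hypothetical C fragment (assumed, not from the paper):
         idx  = in & 0x0F;      // masked: attacker picks one of 16 slots
         len  = in + 0x20;      // offset: still 256 distinct lengths
         flag = (in == 0x41);   // compared: only two outcomes
         size = len * 4;        // scaled: 256 values, all multiples of 4
    """
    d: Dict[str, Set[int]] = {}
    d["idx"] = propagate(inp, lambda v: v & 0x0F)
    d["len"] = propagate(inp, lambda v: v + 0x20)
    d["flag"] = propagate(inp, lambda v: int(v == 0x41))
    d["size"] = propagate(d["len"], lambda v: v * 4)
    return d


def doc_size(domain: Set[int]) -> int:
    """Number of distinct values the attacker can force; bigger = more control."""
    return len(domain)


def can_reach(domain: Set[int], target: int) -> bool:
    """Can the attacker drive this variable to a specific value (e.g. a bad length)?"""
    return target in domain


def prioritize(domains: Dict[str, Set[int]]) -> List[str]:
    """Rank variables by how much control the attacker retains at that point,
    most controlled first; ties broken by name for determinism."""
    return sorted(domains, key=lambda name: (-doc_size(domains[name]), name))
```

Note that `size` keeps 256 reachable values, yet none of them is odd, so a sink that is only dangerous for odd sizes is out of the attacker's reach even though raw DoC size looks identical to `len`.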

Interesting Job Postings:

Wrapping Up...

As always, thanks for stopping by. We here at the club are always trying to improve so if you have comments, questions, or suggestions, feel free to shoot us an email - info@exploits.club.

Follow us on X - we occasionally Tweet poor attempts at memes

Don't forget to check out https://bug.directory!

Your second brain - strictly for bugs

We sell mugs, and personally we have seen a drastic uptick in bugs since using ours. Get yours on at https://shop.exploits.club.

Feel free to join the exploits.club Discord server here 👉 https://discord.gg/2dxN2Gtgpx

Same time next week? See you then 🏴‍☠️