exploits.club Weekly Newsletter 71 - Lots Of Linux, MacOS OOB Writes, Enterprise Pre-Auth RCEs, and More

It's a beautiful day to break your laptop at the hinge... I mean, find a bug. Annnnnnnyways 👇

In Case You Missed It...

Resources And Write-Ups From This Week:

  • CVE-2024-44236: Remote Code Execution vulnerability in Apple macOS - ZDI took to their blog this week to talk about a recent OOB write on macOS (CVE-2024-44236). The bug affects the Scriptable Image Processing System (sips) and stems from missing validation when processing an ICC profile file. The post includes a full RCA, walking through the relevant code and highlighting how the missing check leads to the invalid memory access. It also has a bit of detection guidance, keying in on the ways an ICC profile file might be transferred to a vulnerable device.
  • Two Bytes Of Madness: Pwning the Linux Kernel with A 0x0000 Written 262636 Bytes Out-Of-Bounds - The title of this one is enough to just make you scratch your head a bit. Maybe exploit dev isn't actually the career field for you if some people are turning fixed-size, null-byte OOB writes into full-blown privescs. The bug in question here was in the Linux network packet scheduler, and the full write-up covers all the juicy details, starting with which packets need to be sent to trigger the unique underflow condition that leads to the OOB write. The majority of the post, though, focuses on the details we know you are most interested in: how is this possible to exploit? Well, the team was able to use it to corrupt pipe->files, free the pipe, cause a UAF, and get arbitrary R/W...obviously. Maybe I'll just become a webdev instead.
  • kASLR Internals and Evolution - Interested in the history of kASLR on Windows? Well, @r0keb has got just the post for you, released on his blog earlier this week. The post serves as an overview of kASLR's internals and its development across Windows releases. More than that, though, it talks about interesting ways that previous versions could be bypassed. Specifically, it outlines a list of information classes that could be passed to NtQuerySystemInformation to get back a kernel-mode (KM) address on Windows 10. It takes a look at the internals of this function, detailing why it was such a reliable bypass, and explains how the technique was ultimately restricted in 24H2 (well...depending on whether you think Admin-to-Kernel is a security boundary).
  • Kernel Exploitation Techniques: Turning The (Page) Tables - A new post from Linux kernel hacker @sam4k1 in which he talks about targeting page tables to gain read/write primitives. The blog starts with an overview of page tables and how they work on Linux. It then transitions into the good stuff...exploitation. After an explanation of how user page table allocation actually works, we turn our attention to page table corruption, understanding various different primitives and how they can be escalated through techniques like Dirty Pagetables or PageJack. Finally, the post discusses what happens when you actually have control of a page table...what do you do? Well thankfully that question is answered through a handful of different approaches, before rounding off with a note about something that keeps exploit devs up at night...caching.
  • SysOwned, Your Friendly Support Ticket: SysAid On-Premise Pre-Auth RCE Chain (CVE-2025-2775 And Friends) - Another week, another watchTowr post...like clockwork at this point. This week, the team took a look at SysAid's on-premise IT Service Management (ITSM) platform and identified 4 bugs. In typical watchTowr fashion, the post walks through all the findings in detail, outlining the background and the interesting attack surface before diving into the findings themselves. 3 of the findings are pre-auth XXEs, each in a different endpoint. From there, they escalate to a full admin takeover and on to a post-auth command injection, completing the pre-auth RCE chain. The disclosure timeline, included at the end, is a fun read as well....reminiscent of @b1ack0wl's post.
  • External fuzzing of USB drivers with syzkaller - @andreyknvl shared slides from his recent talk at SAFACon, where he demonstrated how to rediscover CVE-2024-53104 by fuzzing USB drivers with syzkaller. The slides include some great diagrams giving an overview of the Linux USB stack and its communication flow. The deck then presents the challenges of fuzzing this subsystem, and shows how syzkaller can be adapted to make it serviceable. From there, it focuses on CVE-2024-53104, giving an overview of the vulnerability before transitioning to how it could be rediscovered with some custom syscall descriptions.
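The sips item above comes down to a parser trusting offsets and sizes it read out of the ICC profile. As an added example (this is not ZDI's code, not Apple's sips, and not the specific missing check from the advisory), here is a minimal ICC tag-table walker that validates every file-controlled range before anything indexes the buffer with it; the sample profile it builds is constructed for the demo and is not a real colour profile.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ICC_HEADER_LEN    128u  /* fixed header; the tag count sits at offset 128 */
#define ICC_TAG_ENTRY_LEN  12u  /* signature, offset, size: big-endian u32 each  */

/* Return codes of icc_validate_tags(). */
enum icc_status {
    ICC_OK            =  0,
    ICC_ERR_SHORT     = -1,  /* too small for header + tag count               */
    ICC_ERR_SIGNATURE = -2,  /* bytes 36..39 must read "acsp"                  */
    ICC_ERR_TAG_TABLE = -3,  /* tag table itself runs past the end             */
    ICC_ERR_TAG_RANGE = -4   /* a tag's [offset, offset+size) leaves the buffer */
};

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static void put_be32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Walk the tag table, checking every file-controlled offset/size against the
 * real buffer length. The unchecked pattern that yields an OOB access is using
 * `buf + off` and `size` straight from the file. Arithmetic is done in 64 bits
 * so a 32-bit offset+size cannot wrap around the comparison. */
int icc_validate_tags(const uint8_t *buf, size_t len, uint32_t *ntags_out) {
    if (len < ICC_HEADER_LEN + 4)
        return ICC_ERR_SHORT;
    if (memcmp(buf + 36, "acsp", 4) != 0)
        return ICC_ERR_SIGNATURE;

    uint32_t ntags = be32(buf + ICC_HEADER_LEN);
    uint64_t table_end = (uint64_t)ICC_HEADER_LEN + 4 +
                         (uint64_t)ntags * ICC_TAG_ENTRY_LEN;
    if (table_end > len)            /* a huge count alone would walk OOB */
        return ICC_ERR_TAG_TABLE;

    for (uint32_t i = 0; i < ntags; i++) {
        const uint8_t *e = buf + ICC_HEADER_LEN + 4 + (size_t)i * ICC_TAG_ENTRY_LEN;
        uint64_t off  = be32(e + 4);
        uint64_t size = be32(e + 8);
        if (off < ICC_HEADER_LEN || off + size > len)   /* must not touch the header or overrun */
            return ICC_ERR_TAG_RANGE;
    }
    if (ntags_out)
        *ntags_out = ntags;
    return ICC_OK;
}

/* Constructed sample (not a real colour profile): header, one "desc" tag whose
 * 16 data bytes follow the tag table. tag_off/tag_size are parameters so a
 * caller can plant out-of-range values. Returns the profile length (160). */
size_t icc_build_sample(uint8_t *out, size_t cap, uint32_t tag_off, uint32_t tag_size) {
    const size_t total = ICC_HEADER_LEN + 4 + ICC_TAG_ENTRY_LEN + 16;
    if (cap < total)
        return 0;
    memset(out, 0, total);
    put_be32(out, (uint32_t)total);               /* header: profile size   */
    memcpy(out + 36, "acsp", 4);                  /* header: file signature */
    put_be32(out + ICC_HEADER_LEN, 1);            /* tag count              */
    memcpy(out + ICC_HEADER_LEN + 4, "desc", 4);  /* tag signature          */
    put_be32(out + ICC_HEADER_LEN + 8, tag_off);
    put_be32(out + ICC_HEADER_LEN + 12, tag_size);
    return total;
}

int main(void) {
    uint8_t buf[256];
    uint32_t n = 0;
    size_t len = icc_build_sample(buf, sizeof buf, 144, 16);
    printf("well-formed: %d (tags=%u)\n", icc_validate_tags(buf, len, &n), n);
    len = icc_build_sample(buf, sizeof buf, 144, 0xFFFFFFF0u);   /* size overruns the file */
    printf("oversized tag: %d\n", icc_validate_tags(buf, len, &n));
    return 0;
}
```

The three checks (count against the table, offset against the header, offset+size against the buffer) are the ones that, when absent, turn a crafted profile into an out-of-bounds read or write in whatever consumes the tag data.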
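For the kASLR item: the page does not reproduce r0keb's list of information classes, so the added example below (not code from his post) uses the best-known one, SystemModuleInformation (class 11), to pull the ntoskrnl.exe image base from user mode. The syscall is Windows-only and sits behind `_WIN32`; the buffer parsing is written with fixed-width types so it compiles anywhere and can be exercised against the constructed, made-up module list that `modules_build_sample` fills in.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* x64 layout of the SystemModuleInformation result: RTL_PROCESS_MODULES holding
 * RTL_PROCESS_MODULE_INFORMATION entries (undocumented, known from reversing). */
typedef struct {
    uint64_t Section;            /* HANDLE, unused here                          */
    uint64_t MappedBase;         /* PVOID                                        */
    uint64_t ImageBase;          /* PVOID: kernel-mode load address (the leak)   */
    uint32_t ImageSize;
    uint32_t Flags;
    uint16_t LoadOrderIndex;
    uint16_t InitOrderIndex;
    uint16_t LoadCount;
    uint16_t OffsetToFileName;   /* index into FullPathName of the bare file name */
    uint8_t  FullPathName[256];
} rtl_module_info_t;

typedef struct {
    uint32_t NumberOfModules;
    uint32_t Pad;                /* keeps Modules[] 8-byte aligned */
    rtl_module_info_t Modules[]; /* NumberOfModules entries        */
} rtl_process_modules_t;

#define MODULES_HDR_LEN offsetof(rtl_process_modules_t, Modules)

/* Return the ImageBase of the module whose file name equals `name`, or 0.
 * Entry 0 is ntoskrnl.exe on a live system; matching by name is explicit.
 * Every index is checked against `len` so a truncated buffer is not over-read. */
uint64_t modules_find_base(const void *buf, size_t len, const char *name) {
    const rtl_process_modules_t *m = buf;
    if (len < MODULES_HDR_LEN)
        return 0;
    for (uint32_t i = 0; i < m->NumberOfModules; i++) {
        if (MODULES_HDR_LEN + (size_t)(i + 1) * sizeof(rtl_module_info_t) > len)
            return 0;                       /* count exceeds what we were given */
        const rtl_module_info_t *e = &m->Modules[i];
        uint16_t off = e->OffsetToFileName;
        if (off >= sizeof e->FullPathName)
            continue;
        if (strncmp((const char *)e->FullPathName + off, name,
                    sizeof e->FullPathName - off) == 0)
            return e->ImageBase;
    }
    return 0;
}

/* Constructed two-entry sample with made-up addresses, for offline use. */
size_t modules_build_sample(void *out, size_t cap) {
    size_t need = MODULES_HDR_LEN + 2 * sizeof(rtl_module_info_t);
    if (cap < need)
        return 0;
    memset(out, 0, need);
    rtl_process_modules_t *m = out;
    m->NumberOfModules = 2;
    m->Modules[0].ImageBase = 0xfffff80012345678ULL;   /* fake ntoskrnl base */
    strcpy((char *)m->Modules[0].FullPathName, "\\SystemRoot\\system32\\ntoskrnl.exe");
    m->Modules[0].OffsetToFileName = 21;                /* strlen("\\SystemRoot\\system32\\") */
    m->Modules[1].ImageBase = 0xfffff80011110000ULL;   /* fake hal base */
    strcpy((char *)m->Modules[1].FullPathName, "\\SystemRoot\\system32\\hal.dll");
    m->Modules[1].OffsetToFileName = 21;
    return need;
}

#ifdef _WIN32
#include <windows.h>
#define SYS_MODULE_INFORMATION 11
#define STATUS_INFO_LENGTH_MISMATCH ((LONG)0xC0000004L)
typedef LONG (NTAPI *NtQSI_t)(ULONG, PVOID, ULONG, PULONG);

/* Ask the kernel for the module list, growing the buffer until it fits.
 * Caller frees *out. Returns 0 on success, -1 on failure (which is what a
 * low-privilege caller should expect once the 24H2 restriction applies). */
int query_system_modules(void **out, size_t *out_len) {
    HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    NtQSI_t fn = ntdll ? (NtQSI_t)GetProcAddress(ntdll, "NtQuerySystemInformation") : NULL;
    if (!fn) return -1;
    ULONG size = 0x10000, ret = 0;
    LONG st = -1;
    void *buf = malloc(size);
    while (buf && (st = fn(SYS_MODULE_INFORMATION, buf, size, &ret)) == STATUS_INFO_LENGTH_MISMATCH) {
        free(buf);
        size = ret + 0x1000;
        buf = malloc(size);
    }
    if (!buf || st < 0) { free(buf); return -1; }
    *out = buf; *out_len = ret;
    return 0;
}
#endif

int main(void) {
#ifdef _WIN32
    void *buf; size_t len;
    if (query_system_modules(&buf, &len) != 0) { puts("query failed"); return 1; }
#else
    static uint64_t sample[128];            /* 8-byte aligned scratch */
    void *buf = sample; size_t len = modules_build_sample(sample, sizeof sample);
#endif
    printf("ntoskrnl.exe base: 0x%llx\n",
           (unsigned long long)modules_find_base(buf, len, "ntoskrnl.exe"));
#ifdef _WIN32
    free(buf);
#endif
    return 0;
}
```

Once ImageBase is known, every exported kernel symbol is a fixed offset away from it, which is exactly why this single query was enough to defeat kASLR from a medium-integrity process.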
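For the page-tables item: this added example (mine, not sam4k's code) decodes an x86-64 virtual address into its four 9-bit table indices, builds and unpacks a page-table entry, and then runs a hardware-style walk over a small simulated physical memory so the Dirty Pagetables idea can be watched in isolation: swap the PFN in a leaf PTE you control and your user VA now aliases a frame you were never mapped. It assumes 4-level paging with 4 KiB pages and no LA57; the frame layout and addresses are constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SHIFT 12
#define PTE_P   (1ULL << 0)   /* present         */
#define PTE_RW  (1ULL << 1)   /* writable        */
#define PTE_US  (1ULL << 2)   /* user-accessible */
#define PTE_NX  (1ULL << 63)  /* no-execute      */
#define PTE_PFN_MASK 0x000ffffffffff000ULL   /* physical frame number, bits 12..51 */

typedef struct { unsigned pgd, pud, pmd, pte, offset; } pt_indices_t;

/* Split a 48-bit virtual address into its four 9-bit table indices + page offset. */
pt_indices_t pt_decode_va(uint64_t va) {
    pt_indices_t ix;
    ix.pgd    = (unsigned)((va >> 39) & 0x1ff);
    ix.pud    = (unsigned)((va >> 30) & 0x1ff);
    ix.pmd    = (unsigned)((va >> 21) & 0x1ff);
    ix.pte    = (unsigned)((va >> 12) & 0x1ff);
    ix.offset = (unsigned)(va & 0xfff);
    return ix;
}

uint64_t pte_make(uint64_t pfn, uint64_t flags) {
    return ((pfn << PAGE_SHIFT) & PTE_PFN_MASK) | (flags & ~PTE_PFN_MASK);
}
uint64_t pte_pfn(uint64_t pte) { return (pte & PTE_PFN_MASK) >> PAGE_SHIFT; }

/* Simulated physical memory: N_FRAMES 4 KiB frames; frame index == PFN.
 * Frames 0..3 hold the PGD, PUD, PMD and PT for the single range we map. */
#define N_FRAMES 16
static uint64_t phys[N_FRAMES][512];

void sim_reset(void) { memset(phys, 0, sizeof phys); }

/* Install a mapping va -> data_pfn with the given leaf flags. */
void sim_map(uint64_t va, unsigned data_pfn, uint64_t leaf_flags) {
    pt_indices_t ix = pt_decode_va(va);
    uint64_t tbl = PTE_P | PTE_RW | PTE_US;   /* intermediate entries */
    phys[0][ix.pgd] = pte_make(1, tbl);
    phys[1][ix.pud] = pte_make(2, tbl);
    phys[2][ix.pmd] = pte_make(3, tbl);
    phys[3][ix.pte] = pte_make(data_pfn, leaf_flags);
}

/* Hardware-style walk from the PGD in frame 0. Returns the leaf PTE, or 0 if
 * any level is not present or points outside simulated memory. */
uint64_t sim_walk(uint64_t va) {
    pt_indices_t ix = pt_decode_va(va);
    unsigned idx[4] = { ix.pgd, ix.pud, ix.pmd, ix.pte };
    unsigned frame = 0;
    uint64_t e = 0;
    for (int level = 0; level < 4; level++) {
        e = phys[frame][idx[level]];
        if (!(e & PTE_P) || pte_pfn(e) >= N_FRAMES)
            return 0;
        frame = (unsigned)pte_pfn(e);
    }
    return e;
}

/* The Dirty Pagetables move, modelled: an attacker who can write the page-table
 * page (frame 3) swaps the PFN of a leaf they own for one they do not, keeping
 * the user-writable flags. Afterwards their VA aliases the victim frame. */
void sim_corrupt_leaf(uint64_t va, unsigned victim_pfn) {
    pt_indices_t ix = pt_decode_va(va);
    uint64_t old = phys[3][ix.pte];
    phys[3][ix.pte] = pte_make(victim_pfn, old & ~PTE_PFN_MASK);
}

int main(void) {
    pt_indices_t ix = pt_decode_va(0xffffffff81000000ULL);   /* typical kernel text VA */
    printf("pgd=%u pud=%u pmd=%u pte=%u\n", ix.pgd, ix.pud, ix.pmd, ix.pte);
    sim_reset();
    sim_map(0x7fff00001000ULL, 5, PTE_P | PTE_RW | PTE_US | PTE_NX);
    printf("before: pfn %llu\n", (unsigned long long)pte_pfn(sim_walk(0x7fff00001000ULL)));
    sim_corrupt_leaf(0x7fff00001000ULL, 6);
    printf("after:  pfn %llu\n", (unsigned long long)pte_pfn(sim_walk(0x7fff00001000ULL)));
    return 0;
}
```

The caching caveat the post closes on is what the simulation leaves out: on real hardware the old translation may still sit in the TLB after the PTE is overwritten, so the alias only becomes visible once that entry is flushed or evicted.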

Interesting Job Postings:

Wrapping Up...

As always, thanks for stopping by. We here at the club are always trying to improve, so if you have comments, questions, or suggestions, feel free to shoot us an email - info@exploits.club.

Follow us on X - we occasionally Tweet poor attempts at memes

Don't forget to check out https://bug.directory!

Your second brain - strictly for bugs

We sell mugs, and personally we have seen a drastic uptick in bugs since using ours. Get yours at https://shop.exploits.club.

Feel free to join the exploits.club Discord server here 👉 https://discord.gg/2dxN2Gtgpx

Same time next week? See you then 🏴‍☠️