exploits.club Weekly Newsletter 72 - Windows On Windows, CoreAudio Fuzzing, VirtualBox escapes, And More

Are all your friends in Berlin, popping Pwn2Own targets and listening to talks on world class research, while you are at home doing none of that? Yeah, no...us either. Annnnnnyways 👇

In Case You Missed It...

  • Pwn2Own & OffensiveCon - If you are in Berlin, consider us jealous. Pwn2Own and OffensiveCon are taking place at the moment. We will be sure to bring updates next week, but at the time of writing Star Labs is in the lead with 8 points headed into Day 2. And if you are at OffensiveCon, you should go to each of the booths and tell them to sponsor this really cool newsletter on VRED...
  • Debugging iOS and Android - Just think, your partly-read Jonathan Levin books need a companion, and we got an unplanned release just this week! Topics include "System-level programming, Debugging, Reverse Engineering, Hooking & Tracing on Darwin, Linux and Android platforms, with a strong emphasis on ARM64".

Resources And Write-Ups From This Week:

  • Breaking the Sound Barrier Part I: Fuzzing CoreAudio with Mach Messages - Project Zero posted, so you know we had to check it out. More specifically, @dillon_franke took to the P0 blog to talk about some of his recent work fuzzing CoreAudio via Mach IPC messages. The post starts with an overview of "Knowledge-Driven" fuzzing, a technique Dillon credits to @NedWilliamson, which involves rapid iteration on a harness based on initial code coverage and observed weaknesses. The post then gets into specifics, looking at the attack vector, detailing Mach IPC messages, the web browser sandbox, and previous research in the area. After settling on CoreAudio as the target, the post moves to research methodology, in which a basic fuzz harness is created, reviewed, and subsequently improved 4 times. The post rounds out with a full root cause analysis of the type confusion bug identified by the fuzzer. A great fuzzing post and an even better research mindset / methodology post.
  • Operationalizing browser exploits to bypass Windows Defender Application Control (WDAC) - @chompie1337 is back this week on the X-Force blog, and she is weaponizing browser N-days. Specifically, the research centers around a recent technique from @0xBoku, where he was able to bring his own backdoored Electron app to bypass WDAC. Chompie wanted to escalate this technique by bringing a backdoored Electron app that ships a vulnerable V8 version, in order to get native code exec on the victim's machine. She starts with a "ground truth", picking out a vulnerable V8 commit, compiling it on Linux, and running a pre-existing exploit against it to make sure it works. From there, she starts the adaptation process to an old VS Code build on Windows with the necessary C2 payload. This ended up proving to be more difficult than expected, requiring more memory, argument smuggling, and persuading TurboFan to play nice. The post wraps up with some operational considerations and some remaining questions.
  • Fuzzing Windows Defender with loadlibrary in 2025 - Let the Windows content keep on rolling. This post builds on a previous post that got loadlibrary working with more recent versions of Windows Defender. The new research starts with a detailed overview of Defender's Lua VM to get a better understanding of the program and the potential attack surface. From there, the post moves on to discuss the fuzzing efforts, specifically a "simple fuzzing setup that is capable of driving the latest 64-bit mpengine.dll version on Linux". The back half of the write-up discusses getting this setup working with AFL++, and then flipping over to Honggfuzz for better optimization. The post wraps up with potential issues in this implementation, but considers the progress made thus far a win.
  • How I ruined my vacation by reverse engineering WSC - It's no secret that the best research comes from work done on planes and in hotel rooms. Seems as though @es3n1n may agree. During some time at an Airbnb in Seoul, they fired up Binja to do some reversing of Windows Security Center after a special request came in for help with a clean implementation of no-defender without reliance on AVs. The post opens with a bit of RE in order to better understand how AVs use the WSC API and how to inject code that replicates the same functionality. From there, 4 additional days of research ensue, involving debugging WSC to understand how a calling process is validated, impersonating WinDefend, rebuilding the validation algorithm, identifying a victim process, and finally cleaning up the code. Also - if you have ever been stuck trying to do something x86-specific on an M-series MacBook, you are sure to sympathize with some of the pain points here.
  • CVE-2025-32464: Overflowing HAProxy regsub converter - A quick hitter out of Codean Labs discussing a heap overflow they found in partnership with Doyensec. Specifically, the bug affects the load balancer and proxy HAProxy. The vulnerability stems from functionality that allows regexes to be included in incoming requests and handled by transformers on the web server. The regsub converter performed its size check on the wrong object before a copy, leading to a heap overflow. The post points out that the content of the overflow is not attacker-controlled, making it an unlikely candidate for RCE, but still powerful enough for an unauthorized attacker to knock a server offline.
  • Oracle VM VirtualBox - VM escape via VGA device - An integer overflow in VirtualBox leads to an allocation of size 0 while the tracked size remains larger...fun. And while the summary is a bit sparse, the included proof of concept shows how the issue was used to perform a VM escape: a heap groom, then an arbitrary read / write primitive, breaking ASLR, gaining RIP control, and finally escaping the VM. Easy, right? Each of the primitives is explored in a bit more depth after the initial PoC overview, walking through the specific objects and functions used.

Interesting Job Postings:

Wrapping Up...

As always, thanks for stopping by. We here at the club are always trying to improve so if you have comments, questions, or suggestions, feel free to shoot us an email - info@exploits.club.

Follow us on X - we occasionally Tweet poor attempts at memes

Don't forget to check out https://bug.directory!

Your second brain - strictly for bugs

We sell mugs, and personally we have seen a drastic uptick in bugs since using ours. Get yours at https://shop.exploits.club.

Feel free to join the exploits.club Discord server here 👉 https://discord.gg/2dxN2Gtgpx

Same time next week? See you then 🏴‍☠️