exploits.club Weekly Newsletter 75 - Speaker Hacking, Old Video Game Bugs, SecureBoot Bypasses, And More


Honestly...that's not bad. Annnnnyways 👇
A Giveaway?
That’s right — after practically begging the Binary Ninja team to sponsor us, our hard work has finally paid off. Even better? They’ve agreed to do a giveaway.
How to enter:
1. Subscribe to the newsletter.
2. Tell a friend. (Okay, technically this one’s optional)
That’s it. On Thursday, June 26th, we’ll randomly pick one lucky subscriber and send them a free Binary Ninja personal license. Enter for your chance to start using the decompiler of the people — built by reverse engineers, for reverse engineers.

In Case You Missed It...
- Vibe Coding Has No Place In Linux Kernel Maintenance - @spendergrsec put together a fun thread about a recent backport that introduced a vulnerability in 5 LTS kernels.
- r2con2025! - Call for papers now open! CFP closing in October, and the event is expected to take place shortly thereafter.
Resources And Write-Ups From This Week:
- Streaming Zero-Fi Shells to Your Smart Speaker - Who doesn't love a good Pwn2Own write-up? This week, Ret2Systems took to their blog to talk about their Sonos Era 300 exploit they used as part of the SOHO smashup last year. The post starts with a bit of recon, explaining why the device was chosen for their smashup research and performing a step-by-step teardown. From there, the team uses the ball diagrams from the eMMC datasheet to figure out how to dump and re-write the flash. Because the speaker had shipped before NCC Group's bootloader bugs had been fully patched, Ret2 was able to take advantage of the previous research to establish a foothold on the device. With the foothold, the team quickly decided to go after the HLS streaming protocol in the anacapad binary, finding an OOB write. They subsequently used this to trigger an info leak and a stack overflow, chaining together for RCE.
- Exploiting Heroes of Might and Magic V - Synacktiv-and-fun-old-video-game-research is slowly becoming our new favorite media genre. In their most recent post, the team decided to go after the 2006 Ubisoft classic, Heroes of Might and Magic V. The post starts with a small overview, explaining how players can create maps, and what contents are included in the exported map archive (which can then be shared with other players online). It seems as though Ubisoft rolled their own zip library for this "proprietary" file type, and ended up with a buggy implementation - the decompressed data can cause a heap overflow. After doing a bit of heap analysis to better understand the freelist and some potential corruption targets, the team finds a reachable vtable and puts together a nice little JOP chain.
- How to Find Vulnerabilities in Web Browsers - Do you read the super cool browser bugs we post in here each week and think..."gosh, I wish I could do that"? Yeah, us too. Thankfully, @ifsecure has come to the rescue. This week, he put out slides on his recent intro talk given at a student-organized conference. And it is 63 slides of absolute gold, ranging from "what is a web browser" to actual case studies of some recent bugs. It covers things like C++ object lifecycles, JavaScript callbacks, JIT bugs, research methodology and a Firefox demo. If you are looking to get into browsers, this is an excellent starting point.
- Hydroph0bia (CVE-2025-4275) - A fun UEFI post dropped this week from @NikolajSchlej. The post kicks off with some background and quirks on NVRAM and discusses how SecureBoot works in any Insyde H2O-based firmware. One of the big issues that immediately stands out is the lack of verification as to who created certain non-volatile variables, leading to a blind trust situation. So, with a little bit of C, the post demonstrates how to make "the firmware trust everything signed by our certificate, including UEFI drivers that we can then run rather early in BDS phase by using the DriverXXXX mechanism."
- Solo: A Pixel 6 Pro Story (When one bug is all you need) - What are they feeding the interns these days? A recent STAR Labs intern was tasked with analyzing a Pixel 7/8 Mali GPU exploit and porting it to the Pixel 6 Pro. For some reason, the Pixel 6 Pro uses a different Mali GPU, and one of the two bugs in the original chain was unsupported. The post starts with an RCA of the bug which seems to work across both GPU versions, an OOB write resulting from an int overflow. To assist in exploiting this bug, a leak is used in the original chain - one which is not present for the Pixel 6 Pro. But what if you didn't need both bugs? Can you convert the int overflow to a leak as well? Well, it turns out you can - the post explores how this was done, touching on Android-isms along the way.
- catdoc zero-day, NVIDIA, High-Logic FontCreator and Parallel vulnerabilities - Cisco Talos put together a short write-up for a handful of different bugs they have disclosed over the last few months. Of note are 2 catdoc memory corruption bugs, both of which the vendor did not respond to but have had patches merged directly into Debian. In addition, the team listed a handful of Parallels bugs, most interesting of which seems to be a directory traversal in PVMP package unpacking. Finally, there was an int overflow in NVIDIA's cuobjdump and an OOB read in High-Logic FontCreator. All the bugs have a short technical write-up underneath their respective TALOS ids.
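Two of the bugs above (the HoMM V decompressor's heap overflow from untrusted decompressed data, and the Mali int-overflow-to-OOB-write) are instances of the same pattern: an attacker-controlled count and per-entry size are multiplied, the product wraps, and an undersized buffer is then written with the full untrusted length. The following is an added example written for this newsletter, not code from Synacktiv, STAR Labs, Ubisoft or Arm; the `struct hdr` record layout, the `MAX_ENTRIES`/`MAX_TOTAL_BYTES` limits and all function names are constructed for illustration. It shows the naive size computation beside an overflow-checked one, and an unpack routine that also refuses payloads shorter than the size they claim.

```c
// Added example: integer-overflow-safe sizing for an untrusted archive record.
// Not the code from any write-up linked above; format and names are constructed.
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define MAX_ENTRIES     4096u               /* constructed policy limit */
#define MAX_TOTAL_BYTES (64u * 1024u * 1024u) /* constructed policy limit: 64 MiB */

/* Constructed header: both fields come straight from the file. */
struct hdr {
    uint32_t count;
    uint32_t entry_size;
};

/* Vulnerable pattern: the 32-bit product wraps, so malloc() is handed a tiny
 * (or zero) size while the copy that follows trusts the original count. */
static size_t naive_alloc_size(const struct hdr *h) {
    return (uint32_t)(h->count * h->entry_size);   /* wraps modulo 2^32 */
}

/* Hardened pattern: reject zero fields, apply policy caps, and test for
 * overflow with a division so the check works for any width of size_t.
 * Returns 0 when the record must be rejected. */
static size_t checked_alloc_size(const struct hdr *h) {
    if (h->count == 0 || h->entry_size == 0) return 0;
    if (h->count > MAX_ENTRIES) return 0;
    if (h->entry_size > MAX_TOTAL_BYTES / h->count) return 0; /* product too big */
    return (size_t)h->count * (size_t)h->entry_size;
}

/* Hardened unpack: size the buffer with the checked computation and verify
 * the payload actually carries that many bytes before copying. */
static int unpack_entries(const uint8_t *buf, size_t len,
                          uint8_t **out, size_t *out_len) {
    struct hdr h;
    if (len < sizeof h) return -1;
    memcpy(&h, buf, sizeof h);
    size_t need = checked_alloc_size(&h);
    if (need == 0 || len - sizeof h < need) return -1;  /* rejected or truncated */
    uint8_t *dst = malloc(need);
    if (!dst) return -1;
    memcpy(dst, buf + sizeof h, need);
    *out = dst;
    *out_len = need;
    return 0;
}

/* Constructed well-formed record: 2 entries of 3 bytes. Returns bytes unpacked. */
static long demo_valid_archive(void) {
    uint8_t buf[sizeof(struct hdr) + 6];
    struct hdr h = { 2u, 3u };
    memcpy(buf, &h, sizeof h);
    memcpy(buf + sizeof h, "abcdef", 6);
    uint8_t *out = NULL; size_t out_len = 0;
    if (unpack_entries(buf, sizeof buf, &out, &out_len) != 0) return -1;
    free(out);
    return (long)out_len;
}

/* Constructed malicious record: 4096 * 1 MiB == 2^32, which wraps to 0 in
 * the naive computation. Returns the unpack result (-1 means rejected). */
static int demo_wrapped_archive(void) {
    uint8_t buf[sizeof(struct hdr) + 16] = {0};
    struct hdr h = { 4096u, 0x100000u };
    memcpy(buf, &h, sizeof h);
    uint8_t *out = NULL; size_t out_len = 0;
    return unpack_entries(buf, sizeof buf, &out, &out_len);
}

int main(void) {
    struct hdr evil = { 4096u, 0x100000u };
    printf("naive size for 4096 x 1MiB: %zu\n", naive_alloc_size(&evil));
    printf("checked size for 4096 x 1MiB: %zu\n", checked_alloc_size(&evil));
    printf("valid archive unpacked bytes: %ld\n", demo_valid_archive());
    printf("wrapped archive result: %d\n", demo_wrapped_archive());
    return 0;
}
```

The division-based overflow test is preferable to checking the product after the fact, since the product is already wrapped by then; a total-bytes cap on top of it also stops the "legitimate but enormous" request that would otherwise exhaust the heap or trip an allocator failure path.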
Interesting Job Postings:
- Early Career Vulnerability Researcher @ Battelle (On-Site: Columbus, OH)
- User Land Security Engineer, SEAR @ Apple (On-Site: Cupertino, CA)
- Vulnerability Researcher @ Netrise (Remote)
- Offensive Security Engineer, Purple Team @ Meta (On-Site: New York, NY)
- Reverse Engineer @ Kudu Dynamics LLC (On-Site: Aurora, CO)
Wrapping Up...
As always, thanks for stopping by. We here at the club are always trying to improve so if you have comments, questions, or suggestions, feel free to shoot us an email - info@exploits.club.
Follow us on X - we occasionally Tweet poor attempts at memes
Want to support us? Buy us a coffee ☕️
Don't forget to check out https://bug.directory!

We sell mugs, and personally we have seen a drastic uptick in bugs since using ours. Get yours on at https://shop.exploits.club.
Feel free to join the exploits.club Discord server here 👉 https://discord.gg/2dxN2Gtgpx
Same time next week? See you then 🏴☠️
