
exploits.club Weekly Newsletter 76 - Tesla Wall Charger Bugs, Chrome PoCs, Secure Boot Arb Writes, And More


Pacers in 7. Annnnyways 👇

Don't Forget!

We are doing a Binary Ninja personal License Giveaway! All you have to do is:
1. Subscribe to the newsletter.

C'mon - that should be easy enough.

The winner will be contacted NEXT THURSDAY (June 26th) via the email used for your newsletter subscription. Huge shoutout to Binary Ninja for providing a license and sponsoring the newsletter.

In Case You Missed It...

Resources And Write-Ups From This Week:

  • Exploiting the Tesla Wall connector from its charge port connector - When Synacktiv found out you could potentially update the Tesla wall-charger from the perspective of a Tesla car...well that sounds like too juicy of an attack surface to pass up. Even better, the protocol and the feature set appeared to be totally undocumented, making for quite the interesting research project. In their newest blog post, they deep-dive into their process for assessing this unknown protocol - starting with setting up an environment, and then moving into hardware and software RE. After taking a look at the feature set, the team realized one of the old firmware versions contained a remotely accessible debug shell. They decided they could downgrade the firmware, retrieve the WiFi credentials over the Unified Diagnostic Services stack, connect to the setup AP, and access that shell. This was part of the exploit they used for Pwn2Own, chained together with a buffer overflow in the debug shell's parsing logic to obtain full RCE.
  • The Unreasonable Effectiveness of Fuzzing for Porting Programs - Not really security related, but certainly some potential use cases for your workflow if you are interested in picking them out. ML and Distributed Systems researcher Russell Power wrote up an experiment about using LLMs to port a program from C to Rust. Normally, that wouldn't be exploits.club worthy, but one of the unique ways he did it was by differential fuzzing - essentially port a small module, and then have an LLM write a fuzz harness for both the C and the Rust version, and ensure that the outputs of random inputs are the same. If that sounds familiar, it might be because a very similar technique has been used to find CPU bugs, such as in this paper...or this one.
  • Fault Injection – Follow the White Rabbit - HN Security published a bit of recent research on their blog this week. The idea was to adapt a technique where EMFI was used to bypass Secure Boot on an ESP32 V3 chip, and use voltage injection instead. The post works through the initial set-up process and the steps necessary to adapt the initial research. After proving the viability of the attack, the research then moves to looking at making the glitch more effective by using some advanced features of the ChipWhisperer Husky and leveraging gdb and a binary search to help narrow the timing window down.
  • Dissecting CVE-2024-12695: Exploiting Object.assign() in V8 - Researchers from Bugscale were looking through the Chromium bug tracker when they stumbled across Bug 383647255. The bug looked interesting, so they decided to try to exploit it. The post starts with a brief primer on Objects and Hashes before moving into an RCA of the issue. The core issue is the ability to overwrite an object's identity hash, which breaks a fundamental V8 assumption. The post then looks at how this becomes a vulnerability, taking advantage of some missing index checks around what should never be an out-of-range value and corrupting metadata. Exploitation then gives an in-depth run-through of how to actually take advantage of this primitive, complete with lots of graphs, code snippets, and fantastic explanations.
  • Is b For Backdoor? Pre-Auth RCE Chain In Sitecore Experience Platform - Another week, another COTS gets embarrassed by WatchTowr. This time, it's Sitecore's Experience Platform, which is hugely popular (22k instances exposed) and used across a number of big-name companies. The team was able to chain 2 trivial bugs together - hard-coded creds and a path traversal zip slip - and pop the whole thing. Not only that, but for good measure they found a second post-auth RCE that they included a brief blurb about as well. The post walks through each of these bugs in extreme depth, explaining the data flows and core issues along the way.
  • Another Crack in the Chain of Trust: Uncovering (Yet Another) Secure Boot Bypass - Binarly posted about a memory corruption bug in a module signed with Microsoft's third-party UEFI certificate. The core issue here, as is increasingly common for most bugs of this style, is improper handling of NVRAM variables. As such, the team was able to gain a pretty straightforward arb write. The research starts with a bit of an overview of Secure Boot and the interesting attack surface, as well as the team's general approach to poking at and enumerating new targets. From there, it shows how their tooling was able to hint at this bug specifically, and then how they were able to take advantage of it. Even though the write was constrained to writing 0s, the team pointed it at gSecurity2, which effectively allowed them to disable Secure Boot.
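An added illustration of the differential-fuzzing idea from the C-to-Rust porting item above (constructed here, not code from that write-up or from exploits.club): a faithful transcription of a Fletcher-16 routine sits beside a "port" with a deliberate transcription slip, and a harness feeds both the same random inputs until their outputs disagree. The xorshift generator and the checksum routine are assumptions standing in for the real module and fuzzer.

```rust
/// Faithful transcription of the original C routine: Fletcher-16 reduces
/// both running sums modulo 255.
fn fletcher16_original(data: &[u8]) -> u16 {
    let (mut s1, mut s2) = (0u16, 0u16);
    for &b in data {
        s1 = (s1 + b as u16) % 255;
        s2 = (s2 + s1) % 255;
    }
    (s2 << 8) | s1
}

/// The "port" with a plausible transcription slip: u8 wrapping arithmetic is
/// modulo 256, not 255, so results diverge once a running sum passes 254.
fn fletcher16_ported(data: &[u8]) -> u16 {
    let (mut s1, mut s2) = (0u8, 0u8);
    for &b in data {
        s1 = s1.wrapping_add(b); // deliberate bug: should reduce mod 255
        s2 = s2.wrapping_add(s1);
    }
    ((s2 as u16) << 8) | s1 as u16
}

/// xorshift32 so the harness is deterministic and dependency-free; a real
/// harness would take its bytes from the fuzzer (e.g. cargo-fuzz) instead.
struct XorShift32(u32);
impl XorShift32 {
    fn next(&mut self) -> u32 {
        let mut x = self.0;
        x ^= x << 13;
        x ^= x >> 17;
        x ^= x << 5;
        self.0 = x;
        x
    }
}

/// Feed identical random inputs to both versions and return the first input
/// on which their outputs differ, or None if none was found.
fn differential_fuzz(seed: u32, iterations: usize) -> Option<Vec<u8>> {
    let mut rng = XorShift32(seed.max(1)); // xorshift must not start at 0
    for _ in 0..iterations {
        let len = (rng.next() % 16) as usize;
        let input: Vec<u8> = (0..len).map(|_| rng.next() as u8).collect();
        if fletcher16_original(&input) != fletcher16_ported(&input) {
            return Some(input);
        }
    }
    None
}
```

`differential_fuzz(1, 10_000)` returns the first diverging input, which is the starting point for minimising and diagnosing the port bug; inputs whose running sums never reach 255 (e.g. `[1, 2, 3]`) agree on both sides, which is exactly why a handful of hand-written tests can miss this class of slip.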

Interesting Job Postings:

Wrapping Up...

As always, thanks for stopping by. We here at the club are always trying to improve so if you have comments, questions, or suggestions, feel free to shoot us an email - info@exploits.club.

Follow us on X - we occasionally Tweet poor attempts at memes

Want to support us? Buy us a coffee ☕️

Don't forget to check out https://bug.directory!

Your second brain - strictly for bugs

We sell mugs, and personally we have seen a drastic uptick in bugs since using ours. Get yours at https://shop.exploits.club.

Feel free to join the exploits.club Discord server here 👉 https://discord.gg/2dxN2Gtgpx

Same time next week? See you then 🏴‍☠️