
exploits.club Weekly Newsletter 79 - Lenovo LPEs, WhatsApp Vulns, Forgotten Syzkaller Bugs, And More

NO movie night for Love Island USA this season? Bro - come on, that's the best part....annnnyways 👇

In Case You Missed It...

Resources And Write-Ups From This Week:

  • Uncovering Privilege Escalation Bugs in Lenovo Vantage - Atredis released a new post this week on a handful of LPE bugs they found while researching Lenovo Vantage, "a common management platform bundled with Lenovo laptops". The write-up starts with an overview of the application's architecture, taking a look at the LenovoVantageService, its attack surface, and its authentication flow. It then does a deep dive on the bugs identified and disclosed, including SQL injections, a logic bug, and a path traversal paired with a TOCTOU.
  • Call, Crash, Repeat: WhatsApp Hacking - @datalocaltmp (great handle) released slides for his REcon 2025 WhatsApp hacking talk. The presentation starts with a quick overview, laying out the feature set and the juicier focus areas. It takes a look at the calling and messaging architecture, going over the various related protocols, and then moves to everyone's favorite part - the bugs. These include a URL validation bug, an OOB write, an OOB read, and a voice chat bug.
  • Mobilizing Cyber Power: The Growing Role of Cyber Militias in China’s Network Warfare Force Structure - Not as technical, but interesting nonetheless - Margin Research released the "first detailed study of China's cyber militia system since 2015". The highlights include: China's ability to mobilize the militia much quicker than traditional "military reserves", how this militia force plays a vital supporting role to the PLA, and how the cyber units and militia are becoming more diversified, professional, and elite. The full report runs 79 pages, covering these areas in much more detail, and taking a deep look at the militia in action through a case study.
  • Buried in the Log. Exploiting a 20 years old NTFS Vulnerability - Who doesn't love a good 20 year old bug? If nothing else, it gives you that little bit of hope to keep auditing that super picked-over target. @immortalp0ny released a post this week about his research into the Windows NTFS implementation, and the vulnerability he identified and exploited with a specifically crafted virtual disk. The bug in question is an integer overflow, which he was able to escalate to an out-of-bounds read and eventually a UAF. The post does a wonderful job outlining the structs and memory layout you need to be aware of, and walking through the iterative process of taking a primitive, turning it into something else, and building the exploit little by little.
  • CVE-2023-52927: Turning a Forgotten Syzkaller Report into a kCTF Exploit - The @qriousec team (more specifically, @seadragnol) dropped a write-up about taking an "invalid" syzkaller report and turning it into a kCTF exploit. The bug in question was in everyone's favorite subsystem these days, nf_tables, and the first part of the post walks through the relevant technical netfilter details and dataflow - information which is subsequently used to root-cause and exploit the bug. The forgotten syzkaller report was a UAF that was two years old and had no reproducer. Thus the journey started with a look at the backtrace and the crafting of a reproducer. This includes a nice little section about attempts and failures, including the quote: "Stuck! Stuck! Stuck!" - something that we just don't see highlighted often enough in VR posts. After successfully figuring out the reproducer, he then goes into crafting an exploit, including switching primitives, causing a leak, getting arbitrary read/write, and finally RIP control.
  • CVE-2025-53367: An exploitable out-of-bounds write in DjVuLibre - More Linux bugs? Yes please. This GitHub report walks through a DjVuLibre vulnerability that could be triggered on a Linux desktop by opening a specifically crafted malicious file. More specifically, the OOB write was triggered by parsing run-length encoded data without bounds-checking it, which led to a heap overflow. The GitHub Security Lab team was able to put together a PoC for RCE (though they say it is a bit unreliable due to the ASLR bypass technique), and released a video of it running. They plan to release the source code on their research repo in the coming weeks.
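
The NTFS item above describes an integer overflow in a size calculation that was escalated into an out-of-bounds read. The C below is an added example, not @immortalp0ny's code and not NTFS's real on-disk structures: it uses a constructed header-plus-entries layout to show the classic `count * sizeof(entry)` check wrapping in 32 bits and passing a huge count, next to the overflow-safe division form, and a parser that uses the safe check and rejects a header that lies about its size.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record layout for illustration only; not NTFS's structures. */
typedef struct { uint32_t count; } hdr_t;                  /* 4 bytes  */
typedef struct { uint32_t tag; uint32_t pad[3]; } entry_t;  /* 16 bytes */

/* Vulnerable form of the check: the 32-bit product wraps for
 * count >= 2^28, so a huge count "needs" only a few bytes and passes.
 * A caller that then walks `count` entries reads far past the buffer. */
int entries_fit_unchecked(uint32_t count, uint32_t avail)
{
    uint32_t needed = count * (uint32_t)sizeof(entry_t);   /* may wrap */
    return needed <= avail;
}

/* Overflow-safe form: divide the available space instead of multiplying
 * the attacker-controlled count, so no intermediate value can wrap. */
int entries_fit_checked(uint32_t count, size_t avail)
{
    return count <= avail / sizeof(entry_t);
}

/* Parse header + entries from `buf` using the safe check. Returns the entry
 * count and sums the tag fields into *tag_sum, or returns -1 if the header
 * claims more entries than the buffer actually holds. */
long parse_entries(const uint8_t *buf, size_t len, uint32_t *tag_sum)
{
    hdr_t h;
    if (len < sizeof h) return -1;
    memcpy(&h, buf, sizeof h);
    if (!entries_fit_checked(h.count, len - sizeof h)) return -1;

    uint32_t sum = 0;
    for (uint32_t i = 0; i < h.count; i++) {
        entry_t e;
        memcpy(&e, buf + sizeof h + (size_t)i * sizeof e, sizeof e);
        sum += e.tag;
    }
    if (tag_sum) *tag_sum = sum;
    return (long)h.count;
}

/* Build a constructed image: a header claiming `claimed_count` entries,
 * followed by the `ntags` real entries given. Returns the image length. */
size_t build_image(uint8_t *buf, uint32_t claimed_count,
                   const uint32_t *tags, uint32_t ntags)
{
    hdr_t h = { claimed_count };
    memcpy(buf, &h, sizeof h);
    for (uint32_t i = 0; i < ntags; i++) {
        entry_t e = { tags[i], { 0, 0, 0 } };
        memcpy(buf + sizeof h + (size_t)i * sizeof e, &e, sizeof e);
    }
    return sizeof h + (size_t)ntags * sizeof(entry_t);
}

/* Build a two-entry image (tags 5 and 7) under an arbitrary claimed count
 * and parse it. Returns the parser's verdict; *tag_sum gets 12 on success. */
long demo_parse(uint32_t claimed_count, uint32_t *tag_sum)
{
    uint8_t img[sizeof(hdr_t) + 2 * sizeof(entry_t)];
    const uint32_t tags[2] = { 5, 7 };                      /* constructed */
    size_t n = build_image(img, claimed_count, tags, 2);
    return parse_entries(img, n, tag_sum);
}

/* Tag sum of the honest two-entry image (5 + 7). */
uint32_t demo_tag_sum(void)
{
    uint32_t s = 0;
    demo_parse(2, &s);
    return s;
}

int main(void)
{
    printf("wrapped check accepts count 0x10000001 in 64 bytes: %d\n",
           entries_fit_unchecked(0x10000001u, 64));
    printf("safe check accepts the same:                       %d\n",
           entries_fit_checked(0x10000001u, 64));
    printf("honest image: %ld entries, tag sum %u\n", demo_parse(2, NULL), demo_tag_sum());
    printf("lying image:  %ld\n", demo_parse(0x10000001u, NULL));
    return 0;
}
```

The division form is the standard fix because it keeps every intermediate at or below `avail`; the alternative of widening the multiply to 64 bits also works, but only if nobody later narrows the result back to 32 bits before the comparison.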
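
The DjVuLibre item above describes a decoder that expands run-length encoded data without checking that the runs fit the destination buffer. The C below is an added example, not DjVuLibre's code and not the GitHub Security Lab PoC: it decodes a constructed toy (run, value) format once with the bound ignored and once with it enforced, and includes a harness that shows how far past the declared buffer the unchecked version writes (the backing store is deliberately oversized so the overflow is observable without corrupting real heap metadata).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy run-length format, not DjVuLibre's: the input is a
 * sequence of (run, value) byte pairs that expand into `out`. */

/* Vulnerable decoder: the accumulated run lengths are never compared against
 * out_len, so a crafted stream writes past the end of the destination
 * buffer (a heap overflow when `out` came from malloc). Returns bytes written. */
size_t rle_decode_unchecked(const uint8_t *in, size_t in_len,
                            uint8_t *out, size_t out_len)
{
    size_t pos = 0;
    (void)out_len;                              /* the bug: bound ignored */
    for (size_t i = 0; i + 1 < in_len; i += 2) {
        memset(out + pos, in[i + 1], in[i]);    /* overflows when pos + run > out_len */
        pos += in[i];
    }
    return pos;
}

/* Hardened decoder: a run that does not fit in the remaining space is an
 * error, not a write. The test is `run > out_len - pos` rather than
 * `pos + run > out_len`, so the comparison itself cannot wrap.
 * Returns bytes written, or -1 on a malformed stream. */
long rle_decode_checked(const uint8_t *in, size_t in_len,
                        uint8_t *out, size_t out_len)
{
    size_t pos = 0;
    if (in_len % 2 != 0) return -1;             /* dangling run byte */
    for (size_t i = 0; i < in_len; i += 2) {
        size_t run = in[i];
        if (run > out_len - pos) return -1;     /* would overflow: reject */
        memset(out + pos, in[i + 1], run);
        pos += run;
    }
    return (long)pos;
}

/* Decode a well-formed constructed stream ("AAABB") into an 8-byte buffer.
 * Returns the checked decoder's result and copies the buffer to `text`
 * as a NUL-terminated string. */
long demo_valid(char text[9])
{
    static const uint8_t good[] = { 3, 'A', 2, 'B' };       /* constructed */
    uint8_t out[8] = { 0 };
    long n = rle_decode_checked(good, sizeof good, out, sizeof out);
    memcpy(text, out, 8);
    text[8] = '\0';
    return n;
}

/* Crafted stream: one run of 200 'X' bytes. */
static const uint8_t crafted[] = { 200, 'X' };              /* constructed */

/* Feed the crafted stream to the unchecked decoder while telling it the
 * buffer is 16 bytes. The backing store is really 256 bytes, so instead of
 * smashing heap metadata we can count how many bytes landed past the end. */
size_t demo_overflow(void)
{
    uint8_t backing[256] = { 0 };
    const size_t declared = 16;
    size_t past = 0;
    rle_decode_unchecked(crafted, sizeof crafted, backing, declared);
    for (size_t i = declared; i < sizeof backing; i++)
        if (backing[i] == 'X') past++;
    return past;
}

/* Same crafted stream, same declared size, hardened decoder: returns -1. */
long demo_checked_rejects(void)
{
    uint8_t backing[256] = { 0 };
    return rle_decode_checked(crafted, sizeof crafted, backing, 16);
}

int main(void)
{
    char text[9];
    long n = demo_valid(text);
    printf("checked decode of good stream: %ld bytes -> \"%s\"\n", n, text);
    printf("unchecked decoder wrote %zu bytes past the 16-byte bound\n", demo_overflow());
    printf("checked decoder on the same stream returned %ld\n", demo_checked_rejects());
    return 0;
}
```

Running the unchecked decoder on a real `malloc`-ed 16-byte buffer would overwrite whatever follows it on the heap, which is exactly the primitive the report turns into code execution; the oversized stack buffer here only makes the overrun countable.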

Interesting Job Postings:

Wrapping Up...

As always, thanks for stopping by. We here at the club are always trying to improve so if you have comments, questions, or suggestions, feel free to shoot us an email - info@exploits.club.

Follow us on X - we occasionally Tweet poor attempts at memes

Want to support us? Buy us a coffee ☕️

Don't forget to check out https://bug.directory!

Your second brain - strictly for bugs



Feel free to join the exploits.club Discord server here 👉 https://discord.gg/2dxN2Gtgpx

Same time next week? See you then 🏴‍☠️