exploits.club Weekly Newsletter 80 - ITW Windows Bugs, Deterministic iOS Exploits, Pwn2Own Firefox Vulns, and More

The Cameraman at that Coldplay concert pic.twitter.com/MHtqBxbwC6
— Hater Report (@HaterReport_) July 18, 2025
Annnnnnnyways 👇 80 NEWSLETTERS 🎉
In Case You Missed It...
- Fuzzing 1001: Introductory white-box fuzzing with AFL++ - new course from OST2!
- Pwnie Nominees for 2025 - Released this week. Check them out!!
Resources And Write-Ups From This Week:
- Trigon: exploiting coprocessors for fun and for profit (part 2) - @alfiecg_dev dropped a new heater on his blog this week as a follow-up to his Trigon research from March of this year. To catch you up: previously he figured out how to map physical memory into a userland process, giving him a deterministic kernel exploit for iOS. At the time, only A10 devices were supported, but his new research extends support to A9(X) and A11. The post provides a bit of background on the Kernel Text Read-only Region (KTRR) and discusses its two-level enforcement. From there, the post moves to the IO Reset Vector Base Address Register and how it might help determine the start and end addresses of the protected kernel region in newer chipsets. This helped extend support forward to A10(X) and A11, but did not fix the backwards-compatibility issues. For that, attention turned to the always-on coprocessor (AOP), and what followed was quite a bit of trial and error to remap the AOP somewhere readable / writable and get code exec. This extended support to the A9 as well, but left A7 and A8(X) unexploited.
- My 'Blind Date' with CVE-2025-29824 - "So my mentor dropped this assignment on me: 'CVE-2025-29824 was used in-the-wild to pwn Windows machines - figure out how they did it.'" Who doesn't love a good set-up problem? Well, safe to say that Ong How Chong from Star Labs was able to come through on the assignment, and this new blog post serves as the "show-your-work" segment. The post starts with a quick patch analysis, where we quickly key in on two modified functions. The patch moved a "release" call from a cleanup function into a subsequent close function. Because cleanup does not guarantee there are no outstanding I/O requests, this release could previously have led to a UAF, which was what was floating around in-the-wild. The post then takes a deeper look at the associated structures and functions, figuring out how to craft a trigger PoC.
- CVE-2025-4919: Corruption via Math Space in Mozilla Firefox - The next part of this week's newsletter might as well be called "editor struggles to understand various browser bugs". If there are any browser experts out there, we are hiring. We don't have any money...or equity...but we could get you a sticker...if we design and print them. Anyways, first up on the browser docket is this Firefox bug from Pwn2Own 2025. Browser-hacking beast Manfred Paul stepped on stage in Berlin this year with an IonMonkey bug. Specifically, addition conducted in an array bounds check does not account for potential modulo semantics, breaking fundamental assumptions of how the check is carried out. This can then be leveraged into an OOB read / write, and a full PoC is included to demonstrate how the exploit is carried out.
- Pre-Auth SQL Injection to RCE - Fortinet FortiWeb Fabric Connector (CVE-2025-25257) - A new post from the watchTowr team analyzes a recent SQLi leading to RCE in FortiWeb Fabric Connector. The post starts with everyone's favorite...a bit of bindiffing. Right off the bat, it seems they have tried to bury the fixes - but fear not, the team quickly keys in on get_fabric_user_by_token. In there we find a classic SQL injection. Dump the user input directly into the query string, what could go wrong? The team then takes a detailed look at the CFG to figure out how this could be triggered, and crafts a PoC to demonstrate (with a classic SQL comment trick). From there, the team figures out how to convert this to full, pre-auth RCE. They do this with a neat little .pth trick, where they write a python file to the site-packages directory, and then visit a python-based cgi-bin endpoint, triggering /bin/python and executing their malicious package. After a bit of trial and error, they were able to get this working for a reverse shell.
- Android: dng_sdk DeltaPerRow out-of-bounds read - A TAG-assisted vulnerability from P0 this week...but not confirmed in the wild(...?). Regardless, this out-of-bounds read in dng_sdk is the result of some improper validation of user-supplied parameters. Interestingly enough, even though it is built with UBSAN, it only compiles checks for signed int overflows, and does not catch the signed int underflow. TAG and P0 suspect this would be used to potentially bypass ASLR and could be reachable from remote contexts.
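The token-lookup bug class from the FortiWeb item, as an added example that is not watchTowr's PoC or Fortinet's code: the string-interpolated lookup beside its parameterized form, plus a format check as defense in depth. The `fabric_user` table, its columns and the token values are assumptions constructed for the demo.

```python
import re
import sqlite3

# Constructed in-memory store standing in for the appliance's user table.
# Table and column names are assumptions for illustration only.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE fabric_user (id INTEGER, name TEXT, token TEXT)")
    db.execute("INSERT INTO fabric_user VALUES (1, 'admin', 'sekret-token-1234')")
    db.commit()
    return db

def lookup_user_vulnerable(db, token):
    """Pattern described in the post: caller input pasted straight into the SQL text."""
    query = "SELECT id, name FROM fabric_user WHERE token = '%s'" % token
    return db.execute(query).fetchone()

def lookup_user_safe(db, token):
    """Same lookup with a bound parameter: the token is data and never parsed as SQL."""
    return db.execute(
        "SELECT id, name FROM fabric_user WHERE token = ?", (token,)
    ).fetchone()

# Defense in depth: reject anything that does not look like a bearer token
# before it reaches the database layer (assumed token alphabet).
TOKEN_RE = re.compile(r"[A-Za-z0-9._-]{8,128}")

def token_is_well_formed(token):
    return TOKEN_RE.fullmatch(token) is not None

def demo():
    db = make_db()
    genuine = "sekret-token-1234"
    # Constructed input: closes the string literal, makes the WHERE clause
    # unconditionally true, and comments out the trailing quote.
    forged = "' OR 1=1 -- "
    return {
        "vuln_genuine": lookup_user_vulnerable(db, genuine),
        "vuln_forged": lookup_user_vulnerable(db, forged),   # returns the admin row
        "safe_genuine": lookup_user_safe(db, genuine),
        "safe_forged": lookup_user_safe(db, forged),         # returns None
        "forged_passes_format_check": token_is_well_formed(forged),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```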
Interesting Job Postings:
- Vulnerability Researcher / Exploit Developer @ REDLattice (On-Site: Annapolis, MD)
- Senior Security Engineer @ Kandji (On-Site: Miami, FL)
- Capability Development Engineer @ Bishop Fox (Remote)
- Internship Vulnerability Researcher @ CENSUS (Thessaloniki, Central Macedonia, Greece)
Wrapping Up...
As always, thanks for stopping by. We here at the club are always trying to improve so if you have comments, questions, or suggestions, feel free to shoot us an email - info@exploits.club.
Follow us on X - we occasionally Tweet poor attempts at memes
Want to support us? Buy us a coffee ☕️
Don't forget to check out https://bug.directory!

Feel free to join the exploits.club Discord server here 👉 https://discord.gg/2dxN2Gtgpx
Same time next week? See you then 🏴☠️
