exploits.club Weekly Newsletter 81 - Safari Spills, SonicWall Overflows, Pixel 8 KGDB, and More
Your friendly neighborhood editor will BE at HACKER SUMMER CAMP! Just look out for a beard, black t-shirt, and backpack...you won't miss me. Annnnnnnyways π
In Case You Missed It...
- Print Copies Of Phrack - Snag yours if you'll be at one of the events!
- P0 becomes Transparent - Project Zero released some new disclosure guidelines they are trialing in an effort to reduce patch gap times.
- Pwn2Own Ireland Announced - Ladies and Gentleman, start your engines...
- Interrupt Labs Releases "Vuln Research Development Content" - Get up to speed on assembly
Resources And Write-Ups From This Week:
- Oops Safari, I think You Spilled Something! - Safari fans rejoice. Exodus dropped a nice write-up on fun bug they have been sitting on since February of 2023. In typical Exodus fashion, the post starts with an intro, providing enough background to get you up to speed, even if you know nothing about browsers. This walks you through the DFG compiler, speculation, on-stack replacement exits and JSObject memory layout. You WILL be tested on that information later in the post, as we then move into the vulnerability. Walking backwards from the crash PoC and the crash trace, we slowly unwind that a value isΞ© expected to be spilled to the stack and its...not. So instead, we pop an initialized variable. From there, exploitation. Spray the stack for a type confusion and getting arb read / write. The blog does, however, conveniently leave out the alleged PAC bypass.
- Stack Overflows, Heap Overflows, and Existential Dread (SonicWall SMA100 CVE-2025-40596, CVE-2025-40597 and CVE-2025-40598) - Who doesn't love some trivial memory corruption from poor http header parsing. Thankfully, our friends over at Watchtowr are here to serve. The team set their sights on SonicWall, and found a stack overflow that looks exactly as you would expect...sscanf into a fixed size buffer like it's 1999. Then, they found. heap overflow which was arguably worse, using a safe version of
sprintf, but bypassing the built-in size check by passing -1 as the parameter. Also, a reflected XSS, just for good measure. - Debugging the Pixel 8 kernel via KGDB - Let's be honest...vuln research is like 60% setting up debug environments. Okay fine...80%. Well, if you are an Android researcher, @andreyknvl might be able to help cut that time down. His new blog post puts forth a step-by-step process to get kernel debugging over a serial connection working for a Pixel 8. It starts with a rundown of the needed hardware, and then walks through how to build a custom kernel with KGDB enabled. From there, it talks set-up, ways to break into KGDB, and how to get gdb attached. Finally we kill some watchdogs, fix some issues, and boom..we are set-up and good to go.
- Qualcomm DSP Kernel Internals - Look, we know the beginning of the blog post states that it is not intended to "cover every detail"...but damn its certainly thorough. @streypaws released a deep dive on Qualcomm's FastRPC DSP kernel system that has as much info as you could possibly want. It walks through high level overviews, structures, data flows, context management...really the whole 9 yards. If this is a subsystem you would ever be interested in poking at, this would be the first place to start.
- Exploiting the Synology TC500 at Pwn2Own Ireland 2024 - A new Pwn2Own write-up dropped last week from InfoSect covering the bug they found in the Synology camera. The team was able to grab the firmware online and get it set-up and emulated. From there, they enumerated the attack surface, noting some customization to the open-source cietweb webserver. Digging deeper, they found a fun format string bug. They were able to use it to remotely obtain an info leak and an arb write (by way of a stack write). Those two primitives combined for an arb read...and well yeah from there it's game over.
- Let Me Cook You a Vulnerability: Exploiting the Thermomix TM5 - Yes, we did have to look up what a Thermomix TM5 is before reading this post. And yes...we kinda want one now. The team at Synacktiv had other ideas for this particular kitchen apparatus though. Their blog from July starts with a hardware analysis of the device, dumping firmware, going through a rundown of the peripheral devices, and outlining some interesting emulation options. After that, the post moves to look at the firmware update file, breaking down the file structure, and looking at the encryption scheme. The team then figures out how to perform a firmware downgrade attack, and taking it a step further, is able to gain persistence due to an improper implementation of secure boot.
Interesting Job Postings:
- Vulnerability Research Engineer and Developer @ Booz Allen Hamilton (On-Site: Quantico, VA)
- Senior Vulnerability Researcher @ TwoSix Technologies (On-Site: Arlington, VA)
- Senior Security Engineer, Cryptography @ Trail Of Bits (Remote, US)
- Staff Vehicle Security Engineer @ Lucid Motors (On-Site: Newark, CA)
- Firmware Security Engineer @ AMD (On-Site: Austin, TX)
Wrapping Up:
As always, thanks for stopping by. We here at the club are always trying to improve so if you have comments, questions, or suggestions, feel free to shoot us an email - info@exploits.club.
Follow us on X - we occasionally Tweet poor attempts at memes
Want to support us? Buy us a coffee βοΈ
Don't forget to check out https://bug.directory!
Feel free to join the exploits.club Discord server here π https://discord.gg/2dxN2Gtgpx
Same time next week? See you then π΄ββ οΈ
