Welcome to exploits.club, spoooky edition. It’s basically the exact same, except there is one mention of vMTE. Annnnnyways 👇
In Case You Missed It...
- Future Architecture Technologies: POE2 and vMTE - More pain and suffering in the works for exploit devs
- Pwn2Own Ireland Results - Congrats to the Summoning Team for taking this year's Master of Pwn
- DistrictCon Speaker Line-Up Announced - Another opportunity to snag tickets coming later next month
Resources And Write-Ups From This Week:
- One‑Click Memory Corruption in Alibaba’s UC Browser: Exploiting patch-gap V8 vulnerabilities to steal your data - Interrupt Labs (specifically, @seal9055) dropped a post about popping a popular Chinese browser. The team took a look at UC Browser, which is actively developed by a subsidiary of Alibaba. As it turns out, they don’t love patching the underlying Chrome engine, leaving a patch gap of roughly 1.5 years to pick through. The team chose a nice-looking CVE with a public PoC and walks through how the original bug came to exist and how the PoC works. From there, the post turns to post-exploitation, looking at what can be abused without escaping the sandbox. The remainder of the write-up shows how to turn the arbitrary read/write into a UXSS and extract data from sensitive sites. Pretty slick.
- LPE via refcount imbalance in the af_unix of Ubuntu’s Kernel - The winning Linux entry for TyphoonPWN by @ky1ebot received its own write-up on the @SecuriTeam_SSD site this week. The Ubuntu LPE targeted the af_unix subsystem, which recently went through a refactor to replace its garbage collection algorithm, and well...that means new bugs. Even though Ubuntu still uses the old GC algorithm, it pulled in a partial refactor for the new implementation (accidentally?), causing a refcount imbalance that leads to a UAF. After RCAing the bug, the post walks through exploitation: a cross-cache attack, a KASLR leak, and a ROP chain to overwrite the modprobe path.
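To make the "refcount imbalance leads to a UAF" step concrete, here is an added toy model (written for this page, not the af_unix code or the write-up's exploit). The object names, the "old GC path takes a reference on queue and drops it on unqueue" convention, and the "partially merged new path drops a reference it never took" behaviour are all assumptions chosen to mirror the narrative; the kernel's real free is modelled by a flag so the dangling pointer is observable rather than undefined behaviour.

```c
#include <stdbool.h>
#include <stdio.h>

/* Added example (not the af_unix code): a toy reference-counted object.
 * 'freed' stands in for the slab object being released, and 'underflowed'
 * records a put() on an already-released object (refcount_t would WARN). */
struct sk_like {
    int refcnt;
    bool freed;
    bool underflowed;
};

static void sk_get(struct sk_like *s) { s->refcnt++; }

static void sk_put(struct sk_like *s) {
    if (s->refcnt <= 0) {      /* put on a dead object: the detectable symptom */
        s->underflowed = true;
        return;
    }
    if (--s->refcnt == 0)
        s->freed = true;       /* kfree() in the real thing */
}

/* Old-GC path (assumption): queueing for a scan takes a reference and the
 * matching unqueue drops it, so the pair is balanced. */
static void old_gc_queue(struct sk_like *s)   { sk_get(s); }
static void old_gc_unqueue(struct sk_like *s) { sk_put(s); }

/* Partially merged new path (assumption): it drops a reference on removal
 * but the matching get lives in code that was never pulled in. */
static void new_gc_remove(struct sk_like *s)  { sk_put(s); }

/* Balanced round: returns 1 if the owner's object was freed (it must not be). */
static int demo_balanced(void) {
    struct sk_like s = { .refcnt = 1 };   /* the owner's own reference */
    old_gc_queue(&s);
    old_gc_unqueue(&s);
    return s.freed;                       /* 0: owner still holds a live object */
}

/* Mixed round: returns 1 if the object was freed out from under its owner. */
static int demo_imbalanced(void) {
    struct sk_like s = { .refcnt = 1 };
    old_gc_queue(&s);
    old_gc_unqueue(&s);
    new_gc_remove(&s);                    /* extra put: refcnt 1 -> 0, freed */
    return s.freed;                       /* 1: the owner's pointer now dangles */
}

/* Same mixed round followed by the owner's own release: the second put on a
 * dead object is what a saturating refcount_t catches in the kernel. */
static int demo_detected(void) {
    struct sk_like s = { .refcnt = 1 };
    old_gc_queue(&s);
    old_gc_unqueue(&s);
    new_gc_remove(&s);
    sk_put(&s);                           /* owner releases: refcnt already 0 */
    return s.underflowed;                 /* 1: underflow observed */
}

int main(void) {
    printf("balanced freed=%d imbalanced freed=%d detected=%d\n",
           demo_balanced(), demo_imbalanced(), demo_detected());
    return 0;
}
```

The point of the model is the ordering: the object is released at the extra put, while the owner still uses its pointer afterwards, which is exactly the window a cross-cache attack reclaims. A kernel built with refcount_t only warns on the second put, after the damage is done.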
- Paint it blue: Attacking the bluetooth stack - Bluetooth bugs are so cool. Synacktiv thinks so as well, having spent some time writing a PoC for CVE-2023-40129, “an integer underflow in the GATT protocol, which is accessible without authentication or user interaction.” In their new write-up, the team walks through the Bluetooth stack, discussing the different layers, services, and the auth/authz implementation. From there, they do an RCA of the bug, explaining how they underflow the packet length variable to -2. Now if you are wondering “how could that possibly be exploitable?”... well, same. Turns out these guys and girls are just better than you (and me), and the rest of the post demonstrates how they get a relative read/write, bypass ASLR, get PC control, and then get code exec on both jemalloc and Scudo devices.
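As an added illustration of the bug class (written for this page, not Android's GATT code or Synacktiv's PoC), here is a minimal signed-length parser in the vulnerable shape beside a hardened one. The PDU layout (a 2-byte header followed by the attribute value) and the `value_len = pdu_len - 2` computation are assumptions chosen to reproduce a -2 result from an empty packet; the real bug's parsing path may differ.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example modelling the bug class, not the real GATT parser.
 * Assumed layout: 2-byte header, then the attribute value. */
#define MAX_VALUE 64

struct att_value {
    int len;
    uint8_t bytes[MAX_VALUE];
};

/* Vulnerable shape: no lower bound on pdu_len, so an empty PDU yields -2
 * and a 1-byte PDU yields -1. */
static int value_len_unchecked(int pdu_len) {
    return pdu_len - 2;
}

/* A negative int rarely trips a signed loop bound; the damage arrives when
 * it reaches a size_t parameter such as memcpy's count. */
static size_t as_copy_count(int value_len) {
    return (size_t)value_len;   /* -2 becomes SIZE_MAX - 1 */
}

/* Hardened shape: reject short PDUs before subtracting, keep the arithmetic
 * unsigned, and bound the copy by the destination size. */
static int parse_value_checked(const uint8_t *pdu, size_t pdu_len,
                               struct att_value *out) {
    if (pdu_len < 2)
        return -1;                       /* header missing: drop the PDU */
    size_t value_len = pdu_len - 2;      /* cannot wrap: pdu_len >= 2 */
    if (value_len > MAX_VALUE)
        return -1;                       /* would overflow out->bytes */
    memcpy(out->bytes, pdu + 2, value_len);
    out->len = (int)value_len;
    return out->len;
}

/* Constructed PDUs for the demo (not captured traffic). */
static const uint8_t empty_pdu[1] = { 0 };                   /* used with len 0 */
static const uint8_t good_pdu[5]  = { 0x0b, 0x00, 'a', 'b', 'c' };
static const uint8_t big_pdu[MAX_VALUE + 3] = { 0x0b, 0x00 }; /* 1 byte too long */

static int demo_empty_unchecked(void) {
    return value_len_unchecked(0);                           /* -2 */
}

static size_t demo_empty_as_count(void) {
    return as_copy_count(value_len_unchecked(0));            /* SIZE_MAX - 1 */
}

static int demo_empty_checked(void) {
    struct att_value v;
    return parse_value_checked(empty_pdu, 0, &v);            /* -1: rejected */
}

static int demo_good_checked(void) {
    struct att_value v;
    int n = parse_value_checked(good_pdu, sizeof good_pdu, &v);
    if (n != 3 || memcmp(v.bytes, "abc", 3) != 0)
        return -1;
    return n;                                                /* 3 */
}

static int demo_oversized_checked(void) {
    struct att_value v;
    return parse_value_checked(big_pdu, sizeof big_pdu, &v); /* -1: rejected */
}
```

The vulnerable version deliberately stops at computing the length rather than copying with it, since a real `memcpy` with `SIZE_MAX - 1` would simply crash the demo; the write-up's interest is precisely that a careful attacker can steer such a length into a bounded relative read/write instead of a crash.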
- O(N) the Money: Scaling Vulnerability Research with LLMs - Much has been said about vuln research and LLMs. And everyone tends to have very reasonable takes, keeping emotions and bias entirely at bay. Last month, the inaugural Offensive AI Con took place in Oceanside, CA. @noperator was in attendance, giving a talk on how LLMs can help scale the VR process while still keeping resource constraints in mind. This week, he posted the talk and a full transcript on his blog. The ideas range from methodology (how do we prioritize target and subsystem selection? How can agents do the same?) down to technical implementation, including his two open-source tools, Raink and Slice.
- What the hell are we doing? - The title of this blog post is something we ask often, but maybe not in the same context @addisoncrump_vr had in mind. The thesis of the post is that fuzzing research has stalled because contributions have either been “incremental and merely sound impressive or presented in ways that obscure their utility.” Not convinced? Don’t worry, the post comes with two case studies supporting the idea that we have lost the plot and care only about technical complexity and statistical significance. Addison ends with a call to action, asking people to “identify whether your contribution is meaningful beyond the classic understanding of statistical significance.”
- CVE-2018-8617 Analysis - @wetw0rk7 came out of the Ret2 Browser training feeling inspired and decided to PoC out CVE-2018-8617. Thirty hours later, he had a full custom read/write. Thankfully for us, the whole process was documented in a follow-up blog post. Step 1, per usual, was to RCA the bug, learning how a public crash PoC works and determining what causes the eventual type confusion. Next, we move to exploitation, looking at which object to pick for the arbitrary read/write, overcoming a handful of limitations, and getting code exec.
- WebAudio AudioWorklets run V8 with disabled denormalized floats - @5aelo has declared this his “favorite bug of the last few years” - that is quite high praise. There is a comment on the linked page that explains the bug, along with a minimal PoC.
Interesting Job Postings:
- Security Researcher @ depthfirst (On-Site: San Francisco, CA)
- Vulnerability Researcher @ RTX (On-Site: Gloucestershire, UK)
- Offensive Security (SEAR) @ Apple (On-Site: Remote)
- Principal Vulnerability Researcher @ Two Six Technologies (On-Site: Arlington, VA)
Wrapping Up:
Don’t forget to check out https://bug.directory!
Your second brain - strictly for bugs