>_SkillsHub

> offensive-vuln-classes

offensive-vuln-classes skill from SnailSploit/Claude-Red

fetch
$curl "https://skillshub.wtf/SnailSploit/Claude-Red/offensive-vuln-classes?format=md"
SKILL.mdoffensive-vuln-classes

SKILL: Week 1: Vulnerability Classes with Real-World Examples

Metadata

Description

Exploit development curriculum covering core vulnerability classes with real-world CVE case studies: stack/heap buffer overflows, use-after-free, integer overflows, format strings, type confusion, and race conditions. Use when learning or teaching vuln classes, researching specific CVE patterns, or building exploit dev knowledge.

Trigger Phrases

Use this skill when the conversation involves any of: vulnerability classes, buffer overflow, use-after-free, UAF, heap overflow, stack overflow, type confusion, integer overflow, format string, memory corruption, CVE case study, exploit development, Day 1-7

Instructions for Claude

When this skill is active:

  1. Load and apply the full methodology below as your operational checklist
  2. Follow steps in order unless the user specifies otherwise
  3. For each technique, consider applicability to the current target/context
  4. Track which checklist items have been completed
  5. Suggest next steps based on findings

Full Methodology

Week 1: Vulnerability Classes with Real-World Examples

Course Overview

created by AnotherOne from @Pwn3rzs Telegram channel.

This document is Week 1 of a multi‑week exploit development course, focusing on core vulnerability classes and real‑world exploitation context.

Next Week we'll focus on using fuzzing to identify new vulnerabilites and in week 3 we'll focus on using patch diffing to find n-days

Day 1: Memory Corruption Fundamentals

Stack Buffer Overflow

What It Is: A stack overflow occurs when a program writes more data to a buffer located on the stack than it can hold, causing adjacent memory to be overwritten. This can corrupt important data like return addresses, allowing attackers to redirect program execution.

Case Study - CVE-2024-27130 (QNAP QTS/QuTS hero Stack Overflow):

  • The Bug: QNAP's QTS and QuTS hero operating systems contained multiple buffer copy vulnerabilities where unsafe functions like strcpy() were used to copy user-supplied input into fixed-size stack buffers without proper size validation. The vulnerabilities affected the web administration interface and file handling components. POC
  • The Attack: An authenticated remote attacker could send specially crafted requests with oversized input to vulnerable endpoints. The unchecked data would overflow stack buffers, corrupting adjacent memory including return addresses and saved frame pointers.
  • The Impact: Remote code execution with the privileges of the QNAP system service. The attacker could gain complete control over the NAS device, accessing stored data, pivoting to other network resources, or installing persistent backdoors.
  • The Fix: QNAP released QTS 5.1.7.2770 build 20240520 and QuTS hero h5.1.7.2770 build 20240520 in May 2024, replacing unsafe string copy functions with bounds-checked alternatives and implementing additional input validation.
  • Why It Matters: Stack overflows remain common in embedded devices and NAS systems running legacy C/C++ code. They're particularly dangerous in internet-facing administration interfaces and often provide the initial foothold for sophisticated attack chains against enterprise infrastructure.

Use-After-Free (UAF)

What It Is: A use-after-free vulnerability occurs when a program continues to use a pointer after the memory it points to has been freed. This creates a "dangling pointer" that can be exploited by carefully controlling heap allocations to place attacker-controlled data where the freed object once lived.

Case Study - CVE-2024-2883 (Chrome ANGLE Use-After-Free):

  • The Bug: Google Chrome's ANGLE (Almost Native Graphics Layer Engine) component, which translates OpenGL ES API calls to DirectX, Vulkan, or native OpenGL, contained a use-after-free vulnerability. The bug occurred when WebGL contexts were destroyed while still referenced by pending graphics operations, leaving dangling pointers to freed graphics objects.
  • The Attack: An attacker could create a malicious HTML page with specially crafted WebGL JavaScript code that triggered rapid creation and destruction of graphics contexts. By carefully timing these operations, the attacker could cause ANGLE to reference already-freed memory. Using heap spray and heap feng-shui techniques, the attacker could control the contents of the freed memory region.
  • The Impact: Remote code execution via a crafted web page with no user interaction beyond visiting the page. By placing a fake object in the freed memory location, the attacker could hijack control flow and execute arbitrary code in the renderer process. This could be chained with sandbox escape exploits for full system compromise.
  • The Fix: Google Chrome 123.0.6312.86 (released March 2024) fixed the vulnerability by implementing proper lifetime management for graphics objects and adding reference counting to prevent premature destruction of objects still in use.
  • Why It Matters: UAF vulnerabilities are particularly dangerous in browsers and complex C++ applications where object lifetimes are difficult to track. Graphics subsystems like ANGLE are attractive targets because they handle untrusted content and have complex state management. They're a favorite target for advanced attackers because they offer fine-grained control over program execution.

Heap Buffer Overflow

What It Is: Similar to stack overflows, heap overflows occur when a program writes beyond the boundaries of a dynamically allocated buffer on the heap. Instead of corrupting stack frames, heap overflows typically corrupt heap metadata or adjacent objects, leading to memory corruption when the heap allocator later processes the corrupted structures.

Case Study - CVE-2023-4863 (libWebP Heap Buffer Overflow):

  • The Bug: The libWebP library, used by Chrome, Firefox, Edge, and many other applications for processing WebP images, contained a heap buffer overflow in the BuildHuffmanTable() function. When parsing specially crafted WebP images with malformed Huffman coding data, the function would write beyond the allocated buffer boundaries. POC
  • The Attack: An attacker could embed a malicious WebP image in a web page or send it via messaging apps. When the victim's browser or application attempted to decode the image, the overflow would occur. The attacker could control the overflow data to corrupt heap metadata and adjacent objects.
  • The Impact: Remote code execution with no user interaction beyond viewing a web page or opening an image. Exploited as a zero-day in the wild before public disclosure. The vulnerability affected billions of devices across multiple platforms (Windows, macOS, Linux, Android, iOS).
  • The Fix: libWebP 1.3.2 (September 2023) fixed the bounds checking in BuildHuffmanTable(). Chrome 116.0.5845.187, Firefox 117.0.1, and other affected software released emergency patches.
  • Why It Matters: Heap buffer overflows in image parsers are particularly dangerous because images are ubiquitous and processed automatically. This vulnerability demonstrated the supply chain risk of widely-used libraries - a single bug in libWebP affected dozens of major applications. Modern heap exploitation techniques can bypass ASLR and other protections when combined with information leaks.

Out-of-Bounds Read (Info Leak)

What It Is: Reading past buffer bounds without modifying memory. Frequently used to leak pointers, object metadata, and kernel layout to defeat KASLR and build arbitrary read/write primitives.

Case Study - CVE-2024-53108 (Linux AMDGPU Display Driver OOB Read):

  • The Bug: In the AMD display driver’s EDID/VSDB parsing path, insufficient bounds checking allowed out-of-bounds reads when extracting identifiers, leading to slab-out-of-bounds access under KASAN.
  • The Attack: A crafted display/EDID data stream could trigger an OOB read in kernel space. While not directly granting write primitives, the info leak can expose kernel memory contents and aid in bypassing KASLR.
  • The Impact: Information disclosure and potential system instability.
  • The Fix: Kernel updates tightened length validation within the AMD display capability parsing logic to ensure all reads stay within EDID buffer bounds. DIFF
  • Why It Matters: Pure OOB reads are valuable for building reliable exploit chains (e.g., pairing with separate write primitives), especially in kernel contexts where defeating KASLR is pivotal.

Uninitialized Memory Use

What It Is: Using stack/heap/pool memory before it is initialized. Contents may include stale pointers, capability flags, or structure fields.

Case Study - CVE-2024-26581 (Linux Kernel Netfilter Uninitialized Variable):

  • The Bug: The Linux kernel's netfilter subsystem contained an uninitialized variable vulnerability in the nf_tables component. When processing netlink messages to configure firewall rules, the nft_pipapo_walk() function failed to initialize a local variable before use. The uninitialized stack variable could contain residual data from previous function calls, including kernel pointers and sensitive memory addresses. POC
  • The Attack: An attacker with CAP_NET_ADMIN capability (obtainable via unprivileged user namespaces on many distributions) could trigger specific netfilter operations that caused the uninitialized variable to be read and copied back to userspace through netlink responses. By repeatedly triggering the vulnerable code path and analyzing returned data, an attacker could extract kernel memory contents including heap/stack addresses.
  • The Impact: Information disclosure leading to KASLR (Kernel Address Space Layout Randomization) bypass. The leaked kernel addresses could then be used to reliably exploit other kernel vulnerabilities, turning potential denial-of-service bugs into privilege escalation or code execution. This vulnerability was particularly dangerous when combined with other netfilter bugs for full LPE chains.
  • The Fix: Linux kernel 6.8-rc1 (February 2024) added proper initialization of the variable using designated initializers: struct nft_pipapo_match *m = NULL; and added explicit zero-initialization for stack structures. Additionally, the patch enabled stricter compiler warnings (-Wuninitialized) for the netfilter subsystem.
  • Why It Matters: Uninitialized memory reads are frequently the first stage in exploit chains, providing the entropy reductions needed to bypass modern mitigations like KASLR. They're particularly valuable in kernel exploitation where defeating ASLR is essential for reliable exploitation. The combination of unprivileged user namespaces granting CAP_NET_ADMIN and uninitialized memory leaks in netfilter makes this class of vulnerability accessible to local attackers without requiring root privileges.

Reference Counting Bugs

What It Is: Incorrect increments/decrements or overflows in reference counters controlling object lifetime (filesystems, networking, drivers).

Case Study - CVE-2022-32250 (Linux Netfilter nf_tables Use-After-Free):

  • The Bug: The Linux kernel's netfilter subsystem (net/netfilter/nf_tables_api.c) had a reference counting error in the nf_tables component. An incorrect NFT_STATEFUL_EXPR check failed to properly track expression object lifetimes during rule updates, leading to premature object destruction while references still existed.
  • The Attack: A local attacker with the ability to create user/network namespaces (unprivileged on many distributions) could manipulate nf_tables firewall rules to trigger the reference counting bug. By creating and modifying stateful expressions in specific sequences, the attacker could cause the kernel to free an object while it was still being referenced, creating a use-after-free condition.
  • The Impact: Local privilege escalation from any user to root on systems allowing unprivileged namespaces (default on Ubuntu, Debian, and others). The UAF primitive could be exploited for arbitrary kernel memory read/write, typically used to modify credentials or overwrite function pointers. Affected Linux kernels from 4.1 (2015) through 5.18.1 (2022). Public exploit available.
  • The Fix: Linux kernel 5.18.2+ corrected the reference counting logic for stateful expressions, ensuring proper lifetime tracking during rule operations. The patch added explicit reference count increments/decrements at the appropriate points in the code path.
  • Why It Matters: Reference counting bugs are subtle and can lead to premature free → use-after-free conditions, or refcount overflow → free while references remain. They're particularly dangerous in kernel code where object lifetime management is critical. The accessibility via unprivileged user namespaces made this vulnerability particularly impactful for local privilege escalation.

NULL Pointer Dereference

What It Is: Dereferencing a NULL pointer in privileged code. While modern systems typically prevent user-space mapping of NULL pages, kernel NULL pointer dereferences remain a significant source of denial-of-service vulnerabilities and can occasionally enable privilege escalation in specific contexts.

Case Study - CVE-2023-52434 (Linux SMB Client NULL Pointer Dereference):

  • The Bug: The Linux kernel's SMB (CIFS) client implementation contained a NULL pointer dereference vulnerability in the smb2_parse_contexts() function. When parsing server responses during SMB2/SMB3 connection establishment, the code failed to properly validate offsets and lengths of create context structures before dereferencing pointers. Malformed create contexts with invalid offsets could cause the kernel to access unmapped memory addresses, triggering a NULL pointer dereference.
  • The Attack: A malicious or compromised SMB server could send crafted SMB2_CREATE responses with invalid create context structures. When a Linux client attempted to mount the share or access files, the kernel would parse these malformed contexts without proper bounds checking. The vulnerability was triggered during the mount operation or file access, requiring only that a user attempt to connect to the malicious server.
  • The Impact: Denial of service affecting Linux kernels from 5.3 through 6.7-rc5. The NULL pointer dereference caused an immediate kernel panic with the error "unable to handle page fault for address: ffff8881178d8cc3" in the smb2_parse_contexts() function. Any user with permission to mount SMB shares could trigger the vulnerability, making it exploitable in multi-user environments. CVSS Score: 8.0 (High) with attack vector: Adjacent Network, requiring low privileges and no user interaction.
  • The Fix: Linux kernel patches (versions 5.4.277, 5.10.211, 5.15.150, 6.1.80, and 6.6.8+) added comprehensive validation of create context offsets and lengths before dereferencing. The patches ensure all pointer arithmetic stays within allocated buffer boundaries during SMB protocol parsing.
  • Why It Matters: NULL pointer dereferences in network protocol parsers are particularly dangerous because they can be triggered remotely by malicious servers or through man-in-the-middle attacks. While modern kernel protections prevent NULL page mapping (mitigating historical privilege escalation techniques), the DoS impact remains critical for availability.

Key Takeaways

  1. Memory corruption remains prevalent: Despite decades of security research, memory corruption bugs continue to plague software, especially in C/C++ codebases.
  2. Defense-in-depth is essential: Each real-world example shows attackers bypassing multiple protection mechanisms (DEP, ASLR, CET, XFG, safe-linking).
  3. Modern mitigations raise the bar but don't eliminate risk: While technologies like CET shadow stack and safe-linking make exploitation harder, determined attackers continue to find bypasses.
  4. Root causes are similar, but contexts differ: Stack, heap, and UAF bugs share common root causes (inadequate bounds checking, lifetime management) but require different exploitation techniques.
  5. Legacy components remain vulnerable: Years-old vulnerabilities in office parsers and archive handlers continue to be exploited due to slow patching.

Discussion Questions

  1. What commonalities do you see across the memory corruption vulnerability classes covered today?
  2. Why do memory corruption vulnerabilities persist despite decades of research into memory-safe languages?
  3. How do the exploitation techniques differ between stack, heap, and UAF vulnerabilities?
  4. What defense mechanisms were bypassed in each example, and what does that tell us about the current state of exploit mitigation?
  5. How do reference counting bugs lead to use-after-free conditions, and why are they particularly difficult to detect?
  6. What role do information leaks (like OOB reads and uninitialized memory) play in modern exploit chains?

Day 2: Logic Vulnerabilities and Race Conditions

Race Conditions

What It Is: A race condition occurs when the behavior of software depends on the relative timing of events, such as the order in which threads execute. When multiple threads or processes access shared resources without proper synchronization, an attacker can manipulate the timing to cause unexpected behavior.

Common Patterns:

  1. File System Race Conditions: Check a file's permissions, then open it (attacker swaps the file between check and open).
  2. Double-Fetch: Kernel reads user-mode memory twice, attacker modifies it between reads.
  3. Synchronization Primitives: Missing or incorrect use of locks, mutexes, or atomic operations.

Real-World Context - Windows TOCTOU Race Condition (CVE-2024-26218):

  • The Bug Pattern: A Time-of-Check Time-of-Use (TOCTOU) race condition in the Windows Kernel allowed an attacker to exploit a timing window between validation and usage of kernel resources. The vulnerability occurred when the kernel checked permissions or resource states but didn't atomically perform the subsequent operation, allowing a racing thread to modify the resource state between check and use.
  • The Attack:
    1. Check Phase: Kernel validates resource permissions/state (e.g., file access rights, object ownership).
    2. Race Window: Attacker's thread modifies the resource state (e.g., replaces object, changes permissions).
    3. Use Phase: Kernel operates on the now-modified resource, assuming the original validated state.
    4. Result: Privilege escalation by operating on resources with elevated privileges.
  • The Impact: Local privilege escalation from low-privileged user to SYSTEM. CVSS Score: 7.7 (HIGH). Affected Windows 10, Windows 11, and Windows Server 2019/2022 systems. Patched in April 2024 (Microsoft Patch Tuesday).
  • Why It's Hard to Fix: Requires atomic check-and-use operations, proper locking mechanisms across complex kernel subsystems, or defensive copying to ensure the checked state matches the used state. Many kernel operations assume sequential execution without considering concurrent modification.

Time-of-Check Time-of-Use (TOCTOU)

What It Is: TOCTOU is a specific type of race condition where there's a gap between checking a condition and using the result. During that gap, the condition can change, invalidating the check.

Classic Example - Symbolic Link Attacks:

1. Program checks if /tmp/important_file is safe to write
2. [RACE WINDOW] Attacker creates symlink: /tmp/important_file -> /etc/passwd
3. Program writes to /tmp/important_file (now actually /etc/passwd)

Real-World Impact:

  • Privilege Escalation: TOCTOU bugs in privileged programs can allow unprivileged users to modify protected files.
  • Bypass Security Checks: Authentication or authorization checks can be circumvented if the resource changes between check and use.
  • Data Corruption: Unexpected file modifications can corrupt system state.

Recent Example - 7-Zip Symlink Path Traversal (CVE-2025-11001/11002):

  • The Bug: Improper validation of symlink targets in ZIP extraction allowed directory traversal via crafted symlinks, enabling writes outside the intended extraction directory.
  • The Attack: A malicious archive embeds symlinks that resolve to sensitive paths; when extracted, files are written to arbitrary locations, enabling code execution scenarios depending on target path.
  • The Impact: Arbitrary file write leading to potential RCE in user context.
  • The Fix: Updates addressed symlink conversion and validation logic during extraction to prevent traversal outside the destination directory.

Double-Fetch Vulnerabilities

What It Is: A double-fetch occurs when kernel code reads user-mode memory twice, assuming it won't change between reads. An attacker with multiple threads can modify the memory after the first read but before the second, causing kernel code to operate on inconsistent data.

Case Study - CVE-2023-4155 (Linux KVM AMD SEV Double-Fetch):

  • The Bug: A double-fetch race condition in the Linux kernel's KVM (Kernel-based Virtual Machine) AMD Secure Encrypted Virtualization (SEV) implementation. KVM guests using SEV-ES or SEV-SNP with multiple vCPUs could trigger the vulnerability by manipulating shared guest memory that the hypervisor reads twice without proper synchronization.
  • The Bug Pattern: The VMGEXIT handler in the hypervisor read guest-controlled memory to determine which operation to perform. An attacker could modify this memory between the first read (validation) and second read (usage), causing inconsistent behavior.
  • The Attack:
    1. First Read: Hypervisor reads guest memory to validate the VMGEXIT reason code.
    2. Race Window: Attacker's vCPU thread modifies the guest memory containing the reason code.
    3. Second Read: Hypervisor reads the modified value and processes a different operation than validated.
    4. Result: Recursive invocation of the VMGEXIT handler, leading to stack overflow.
  • The Impact: Denial of service (DoS) via stack overflow in hypervisor. In kernel configurations without stack guard pages (CONFIG_VMAP_STACK), potential guest-to-host escape.
  • The Fix: Linux kernel patches added proper synchronization to ensure the VMGEXIT reason code is read once and stored in a local variable, preventing the double-fetch condition. Added checks to prevent recursive handler invocation.
  • Why It's Hard to Fix: Requires identifying all locations where hypervisor code reads guest memory multiple times, copying guest data into hypervisor memory once, and operating on the stable copy. Performance considerations make defensive copying expensive in virtualization hot paths.

Logic Flaws in Authentication and Authorization

What It Is: Bugs in the logical flow of authentication or authorization checks that allow attackers to bypass security boundaries without exploiting memory corruption.

Case Study - CVE-2024-0012 (Palo Alto PAN-OS Authentication Bypass):

  • The Bug: Palo Alto Networks PAN-OS software contained an authentication bypass vulnerability in its management web interface. The vulnerability allowed an unauthenticated attacker to bypass authentication checks entirely and gain administrator privileges without providing any credentials.POC
  • The Attack: An attacker with network access to the PAN-OS management web interface could send specially crafted requests that bypassed authentication logic. No credentials or user interaction were required—the attacker could directly gain administrator access by exploiting the flaw in the authentication validation code.
  • The Impact: Complete authentication bypass allowing unauthenticated remote attackers to gain PAN-OS administrator privileges. This enabled attackers to perform administrative actions, tamper with firewall configurations, extract sensitive data, or chain with other vulnerabilities like CVE-2024-9474 for further exploitation.
  • The Fix: Palo Alto released patches in versions 10.2.12, 11.0.6, 11.1.5, and 11.2.4 (November 2024) that corrected the authentication validation logic. Additionally, Palo Alto recommended restricting management interface access to only trusted internal IP addresses as a defense-in-depth measure.
  • Why It Matters: Logic flaws in authentication and authorization can lead to privilege escalation (user becomes admin), horizontal privilege escalation (user A accesses user B's data), or authentication bypass (access without credentials) - all without memory corruption. Missing checks, state confusion, parameter tampering, and session management flaws are common patterns. This vulnerability demonstrates how authentication logic flaws in network devices can provide complete system compromise without requiring memory corruption exploitation.

Arbitrary Write (Write-What-Where)

What It Is: The attacker can write a controlled value to a controlled address.

Case Study - CVE-2024-21338 (Windows AppLocker Driver Arbitrary Function Call → Arbitrary Write):

  • The Bug: The Windows AppLocker driver (appid.sys) contained a vulnerability in its IOCTL handler (control code 0x22A018) that allowed an attacker with local service privileges to call arbitrary kernel function pointers with controlled arguments. The IOCTL was designed to accept kernel function pointers for file operations but remained accessible from user space without proper validation. POC
  • The Attack: An attacker could impersonate the local service account and send a specially crafted IOCTL request to \Device\AppId with malicious function pointers. By choosing the right gadget function, the attacker could perform a 64-bit copy to an arbitrary kernel address - specifically targeting the PreviousMode field in the current thread's KTHREAD structure. Corrupting PreviousMode to KernelMode (0) bypasses kernel-mode checks in syscalls like NtReadVirtualMemory and NtWriteVirtualMemory, granting arbitrary kernel read/write capabilities from user mode.
  • The Impact: Local privilege escalation from local service (or admin via impersonation) to kernel-level arbitrary read/write. This primitive enabled the sophisticated FudModule rootkit to perform direct kernel object manipulation (DKOM), disable security callbacks, blind ETW telemetry, and suspend PPL-protected security processes.
  • The Fix: Microsoft released patches in February 2024 (Patch Tuesday) that added an ExGetPreviousMode check to the IOCTL handler, preventing user-mode initiated IOCTLs from triggering the arbitrary callback invocation.
  • Why It Matters: This represents a sophisticated evolution beyond traditional BYOVD (Bring Your Own Vulnerable Driver) techniques. By exploiting a zero-day in a built-in Windows driver, attackers achieved a truly fileless kernel attack with no need to drop or load custom drivers. The arbitrary write primitive (achieved via PreviousMode corruption) is a canonical technique to flip privilege bits, overwrite function pointers, or modify security policy data. This case demonstrates how IOCTL handlers with insufficient input validation can provide powerful primitives for kernel exploitation, especially when they accept function pointers or allow object confusion.

Locking/RCU Misuse

What It Is: Incorrect lock ordering, missing locks, or misuse of RCU leading to races on freed objects.

Case Study - CVE-2023-32629 (Linux Netfilter nf_tables Race Condition):

  • The Bug: The Linux kernel's netfilter nf_tables subsystem contained a race condition vulnerability due to improper locking when handling batch operations. The vulnerability occurred in the transaction handling code where concurrent access to nf_tables objects wasn't properly synchronized, allowing use-after-free conditions.POC
  • The Attack: An attacker with CAP_NET_ADMIN capability (obtainable through unprivileged user namespaces on many distributions) could exploit the race by sending concurrent netlink messages to manipulate nf_tables rules. By carefully timing these operations across multiple threads, the attacker could trigger a window where one thread frees an object while another thread still holds a reference to it.
  • The Impact: Local privilege escalation from unprivileged user to root on systems with unprivileged user namespaces enabled (default on Ubuntu, Debian, Fedora, and others). The use-after-free primitive could be exploited to gain arbitrary kernel read/write capabilities, typically used to modify process credentials or overwrite kernel function pointers. Affected Linux kernels prior to version 6.3.1 (May 2023).
  • The Fix: Linux kernel 6.3.1 added proper locking mechanisms around nf_tables batch transaction processing, implemented reference counting to track object lifetimes correctly, and ensured atomic operations for concurrent access to shared netfilter data structures.
  • Why It Matters: Locking and RCU misuse leads to reproducible UAF and memory corruption in hot paths like filesystems, networking, and timers. Incorrect lock ordering, missing locks, and RCU violations are particularly dangerous in kernel code where concurrency is pervasive. The netfilter subsystem continues to be a recurring source of such vulnerabilities due to its complexity and extensive use of concurrent data structures.

Key Takeaways

  1. Logic vulnerabilities don't require memory corruption: Authentication bypasses, TOCTOU flaws, and arbitrary write primitives can be as impactful as traditional memory corruption.
  2. Concurrency bugs enable sophisticated exploits: Double-fetch, race conditions and locking misuse are difficult to reproduce but provide reliable exploitation when timing is controlled.
  3. Arbitrary write is the ultimate primitive: Whether achieved through IOCTL handlers, PreviousMode corruption, or RCU misuse, arbitrary kernel write enables privilege escalation, security callback disabling, and rootkit deployment.
  4. User namespaces expand attack surface: Many kernel vulnerabilities (netfilter, io_uring) become exploitable from unprivileged contexts when user namespaces grant capabilities like CAP_NET_ADMIN.
  5. Defense requires atomic operations: TOCTOU vulnerabilities demonstrate that check-then-use patterns are inherently racy; atomic check-and-use operations, proper locking, and defensive copying are essential.

Discussion Questions

  1. How do double-fetch vulnerabilities differ from traditional TOCTOU race conditions and what makes them particularly dangerous in hypervisor contexts?
  2. Compare the exploitation complexity of authentication logic flaws versus kernel race conditions Which provides more reliable exploitation and why?
  3. How does the arbitrary write primitive achieved in CVE-2024-21338 (via PreviousMode corruption) differ from traditional buffer overflow-based arbitrary write, and what advantages does it provide to attackers?
  4. What role do user namespaces play in the exploitability of kernel bugs like CVE-2023-32629, and should distributions reconsider their default unprivileged namespace policies?

Day 3: Type Confusion, Integer, Parser Vulnerabilities

Type Confusion Vulnerabilities

What It Is: Type confusion occurs when a program processes an object as a different type than intended. This can happen in dynamically-typed languages, during unsafe type casts, or in JIT compilers that make incorrect assumptions about object types.

Why They're Dangerous:

  • Objects of different types have different memory layouts
  • Treating Type A as Type B can expose internal pointers, corrupt metadata, or provide arbitrary read/write primitives
  • In JIT compilers, type confusion can bypass sandbox protections

Real-World Example - CVE-2024-7971 (V8 TurboFan Type Confusion):

Background: V8 is the JavaScript engine powering Chrome, Edge, and Node.js. TurboFan is V8's optimizing JIT compiler that converts JavaScript to highly-optimized machine code based on runtime type information.

The Bug: TurboFan's CheckBounds elimination optimization incorrectly assumed array element types during JIT compilation. When encountering a polymorphic inline cache (an optimization for code that handles multiple types), TurboFan sometimes confused tagged pointers (Heap objects) with SMI (Small Integers, V8's immediate integer representation).POC

The Attack:

  1. Type Confusion Setup: Craft JavaScript with polymorphic inline cache that triggers speculative optimization on mixed SMI/HeapNumber array.

    // Simplified concept (not actual exploit):
let arr = [1, 2, 3]; // SMI array
arr[0] = 1.5; // Now mixed SMI and HeapNumber
// TurboFan optimizes assuming one type, confusion occurs

  2. Primitive Construction: The type confusion allowed creating a fake JSArray with a controlled backing store pointer.

  3. Memory Corruption: By corrupting the length field of the fake array, the attacker achieved out-of-bounds read/write capabilities.

  4. Sandbox Escape: Pivot to WASM RWX (read-write-execute) page for shellcode execution, bypassing V8's sandbox.

Mitigations Bypassed:

  • V8 Sandbox (Pointer Compression): The V8 sandbox isolates JavaScript objects from native memory. The attacker bypassed this using pointer compression primitives.
  • CFI (Control-Flow Integrity): JIT-generated code is often exempt from CFI checks, allowing the attacker to execute arbitrary code.

The Fix: V8 patched the CheckBounds elimination logic to correctly track type information during optimization passes.

Why It Matters: Browser exploitation is a high-value target for attackers. Type confusion in JIT compilers is a common vulnerability class, with new variants discovered regularly.

JIT Compiler Exploitation Concepts

Background on JIT Compilation:

  • JIT compilers observe runtime behavior and generate optimized machine code
  • They make assumptions based on type inference and profiling
  • When assumptions are violated but the compiler doesn't properly handle it, bugs occur

Common JIT Vulnerability Patterns:

  1. Type Confusion: Incorrect type inference leading to wrong optimizations
  2. Bounds Check Elimination: Removing safety checks based on incorrect assumptions
  3. Register Allocation Bugs: Incorrect register usage leading to data corruption
  4. Inline Cache Poisoning: Manipulating cached type information

Exploitation Primitives Built from Type Confusion:

  • addrof: Leak object addresses (information leak for ASLR bypass)
  • fakeobj: Create fake objects with controlled structure (type confusion)
  • arbitrary read/write: Out-of-bounds access to any memory location
  • code execution: Pivot to RWX pages or corrupt code pointers

Integer Overflow, Underflow, and Truncation

What They Are:

  • Overflow: Exceeding maximum value (e.g., INT_MAX + 1 wraps to INT_MIN)
  • Underflow: Going below minimum value (e.g., 0 - 1 becomes UINT_MAX for unsigned)
  • Truncation: Losing data when converting larger to smaller type (e.g., (uint32_t)0x100000000 becomes 0)

Why They're Dangerous: Integer bugs often lead to memory corruption because integers are used for:

  • Buffer sizes in memory allocation
  • Loop counters and array indices
  • Length checks and bounds validation

Common Exploitation Pattern:

// Vulnerable code pattern:
size_t size = user_controlled_value1 + user_controlled_value2;  // Overflow!
char *buf = malloc(size);  // Allocates small buffer due to wrap-around
memcpy(buf, user_data, original_large_size);  // Heap overflow

Case Study - CVE-2024-38063 (Windows TCP/IP Integer Underflow RCE):

  • The Bug: The Windows TCP/IP stack contained a critical integer underflow vulnerability in its IPv6 packet processing code. When handling specially crafted IPv6 packets with malformed extension headers, the TCP/IP driver (tcpip.sys) performed arithmetic operations that could result in an integer underflow, leading to out-of-bounds memory access. The vulnerability occurred during IPv6 packet reassembly when calculating buffer sizes for packet fragments.
  • The Attack: A remote unauthenticated attacker could send specially crafted IPv6 packets to a vulnerable Windows system over the network. The malformed packets would trigger the integer underflow during packet reassembly or extension header processing, causing a buffer overflow in kernel memory. The attack sequence:
    1. Craft IPv6 packets with specific extension header configurations
    2. Trigger the underflow in size calculations (e.g., size = header_length - offset where offset > header_length)
    3. The underflowed value wraps to a large unsigned integer (e.g., -1 becomes 0xFFFFFFFF)
    4. Kernel allocates small buffer based on wrapped value modulo some limit
    5. Subsequent copy operation uses original large size, causing heap overflow
    6. Heap overflow leads to kernel memory corruption and RCE
  • The Impact: Remote Code Execution with SYSTEM privileges on affected Windows systems. CVSS Score: 9.8 (Critical). Affected Windows 10 (all versions from 1507 through 22H2), Windows 11 (21H2, 22H2, 23H2, 24H2), and Windows Server versions from 2008 through 2022. The vulnerability was particularly dangerous because:
    • Network-reachable without authentication
    • No user interaction required
    • Kernel-level code execution
    • Affects default Windows configurations with IPv6 enabled
    • Potentially wormable (could propagate automatically like SMBGhost)
  • The Fix: Microsoft released patches in August 2024 (Patch Tuesday KB updates including KB5041580, KB5041585, KB5041587) that added proper bounds checking to IPv6 packet processing and corrected integer arithmetic operations in the TCP/IP stack to prevent underflow conditions. The fix ensured that all subtraction operations check for underflow before use.
  • Why It Matters: This demonstrates how integer underflow in network protocol parsers can lead to critical RCE vulnerabilities. The bug affected fundamental networking code that processes untrusted network input, making it a prime target for wormable exploits similar to SMBGhost (CVE-2020-0796) and EternalBlue. It highlights the ongoing challenges of secure integer arithmetic in performance-critical kernel code where bounds checking overhead is often minimized. The vulnerability also underscores why integer underflow is just as dangerous as overflow—when an unsigned calculation goes negative, it wraps to a massive positive value (e.g., 0 - 1 = 0xFFFFFFFF for 32-bit), defeating size limits and causing massive over-allocation or buffer overflows.

Signed vs. Unsigned Integer Vulnerabilities

The Issue: C/C++ performs implicit conversions between signed and unsigned integers, following complex rules that can surprise developers.

Case Study - CVE-2024-47606 (GStreamer Signed-to-Unsigned Integer Underflow):

  • The Bug: The GStreamer multimedia framework contained a signed-to-unsigned integer conversion vulnerability in the qtdemux_parse_theora_extension function within qtdemux.c. The vulnerability occurred when a gint (signed integer) size variable underflowed to a negative value (e.g., -6 or 0xFFFFFFFA in 32-bit representation), which was then implicitly cast to an unsigned 64-bit integer, becoming 0xFFFFFFFFFFFFFFFA. This massive value was passed to gst_buffer_new_and_alloc for memory allocation.

  • The Attack: An attacker could craft a malicious MP4/MOV media file with specially structured Theora extension data designed to trigger the signed integer underflow. The attack flow:

    1. Malicious media file contains Theora extension with crafted size fields
    2. qtdemux_parse_theora_extension calculates size using signed arithmetic
    3. Calculation underflows: size = field1 - field2 where field2 > field1, resulting in negative value (e.g., -6)
    4. Negative 32-bit value (0xFFFFFFFA) is cast to 64-bit unsigned (0xFFFFFFFFFFFFFFFA)
    5. gst_buffer_new_allocate_sysmem_new_block adds alignment/header to this huge size
    6. Addition causes overflow of slice_size variable, wrapping back to small value (0x89 bytes)
    7. Only 0x89 bytes allocated despite huge requested size
    8. Subsequent memcpy in gst_buffer_fill copies large data into tiny buffer
    9. Buffer overflow overwrites GstMapInfo structure, corrupting function pointers
    10. gst_memory_unmap calls corrupted mem->allocator->mem_unmap_full function pointer
    11. Function pointer hijack achieves arbitrary code execution

  • The Impact: Remote code execution when processing malicious media files.

    • GStreamer is used by countless applications (GNOME, KDE, Firefox, Chrome, VLC derivatives)
    • Media files are commonly shared and automatically processed
    • Exploitation provides reliable function pointer hijack primitive
    • Affects both desktop and embedded systems (smart TVs, IoT devices)

  • The Fix: GStreamer 1.24.10 (December 2024) fixed the vulnerability by:

    • Adding explicit checks for negative values before casting signed to unsigned
    • Using safe integer arithmetic that detects underflow
    • Validating size calculations before memory allocation
    • Implementing bounds checking on all Theora extension parsing

  • Why It Matters: This is a textbook example of signed-to-unsigned conversion vulnerabilities (CWE-195). In C/C++, implicit conversions between signed and unsigned integers follow complex rules that developers often misunderstand:

    • Negative signed integers become huge positive unsigned values when cast
    • The bit pattern is preserved, but interpretation changes
    • Compilers often don't warn about these dangerous conversions
    • The issue is especially common in size calculations where subtraction can go negative

    The vulnerability demonstrates the full exploitation chain from integer bug to code execution: underflow → type confusion → allocation mismatch → heap overflow → structure corruption → function pointer hijack. It's a perfect teaching example of why mixing signed and unsigned arithmetic in security-critical code is dangerous.

Parser Vulnerabilities

What They Are: Parsers convert structured data (files, network protocols, etc.) into internal program representations. Their complexity makes them prime targets for fuzzing and exploitation.

Why Parsers Are Vulnerable:

  1. Complexity: Handling numerous edge cases, optional fields, nested structures
  2. Performance vs. Safety Trade-offs: Optimizations often bypass safety checks
  3. Incomplete Specifications: Real-world data doesn't always match RFC specs
  4. Legacy Compatibility: Supporting old, broken implementations introduces bugs

Common Parser Vulnerability Classes:

Network Protocol Parsers:

QUIC / HTTP/3:

  • Attack Surface: Coalesced frames, reorder/timing corner cases
  • Vulnerability Types: Integer overflows in frame length parsing, state machine confusion
  • Reference: RFC 9000 (QUIC), RFC 9114 (HTTP/3)

HTTP/2:

  • Attack Surface: Stream state machine, flow control
  • Vulnerability Types: Integer edge cases in flow control, stream desync
  • Common Bugs: Missing max-stream checks, improper GOAWAY handling
  • Reference: RFC 7540

gRPC / Protobuf:

  • Attack Surface: Length encoding, type coercion, FFI boundaries
  • Vulnerability Types: Length truncation across language FFI, map/list coercion
  • Common Bugs: Varint parsing errors, recursive message handling

GraphQL:

  • Attack Surface: Query complexity, input coercion, resolver recursion
  • Vulnerability Types: DoS via complex queries, type coercion bypass
  • Common Bugs: Missing depth limits, injection through variables

File Format Parsers:

Image Formats (PNG, JPEG, GIF, WebP):

  • Complexity: Compression algorithms, color spaces, metadata chunks
  • Common Bugs: Integer overflows in dimension calculation, heap overflows in decompression
  • Historic Examples: libpng chunk handling, libjpeg progressive decoding

Document Formats (PDF, Office, RTF):

  • Complexity: Embedded objects, macros, fonts, encryption
  • Common Bugs: Font parser overflows, object stream handling, macro execution
  • Attack Value: High - often opened by users without suspicion

Archive Formats (ZIP, RAR, 7z):

  • Complexity: Compression algorithms, encryption, file metadata
  • Common Bugs: Path traversal, symlink attacks, decompression bombs
  • Recent Example: 7-Zip symlink vulnerability (covered in Day 2)

Multimedia Parsers (MP4, AVI, MKV):

  • Complexity: Multiple codec support, container formats, subtitle handling
  • Common Bugs: Integer overflows in frame size calculations, codec-specific bugs
  • Attack Vector: Malicious media files shared on messaging platforms

Network Protocol Parser Example:

Case Study - CVE-2024-27316 (nghttp2 HTTP/2 CONTINUATION Frame DoS):

  • The Bug: The nghttp2 HTTP/2 library (used by Apache httpd, nginx, and many other servers) contained a vulnerability in its handling of CONTINUATION frames. According to the HTTP/2 specification (RFC 7540), HEADERS frames can be split across multiple CONTINUATION frames when header data is too large. However, nghttp2 failed to limit the total accumulated size of header data across CONTINUATION frames. An attacker could send an unlimited number of CONTINUATION frames, each adding to the accumulated header buffer in memory without any upper bound, leading to unbounded memory consumption.

  • The Attack: An attacker could establish an HTTP/2 connection to a vulnerable server and execute the following attack sequence:

    1. Send a valid HEADERS frame to start a new stream
    2. Send continuous CONTINUATION frames without setting the END_HEADERS flag
    3. Each CONTINUATION frame adds data to the accumulated header buffer
    4. Server allocates more memory for each CONTINUATION frame received
    5. Process repeats until server memory is exhausted
    6. Server becomes unresponsive or crashes due to OOM (Out of Memory)

    The attack was extremely efficient because:

    • Single TCP connection could exhaust gigabytes of server memory
    • Very low bandwidth required from attacker (small CONTINUATION frames)
    • No authentication or special privileges needed
    • Attack could bypass many rate-limiting mechanisms

  • The Impact: Denial of Service via memory exhaustion. CVSS Score: 7.5 (High). Affected:

    • nghttp2 library versions prior to 1.61.0
    • Apache HTTP Server 2.4.17 through 2.4.58 (when HTTP/2 enabled)
    • nginx with nghttp2 module
    • Major CDNs and cloud load balancers using nghttp2
    • Countless web services and APIs using HTTP/2

    Real-world impact included service outages at major web properties when the vulnerability was disclosed in April 2024. Attackers could crash servers or force them to become unresponsive with minimal resources, making it attractive for DDoS attacks.

  • The Fix: Multiple fixes were deployed:

    • nghttp2 v1.61.0 (April 2024): Added NGHTTP2_DEFAULT_MAX_HEADER_LIST_SIZE limit (default 64KB) for total accumulated header size across all CONTINUATION frames
    • Apache httpd 2.4.59 (April 2024): Implemented H2MaxHeaderListSize directive to limit total header size
    • Servers now reject connections that exceed reasonable header accumulation thresholds
    • Added counters to track number of CONTINUATION frames per HEADERS

  • Why It Matters: This vulnerability is part of a broader class of HTTP/2 protocol implementation flaws discovered in 2024, including:

    • CVE-2023-44487 (HTTP/2 Rapid Reset): Stream creation/cancellation DoS
    • CVE-2024-27316 (this one): CONTINUATION frame memory exhaustion
    • Multiple similar issues across different HTTP/2 implementations

    The vulnerability demonstrates several important security principles:

    1. Protocol Complexity: HTTP/2's frame-based design with stream multiplexing creates complex state machines prone to resource exhaustion bugs
    2. Specification Gaps: RFC 7540 didn't mandate limits on CONTINUATION frame accumulation, leaving implementations vulnerable
    3. Defense in Depth: Proper parser implementation requires:
      • Per-frame size limits (existed)
      • Total accumulated size limits (was missing)
      • Frame count limits
      • Time-based limits
    4. Resource Accounting: Parsers must track resource consumption across related operations, not just individual operations
    5. Fuzzing Limitations: This bug survived years of fuzzing because traditional fuzzers focus on crashes, not gradual resource exhaustion

    The attack is particularly effective because it exploits the legitimate protocol mechanism (CONTINUATION frames) rather than malformed data, making it harder to detect and block without breaking legitimate large-header use cases.

WebAssembly Runtime Vulnerabilities

What They Are: WebAssembly (WASM) runtimes execute portable bytecode in browsers and standalone environments. They're essentially sophisticated parsers with JIT compilers that translate WASM bytecode to native machine code while maintaining sandboxing guarantees.

Attack Surface:

  • WASM JIT Optimization Bugs: Similar to JavaScript JIT bugs, type confusion in Wasmtime, Wasmer
  • WASI Sandbox Escapes: Host-call interfaces providing escape routes
  • Memory Model Bugs: Typed-Func-Refs, GC, Tail-calls, Memory64 features expanding attack surface
  • Register Allocation Errors: Compiler backend bugs leading to incorrect code generation
  • Stack Map Generation: Missing or incorrect metadata for garbage collection

Case Study - CVE-2022-31146 (Wasmtime Use-After-Free via Missing Stack Maps):

  • The Bug: Wasmtime's code generator (Cranelift) contained a critical bug where functions using WebAssembly reference types (externref) were missing required metadata (stack maps) for runtime garbage collection. During Cranelift's migration to the regalloc2 register allocator in version 0.37.0, the concept of "aliased virtual registers" was introduced to improve efficiency. However, aliasing resolution was accidentally not applied to the list of virtual registers holding reference values. This caused regalloc2 to incorrectly believe that registers containing live reference-typed values were actually dead, leading to omitted stack maps for those values. When garbage collection occurred, the collector would mistakenly think that Wasm stack frames had no live references to GC-managed objects and would prematurely reclaim and deallocate them.

  • The Attack: To trigger the vulnerability:

    1. A Wasmtime host passes a non-null externref value to a WebAssembly module
    2. The Wasm module uses reference type operations (e.g., table.get or table.set on x86_64)
    3. A garbage collection is triggered while active Wasm frames are on the stack (either through sufficient externref activity or explicit GC request from host)
    4. The GC incorrectly reclaims live externref objects due to missing stack maps
    5. The function continues executing and accesses the freed memory
    6. Result: Use-after-free condition allowing potential arbitrary code execution

  • The Impact: Use-after-free vulnerability affecting Wasmtime versions 0.37.0 through 0.38.1 (May-July 2022). Any embedding running WebAssembly modules with reference types was potentially vulnerable. The bug could lead to:

    • Memory corruption when accessing freed GC objects
    • Arbitrary code execution if attacker could control freed memory contents
    • Sandbox escape in browser contexts or server-side WASM environments
    • Crash or undefined behavior in production WASM applications

    The vulnerability was particularly insidious because it was introduced during a performance optimization (register allocator migration) and went undetected because Wasmtime's fuzz target for GC and stack maps (table_ops) was mistakenly not performing actual work.

  • The Fix: Wasmtime 0.38.2 (July 2022) corrected the aliasing resolution to properly apply to all virtual registers, including those holding reference values. This ensured regalloc2 received accurate liveness information and generated correct stack maps for all frames using reference types. Additional fuzzing improvements were implemented to ensure the GC fuzz target actually exercises garbage collection.

  • Workarounds: Users unable to immediately upgrade could:

    • Disable reference types proposal via wasmtime::Config::wasm_reference_types(false)
    • Downgrade to Wasmtime 0.36.0 or earlier (pre-regalloc2 migration)

  • Why It Matters: This vulnerability demonstrates several critical aspects of WebAssembly runtime security:

    1. Compiler Backend Complexity: Modern JIT compilers have intricate register allocation and code generation logic where subtle bugs can have severe security implications
    2. GC Integration Challenges: Reference types and garbage collection add significant complexity to WASM runtimes, requiring precise coordination between generated code and runtime
    3. Performance vs. Security Trade-offs: Optimizations like register aliasing can introduce security bugs if not carefully implemented
    4. Fuzzing Effectiveness Depends on Validation: Even with fuzzing infrastructure, bugs can persist if the fuzzer isn't actually exercising the intended code paths
    5. Stack Map Accuracy is Critical: Missing or incorrect stack maps are a common source of GC-related vulnerabilities across many language runtimes (not just WASM)

Key Takeaways

  1. Type safety is critical: Languages without strong type systems or with unsafe casts are prone to type confusion. JIT compilers in browsers and WASM runtimes make type assumptions that, when violated, create exploitable conditions.
  2. JIT compilers are complex attack surfaces: Optimizing compilers (V8 TurboFan, Cranelift) make assumptions about types and register allocation that, when wrong, create exploitable conditions. Even performance optimizations like register allocator migrations can introduce subtle security bugs.
  3. Integer bugs are subtle and pervasive: They're easy to miss in code review, often require specific input ranges to trigger, and can lead to memory corruption when used for size calculations. Signed/unsigned confusion is particularly dangerous.
  4. Parser complexity breeds vulnerabilities: Network protocol parsers (HTTP/2, QUIC), file format parsers (images, documents, archives), and media parsers all handle untrusted input and are prone to integer overflows, bounds checking failures, and state machine confusion.
  5. WASM runtimes face unique challenges: Combining JIT compilation, garbage collection, and sandboxing creates complex interactions where bugs in register allocation, stack map generation, or memory model handling can lead to use-after-free and sandbox escapes.
  6. Defense requires multiple layers:
    • Safe integer libraries (e.g., SafeInt for C++) and bounds-checked operations
    • Compiler warnings (-Wformat-security, -Wuninitialized) and static analysis
    • Runtime checks and sanitizers (though they have performance costs)
    • Language-level solutions (e.g., Rust's type system and integer overflow detection)
    • Continuous fuzzing of parsers and JIT compilers
    • Proper validation of all inputs, especially in parser state machines

Discussion Questions

  1. Why are JIT compilers (both JavaScript engines and WASM runtimes) particularly prone to type confusion and register allocation vulnerabilities? What makes optimizing compilers more vulnerable than interpreters?
  2. How can developers safely perform integer arithmetic in security-critical code, especially when calculating buffer sizes or array indices? What are the pitfalls of mixing signed and unsigned integers?
  3. What are the trade-offs between performance and safety when handling integer operations and parser validation? How do production systems balance these concerns?
  4. How do modern languages like Rust address integer overflow and type safety issues? Why do these problems persist in C/C++ despite decades of awareness?
  5. Why are parser vulnerabilities so common across different domains (network protocols, file formats, media codecs)? What common patterns lead to parser bugs?
  6. What makes WebAssembly runtime security particularly challenging compared to traditional native code or interpreted languages? How do reference types and garbage collection complicate WASM JIT compilation?
  7. How effective is fuzzing at discovering the types of vulnerabilities covered today (type confusion, integer bugs, parser flaws)? What are the limitations of fuzzing for finding these bug classes?

Day 4: Format String and Injection Vulnerabilities

Format String Vulnerabilities

What They Are: Format string vulnerabilities occur when user-controlled data is passed as the format string argument to functions like printf, sprintf, fprintf, syslog, and similar functions in C/C++.

The Core Issue: Format functions use special directives (e.g., %s, %x, %n) to interpret subsequent arguments. When an attacker controls the format string, they can:

  1. Read arbitrary memory using %s and %x directives
  2. Write arbitrary memory using the %n directive (writes number of bytes output so far to a pointer)
  3. Crash the program by causing invalid memory access

How They Work:

Safe Usage:

printf("%s", user_input);  // user_input is data, not format string

Vulnerable Usage:

printf(user_input);  // user_input IS the format string - DANGEROUS!

Real-World Example - CVE-2023-35086 (ASUS Router Format String RCE):

Background: ASUS RT-AX56U V2 and RT-AC86U routers contained a format string vulnerability in their web administration interface (httpd daemon).

The Bug: The do_detwan_cgi module's logmessage_normal function directly used user-controlled input as a format string when calling syslog(), without any sanitization:

void logmessage_normal(char *user_input) {
    syslog(LOG_INFO, user_input);  // VULNERABLE!
}

The Attack (Multi-Stage):

Stage 1 - Information Leak:

1. Attacker authenticates to router admin interface (or exploits auth bypass)
2. Sends HTTP request with format string: %p.%p.%p.%p
3. Router logs this to syslog, leaking stack addresses
4. %p directives reveal stack layout and defeat ASLR
5. Attacker maps out memory layout for reliable exploitation

Stage 2 - Arbitrary Write:

6. Attacker crafts format string with %n directive
7. Sends: %<offset>$<width>x%<target>$n
8. Overwrites function pointer or return address on stack
9. Redirects execution to attacker-controlled shellcode
10. Result: Remote Code Execution with root privileges

Mitigations Bypassed:

  • ASLR: Bypassed via format string information leak (%p directives)
  • Stack Canaries: Format string write can overwrite return address directly without touching canary
  • Authentication: Initially required admin access, but later found exploitable without authentication

The Fix: ASUS firmware updates

void logmessage_normal(char *user_input) {
    syslog(LOG_INFO, "%s", user_input);  // Safe - user input is data, not format
}

Additionally implemented input validation and enabled -Wformat-security compiler warnings.

Why It Matters: Format string vulnerabilities in embedded devices and routers are particularly dangerous because:

  • Devices often run outdated firmware
  • Many are internet-facing (UPnP, remote administration)
  • Compromise provides persistent network access
  • Can be chained with other vulnerabilities for full device takeover

Application-Specific Parser and File Handling

What They Are: Vulnerabilities in parsers for archive formats, office documents, and other non-web file types. These provide initial access vectors through malicious file sharing.

Case Study - CVE-2023-38831 (WinRAR Archive Parsing RCE):

  • The Bug: WinRAR's archive handling code improperly processed archives containing both a folder and a file with the same name. When extracting, WinRAR could be tricked into executing a file when the user double-clicked what appeared to be a folder in the archive.

  • The Attack: An attacker created a specially crafted RAR archive containing:

    1. A folder named "document.pdf" containing malicious executable
    2. A file named "document.pdf" containing benign PDF

    When a user double-clicked the entry in WinRAR, it would extract and execute the malicious executable instead of opening the PDF.

  • The Impact: Remote code execution with user privileges when opening crafted archives. Widely exploited by multiple threat actor groups (trading firms, cryptocurrency targets). Affected WinRAR versions before 6.23.

  • The Fix: WinRAR 6.23 corrected the handling logic to prevent ambiguous filename processing and added warnings for suspicious archive structures.

  • Why It Matters: Archive parsers (ZIP, RAR, 7z) are common attack vectors for initial access via email attachments and file sharing. Logic flaws in extraction handling complement traditional memory corruption bugs.

Document/Formula Parser Issues:

Case Study Context - CVE-2023-21716 (Microsoft Word RTF Remote Code Execution):

  • The Bug: Microsoft Word's Rich Text Format (RTF) parser contained a heap-based buffer overflow vulnerability. When processing specially crafted RTF documents, the parser failed to properly validate the size of font table entries before copying data into a heap buffer.
  • The Attack: An attacker could craft a malicious RTF document with oversized font table entries. When a victim opened the document in Microsoft Word, the parser would overflow the heap buffer during font processing, corrupting adjacent memory structures.
  • The Impact: Remote code execution with user privileges when opening a malicious RTF file. No user interaction beyond opening the document was required.
  • The Fix: Microsoft released patches in February 2023 (KB5002289 and related updates) that added proper bounds checking to the RTF font table parser and implemented safe buffer copy operations.
  • Defense: Apply patches immediately, use Office in protected view for untrusted documents, implement email attachment filtering, and enable Microsoft Defender Application Guard where available.
  • Why It Matters: Legacy parser components in office suites remain valuable targets due to widespread deployment and slow patching cycles. Document-based exploits are effective for initial access in enterprise environments. RTF parsers are particularly attractive because RTF files are often trusted more than macros and can bypass some security controls.

Key Takeaways

  1. Code/Data separation is fundamental: Format string vulnerabilities demonstrate the danger of treating user input as format specifiers rather than data. When code and data mix (user input as format string), attackers gain powerful primitives.
  2. Format strings provide dual primitives: The %x and %s directives enable arbitrary memory reads (information disclosure for ASLR bypass), while %n enables arbitrary memory writes (overwriting return addresses, function pointers).
  3. Archive and document parsers are high-value targets: File formats are shared via email and messaging, automatically processed, and often trusted by users. Logic flaws (WinRAR filename confusion) and memory corruption (Word RTF heap overflow) both lead to RCE.
  4. Parser complexity breeds vulnerabilities: Archive formats (ZIP, RAR, 7z) and document formats (RTF, PDF, Office) have complex specifications, legacy compatibility requirements, and performance optimizations that introduce security bugs.
  5. Embedded devices amplify risk: Format string bugs in router firmware (ASUS) are particularly dangerous because devices run outdated software, are internet-facing, and provide persistent network access when compromised.
  6. Defense requires safe APIs and validation: Using printf("%s", user_input) instead of printf(user_input), enabling compiler warnings (-Wformat-security), implementing input validation, and sandboxing parsers are essential defense layers.

Discussion Questions

  1. Why do format string vulnerabilities provide both information disclosure and arbitrary write capabilities? How does the %n directive enable memory writes, and why is this more powerful than traditional buffer overflows?
  2. How do format string exploits differ between 32-bit and 64-bit architectures in terms of stack layout, argument passing conventions, and exploitation techniques?
  3. Compare the WinRAR filename confusion vulnerability (logic flaw) with the Word RTF heap overflow (memory corruption). Which is easier to exploit reliably, and why do both attack vectors remain prevalent?
  4. Why do parser vulnerabilities in archive and document formats continue to be common despite decades of research into safe parsing? What makes formats like RTF, PDF, and ZIP particularly prone to security bugs?
  5. How can organizations defend against malicious document and archive attacks? What role do sandboxing (Protected View, containers), static analysis, and user education play?
  6. What compiler flags, static analysis tools, and runtime protections can help prevent format string vulnerabilities in C/C++ code? Why do these bugs still appear in embedded device firmware?

Day 5: Drivers, Filesystems, and Boot Vulnerabilities

IOCTL/Syscall Handler Vulnerabilities

What It Is: Faulty user↔kernel marshalling and validation in system calls or device control paths (e.g., Windows DeviceIoControl, Linux ioctl).

Case Study - CVE-2023-21768 (Windows AFD.sys Buffer Size Confusion):

  • The Bug: The Windows Ancillary Function Driver (AFD.sys), which handles socket operations, had a buffer size confusion vulnerability in its IOCTL handler. When processing IOCTL_AFD_SELECT requests, the driver failed to properly validate the relationship between user-provided buffer size and the actual structure size.
  • The Attack: An attacker could call DeviceIoControl() with a specially crafted input buffer where the declared size didn't match the actual data size. The driver would allocate a buffer based on one size value but copy data based on another, leading to an out-of-bounds write in kernel pool memory.
  • The Impact: Local privilege escalation from standard user to SYSTEM. The OOB write primitive was used to corrupt adjacent kernel objects in the pool, hijacking control flow. Exploited in the wild before patching.
  • The Fix: Microsoft KB5022845 added strict validation ensuring user-provided length matched expected structure size, used ProbeForRead() to validate user pointers, and implemented additional bounds checking before memory operations.
  • Why It Matters: IOCTL/syscall handlers are common attack vectors due to size/bounds confusion, trusting user pointers without probing, double-fetch issues, and incomplete pointer chasing. These lead to LPE via UAF/OOB/arbitrary write and sandbox escapes.

Driver and Peripheral Interface Vulnerabilities

What They Are: Validation failures and memory corruption in device drivers handling USB, HID, audio/video, network interfaces, and legacy hardware. Drivers represent a massive attack surface due to complex state machines, insufficient input validation, and third-party code quality issues.

Case Study - CVE-2024-53150 (Linux ALSA USB-Audio OOB Read):

  • The Bug: The Advanced Linux Sound Architecture (ALSA) USB audio driver failed to properly validate the bLength field of USB device descriptors when traversing clock descriptors. When parsing malformed audio streaming interface descriptors with shorter-than-expected bLength values, the driver could read beyond allocated buffer boundaries.
  • The Attack: An attacker with physical access or USB emulation capabilities (e.g., BadUSB, malicious USB device, or compromised USB hub) could craft a USB audio device with bogus descriptors containing shortened bLength fields. When the device enumerated, the kernel driver would traverse these descriptors without proper bounds checking, leading to out-of-bounds reads.
  • The Impact: Local information disclosure and potential privilege escalation from user to root. The out-of-bounds read primitive could leak sensitive kernel memory contents, including addresses to defeat KASLR. Added to CISA's Known Exploited Vulnerabilities catalog in April 2025.
  • The Fix: Linux kernel 6.12.2 (December 2024) added comprehensive descriptor validation, checking bLength against sizeof() for clock source and clock multiplier descriptors, and validating array bounds for clock selector descriptors before traversal.
  • Why It Matters: Driver vulnerabilities dominate Windows exploits (20+ vulnerabilities in drivers like RasMan since 2022) and are increasingly targeted in Linux. USB/HID/audio/video drivers are particularly vulnerable due to complex parsing requirements and are exploitable via physical access or emulated devices.

Bring Your Own Vulnerable Driver (BYOVD):

What It Is: A technique where attackers abuse legitimate but vulnerable signed drivers to gain kernel-level access on Windows systems. While not a vulnerability per se, BYOVD is widely used in exploit chains.

Case Study Context - Lazarus Group Driver Abuse:

  • The Technique: Attackers drop a legitimate but vulnerable signed driver (e.g., old versions of ASUS, Gigabyte, or MSI drivers) that Windows will load due to valid signature.
  • The Attack: Once loaded, the vulnerable driver provides arbitrary kernel read/write primitives through its IOCTL interface. Attackers use this to disable security features (PatchGuard, AV/EDR), load unsigned drivers, or escalate privileges.
  • The Evolution: Microsoft's response included Driver Blocklist expansion and Vulnerable Driver Blocklist. Advanced groups like Lazarus shifted from BYOVD to direct zero-day kernel exploits after 2023 due to increased detection.
  • Defense: Enable Vulnerable Driver Blocklist (HVCI/Memory Integrity), monitor for unusual driver loads, implement application control policies.

Win32k.sys Graphics/Window Manager Issues:

Case Study - CVE-2025-24983 (Win32k Use-After-Free EoP):

  • The Bug: A use-after-free in the Windows Win32k kernel subsystem allowed an authorized local attacker to elevate privileges. Classified under CWE‑416, it was added to CISA’s KEV in March 2025.
  • The Attack: By manipulating window/GUI objects via Win32k APIs, a local attacker could trigger the UAF and corrupt kernel memory to achieve SYSTEM.
  • The Impact: Local privilege escalation to SYSTEM.
  • The Fix: Microsoft updated Win32k to harden object lifetime handling and mitigate the UAF condition.
  • Why It Matters: Win32k remains a frequent target due to complex GUI state and broad exposure to unprivileged code.

Filesystem and Mounting Vulnerabilities

What They Are: Logic flaws in filesystem handling, mounting operations, and file metadata processing. Increasingly exploited for privilege escalation in multi-user and container environments.

Case Study - CVE-2023-0386 (OverlayFS Privilege Escalation):

  • The Bug: The Linux OverlayFS implementation failed to properly validate file capabilities when copying files from lower to upper layers. The vulnerability allowed bypassing user namespace UID/GID mapping for setuid/setgid binaries.
  • The Attack: An attacker in an unprivileged container could create a specially crafted OverlayFS mount structure where setuid binaries from the lower layer retained elevated privileges when copied to the upper layer, despite being in a user namespace.
  • The Impact: Container escape and privilege escalation from unprivileged user to root on the host system. Affected Kubernetes clusters, Docker environments, and systems using OverlayFS for container storage.
  • The Fix: Linux kernel 6.2+ added proper capability validation during file copy operations, ensuring user namespace mappings are respected and setuid/setgid bits are stripped appropriately.
  • Why It Matters: Filesystem logic flaws are common in Linux (OverlayFS, FUSE, NFS) and provide reliable privilege escalation paths in containerized environments. Improper ownership inheritance and permission checks are recurring patterns.

Pipe/Stream Splicing Issues:

Case Study - CVE-2022-0847 (Dirty Pipe):

  • The Bug: The Linux kernel's pipe implementation failed to properly initialize the PIPE_BUF_FLAG_CAN_MERGE flag when splicing pages from page cache into pipes. This allowed overwriting data in read-only files by splicing modified pages back.
  • The Attack: An attacker could open a read-only file (e.g., /etc/passwd), use splice() to create a pipe containing pages from that file, modify the pipe buffer, then splice it back to overwrite the original file contents.
  • The Impact: Local privilege escalation from any user to root by overwriting /etc/passwd or other privileged files. Extremely reliable exploitation requiring minimal permissions. Affected Linux kernels 5.8+ through 5.16.11.
  • The Fix: Linux kernel 5.16.11+ properly initializes pipe buffer flags and prevents splicing back to read-only files.
  • Why It Matters: Pipe and splice operations are complex kernel mechanisms with subtle state management requirements. Dirty Pipe demonstrated how initialization bugs can lead to powerful arbitrary file write primitives.

Malicious File/Mount Handling:

Case Study - CVE-2025-24071 (Windows File Explorer Credential Leak):

  • The Bug: Windows File Explorer improperly handled .library-ms files, which are XML-based library definition files. When parsing malicious .library-ms files with crafted UNC paths, Explorer would automatically attempt authentication to remote SMB shares.
  • The Attack: An attacker could create a .library-ms file pointing to \\attacker-server\share. When a user browsed a folder containing this file (even without opening it), Explorer would send NTLMv2 authentication credentials to the attacker's server.
  • The Impact: Credential harvesting via automatic NTLM authentication. Attacker captures NTLMv2 hashes for offline cracking or relay attacks. Similar issues exist with NTFS features allowing chained RCE (CVE-2025-24993).
  • The Fix: Windows patches restrict automatic network authentication during file parsing and add warnings for UNC paths in library files.
  • Why It Matters: File format parsers in GUI components often have network access capabilities. Credential leaks through automatic authentication are valuable for lateral movement in enterprise environments.

Boot and Security Feature Bypass Vulnerabilities

What They Are: Vulnerabilities that bypass boot-time security protections or kernel hardening features. Emerging prominently in 2024-2025 exploits for persistence and rootkit deployment.

Case Study - CVE-2025-47827 (Secure Boot Bypass):

  • The Bug: In IGEL OS before v11, the igel-flash-driver module improperly verified cryptographic signatures, allowing a crafted SquashFS root filesystem to be mounted and bypass Secure Boot protections.
  • The Attack: With physical access or admin control, an attacker could leverage the signature verification flaw during boot to load untrusted kernel code.
  • The Impact: Complete system compromise with kernel-level persistence. Enables evil-maid attacks, bypasses BitLocker, Windows Defender, and EDR solutions. Rootkit survives OS reinstallation if firmware is not reflashed.
  • The Fix: Vendor guidance for IGEL OS v10 is limited due to end-of-support; mitigation guidance focuses on revocation/DBX updates and upgrading to supported versions enforcing strict signature validation.
  • Why It Matters: Secure Boot bypasses enable persistent compromise below the OS level. Physical access scenarios (stolen laptops, interdiction) and supply chain attacks leverage these vulnerabilities for long-term persistence.

Kernel Hardening Evasion:

Case Study - CVE-2025-53136 (Windows Kernel Pointer Leak):

  • The Bug: Multiple Windows kernel functions exposed kernel memory addresses through information disclosure vulnerabilities. Specifically, NtQuerySystemInformation and related APIs leaked kernel heap and pool addresses.
  • The Attack: An attacker could call specific system information query APIs to leak kernel addresses, defeating Kernel Address Space Layout Randomization (KASLR). These leaks are chained with other vulnerabilities (UAF, OOB write) to reliably exploit kernel bugs.
  • The Impact: Information disclosure enabling exploitation of kernel vulnerabilities. KASLR bypass is a prerequisite for modern kernel exploitation. Often combined with vulnerabilities like CVE-2023-21768 (AFD.sys) for full privilege escalation chains.
  • The Fix: Microsoft added restrictions to information query APIs, reducing precision of returned information or requiring elevated privileges for sensitive queries.
  • Why It Matters: Kernel hardening features (KASLR, SMEP, SMAP, Control Flow Guard) require information leaks to bypass. Pointer leaks are critical primitives in exploit chains and are actively targeted by attackers.

Key Takeaways

  1. Drivers are high-risk: expansive IOCTL surfaces and complex descriptor parsing create memory corruption and arbitrary read/write.
  2. IOCTL/syscall handlers are high-value targets: Size confusion and function pointer validation failures provide powerful LPE primitives without requiring traditional buffer overflows.
  3. Concurrency bugs enable sophisticated exploits: Double-fetch, race conditions and locking misuse are difficult to reproduce but provide reliable exploitation when timing is controlled.
  4. Arbitrary write is the ultimate primitive: Whether achieved through IOCTL handlers, PreviousMode corruption, or RCU misuse, arbitrary kernel write enables privilege escalation, security callback disabling, and rootkit deployment.
  5. User namespaces expand attack surface: Many kernel vulnerabilities (netfilter, io_uring) become exploitable from unprivileged contexts when user namespaces grant capabilities like CAP_NET_ADMIN.
  6. Defense requires atomic operations: TOCTOU vulnerabilities demonstrate that check-then-use patterns are inherently racy; atomic check-and-use operations, proper locking, and defensive copying are essential.
  7. Physical/adjacent vectors matter: USB/Thunderbolt/emulated devices are attacker-controlled input.

Discussion Questions

  1. Which testing strategies most effectively surface IOCTL handler bugs in complex drivers?
  2. Why are IOCTL handlers such prevalent sources of kernel vulnerabilities, and what validation patterns should be mandatory for all IOCTL implementations?
  3. How can developers design IOCTL interfaces to prevent size confusion and arbitrary function call vulnerabilities while maintaining performance and flexibility?
  4. What monitoring best detects Secure Boot tampering and unexpected kernel module loads?
  5. Which container runtime settings most reduce OverlayFS and mount attack viability?
  6. How should organizations treat removable and emulated devices to minimize driver-exposed risk?

Day 6: Impact Assessment and Vulnerability Classification

Understanding Impact Categories

Remote Code Execution (RCE):

  • Definition: Attacker can execute arbitrary code on the target system remotely without physical access.
  • Impact: Highest severity - complete system compromise possible.
  • Examples from This Week:
    • CVE-2024-27130 (QNAP): Stack overflow → RCE
    • CVE-2024-2883 (Chrome ANGLE): UAF → RCE via heap corruption
    • CVE-2023-4863 (libWebP): Heap overflow → RCE
    • CVE-2024-7971 (V8): Type confusion → RCE via arbitrary R/W
    • CVE-2023-35086 (ASUS Router): Format string → RCE via stack overwrite

Local Privilege Escalation (LPE):

  • Definition: Attacker with limited access can gain higher privileges (user → root/SYSTEM).
  • Impact: High severity - allows persistence, defense evasion, lateral movement.
  • Examples:
    • Windows Kernel TOCTOU (CVE-2024-26218): User → SYSTEM via race condition exploitation
    • Driver IOCTL bugs: Standard user → Administrator/SYSTEM

Information Disclosure / Info Leak:

  • Definition: Attacker can read data they shouldn't have access to.
  • Impact: Medium to High - often chained with other bugs to bypass ASLR.
  • Examples:
    • Format string leaks: Bypass ASLR by leaking libc addresses
    • Speculative execution (Spectre): Leak kernel memory from userland
    • Uninitialized memory reads: Leak heap/stack contents

Denial of Service (DoS):

  • Definition: Attacker can make a service unavailable without gaining code execution.
  • Impact: Low to Medium - disrupts availability but doesn't compromise confidentiality/integrity.
  • Examples:
    • Decompression bombs: Exhaust memory/CPU
    • Algorithmic complexity attacks: Trigger worst-case performance
    • Crash bugs without exploitable primitives

Exploitability Factors

Attack Complexity:

  • Low: Attacker can repeatedly exploit with minimal effort.
  • High: Requires complex preparation, rare conditions, or user interaction.

Example Comparison:

  • Low Complexity: Buffer overflow in network daemon (CVE-2024-27130)
  • High Complexity: Browser type confusion requiring specific JavaScript execution order (CVE-2024-7971)

Attack Vector:

  • Network: Exploitable remotely over network (highest threat)
  • Adjacent: Requires local network access
  • Local: Requires local access to system
  • Physical: Requires physical access

Privileges Required:

  • None: No authentication needed
  • Low: Standard user access required
  • High: Administrative access required

User Interaction:

  • None: Fully automated exploitation
  • Required: Victim must perform action (click link, open file)

CVSS Scoring System

Base Score Components (Intrinsic qualities):

  • Attack Vector (AV): Network/Adjacent/Local/Physical
  • Attack Complexity (AC): Low/High
  • Privileges Required (PR): None/Low/High
  • User Interaction (UI): None/Required
  • Scope (S): Unchanged/Changed (does exploit affect resources beyond vulnerable component?)
  • Impact to Confidentiality (C), Integrity (I), Availability (A): None/Low/High

Temporal Score Components (Change over time):

  • Exploit Code Maturity: Not Defined/Proof-of-Concept/Functional/High
  • Remediation Level: Official Fix/Temporary Fix/Workaround/Unavailable
  • Report Confidence: Unknown/Reasonable/Confirmed

Environmental Score (Organization-specific):

  • Modified Base Metrics based on local environment
  • Considers organizational security requirements

Score Ranges:

  • 0.0: None
  • 0.1-3.9: Low
  • 4.0-6.9: Medium
  • 7.0-8.9: High
  • 9.0-10.0: Critical

Exercise: Classify 10 Real CVEs

For each CVE below, determine:

  1. Vulnerability Class (Stack overflow, UAF, Type confusion, etc.)
  2. Impact Type (RCE, LPE, Info Leak, DoS)
  3. CVSS Score Estimate (Low/Medium/High/Critical)
  4. Exploitability (Low/Medium/High complexity)
  5. Priority (How urgently should this be patched?)

Cases for Classification:

  1. CVE-2024-27130 (QNAP Stack Overflow)

    • Class: ?
    • Impact: ?
    • CVSS: ?
    • Exploitability: ?
    • Priority: ?

  2. CVE-2024-2883 (Chrome ANGLE UAF)

    • Class: ?
    • Impact: ?
    • CVSS: ?
    • Exploitability: ?
    • Priority: ?

  3. CVE-2023-4863 (libWebP Heap Overflow)

    • Class: ?
    • Impact: ?
    • CVSS: ?
    • Exploitability: ?
    • Priority: ?

  4. CVE-2024-7971 (V8 TurboFan Type Confusion)

    • Class: ?
    • Impact: ?
    • CVSS: ?
    • Exploitability: ?
    • Priority: ?

  5. CVE-2023-35086 (ASUS Router Format String)

    • Class: ?
    • Impact: ?
    • CVSS: ?
    • Exploitability: ?
    • Priority: ?

  6. CVE-2022-34718 (Windows tcpip.sys EvilESP)

    • Class: ?
    • Impact: ?
    • CVSS: ?
    • Exploitability: ?
    • Priority: ?

  7. 7-Zip Symlink Path Traversal (CVE-2025-11001/11002)

    • Class: ?
    • Impact: ?
    • CVSS: ?
    • Exploitability: ?
    • Priority: ?

  8. CVE-2023-4155 (Linux KVM AMD SEV Double-Fetch)

    • Class: ?
    • Impact: ?
    • CVSS: ?
    • Exploitability: ?
    • Priority: ?

  9. CVE-2021-24105 (Dependency Confusion Attack)

    • Class: ?
    • Impact: ?
    • CVSS: ?
    • Exploitability: ?
    • Priority: ?

  10. CVE-2023-44487 (HTTP/2 Rapid Reset)

    • Class: ?
    • Impact: ?
    • CVSS: ?
    • Exploitability: ?
    • Priority: ?

Common Mistake Patterns in Classification

  1. Confusing Impact with Exploitability:

    • High impact doesn't mean easy to exploit
    • Critical CVE might have high complexity

  2. Ignoring Real-World Context:

    • Lab exploit != Production exploitation
    • Mitigations affect real-world exploitability

  3. Over-relying on CVSS:

    • CVSS is standardized but imperfect
    • Context matters: SQL injection in admin panel vs. public-facing

  4. Neglecting Chaining:

    • Info leak alone: Medium severity
    • Info leak + RCE primitive: Critical
    • Consider full attack chain

Industry Standards and Reporting

Responsible Disclosure:

  1. Report to vendor through appropriate channel (security@, bug bounty)
  2. Allow reasonable time for fix (typically 90 days)
  3. Coordinate public disclosure
  4. Publish technical details after fix available

Reporting Templates:

  1. Summary: One-sentence description
  2. Impact: What can attacker achieve?
  3. Affected Versions: Precisely list versions
  4. Prerequisites: Auth required? User interaction?
  5. Steps to Reproduce: Detailed, repeatable
  6. Proof of Concept: Code/commands to demonstrate
  7. Suggested Fix: If applicable
  8. References: Related CVEs, papers

Key Takeaways

  1. Impact != Exploitability: Critical bugs can be hard to exploit; easy exploits might have limited impact.
  2. Context is crucial: Same bug class has different severity in different contexts.
  3. Standardization helps: CVSS provides common language, but isn't perfect.
  4. Chaining amplifies impact: Multiple medium bugs can create critical exploit chain.
  5. Reporting matters: Clear, detailed reports help vendors fix vulnerabilities faster.

Discussion Questions

  1. How should organizations prioritize patching when faced with hundreds of vulnerabilities?
  2. What are the limitations of CVSS scoring, and how can they be addressed?
  3. When is it ethical to publicly disclose a vulnerability before a patch is available?
  4. How do bug bounty programs affect the economics of vulnerability research and disclosure?

Day 7: Capstone Project — Recent Vulnerability Triage and PoC Validation

  • Goal: Apply the week's concepts by selecting several 2024–2025 vulnerabilities, correctly classifying and understanding them, locating and safely testing PoCs, and explaining what the vulnerability is, how it works, and how it can be chained.
  • Activities:
    • Select Targets (4–6 CVEs):
      • Choose recent CVEs from 2024–2025 spanning at least 3 categories: memory corruption, logic/auth, parser/media, kernel/drivers, networking/protocol, boot/supply chain.
      • Prefer items with public advisories and PoCs or detailed technical analyses.
    • For Each CVE, Complete the Following:
      1. Identify: Product/component, affected versions, vulnerability class (CWE), primary impact (RCE/LPE/Info Leak/DoS). Collect links to vendor advisory, NVD, and KEV (if listed).
      2. Understand: Summarize the root cause and vulnerable code path or state machine. Capture the key preconditions and trust boundaries.
      3. PoC Discovery and Test: Find a public PoC; verify authenticity; pin to a commit or release tag; note all prerequisites. If no PoC exists, move on we will get to it later on. try to understand how does that poc works
      4. Explain (what/how/chain): In ~150–250 words, explain:
        • What the vulnerability is (class, component, versions, impact)
        • How it works (root cause and exploit path)
        • How it could be chained (e.g., info leak → ASLR bypass → RCE; sandbox escape → LPE)
      5. Risk & Priority: Provide CVSS v3.1/v4 estimate, EPSS (if available), KEV status, and remediation priority in a realistic enterprise context.
    • Chaining Exercise (At least 1 chain):
      • Design a plausible multi-step chain using two or more selected CVEs (or one CVE plus a generic primitive), describing preconditions, boundary crossings, and final impact.

Deliverables

  • A short report (“Vulnerability Card”) per CVE and one chaining write-up.
  • PoC references pinned to commit SHA/tag; note any modifications you made.

Report Template (use per CVE)

# CVE-YYYY-NNNNN – Title

- Class / CWE:
- Impact (RCE/LPE/Info Leak/DoS):
- Affected product & versions:
- Sources: [Vendor advisory], [NVD], [KEV], [PoC link]
- Lab environment:
  - Host OS / kernel / packages:
  - Target build/version:
  - Isolation controls (snapshot, no outbound):
- Reproduction steps:

1. ...
2. ...

- How it works (root cause and exploitation path):
- Chaining opportunities (with what and why it works):
- Risk rating: CVSS v3.1/v4 (your calc), EPSS, KEV status

Suggested Sources

  • NVD, CISA KEV, vendor advisories and security bulletins
  • Google Project Zero, ZDI, ICS-CERT advisories
  • Exploit-DB, GitHub code search (e.g., CVE-2025 poc, proof-of-concept)
  • Academic/industry blogs with technical write-ups

Submission Checklist

  • report.md with one Vulnerability Card per CVE and one chain write-up
  • Links to advisories/NVD/KEV, PoC URLs with commit SHAs/tags
  • Environment details and exact reproduction steps
  • Evidence artifacts (logs/PCAPs/crash traces/screenshots)
  • Mitigation/detection guidance and remediation priority
<!-- Written by AnotherOne from @Pwn3rzs Telegram channel -->

> related_skills --same-repo

> offensive-xxe

offensive-xxe skill from SnailSploit/Claude-Red

> offensive-xss

offensive-xss skill from SnailSploit/Claude-Red

> offensive-windows-mitigations

offensive-windows-mitigations skill from SnailSploit/Claude-Red

> offensive-windows-boundaries

offensive-windows-boundaries skill from SnailSploit/Claude-Red

┌ stats

installs/wk0
░░░░░░░░░░
github stars12
██░░░░░░░░
first seenMar 18, 2026
└────────────

┌ repo

SnailSploit/Claude-Red
by SnailSploit
└────────────