VRIG: V8 N-Day Analysis CVE-2023-4068

CVE-2023-4068 WASM Null vs JS Null Type Confusion

Bug Type: V8 introduced a WASM null type for WebAssembly references while still keeping the JS null-value object. Some engine paths mistakenly treat the JS null-value as a WASM null. This type confusion allows reading or writing beyond the allocated JS null object.

Commit: 455d38ff8df7303474e8ead05cad659aac0a1bbc

Bug Location: From src/wasm/constant-expression-interface.cc:

WasmValue DefaultValueForType(ValueType type, Isolate* isolate) {
  switch (type.kind()) {
    case kI32:
    case kI8:
    case kI16:
      return WasmValue(0);
    case kI64:
      return WasmValue(int64_t{0});
    case kF32:
      return WasmValue(0....

September 25, 2025 · 2 min · Oleg ·  CVE  V8

VRIG: V8 N-Day Analysis CVE-2025-5419

CVE-2025-5419

Background: Based on the ITW exploit (author unknown) found by Clement Lecigne and Benoît Sevens.

Build Instructions: Build d8 using:

a) Run once:
git checkout 5c198837c21b9b6cde113c4cb35d00e6b368f9a5
gclient sync
gn gen ./out/x64.debug
gn gen ./out/x64.release

b) Debug Build: You will need to patch the "ShouldZapGarbage" function in "./heap/zapping.h" to return false. This function returns false in release builds.
ninja -C ./out/x64.debug d8

Release Build:
ninja -C ./out/x64.release d8

Run with: C:\path\to\v8\v8\out\x64....

September 25, 2025 · 7 min · Oleg ·  CVE  V8

VRIG: V8 N-Day Analysis CVE-2025-5959

CVE-2025-5959 WebAssembly Type Canonicalization Bug (CanonicalEquality::EqualValueType())

Bug Type: WebAssembly's type canonicalization function, CanonicalEquality::EqualValueType() (which collapses structurally equivalent types into a single unique form), does not take nullability (whether a reference can be null) into account for indexed references (references that point to a previously defined type by index, like ref $t1). This causes one fatal flaw: the engine can't tell the difference between a nullable type like ref null $t1 and a non-nullable one like ref $t1 for indexed reference types inside a type definition....

September 25, 2025 · 6 min · Oleg ·  CVE  V8

CoRCTF 2025 Rev Write Up

Challenges: rev/tagme, rev/purely-functional-oop, rev/roll, rev/whatever-floats-your-boat

Tagme
Description: tag, you're it! g, you're it!tag
Update: the flag does not contain the letter 'p'
Download: tagme

Summary: The general idea for this challenge is that you have a flag checker that works by taking in an input, growing the flag via an expansion lookup table, and finally checking the flag against the same enqueue point as the dequeue. There are several parts to this challenge that make it interesting; let's start with the main function:

void __fastcall __noreturn main(int a1, char **a2, char **a3)
{
  char c; // [rsp+3h] [rbp-3Dh]
  char *lineptr; // [rsp+8h] [rbp-38h] BYREF
  size_t n; // [rsp+10h] [rbp-30h] BYREF
  unsigned __int64 i; // [rsp+18h] [rbp-28h]
  __ssize_t v7; // [rsp+20h] [rbp-20h]
  char *flag; // [rsp+28h] [rbp-18h]
  unsigned __int64 v9; // [rsp+30h] [rbp-10h]
  unsigned __int64 v10; // [rsp+38h] [rbp-8h]

  v10 = __readfsqword(0x28u);
  puts("Enter flag:");
  lineptr = 0;
  n = 0;
  v7 = getline(&lineptr, &n, stdin);
  if ( v7 == -1 )
    print("Illiterate");
  if ( v7 <= 8 )
    print("Short");
  if ( v7 > 39 )
    print("Long");
  if ( strncmp("corctf{", lineptr, 7u) )
    print("Ineligible");
  if ( strncmp("}\n", &lineptr[v7 - 2], 2u) )
    print("Ineligible");
  set_up();
  flag = lineptr + 7;
  v9 = v7 - 9;
  for ( i = 0; i < v9; ++i )
  {
    c = flag[i];
    if ( (i & 1) !...

A Comprehensive Beginner's Guide to RITSEC

So you just started at RIT, and you want to know how to make the most of your time here? Whether you’re new on campus, considering applying, or didn’t participate much in your first year and are looking to get involved now, this post provides a detailed breakdown of the opportunities available through RITSEC and how you can take full advantage of them. This post is mainly written with incoming first years or transfer students in mind, but others may find the information useful as well....

August 24, 2025 · 14 min · Leah Kvares ·  Guide

A Look at AFL++ Under The Hood

How this post is structured: The objective of this post is to allow anyone to gain an understanding of AFL at the level they want. I want to cover AFL at both a usage level and an internals level. At the end of this article, there are In-Depth sections that cover AFL in even more depth. One additional note: in the code snippets, I often use ....

Reversing Macos Malware (Tinyshell)

In my little journey of learning about macOS/Apple security, I will be documenting things I have learned via blog posts. This might not be useful to most researchers, since they probably know more about this topic, but it should be a good resource for other beginners in this field. For the first post, I will document my steps in reversing a simple yet interesting malware, TinyShell. It's important to note that I used Mitten Mac's post as a reference....

Creating an IPTables Backdoor

Introduction: For my project, I chose the ambitious goal of adding a backdoor to Linux's iptables firewall. In order to do this, I had to delve deep into the Linux kernel and study the inner workings of the networking stack. Through my efforts, I was able to make iptables accept specially-crafted packets, even if the user-defined rules say otherwise.

The Evil Bit: In April 2003, the Internet Engineering Task Force published RFC3514, which defines a previously-unused bit of the IPv4 fragment offset field as the "evil bit" or security flag....

April 6, 2022 · 5 min · Philomena Gray ·  Networking

Welcome to the RITSEC Blog!

This is a place for RITSEC members to post about what they're currently researching, cool projects, or anything RITSEC related. These posts contribute to the greater security community, so get your voice out there! We also have a tiered rewards program to incentivize our members to share what they're working on! For members, 1 blog post is equivalent to one research presentation, and making blog posts will earn you prizes!

March 28, 2022 · 1 min · Bradley Harker ·  README