Phrack turns 40.
The digital drop is live.
Download it. Archive it. Pass it on.
💾 https://www.phrack.org

#phrackat40 #phrack72

Can You Write A Web Server in PURE BASH?! (no socat, no netcat, no external tools) 🍿

https://www.youtube.com/watch?v=L967hYylZuc

📣 Introducing the IDA Domain API: a new open-source Python API that makes scripting in IDA simpler and more consistent.
https://hex-rays.com/blog/introducing-the-ida-domain-api

T-Mobile claimed selling location data without consent is legal—judges disagree
T-Mobile can't overturn $92 million fine; AT&T and Verizon verdicts still to come.
https://arstechnica.com/tech-policy/2025/08/t-mobile-claimed-selling-location-data-without-consent-is-legal-judges-disagree/?utm_brand=arstechnica&utm_social-type=owned&utm_source=mastodon&utm_medium=social

I reverse engineered Lockbit's Linux ESXi variant, also explaining how I did some of the steps! For the fun of it, cause reverse engineering is lots of fun. Enjoy! https://hackandcheese.com/posts/blog1_lockbit/

👀
https://social.anoxinon.de/@Codeberg/115033790447125787

CVE ID: CVE-2025-54948
Vendor: Trend Micro
Product: Apex One
Date Added: 2025-08-18
Notes: https://success.trendmicro.com/en-US/solution/KA-0020652 ; N/A ; https://nvd.nist.gov/vuln/detail/CVE-2025-54948
CVE URL: https://nvd.nist.gov/vuln/detail/CVE-2025-54948

New Project Zero issue:

Linux >=6.4: epoll: UAF via race between ep_eventpoll_release() and eventpoll_release_file() because mutex_unlock() is not ownership-drop-safe

https://project-zero.issues.chromium.org/issues/430541637

CVE-2025-38349

ECC.fail: Mounting Rowhammer Attacks on DDR4 Servers with ECC Memory

https://ecc.fail/

Teachning stones to remember things was a mistake.

[RSS] A Fuzzy Escape - A tale of vulnerability research on hypervisors

https://bughunters.google.com/blog/5800341475819520/a-fuzzy-escape-a-tale-of-vulnerability-research-on-hypervisors

Elastic Response to Blog ‘EDR 0-Day Vulnerability’

https://discuss.elastic.co/t/elastic-response-to-blog-edr-0-day-vulnerability/381093

"The reports lacked evidence of reproducible exploits. Elastic Security Engineering and our bug bounty triage team completed a thorough analysis trying to reproduce these reports and were unable to do so."

The FBI has published an evergreen advisory warning about cryptocurrency recovery scammers lurking everywhere. The minute you mention online that you might have lost money to a crypto scam, you will be flooded with come-ons from "recovery experts" who hold out the unlikely promise of recovering your funds -- for a fee.

These scammers prey on people who are understandably frantic after having just suffered a potentially life-altering financial loss, and are desperate for a quick solution. Far too many people who get burned by crypto get victimized a second time by these charlatans. I probably delete a dozen or more comments each week from my blog that are left by these dirtballs.

https://www.ic3.gov/PSA/2025/PSA250813

In the context of the Chatcontrol attempt to get Americans to scan our photos with AI so we can be reported to Europol, the EU has even bigger plans in this direction. And they are honestly (I am told) asking for experts to advise them on these plans. You can apply until September 1st to be part of the expert group:
https://berthub.eu/articles/posts/possible-end-to-end-to-end-come-help/

A fascinating story about a #DoS #vulnerability in the Expat #XML parser

#Recursion kills: The story behind CVE-2024-8176 / #Expat 2.7.0 released, includes security fixes

https://blog.hartwork.org/posts/expat-2-7-0-released/

Meanwhile, if you abuse the API and don't comply, asan might complain but that's not a #curl security problem.

https://hackerone.com/reports/3302518

Any fool can write code that a computer can understand. Good programmers write code that humans can understand.

— Martin Fowler

#complexity

No CPU Challenge by Demostue Allst★rs

Evoke 2025 party Alternative Platforms compo winner.

An Amiga AGA demo that entirely runs on the copper. This is the same capture from real hardware, that was presented in the compo.

https://youtu.be/OXT5MrDdyB8
https://www.pouet.net/prod.php?which=104753

(Edit: updated YouTube link, due to audio sync issues)

#amiga #demoscene #evoke2025

wrote a new big blog post today that is very relevent to my interests. you may be interested in reading

IF YOU LOVE IT, DOWNLOAD IT.

https://erysdren.me/blog/2025-08-16/

And we're live with Pentium II: https://youtube.com/live/Jt4_ekA7q4M?feature=share

Preparing a post about lafleur, the CPython JIT fuzzer I develop.

It has found 4 JIT crashes so far:
#136996: "JIT: `executor->vm_data.valid` assertion failure in `unlink_executor`".
#137007: "JIT: assertion failure in _PyObject_GC_UNTRACK".
#137728: "Assertion failure or `SystemError` in `_PyEval_EvalFrameDefault` in a JIT build".
#137762: "Assertion failure in `optimize_uops` in a JIT build".

Contributions welcome!

https://github.com/search?q=repo%3Apython%2Fcpython+lafleur&type=issues

#Python #CPython #fuzzer #fuzzing #lafleur #JIT