
exploits.club Weekly Newsletter 67 - Hacking Toothbrushes, Emulating iPhones, Un-exploitable but ITW, and More


We might not actually know how tariffs work, but we can tell you a handful of ARM64 opcodes off the top of our head. Is that something to be proud of? No idea...annnnnnyways 👇

In Case You Missed It...

  • Ep 4: Where The WarLocks Stay Up Late - We haven't yet shouted out this podcast, but Episode 4 just dropped with Eduart Steiner. If you are a fan of hacking history, then this is certainly not a show to miss!
  • BlackHat Asia Slides - These are slowly going up on the site, should also start to hit YouTube over the next few months so stay tuned!

Resources And Write-Ups From This Week:

  • Emulating an iPhone in QEMU - Emulation enthusiasts rejoice, this new post out of eShard is all about their journey attempting to emulate an iPhone with QEMU...UI and all. The article starts by surveying current open-source solutions and highlights their strengths and weaknesses. The team then describes their novel kernel patching method: booting into PongoOS and using checkra1n's KPF module to apply kernel patches directly. The post moves on to highlight the adventures in getting software rendering to work, attempting to circumvent the GPU entirely, and discusses how an environment was set up to use GDB for debugging. After several additional hours of patching and head-scratching, they were able to get the lock screen password prompt to appear.
  • Brushing Up on Hardware Hacking Part 1 - PiFex Configuration - We know you have been looking for the right time to finally get into hardware hacking. And well, @wrongbaud thinks it's today, and over the last month he went ahead and supplied you with all the materials you would need. Specifically, the new series on the VoidStar Security Blog covers his adventures in hacking an electronic toothbrush from AliExpress. Part 1 starts with some configuration of the needed tooling - specifically the PiFex board and its corresponding services. From there, Part 2 continues with the hardware teardown, identifying the components and the various interesting peripheral targets. It then moves on, showing how to dump the firmware, do the necessary RE, and modify the firmware image to re-flash. Finally, Part 3 takes a deep dive into SWD, and discusses how OpenOCD can be configured and used to perform actions such as flash write and erase.
  • Hack the channel: A Deep Dive into DVB Receiver Security - Sometimes, you find research targets in the unlikeliest of places...say cleaning out your garage. The Synacktiv team was doing a bit of spring cleaning when they came across an old DVB receiver and started to poke at it. This weird spurt of inspiration resulted in quite a fun blog post. The write-up covers how the team was able to dump the firmware, do a bit of analysis on it, determine its compression method and base address, and set it up to do some reversing. Next, the team started reversing where IR codes are handled, quickly realizing the NEC IR protocol was implemented incorrectly, forcing them to reverse engineer the custom wrong implementation to figure out how to interact with it. The post then looks at two vulnerabilities the team found - straightforward buffer overflows which turned out to not be exploitable due to size limitations and the surrounding data layouts. Overall, a fun project - go search your garage for something similar.
  • Is The Sofistication In The Room With Us? - X-Forwarded-For and Ivanti Connect Secure (CVE-2025-22457) - watchTowr should start paying us for all this free press. Conversely, these newsletters would be much shorter if they didn't continue to provide great research for free...so I guess we are even. This week they are back, going after everyone's favorite vendor...Ivanti Connect Secure. This time, the team targeted a recently patched buffer overflow n-day that was originally deemed un-exploitable...only to be found actively exploited in the wild. The post starts with a patch diff, zeroing in on the dispatchRequest function, which seemed to have been completely re-written. The team was able to quickly key in on the root cause: no size checking when parsing out the X-Forwarded-For header from an HTTP request. The post then discusses Ivanti's original claim as to why the bug was deemed un-exploitable - essentially the payload can only contain numbers and a period. Unfortunately, someone in-the-wild was more cracked than the team thought, and was able to take that primitive to RCE.
  • Uncovering a 0-Click RCE in the SuperNote Nomad E-ink Tablet - We like to brand this newsletter as being for low-level, hard-target vuln researchers and reverse engineers. Meanwhile, your friendly neighborhood author and editor spends his weekends occasionally poking at soft targets and finding "../" style bugs. Then he even has the audacity to self-promote it - can you believe that? Anyways...this post covers a bug in the SuperNote Nomad e-ink tablet that resulted in a remotely installable rootkit. When firmware images are signed with debug keys, the bootloader is unlocked by default, an undocumented web server suffers a straightforward path traversal, and updates are applied automatically when detected in a specific directory location...well yeah, you get a whole lot of nothing good.
  • FASTRPC_ATTR_KEEP_MAP logic bug allows fastrpc_internal_munmap_fd to concurrently free in-use mappings leading to UAF - A newly disclosed bug from @sethJenkins. Initially found on the Samsung S23, the vuln is a race condition that arises when the DSP address space is completely full, resulting in a UAF.
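
The Ivanti root cause above (an unbounded copy of the X-Forwarded-For value into a fixed buffer) is easiest to see with the missing check placed next to it. The snippet below is an added example written for this issue, not watchTowr's analysis code and not Ivanti's source: dispatchRequest's real layout is not public here, so the buffer size `XFF_MAX`, the function names and the sample header lines are all hypothetical. It keeps the unchecked form uncalled for comparison, and the bounded form both limits length and restricts the alphabet to the digits, periods and list separators a proxy chain would actually emit.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not watchTowr's or Ivanti's code. Buffer size and function
 * names are hypothetical; the real dispatchRequest internals are not shown
 * in the newsletter. */

#define XFF_MAX 64            /* hypothetical destination buffer size */
char g_xff[XFF_MAX];          /* scratch destination used by the demo */

/* Weak shape (the root cause the write-up describes): the copy trusts the
 * header length. Kept for comparison only; nothing below calls it. */
void copy_xff_unchecked(char *dst, const char *value) {
    strcpy(dst, value);   /* no size check: an over-long header runs past dst */
}

/* Hardened shape: bound the length and restrict the alphabet before copying.
 * The write-up notes the value is only digits and periods; commas and spaces
 * are also allowed here for the usual "a, b, c" list form.
 * Returns 0 on success, -1 if the value is rejected. */
int copy_xff_checked(char *dst, size_t dst_len, const char *value, size_t n) {
    if (n == 0 || n >= dst_len) return -1;           /* leave room for the NUL */
    for (size_t i = 0; i < n; i++) {
        char c = value[i];
        if (!((c >= '0' && c <= '9') || c == '.' || c == ',' || c == ' '))
            return -1;
    }
    memcpy(dst, value, n);
    dst[n] = '\0';
    return 0;
}

/* Case-insensitive test for the "X-Forwarded-For:" header name. Stops at the
 * first mismatch, so a short line is never read past its terminator. */
static int has_xff_name(const char *line) {
    static const char name[] = "x-forwarded-for:";
    for (size_t i = 0; name[i] != '\0'; i++)
        if (tolower((unsigned char)line[i]) != (unsigned char)name[i]) return 0;
    return 1;
}

/* Parse one raw header line ("X-Forwarded-For: 1.2.3.4, 5.6.7.8\r\n") into
 * out. Returns 0 on success, -1 if the line is not XFF or is rejected. */
int parse_xff_line(const char *line, char *out, size_t out_len) {
    if (!has_xff_name(line)) return -1;
    const char *v = line + strlen("X-Forwarded-For:");
    while (*v == ' ' || *v == '\t') v++;             /* skip leading whitespace */
    size_t n = strcspn(v, "\r\n");                   /* value ends at CRLF */
    return copy_xff_checked(out, out_len, v, n);
}

/* Constructed over-long header (200 digits): the bounded parser must reject
 * it instead of writing past g_xff. Returns 1 when it is rejected. */
int demo_rejects_overlong(void) {
    char line[256];
    const char *name = "X-Forwarded-For: ";
    size_t off = strlen(name);
    memcpy(line, name, off);
    memset(line + off, '1', 200);
    line[off + 200] = '\0';
    return parse_xff_line(line, g_xff, sizeof g_xff) == -1;
}

int main(void) {
    /* constructed sample lines */
    const char *ok  = "X-Forwarded-For: 10.0.0.1, 192.168.1.7\r\n";
    const char *bad = "X-Forwarded-For: 1.2.3.4;id\r\n";
    printf("normal:   %s -> %s\n",
           parse_xff_line(ok, g_xff, sizeof g_xff) == 0 ? "accepted" : "rejected", g_xff);
    printf("bad char: %s\n",
           parse_xff_line(bad, g_xff, sizeof g_xff) == 0 ? "accepted" : "rejected");
    printf("overlong: %s\n", demo_rejects_overlong() ? "rejected" : "accepted");
    return 0;
}
```

The length bound alone is what closes the overflow; the alphabet check is the secondary measure that keeps a value the server does not need to trust from carrying anything but an address list to whatever consumes it next. Rejecting the request is the right failure mode for a hop-by-hop hint like this, rather than truncating and carrying on.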

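The SuperNote chain above turns on a "../" style traversal in an undocumented web server, so here is the containment check that class of bug is missing, as an added example written for this issue and not SuperNote's code. The tablet's actual server, routes and directory names are not on the page; the root, the request paths and the function names are hypothetical. It assumes percent-decoding has already happened, so a leftover '%' is treated as suspicious and rejected rather than decoded a second time.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not SuperNote's code: a lexical containment check for a
 * client-supplied path before it is joined to a serving root. All names and
 * sample paths are hypothetical. */

#define MAX_COMPONENTS 32
char g_path[128];     /* scratch output used by the demo */

/* Normalize req ("/files/./a/../b.txt") into a root-relative path with no
 * leading slash and no "." or ".." components. Returns 0 and fills out, or
 * -1 if the path would climb above the root, contains a rejected character,
 * or does not fit in out. */
int normalize_request_path(const char *req, char *out, size_t out_len) {
    const char *start[MAX_COMPONENTS];
    size_t len[MAX_COMPONENTS];
    size_t depth = 0;
    const char *p = req;

    if (out_len == 0) return -1;
    while (*p != '\0') {
        while (*p == '/') p++;                /* collapse repeated slashes */
        if (*p == '\0') break;
        const char *s = p;
        while (*p != '\0' && *p != '/') p++;
        size_t n = (size_t)(p - s);
        if (memchr(s, '\\', n) != NULL || memchr(s, '%', n) != NULL)
            return -1;                        /* alternate separator or undecoded escape */
        if (n == 1 && s[0] == '.') continue;  /* "." adds nothing */
        if (n == 2 && s[0] == '.' && s[1] == '.') {
            if (depth == 0) return -1;        /* ".." above the root: traversal */
            depth--;                          /* ".." inside the tree is fine */
            continue;
        }
        if (depth == MAX_COMPONENTS) return -1;
        start[depth] = s;
        len[depth] = n;
        depth++;
    }

    /* Rebuild from the surviving components, checking the output bound. */
    size_t used = 0;
    for (size_t i = 0; i < depth; i++) {
        if (used + len[i] + 1 >= out_len) return -1;   /* separator + NUL must fit */
        if (i > 0) out[used++] = '/';
        memcpy(out + used, start[i], len[i]);
        used += len[i];
    }
    out[used] = '\0';
    return 0;
}

/* Join the normalized path under root, e.g. "/srv/www" + "files/a.txt".
 * Returns 0 on success, -1 if the request was rejected or does not fit. */
int build_served_path(const char *root, const char *req, char *out, size_t out_len) {
    char rel[128];
    if (normalize_request_path(req, rel, sizeof rel) != 0) return -1;
    int n = snprintf(out, out_len, "%s/%s", root, rel);
    return (n < 0 || (size_t)n >= out_len) ? -1 : 0;
}

int main(void) {
    /* constructed sample requests */
    const char *samples[] = {
        "/files/./notes//a.txt",
        "/files/sub/../b.txt",
        "/files/../../etc/passwd",
        "/a/..%2f..%2fetc/passwd",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (build_served_path("/srv/www", samples[i], g_path, sizeof g_path) == 0)
            printf("%-28s -> %s\n", samples[i], g_path);
        else
            printf("%-28s -> rejected\n", samples[i]);
    }
    return 0;
}
```

Because the check is purely lexical it works before any file exists and does not depend on `realpath`, but it does not see through symlinks inside the root; a server that also follows links needs an `O_NOFOLLOW`-style open or a post-open check on top of this.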
Interesting Job Postings:

Wrapping Up...

As always, thanks for stopping by. We here at the club are always trying to improve so if you have comments, questions, or suggestions, feel free to shoot us an email - info@exploits.club.

Follow us on X - we occasionally Tweet poor attempts at memes

Don't forget to check out https://bug.directory!

Your second brain - strictly for bugs

We sell mugs, and personally we have seen a drastic uptick in bugs since using ours. Get yours at https://shop.exploits.club.

Feel free to join the exploits.club Discord server here 👉 https://discord.gg/2dxN2Gtgpx

Same time next week? See you then 🏴‍☠️