
Danger is My Middle Name

29 June 2024 at 14:00

Last week, [Al Williams] wrote up his experience with a book that provided almost too much detailed information on how to build a DIY x-ray machine for his (then) young soul to bear. He almost had to build it! Where the “almost” is probably both a bummer because he didn’t have an x-ray machine as a kid, but also a great good because it was a super dangerous build, of a typical sort for the 1950s in which it was published.

Part of me really loves the matter-of-factness with which “A Boy’s First Book of Linear Accelerators” tells you how you (yes you!) can build a 500 kV Van de Graaff generator. But at the same time, modern me does find the lack of safety precautions in many of these mid-century books to be a little bit spooky. Contrast this with modern books where sometimes I get the feeling that the publisher’s legal team won’t let us read about folding paper airplanes for fear of getting cut.

A number of us have built dangerous projects in our lives, and many of us have gotten away with it. Part of the reason that many of us are still here is that we understood the dangers, but I would be lying if I said that I always fully understood them. But thinking about the dangers is still our first and best line of defense. Humility about how well you understand all of the dangers of a certain project is also very healthy – if you go into it keeping an eye out for the unknown unknowns, you’re in better shape.

Safety isn’t avoiding danger, but rather minimizing it. When we publish dangerous hacks, we really try to at least highlight the most important hazards so that you know what to look out for. And over the years, I’ve learned a ton of interesting safety tricks from the comments and fellow hackers alike. My ideal, then, is the spirit of the 1950s x-ray book, which encourages you to get the hack built, but modernized so that it tells you where the dangers lie and how to handle them. If you’re shooting electrons, shouldn’t the book also tell you how to stay out of the way?

This article is part of the Hackaday.com newsletter, delivered every seven days for each of the last 200+ weeks. It also includes our favorite articles from the last seven days that you can see on the web version of the newsletter. Want this type of article to hit your inbox every Friday morning? You should sign up!

This Week in Security: Kaspersky Ban, Project Naptime, and More

28 June 2024 at 14:00

The hot news this week is that Kaspersky is banned in the USA. More specifically, Kaspersky products will be banned from sale in the US starting on September 29. This ban will extend to blocking software updates, though it’s unclear how that will actually be accomplished. It’s reasonable to assume that payment processors will block payments to Kaspersky, but will ISPs be required to block traffic that could contain antivirus updates?

WordPress Plugin Backdoor

A quartet of WordPress plugins have been found to have recently included backdoor code. It’s a collection of five Open Source plugins, seemingly developed by unrelated people. Malicious updates first showed up on June 21st, and it appears that all five plugins are shipping the same malicious code.

Rabbit AI API

The Rabbit R1 was released to less than thunderous applause. The idea is a personal AI device, but the execution has been disappointing, to the point of reviewers suggesting some of the earlier claims were fabricated. Now it seems there’s a serious security issue, in the form of exposed API keys that have *way* too many privileges.

The research seems to be done by the rabbitude group, who found the keys back in May. Of the things allowed by access to the API keys, the most worrying for user privacy was access to every text-to-speech call. Rabbitude states in their June 25 post, that “rabbit inc has known that we have had their elevenlabs (tts) api key for a month, but they have taken no action to rotate the api keys.” On the other hand, rabbit pushed a statement on the 26th, claiming they were just then made aware of the issue, and made the needed key rotations right away.

MOVEit is Back

Last year a severe vulnerability in the MOVEit file transfer server led to some big-deal compromises in 2023 and 2024. MOVEit is back, this time disclosing an authentication bypass. The journey to finding this vulnerability starts with an exception, thrown whenever an SSH connection is attempted with a public key.

…the server is attempting to open the binary data representing our auth material, as a file path, on the server.

Uh-oh. There’s no way that’s good. What’s worse, that path can be an external SMB path. That’s even worse. This behavior does depend on the incoming connection referencing a valid username, but this has the potential to enable password stealing, pass-the-hash attacks, and username mapping. So what’s actually going on here? The SSH server used here is IPWorks SSH, which has some useful additions to SSH. One of these additions seems to be an odd delegated authentication scheme that goes very wrong in this case.

The attack flow goes like this: Upload a public SSH key to any location on the MOVEit server, log in with any valid username signing the connection with the uploaded key, and send the file location of the uploaded key instead of an actual key. Server pulls the key, makes sure it matches, and lets you in. The only pesky bit is how to upload a key without an account. It turns out that the server supports PPK keys, and those survive getting written to and read from the system logs. Ouch.

The flaws got fixed months ago, and a serious effort has been carried out to warn MOVEit customers and get them patched. On the other hand, a full Proof of Concept (PoC) is now available, and Internet monitoring groups are starting to see the attack being attempted in the wild.

Cat File: Pop Calc

We all know not to trust files from the Internet. Don’t execute the script, don’t load the spreadsheet, and definitely don’t install the package. But what about running cat or strings on an untrusted file? Apparently the magic of escape strings makes those dangerous too. The iTerm2 terminal was accidentally set to allow “window title reporting”, or copying the window title to the command line. Another escape code can set that value, making for an easy way to put an arbitrary command on the command line. One more quirk in the form of tmux integration allowed the injection of a newline — running the arbitrary command. Whoops. Versions 3.5.0 and 3.5.1 are the only iTerm2 versions that are vulnerable, with version 3.5.2 containing the fix.
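As an added illustration (not code from the article or from iTerm2), here is a small “safe cat” that scans an untrusted file for terminal control sequences before showing it: it flags the two kinds involved in the bug above (an OSC that sets the window title, and the CSI 21t query that asks the terminal to report the title) and renders every ESC and C0 control visibly, in the spirit of cat -v, instead of passing it to the terminal. The sample bytes are constructed for the demo.

```python
import re
import sys
from dataclasses import dataclass
from typing import List

# OSC: ESC ] Ps ; Pt, terminated by BEL or by ST (ESC \). Ps 0 and 2 set the window title.
_OSC = re.compile(rb"\x1b\](\d*);?([^\x07\x1b]*)(?:\x07|\x1b\\)")
# CSI: ESC [ parameters final-byte. "CSI 21 t" asks the terminal to report its title.
_CSI = re.compile(rb"\x1b\[([0-9;?]*)([@-~])")
DANGEROUS = {"osc-set-title", "csi-title-report"}


@dataclass
class Finding:
    offset: int
    kind: str
    raw: bytes


def find_sequences(data: bytes) -> List[Finding]:
    """Locate OSC and CSI sequences and tag the ones involved in title injection."""
    found: List[Finding] = []
    for m in _OSC.finditer(data):
        kind = "osc-set-title" if m.group(1) in (b"0", b"2") else "osc"
        found.append(Finding(m.start(), kind, m.group(0)))
    for m in _CSI.finditer(data):
        first_param = m.group(1).split(b";")[0]
        kind = "csi-title-report" if m.group(2) == b"t" and first_param == b"21" else "csi"
        found.append(Finding(m.start(), kind, m.group(0)))
    found.sort(key=lambda f: f.offset)
    return found


def is_safe_to_print(data: bytes) -> bool:
    """True when neither a title-setting OSC nor a title-report query is present."""
    return not any(f.kind in DANGEROUS for f in find_sequences(data))


def make_visible(data: bytes) -> bytes:
    """Render ESC as ^[, DEL as ^? and other C0 controls (except tab/newline) as ^X."""
    out = bytearray()
    for b in data:
        if b == 0x1B:
            out += b"^["
        elif b == 0x7F:
            out += b"^?"
        elif b < 0x20 and b not in (0x09, 0x0A):
            out += b"^" + bytes([b + 0x40])
        else:
            out.append(b)
    return bytes(out)


# Constructed sample: a title-setting OSC, the title-report query, then harmless colour codes.
SAMPLE = b"hello\n\x1b]0;injected title\x07\x1b[21t\x1b[31mred\x1b[0m\n"

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for f in find_sequences(data):
        if f.kind in DANGEROUS:
            print(f"warning: {f.kind} at byte {f.offset}: {f.raw!r}", file=sys.stderr)
    sys.stdout.buffer.write(make_visible(data))
```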

Putting LLM to Work During Naptime

There’s been a scourge of fake vulnerability reports, where someone has asked ChatGPT to find a vulnerability in a project with a bug bounty. First off, don’t do this. But second, it would be genuinely useful if an LLM could actually find vulnerabilities. This idea intrigued researchers at Google’s Project Zero, so they did some research, calling it “Project Naptime”, in a playful reference to napping while the LLM works.

The secret sauce seems to be in extending an LLM to look at real code, to run Python scripts in a sandbox, and to have access to a debugger. The results were encouraging enough to suggest that an LLM could eventually be a useful tool. It’s not gonna replace the researcher, but it won’t surprise me to cover vulnerabilities found by an LLM instead of a fuzzing tool. Or maybe that’s an LLM-guided fuzzer?

Github Dishes on Chrome RCE

Github’s [Man Yue Mo] discovered and reported CVE-2024-3833 in Chrome back in March, a fix was released in April, and it’s now time to get the details. This one is all about how object cloning and code caching interact. Cloning an object in a particular circumstance ends up with an object that exists in a superposition between having unused property fields, and yet a full property array. Or put simply, the internal object state incorrectly indicates there is unused allocated memory. Try to write a new property, and it’s an out of bounds write.

The full exploit is involved, but the whole thing includes a sandbox escape as well, using overwritten WebAssembly functions. Impressive stuff.

Bits and Bytes

[Works By Design] is taking a second crack at building an unpickable lock. This one has some interesting features, like a ball-bearing spring system that should mean that levering one pin into place encourages the rest to drop out of position. A local locksmith wasn’t able to pick it, given just over half-an-hour. The real test will be what happens when [LockPickingLawyer] gets his hands on it, which is still to come.

Gitlab just fixed a critical issue that threatened to let attackers run CI pipelines as arbitrary users. The full details aren’t out yet, but CVE-2024-5655 weighs in at a CVSS 9.6, and Gitlab is “strongly recommending” immediate updates.

FLOSS Weekly Episode 789: You Can’t Eat the Boards

26 June 2024 at 23:00

This week Jonathan Bennett and Doc Searls chat with Igor Pecovnik and Ricardo Pardini about Armbian, the Debian-based distro tailor made for single-board computers. There’s more than just Raspberry Pi to talk about, with the crew griping about ancient vendor kernels, the less-than-easy ARM boot process, and more!

https://www.armbian.com/
https://github.com/armbian

Did you know you can watch the live recording of the show right in the Hackaday Discord? Have someone you’d like us to interview? Let us know, or contact the guest and have them contact us! Take a look at the schedule here.

Direct Download in DRM-free MP3.

If you’d rather read along, here’s the transcript for this week’s episode.


3D Printering: Adaptive Bed Leveling

26 June 2024 at 14:00
Art of 3D printer in the middle of printing a Hackaday Jolly Wrencher logo

Have you ever read about something and thought, “Gee whiz! Why did I never think about that?” That was my reaction to reading about a feature commonly associated with Klipper called adaptive bed leveling or adaptive mesh leveling. Too bad I don’t typically use Klipper, but it all worked out, and I’ll show you how it might work for you.

What Is It?

Time to tram your bed!

Once a luxury, most 3D printers now come with some kind of bed level sensor. The idea is that the printer can probe the bed to determine the shape of the build plate and then adjust the build plate accordingly. So if a particular spot on the bed is 0.5 mm too high, the nozzle can rise 0.5 mm when it is in that area. There are several techniques Marlin firmware uses, including what I usually use: UBL. Some people scan the bed once and hope it won’t change much. Others will do a time-consuming scan before each print.

However, adaptive bed leveling is a bit different. The idea is that the printer only probes the area where the part is going to print. If your print bed is 235 mm x 235 mm but your part is 50 mm square, you could just probe the points under the 50 mm square.

This does several things. For a given number of points, there is less motion, so it should be faster. Also, for the same number of points, you will have a much denser mesh and, thus, a better idea of what the bed is at any given point. You could even reduce the number of points based on the size of the part you are printing.

When you think about it, it is a dead simple idea. What’s not to love? For most print jobs, you’ll have less work for the printer, faster prints, and a denser mesh. But how do you do it?

How Do You Do It?

Can you make this work with your printer? Maybe. The trick is you need a way to tell your printer firmware to restrict the mesh area. You also need a way to have the slicer output a bounding box for the part, but that’s usually not hard. If you had to, you could even post process your Gcode and figure that out, but you probably won’t have to.

Giving your sensor less distance to travel is a good thing

If you use linear or bilinear leveling, you are in business. That’s because the G29 command for bilinear accepts an L, R, F, and B parameter that lets you set the left, right, front, and back measurements of the probing grid. You can also set the number of probe points with H. Actually, H sets one side of the square, so if H=5, you will probe 25 points in the area.

However, I use UBL, and on one of my printers, I think I’m out of luck without changing something in the firmware. While there is a mesh inset setting, it is set when you build the firmware, so it won’t be practical to change it on the fly.

However, two of my printers are Ender 3 v2 Neo machines. By themselves, they use some odd variant of normal leveling, but I long ago flashed them with the excellent “professional” firmware by [mriscoc]. This is Marlin configured for these machines and — at least the version I use — has UBL set. But, there’s a catch.

The firmware has some custom Gcodes that start with C. C29 sets the mesh size and location very much like other versions. For some reason, it also sets the temperature. Here’s the documentation:

C29 Ln Rn Fn Bn Tn Nn Xn Ym : set probing mesh inset (Left, Right, Front, Back) in mm. T is the probing temperature (T0 doesn’t change the current bed temperature) and N is the density or amount of grid points NxN, it is possible to set a NxM density by using X and Y. In UBL use G29 S# to save to a mesh slot number #.

Try It!

Just as an experiment, I sent the following to the printer via a terminal:

C29 L100 R150 F100 B150 T0 N5

Nothing happened. But when I performed a G29 P1 to probe the bed, it obeyed the new restriction. All that was left was to make the slicer output the correct startup code. Of course, if you are using bilinear levelling, you’ll use G29 instead and have to change a few of the arguments.

Engage Start Up Sequence

Most slicers allow you to put placeholder variables in your Gcode scripts. You may have to look it up for your slicer. There are also plugins that can do the work, but you’d need to change their G29 to C29 (in my case). I mostly use SuperSlicer, which is forked from PrusaSlicer, which is forked from Slic3r.

Here’s part of my startup code:

G28 ; home all
C29 L{first_layer_print_min[0]} R{min(190,first_layer_print_max[0])} F{first_layer_print_min[1]} B{min(180,first_layer_print_max[1])} T0 N5
G29 P1  ; probe
G29 A   ; activate (may not be needed?)
G29 F2  ; Fade height 2mm (or whatever you want)

That’s it. If you have a line that purges your nozzle, you might want to correct it using similar logic or just add a few skirt loops in the slicer and forget about it. Note that I probe 25 points, which might be a bit much for a small part. It would be nice to write a script to detect how big a part is and adjust things. Note that Prusa has enough power to do this totally in the start code, but it would be different in Slic3r or Cura. If you look around, there are a few different examples of doing this for both slicers and various firmware that you will — no doubt — have to adapt to your circumstances.
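Here is the kind of script hinted at above, as an added example that is not part of the article: a G-code post-processor that finds the first layer’s XY extent and replaces a placeholder comment in the start code with a C29 line for just that area, picking the grid density from the part size. It assumes absolute XY positioning (G90), the C29 syntax quoted from the [mriscoc] documentation, and the same 190/180 mm clamps as my start code; the margin and density steps are assumed values, and the sample G-code is constructed.

```python
import re
import sys
from typing import Optional, Tuple

BED_X_MAX = 190.0   # R is clamped to this, as the article's start code does (assumed bed size)
BED_Y_MAX = 180.0   # B is clamped to this
MARGIN = 5.0        # probe slightly beyond the part outline (assumed value)

_MOVE = re.compile(r"^G[01]\b")                  # G0/G1 linear moves
_WORD = re.compile(r"([XYZE])(-?\d*\.?\d+)")     # axis words such as X140 or E1.5

Bounds = Tuple[float, float, float, float]        # xmin, xmax, ymin, ymax


def first_layer_bounds(gcode: str, first_layer_height: float = 0.2) -> Optional[Bounds]:
    """XY extent of every extruding move at or below first_layer_height, or None."""
    x = y = z = 0.0
    e_prev = 0.0
    relative_e = False
    bounds: Optional[Bounds] = None
    for raw in gcode.splitlines():
        line = raw.split(";", 1)[0].strip()       # drop comments
        if line.startswith("M82"):                # absolute extrusion
            relative_e = False
            continue
        if line.startswith("M83"):                # relative extrusion
            relative_e = True
            continue
        if line.startswith("G92"):                # G92 E0 resets the extruder position
            e_prev = float(dict(_WORD.findall(line)).get("E", e_prev))
            continue
        if not _MOVE.match(line):
            continue
        words = dict(_WORD.findall(line))
        if "Z" in words:
            z = float(words["Z"])
        nx = float(words.get("X", x))
        ny = float(words.get("Y", y))
        extruding = False
        if "E" in words:
            e = float(words["E"])
            extruding = e > 0 if relative_e else e > e_prev
            if not relative_e:
                e_prev = e
        if extruding and z <= first_layer_height:
            seg = (min(x, nx), max(x, nx), min(y, ny), max(y, ny))
            bounds = seg if bounds is None else (
                min(bounds[0], seg[0]), max(bounds[1], seg[1]),
                min(bounds[2], seg[2]), max(bounds[3], seg[3]))
        x, y = nx, ny
    return bounds


def mesh_density(width: float, depth: float) -> int:
    """Grid points per axis for N: 3 for small parts up to 5 for large ones (assumed steps)."""
    longest = max(width, depth)
    return 3 if longest <= 60 else 4 if longest <= 120 else 5


def c29_line(bounds: Bounds, margin: float = MARGIN) -> str:
    """Build the C29 line for the bounded area, clamped to the bed like the start code."""
    xmin, xmax, ymin, ymax = bounds
    left, right = max(0.0, xmin - margin), min(BED_X_MAX, xmax + margin)
    front, back = max(0.0, ymin - margin), min(BED_Y_MAX, ymax + margin)
    n = mesh_density(right - left, back - front)
    return f"C29 L{left:.1f} R{right:.1f} F{front:.1f} B{back:.1f} T0 N{n}"


def insert_c29(gcode: str, placeholder: str = ";ADAPTIVE_MESH") -> str:
    """Replace the placeholder comment in the start G-code with the computed C29 line."""
    bounds = first_layer_bounds(gcode)
    if bounds is None:
        raise ValueError("no first-layer extrusion found")
    lines = gcode.splitlines()
    idx = lines.index(placeholder)               # ValueError if the slicer didn't emit it
    lines[idx] = c29_line(bounds)
    return "\n".join(lines) + "\n"


# Constructed sample: a 40 x 30 mm first-layer square at X100-140, Y100-130, then layer two.
SAMPLE_GCODE = """\
M83 ; relative extrusion
G28 ; home all
;ADAPTIVE_MESH
G29 P1 ; probe
G1 Z0.2 F3000
G1 X100 Y100 F6000 ; travel, no extrusion
G1 X140 Y100 E1.5 F1200 ; first-layer perimeter
G1 X140 Y130 E1.2
G1 X100 Y130 E1.5
G1 X100 Y100 E1.2
G1 Z0.4
G1 X150 Y150 E1.0 ; second layer, ignored
"""

if __name__ == "__main__":
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GCODE
    sys.stdout.write(insert_c29(src))
```

Run it as a slicer post-processing script on the output file, with the slicer emitting the `;ADAPTIVE_MESH` placeholder where the C29 line belongs; for bilinear leveling, swap the emitted command for G29 with L/R/F/B and H.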

I need to crack into the firmware for my other printer to see if a similar C command is feasible to add. But that’s for another day, especially since the C29 command is provided as object code only, so I’ll have to start from scratch. Luckily, I’m used to building (and rebuilding) Marlin for all the machines, especially that one, since it is a custom blend of many parts. I may switch out to bilinear leveling. Or, I could break down and go to Klipper, I suppose.

We want to try fast scanning next. Of course, things are simple if you tram your flat bed once and forget it. That is until something changes.

Hackaday Links: June 23, 2024

23 June 2024 at 23:00

When a ransomware attack targets something like a hospital, it quickly becomes a high-profile event that understandably results in public outrage. Hospitals are supposed to be backstops for society, a place to go when it all goes wrong, and paralyzing their operations for monetary gain by taking over their information systems is just beyond the pale. Tactically, though, it makes sense; their unique position in society seems to make it more likely that they’ll pay up.

Which is why the ongoing cyberattack against car dealerships is a little perplexing — can you think of a less sympathetic victim apart from perhaps the Internal Revenue Service? Then again, we’re not in the ransomware business, so maybe this attack makes good financial sense. And really, judging by the business model of the primary target of these attacks, a company called CDK Global, it was probably a smart move. We had no idea that there was such a thing as a “Dealer Management System” that takes care of everything from financing to service, and that shutting down one company’s system could cripple an entire industry, but there it is.

Water may seem like the enemy for anyone who gets in trouble while swimming, but it’s really time that they’re fighting. Even a strong swimmer can quickly become exhausted fighting wind and waves; add in the hypothermia that’ll eventually set in even in water as warm as a bath, and the difference between life and death can come down to seconds. Getting help to a floundering swimmer isn’t easy, though, as lifeguards can only swim so fast.

But a new remotely operated rescue boat aims to change that, by getting to someone in trouble as fast as possible. Named EMILY, for “Emergency Integrated Lifesaving Lanyard,” the unit is a compact electrically powered rescue boat that can be rapidly deployed by lifeguards, who remotely pilot it to the victim. The boat’s deck is covered with what looks like survival gear, most of which would probably be of more use to the lifeguard upon their arrival than to the swimmer, who would likely just use the boat for flotation. As such, this makes way more sense than sending a drone out there, which at best could only drop a life ring. At $12,000 a piece, these boats aren’t cheap, but for the families who lost their kids in 2022 who donated them, they probably seem like quite a bargain. Here’s hoping they pay off.

We can’t be sure, but we’ve got a vague memory of playing a game called Lunar Landing way back in the day. It would likely have been on a TRS-80 in our local Radio Shack store, and if memory serves, we never got particularly good at the text-based simulator. Happily, though, we can now at least attempt to foist our lack of skills off on a 55-year-old bug in the software. Recently discovered by the excellently named Martin C. Martin while trying to optimize the fuel burn schedule to land softly with the most fuel remaining — the key to a high score, as we recall — the bug makes it so a tiny change in burn rate gives wildly different results. The post-mortem of his search and the analysis of the code, written by high school student Jim Storer only months after the real moon landing in 1969, is very interesting. We especially appreciated the insights into how Storer wrote it, revealed via personal communications. It’s a great look at a piece of computer history, and hats off to both Storer and Martin — although we haven’t seen a CVE posted for this yet.

We know that Minitel terminals are highly collectible, but this is ridiculous. Granted, the Minitel occupies a unique place in computer history, and the boxy design of the original CRT and keyboard terminal was not without its charms. But this particular terminal seems to have had a Very Bad Day in the recent past and is now on the chopping block for a mere €430. To be fair, the eBay user in France has listed the Dalí-esque Minitel as an objet d’art; at that price, we’d like to at least get some usable parts from it to fix other terminals, but that doesn’t seem likely. Somebody will probably buy it, though — no accounting for taste.

And finally, AnimaGraffs is back, this time with a deep dive into the Bell 407 helicopter. We’ve been big fans of his work for a while and have featured a few of his videos in this space, including his look inside the SR-71 Blackbird spy plane. The new video is richly detailed and includes not only the engineering that goes into rotorcraft but also the physics that makes them work and makes them so challenging to fly. Enjoy!

Thanks for the Great Comments!

22 June 2024 at 14:00

Every once in a while, there’s a Hackaday article where the comments are hands-down the best part of a post. This happened this week with Al Williams’ Ask Hackaday: How Do You Make Front Panels?. I guess it’s not so surprising that the comments were full of awesome answers – it was an “Ask Hackaday” after all. But you all delivered!

A technique that I had never considered came up a few times: instead of engraving the front of an opaque panel, like one made of aluminum, if you’re able to make the panel out of acrylic, you can paint the back side, laser or engrave into it, and then paint over with a contrast color. Very clever!

Simply printing the panel out onto paper and laminating it got a number of votes, and for those who are 3D printing the enclosure anyway, simply embossing the letters into the surface had a number of fans. The trick here is in getting some contrast into the letters, and most suggested changing filament. All I know is that I’ve tried to do it by painting the insides of the letters white, and it’s too fiddly for me.

But my absolute favorite enclosure design technique got mentioned a number of times: cardboard-aided design. Certainly for simple or disposable projects, there’s nothing faster than just cutting up some cardboard and taping it into the box of your desires. I’ll often do this to get the sizes and locations of components right – it’s only really a temporary solution. Although some folks have had success with treating the cardboard with a glue wash, paint, or simply wrapping it in packing tape to make it significantly more robust. Myself, if it ends up being a long-term project, I’ll usually transfer the cardboard design to 3DP or cut out thin plywood.

I got sidetracked here, though. What I really wanted to say was “thanks!” to everyone who submitted their awesome comments to Al’s article. We’ve had some truly hateful folks filling the comment section with trash lately, and I’d almost given up hope. But then along comes an article like this and restores my faith. Thanks, Hackaday!


This Week in Security: Chat Control, Vulnerability Extortion, and Emoji Malware

21 June 2024 at 14:00

Way back in 2020, I actually read the proposed US legislation known as EARN IT, and with some controversy, concluded that much of the criticism of that bill was inaccurate. Well, what’s old is new again, except this time it’s the European Union that’s wrestling with how to police online Child Sexual Abuse Material (CSAM). And from what I can tell of reading the actual legislation (pdf), this time it really is that bad.

The legislation lays out two primary goals, both of them problematic. The first is detection, or what some are calling “upload moderation”. The technical details are completely omitted here, simply stating that services “… take reasonable measures to mitigate the risk of their services being misused for such abuse …” The implication here is that providers would do some sort of automated scanning to detect illicit text or visuals, but exactly what constitutes “reasonable measures” is left unspecified.

The second goal is the detection order. It’s worth pointing out that interpersonal communication services are explicitly mentioned as required to implement these goals. From the bill:

Providers of hosting services and providers of interpersonal communications services that have received a detection order shall execute it by installing and operating technologies approved by the Commission to detect the dissemination of known or new child sexual abuse material or the solicitation of children…

This bill is careful not to prohibit end-to-end encryption, nor require that such encryption be backdoored. Instead, it requires that the apps themselves be backdoored, to spy on users before encryption happens. No wonder Meredith Whittaker has promised to pull the Signal app out of the EU if it becomes law. As this scanning is done prior to encryption, it’s technically not breaking end-to-end encryption.

You may wonder why that’s such a big deal. Why is it a non-negotiable for the Signal app to not look for CSAM in messages prior to encryption? For starters, it’s a violation of user trust and an intentional weakening of the security of the Signal system. But maybe most importantly, it puts a mechanism in place that will undoubtedly prove too tempting for future governments. If Signal can be forced into looking for CSAM in the EU, why not anti-government speech in China?

This story is ongoing, with the latest news that the EU has delayed the next step in attempting to ratify the proposal. It’s great news, but the future is still uncertain. For more background and analysis, see our conversation with the minds behind Matrix, on this very topic:

Bounty or Extortion?

A bit of drama played out over Twitter this week. The Kraken cryptocurrency exchange had a problem where a deposit could be interrupted, and funds added to the Kraken account without actually transferring funds to back the deposit. A security research group, which turned out to be the CertiK company, discovered and disclosed the flaw via email.

Kraken Security Update:

On June 9 2024, we received a Bug Bounty program alert from a security researcher. No specifics were initially disclosed, but their email claimed to find an “extremely critical” bug that allowed them to artificially inflate their balance on our platform.

— Nick Percoco (@c7five) June 19, 2024

All seemed well, and the Kraken team managed to roll a hotfix out in an impressive 47 minutes. But things got weird when they cross referenced the flaw to see if anyone had exploited it. Three accounts had used it to duplicate money. The first use was for all of four dollars, which is consistent with doing legitimate research. But additionally, there were more instances from two other users, totaling close to $3 million in faked transfers — not to mention transfers of *real* money back out of those accounts. Kraken asked for the details and the money back.

According to the Kraken account, the researchers refused, and instead wanted to arrange a call with their “business development team”. The implication is that the transferred money was serving as a bargaining chip to request a higher bug bounty payout. According to Kraken, that’s extortion.

There is a second side to this story, of course. CertiK has a response on their x.com account where they claim to have wanted to return the transferred money, but they were just testing Kraken’s risk control system. There are things about this story that seem odd. At the very least, it’s unwise to transfer stolen currency in this way. At worst, this was an attempt at real theft that was thwarted. The end result is that the return of the funds was eventually completed.

There are two fundamental problems with vuln disclosure/bounty:
#1 companies think security researchers are trying to extort them when they are not
#2 security researchers trying to extort companies https://t.co/I7vnk3oXi5

— Robert Graham 𝕏 (@ErrataRob) June 20, 2024

Report Bug, Get Nastygram

For the other side of the coin, [Lemon] found a trivial flaw in a traffic controller system. After turning it in, he was rewarded with an odd letter that was a combination of “thank you” and your work “may have constituted a violation of the Computer Fraud and Abuse Act”. This is not how you respond to responsible disclosure.

I received my first cease and desist for responsibly disclosing a critical vulnerability that gives a remote unauthenticated attacker full access to modify a traffic controller and change stoplights. Does this make me a Security Researcher now? pic.twitter.com/ftW35DxqeF

— Lemon (@Lemonitup) June 18, 2024

Emoji Malware

We don’t talk much about malware in South Asia, but this is an interesting one. DISGOMOJI is a malware attributed to a Pakistani group, mainly targeting government Linux machines in India. What really makes it notable is that the command and control system uses emoji in Discord channels. The camera emoji instructs the malware to take a screenshot. A fox triggers a hoovering of the Firefox profiles, and so on. Cute!

Using Roundcube to break PHP

This is a slow moving vulnerability, given that the core is a 24-year-old buffer overflow in iconv() in glibc. [Charles Fol] found this issue, which can pop up when using iconv() to convert to the ISO-2022-CN-EXT character set, and has been working on how to actually trigger the bug in a useful way. Enter PHP. OK, that’s not entirely accurate, since the crash was originally found in PHP. It’s more like we’re giving up on finding something else, and going back to PHP.

The core vulnerability can only overwrite one, two, or three bytes past the end of a buffer. To make use of that, the PHP bucket structure can be used. This is a growable doubly-linked list that is used for data handling. Chunked HTTP messages can be used to build a multi-bucket structure, and triggering the iconv() flaw overwrites one of the pointers in that structure. Bumping that pointer by a few bytes lands in attacker controlled data, which can land in a fake data structure, and continuing the dechunking procedure gives us an arbitrary memory write. At that point, a function pointer just has to be pointed at system() for code execution.

That’s a great theoretical attack chain, but actually getting there in the wild is less straightforward. There has been a notable web application identified that is vulnerable: Roundcube. Upon sending an email, the user can specify the addresses, as well as the character set parameter. Roundcube makes an iconv() call, triggering the core vulnerability. And thus an authenticated user has a path to remote code execution.

Bits and Bytes

Speaking of email, do you know the characters that are allowed in an email address? Did you know that the local user part of an email address can be a quoted string, with many special characters allowed? I wonder if every mail server and email security device realized that quirk? Apparently not, at least in the case of MailCleaner, which had a set of flaws allowing such an email to lead to full appliance takeover. Keep an eye out for other devices and applications to fall to this same quirk.
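To make the quirk concrete, here is an added example (not code from the article or from MailCleaner): a parser for the local part of an SMTP address that accepts both the usual dot-atom form and the quoted-string form from RFC 5321 section 4.1.2, and reports which characters a quoted local part carries that a dot-atom never could, so a gateway can reject such addresses before handing them to a shell or any other interpreter. The addresses in the test are constructed.

```python
from typing import NamedTuple, Optional

# atext from RFC 5322: the only characters a dot-atom local part may contain
ATEXT = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
    "!#$%&'*+-/=?^_`{|}~"
)


class LocalPart(NamedTuple):
    quoted: bool
    value: str            # the local part with quoting and backslash escapes removed
    risky: frozenset      # characters outside atext, i.e. only reachable via quoting


def parse_local_part(address: str) -> Optional[LocalPart]:
    """Split on the last '@' and parse the local part; None if it is not syntactically valid."""
    if "@" not in address:
        return None
    local, _, domain = address.rpartition("@")
    if not local or not domain or len(local) > 64:   # RFC 5321: local part is at most 64 octets
        return None
    if local.startswith('"'):
        return _parse_quoted(local)
    return _parse_dot_atom(local)


def _parse_dot_atom(local: str) -> Optional[LocalPart]:
    """Dot-atom: one or more runs of atext separated by single dots."""
    parts = local.split(".")
    if any(not p or not set(p) <= ATEXT for p in parts):
        return None
    return LocalPart(False, local, frozenset())


def _parse_quoted(local: str) -> Optional[LocalPart]:
    """Quoted-string: DQUOTE *(qtextSMTP / "\\" printable) DQUOTE, unescaped on the way out."""
    if len(local) < 2 or not local.endswith('"'):
        return None
    body = local[1:-1]
    out = []
    i = 0
    while i < len(body):
        c = body[i]
        if c == "\\":                                  # quoted-pair: backslash + any printable
            if i + 1 >= len(body) or not 0x20 <= ord(body[i + 1]) <= 0x7E:
                return None
            out.append(body[i + 1])
            i += 2
            continue
        if c == '"' or not 0x20 <= ord(c) <= 0x7E:     # bare DQUOTE and controls are not qtext
            return None
        out.append(c)
        i += 1
    value = "".join(out)
    risky = frozenset(ch for ch in value if ch not in ATEXT and ch != ".")
    return LocalPart(True, value, risky)


def is_acceptable(address: str) -> bool:
    """Accept syntactically valid addresses whose local part smuggles nothing past atext.

    Note that atext itself includes a few shell-significant characters ($, &, |, ...),
    so a consumer must still quote the value properly; this check only closes the
    quoted-string hole the article describes.
    """
    lp = parse_local_part(address)
    return lp is not None and not lp.risky
```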

Nextcloud has a pair of vulnerabilities to pay attention to, with the first being an issue where a user with read and share permissions to an object could reshare it with additional permissions. The second is more troubling, giving an attacker a potential method to bypass a two-factor authentication requirement. Fixes are available.

Pointed out by [Herr Brain] on Hackaday’s Discord, we have a bit of bad news about the Arm Memory Tagging Extensions (MTE) security feature. Namely, speculative execution can reveal the needed MTE tags about 95% of the time. While this is significant, there is a bit of a chicken-and-egg problem for attackers, as MTE is primarily useful to prevent running arbitrary code at all, which is the most straightforward way to achieve a speculative attack to start with.

And finally, over at Google Project Zero, [Seth Jenkins] has a report on a trio of Android devices, and finding vulnerabilities in their respective kernel drivers. In each case, the vulnerable drivers can be accessed from unprivileged applications. [Seth]’s opinion is that as the Android core code gets tighter and more secure, these third-party drivers of potentially questionable code quality will quickly become the target of choice for attack.

FLOSS Weekly Episode 788: Matrix, It’s Git, for Communications

19 June 2024 at 23:00

This week Jonathan Bennett and Simon Phipps chat with Matthew Hodgson and Josh Simmons about Matrix, the open source decentralized communications platform. How is Matrix a Git for Communications? Are the new EU and UK laws going to be a problem? And how is the Matrix project connected with the Element company?

https://matrix.org/blog
https://element.io/

Did you know you can watch the live recording of the show right in the Hackaday Discord? Have someone you’d like us to interview? Let us know, or contact the guest and have them contact us! Take a look at the schedule here.

Direct Download in DRM-free MP3.

If you’d rather read along, here’s the transcript for this week’s episode.


Linux Fu: Kernel Modules Have Privileges

19 June 2024 at 14:00

I did something recently I haven’t done in a long time: I recompiled the Linux kernel. There was a time when this was a common occurrence. You might want a feature that the default kernel didn’t support, or you might have an odd piece of hardware. But these days, in almost all the cases where you need something like this, you’ll use loadable kernel modules (LKMs) instead. These are modules that the kernel can load and unload at run time, which means you can add that new device or strange file system without having to rebuild or even restart the kernel.

Normally, when you write programs for Linux, they don’t have any special permissions. You typically can’t do direct port I/O, for example, or arbitrarily access memory. The kernel, however, including modules, has no such restriction: a module runs with full kernel privilege, so a bug in your module is a bug in the kernel. That can make debugging modules tricky because you can easily bring the system to its knees. If possible, consider developing on a virtual machine until you have what you want; that way, an errant module only brings down the VM. Two other things bite people the first time: loading a module requires root (strictly, CAP_SYS_MODULE), and on a machine booted with Secure Boot and kernel lockdown enabled, the kernel refuses to load a module that isn’t signed with a trusted key at all, so you’ll either need to sign your test modules or do this work in a VM without Secure Boot.

History

Some form of module support has been around since Linux 1.2. Modern kernels can have a feature either compiled in or built as a module. For example, you probably don’t want to put drivers for every single known video card in your kernel. But it is perfectly fine to build dozens or hundreds of modules you might need and then load the one you need at run time.

LKMs are at the heart of device drivers, file system drivers, and network drivers. In addition, modules can add new system calls, override existing system calls, add TTY line disciplines, and handle how executables run. A caveat on the system call part: the kernel stopped exporting sys_call_table back in the 2.6 days, so adding or overriding system calls from a module takes deliberate hackery, and hooking that table is exactly what kernel rootkits do. If you see a third-party module doing it, treat that as a finding, not a feature.

In Use

If you want to know what modules you have loaded, that’s the lsmod command. You’ll see that some modules depend on other modules and some don’t. There are two ways to load modules: insmod and modprobe. The insmod command takes a path to a .ko file and simply tries to load that one file. The modprobe command looks the module up by name in /lib/modules/$(uname -r), resolves what it depends on from modules.dep (the file depmod builds), and loads the dependencies first.

You can also remove modules with rmmod, assuming they aren’t in use (their reference count is zero and nothing depends on them). Of course, adding and removing modules requires root access. You can usually run lsmod as a normal user if you like; it just formats /proc/modules. You might also be interested in depmod, which builds the dependency list, and modinfo, which shows a module’s metadata, parameters and signature information.

Writing a Module

It is actually quite easy to write your own module. In fact, it is so simple that the first example I want to look at is a little more complex than necessary.

This simple module can load and unload. It leaves a message in the kernel log (read it with dmesg) to tell you it is there. In addition, it allows you to specify a key (just an arbitrary integer) when you load it. That number will show up in the output. Here’s the code:

#include <linux/module.h>
#include <linux/moduleparam.h>
#include <linux/printk.h>

MODULE_AUTHOR("Al Williams");
MODULE_DESCRIPTION("Hackaday LKM");
// The kernel only recognises a fixed set of license strings: "GPL", "GPL v2",
// "GPL and additional rights", "Dual BSD/GPL", "Dual MIT/GPL", "Dual MPL/GPL"
// and "Proprietary". "GPLv2" without the space is NOT one of them, and an
// unrecognised string taints the kernel exactly as a proprietary module would.
MODULE_LICENSE("GPL v2");

static int somedata __initdata = 0xbeef; // only exists during init; the memory is discarded afterwards
static int key = 0xAA; // you can override this using insmod
// 0644 means the sysfs entry will be rw-r--r-- (root can write it, everyone can read it);
// a permission of 0 means no sysfs entry at all
module_param(key, int, 0644); // use module_param_named if you want different names internal vs external
MODULE_PARM_DESC(key, "An integer ID unique to this module");

static int __init had_init(void)
{
  // This is the usual way to do this (don't forget \n and note no comma after KERN_INFO), but...
  printk(KERN_INFO "Hackaday is in control (%x %x)\n", key, somedata);
  return 0;
}

static void __exit had_exit(void)
{
  // ... you can also use the pr_info macro which does the same thing
  pr_info("Returning control of your system to you (%x)!\n", key);
}

module_init(had_init);
module_exit(had_exit);

This isn’t hard to puzzle out. Most of it is include files and macros that give modinfo something to print out. There are some variables: somedata is just a static variable that is only readable during initialization. The key variable has a default but can be set using insmod. What’s more, because module_param specifies 0644, an octal Linux permission, there will be an entry at /sys/module/hadmod1/parameters/key that lets anyone read the value and lets root set it. Two details worth knowing: the sysfs entry shows the value in decimal (170 for the default 0xAA) while the printk above prints it in hex, and a permission of 0 would suppress the sysfs entry entirely, which is what you want for a parameter that should only ever be set at load time.

At the end, there are two calls that register what happens when the module loads and unloads. The rest of the code is just something to print some info when those events happen.

I printed data in two ways: the traditional printk and using the pr_info macro which uses printk underneath, anyway. You should probably pick one and stick with it. I’d normally just use pr_info.

Building the modules is simple assuming you have a compiler and the headers for the running kernel (the linux-headers package on Debian-style distributions, kernel-devel on Fedora-style ones). Here’s a simple makefile (don’t forget to use tabs in your makefile):

obj-m += hadmod1.o

# Not needed in most cases, but useful if using sudo. Keep the comment on its
# own line: make keeps the whitespace before a trailing comment as part of the value.
PWD := $(CURDIR)

all:
	$(MAKE) -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules

clean:
	$(MAKE) -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean

Once you build things, you should have a .ko file, hadmod1.ko here (the name comes from the obj-m line in the makefile). That’s the module. Try a few things:

  1. sudo insmod hadmod1.ko   # load the module
  2. sudo dmesg | tail   # see the module output
  3. cat /sys/module/hadmod1/parameters/key   # see the key, in decimal (root can set it, too)
  4. sudo rmmod hadmod1  # unload the module
  5. sudo insmod hadmod1.ko key=128   # set key this time and repeat the other steps
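Two checks worth scripting after the insmod step, as an added Python example that is not part of the article: parse /proc/modules (the data lsmod formats) to see the module’s reference count and what depends on it before you rmmod, and decode /proc/sys/kernel/tainted, which is where the kernel records that it loaded an out-of-tree, unsigned, or unrecognised-license module. The taint bit names are the kernel’s documented ones (Documentation/admin-guide/tainted-kernels.rst); the sample /proc/modules text and taint value below are constructed, with the zeroed load addresses a non-root user sees under kptr_restrict.

```python
"""Post-insmod checks: parse /proc/modules and decode the kernel taint mask.

Added example, not part of the original article.  Run as a script on a live
machine to inspect the real files; the functions are pure so they can be
exercised on the constructed sample data below.
"""
from dataclasses import dataclass, field
from pathlib import Path
from typing import Dict, List

# Taint bits from Documentation/admin-guide/tainted-kernels.rst: bit -> (letter, meaning).
TAINT_BITS = {
    0:  ("P", "proprietary (or unrecognised license string) module loaded"),
    1:  ("F", "module force-loaded"),
    2:  ("S", "SMP kernel on a CPU not designed for SMP"),
    3:  ("R", "module force-unloaded"),
    4:  ("M", "machine check exception"),
    5:  ("B", "bad page referenced"),
    6:  ("U", "taint requested by user"),
    7:  ("D", "kernel died (oops or BUG)"),
    8:  ("A", "ACPI table overridden"),
    9:  ("W", "kernel warning (WARN)"),
    10: ("C", "staging driver loaded"),
    11: ("I", "firmware bug workaround applied"),
    12: ("O", "out-of-tree module loaded"),
    13: ("E", "unsigned module loaded"),
    14: ("L", "soft lockup occurred"),
    15: ("K", "kernel live-patched"),
    16: ("X", "auxiliary (architecture-specific) taint"),
    17: ("T", "built with struct randomization plugin"),
}


def decode_taint(mask: int) -> List[str]:
    """Return the taint letters set in mask, lowest bit first.
    A module built from this article with MODULE_LICENSE("GPLv2") shows P as well as O."""
    return [letter for bit, (letter, _) in sorted(TAINT_BITS.items()) if (mask >> bit) & 1]


@dataclass
class ModuleInfo:
    name: str
    size: int
    refcount: int
    used_by: List[str] = field(default_factory=list)
    state: str = "Live"


def parse_proc_modules(text: str) -> Dict[str, ModuleInfo]:
    """Parse /proc/modules lines: 'name size refcount users state address [(taint)]'.
    users is '-' or a comma-separated list with a trailing comma."""
    mods: Dict[str, ModuleInfo] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        name, size, refcount, users, state = parts[:5]
        used_by = [] if users == "-" else [u for u in users.split(",") if u]
        mods[name] = ModuleInfo(name, int(size), int(refcount), used_by, state)
    return mods


def can_rmmod(mods: Dict[str, ModuleInfo], name: str) -> bool:
    """rmmod succeeds only when nothing holds a reference and nothing depends on the module."""
    m = mods.get(name)
    return m is not None and m.refcount == 0 and not m.used_by and m.state == "Live"


# Constructed sample: an out-of-tree unsigned test module plus a real-looking dependency chain.
SAMPLE_PROC_MODULES = """\
hadmod1 16384 0 - Live 0x0000000000000000 (OE)
nf_nat 57344 2 xt_MASQUERADE,iptable_nat, Live 0x0000000000000000
nf_conntrack 172032 1 nf_nat, Live 0x0000000000000000
"""
SAMPLE_TAINT = (1 << 12) | (1 << 13)  # 12288: what loading hadmod1.ko typically produces


def read_live():
    """Read the real files; needs no privileges beyond read access to /proc."""
    mods = parse_proc_modules(Path("/proc/modules").read_text())
    taint = int(Path("/proc/sys/kernel/tainted").read_text())
    return mods, taint


if __name__ == "__main__":
    try:
        mods, taint = read_live()
    except OSError:
        mods, taint = parse_proc_modules(SAMPLE_PROC_MODULES), SAMPLE_TAINT
    print("taint flags:", " ".join(decode_taint(taint)) or "(none)")
    for m in mods.values():
        print(f"{m.name:20} refs={m.refcount} used_by={','.join(m.used_by) or '-'} rmmod_ok={can_rmmod(mods, m.name)}")
```

If the flags after loading your module include P, go back and check the MODULE_LICENSE string; if they include E on a machine where you expected signature enforcement, lockdown is not actually on.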

That’s It?

That is it. Of course, the real details lie in how you interact with the kernel or hardware devices, but that’s up to you. Just to give a slightly meatier example, I made a second version of the module that adds /proc/jollywrencher to the /proc filesystem. Here’s the code:

#include <linux/init.h>
#include <linux/module.h>
#include <linux/moduleparam.h>
#include <linux/printk.h>
#include <linux/uaccess.h>
#include <linux/fs.h>
#include <linux/proc_fs.h>
#include <linux/string.h>
#include <linux/version.h>

// Module metadata
MODULE_AUTHOR("Al Williams");
MODULE_DESCRIPTION("Hackaday LKM1");
MODULE_LICENSE("GPL v2"); // a string the kernel recognises; "GPLv2" (no space) would taint the kernel as proprietary


static char logo[]=
"                                                                                \n"\
"                                                                                \n"\
"                                                                                \n"\
"           #@@@@@@                                            ,@@@@@@           \n"\
"              &@@@@@*                                       &@@@@@,             \n"\
"               @@@@@@%                                     @@@@@@#              \n"\
"   @@       .@@@@@@@@@                                    .@@@@@@@@@       .@#  \n"\
"   &@@@&  /@@@@@@@@@@@@                                   @@@@@@@@@@@@   @@@@*  \n"\
"    @@@@@@@@@@@@@@@@@@@@@#                             @@@@@@@@@@@@@@@@@@@@@,   \n"\
"      &@@@@@@@@@@@@@@@@@@@@@*    ,@@@@@@@@@@@@%     &@@@@@@@@@@@@@@@@@@@@@*     \n"\
"           ,*.  @@@@@@@@@@@/ .@@@@@@@@@@@@@@@@@@@@&  &@@@@@@@@@@#  **           \n"\
"                   @@@@@@, &@@@@@@@@@@@@@@@@@@@@@@@@@, %@@@@@&                  \n"\
"                     ,@& /@@@@@@@@@@@@@@@@@@@@@@@@@@@@@  @@                     \n"\
"                        &@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@*                       \n"\
"                       %@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@.                      \n"\
"                       @@@@@@       #@@@@@@@.      /@@@@@@                      \n"\
"                      /@@@@&         @@@@@@.         @@@@@                      \n"\
"                      ,@@@@%      (@@@@@@@@@@&*      @@@@@                      \n"\
"                       @@@@@#  @@@@@@@@@@@@@@@@@@%  @@@@@&                      \n"\
"                       /@@@@@@@@@@@@@@@, #@@@@@@@@@@@@@@@                       \n"\
"                     @@ *@@@@@@@@@@@@@& ( @@@@@@@@@@@@@@ .@(                    \n"\
"                  %@@@@@. @@@@@@@@@@@@@@@@@@@@@@@@@@@@% #@@@@@*                 \n"\
"          (%&%((@@@@@@@@@@  @@@@@@@@@@@@@@@@@@@@@@@@% ,@@@@@@@@@@*#&&#/         \n"\
"      @@@@@@@@@@@@@@@@@@@@@@  @@@@@@@@@@@@@@@@@@@@(  @@@@@@@@@@@@@@@@@@@@@&     \n"\
"    @@@@@@@@@@@@@@@@@@@@@     @@@@@@*@@@@@@/%@@@@@&    *@@@@@@@@@@@@@@@@@@@@#   \n"\
"   @@@@.   @@@@@@@@@@@.         ..      .      .          (@@@@@@@@@@#   /@@@*  \n"\
"   @,        %@@@@@@@@                                    .@@@@@@@@.        &#  \n"\
"               ,@@@@@(                                     @@@@@@               \n"\
"             *@@@@@@                                        (@@@@@@             \n"\
"           @@@@@@,                                             %@@@@@@          \n"\
"                                                                                \n"\
"                                                                                ";

static struct proc_dir_entry *proc_entry;

// Hand the logo to user space. simple_read_from_buffer() honours count and
// *offset (so partial and repeated reads behave like a normal file) and
// returns -EFAULT itself if the user buffer is bad, so there is no unchecked
// copy_to_user() here and no way to write past a short user buffer.
static ssize_t had_read(struct file *f, char __user *user_buffer, size_t count, loff_t *offset)
{
  return simple_read_from_buffer(user_buffer, count, offset, logo, strlen(logo));
}

#if LINUX_VERSION_CODE >= KERNEL_VERSION(5,6,0)
static const struct proc_ops procop = // prior to Linux 5.6 you needed file_operations
{
  .proc_read = had_read
};
#else
static const struct file_operations procop =
{
  .owner = THIS_MODULE,
  .read = had_read
};
#endif

static int __init had_init(void)
{
  // This is the usual way to do this (don't forget \n and note no comma after KERN_INFO), but...
  printk(KERN_INFO "Hackaday LKM1 is in control\n");
  // 0444: readable by everyone, writable by nobody; there is no write handler anyway
  proc_entry = proc_create("jollywrencher", 0444, NULL, &procop);
  if (!proc_entry)
    return -ENOMEM; // a failing init must return an error so insmod reports it and the module is not left loaded
  return 0;
}

static void __exit had_exit(void)
{
  // ... you can also use the pr_info macro which does the same thing
  pr_info("Returning control of your system to you...\n");
  proc_remove(proc_entry);
}

module_init(had_init);
module_exit(had_exit);

The only new thing here is a read function that you register with the kernel when the module loads and remove when it unloads. That interface changed in kernel 5.6 (proc_ops replaced file_operations for procfs entries), so the code checks the kernel version and does the right thing. Until, of course, it gets changed again.

Once you load this module using insmod, you can cat /proc/jollywrencher to see your favorite web site’s logo.

Of course, this is a dead simple example, but it is enough to get you started. You can grab all the source code online. One great way to learn more is to find something similar to what you want to build and take it apart.

We don’t suggest it, but you can write an LKM in Scratch. If you really want to learn the kernel, maybe start at the beginning.

Design Review: Switching Regulator Edition

18 June 2024 at 14:00

This article was prompted by a friend of mine asking for help on a board with an ESP32 heart. The board outputs 2.1 V instead of 3.3 V, and it doesn’t seem like incorrectly calculated feedback resistors are to blame – let’s take a look at the layout. Then, let’s also take a look at a recently sent in design review entry, based on an IC that looks perfect for all your portable Raspberry Pi needs!

What Could Have Gone Wrong?

Here’s the board in all its two-layer glory. This is the kind of board you can use to drive 5 V or 12 V Neopixel strips with a firmware like WLED – exactly the kind of gadget you’ll want to use for LED strip experiments! 3.3 V power is provided by a Texas Instruments TPS54308 IC, and it’s the one misfiring, so let’s take a look.

The design has an ESP32 on the opposite side of the switching regulator. For review purposes, let’s pull the regulator circuit out – disable all front layers (copper, silk, mask, courtyard and paste), hide vias, then box select the regulator circuit and move it out. I’ve also added net labels to the circuit – here’s a screenshot.

There are things done right here, for sure, and a few things that could be the culprit in improper regulation. If you want hints, you can see TPS54308 datasheet, page 22, for layout recommendations. Both SW and FB nodes are pretty long, and the FB trace goes right next to VOUT – before regulation.

Furthermore, from the pinout and also the layout recommendations, it appears this regulator is designed so that all of the switching circuitry can be kept on one side of the chip, away from the feedback pin. Yet this design routes the inductor all the way over to the supposedly sensitive side. Thankfully, this is easy to fix.

Refresher – FB and SW traces have to be as short as possible, the inductor as close to SW as possible, and the VOUT to FB connection can be a separate track on the other layer. With that in mind, let’s move the inductor to the other side of the regulator, move the FB resistors to the FB pin, and see how far we get.

My Take Versus TI’s Recommendation

This is my take. FB resistors moved to one side, switching components to the other, VOUT track on another layer. Add capacitors and vias as necessary, and pull tracks under components to get extra ground connections if needed. Of course, ideally, SW would be a copper polygon, and so would be VOUT. I’m also showing how EN could be pulled out, in case you needed that – in this particular schematic, EN can be safely left floating, but most regulators will want you to pull it either to VIN or to GND.

Since this is a TI chip, it also has a diagram for the layout recommendation! Let’s take a look how far off the mark we are, and it appears we aren’t that far. Curiously, it wants us to put SW onto another layer. Having switching current pass through extra inductance doesn’t sit right with me, personally, but my guess is that they want to minimize switching current flowing under the regulator, as the recommendation suggests.

Another part that’s curious to me, is a suggestion for a Kelvin connection for the FB net’s GND pin. TI also publishes data for evaluation boards, and the TPS54308 has such a board indeed. Seeing on the page 13 of the evaluation board datasheet, I’m not quite seeing a Kelvin connection, unless Kelvin is the name of the engineer involved in designing the board. I do see that GND is tapped with a via far away from the area where switching happens, so it might just be that.

At this point, I’m curious whether my take is a dealbreaker, but since TI’s recommendations are available, I might just end up implementing exactly that and sending the files back. So, we take this circuit, implant it back into the board, order a new revision, and keep our fingers crossed.

A Pi-suited UPS, On A Stamp

A week ago, [Lukilukeskywalker] shared a board with us, asking for a design review. The board is a stamp that houses an LTC4040 chip, and the chip itself is a treat. It takes 5 V in and puts 5 V out, and when the input goes away, it keeps generating 5 V from a battery. It supports both regular LiIon and LiFePO4 cells, can deliver up to 2.5 A, and appears to be a perfect option if you want to power a Raspberry Pi or any other 5 V-powered SBC on the go.

There are a few small nits to pick on this board. For instance, the connector for the battery is a 3-pin JST-SH, with one pin for BATT+. 2.5 A at 5 V is 12.5 W, which at a 3.5 V battery voltage is roughly 3.6 A before converter losses, call it 4 A, and that might just melt a JST-SH connector or the gauge of wire you can attach to a JST-SH-sized metal contact. However, it’s switching regulator time, so let’s take a look at that specifically.

Here’s another thing you might notice immediately – the lack of a continuous ground return under the switching loop, from the IC’s ground connections all the way under the switching path. In particular, the ground plane under the switching path is broken by a few traces, and it doesn’t appear that these traces must be there! Page 22 in the LTC4040 datasheet, which lists the layout recommendations, stresses this too, elaborating that “High frequency currents in the hot loop tend to flow along a mirror path on the ground plane which is directly beneath the incident path on the top plane of the board”.

Well, there are only two tracks that really interrupt the switching path above them, and both could be moved to the left. One of them is for a resistor that sets the charging current limit, and another goes to a castellated pad. Moving the latter is going to break the symmetry, but remember – it’s okay for a stamp to be asymmetric, that helps you ensure it’s mounted on your board correctly!

Sadly, while Linear Tech makes fancy tech, their evaluation board data isn’t as available as TI’s – there’s a PDF with schematics, but no layout data I could find. However, comparing to the pictures, you can see that the general layout of the switching area is correct, our hacker correctly uses polygons, the feedback circuit is pretty nice – it’s just these two tracks that are a bit uncouth when it comes to the switching regulator part of it. As for reviewing the rest of the board, you can read this article!

Towards A Powerful Future

Got switching regulator designs that didn’t quite work right when you put them to test, or that you’re yet to order and feel cautious about? Show them to us down below in the comments, and let’s take a look; your circuits deserve to operate at their best capacity possible.

And, as usual, if you would like a design review for your board, submit a tip to us with [design review] in the title, linking to your board files. KiCad design files strongly preferred, both repository-stored files (GitHub/GitLab/etc) and shady Google Drive/Dropbox/etc .zip links are accepted.

Hackaday Links: June 16, 2024

16 June 2024 at 23:00
Hackaday Links Column Banner

Attention, slackers — if you do remote work for a financial institution, using a mouse jiggler might not be the best career move. That’s what a dozen people learned this week as they became former employees of Wells Fargo after allegedly being caught “simulating keyboard activity” while working remotely. Having now spent more than twice as many years working either hybrid or fully remote, we get it; sometimes, you’ve just got to step away from the keyboard for a bit. But we’ve never once felt the need to create the “impression of active work” during those absences. Perhaps that’s because we’ve never worked in a regulated environment like financial services.

For our part, we’re curious as to how the bank detected the use of a jiggler. The linked article mentions that regulators recently tightened rules that require employers to treat an employee’s home as a “non-branch location” subject to periodic inspection. More than enough reason to quit, in our opinion, but perhaps they sent someone snooping? More likely, the activity simulators were discovered by technical means. The article contains a helpful tip to avoid powering a jiggler from the computer’s USB, which implies detecting the device over the port. Our guess is that Wells tracks mouse and keyboard activity and compares it against a machine-learning model to look for signs of slacking.

Speaking of the intersection of soulless corporate giants and AI, what’s this world coming to when AI walks you right into an online scam? That’s what happened to a Canadian man recently when he tried to get help moving Facebook to his new phone. He searched for a customer service number for Facebook and found one listed, but thought it would be wise to verify the number. So he pulled up the “Meta AI”-powered search tool in Facebook Messenger and asked if the number was legit. “No problem,” came the reply, so he called the number and promptly got attacked by the scammers on the other end, who within minutes used his PayPal account to buy $500 worth of Apple gift cards. From the sound of it, the guy did everything he should have to protect himself, at least up to a point. But when a company’s chatbot system gives you bad information about their own customer support, things like this are going to happen.

Just a reminder that we’re deep into con season now. Open Sauce should be just about wrapped up by the time this gets published, and coming up the week after is Teardown 2024 in Portland. The schedule for that has been released, which includes a workshop on retrocomputing with the “Voja4” Supercon badge. A little further on into the summer and back on the East Coast will be HOPE XV, which still has some tickets left. The list of speakers for that one looks pretty good, as does the workshop roundup.

And finally, if you have some STL models in need of a little creative mutilation, try out this STL twister online tool. It’s by our friend [Andrew Sink], who has come up with a couple of other interesting 3D tools, like the Banana for Scale tool and the 3D Low-Poly Generator. The STL Twister does pretty much what it says and puts the screws to whatever STL model you drop on it. The MakerBot Gnome mascot that pops up by default is a particularly good model for screwifying. Enjoy!

Giant Brains, Or Machines That Think

15 June 2024 at 14:00

Last week, I stumbled on a marvelous book: “Giant Brains; or, Machines That Think” by Edmund Callis Berkeley. What’s really fun about it is the way it sounds like it could be written just this year – waxing speculatively about the future when machines do our thinking for us. Except it was written in 1949, and the “thinking machines” are early proto-computers that use relays (relays!) for their logic elements. But you need to understand that back then, they could calculate ten times faster than any person, and they would work tirelessly day and night, as long as their motors keep turning and their contacts don’t get corroded.

But once you get past the futuristic speculation, there’s actually a lot of detail about how the then-cutting-edge machines worked. Circuit diagrams of logic units from both the relay computers and the brand-new vacuum tube machines are on display, as are drawings of the tricky bits of purely mechanical computers. There is even a diagram of the mercury delay line, and an explanation of how circulating audio pulses through the medium could be used as a form of memory.

All in all, it’s a wonderful glimpse at the earliest of computers, with enough detail that you could probably build something along those lines with a little moxie and a few thousands of relays. This grounded reality, coupled with the fantastic visions of where computers would be going, make a marvelous accompaniment to a lot of the breathless hype around AI these days. Recommended reading!

This article is part of the Hackaday.com newsletter, delivered every seven days for each of the last 200+ weeks. It also includes our favorite articles from the last seven days that you can see on the web version of the newsletter. Want this type of article to hit your inbox every Friday morning? You should sign up!

This Week in Security: Unicode Strikes Again, Trust No One (Redditor), and More

14 June 2024 at 14:00

There’s a popular Sysadmin meme that system problems are “always DNS”. In the realm of security, it seems like “it’s always Unicode“. And it’s not hard to see why. Unicode is the attempt to represent all of Earth’s languages with a single character set, and that means there’s a lot of very similar characters. The two broad issues are that human users can’t always see the difference between similar characters, and that libraries and applications sometimes automatically convert exotic Unicode characters into more traditional text.

This week we see the resurrection of an ancient vulnerability in PHP-CGI, which allows injecting command line switches when a web server launches an instance of PHP-CGI. The original fix was to reject certain characters in specific places in the query string, such as a query string that starts with a dash.

The bypass is due to a Windows feature, “Best-Fit”, an automatic down-conversion of certain Unicode characters into the closest character the current code page has. This works on a per-locale basis, which means that not every system language behaves the same. The exact bypass that has been found is the conversion of a soft hyphen, which PHP doesn’t block, into a regular hyphen, which triggers the command injection. This quirk only happens when the Windows locale is set to Chinese or Japanese. Combined with the relative rarity of running PHP-CGI, and of running PHP on Windows at all, this is a pretty narrow problem. The XAMPP install does use this arrangement, so those installs are vulnerable, again only if the locale is set to one of these specific languages. The other thing to keep in mind is that the Unicode character set is huge, and it’s very likely that there are other special characters in other locales that behave similarly. The general lesson is that a filter has to run on what the downstream consumer will actually see, after every conversion, not on the input as it arrived.
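The canonicalise-then-check point in miniature, as an added Python example (not PHP’s code): best_fit() is a constructed stand-in for Windows’ locale-dependent best-fit conversion and models only the one mapping the article cites, soft hyphen to hyphen under the Chinese and Japanese locales, with everything else reduced to ASCII; the real tables are far larger and differ per code page. The argv rule it uses is the one from RFC 3875 section 4.4: a query string with no unencoded “=” is handed to the CGI script as command-line arguments, split on “+”. The soft hyphen in the constructed request is percent-encoded as UTF-8 (%C2%AD).

```python
"""Check-then-convert vs convert-then-check on a CGI query string.
Added example, not PHP's code.  best_fit() is a constructed stand-in for
Windows' locale-dependent best-fit conversion and models ONLY the soft-hyphen
mapping the article describes; real tables are much larger."""
from typing import List, Optional, Tuple
from urllib.parse import unquote

Decision = Tuple[str, Optional[bytes]]   # ("form"|"block"|"pass", argv bytes or None)


def best_fit(text: str, locale: str) -> bytes:
    """Stand-in for WideCharToMultiByte with best-fit enabled (constructed).
    Under the zh/ja locales U+00AD becomes '-'; anything still non-ASCII becomes '?'."""
    if locale in ("zh-CN", "zh-TW", "ja-JP"):
        text = text.replace("\u00ad", "-")
    return text.encode("ascii", errors="replace")


def argv_from_query(query: str) -> Optional[List[str]]:
    """RFC 3875 section 4.4: no unencoded '=' means the query is argv, split on '+'."""
    if "=" in query:
        return None
    return [unquote(part) for part in query.split("+")]


def vulnerable_guard(query: str, locale: str) -> Decision:
    """Check first, convert later: the leading-dash test runs on the Unicode
    string, then the converted bytes go to the process.  This is the shape of
    the bypass: U+00AD passes the test and becomes '-' afterwards."""
    args = argv_from_query(query)
    if args is None:
        return ("form", None)
    if any(a.startswith("-") for a in args):
        return ("block", None)
    return ("pass", b" ".join(best_fit(a, locale) for a in args))


def hardened_guard(query: str, locale: str) -> Decision:
    """Convert first and check what will actually reach the process; and refuse
    anything that is not plain printable ASCII to begin with, which closes the
    door on every other best-fit mapping you have not heard of yet."""
    args = argv_from_query(query)
    if args is None:
        return ("form", None)
    if any(not a.isascii() or not a.isprintable() for a in args):
        return ("block", None)
    converted = [best_fit(a, locale) for a in args]
    if any(c.startswith(b"-") for c in converted):
        return ("block", None)
    return ("pass", b" ".join(converted))


# Constructed request: soft hyphen (UTF-8 %C2%AD) followed by a switch letter.
ATTACK = "%C2%ADh"

if __name__ == "__main__":
    for loc in ("en-US", "ja-JP"):
        print(loc, "vulnerable:", vulnerable_guard(ATTACK, loc), "hardened:", hardened_guard(ATTACK, loc))
```

The decisive difference is the order of operations: the hardened version evaluates the bytes the launcher will pass, not the text the filter happened to receive.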

Downloader Beware

The ComfyUI project is a flowchart interface for doing AI image generation workflows. It’s an easy way to build complicated generation pipelines, and the community has stepped up to build custom plugins and nodes for generation. The thing is, it’s not always the best idea to download and run code from strangers on the Internet, as a group of ComfyUI users found out the hard way this week. The ComfyUI_LLMVISION node from u/AppleBotzz was malicious.

The node references a malicious Python package that grabs browser data and sends it all to a Discord or Pastebin. It appears that some additional malware gets installed, for continuing access to infected systems. It’s a rough way to learn.

PyTorch Scores a Dubious 10.0

CVE-2024-5480 is a PyTorch flaw that allows PyTorch worker nodes to trigger arbitrary eval() calls on the master node. No authentication is required to add a PyTorch worker, so this is technically an unauthenticated RCE, earning a CVSS of 10.0. Practically speaking it’s not that dire of a problem, as your PyTorch cluster shouldn’t be reachable from the Internet to start with, and the lack of authentication is a design choice. It’s not clear that the PyTorch developers consider this a legitimate security vulnerability at all. It may or may not be fixed with version 2.3.

Next Level Smishing

My least favorite term in infosec has to be “smishing”, a frankenword for SMS phishing. Cell phone carriers around the world are working hard to block spam messages, making smishing a harder task. And that’s why it’s particularly interesting to hear about a bypass that a pair of criminals were using in London. The technical details are light, but the police reported a “homemade mobile antenna”, “illegitimate telephone mast”, and “text message blaster” as part of the seized kit. The initial report sounds like it may be a sort of reverse stingray, where messages skip the regular cellular infrastructure and get sent directly to nearby cell phones. Hopefully more information will be forthcoming soon.

Zyxel’s NsaRescueAngel

The programmers at Zyxel apparently have a sense of humor, given the naming used for this mis-feature. Zyxel NAS units have a bit of magic code that writes a password for the new user, NsaRescueAngel, to the shadow password file. The SSH daemon is restarted, and upnp is fired off to request port forwarding from the outside world. One of the script names, possibly from a previous iteration, was open_back_door.sh, which seems to be sort of lampshading the whole thing.

It’s presumably intended to be a great troubleshooting tool, when a customer is stuck and needs help, to be able to visit a web url to enable remote access for a Zyxel tech. The problem is that the Zyxel NAS already has an authentication bypass flaw, and while it’s been patched, it wasn’t patched very well, making this whole scheme accessible without authentication, just by slapping /favicon.ico onto the url. The additional problems have been fixed in a more recent update.

Russian Secure Phablet?

A Twitter thread tells the story of a Russian secure device, left behind on the back of a bus in England. That’s an interesting premise. But the thread continues, that ‘conveniently the owner also left a briefcase with design notes, architecture, documentation, implementation, marketing material and internal Zoom demos about “trusted” devices too!’ OK, now this has to either be a fanfic, or a fell-off-the-back-of-a-truck story. There are some convincing-looking screenshots, and even ROM dumps. What’s going on here?

Nobody knew how the devices worked, conveniently the owner also left a briefcase with design notes, architecture, documentation, implementation, marketing material and internal Zoom demos about "trusted" devices too! We'd all have been lost without those. https://t.co/LN7cTybxOV pic.twitter.com/j5OCHprSie

— hackerfantastic.x (@hackerfantastic) June 11, 2024

The most likely explanation is that somebody got their hands on a trove of data on these devices, and wanted to dump it online with a silly story. But fair warning, don’t trust any of the shared files. Who knows what’s actually in there. Taking a look at something untrusted like this is an art in itself, best done with isolated VMs and burner machines, maybe a Linux install you don’t mind wiping?

Bits and Bytes

Buskill just published their 8th warrant canary, a cryptographically signed statement attesting that they have not been served any secret warrants or national security letters that would undermine the trustworthiness of the Buskill project or code. The signature proves who wrote it; to prove when, the canary also includes a handful of recent news headlines in the signed material, so it can’t be an old statement being replayed.

[Aethlios] has published Reset Tolkien, an open source tool for finding and attacking a very specific sort of weakness in time-based tokens. The targeted flaw is a token generated from an improper randomness source, like the current time. If the pattern can be found, a “sandwich attack” can narrow down the possible reset codes: request a reset code for a controlled account, request one for the target account, and then request one for the controlled account again. The target’s code must have been generated between the two known codes, which bounds the timestamp and therefore the token.
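The sandwich in code, as an added Python example that is not Reset Tolkien’s own: weak_token() is a constructed, deliberately broken generator (a hash of the millisecond clock), the timeline of three requests and the attacker’s skewed local clock are constructed too, and strong_token() shows the fix. The attacker inverts the two tokens they legitimately received by brute-forcing the clock around their own idea of the time, then enumerates every token the generator could have produced in between.

```python
"""Sandwich attack on a time-seeded reset token.  Added example; the weak
generator, the timeline and the attacker's clock skew are all constructed."""
import hashlib
import secrets
from typing import List, Optional


def weak_token(ts_ms: int) -> str:
    """Constructed vulnerable generator: a pure function of the millisecond
    clock, so anyone who can bound the timestamp can rebuild the token."""
    return hashlib.sha256(str(ts_ms).encode()).hexdigest()[:16]


def strong_token() -> str:
    """The fix: 256 bits from the OS CSPRNG, unrelated to the clock."""
    return secrets.token_urlsafe(32)


def invert_token(token: str, approx_ms: int, slack_ms: int) -> Optional[int]:
    """Recover the clock value behind a token the attacker legitimately holds
    (their own reset link) by brute force over approx_ms +/- slack_ms."""
    for t in range(approx_ms - slack_ms, approx_ms + slack_ms + 1):
        if weak_token(t) == token:
            return t
    return None


def sandwich_candidates(token_before: str, token_after: str,
                        approx_ms: int, slack_ms: int = 5000) -> List[str]:
    """Every token the generator could have issued strictly between the two
    tokens the attacker obtained for the controlled account."""
    t0 = invert_token(token_before, approx_ms, slack_ms)
    t1 = invert_token(token_after, approx_ms, slack_ms)
    if t0 is None or t1 is None or t1 <= t0:
        return []
    return [weak_token(t) for t in range(t0 + 1, t1)]


# Constructed timeline (server clock, ms): attacker, then victim, then attacker again.
T_ATTACKER_1 = 1_718_000_000_000
T_VICTIM = T_ATTACKER_1 + 37
T_ATTACKER_2 = T_ATTACKER_1 + 120
ATTACKER_CLOCK = T_ATTACKER_1 + 1500   # attacker's own clock, ~1.5 s off the server's


def run_demo():
    """Return (victim token recovered?, number of candidates to try)."""
    tok_a = weak_token(T_ATTACKER_1)    # read from the attacker's own email
    tok_v = weak_token(T_VICTIM)        # never seen by the attacker
    tok_b = weak_token(T_ATTACKER_2)    # read from the attacker's own email
    candidates = sandwich_candidates(tok_a, tok_b, ATTACKER_CLOCK)
    return tok_v in candidates, len(candidates)


if __name__ == "__main__":
    hit, n = run_demo()
    print(f"victim token in candidate set: {hit}; candidates to try: {n}")
    print(f"strong token example (not in any sandwich): {strong_token()}")
```

The candidate set is the size of the window in clock ticks, so the slower the attacker’s two requests, the larger it gets; the mitigation is to stop deriving tokens from the clock at all (and rate-limit the verification endpoint, which bounds how many candidates can be tried).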

And finally, TPM security is hard. This time, the Trusted Platform Module can be reset by reclaiming the GPIO pins connected to it and simulating a reboot by pulling its reset pin. The result is a TPM that may be talking to an application while it believes it is talking to the CPU during boot-time disk decryption. In short, it can result in compromised keys. Thanks to [char] from Discord for sending this one in!

FLOSS Weekly Episode 787: VDO Ninja — It’s a Little Bit Hacky

12 June 2024 at 23:00

This week Jonathan Bennett and Katherine Druckman chat with Steve Seguin about VDO.Ninja and Social Stream Ninja, tools for doing live WebRTC video calls, recording audio and video, wrangling comments on a bunch of platforms, and more!

https://docs.vdo.ninja/
https://docs.vdo.ninja/steves-helper-apps
https://docs.vdo.ninja/sponsor

Did you know you can watch the live recording of the show right in the Hackaday Discord? Have someone you’d like us to interview? Let us know, or contact the guest and have them contact us! Take a look at the schedule here.

Direct Download in DRM-free MP3.

If you’d rather read along, here’s the transcript for this week’s episode.


Hackaday Links: June 9, 2024

9 June 2024 at 23:00
Hackaday Links Column Banner

We’ve been harping a lot lately about the effort by carmakers to kill off AM radio, ostensibly because making EVs that don’t emit enough electromagnetic interference to swamp broadcast signals is a practical impossibility. In the US, push-back from lawmakers — no doubt spurred by radio industry lobbyists — has put the brakes on the move a bit, on the understandable grounds that an entire emergency communication system largely centered around AM radio has been in place for the last seven decades or so. Not so in Japan, though, as thirteen of the nation’s 47 broadcasters have voluntarily shut down their AM transmitters in what’s billed as an “impact study” by the Ministry of Internal Affairs and Communications. The request for the study actually came from the broadcasters, with one being quoted in a hearing on the matter as “hop[ing] that AM broadcasting will be promptly discontinued.” So the writing is apparently on the wall for AM radio in Japan.

There was another close call this week with our increasingly active sun, which tried but didn’t quite launch a massive stream of plasma out into space. The M-class flare was captured in the act by the Solar Dynamics Observatory, which keeps an eye on what’s going on with our star. The video of the outburst is fascinating; it almost looks like a CGI render, but it’s real imaging and pretty spectacular. The active region on the sun’s surface suddenly belches out a few gigatons of plasma, which quickly get sucked right back down to the surface. You can actually see the material following ethereal lines of magnetic force, and the way it splashes when it hits the surface is just beautiful. Seeing this puts us in the mood for a feature on the SDO and how it gets these fascinating images, so stay tuned for that.

Also in space news, we’re saddened by the sudden loss of yet another of the Apollo astronauts. Bill Anders, lunar module pilot on Apollo 8, died Friday in a small plane crash off San Juan Island in Washington. Anders, 90, was piloting the Beechcraft T-34 Mentor, a single-engine military trainer aircraft from the 1950s. Anders’ only trip in space was Apollo 8, but what a trip it was. Along with Commander Frank Borman and command module pilot James Lovell, they were the first humans to leave Earth orbit and visit another world, riding the mighty Saturn V rocket all the way to the Moon for a ten-orbit visit that paved the way for the landing on Apollo 11. He is also officially the luckiest photographer in history, having been in just the right place at just the right time to snap the famous “Earthrise” picture that gave us for the first time a Moon’s-eye view of our fragile little world:

Godspeed, Major General Anders.

In more mundane news, a story from Maryland that should give anyone who depends on tools for a living a moment’s pause. Police cracked a massive tool-theft ring thanks to the actions of a carpenter who, sick of having his tools ripped off repeatedly, stashed a couple of AirTags among his stock in trade. When the inevitable occurred and his tools took a walk yet again, he tracked them to a storage facility and alerted police. They in turn conducted an investigation and got search warrants for twelve locations, where the scale of this criminal enterprise became apparent. Check out the photos in the story; mountains of cordless tools sorted by brand, DeWalt yellow here and Milwaukee red there. There’s a surprising amount of puke-green Ryobi, too; are people really trying to make money with those tools? Between the piles of cordless tools and the rows of air compressors, the total value of the haul is estimated to be from $3 to $5 million. Hats off to the carpenter for running his own mini-sting operation.

And finally, from the Genuinely Interesting Apps files we have ShadeMap, which does exactly what you think it does: plot shade and shadow on a map. It has controls for time and date, and zooms down to a pretty fine level of detail, even for the free version. Shadows from buildings, terrain, and trees are calculated and displayed, making it perfect for surveys of locations for solar power installations. There’s also supposed to be a way to virtually remove shadow-casting features, although we couldn’t find it; perhaps in a paid version? That would be a handy tool indeed to see which trees need to be cut down or which buildings demolished to improve your solar aspect. YMMV on that last one, of course.

Happy Birthday, Tetris!

8 Junio 2024 at 14:00

Porting DOOM to everything that’s even vaguely Turing complete is a sport for the advanced hacker. But if you are just getting started, or want to focus more on the physical build of your project, a simpler game is probably the way to go. Maybe this explains the eternal popularity of games like PONG, Tetris, Snake, or even Pac-Man. The amount of fun you can have playing these games, relative to the size of the code needed to implement them, makes them evergreen.

Yesterday was Tetris’ 40th birthday, and in honor of the occasion, I thought I’d bring you a collection of sweet Tetris hacks.

On the big-builds side of things, it’s hard to beat these MIT students who used colored lights in the windows of the Green Building back in 2012. They apparently couldn’t get into some rooms, because they had some dead pixels, but at that scale, who’s complaining? Coming in just smaller, at the size of a whole wall, [Oat Foundry]’s giant split-flap display Tetris is certainly noisy enough.

Smaller still, although only a little bit less noisy, this flip-dot Tetris is at home on the coffee table, while this one by [Electronoobs] gives you an excuse to play around with RGB LEDs. And if you need a Tetris for your workbench, but you don’t have the space for an extra screen, this oscilloscope version is just the ticket. Or just play it (sideways) on your business card.

All of the above projects have focused on the builds, but if you want to tackle your own, you’ll need to spend some time with the code as well. We’ve got you covered. Way back, former Editor in Chief [Mike Szczys] ported Tetris to the AVR platform. If you need color, this deep dive into the way the NES version of Tetris worked also comes with demo code in Java and Lua. TetrOS is the most minimal version of the game we’ve seen, coming in at a mere 446 bytes, but it’s without any of the frills.

No Tetris birthday roundup would be complete without mentioning the phenomenal “From NAND to Tetris” course, which really does what it says on the package: builds a Tetris game, and your understanding of computing in general, from the ground up.

Can you think of other projects to celebrate Tetris’ 40th? We’d love to see your favorites!

This article is part of the Hackaday.com newsletter, delivered every seven days for each of the last 200+ weeks. It also includes our favorite articles from the last seven days that you can see on the web version of the newsletter. Want this type of article to hit your inbox every Friday morning? You should sign up!

This Week in Security: Recall, Modem Mysteries, and Flipping Pages

7 Junio 2024 at 14:00

Microsoft is racing to get into the AI game as part of Windows 11 on ARM, calling it Copilot+. It’s an odd decision, but clearly aimed at competing with the Apple M series of MacBooks. Our focus of interest today is Recall, a Copilot+ feature that not only has some security problems, but also triggers a sort of visceral response from regular people: My computer is spying on me? Eww.

Yes, it really sort of is. Recall is a scheme to take screenshots of the computer display every few seconds, run them through character recognition, and store the screenshots and results in a database on the local machine’s hard drive. There are ways this could be useful. Can’t remember what website had that recipe you saw? Want to revisit a now-deleted tweet? Is your Google-fu failing you to find a news story you read last week? Recall saw it, and Recall remembers. But what else did Recall see? Every video you watched, every website you visited, and probably some passwords and usernames you typed in.

Now to their credit, the folks at Microsoft knew this could be a problem, and took some steps to keep this data safe. The huge win here is that Windows 11 with Copilot+ will run an Azure AI instance right on the laptop, to do all the AI processing without sending any private data up to the cloud. And then on top of that, Recall data is encrypted at rest, which Microsoft claims is enough to keep attackers and other users out. The problem there is that encryption at rest only protects data from an attacker who gets hold of the disk without the running system’s keys; it does nothing against code already running on the logged-in machine. And even the offline case is incredibly hard to get right.

So let’s cut to the chase. How bad is it? [Kevin Beaumont] took a look, and the results aren’t pretty. The description sounded like Recall uses a per-user encryption system like EFS to keep the data safe. It’s not. Any admin user can access all the Recall databases on the machine. And of course, malware that gets installed can access it too. There’s already a tool available to decode the whole database, TotalRecall.

Recall is only planned to run on these Copilot+ devices, and can be turned off by the end user. Some of the security problem can be fixed, like the cross-user availability of the data. It’s going to be much harder to fix the privacy and malware issues.

Modem Mystery

This is sort of a two-part story, starting with a real mystery. [Sam Curry] was doing some research on a vulnerability, and noticed something odd when sending HTTP requests from his home network to a test server. Each HTTP request was sent a second time, from a separate IP address. That’s odd. A bit of investigation showed that the duplicates were copies of requests that had passed through his cable modem, replayed from a DigitalOcean VM. The culprit was a compromised cable modem, but it’s still an open mystery what exactly the purpose was of mirroring HTTP traffic this way. [Sam] went to his cable company to request a new modem, and turned the compromised unit over in the exchange, ruining his chance to figure out exactly what was on it.

The second part of this story is that curiosity about exactly how malware ends up on a modem eventually led [Sam] down the rabbit hole of Cox APIs and TR-069, the protocol that allows an ISP to manage devices at scale. The Cox API used a reverse proxy that could be tricked into showing a Swagger UI page, nicely documenting all the API endpoints available. That API had a quirk: send the same request multiple times, and it’s eventually accepted without authorization. That was the mother lode, allowing for arbitrary access to customer devices via the TR-069 support.

So mystery solved? Was this how [Sam]’s modem was hacked? Cox responded very rapidly to the vulnerability report, closing the problematic APIs within hours. But the vulnerability just wasn’t old enough. The original modem malware was in 2021, and this API didn’t launch until 2023. The mystery continues.

Linux Flipping Pages in the Wild

CISA has added another two vulnerabilities to its list of known-exploited vulnerabilities. One is the Check Point arbitrary file leak that we covered last week, and the other is the Flipping Pages vulnerability in the Linux kernel, made public back in March, with the fix predating the announcement, in February.

The core bug itself is pretty simple. A NetFilter chain in the kernel returns a verdict telling the network stack how to handle a packet. NF_DROP drops the packet, frees its memory, and hands the caller an error code that is packed into the upper bits of the verdict. Errors are supposed to come back as negative values, while a return of 1 means “accepted, keep processing”. nf_tables didn’t validate those upper bits, so a user could supply a drop verdict that decodes to a positive 1, putting the packet in the odd state of being dropped and accepted at the same time: its memory is freed, and then the stack keeps using it. The specific bug is a double free, which enables the Dirty Pagetable technique to overwrite arbitrary memory and trigger privilege escalation.
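
As an added illustration, here is a small C model of that verdict handling (this is the editor’s example, not the kernel’s code and not from the linked write-up). The NF_* constants and the NF_DROP_ERR encoding are the kernel’s; the hook, caller and packet structures are simplified stand-ins. It shows a DROP verdict carrying 0xFFFF in its error bits decoding to 1 once the value is treated as a signed int, the caller taking 1 as “accept” and touching the already-freed packet, and the check the fix added rejecting any DROP verdict that carries extra bits.

```c
#include <stdio.h>

/* Verdict encoding as in uapi/linux/netfilter.h. */
#define NF_DROP            0
#define NF_ACCEPT          1
#define NF_VERDICT_MASK    0x000000ff
#define NF_VERDICT_QBITS   16
/* A drop that also reports an errno: the positive errno sits in the upper 16 bits. */
#define NF_DROP_ERR(x)     ((((unsigned int)-(x)) << NF_VERDICT_QBITS) | NF_DROP)

/* Decoding goes through an int, so the shift is arithmetic on gcc/clang:
 * upper bits 0xFFFF make the int negative, the shift yields -1, negation yields 1. */
static inline int nf_drop_geterr(int verdict)
{
    return -(verdict >> NF_VERDICT_QBITS);
}

struct skb { int freed; char payload[16]; };   /* stand-in for struct sk_buff */

/* Model of nf_hook_slow(): 1 means "continue with the packet", negative means
 * the packet was dropped (and freed) with that errno. */
int model_hook_slow(struct skb *skb, unsigned int verdict)
{
    switch (verdict & NF_VERDICT_MASK) {
    case NF_ACCEPT:
        return 1;
    case NF_DROP: {
        skb->freed = 1;                        /* stands in for kfree_skb_reason() */
        int ret = nf_drop_geterr(verdict);
        if (ret == 0)
            ret = -1;                          /* kernel substitutes -EPERM */
        return ret;
    }
    default:
        return -1;
    }
}

/* Model of the NF_HOOK() caller: only ret == 1 continues with okfn(). */
int model_nf_hook(struct skb *skb, unsigned int verdict, int *used_after_free)
{
    int ret = model_hook_slow(skb, verdict);
    if (ret == 1) {
        *used_after_free = skb->freed;         /* okfn() on a freed skb: the bug */
        skb->freed++;                          /* ...and it will free it again later */
    }
    return ret;
}

/* Runs one packet through the model and reports whether it was touched after free. */
int packet_used_after_free(unsigned int verdict)
{
    struct skb s = { 0, "" };
    int uaf = 0;
    model_nf_hook(&s, verdict, &uaf);
    return uaf;
}

/* The shape of the validation the fix added to nft_verdict_init():
 * a base verdict may carry no extra bits at all. */
int verdict_is_valid(unsigned int code)
{
    switch (code) {
    case NF_ACCEPT:
    case NF_DROP:
        return 1;
    default:
        return 0;
    }
}

int main(void)
{
    unsigned int honest = NF_DROP_ERR(-1);             /* drop with -EPERM-style error */
    unsigned int hostile = 0xFFFF0000u | NF_DROP;      /* user-chosen "error" bits */
    printf("honest drop decodes to %d, hostile drop decodes to %d\n",
           nf_drop_geterr((int)honest), nf_drop_geterr((int)hostile));
    printf("packet used after free: honest=%d hostile=%d\n",
           packet_used_after_free(honest), packet_used_after_free(hostile));
    printf("fixed validation accepts hostile verdict: %d\n", verdict_is_valid(hostile));
    return 0;
}
```

The lesson generalises past this bug: when a return value multiplexes a status code and an error payload, every layer that can construct one has to be validated, because the consumer will happily decode a payload the producer never meant to allow.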

That vulnerability became more important to get patched, once a Proof of Concept (PoC) was published, allowing for easy use. And it’s apparently getting used, given the CISA announcement.

Binding Android

Up next is a nice walk-through of an Android vulnerability making use of the Binder Inter-Process Communication (IPC) device. As all the apps on Android run sandboxed, Binder is both an important part of the OS, and very accessible to apps — and hence not a good place for a vulnerability.

On the other hand, Binder is fairly complicated. It does memory management, connects multiple processes, transfers arbitrary data, and just generally has a difficult dance to do. It’s not surprising that there are vulnerabilities in that code. This one is a logic flaw in error handling, where an error can trigger the cleanup function to clean up objects that were never allocated. That results in a dangling pointer, which can be used for all sorts of things.

The first step in actual exploitation is to use the dangling pointer to leak a few bytes from kernel heap memory. That data can be used to build a fake binder object in the space, and then a delete function called on that fake object results in an “unlink”, or a way to modify kernel pointers. That unlink can be abused to build an arbitrary read primitive, by unlinking a fake pointer. The last trick is a cross-cache attack, where multiple objects are created and freed, to trick the allocator into putting something important under the dangling pointer. Putting it together, it allows a process to overwrite its own credentials struct, setting its ID to root.
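
The unlink step is the classic list-unlink write, and since the paragraph only names it, here is an added C demonstration of the primitive in isolation (constructed for this page; it is not the Binder code or the write-up’s exploit, and struct node, struct creds and the task/cred layout are stand-ins). Unlinking a forged node whose next and prev pointers the attacker chose stores one chosen pointer at one chosen address, with the constraint that the second store must land in writable memory.

```c
#include <stddef.h>
#include <stdio.h>

/* Doubly linked node in the style of the kernel's struct list_head. */
struct node {
    struct node *next;
    struct node *prev;
};

/* Textbook unlink. With a genuine node these two stores repair the list;
 * with a forged node they are two attacker-chosen pointer writes. */
static void list_unlink(struct node *n)
{
    n->prev->next = n->next;
    n->next->prev = n->prev;
}

/* The primitive: arrange prev/next so that unlinking writes `controlled`
 * into *target. Constraint: `controlled` must itself be writable memory at
 * least sizeof(struct node) long, because the second store lands in
 * controlled->prev. Returns the new contents of *target. */
void *unlink_write(void **target, void *controlled)
{
    struct node fake;
    /* prev->next = next: choose prev so that its ->next field is exactly `target`. */
    fake.prev = (struct node *)((char *)target - offsetof(struct node, next));
    /* next->prev = prev: `next` is the value we want written, and it gets written to. */
    fake.next = (struct node *)controlled;
    list_unlink(&fake);
    return *target;
}

/* Checks the basic property: after the unlink, *target == controlled. */
int unlink_write_hits_target(void)
{
    struct node scratch;                      /* writable, absorbs the second store */
    void *slot = NULL;
    return unlink_write(&slot, &scratch) == (void *)&scratch && slot == (void *)&scratch;
}

struct creds { unsigned int uid; unsigned int gid; };

/* Attacker-owned object laid out so the creds sit at offset 0 and the
 * unlink write-back (the ->prev slot) lands in space we do not care about. */
union forged_creds {
    struct creds c;
    struct node n;
};

/* The pointer swap the text describes: aim a task's cred pointer at
 * attacker memory that says uid 0. Returns the uid seen through the pointer. */
unsigned int demo_swap_creds(void)
{
    struct creds real = { 1000, 1000 };
    struct creds *task_cred = &real;          /* the field we want to overwrite */
    union forged_creds forged = { .c = { 0, 0 } };

    unlink_write((void **)&task_cred, &forged);
    return task_cred->uid;                    /* 0: the pointer now aims at forged creds */
}

int main(void)
{
    printf("unlink writes target: %d\n", unlink_write_hits_target());
    printf("uid after unlink write: %u\n", demo_swap_creds());
    return 0;
}
```

The constraint on the second store is the part people forget: `controlled->prev` gets overwritten too, so the forged object needs room where that write lands, which is what the union provides here. Modern kernels add safe-unlinking checks (verifying prev->next == n and next->prev == n before the stores), which is why real exploits look for unlink paths that skip the check or for ways to satisfy it with forged data.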

Make it a 9.8

When a company typos their latest CVSS score, reporting it a full point worse than it is, what’s a researcher to do? In this case, put the time in to find a way to make the severity rating worth it. It’s a Remote Code Execution in the Progress Telerik Report Server. The initial vulnerability report listed it as a post-authentication RCE.

The report server takes reports and turns them into pretty graphs and charts. Those reports arrive in the form of a serialized stream. And yes, the flaw is a deserialization attack, a ridiculously deep chain that finally ends in loading an arbitrary .NET type, which leads easily to a process start command.

The vulnerability requires some sort of authenticated user to trigger. We’re looking for pre-auth exploitation here. How about a first-run endpoint that doesn’t have any authentication code applied, and doesn’t go away after the server is configured. It’s not the first software to fall to this trap, and won’t be the last.

Bits and Bytes

The Chrome Root Store is kicking out a trusted Certificate Authority. It doesn’t happen often, but one of the tools to keep CAs behaving is the threat of removing them from the browser’s certificate store. “e-commerce monitoring GmbH” has been trusted for right around three years, and was fraught with problems from the very beginning.

Tavis has the rest of the Libarchive story. Why does Libarchive implement the RarVM, and why did Rar use a bytecode VM? Historical reasons.

The libarchive e8 vulnerability is actually really cool, but the ZDI advisory doesn't explain why it's so wild lol. For some reason, I know about RAR filters, so let me provide the background. 🧵 1/n

— Tavis Ormandy (@taviso) June 6, 2024

The Internet Archive is under attack by a Distributed Denial of Service attack (DDoS). It’s unclear exactly where the attack is coming from, but it is making the archive and the Wayback machine a bit spotty to access these days. And as the post says, it’s not just cyber-bullies trying to mess with our favorite library.

Extra Credit: Crypto is hard. This one takes a bit of time to work through and understand, but the gist is that one of NIST’s cryptography recommendations had a bit of an oversight in it. The scenario is that Alice and Bob both provide key material to derive an agreed-upon shared key. When one party gets to pick some of the initialization data, as well as one of the keys fed into this multi-key derivation, careful selection gives that party far too much control over the final key. The example given is an encrypted messaging app with a sneaky backdoor. This was discovered, never actually implemented that anyone knows of, and has been fixed in the NIST recommendation.

FLOSS Weekly Episode 786: What Easy Install Script?

5 Junio 2024 at 23:00

This week Jonathan Bennett and Rob Campbell chat with Brodie Robertson about Linux, Wayland, YouTube, Microsoft’s Windows Recall and more. Is Linux ready for new users? Is Recall going to kick off a migration? All this and more!

Main Channel: https://www.youtube.com/@BrodieRobertson

Podcast: https://www.youtube.com/@TechOverTea


Hackaday Links: June 2, 2024

2 Junio 2024 at 23:00
Hackaday Links Column Banner

So you say you missed the Great Solar Storm of 2024 along with its attendant aurora? We feel you on that; the light pollution here was too much for decent viewing, and it had been too long a day to make a drive into the deep dark of the countryside survivable. But fear not — the sunspot that raised all the ruckus back at the beginning of May has survived the trip across the far side of the sun and will reappear in early June, mostly intact and ready for business. At least sunspot AR3664 seems like it’s still a force to be reckoned with, having cooked off an X-class flare last Tuesday just as it was coming around from the other side of the Sun. Whether 3664 will be able to stir up another G5 geomagnetic storm remains to be seen, but since it fired off an X-12 flare while it was around the backside, you never know. Your best bet to stay informed in these trying times is the indispensable Dr. Tamitha Skov.

Back here on our soon-to-be-incinerated planet, you know we’ve reached the peak of the AI hype curve when you see something like AI-competitive thermal paste being hawked. That’s the marketing niche Cooler Master has staked out for its new Cryofuze 5 thermal paste, which is supposed to somehow make your computer smarter by keeping it cooler? Or maybe not; it’s not really clear from Cooler Master’s Chinese website for the product what the AI advantages are, and sadly the Cryofuze 5 line doesn’t seem to be offered on the US site. Which is a shame, because the new smartening goo comes in six designer colors that for all the world look like a Bob Ross palette — is that alizarin crimson and phthalo blue? Who in their right mind wouldn’t want a chance to color coordinate their thermal grease while simultaneously making their machine more AI competitive?

Speaking of AI, we’ve covered a lot of interactions between humans and autonomous vehicles in this column, with most of them tending toward the violent. But we’ve finally got a more heartwarming interaction to report, where a pedestrian helped a stuck delivery vehicle out of a tough spot. The truck, which is really only a little bigger than those munchie-delivering robots that ply college campuses, maneuvered itself onto a driveway sporting a pair of speed bumps spaced almost exactly as far apart as the vehicle’s wheelbase. The front wheels made it over the first bump, but when it came time to climb both obstacles at the same time, the poor little truck just couldn’t manage it. The fact that the bumps were a significant fraction of the wheel diameter on the tiny truck likely didn’t help, but thankfully a pedestrian took pity and gave the little fella a push. The bot’s rear wheels seemed to be having trouble clearing the last bump, too; the video cuts off too soon to tell, but we’ll give it the benefit of the doubt.

Victim blaming is generally in bad form, but if you don’t even bother to change the default password, can you really call a cyberattack a “break-in”? That’s the question we have after learning of an alarming increase in cyberattacks against public infrastructure in the US, including public water supplies in Pennsylvania and Texas. While the separate attacks resulted in no damage to the physical plants, the article links to a report listing some attacks that did result in damage, including an intentional release of 800,000 liters of sewage in Australia in 2000.

And finally, speaking of cybersecurity, if you’ve ever procrastinated on keeping your OS patched, what happened when a Windows XP machine was put online with no protection should spur you into action. YouTuber Eric Parker put an XP machine on the raw internet — no router, no firewall, and no anti-malware software. It only took about ten minutes for the first signs of infection to appear, and things went downhill pretty fast from there. Parker notes that the same setup on a Windows 7 machine resulted in no major malware infections after several hours, which should be a gut punch to those who fought so long against updating from XP.
