What can you do with a cheap Linux machine with limited flash and only a single free GPIO line? Probably not much, but sometimes, just getting root to prove you can is the main goal of a project. If that happens to lead somewhere useful, well, that’s just icing on the cake.

Like many interesting stories, this one starts on AliExpress, where [Easton] spied some low-cost WiFi repeaters, the ones that plug directly into the wall and extend your wireless network another few meters or so. Unable to resist the siren song, a few of these dongles showed up in the mailbox, ripe for the hacking. Spoiler alert: although the attempt on the first device had some success by getting a console session through the UART port and resetting the root password, [Easton] ended up bricking the repeater while trying to install an OpenWRT image.

The second attempt, this time on a different but similar device, proved more fruitful. The rudimentary web UI provided no easy path in, although it did a pretty good job enumerating the hardware [Easton] was working with. With the UART route only likely to provide temptation to brick this one too, [Easton] turned to a security advisory about a vulnerability that allows remote code execution through a specially crafted SSID. That means getting root on these dongles is as simple as a curl command — no hardware hacks needed!

As for what to do with a bunch of little plug-in Linux boxes with WiFi, we’ll leave that up to your imagination. We like [Easton]’s idea of running something like Pi-Hole on them; maybe Home Assistant would be possible, but these are pretty resource-constrained machines. Still, the lessons learned here are valuable, and at this price point, let the games begin.

One of the most troubling trends of almost every modern consumer product that uses electricity is that the software that controls the product is likely to be proprietary and closed-source, which could be doing (or not doing) any number of things that its owner has no control over. Whether it’s a computer, kitchen appliance, or even a device that handles the electricity directly, it’s fairly rare to find something with software that’s open and customizable. That’s why [Traditional-Code9728] is working on a power bank with an open-source firmware.

From a hardware perspective the power bank is fairly open as well, with a number of options for connecting this device to anything else that might need power. It sports a bidirectional USB-C port as well as a DC barrel plug, either of which can either charge other devices or receive energy to charge its own battery. These ports can also accept energy from a solar panel and have MPPT built in. There’s also dual USB-A ports which can provide anywhere from five to 12 volts at 25 watts, and a color screen which shows the current status of the device.

While this is a prototype device, it’s still actively being worked on. Some future planned upgrades to the power bank include a slimmer design, charge limiting features to improve battery life, and more fine-tuned control of the output voltage and current on the USB-C port. With all of the software being open-source, as well as the circuit diagram and 3D printing files, it could find itself in plenty of applications as well. This power bank also stays under the energy limits for flying on most commercial airlines as well, but if you don’t plan on taking your power bank on an airplane then you might want to try out this 2000-watt monster instead.

We finally have some answers about the Windows IPv6 vulnerability — and a Proof of Concept! The patch was a single change in the Windows TCP/IP driver’s Ipv6pProcessOptions(), now calling IppSendError() instead of IppSendErrorList(). That’s not very helpful on its own, which is why [Marcus Hutchins]’s analysis is so helpful here. And it’s not an easy task, since decompiling source code like this doesn’t give us variable names.

The first question that needs answered is what is the list in question? This code is handling the option field in incoming IPv6 packets. The object being manipulated is a linked list of packet structs. And that linked list is almost always a single member list. When calling IppSendErrorList() on a list with a single member, it’s functionally equivalent to the IppSendError() in the fixed code. The flaw must be in the handling of this list with multiple members. The only way to achieve that criteria is to send a lot of traffic at the machine in question, so it can’t quite keep up with processing packets one at a time. To handle the high throughput, Windows will assemble incoming packets into a linked list and process them in batch.

So what’s next? IppSendErrorList(), takes a boolean and passes it on to each call of IppSendError(). We don’t know what Microsoft’s variable name is, but [Marcus] is calling it always_send_icmp, because setting it to true means that each packet processed will generate an ICMP packet. The important detail is that IppSendError() can have side effects. There is a codepath where the packet gets reverted, and the processing pointer is set back to the beginning of the packet. That’s fine for the first packet in the list, but because the function processes errors on the entire list of packets, the state of the rest of those packets is now much different from what is expected.

This unexpected but of weirdness can be further abused through IPv6 packet fragmentation. With a bit of careful setup, the reversion can cause a length counter to underflow, resulting in data structure corruption, and finally jumping code execution into the packet data. That’s the Remote Code Execution (RCE). And the good news, beyond the IPv6-only nature of the flaw, is that so far it’s been difficult to actually pull the attack off, as it relies on this somewhat non-deterministic “packet coalescing” technique to trigger the flaw.

CVE Hunting Made Easy

[Eddie Zhang] wanted to take the easy road to finding CVEs. To his immense credit, he did not ask ChatGPT to hallucinate vulnerabilities for him, but instead built an automation chain to find possible vulns. The idea is simple: Download as many WordPress plugins as he could, run Semgrep over the corpus, throw the results in a SQL database, and take a closer look at the most promising findings.

That starts by writing a SQL query, naturally. The interesting flaws were SELECTed, and then the different plugins run in a test bench setup to try to trigger actual vulnerable code. And it’s not a bad approach, judging by the 14 CVEs found in 3 afternoons of work.

Moodle

RedTeam Pentesting got to have a field day with the Moodle platform. Moodle is a web-based distance learning solution written in PHP. And to get the flavor of how this went, the test grading logic is written in PHP — and eval()‘d on the server during grading. Now it’s not quite as bad as it sounds. There is sanitization done, and the set of symbols, characters, and functions are rather limited.

PHP has a pretty interesting type system. Something like acos(2), inverse of the cosine of 2, returns a result of Not a Number, or NAN. The dot . symbol does string concatenation in PHP, and putting those together, acos(2) . acos(2) results in a string, NANNAN. It gets better, as it’s then possible to do bitwise manipulation of those strings, eventually unlocking the entire alphabet. A few more tricks like PHP’s variable functions, variable variables, and other fun language contortions. Eventually we get to system() and escape into the system.

Hacking the TSA

[Ian Carroll] and [Sam Curry] bring an unfortunate tale of clever hacking, cover ups, and incompetence. The actual hack is pretty straightforward, a SQL injection in a login system. The real problem is that this login is in the official airline security systems that controls the Known CrewMember and Cockpit Access Security System. That’s the list of people that get to skip TSA checkpoints altogether, and that get access to airplane cockpits in flight. Not good.

The good news is that after disclosure, the Department of Homeland Security quickly secured the vulnerable site. The takes a turn for the worse, when it came time for disclosure. TSA issues a factually incorrect statement about what is required to use the KCM system. [Ian] and [Sam] reached out again to try to set the record straight about the severity of the finding. In response, the TSA quietly deleted the FAQ that spells out how bad the vulnerability could be. Not a great look.

Bits and Bytes

For your data and packet capture needs, Wireshark 4.4 is out. Among the normal improvements, there’s better VoIP support, a handful of new protocols, and some IPv6 tweaks to make life easier.

Ever wondered how to do effective sandboxing in Linux? Hardened Linux has you covered. There are some obvious things like limited filesystem access, but it might be more useful to read about seccomp to limit the available system calls to your sandboxed program. The article is an overview of the individual techniques, and then some of the more popular all-in-one solutions like firejail, bubblewrap, and landlock.

Volt Typhoon, a collection of hackers believed to be working on behalf of the Chinese government has begun using a vulnerability in Versa Director to attack businesses. Version 22.1.4 of the network management platform fixes the vulnerability, which allowed for executable java filew to be disguised as PNGs and uploaded to the platform.

And finally, one of the sneakier ways to stay on a Linux system is to use udev. For attackers, it’s always a challenge to make sure the malware starts up on each boot, and yet doesn’t attract any attention. There are plenty of places to hide a startup hook, but this one creates a udev rule to automatically run early in boot when the /dev/random device is created. How often do you audit your udev files? Sneaky!

[The Thought Emporium] has been fascinated by holograms for a long time, and in all sorts of different ways. His ultimate goal right now is to work up to creating holograms using chocolate, but along the way he’s found another interesting way to manipulate light. Using specialized diffraction gratings, a laser, and a few lines of code, he explores a unique way of projecting hologram-like images on his path to the chocolate hologram.

There’s a lot of background that [The Thought Emporium] has to go through before explaining how this project actually works. Briefly, this is a type of “transmission hologram” that doesn’t use a physical object as a model. Instead, it uses diffraction gratings, which are materials which are shaped to light apart in specific ways. After some discussion he demonstrates creating diffraction gratings using film. Certain diffraction patterns, including blocking all of the light source, can actually be used as a lens as the light bends around the blockage into the center of the shadow where there can be focal points. From there, a special diffraction lens can be built.

The diffraction lens can be shaped into any pattern with a small amount of computer code to compute the diffraction pattern for a given image. Then it’s transferred to film and when a laser is pointed at it, the image appears on the projected surface. Diffraction gratings like these have a number of other uses as well; the video also shows a specific pattern being used to focus a telescope for astrophotography, and a few others in the past have used them to create the illusive holographic chocolate that [The Thought Emporium] is working towards.

There have been some hilarious issues on mobile devices over the years. The HTC Dream had a hidden shell that was discovered when a phone rebooted after sending a text containing just the word “reboot”. iOS has gotten in on the fun from time to time, and this time it’s ""::. Type the double quotes, a colon, and any other character, and Apple’s Springboard service crashes.

Another hacker dug in a bit, and realized that Springboard is trying to jump execution to a null pointer, leading to a crash. It’s very odd that user input breaks the query parser badly enough to jump to null like that. There are a couple interesting questions that we have to ask. Given that the crash trigger is quite flexible, "anything goes":x, is it possible to manipulate that function pointer to be something other than null? And perhaps more importantly, why is the code crashing, instead of an invalid address error as one would expect from a Pointer Authentication Code (PAC) violation? Regardless, the bug seems to be fixed in the latest iOS 18 builds.

Typing “”:: in various search bars (e.g. in Settings .app) on iOS, will cause a crash! https://t.co/P4Ax0z9W9F (by: @lorenzofb)

….let's dig into why

— Patrick Wardle (@patrickwardle) August 21, 2024

OpenBMC

OpenBMC is something of a reference Baseboard Management Controller, and as such it’s the upstream for other implementations. And it has a fairly serious issue, in the slpd-lite service, which just happens to be installed and enabled by default. SLP is the Service Location Protocol, a service discovery protocol, which is something of a predecessor to Zeroconf. Slpd-lite has a pair of issues that result in trivial heap reads and writes, beyond the intended buffer.

The slpd-lite project patched the issues about a week after disclosure, back in May. In June, the patch and an advisory was applied to OpenBMC itself. Nice and speedy action. Now to get all the downstream vendors to apply it, too.

WordPress LightSpeed Falls to Weak Hash

The LightSpeed Cache plugin for WordPress does something really clever, but in a way that managed to allow admin authentication bypasses. To cache pages that a logged-in user would see, the plugin’s crawler simulates each user loading the site, and caches that. To protect that cache, a random string is generated. The problem is that this random generation is seeded using the current time, only the microsecond portion of the time. So one of only a million possible values. And while a million is a lot when talking about physical objects, it’s not nearly enough when talking about cryptography.

To log in as a user using this weak hash, an attacker only has to guess te proper user ID (usually 1 is an admin) and then hit the right hash value. Lightspeed hash released a fix, but this is a severe issue, and we should expect to see exploitation attempts — And that didn’t take long. This one could be nasty, as something like 3.5 million sites are still running the vulnerable version of the plugin. Wordfence has already blocked 48,500 in the first 24 hours of this attack being publicly known.

Insulin, Privacy, and Firewalls

[Remy] fron Greynoise Labs is on a bit of a crusade against insecure Bluetooth. And make no mistake, Bluetooth can be a problem. Case in point, the FDA has issued a recall on a particular insulin pump, because the iOS app could enter a crash loop, and the continual Bluetooth re-connections drained the device’s batteries. Battery drain may seem like a mild inconvenience, but apparently over 200 people have reported injuries as a result.

So in this push for more secure use of Bluetooth, [Remy] mined a collection of Android applications for Bluetooth UUIDs. Those are unique identifiers of what kind of device is advertising Bluetooth. With this new treasure trove of identifiers, it was only natural to write a Bluetooth UUID scanner. And this is where a bit of a bizarre coincidence took place. At the some moment [Remy] fired up this scanner, his local Internet access dropped. As a result, his Firewalla firewall started advertising a Bluetooth Low Energy interface. The database returned a hit, and [Remy] had the Android APK to look at.

The Firewalla scheme for authenticating that BLE interface was lacking, with a handful of possible issues, like only checking the first 8 characters of a UUID key. And once past that initial hurdle, further administration tasks are secured using a JSON Web Token. That token’s signing key was global for all Firewally devices, and trivially derived from either firmware or the Android APK. And that’s not even all, since there were also command injection issues over the same Bluetooth link. Firewalla has released version 1.979 to address these issues.

Moar Bluetooth

If that wasn’t enough Bluetooth, the Zero Day Initiative has us covered, with coverage of a pair of flaws in the Autel Maxicharger vehicle charging station. The first was a simple buffer overflow in the Bluetooth data handling, leading to possible Remote Code Execution (RCE). The second issue was the presence of “Backup credentials” in the firmware’s WiFi handling.

Bits and Bytes

“Insufficient sanitization” is not a feature you want in your microservices. Spring’s Cloud Dataflow is a tool to plug data flows in to various other applications. Before a recent patch fixed it, Dataflow was doing some basic checks on file uploads, like looking for nulls or empty files. The problem was some very simple path traversal attacks. Name a package name with ../../../poc, and while the service may throw an error, it still creates the files as requested. 2.11.3 has shipped with the fix, so time to update!

And speaking of bypasses, ingress-nginx has a validation bypass, allowing unauthorized access to Kubernetes clusters using that controller. Kubernetes supports annotations as a sort of metadata system, and ingress-nginx was failing to properly validate those annotations, which could then be used for command injection.

And finally, I think I’ve played this video game. Except this time, someone actually tried to hack himself out of existence. The FBI discovered that a criminal had not only used stolen social security numbers to commit fraud, he had gone so far as to register his own death in a Government system, using stolen credentials. It didn’t turn out so well, as he was discovered alive, and sentenced to jail time for the effort.

FLUX is an AI text-to-image model developed by Black Forest Labs which features 12 billion parameters. This model excels in generating highly realistic and detailed images from text prompts, in some cases surpassing previous models like Stable Diffusion and even Midjourney in image quality and prompt accuracy. Flux is versatile, capable of producing photorealistic images, […]

Source

Although the designation ‘Air Force One’ is now commonly known to refer to the airplane used by the President of the United States, it wasn’t until Eisenhower that the US President would make significant use of a dedicated airplane. He would have a Lockheed VC-121A kitted out to act as his office as commander-in-chief. Called the Columbine II after the Colorado columbine flower, it served a crucial role during the Korean War and would result the coining of the ‘Air Force One’ designation following a near-disaster in 1954.

This involved a mix-up between Eastern Air Lines 8610 and Air Force 8610 (the VC-121A). After the Columbine II was replaced with a VC-121E model (Columbine III), the Columbine II was mistakenly sold to a private owner, and got pretty close to being scrapped.

Although nobody is really sure how this mistake happened, it resulted in the private owner stripping the airplane for parts to keep other Lockheed C-121s and compatible airplanes flying. Shortly before scrapping the airplane, he received a call from the Smithsonian Institution, informing him that this particular airplane was Eisenhower’s first presidential airplane and the first ever Air Force One. This led to him instead fixing up the airplane and trying to sell it off. Ultimately the CEO of the airplane maintenance company Dynamic Aviation, [Karl D. Stoltzfus] bought the partially restored airplane after it had spent another few years baking in the unrelenting sun.

Although in a sorry state at this point, [Stoltzfus] put a team led by mechanic [Brian Miklos] to work who got the airplane in a flying condition by 2016 after a year of work, so that they could fly the airplane over to Dynamic Aviation facilities for a complete restoration. At this point the ‘nuts and bolts’ restoration is mostly complete after a lot of improvisation and manufacturing of parts for the 80 year old airplane, with restoration of the Eisenhower-era interior and exterior now in progress. This should take another few years and another $12 million or so, but would result in a fully restored and flight-worthy Columbine II, exactly as it would have looked in 1953, plus a few modern-day safety upgrades.

Although [Stoltzfus] recently passed away unexpectedly before being able to see the final result, his legacy will live on in the restored airplane, which will after so many years be able to meet up again with the Columbine III, which is on display at the National Museum of the USAF.

Acobot allows you to create an AI chatbot or assistant for your website that is designed to grow your e-commerce business. The chatbot is aimed at engaging with your website visitors, converting them into paying customers, and keep them coming back for more. Acobot addresses common e-commerce challenges such as low conversion rates, high cart […]

Source

Recaster AI is an e-commerce tool which lets you generate SEO content and keywords for your product images. Simply add your product images or import CSV data, and Recaster AI will produce content for every necessary field on your e-commerce platform. It works great for stores that sell many items on Shopify, WordPress, Amazon, Ali […]

Source

SEOlligence is an AI-powered tool that translates and fills in the SEO elements of the product page in order to localize your online shop and be product SEO-friendly in each language. With SEOlligence, businesses can improve their search rankings, drive organic traffic, and attract more customers. The tool is compatible with all e-commerce platforms and […]

Source

WiziShop is an all-in-one ecommerce platform that makes it easy to create and manage your online store. With powerful and user-friendly tools, free education and training, WiziShop helps you achieve long-term success. There are cloud-based features and AI-powered productivity tools all designed to help you get your store up and running as quick as possible.

Source

De acuerdo a un nuevo tweet de kopite7kimi, el insider más confiable cuando se trata de filtraciones de Nvidia, parece que la compañía verde no lanzará sus nuevas GeForce RTX 50 con arquitectura Blackwell en el 2024, sino que lo hará a principios del 2025.

Dado que la CES 2025 se llevará a cabo en Las Vegas del 7 al 10 de enero, es muy probable que Nvidia cambie los planes de anunciar sus próximas GPUs en un evento propio (más allá de que estará presente en la Gamescom de este año) y lance las tarjetas pocos después.

Históricamente, los anuncios de Nvidia se llevan a cabo en agosto y las primeras placas de cada arquitectura se lanzan a fines de septiembre o principios de octubre, como ocurrió con la RTX 3090 y RTX 4090, respectivamente. En la CES por lo general se ha presentado las variantes para laptops de la última arquitectura de Nvidia, pero esta vez quizás se anuncien las GPUs de escritorio y para laptops de manera simultánea, o dejen estas últimas para más adelante.

Por supuesto, la decisión de Nvidia no es casual. Ni AMD ni Intel planean lanzar nuevas GPUs de escritorio en el 2024, por lo que GPUs como la RTX 4080 SUPER o RTX 4090 siguen siendo las tarjetas gráficas más potentes del mercado y no tienen un competidor directo (sobre todo la última, mucho menos en ray  tracing).

Más allá de que las RTX 40 no han tenido mucha competencia por parte de AMD, sin importar cuan baratas cuestan las RX 7900 XT o RX 7900 XTX, Nvidia es una compañía, y como tal generaría muchos ingresos con las ventas de la Serie RTX 50, pero dado el gran crecimiento que ha tenido la empresa verde en estos últimos años, quizás el dinero no es una preocupación apremiante y las RTX 40 aun tienen mucha vida por delante.

I think we won't see RTX 50 until CES.

— kopite7kimi (@kopite7kimi) July 22, 2024

Acerca de Nvidia

Desde su fundación en 1993, NVIDIA (NASDAQ: NVDA) ha sido pionera en el campo de la aceleración computacional. La invención de la GPU por parte de la compañía en 1999 estimuló el crecimiento del mercado de juegos para PC, redefinió los gráficos por ordenador, inauguró la era de la IA moderna y ha contribuido a la digitalización industrial en todos los mercados. En la actualidad, NVIDIA es una empresa de infraestructuras informáticas completas con soluciones a escala de centro de datos que están revolucionando la industria.

La entrada Nvidia lanzaría la Serie GeForce RTX 50 con Arquitectura Blackwell a principios del 2025 según información de un reconocido Insider apareció primero en PC Master Race Latinoamérica.

GetResponse is a professional email marketing platform that offers solutions for businesses of all sizes. With their new AI Email Generator, you can create high-quality emails and subject lines quicker than ever. GetResponse provides a suite of marketing tools including email marketing, website building, marketing automation, and ecommerce marketing. Whether you’re a new business looking […]

Source

To install Stable Diffusion locally will require a bit of Python and GitHub knowledge, but it’s not too difficult and really you can have the whole thing set up and running in less than an hour! The easiest way to install Stable Diffusion in my opinion is using the AUTOMATIC1111 WebUI tool on GitHub. To […]

Source

Styleriser offers AI-powered curation for eyewear and apparel for your ecommerce store. The AI recommendations can increase your conversion rate, decrease returns, and enhance your customers shopping experience. Styleriser uses an AI called StyleIQ with real-time facial analysis, which creates a unique shopping experience by highlighting items that match your shoppers’ colors and style.

Source

Describely is an AI-powered marketing tool that instantly generates high-quality product descriptions, titles, meta tags, and more for ecommerce websites. It streamlines product content creation by integrating with your product catalog and ecommerce platforms. Describely offers bulk content generation, custom brand voice, integrated review flow, and seamless ecommerce integrations with most popular platforms like Shopify.

Source

Zevi AI is a neural search engine for eCommerce brands to boost conversion and improve average order value. The tool features a full integration with Shopify to help manage your store and provide useful analytics, it also provides enterprise solutions for bigger businesses and stores.

Source

Rep AI is an AI-powered eCommerce concierge, specifically designed for Shopify merchants. It offers a guided shopping experience, handling the entire process for your customers within a chat interface. With behavioral AI and conversational AI, Rep provides personalized recommendations, understands natural language, and answers product-related questions. It integrates seamlessly with various Shopify stores and helps […]

Source

Tras del lanzamiento de Hellblade 2 y XDefiant, además de otros próximos F1 24 y Serum, Nvidia publicó el nuevo set de controladores 555.85 con soporte oficial y mejoras de optimización para  todos los títulos mencionados.

Según el desarrollador de Lossless Scaling, este set de drivers tiene un problema con el Frame Generation de dicha aplicación (LSFG 2.0), aumentando el uso de GPU 3 o 4 veces más de lo que deberían. Así que si están usando LSFG 2.0, no instalen estos controladores.

F1 24, Hellblade 2 y Serum cuentan y/o contarán con soporte para DLSS, DLAA y Frame Generation, mientras que XDefiant es compatible con Reflex para reducir la latencia.

Los interesados en descargar el nuevo set 555.85 de Nvidia pueden hacerlo en su sitio web oficial o desde la herramientas GeForce Experience o la Beta de la App de Nvidia.

En caso de tener un rendimiento inferior al de previos controladores, es recomendable deshabilitar el overlay de la App de Nvidia, el cual reduce el rendimiento según reportó un usuario de Guru3D.

Errores de juego solucionados

• Tekken 8 puede fallar aleatoriamente durante el juego en tarjetas gráficas GeForce GTX serie 10. [4503216]
• Horizon Forbidden West Complete Edition: Menor utilización de GPU cuando Reflex está configurado en “Activado + Boost” [4412035]

Errores generales corregidos

• Blender Cycles: el desenfoque de movimiento se representa incorrectamente con algunas arquitecturas de GPU [4607411]

Productos Soportados en los drivers 555.85:

La entrada Nuevos Drivers GeForce 555.85 para F1 24 (DLSS 3), Hellblade 2 (DLSS 3), Serum (DLSS 3) y XDefiant (Reflex) apareció primero en PC Master Race Latinoamérica.