
Portable, Full-Size Arcade Cabinets

27 June 2024 at 20:00

Believe it or not, there was a time when the only way for many of us to play video games was to grab a roll of quarters and head to the mall. Even though there’s a working computer or video game console in essentially every house now, that doesn’t mean we don’t look back on those times with a certain nostalgia. Some have turned to restoring vintage arcade cabinets and others build their own. This hackerspace got a unique request for a full-sized arcade cabinet that was also easily portable.

The original request was for a portable arcade cabinet, and the original designs were for a laptop-like tabletop arcade. But further back-and-forth made it clear they wanted full-size cabinets that just happened to also be portable. So with those criteria in mind the group started building the units. The updated design is modular, allowing the controls, monitor, and Raspberry Pi running the machines to be in self-contained units, with the cabinets in two parts that can quickly be assembled on-site. The base is separate and optional, with the top section capable of being assembled on the base or on something like a tabletop or bar, and the electronics section quickly drops in.

While the idea of a Pi-powered arcade cabinet is certainly nothing new, the quick build, prototyping, design, and final product that’s mobile and quickly assembled are all worth checking out. There is even more information on the build at the project’s GitHub page including Fusion 360 models. If you need your cabinets to be even more portable, this tabletop MAME cabinet is a great place to start.

This Week in Security: Operation Endgame, Appliance Carnage, and Router Genocide

31 May 2024 at 14:00

This week saw an impressive pair of takedowns pulled off by law enforcement agencies around the world. The first was the 911 S5 botnet, which the FBI is calling “likely the world’s largest botnet ever”. Spreading via fake free VPN services, 911 was actually a massive proxy service for crooks. Most recently, this service was operating under the name “Cloud Router”. As of this week, the service is down, the web domain has been seized, and the alleged mastermind, YunHe Wang, is in custody.

The other takedown is interesting in its own right. Operation Endgame seems to be psychological warfare as well as actual arrests and seizures. The website features animated shorts, a big red countdown clock, and a promise that more is coming. The actual target was the ring that manages malware droppers, sort of middlemen between initial shellcode and doing something useful with a compromised machine. This initial volley includes four arrests, 100+ servers disrupted, and 2,000+ domains seized.

The arrests happened in Armenia and Ukraine. The messaging around this really seems to be aimed at the rest of the gang that’s out of reach of law enforcement for now. Those criminals may still be anonymous, or operating in places like Russia and China. The unmistakable message is that this operation is coming for the rest of them sooner or later.

Checkpoint CloudGuard

And now we turn to the massive number of security and VPN appliances that got detailed exploit write-ups this week. First up is the Watchtowr treatment of the Check Point CloudGuard appliance and its high-priority information exposure CVE. This vulnerability already has a patch, so the obvious starting point is patch diffing. Thanks to a new log message in the patch, it’s pretty clear that this is actually a path traversal attack.

The vulnerable endpoint is /clients/MyCRL, which is a file download endpoint used for fetching updates to the VPN client. Based on Check Point’s CVSS string regarding this vulnerability, that endpoint is accessible without any authentication. The thing about this endpoint is that it takes an argument, and returns the file requested based on that argument. There is a list of allowed files and folders, but the check on incoming requests uses the strstr() C function, which simply checks whether one string contains a second.

One of the entries on this list was the CSHELL/ directory, which is the last piece of the puzzle to make for a nasty exploit. Send a POST to /clients/MyCRL requesting aCSHELL/../../../../../../../etc/shadow and the shadow password file is returned. This gives essentially arbitrary file read due to path traversal on a public endpoint.
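The substring check described above, next to an anchored alternative, as an added example (not code from the vendor or from the write-up). The `updates/` allowlist entry, the `client.bin` filename and all function names are assumptions, and the request string is assumed to be already URL-decoded.

```c
#include <stdio.h>
#include <string.h>

/* Constructed allowlist: only "CSHELL/" comes from the article. */
static const char *const ALLOWED[] = { "CSHELL/", "updates/" };
#define N_ALLOWED (sizeof ALLOWED / sizeof ALLOWED[0])

/* Weak check as described: accept if an allowed entry appears anywhere. */
int allowed_substring(const char *req)
{
    for (size_t i = 0; i < N_ALLOWED; i++)
        if (strstr(req, ALLOWED[i]) != NULL)
            return 1;
    return 0;
}

/* Return 1 if any '/'-separated component is "..", "." or empty. */
static int has_unsafe_component(const char *req)
{
    const char *p = req;
    while (*p) {
        size_t len = strcspn(p, "/");
        if (len == 0 || (len == 1 && p[0] == '.') ||
            (len == 2 && p[0] == '.' && p[1] == '.'))
            return 1;
        p += len;
        if (*p == '/')
            p++;
    }
    return 0;
}

/* Hardened check: no traversal components, and the allowed entry must be
 * the start of the path rather than merely contained in it. */
int allowed_strict(const char *req)
{
    if (has_unsafe_component(req) || strchr(req, '\\') != NULL)
        return 0;
    for (size_t i = 0; i < N_ALLOWED; i++)
        if (strncmp(req, ALLOWED[i], strlen(ALLOWED[i])) == 0)
            return 1;
    return 0;
}

int main(void)
{
    /* First request is constructed; the second is the one quoted above. */
    const char *reqs[] = { "CSHELL/client.bin",
                           "aCSHELL/../../../../../../../etc/shadow" };
    for (size_t i = 0; i < 2; i++)
        printf("%-42s substring=%d strict=%d\n", reqs[i],
               allowed_substring(reqs[i]), allowed_strict(reqs[i]));
    return 0;
}
```

A file server would additionally resolve the final path with realpath() and confirm it still sits under the intended base directory, which also covers symlinks.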

Interestingly, the vendor states that the issue only affects devices with username-and-password authentication enabled, and not with the (much stronger) certificate authentication enabled.

There’s some definite weirdness going on with how the CVSS score was calculated, and how Check Point opted to disclose this. Cross-referencing from another vendor’s statement, it becomes clear that the fastest way to turn this into a full exploit is by grabbing the password hashes of users, and any legacy local users with password-only accounts can be mined for weak passwords. But make no mistake, this is an unauthorized arbitrary file read vulnerability, and the hash capture is just one way to exploit it. Attacks are ongoing, and the fix is available.

Fortinet FortiSIEM

One of my most/least favorite things to cover is trivial vulnerability patch bypasses. There’s nothing that disturbs and amuses like knowing that a Fortinet command injection in the NFS IP address was rediscovered in the NFS mount point field of the exact same endpoint.

If the botched fix wasn’t bad enough, the public disclosure was almost worse. There was over a month of lag between the disclosure and reproduction of the reported issue. Then Fortinet silently rolled out patches a couple weeks later, with no disclosure at all. The CVEs were eventually released, but then claimed to be a duplicate, and published in error. And now finally the whole story is available.

Ivanti Landesk

And rounding out the appliance vulnerabilities is this one in the Ivanti Landesk, where a data flow can reach a strncpy() call that takes user-supplied input for the number of bytes to copy, and a fixed buffer destination. Overflowing that buffer allows for function pointer overwrite, and writing even more data into this area eventually reaches a read-only section of memory. The write attempt triggers an exception, which bounces through a few functions, and eventually calls a pointer that has already been overwritten in the attack. A bit of Return Oriented Programming (ROP) magic, and the shellcode is marked executable and jumped into, for arbitrary code execution.

The flaw does require a low-privilege user account, and the vulnerable code hasn’t been in the product since the 2021.1 release. Ivanti has issued a CVE, but since the last vulnerable release is outside its support window, there won’t be any patches published.

Bricking 600,000 Routers

This one is just odd. Last year, the US ISP Windstream had about 600,000 DSL routers crash and permanently die over three days. The theory at the time was that this was a flubbed firmware upgrade, but researchers from Lumen did some quick detective work, and managed to snag malicious binaries that were actively flowing to the Windstream network.

It turns out that those routers were infected by the Chalubo malware, although the initial infection vector is still unknown. Given the circumstances, it’s likely due to an internal breach at Windstream, possibly even an insider attack. Chalubo is designed to enable remote access, and can be used to launch DDoS attacks, among other capabilities. It’s not typical for this malware to immediately wipe devices, leading to the speculation that the malware was used for plausible deniability, to shield the actual perpetrators. This has signs of being an insider attack, by a disgruntled admin at Windstream, though there is not any hard evidence at the moment.

Bits and Bytes

Like a bad penny, North Korea has come back up with the FakePenny malware campaign. In Microsoft’s fun APT naming scheme, this is the work of Moonstone Sleet, whose usual strategy is to backdoor popular software and spread it however they can. In a major ransomware deployment, Moonstone Sleet requested $6.6 million in Bitcoin, which is quite the step up from previous campaigns.

And lastly, Ticketmaster seems to have a 560 million user data breach on its hands. Data brokers on the Breach Forums claim to have this in a 1.3 terabyte database, and are willing to part with it for merely half-a-million dollars. There is a bit of a backstory here, as Breach Forums is run by ShinyHunters, and the whole operation was shut down by the FBI a couple weeks ago. That didn’t last long, and it looks like they’re back, and back in business.

BoostBot

By: EasyWithAI
14 February 2024 at 19:40
BoostBot provides AI-powered mobile game bots to automate tedious gameplay tasks for popular games like Mafia City, Rise of Kingdoms, Last Shelter Survival, and more. The bots can be used to auto farm resources, build structures, complete tasks, and shield bases just like a real player would. BoostBot allows you to run the bot locally […]


Hack Your Own Adventure Story with Yarn Spinner

18 May 2024 at 23:00

We are big fans of programmed texts for education. You know, the kind where you answer a question and go to a new page based on your answer. But they can also be entertaining “choose your own adventure” stories. You might say, “You are standing in front of an oak door, two meters high, with an iron handle. Do you a) open it? b) knock on it? c) ignore it?” Then, based on your answer, you go to a different part of the story. These are tough to write, but you can get some help using Yarn Spinner and the Yarn scripting language.

The original purpose of Yarn is to produce conversations for games. There’s a tutorial for that. The difference is that when you produce a book, you get a choose-your-own-adventure PDF at the end. For the tutorial, you can try to read the text on the left-hand side of the editor or just press Test (at the top) and let it “read” the tutorial to you, which is a little more fluid.

The scripting language is mostly text, but you can have branching logic, which is critical for the book generation. You can also set variables as in:

<<set $gold to 5>>

Then you can test variables with <<if>> as you might expect. You can also jump to other parts of the script using <<jump>>. This works with nodes that look like this:

title: HackadayNode
---
// Yarn script goes here
===

That’s about it. We took the liberty of writing a cheeky Hackaday adventure. The source code is available, too. You’ll notice the script is simplistic. It doesn’t merge the lines, so if you have, say, three jumps to node X, you will get three copies of node X in the book. Then again, that helps your page count, and it doesn’t distract from the enjoyment of the finished product. And, yes, we added the title graphic after the fact.

It should be possible to write programmed instruction material with this, too. Why just pretend to submit a project to Hackaday when you could do it for real so easily?

RepTrap Keeps Watch Over Our Cold-Blooded Friends

7 May 2024 at 08:00

Wait a second, read that title again. This isn’t a throwback 3D printing project at all. That’s “RepTrap” as in reptile trap, and it’s a pretty clever way to study our cold-blooded friends in their natural habitat.

Now, game cameras — or trail cameras, if you’re less interested in eating what you see — are pretty much reduced to practice. For not that much money you can pick up one of these battery-powered devices, strap it to a tree, and have it automatically snap high-quality pictures of whatever wildlife happens to wander past. But nearly all of the commercially available game cameras have pyroelectric infrared sensors, which trigger on the temperature difference between a warm-blooded animal and the ambient temperature of the background. But what to do when you’re more interested in cold-blooded critters?

Enter [Mirko], who stumbled upon this problem while working with a conservation group in Peru. The group wanted to study snakes, insects, and other ectothermic animals, which are traditionally studied by trapping with pitfalls and other invasive techniques. Unable to rely on PIR, [Mirko] rigged up what amounts to a battery-powered light curtain using a VL53L4CD laser time-of-flight sensor. Mounted above the likely path of an animal, the sensor monitors the height of everything in its field of view. When an animal comes along, cold-blooded or otherwise, RepTrap triggers a remote camera and snaps a picture. Based on the brief video below, it’s pretty sensitive, too.

[Mirko] started out this project using an RP2040 but switched to an ESP32 to take advantage of Bluetooth camera triggering. The need for weatherproofing was also a big driver for the build; [Mirko] is shooting for an IP68 rating, which led to his interesting use of a Hall sensor and external magnet as a power switch.

 

MGAI

By: EasyWithAI
10 August 2023 at 14:21
MGAI is your AI wingman for online dating, developed by AI platform Novo AI and dating coach Ice White. It provides you with exactly what to say next to women on dating apps or social media, plus extra context and advice. It combines AI with human expert advice for optimal messaging and profiles. MGAI […]
