This Week In Security: PHP Attack Defused, Scoreboard Manipulation, And Tillitis

If you use PHP, you likely use the Composer tool for managing dependencies, at least indirectly. And the good folks at SonarSource found a nasty potential supply chain attack in this tool when used in the Packagist repository. The problem is the support for arbitrary README filenames. When a package update shows up on Packagist, that service uses a Version Control System (VCS) like Git or Mercurial to pull the specified readme location. That pull operation is subject to argument injection: name your branch --help, and Git will happily run the help argument instead of doing the intended pull. In the case of Git commands, our intrepid researchers were unable to weaponize the issue to achieve code execution.

Composer also supports projects that use Mercurial as their VCS, and Mercurial has a --config option that has… interesting potential. It allows redefining a Mercurial command as a script snippet. So a project just has to contain a malicious payload.sh, and the readme set to --config=alias.cat=!hg cat -r : payload.sh|sh;,txt. For those keeping track at home, the vulnerability is that this cursed string of ugly is accepted by Composer as a valid filename. This uses the --config trick to redefine cat as a bit of script that executes the payload. It ends in .txt because that is a requirement of Composer.

So let’s talk about what this little hack could have been used for, or maybe could still be used for on an unpatched, private install of Packagist. This is an unattended attack that jumps straight to remote script execution — on an official package repository. If discovered and used for evil, this would have been a massive supply chain attack against PHP deployments. Instead, thanks to SonarSource, it was discovered and disclosed privately back in April. The official Packagist repo at packagist.org was fixed the day after disclosure, and a CVE and updated packages went out six days later. Great work all around.
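The root cause above is a user-supplied filename that git or hg parses as an option. The following is an added example, not Composer's or Packagist's own code, of the kind of check that stops it: an assumed allow-list for the README path, a refusal of anything starting with a dash, and use of hg's `--` end-of-options separator so the path can never be read as `--config`.

```python
"""Added example (not Composer's or Packagist's code): validate a
user-controlled VCS argument such as a README path from package metadata
before it reaches git or hg, so a value like --help or --config=... is
rejected instead of being parsed as an option."""
import re
from typing import List

# Assumed allow-list for this example: relative path of ordinary filename
# characters, never starting with '-', no whitespace or shell metacharacters.
_SAFE_PATH = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9._/-]*$")


def is_safe_vcs_path(value: str) -> bool:
    """True if `value` may be passed to git/hg as a file argument."""
    if not _SAFE_PATH.match(value):
        return False
    # Also refuse parent-directory escapes inside the repository.
    return ".." not in value.split("/")


def build_readme_command(vcs: str, ref: str, path: str) -> List[str]:
    """Return argv (run without a shell) that reads `path` at revision `ref`.

    Raises ValueError rather than letting an option-like value through.
    """
    for arg in (ref, path):
        if arg.startswith("-"):
            raise ValueError(f"refusing option-like argument: {arg!r}")
    if not is_safe_vcs_path(path):
        raise ValueError(f"rejected README path: {path!r}")
    if vcs == "git":
        # git addresses the blob as <ref>:<path>; ref was checked above, so
        # the combined token cannot begin with '-'.
        return ["git", "show", f"{ref}:{path}"]
    if vcs == "hg":
        # hg honours '--' as end-of-options, so even a path that slipped past
        # the check could not be read as --config or any other flag.
        return ["hg", "cat", "-r", ref, "--", path]
    raise ValueError(f"unsupported VCS: {vcs!r}")


if __name__ == "__main__":
    print(build_readme_command("hg", "default", "README.md"))
    for bad in ("--help", "--config=x=y,txt"):
        try:
            build_readme_command("hg", "default", bad)
        except ValueError as err:
            print("blocked:", err)
```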


A Neat Little Tool To Reset The Fuses On Your ATtiny

If you’re an experienced hacker, you’ve probably run into a problem at some point and thought “let’s make a tool to automate that”. A few hours later you’ve got your tool, but then realize that the amount of work you put into making the tool vastly exceeds what you would have needed to solve the original problem manually. That really doesn’t matter though: developing a fancy tool can be a rewarding experience that teaches you way more about the original problem than you would have learned otherwise. [sjm4306]’s ATtiny High Voltage Fuse Reset-er is a clever device that firmly falls into this category.

The problem it solves is familiar to anyone who’s ever worked with Atmel/Microchip’s ATtiny series of microcontrollers: set one of the configuration fuses incorrectly and you’re no longer able to reprogram your chip. Getting the ATtiny back to its original configuration requires a high-voltage programming step that involves pulling the reset pin to 12 V in what’s otherwise a 5 V system. You could simply grab a spare 12 V supply and hack together a level shifter with a few transistors, but where’s the fun in that?

[sjm4306]’s solution is built on a pretty purple PCB that contains an ATmega328, an OLED display, and sockets to accommodate various versions of the ATtiny series microcontrollers. To generate the required 12 V, one could simply use an off-the-shelf boost converter IC. But instead, he decided it would be interesting to make such a circuit out of discrete components and control it using the ATmega. After all, this chip already contains timers to generate PWM signals and an ADC to measure the converter’s output voltage, so all it took was to write some control logic in the form of a PID controller.

The end result, as you can see in the video embedded below, is a convenient little PCB that runs off a 5 V USB power supply and resets the fuses on your ATtiny at the push of a button. Sometimes, simple tools that do one thing well are all you need; however, if you’re looking for an all-in-one AVR programmer that also supports HV programming, check out this AVR Multi-Tool.


AVR Fuse Bits Explained

Every AVR microcontroller, from the ATtiny in your thermostat to the ATMega in your Arduino, stores its configuration in a series of fuse bits. These fuse bits control settings such as the multiplier of the internal oscillator (and thus the speed of the chip), or if the reset pin can be used as a GPIO pin. [YS] just put up an awesome tutorial for understanding these fuse/lock bits, and it’s just the reference guide you’ll need when you find your AVR is running 8 times slower than you would like.

As an example, [YS] uses the ATMega48 default settings. From the factory, the ‘Mega48 ships with its fuse bits set to use an 8MHz internal RC oscillator with the CKDIV8 bit set. This results in the chip operating at 1MHz, a bit slow for [YS]’ liking.

By looking at the datasheet for the ATMega48, [YS] found the CKDIV8 fuse was the 7th bit in the low fuse byte. From the factory, the default value for this byte is 0b01100010. To remove the ‘divide clock by 8’ bit, [YS] needed to change the low byte to 0b11100010, or 0xE2. This is done via AVRdude by appending lfuse:w:0xE2:m to the commands entered when programming.

Fuse bits don’t need to be scary. As long as you can convert between binary and hex, remember that the bits in a byte are numbered 0 through 7 (start counting from 0), and have access to an easy-to-use fuse calculator, it’s possible to change all the settings on any AVR you have on hand.
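The 0x62 to 0xE2 calculation above, as an added example that is not part of the original post: it decodes the ATmega48 low fuse byte using the datasheet's bit layout (CKDIV8 in bit 7, CKOUT in bit 6, SUT in bits 5:4, CKSEL in bits 3:0, all active-low), recomputes the value with CKDIV8 unprogrammed, and flags the external-clock selection that leaves a chip needing the high-voltage recovery tools covered elsewhere on this page. Function names and the clock-rate helper are this example's own assumptions.

```python
"""Added example, not from the article: decode an ATmega48 low fuse byte and
recompute the value the article derives by hand (0x62 -> 0xE2 to clear CKDIV8).
Bit layout per the ATmega48 datasheet: bit 7 CKDIV8, bit 6 CKOUT,
bits 5:4 SUT1:0, bits 3:0 CKSEL3:0. Fuse bits are active-low: 0 = programmed."""
from typing import Dict

CKDIV8_BIT = 7
CKOUT_BIT = 6
CKSEL_EXTERNAL_CLOCK = 0b0000    # needs a clock signal driven into XTAL1
CKSEL_INTERNAL_RC_8MHZ = 0b0010  # calibrated internal RC oscillator


def decode_low_fuse(lfuse: int) -> Dict[str, int]:
    """Split the byte into fields; single-bit fields are 1 when programmed."""
    if not 0 <= lfuse <= 0xFF:
        raise ValueError(f"fuse byte out of range: {lfuse:#x}")
    return {
        "CKDIV8": 1 - ((lfuse >> CKDIV8_BIT) & 1),  # active-low, so invert
        "CKOUT": 1 - ((lfuse >> CKOUT_BIT) & 1),
        "SUT": (lfuse >> 4) & 0b11,
        "CKSEL": lfuse & 0b1111,
    }


def set_programmed(lfuse: int, bit: int, programmed: bool) -> int:
    """Return lfuse with one fuse bit programmed (0) or unprogrammed (1)."""
    if programmed:
        return (lfuse & ~(1 << bit)) & 0xFF
    return lfuse | (1 << bit)


def cpu_clock_hz(lfuse: int) -> int:
    """CPU clock for the internal 8 MHz RC setting only; other clock sources
    depend on external parts, so refuse to guess for them."""
    f = decode_low_fuse(lfuse)
    if f["CKSEL"] != CKSEL_INTERNAL_RC_8MHZ:
        raise ValueError("clock rate not derivable from the fuse byte alone")
    return 8_000_000 // 8 if f["CKDIV8"] else 8_000_000


def check_bricking_risk(old: int, new: int) -> str:
    """Flag a change to CKSEL=0000 (external clock): without that clock the
    chip stops responding to a serial programmer."""
    old_sel = decode_low_fuse(old)["CKSEL"]
    new_sel = decode_low_fuse(new)["CKSEL"]
    if new_sel == CKSEL_EXTERNAL_CLOCK and old_sel != CKSEL_EXTERNAL_CLOCK:
        return "WARNING: new CKSEL selects an external clock"
    return "ok"


def avrdude_fuse_arg(lfuse: int) -> str:
    """The -U operand avrdude expects when writing the low fuse byte."""
    return f"-U lfuse:w:0x{lfuse:02X}:m"
```

Running `set_programmed(0x62, CKDIV8_BIT, False)` yields 0xE2, and `cpu_clock_hz` reports 1 MHz for 0x62 and 8 MHz for 0xE2, matching the post.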

Sanguino ATmega644P Board

The RepRap project, a printer that can make components using rapid prototyping technology and is designed so that it can eventually self-replicate, has released a new breakout board for the Sanguino that provides access to all the pins as screw terminals. The Sanguino is an Arduino-compatible board based on the ATmega644P chip. You can populate the full board with all the components and have a fully functional single board, or populate only the screw terminals, plug in your Sanguino, and use it as a breakout board. The board design is released on Google Code.

Magically Repair AVR Chips

If you’ve ever spent time working with AVR microcontrollers you’ve probably set the fuse bits incorrectly at least once. The ATmega fusebit doctor will automatically repair the fuse bits and get you back in business until your next mishap. The ATmega8 that powers the device has the chip signatures for the ATmega family stored inside so it will automatically detect which chip you’re trying to ‘unbrick’. From there it looks up the correct fuse bits and resurrects the sick microcontroller. This is useful in recovering a chip that has serial programming disabled, used the reset pin as I/O, or just enabled an external clock without the necessary hardware to deliver on that feature.

This magic is taken care of by using High Voltage Parallel Programming. We’ve seen HVPP used in the Arduino rescue shield and it is a valuable feature of the AVR Dragon, our favorite AVR programmer, as well as others. Still, you can hardly beat the ease of plugging a dead chip into this board and pressing one button. Oh, did you brick a member of the ATtiny family? There’s a rescue board for those too.

[Thanks Stewe]

Lithium-Ion Batteries Power Your Devboards Easily

Last summer, I was hanging out with a friend from the Netherlands for a week, and in the middle of that week, we decided to go on a 20 km bike trip to a nearby beach. Problem? We wanted to chat throughout the trip, but the wind noise was loud, and screaming at each other while cycling wouldn’t have been fun. I had some walkie-talkie software in mind, but only a single battery-powered Pi in my possession. So, I went into my workshop room, and half an hour later, walked out with a Pi Zero wrapped in a few cables.

I wish I could tell you that it worked wonders. The Zero didn’t have enough CPU power (I only had single-core ones to spare), and the software I had in mind would start to stutter badly every time we tried to run it in bidirectional mode. But the battery power solution was fantastic. If you need your hack to go mobile, read on.


Teardown: Cobra XRS 9740 Radar Detector

Drivers with a lead foot more often than not have Waze open on their phone so they can see if other drivers have spotted cops up ahead. But avoiding a speeding ticket used to involve a lot more hardware than software. Back before the smartphone revolution, that same driver would have had a radar detector on their dashboard. That’s not to say the gadgets are completely unused today, but between their relatively high cost (one of the top-rated models on Amazon as of this writing costs over $300) and the inevitable false positives from so many vehicles on the road having their own radar and LIDAR systems, they’ve certainly become a less common sight over the years.

The subject of today’s teardown is a perfect example of “Peak Radar Detector”. Manufactured back in 2007, the Cobra XRS 9740 would have been a fairly mid-range entry offering the sort of features that would have been desirable at the time. Over a decade ago, having an alphanumeric display, voice alerts, and a digital compass were all things worth shouting about on the box the thing was sold in. Though looking like some kind of Cardassian warship was apparently just an added bonus.

As the name implies, these devices are primarily for detecting radar activity, but by this point they’d also been expanded to pick up infrared lasers and the strobe beacons on emergency vehicles. But false positives were always a problem, so the device allows the user to select which signals it should be on the lookout for. If you were getting some kind of interference that convinced the detector it was being bombarded with IR lasers, you could just turn that function off without having to pull the plug entirely.

But it’s important to remember that this device was built back when people were still unironically carrying around flip phones. Detecting laser and multi-band radars might sound like something pulled from the spec sheet of a stealth fighter jet, but this is still a piece of consumer electronics from more than a decade in the past. So let’s crack it open and take a look at what goes on inside a radar detector that’s only a few years away from being old enough to get its own driver’s license.
