Little Bobby Tables Just Registered a Company…

Sometimes along comes a tech story that diverges from our usual hardware subject matter yet which just begs to be shared with you because we think you will find it interesting and entertaining.

XKCD 327, Exploits of a Mom (CC BY-NC 2.5).

You will no doubt be familiar with the XKCD cartoon number 327, entitled “Exploits of a Mom”, but familiarly referred to as “[Bobby Tables]”. In it a teacher is ringing the mother of little [Robert'); DROP TABLE Students;--], whose name has caused the loss of a year’s student records due to a badly sanitized database input. We’ve all raised a chuckle at it, and the joke has appeared in other places such as an improbably long car license plate designed to erase speeding tickets.

It’s nice to see that Companies House sanitise their database inputs.

Today we have a new twist on the Bobby Tables gag, for someone has registered a British company with the name “; DROP TABLE "COMPANIES";-- LTD”. Amusingly the people at Companies House have allowed the registration to proceed, so either they get the joke too or they are unaware of the nuances of a basic SQL exploit. It’s likely that if this name leaves Her Majesty’s civil servants with egg on their faces it’ll be swiftly withdrawn, so if that turns out to be the case then at least we’ve preserved it with a screenshot.

Of course, the chances of such a simple and well-known exploit having any effect are minimal. There will always be poor software out there somewhere that contains badly sanitized inputs, but we would hope that a vulnerability more suited to 1996 would be vanishingly rare in 2016.

If by some chance you haven’t encountered it before, we’d recommend you read about database input sanitization; someday it may save you from an embarrassing bit of code. Meanwhile we salute the owner and creator of this new company for giving us a laugh, and wish them every success in their venture.
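To show what “badly sanitized input” actually means here, this added example (not from the original post or from Companies House) runs both names quoted above through a concatenated query and through a parameterized one using an in-memory SQLite database. The concatenated version uses executescript() to emulate a driver that accepts stacked statements, which is an assumption for the demo; note that the Companies House name contains no closing quote, so even concatenation leaves it inside the string literal, while the XKCD name does break out.

```python
import sqlite3

# Constructed sample inputs: the XKCD name and the registered company name quoted on the page.
BOBBY = "Robert'); DROP TABLE Students;--"
COMPANY = '; DROP TABLE "COMPANIES";-- LTD'


def fresh_db() -> sqlite3.Connection:
    """In-memory database with the two tables the joke names target."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Students (name TEXT)")
    conn.execute('CREATE TABLE "COMPANIES" (name TEXT)')
    return conn


def table_exists(conn: sqlite3.Connection, table: str) -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (table,)
    ).fetchone()
    return row is not None


def unsafe_insert(conn: sqlite3.Connection, table: str, name: str) -> bool:
    """The badly sanitized pattern: user input glued straight into the SQL text.

    executescript() is used so that stacked statements run, as they would with a
    driver that allows several statements per call (assumption for this demo).
    The table name comes from code, never from the user. Returns whether the
    table survived the insert."""
    conn.executescript(f"INSERT INTO \"{table}\" (name) VALUES ('{name}');")
    return table_exists(conn, table)


def safe_insert(conn: sqlite3.Connection, table: str, name: str) -> str:
    """Parameterized query: the value is bound by the driver and never parsed as SQL.

    Returns the stored value so the caller can confirm it was kept verbatim."""
    conn.execute(f'INSERT INTO "{table}" (name) VALUES (?)', (name,))
    return conn.execute(f'SELECT name FROM "{table}"').fetchone()[0]


if __name__ == "__main__":
    print("Students survives concatenation:", unsafe_insert(fresh_db(), "Students", BOBBY))
    print("COMPANIES survives concatenation:", unsafe_insert(fresh_db(), "COMPANIES", COMPANY))
    print("Stored verbatim:", safe_insert(fresh_db(), "Students", BOBBY))
```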

Police Want Alexa Data; People Begin to Realize It’s Listening

It is interesting to see the wide coverage of a police investigation looking to harvest data from the Amazon Echo, the always-listening home automation device you may know as Alexa. A murder investigation has led them to issue Amazon a warrant to fork over any recordings made during the time of a crime, and Amazon has so far refused.

Not too long ago, this is the sort of news that would have been discussed on Hackaday but the rest of my family would never have heard about it. Now we just need to get everyone to think one step beyond this and we’ll be getting somewhere.

What isn’t being discussed here is more of concern to me. How many of you have a piece of tape over your webcam right now? Why did you do that? It’s because we know there are compromised systems that allow attackers to turn on the camera remotely. Don’t we have to assume that this will eventually happen with the Echo as well? Police warrants are likely to affect far fewer users than account breaches like the massive ones we’ve seen with password data.

All of the major voice activated technologies assert that their products are only listening for the trigger words. In this case, police aren’t just looking for a recording of someone saying “Alexa, help I’m being attacked by…” but for any question to Alexa that would put the suspect at the scene of the crime at a specific time. Put yourself in the mind of a black hat. If you could design malware to trigger on the word “Visa” you could probably catch a user giving their credit card number over the phone. This is, of course, a big step beyond the data already stored from normal use of the system.

It’s not surprising that Amazon would be served a warrant for this data. You would expect phone records (although not recordings of the calls) to be reviewed in any murder case. Already disclosed in this case is that a smart water meter from the home reported a rather large water usage during the time of the murder — a piece of evidence that may be used to indicate a crime scene clean-up effort.

What’s newsworthy here is that people who don’t normally think about device security are now wondering what their voice-controlled tech actually hears them say. And this is a step in the right direction.

Automated Vacuum Lettuce Seed Placement

[Jethro Tull] is a name you may well associate with a 1970s prog/folk rock band featuring a flautist, but the original [Tull] was an inventor whose work you benefit from every day. He was a British lawyer and landowner who lived over the turn of the 18th century, and who invented among other things the mechanical seed drill.

Were [Tull] alive today he would no doubt be impressed by the work of [Akash Heimlich], who has created an exquisite vacuum seed placer for his rooftop hydroponic lettuce farm. Unlike the continuous rows of seed on the Berkshire earth of [Tull]’s farm, the lettuce seed must be placed in an even grid on a foam substrate for the hydroponic equivalent. This was an extremely tedious task when done by hand, so [Akash] set about automating the process with a vacuum seeder that is a thing of beauty.

It uses a simple yet effective mechanism involving a row of pipettes connected to a vacuum line, which are rotated over a vibrating hopper of seeds from which each one collects a single seed, before being rotated back over the foam where the seeds are dropped in a neat row through 3D-printed funnels. The foam is advanced, and the process is repeated until there is a neat grid of seeds. In only four minutes it can deliver 150 seeds, reducing several hours’ work to under half an hour.

The whole machine is controlled by an Arduino, with a couple of stepper motors to move foam and pipettes alongside the vibrator motor. You can see its operation in the video below the break.


Santa Knows If Your Contact Form Uses PHPMailer < 5.2.18

PHPMailer, one of the most used classes for sending emails from within PHP, has a serious vulnerability in versions less than 5.2.18 (current version). The security researcher [Dawid Golunski] just published a limited advisory stating that PHPMailer suffers from a critical flaw that might lead an attacker to achieve remote code execution in the context of the web server user. PHPMailer is used by several open-source projects, among them are: WordPress, Drupal, 1CRM, SugarCRM, Yii and Joomla. A fix has been issued and PHPMailer is urging all users to upgrade their systems.

To trigger this vulnerability (CVE-2016-10033) it seems that the attacker only has to make the web application send out an email using the vulnerable PHPMailer class. Depending on the application itself, this can be accomplished in different ways, such as contact/feedback forms, registration forms, password email resets and so on.

Upon a quick diff analysis, we found that the vulnerable code seems to lie in the following lines of the class.phpmailer.php:


UK Government to Hold Drone Licensing Consultation

All over your TV and radio this morning if you live in the UK is the news that the British government is to hold a consultation over the licensing of multirotors, or drones as they are popularly known. It is being reported that users will have to sit a test to acquire a licence before they can operate any machine that weighs above 250 g, and there is the usual fog of sloppy reporting that surrounds any drone story.

This story concerns us on several fronts. First, because many within our community are multirotor enthusiasts and thus we recognise its importance to our readership. And then because it takes as its basis of fact a series of reported near misses with aircraft that look very serious if taken at face value, but whose reported facts simply don’t match the capabilities of real multirotors. We’ve covered this issue in the past with an incident-by-incident analysis, and raised the concern that incident investigators behave irresponsibly in saying “It must have been a drone!” on the basis of no provable evidence. Indeed the only proven British collision was found to have been with a plastic bag.

Of course irresponsible multirotor fliers who threaten public safety should be brought to book. Lock them up, throw away the key, whatever is appropriate. But before that can be done, any debate must be conducted on a level playing field. Our final concern is that this is an issue which is being framed almost entirely on the basis of one side’s interest groups and hysteria on the part of the uninformed about a new technology, rather than a balanced examination of the issues involved. It’s the old “People are having fun. This must be stopped!” idea that infects so much lawmaking, and it’s not very pretty.

Fortunately while it is being reported in some quarters as a done deal as in “Drone fliers must sit a test”, in fact this story is “The Government will ask people what they think about drone fliers sitting a test”. It’s a consultation, which means a Parliamentary committee will sit down and hear evidence before deciding on any legislation. The good news about consultations is that they are open to submissions from the general public, so if you are a British multirotor flier you can submit your own arguments. We will keep you posted with any news about the consultation as we have it.

Header image: 최광모 [CC BY-SA 4.0], via Wikimedia Commons.

Hedgefund Startup Powered By Crowdsourced Code

In the financial sector, everyone is looking for a new way to get ahead. Since the invention of the personal computer, and perhaps even before, large financial institutions have been using software to guide all manner of investment decisions. The turn of the century saw the rise of High Frequency Trading, or HFT, in which highly optimized bots make millions of split-second transactions a day.

Recently, [Wired] reported on Numerai — a hedge fund founded on big data and crowdsourcing principles. The basic premise is thus — Numerai takes its transaction data, encrypts it in a manner that hides its true nature from competitors but remains computable, and shares it with anyone who cares to look. Data scientists then crunch the numbers and suggest potential trading algorithms, and those whose algorithms succeed are rewarded with cold, hard Bitcoin.


Reliably Exploiting Apport in Ubuntu

[Donncha O’Cearbhaill] has successfully exploited two flaws in Apport, the crash report mechanism in Ubuntu. Apport is installed by default in all Ubuntu Desktop installations >= 12.10 (Quantal). Inspired by [Chris Evans]’ work on exploiting 6502 processor opcodes on the NES, [Donncha] describes the whole process of finding and exploiting a 0-day on a modern Linux system.

One of the flaws, tracked as CVE-2016-9949, relies on a Python code injection in the crash file. Apport blindly uses the Python eval() function on an unsanitized field (CrashDB) inside the .crash file. This leads directly to arbitrary Python code execution. The other flaw, tracked as CVE-2016-9950, takes advantage of a path traversal attack and the execution of arbitrary Python scripts outside the system hook_dirs. The problem arises when another field (Package) from the crash report file is used without sanitizing when building a path to the package hook files.

CVE-2016-9949 is easily exploitable: if an attacker can trick a user into opening a specially crafted file (an apport .crash file), the attacker can execute the Python code of his/her choice. Two details make it a very interesting exploit.

The first thing to note is the exploit’s reliability. Given that it is pure python code execution, an attacker doesn’t have to worry about ASLR, Non-Exec Memory, Stack Canaries and other security features that Ubuntu ships by default. As the author notes:

“There are lots of bugs out there which don’t need hardcore memory corruption exploitation skills. Logic bugs can be much more reliable than any ROP chain.”

Another interesting detail is that the exploit file doesn’t need to have the .crash extension: as long as its content starts with the string “ProblemType: ” and the file extension is not already associated with other software, Ubuntu considers it to be of MIME type type=”text/x-apport” (for example, .ZlP or .0DF). This significantly improves the chances of an unsuspecting user being fooled into opening the file.
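Both bugs come down to trusting fields of a “Key: value” report body. This added example, which is not Apport’s code or its actual fix, shows a hardened handling of the two fields the text names: CrashDB is parsed with ast.literal_eval(), which accepts only Python literals and rejects any expression that would execute code, and Package is validated against a package-name pattern and a containment check before a hook path is built from it. The report bodies, the name regex and the hook directory path are assumptions constructed for the demo.

```python
import ast
import os
import re

# Constructed sample report bodies (not real Apport output).
BENIGN_REPORT = (
    "ProblemType: Crash\n"
    "Package: firefox 50.0\n"
    "CrashDB: {'impl': 'launchpad', 'project': 'example'}\n"
)
HOSTILE_REPORT = (
    "ProblemType: Crash\n"
    "Package: ../../tmp/evil 1.0\n"
    "CrashDB: (lambda: 42)()\n"   # an expression, not a literal: eval() would run it
)

# Assumed shape of a Debian package name: lowercase alphanumerics, '+', '-', '.'
PKG_RE = re.compile(r"^[a-z0-9][a-z0-9+.-]+$")


def parse_fields(text: str) -> dict:
    """Minimal parser for the 'Key: value' lines of an apport-style report."""
    fields = {}
    for line in text.splitlines():
        if ": " in line:
            key, value = line.split(": ", 1)
            fields[key] = value
    return fields


def load_crashdb(fields: dict):
    """Safe replacement for eval() on CrashDB: only a dict literal is accepted."""
    try:
        value = ast.literal_eval(fields.get("CrashDB", "{}"))
    except (ValueError, SyntaxError):
        return None          # code, not data: refuse it
    return value if isinstance(value, dict) else None


def hook_path(fields: dict, hook_dir: str = "/usr/share/apport/package-hooks"):
    """Build the package hook path only if the Package field cannot escape hook_dir."""
    package = fields.get("Package", "").split(" ", 1)[0]   # strip the version
    if not PKG_RE.match(package):
        return None          # '/' or '..' never passes the name pattern
    candidate = os.path.normpath(os.path.join(hook_dir, package + ".py"))
    if os.path.dirname(candidate) != os.path.normpath(hook_dir):
        return None          # belt and braces: still inside hook_dir after normalisation
    return candidate
```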
