Hiding Executable Javascript in Images That Pass Validation

Here’s an interesting proof-of-concept that could be useful or hazardous depending on the situation in which you encounter it. [jklmnn] drew inspiration from the work of [Ange Albertini] who has documented a way to hide Javascript within the header of a .gif file. Not only does it carry the complete code but both image and the Javascript are seen as valid.

With just a little bit of work [jklmnn] boiled down the concept to the most basic parts so that it is easy to understand. Next, a quick program was written to automate the embedding of the Javascript. Grab the source code if you want to give it a try yourself.

Let’s get back to how this might be useful rather than harmful. What if you are working on a computer that doesn’t allow the browser to load Javascript. You may be able to embed something useful, kind of like the hack that allowed movies to be played by abusing Microsoft Excel.

Reverse Engineering the D-Link WPS Pin Algorithm

sub_4D56F8

A router with WPS requires a PIN to allow other devices to connect, and this PIN should be unique to every router and not derived from other easily accessible data found on the router. When [Craig] took a look at the firmware of a D-Link DIR-810L 802.11ac router, he found exactly the opposite; the WPS PIN was easily decipherable because it was generated entirely from the router’s MAC address and could be reverse engineered by sniffing WiFi.

When [Craig] was taking a look at the disassembled firmware from his router, he noticed a bit of code that accessed the NVRAM used for storing device-specific information like a serial number. This bit of code wasn’t retrieving a WPS pin, but the WAN MAC address instead. Instead of being unique to each device and opaque to every other bit of data on the router, the WPS pin was simply generated (with a bit of math) from the MAC address. This means anyone upstream of the router can easily derive the WPS pin of the router, and essentially gives everyone the keys to the castle of this router.

A few years ago, it was discovered the WPS pin was extremely insecure anyway, able to be brute-forced in a matter of minutes. There are patches router manufacturers could apply to detect these brute force attacks, closing that vulnerability. [Craig]‘s code, though, demonstrates that a very large number of D-Link routers effectively broadcast their WPS PIN to the world. To make things even worse, the BSSID found in every wireless frame is also derived from the WAN MAC address. [Craig] has literally broken WPS on a huge number of D-Link routers, thanks to a single engineer that decided to generate the WPS PIN from the MAC address.

[Craig] has an incomplete list of routers that are confirmed affected on his site, along with a list of confirmed unaffected routers.

A Better Anonabox with the Beaglebone Black

A few weeks ago, Anonabox, the ill-conceived router with custom firmware that would protect you from ‘hackers’ and ‘legitimate governments’ drew the ire of tech media. It was discovered that this was simply an off-the-shelf router with an installation of OpenWrt, and the single common thread in the controversy was that, ‘anyone can build that. This guy isn’t doing anything new.’

Finally, someone who didn’t have the terrible idea of grabbing another off the shelf router and putting it up on Kickstarter is doing just that. [Adam] didn’t like the shortcomings of the Anonabox and looked at the best practices of staying anonymous online. He created a Tor dongle in response to this with a Beaglebone Black.

Instead of using wireless like the Anonabox and dozens of other projects, [Andy] is using the Beaglebone as a dongle/Ethernet adapter with all data passed to the computer through the USB port. No, it doesn’t protect your entire network; only a single device and only when it’s plugged in.

The installation process is as simple as installing all the relevent software, uninstalling all the cruft, and configuring a browser. [Adam] was able to get 7Mb/sec down and 250kb/sec up through his Tor-ified Ethernet adapter while only using 40% of the BBB’s CPU.

Using Excel to Watch Movies at Work

The Excel subreddit exploded earlier this week when redditor [AyrA_ch] shared his custom spreadsheet that allowed him to play video files on a locked-down work computer. How locked down? With no access to Windows Media Player and IE7 as the only browser (all plugins disabled, no HTML5), Excel became the unlikely hero to cure a 3-hour boredom stint.

Behind the cascade of rectangles and in the land of the Excel macro, [AyrA_ch] took advantage of the program’s VBA (Visual Basic for Applications) functions to circumvent the computer’s restrictions. Although VBA typically serves the more-complex-than-usual macro, it can also invoke some Windows API commands, one of which calls Windows Media Player. The Excel file includes a working playlist and some rudimentary controls: play, pause, stop, etc. as well as an inspired pie chart countdown timer.

As clever as this hack is, the best feature is much more subtle: tricking in-house big brother. [AyrA_ch]‘s computer ran an application to monitor process usage, but any videos played through the spreadsheet were attributed to Excel, ensuring the process usage stayed on target. You can download it for yourself over on GitHub.

This Message Will Self-Destruct in 5 Seconds

Good morning, Mr. Hunt. Your mission, should you choose to accept it… blah blah blah… This post will self-destruct in five seconds.

This is [Diego Trujillo Pisanty's] latest project dubbed “This Tape Will Self-Destruct“, and it’s a fully functional small scale printer, whose media catches on fire immediately after printing. Beyond the obvious Mission Impossible connection, you could also think of it as real-life snapchat — just throw a webcam on there and some faxing capabilities…

Apparently [Diego] was inspired to build this machine after the BBC reported that a Kremlin security agency was upgrading the office with typewriters in attempt to reduce privacy leaks from computer hardware, in fear of WikiLeaks and [Edward Snowden].

It is an art piece (the horror!) but is actually quite the piece of hardware. So unfortunately, like most art pieces, the artist doesn’t give much detail on how it works, because that would ruin the illusion of the project… or something. Still, it’s an amusing project. Video below.

Continue reading “This Message Will Self-Destruct in 5 Seconds”

Hackaday 10th Anniversary: [1o57] and the Art of Encryption

[Ryan] a.k.a. [1o57] comes from an age before anyone could ask a question, pull out their smartphone, and instantly receive an answer from the great Google mind. He thinks there’s something we have lost with our new portable cybernetic brains – the opportunity to ask a question, think about it, review what we already know, and reason out a solution. There’s a lot to be said about solving a problem all by yourself, and there’s nothing to compare to the ‘ah-ha’ moment that comes with it.

[1o57] started his Mystery Challenges at DEFCON purely by accident; he had won the TCP/IP embedded device competition one year, and the next year was looking to claim his title again. The head of the TCP/IP embedded competition had resigned from his role, and through a few emails, [1o57] took on the role himself. There was a miscommunication, though, and [1o57] was scheduled to run the TCP/IP drinking competition. This eventually morphed into a not-totally-official ‘Mystery Challenge’ that caught fire in email threads and IRC channels. Everyone wanted to beat the mystery challenge, and it was up to [1o57] to pull something out of his bag of tricks.

The first Mystery Challenge was a mechanical device with three locks ready to be picked (one was already unlocked), magnets to grab ferrous picks, and only slightly bomb-like in appearance. The next few years featured similar devices with more locks, better puzzles, and were heavy enough to make a few security officials believe [1o57] was going to blow up the Hoover dam.

With a few years of practice, [1o57] is turning crypto puzzles into an art. His DEFCON 22 badge had different lanyards that needed to be arranged to spell out a code. To solve the puzzle, you’ll need to talk to other people, a great way to meet one of [1o57]‘s goals of getting all the natural introverts working together.

Oh. This talk has its own crypto challenge, something [1o57] just can’t get out of his blood:

We talked for a little bit, and 0×06 0x0a1 MFY YWXDWE MEOYOIB ASAE WBXLU BC S BLOQ ZTAO KUBDR HG SK YTTZSLBIMHB

BadUSB Means We’re All Screwed

Does anyone else get the feeling that the frequency of rather horrible vulnerabilities coming to light is accelerating? Off the top of our head, there’s Heartbleed, Shellshock, and now this one. The BadUSB exploit attack stems from the “invisible” microcontroller in most USB devices.

We first heard about it when we were attending DEFCON in August. The exploit had been announced the same week at Blackhat but there wasn’t much information out yet. Now the talk has been posted and there’s a well-explained overview article at Big Mess o’ Wires.

Here’s how this one goes: all USB devices rely on a microcontroller to handle the peripheral-side of USB communications. The computer doesn’t care which microcontroller, nor does it have a way of knowing even if it wanted to. The uC is “invisible” in this situation, it’s the interface and data flowing through it that the computer cares about. BadUSB is an attack that adds malicious functionality to this microcontroller. To the computer it’s a perfectly normal and functional USB device, while all the bad stuff is happening on the peripheral’s controller where the computer can’t see it.

badusb

How deeply do you think about plugging each and every USB device? Check out what happens at 19:20 into the video below. The USB device enumerates and very quickly sets up a spoofed Ethernet connection. You can still load a webpage via WiFi but the fake connection is forwarding packets to a second server.

Once discovered, you can wipe the computer and this will stop happening; until you plug the same device again and reinfect. Worse yet, because the controller is invisible to the computer there’s almost no way to scan for infected devices. If you are smart enough to suspect BadUSB, how long will it take you to figure out if its your mouse, your keyboard, a thumb drive, a webcam, your scanner… you get the point.

Continue reading “BadUSB Means We’re All Screwed”