Security Hacks

1392 Articles

The printer's display with the exploit-loaded animation playing, saying "hacked by blasty" and a bunch more stuff

A Fun Exploit For Canon Printers Brings GDB Gifts

April 4, 2024 by 12 Comments

Modern printers make it all that much more tempting to try and hack them — the hardware generally tends to be decent, but the firmware appears to be designed to squeeze as much money out of you as possible while keeping your annoyance level consistently high. That’s why it’s nice to see this exploit of the Canon imageCLASS MF74XCdw series (MF742Cdw/MF743Cdw) by [blasty], triggerable over a network connection, with a story for our amusement.

In this post, we get a tale of how this hack came out of a Pwn2Own Toronto challenge, notes on the hardware involved, and we’re shown the journey to a successful hack. The Canon printer OS is built without many of the protections, which makes playing with it easier than with more modernized targets, but it’s nevertheless not straightforward. Still, exploiting a couple things like the SOAP XML implementation and the UTF8 encoder nets you an ability to play nice animations on the display, and most certainly, control over the entirety of the hardware if you wanted it.

One of the most fun things about this hack is the GDB stub recently included in the repo. If you wanted to debug Canon printers for fun or profit, [blasty] brings you a GDB stub to do that comfortably, with a respectable README that even has porting notes for other Canon ImageCLASS printer models, should you lay your hands on a different machine of despair. WiFi connectivity appears to be enough for this hack, so you better make sure you don’t have your network-connected printers exposed on the Internet — not that you needed more reasons to avoid that.

Three ZigBee radios in ESD bags, marked "Zigbee Sniffer", "Router" and "Coordinator".

Crash IoT Devices Through Protocol Fuzzing

April 2, 2024 by 1 Comment

IoT protocols are a relatively unexplored field compared to most PC-exposed protocols – it’s bothersome to need a whole radio setup before you can tinker on something, and often, for low-level experiments, just any radio won’t do. This means there’s quite a bit of security ground to cover. Now, the U-Fuzz toolkit from [asset-group] helps us make up for it.

Unlike fuzzers you might imagine, U-Fuzz doesn’t go in blindly. This toolkit has provisions to parse protocols and fuzz fields meaningfully, which helps because many of devices will discard packets they deem too malformed. With U-Fuzz, you feed it a couple packet captures, help it make some conclusions about packet and protocol structure, and get suggestions on how to crash your devices in ways not yet foreseen.

This allows for basically arbitrary protocol fuzzing, and to demonstrate, we get examples on 5G, CoAP and ZigBee probing alike, with a list of found CVEs to wrap the README up. As Wikipedia often states, this list is incomplete, and you can help by expanding it. Fuzzing is an underestimated tool – it will help you hack ubiquitous wireless protocols, proprietary standards, and smart home hubs alike.

Flipper Zero Panic Spreads To Oz: Cars Unaffected

April 1, 2024 by 15 Comments

A feature of coming to adulthood for any young person in the last quarter of the twentieth century would have been the yearly warnings about the danger of adulterated Halloween treats. Stories were breathlessly repeated of apples with razor blades in them, or of chocolate bars laced with rat poison, and though such tales often carried examples of kids who’d died horrible deaths in other far-away places, the whole panic was (as far as we know) a baseless urban legend.

It’s difficult not to be reminded of those times today then, as we read news from Australia warning about the threat from the Flipper Zero wireless hacking tool. It has the same ingredients, of an imaginary threat earnestly repeated by law enforcement officers, and lapped up by a credulous media with little appetite for verifying what they print.

This is a story which first appeared in mid-February in Canada, when a government minister singled out the Flipper Zero as a car theft tool and promised to ban it. This prompted a storm of derision from tech-savvy Canadians and others who immediately pointed out that vehicle security has long ago eclipsed the capabilities of the Flipper, and that there are far more pertinent threats such as those from CAN bus attacks or even RF boosters. Despite this debunking, it seems to have spread. Where will Flipper Mania pop up next?

Canada and Australia are both countries with a free press; that press should be doing their job on these stories by fact-checking and asking pertinent questions when the facts don’t fit the story. When it comes to technology stories it seems not doing this has become the norm.

Thanks [Peter Caldwell] for the tip.

anfractuosity's test setup showing the Pi under test and a few pieces of equipment used to perform the attack

Cold Boot Attack You Can Do With A Pi

April 1, 2024 by 2 Comments

A cold boot attack is a way to extract RAM contents from a running system by power cycling it and reading out RAM immediately after loading your own OS. How easy is it for you to perform such an attack? As [anfractuosity] shows, you can perform a cold boot attack with a Raspberry Pi, with a reasonably simple hardware setup and a hefty chunk of bare-metal code.

[anfractuosity]’s setup is simple enough. The Pi 4 under attack is set up to boot from USB drive, and a relay board has it switch between two possible USB drives to boot from: one with a program that fills RAM with , and another with a program that extracts RAM out through UART. The process is controlled by another Pi controlling the relays through GPIOs, that also monitors the target Pi’s UART and uses it as a channel to extract memory.

The outcomes are pretty impressive. After 0.75s of power-down, most of the image could be extracted. That’s without any cooling, so abusing a can of electronics duster is likely to improve these results dramatically. Want to play with cold boot attacks? [anfractuosity]’s code is great for getting your feet wet. Furthermore, the code examples provided serve as a wonderful playground for general memory attack research.

Raspberry Pi not fun enough for you anymore? Well then, you can always start playing with Android phones!

Exploit The Stressed-out Package Maintainer, Exploit The Software Package

March 31, 2024 by 10 Comments

A recent security vulnerability — a potential ssh backdoor via the liblzma library in the xz package — is having a lot of analysis done on how the vulnerability was introduced, and [Rob Mensching] felt that it was important to highlight what he saw as step number zero of the whole process: exploit the fact that a stressed package maintainer has burned out. Apply pressure from multiple sources while the attacker is the only one stepping forward to help, then inherit the trust built up by the original maintainer. Sadly, [Rob] sees in these interactions a microcosm of what happens far too frequently in open source.

Maintaining open source projects can be a high stress activity. The pressure and expectations to continually provide timely interaction, support, and updates can easily end up being unhealthy. As [Rob] points out (and other developers have observed in different ways), this kind of behavior just seems more or less normal for some projects.

The xz/liblzma vulnerability itself is a developing story, read about it and find links to the relevant analyses in our earlier coverage here.

Security Alert: Potential SSH Backdoor Via Liblzma

March 29, 2024 by 34 Comments

In breaking news that dropped just after our weekly security column went live, a backdoor has been discovered in the xz package, that could potentially compromise SSH logins on Linux systems. The most detailed analysis so far seems to be by [Andres Freund] on the oss-security list.

The xz release tarballs from 5.6.0 in late February and 5.6.1 on March 9th both contain malicious code. A pair of compressed files in the repository contain the majority of the malicious patch, disguised as test files. In practice, this means that looking at the repository doesn’t reveal anything amiss, but downloading the release tarballs gives you the compromised code.

This was discovered because SSH logins on a Debian sid were taking longer, with more CPU cycles than expected. And interestingly, Valgrind was throwing unexpected errors when running on the liblzma library. That last bit was first discovered on February 24th, immediately after the 5.6.0 release. The xz-utils package failed its tests on Gentoo builds.

Continue reading “Security Alert: Potential SSH Backdoor Via Liblzma”

This Week In Security: Peering Through The Wall, Apple’s GoFetch, And SHA-256

March 29, 2024 by 1 Comment

The Linux command wall is a hold-over from the way Unix machines used to be used. It’s an abbreviation of Write to ALL, and it was first included in AT&T Unix, way back in 1975. wall is a tool that a sysadmin can use to send a message to the terminal session of all logged-in users. So far nothing too exciting from a security perspective. Where things get a bit more interesting is the consideration of ANSI escape codes. Those are the control codes that moves the cursor around on the screen, also inherited from the olden days of terminals.

The modern wall binary is actually part of util-linux, rather than being a continuation of the old Unix codebase. On many systems, wall runs as a setgid, so the behavior of the system binary really matters. It’s accepted that wall shouldn’t be able to send control codes, and when processing a message specified via standard input, those control codes get rejected by the fputs_careful() function. But when a message is passed in on the command line, as an argument, that function call is skipped.

This allows any user that can send wall messages to also send ANSI control codes. Is that really a security problem? There are two scenarios where it could be. The first is that some terminals support writing to the system clipboard via command codes. The other, more creative issue, is that the output from running a binary could be overwritten with arbitrary text. Text like:
Sorry, try again.
[sudo] password for jbennett:

You may have questions. Like, how would an attacker know when such a command would be appropriate? And how would this attacker capture a password that has been entered this way? The simple answer is by watching the list of running processes and system log. Many systems have a command-not-found function, which will print the failing command to the system log. If that failing command is actually a password, then it’s right there for the taking. Now, you may think this is a very narrow attack surface that’s not going to be terribly useful in real-world usage. And that’s probably pretty accurate. It is a really fascinating idea to think through, and definitively worth getting fixed. Continue reading “This Week In Security: Peering Through The Wall, Apple’s GoFetch, And SHA-256”