Thin Client Hack

Hacking A Thin Client To Gain Root Access

[Roberto] recently discovered a clever way to gain root access to an HP t520 thin client computer. These computers run HP’s ThinPro operating system. The OS is based on Linux and is basically just a lightweight system designed to boot into a virtual desktop image loaded from a server. [Roberto’s] discovery works on systems that are running in “kiosk mode”.

The setup for the attack is incredibly simple. The attacker first stops the virtual desktop image from loading. Then, the connection settings are edited. The host field is filled with garbage, which will prevent the connection from actually working properly. The real trick is in the “command line arguments” field. The attacker simply needs to add the argument “&& xterm”. When the connection is launched, it will first fail and then launch the xterm program. This gives the attacker a command shell running under the context of whichever user the original software is running as.

The next step is to escalate privileges to root. [Roberto] discovered a special command that the default user can run as root using sudo. The “”hpobl” command launches the HP Easy Setup Wizard. Once the wizard is opened, the attacker clicks on the “Thank You” link, which will then load up the HP website in a version of Firefox. The final step is to edit Firefox’s default email program association to xterm. Now when the attacker visits an address like “mailto:test@test.com”, Firefox (running as root) launches xterm with full root privileges. These types of attacks are nothing new, but it’s interesting to see that they still persist even in newer software.

Hackaday Prize Entry: Ground Penetrating Radar

This year’s Hackaday Prize is heating up, and right now there are quite a few projects in the works covering domains that are rarely, if ever, seen coming out of a garage or a workshop. One of the most interesting is [Glenn Powers]’ Open Ground Penetrating Radar. It’s exactly what the title says: an open-source radar system that can see into the Earth for less than $500.

While ground penetrating radar is great for archaeology and people searching for hoards buried in the middle of farmland, the biggest application is safety. You need only to Google “Florida sinkhole” to see the value of peering into the Earth.

[Glenn] is building his ground penetrating radar with a bare minimum of parts. A Baofeng VHF/UHF My First Radio™ serves as the signal generator, the controller is just an optoisolator, and the switch controller is a 7404 hex inverter. It literally can’t get simpler than that.

Of course these components can only be assembled into a simple radar, and the real value of a ground penetrating radar is the ability to map an area. For that, [Glenn] is bringing out a Pi and a GPS dongle to control the whole thing. Visualization is provided by none other than the US Navy. If it works for submarines, it should work for a metal cart, right?

It’s a great project, not only in the fact that it could help a whole bunch of people, but as a prime example of doing so much without tens of thousands of dollars in test equipment.


The 2015 Hackaday Prize is sponsored by:

Race Conditions Exploit Granted Free Money On Web Services

[Josip] has been playing around with race conditions on web interfaces lately, finding vulnerabilities on both Facebook and Digital Ocean. A race condition can occur when a piece of software processes multiple threads using a shared resource.

For example, [Josip] discovered that he was able to manipulate page reviews using just a single Facebook account. Normally, a user is permitted to leave just one review for any given Facebook page. This prevents a single user from being able to skew the page’s overall ranking by making a bunch of positive or negative reviews. The trick to manipulating the system was to intercept the HTTP request that submitted the page review. The request was then replayed over and over in a very short amount of time.

Facebook’s servers ended up processing some of these requests simultaneously, essentially unaware that multiple requests had come in so close together. The result was that multiple reviews were submitted, artificially changing the pages overall ranking even though only one review actually showed up on the page for this user. The user can then delete their single review, and repeat this cycle over and over. It took Facebook approximately two months to fix this vulnerability, but in the end it was fixed and [Josip] received a nice bounty.

The Digital Ocean hack was essentially the exact same process. This time instead of hacking page reviews, [Josip] went after some free money. He found that he was able to submit the same promotional code multiple times, resulting in a hefty discount at checkout time. Digital Ocean wasted no time fixing this bug, repairing it within just ten days of the disclosure.

garage door indicator

Indicator For Forgetful-Minded Garage Door Users

[Gareth] had a friend who regularly forgot to close his garage door after parking his car and heading inside. Since [Gareth] was familiar with basic electronics and an overall good pal, he offered to make a device that would indicate whether the garage door was open or not.

The project starts off simple with an Arduino and ultrasonic distance sensor. Both are mounted to the ceiling of the garage with the ultrasonic sensor pointed down. When the garage door is open, the sensor outputs a shorter distance measurement than when the garage door is closed.

Now that the system knows when the door is open or closed, the next part was sending a signal inside the house. He could have run a wire up through the house walls to an LED indicator but decided to go wireless with a 433mhz transmitter. There is a second Arduino inside equipped with a 433mhz receiver. When the garage door is open, the Arduino inside the house flashes an LED reminding the forgetful occupant to close the door.

[Gareth] made all his code for both the sensor/transmitter and the receiver available on his site for anyone interested in making something similar.

Upgrading A Microsoft Surface To A 1 TB SSD

The Microsoft Surface Pro 3 is a neat little tablet, and with an i7 processor, a decent-resolution display, and running a full Windows 8.1 Pro, it’s the closest you’re going to get to a desktop in tablet format. Upgrading the Surface Pro 3, on the other hand, is nigh impossible. iFixit destroyed the display in their teardown, as did CNET. [Jorge] wanted to upgrade his Surface Pro 3 with a 1 TB SSD, and where there’s a will there’s a way. In this case, a very precise application of advanced Dremel technology.

Taking a Surface Pro 3 apart the traditional way with heat guns, spudgers, and a vast array of screwdrivers obviously wasn’t going to work. Instead, [Jorge] thought laterally; the mSSD is tucked away behind some plastic that is normally hidden by the small kickstand integrated into the Surface. If [Jorge] could cut a hole in the case to reveal the mSSD, the resulting patch hole would be completely invisible most of the time. And so enters the Dremel.

By taking some teardown pictures of the Surface Pro 3, printing them out to scale, and aligning them to the device he had in his hand, [Jorge] had a very, very good idea of where to make the incision. A Dremel with a carbide bit was brought out to cut into the metal, and after a few nerve-wracking minutes the SSD was exposed.

The only remaining task was to clone the old drive onto the new one, stuff it back in the Surface, and patch everything up. [Jorge] is using some cardboard and foam, but a sticker would do just as well. Remember, this mod is only visible when the Surface kickstand is deployed, so it doesn’t have to look spectacular.

Thanks [fridgefire] and [Neolker] for sending this in.

Adding PID Control To A Non-Adjustable Iron

Do remember your first soldering iron? We do. It plugged into the wall, and had no way to adjust the temperature. Most people call these kind of irons “fire starters.” Not only are they potentially unsafe (mainly because of the inadequate stand they come with) they can be hard to use, slow to heat up, and you never know what temperature you are soldering at.

[Mike Doughty] wondered if you could hack a cheap iron to be temperature controlled. He began by taking apart an iron, and adding a K-type thermocouple to the mica heating element with the help of a fiberglass sleeve. After a few tries at fitting and finding the right placement for the thermocouple, he then reassembled the iron, and attached everything to an off-the-shelf industrial PID controller.

Not one to trust that everything was working, [Mike] began to test the iron. He used a Hakko FG-100 soldering iron tip thermometer to measure the “real” temperature of tip, and compared it to the value the K-type thermocouple was reporting it to be. The results were fairly impressive (as seen in the video after the break). Only about 10 degrees out. Not too shabby.

He concluded that although it did work, it wasn’t a replacement for a high quality soldering station. We suspect the real problem with this idea is that the mica heating element is way to slow to respond to any thermal load that the tip is given (but then neither did the unmodified iron.) If you’re interested in hacking together your own soldering station, you might be interested in the open source soldering iron driver.

[via Dangerousprototypes]

Continue reading “Adding PID Control To A Non-Adjustable Iron”

Hackaday Retro Edition: TRS Wiki

1977 was a special year for computing history; this year saw the release of the 8085 following the release of the Z80 a year before. Three companies would launch their first true production computers in 1977: Apple released the Apple II, Commodore the PET 2001, and Tandy / Radio Shack the TRS-80 Model I. These were all incredibly limited machines, but at least one of them can still be used to browse Wikipedia.

[Pete]’s TRSWiki is a Wikipedia client for the TRS-80 Model I that is able to look up millions of articles in only uppercase characters, and low resolution (128×48) graphics. It’s doing this over Ethernet with a very cool Model I System Expander (MISE) that brings the lowly Trash-80 into the modern era.

The MISE is capable of booting from CF cards, driving an SVGA display and connecting to 10/100 Ethernet. Connecting to the Internet over Ethernet is one thing, but requesting and loading a web page is another thing entirely. There’s not much chance of large images or gigantic walls of text fitting in the TRS-80’s RAM, so [Pete] is using a proxy server on an Amazon Web Services box. This proxy is written in Java, but the code running on the TRS-80 is written entirely in Z80 assembly; not bad for [Pete]’s first project in Z80 assembly.


vt100normal The Hackaday Retro Edition is our celebration of old computers doing something modern, in most cases loading the old, no CSS or Javascript version of our site.

If you have an old computer you’d like featured, just load up the retro site, snap some pictures, have them developed, and send them in.