Day: January 31, 2020

The Multiyear Hunt For A Gameboy Game’s Bug

January 31, 2020 by 7 Comments

[Enddrift] had a real problem trying to run a classic game, Hello Kitty Collection: Miracle Fashion Maker, into a GBA (Gameboy Advance) emulator. During startup, the game would hit an endless loop waiting for a read from a non-existent memory location and thus wouldn’t start under the emulator. The problem is, the game works on real hardware even though that memory doesn’t exist there, either.

To further complicate things, a similar bug exists when loading a saved game under Sonic Pinball Party. Then a hack for Pokemon Emerald surfaced that helped break the case. The story is pretty interesting.

Continue reading “The Multiyear Hunt For A Gameboy Game’s Bug”

This Week In Security: OpenSMTPD, Kali Release, Scareware, Intel, And Unintended Consequences

January 31, 2020 by 15 Comments

If you run an OpenBSD server, or have OpenSMTPD running on a server, go update it right now. Version 6.6.2, released January 28th, fixes an exploit that can be launched locally or remotely, simply by connecting to the SMTP service. This was found by Qualys, who waited till the update was released to publish their findings.

It’s a simple logic flaw in the code that checks incoming messages. If an incoming message has either an invalid sender’s username, or invalid domain, the message is sent into error handling logic. That logic checks if the domain is an empty string, in which case, the mail is processed as a local message, sent to the localhost domain. Because the various parts of OpenSMTPD operate by executing commands, this logic flaw allows an attacker to inject unexpected symbols into those commands. The text of the email serves as the script to run, giving an attacker plenty of room to totally own a system as a result.

Browser Locker

“Your browser has been locked to prevent damage from a virus. Please call our Windows help desk immediately to prevent further damage.” Sound familiar? I can’t tell you how many calls I’ve gotten from freaked-out customers, who stumbled upon a scare-ware site that locked their browser. This sort of scam is called a browlock, and one particular campaign was pervasive enough to catch the attention of the researchers at Malwarebytes (Note, the picture at the top of their article says “404 error”, a reference to a technique used by the scam. Keep reading, the content should be below that.).

“WOOF”, Malwarebyte’s nickname for this campaign, was unusual both in its sophistication and the chutzpah of those running it. Browsers were hit via ads right on the MSN homepage and other popular sites. Several techniques were used to get the malicious ads onto legitimate sites. The most interesting part of the campaign is the techniques used to only deliver the scareware payload to target computers, and avoid detection by automated scanners.

It seems that around the time Malwarebytes published their report, the central command and control infrastructure behind WOOF was taken down. It’s unclear if this was a coincidence, or was a result of the scrutiny they were under from the security community. Hopefully WOOF is gone for good, and won’t simply show up at a different IP address in a few days.

Kali Linux

Kali Linux, the distribution focused on security and penetration testing, just shipped a shiny new release. A notable new addition to the Kali lineup is a rootless version of their Android app. Running an unrooted Android, and interested in having access to some security tools on the go? Kali now has your back.

Not all the tools will work without root, particularly those that require raw sockets, and sending malformed packets. It’s still a potentially useful tool to put into your toolbox.

Cacheout, VRD, and Intel iGPU Leaks

Intel can’t catch a break, with three separate problems to talk about. First up is cacheout, or more properly, CVE-2020-0549, also known as L1DES. It’s a familiar song and dance, just a slightly different way to get there. On a context switch, data in the Level 1 cache isn’t entirely cleared, and known side-channel attacks can be used to read that data from unprivileged execution.

VRD, Vector Register Sampling, is another Intel problem just announced. So far, it seems to be a less exploitable problem, and microcode updates are expected soon to fix the issue.

The third issue is a bit different. Instead of the CPU, this is a data leak via the integrated GPU. You may be familiar with the most basic form of this problem. Some video games will flash garbage on the screen for a few moments while loading. In some cases, rather than just garbage, images, video stills, and other graphics can appear. Why? GPUs don’t necessarily have the same strict separation of contexts that we expect from CPUs. A group of researchers realized that the old assumptions no longer apply, as nearly every application is video accelerated to some degree. They published a proof of concept, linked above, that demonstrates the flaw. Before any details were released, Phoronix covered the potential performance hit this would cause on Linux, and it’s not great.

Unintended Legal Consequences

Remember the ransomware attack that crippled Baltimore, MD? Apparently the Maryland legislature decided to step in and put an end to ransomware, by passing yet another law to make it illegal. I trust you’ll forgive my cynicism, but the law in question is a slow-moving disaster. Among other things, it could potentially make the public disclosure of vulnerabilities a crime, all while doing absolutely nothing to actually make a difference.

GE Medical Equipment Scores 10/10

While scoring a 10 out of 10 is impressive, it’s not something to be proud of, when we’re talking about a CVE score, where it’s the most critical rating. GE Healthcare, subsidiary of General Electric, managed five separate 10.0 CVEs in healthcare equipment that they manufacture, and an 8.5 for a sixth. Among the jewels are statements like:

In the case of the affected devices, the configuration also contains a private key. …. The same private key is universally shared across an entire line of devices in the CARESCAPE and GE Healthcare family of products.

The rest of the vulnerabilities are just as crazy. Hard-coded SMB passwords, a network KVM that has no credential checking, and ancient VNC versions. We’ve known for quite some time that some medical equipment is grossly insecure. It will apparently take a security themed repeat of the Therac-25 incident before changes take place.

Odds’n’ends

The Windows 7 saga continues, as Microsoft’s “last” update for the venerable OS broke many users’ desktop backgrounds. Microsoft plans to release a fix.

Firefox purged almost 200 extensions from their official portal over the last few weeks. It was found that over 100 extensions by 2Ring was secretly pulling and running code from a central server.

The Citrix problems we discussed last week has finally been addressed, and patches released, but not soon enough to prevent the installation of future-proof backdoors on devices in the wild. There are already plenty of reports of compromised devices. Apparently the exploitation has been so widespread, that Citrix has developed a scanning tool to check for the indicators of compromise (IoCs) on your devices. Apply patch, check for backdoors.

Sonic The Hedgehog Self-Balancing Robot Can Bend At The Knees

January 31, 2020 by 4 Comments

Building your own self-balancing robot is a rite of passage for anyone getting into the field of robotics. Master of robots, [James Bruton] has been there, done that, and collected a few T-shirts. Now he’s building a large Sonic the Hedgehog self balancing robot that can bend at the knees and hip, allowing it to lean while turning and handle uneven terrain. Check out the first video embedded after the break.

Standing about 1 m tall, the robot is inspired by Boston Dynamic’s box handling bot, Handle. It’s “skeleton” consists of 20×20 aluminium extrusions, bolted together using a bunch of 3D printed fittings in the signature blue and red of Sonic. The wheels and tyres are also 3D printed, and driven by brushless motor via a toothed belt. The knee/hip mechanism is actuated using a ball screw, also driven by a brushless motor.

[James] intends to implement an active shock absorption system into the leg mechanism, using the same technique he tried on his OpenDog robot. It works by bolting a load cell onto one of the leg extrusion to sense when it flexes under load, and then actuating the knee mechanism to absorb the force. His first version of the system on OpenDog used PWM signals to send the load cell data to the main controller, but the motors on the legs induced enough noise in the signal wires to make it unusable. He has since started experimenting with the CAN bus protocol, which was specifically designed to work reliably in noisy systems like modern automobiles. If he gets it working on the two legs of this Sonic robot, he plans to also implement it on the quadruped OpenDog.

Continue reading “Sonic The Hedgehog Self-Balancing Robot Can Bend At The Knees”

This Crossbow Fires Cannonballs!

January 31, 2020 by 9 Comments

The would-be invader of a mediaeval kingdom could expect to face some stern opposition from a variety of formidable weaponry. Making modern versions of these deadly curiosities seems to be a popular pursuit, and the bug has bitten [Turbo Conquering Mega Eagle], who’s created what he calls a “Stonebow”, a crossbow on steroids that fires stones or large ball bearings with considerable force.

It uses a couple of leaves from automotive springs, mounted in a welded steel riser with two strings and a pouch for the projectile. The barrel is an oak fencing post, and at its other end is a cocking lever which also forms a stock, and a cleverly designed trigger mechanism. The projectile is loaded, the bow is cocked, and it is fired at a scrap Land Rover radiator in which it places a satisfying impact mark.

Despite two successful firings it’s evident that so much force isn’t easy to contain. The crimps that secure the strings aren’t up to the job, and neither is the oak fence post, which has cracked at the end. We trust that our Essex hacker friend will return having fixed these flaws, and more defenceless scrap car parts will be sacrificed for our entertainment.

We’ve featured [Turbo Conquering Mega Eagle] before, most recently building a mini-bike for his youngsters. Meanwhile, enjoy the Stonebow in the video below the break.

Continue reading “This Crossbow Fires Cannonballs!”