What’s round, has what looks like a vacuum tube in the center, and was made in the 1950s by HP? We don’t know either, but [The Signal Path] restored one and shows us this mystery instrument in a recent video that you can see below. We aren’t going to spoil the surprise over what the device is, but we will share that he does reveal what it is very early in the video, so there’s not much of a tease.
We will, however, give you a few hints. Looking at it, you can guess that it is meant for high voltage use and, in fact, it is rated for up to 25 kV. We’ll also drop the hint that it is made for use with AC, not DC. The shape of the plug at the end of the wire is also a clue, we think.
There isn’t much inside the unusual round case (another clue, by the way), but there are some vintage parts we haven’t seen in quite awhile. One last clue: Why is there a metal rod and ball sticking out of one side of the device?
Honestly, the insides are a bit underwhelming so unlike some teardown videos we’ve seen, the real star of this video is the unusual device more so than its inner workings. If you have a hankering for a more sophisticated HP exploration, check out the HP3458A repair we covered earlier. Or go old school and peek inside an HP 150A.
The government of Argentina has a national ID card system, and as a result maintains a database containing data on every citizen in the country. What could possibly go wrong? Predictably, an attacker has managed to gain access to the database, and is offering the entire dataset for sale. The Argentinian government has claimed that this wasn’t a mass breach, and only a handful of credentials were accessed. This seems to be incorrect, as the seller was able to provide the details of an arbitrary citizen to the journalists investigating the story.
Patch Tuesday
Microsoft has released their monthly round of patches for October, and there are a couple doozies. CVE-2021-40486 is an RCE in Microsoft Word, and this flaw can trigger via the preview pane. CVE-2021-38672 and CVE-2021-40461 are both RCE vulnerabilities in Hyper-V. And finally, CVE-2021-40449 is a privilege upgrade actively being used in the wild, more on that in a moment. Oh, and you thought the Print Nightmare was over? CVE-2021-36970 is yet another print spooler vulnerability. The unfortunate thing about the list of Microsoft vulnerabilities is that there is hardly any information available about them.
On the other hand, Apple just patched CVE-2021-30883, a 0-day that’s being actively exploited in iOS. With the release of the fix, [Saar Amar] has put together a very nice explanation of the bug with PoC. It’s a simple integer overflow when allocating a buffer, leading to an arbitrary memory write. This one is particularly nasty, because it’s not gated behind any permissions, and can be triggered from within app sandboxes. It’s being used in the wild already, so go update your iOS devices now.
Kaspersky brings us a report on a CVE-2021-40449 being used in the wild. It’s part of an attack they’re calling MysterySnail, and seems to originate from IronHusky out of China. The vulnerability is a use-after-free, and is triggered by making a the ResetDC API call that calls its own callback. This layer of recursive execution results in an object being freed before the outer execution has finished with it.
Since the object can now be re-allocated and controlled by the attacker code, the malformed object allows the attacker to run their code in kernel space, achieving privilege escalation. This campaign then does some data gathering and installs a Remote Access Trojan. Several Indicators of Compromise are listed as part of the write-up.
Off to the Races
Google’s Project Zero is back with a clever Linux Kernel hack, an escalation of privilege triggered by a race condition in the pseudoterminal device. Usually abbreviated PTY, this kernel device can be connected to userspace applications on both ends, making for some interesting interactions. Each end has a struct that reflects the status of the connection. The problem is that TIOCSPGRP, used to set the process group that should be associated with the terminal, doesn’t properly lock the terminal’s internal state.
As a result, calling this function on both sides at the same time is a race condition, where the reference count can be corrupted. Once the reference count is untrustworthy, the whole object can be freed, with a dangling pointer left in the kernel. From there, it’s a typical use-after-free bug. The post has some useful thoughts about hardening a system against this style of attack, and the bug was fixed December 2020.
AI vs Pseudorandom Numbers
[Mostafa Hassan] of the NCC Group is doing some particularly fascinating research, using machine learning to test pseudorandom number generators. In the first installment, he managed to break the very simple xorshift128 algorithm. Part two tackles the Mersenne Twister, which also falls to the neural network. Do note that neither of these are considered cryptographic number generators, so it isn’t too surprising that a ML model can determine their internal state. What will be most interesting is the post to come, when he tackles other algorithms thought to be secure. Watch for that one in a future article.
L0phtcrack Becomes Open Source
In a surprise to me, the L0phtcrack tool has been released as open source. L0phtcrack is the password cracking/auditing tool created by [Mudge] and company at L0pht Heavy Industries, about a billion years ago. Ownership passed to @stake, which was purchased by Symantec in 2004. Due to export regulations, Symantec stopped selling the program, and it was reacquired by the original L0pht team.
In April 2020, Terahash announced that they had purchased rights to the program, and began selling and supporting it as a part of their offerings. Terahash primarily builds GPU based cracking hardware, and has been hit exceptionally hard by the chip shortage. As a result of Terahash entering bankruptcy protection, the L0phtcrack ownership has reverted back to L0pht, and version 7.2.0 has been released as Open Source.
Once launched, most spacecraft are out of reach of any upgrades or repairs. Mission critical problems must be solved with whatever’s still working on board, and sometimes there’s very little time. Recently ESA’s INTEGRAL team was confronted with a ruthlessly ticking three hour deadline to save the mission.
European Space Agency INTErnational Gamma-Ray Astrophysics Laboratory is one of many space telescopes currently in orbit. Launched in 2002, it has long surpassed its original designed lifespan of two or three years, but nothing lasts forever. A failed reaction wheel caused the spacecraft to tumble out of control and its automatic emergency recovery procedures didn’t work. Later it was determined those procedures were dependent on the thrusters, which themselves failed in the summer of 2020. (Another mission-saving hack which the team had shared earlier.)
With solar panels no longer pointed at the sun, battery power became the critical constraint. Hampering this time-critical recovery effort was the fact that antenna on a tumbling spacecraft could only make intermittent radio contact. But there was enough control to shut down additional systems for a few more hours on battery, and enough telemetry so the team could understand what had happened. Control was regained using remaining reaction wheels.
INTEGRAL has since returned to work, but this won’t be the last crisis to face an aging space telescope. In the near future, its automatic emergency recovery procedures will be updated to reflect what the team has learned. Long term, ESA did their part to minimize space debris. Before the big heavy telescope lost its thrusters, it had already been guided onto a path which will reenter the atmosphere sometime around 2029. Between now and then, a very capable and fast-reacting operations team will keep INTEGRAL doing science for as long as possible.
While we’ll admit seeing your Game Boy Camera shots come out on a little slip of thermal paper was pretty neat back in 1998, anyone who’s still using the Game Boy Printer these days is probably more interested in getting their images in digital form. Which is why the open source NeoGB Printer is so exciting.
A collaborative effort between [Rafael Zenaro], [Raphaël BOICHOT], and [Brian Khuu], the project combines an ESP32 development board and some common components with their GPLv3 firmware to fully emulate the Game Boy Printer hardware. Once plugged into your Game Boy, any of the 110 titles that support Nintendo’s paper-pushing peripheral will recognize the NeoGB Printer as the real deal and happily send along the image.
But rather than committing it to paper, the NeoGB Printer saves the image to an SD card. From there, you can put the card in your computer and do whatever you wish with the captured files. Incidentally, it turns out there’s already a commercial gadget on the market that does something very similar, but this DIY approach comes well under its $99 USD price tag. In fact, if you’ve got a Game Boy Link Cable you don’t mind cutting up, you’ve probably got everything you need to pull this off in the parts bin right now.
We particularly like how the team has went out of their way to support different hardware configurations for the NeoGB Printer. If you want to go all out and add status LEDs and an OLED display, go for it. But if you just plan on using the thing once to grab a copy of the Pokémon diploma you earned 20 years ago, then you can skip the bells and whistles.
If you’re only worried about getting your snaps out of the Game Boy Camera, we’ve covered projects that will extract them directly from the cartridge. But this approach certainly has its appeal, as works with a much wider variety of games. We’re glad this project exists, as it means a whole new generation can explore all the wacky ways developers came up with to utilize the Game Boy Printer back in the day.
In a surprise to me, 
