This Week In Security: Unicode Strikes Again, Trust No One (Redditor), And More

There’s a popular Sysadmin meme that system problems are “always DNS”. In the realm of security, it seems like “it’s always Unicode”. And it’s not hard to see why. Unicode is the attempt to represent all of Earth’s languages with a single character set, and that means there’s a lot of very similar characters. The two broad issues are that human users can’t always see the difference between similar characters, and that libraries and applications sometimes automatically convert exotic Unicode characters into more traditional text.

This week we see the resurrection of an ancient vulnerability in PHP-CGI that allows injecting command line switches when a web server launches an instance of PHP-CGI. The original fix was to block certain characters at specific positions in query strings, such as a query string starting with a dash.

The bypass is due to a Windows feature, “Best-Fit”, an automatic down-convert from certain Unicode characters. This feature works on a per-locale basis, which means that not every system language behaves the same. The exact bypass that has been found is the conversion of a soft hyphen, which doesn’t get blocked by PHP, into a regular hyphen, which can trigger the command injection. This quirk only happens when the Windows locale is set to Chinese or Japanese. Combined with the relative rarity of running PHP-CGI, and PHP on Windows, this is a pretty narrow problem. The XAMPP install does use this arrangement, so those installs are vulnerable, again if the locale is set to one of these specific languages. The other thing to keep in mind is that the Unicode character set is huge, and it’s very likely that there are other special characters in other locales that behave similarly.
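The general lesson here is that a filter which inspects the pretty Unicode input is checking something the downstream consumer never sees. The following Python is an added illustration, not code from PHP, Hackaday, or the researchers: it models the Best-Fit down-conversion with a constructed one-entry table (the real mappings are per-locale and applied by Windows itself, so this is an assumption, not the real table), shows why a check on the raw string lets the soft hyphen through, and then shows the defender-side fix of validating the canonical form, plus a small log-audit helper for spotting such look-alike requests after the fact.

```python
import unicodedata

# Constructed stand-in for the Windows "Best-Fit" down-conversion described above.
# Assumption: only the soft hyphen (U+00AD) -> '-' mapping is modelled; the real
# tables are per-locale, much larger, and applied by the OS, not by PHP itself.
BEST_FIT_TABLE = {"\u00ad": "-"}


def best_fit_downconvert(text: str) -> str:
    """Simulate the lossy Unicode-to-ANSI conversion a Windows process may apply
    before a child process such as PHP-CGI ever sees its arguments."""
    return "".join(BEST_FIT_TABLE.get(ch, ch) for ch in text)


def naive_leading_dash_check(query: str) -> bool:
    """The kind of check that gets bypassed: look at the raw Unicode query string
    for a leading '-' and accept anything else."""
    return not query.startswith("-")


def hardened_leading_dash_check(query: str) -> bool:
    """Validate the representation the consumer will actually see.

    1. Run the same lossy conversion the downstream consumer is subject to and
       check that result, not the original Unicode input.
    2. Also fold compatibility variants with NFKC, which maps e.g. the fullwidth
       hyphen-minus U+FF0D to '-', so other look-alike dashes are caught as well.
    """
    candidates = (
        best_fit_downconvert(query),
        unicodedata.normalize("NFKC", query),
    )
    return not any(c.startswith("-") for c in candidates)


def audit_query_log(lines):
    """Detection helper: return (line_number, query) for every logged query string
    that the naive check would accept but whose canonical form starts with '-'.
    Handy for scanning existing web server logs for bypass attempts."""
    findings = []
    for n, query in enumerate(lines, start=1):
        if naive_leading_dash_check(query) and not hardened_leading_dash_check(query):
            findings.append((n, query))
    return findings


# Constructed sample log entries (not real traffic): a benign request, a plain
# leading-dash request the original fix already blocks, a soft-hyphen variant,
# and a fullwidth-dash variant that NFKC folds to a plain dash.
SAMPLE_QUERIES = [
    "page=1&lang=en",
    "-x",          # blocked by the naive check already
    "\u00adx",     # soft hyphen: passes the naive check, down-converts to "-x"
    "\uff0dx",     # fullwidth hyphen-minus: NFKC folds it to "-x"
]

if __name__ == "__main__":
    for n, q in audit_query_log(SAMPLE_QUERIES):
        print(f"line {n}: {q!r} -> canonical {best_fit_downconvert(q)!r}")
```

The design point is that canonicalization must happen before validation, and it must mirror whatever conversion the real consumer performs; the NFKC pass is an extra net for other look-alike characters, not a substitute for knowing what the OS or runtime will do with the bytes.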

Downloader Beware

The ComfyUI project is a flowchart interface for doing AI image generation workflows. It’s an easy way to build complicated generation pipelines, and the community has stepped up to build custom plugins and nodes for generation. The thing is, it’s not always the best idea to download and run code from strangers on the Internet, as a group of ComfyUI users found out the hard way this week. The ComfyUI_LLMVISION node from u/AppleBotzz was malicious.

The node references a malicious Python package that grabs browser data and sends it all off to Discord or Pastebin. It appears that some additional malware gets installed for continued access to infected systems. It’s a rough way to learn.

A Super-Simple Standalone WSPR Beacon

We’ve said it before and we’ll say it again: being able to build your own radios is the best thing about being an amateur radio operator. Especially low-power transmitters; there’s just something about having the know-how to put something on the air that’ll reach across the planet on a power budget measured in milliwatts.

This standalone WSPR beacon is a perfect example. If you haven’t been following along, WSPR stands for “weak-signal propagation reporter,” and it’s a digital mode geared for exploring propagation that uses special DSP algorithms to decode signals that are far, far down into the weeds; signal-to-noise ratios of -28 dBm are possible with WSPR.

Because of the digital nature of WSPR encoding and the low-power nature of the mode, [IgrikXD] chose to build a standalone WSPR beacon around an ATMega328. The indispensable Si5351 programmable clock generator forms the RF oscillator, the output of which is amplified by a single JFET transistor. Because timing is everything in the WSPR protocol, the beacon also sports a GPS receiver, ensuring that signals are sent only and exactly on the even-numbered minutes. This is a nice touch and one that our similar but simpler WSPR beacon lacked.

This beacon had us beat on performance, too. [IgrikXD] managed to hit Texas and Colorado from the edge of the North Sea on several bands, which isn’t too shabby at all with a fraction of a watt.

Thanks to [STR-Alorman] for the tip.

[via r/amateurradio]

2024 Business Card Challenge: T-800’s 555 Brain

In Terminator 2: Judgment Day it’s revealed that Skynet becomes self-aware in August of 1997, and promptly launches a nuclear attack against Russia to draw humanity into a war which ultimately leaves the door open for the robots to take over. But as you might have noticed, we’re not currently engaged in a rebellion against advanced combat robots.

The later movies had to do some fiddling with the timeline to explain this discrepancy, but looking at this 2024 Business Card Challenge entry from [M. Bindhammer] we think there’s another explanation for the Judgment Day holdup — so long as the terminators are rocking 555 timers in their chrome skulls, we should be safe.

While the classic timer chip might not be any good for plotting world domination, it sure does make for a great way to illuminate this slick piece of PCB art when it’s plugged into a USB port. Exposed copper and red paint are used to recreate the T-800’s “Brain Chip” as it appeared in Terminator 2, so even when the board isn’t powered up, it looks fantastic on display. The handful of components are around the back side, which is a natural place to put some info about the designer. Remember, this is technically supposed to be a business card, after all.
