Day: August 30, 2024

This Week In Security: The Rest Of The IPv6 Story, CVE Hunting, And Hacking The TSA

August 30, 2024 by 1 Comment

We finally have some answers about the Windows IPv6 vulnerability — and a Proof of Concept! The patch was a single change in the Windows TCP/IP driver’s Ipv6pProcessOptions(), now calling IppSendError() instead of IppSendErrorList(). That’s not very helpful on its own, which is why [Marcus Hutchins]’s analysis is so helpful here. And it’s not an easy task, since decompiling source code like this doesn’t give us variable names.

The first question that needs answered is what is the list in question? This code is handling the option field in incoming IPv6 packets. The object being manipulated is a linked list of packet structs. And that linked list is almost always a single member list. When calling IppSendErrorList() on a list with a single member, it’s functionally equivalent to the IppSendError() in the fixed code. The flaw must be in the handling of this list with multiple members. The only way to achieve that criteria is to send a lot of traffic at the machine in question, so it can’t quite keep up with processing packets one at a time. To handle the high throughput, Windows will assemble incoming packets into a linked list and process them in batch.

So what’s next? IppSendErrorList(), takes a boolean and passes it on to each call of IppSendError(). We don’t know what Microsoft’s variable name is, but [Marcus] is calling it always_send_icmp, because setting it to true means that each packet processed will generate an ICMP packet. The important detail is that IppSendError() can have side effects. There is a codepath where the packet gets reverted, and the processing pointer is set back to the beginning of the packet. That’s fine for the first packet in the list, but because the function processes errors on the entire list of packets, the state of the rest of those packets is now much different from what is expected.

This unexpected but of weirdness can be further abused through IPv6 packet fragmentation. With a bit of careful setup, the reversion can cause a length counter to underflow, resulting in data structure corruption, and finally jumping code execution into the packet data. That’s the Remote Code Execution (RCE). And the good news, beyond the IPv6-only nature of the flaw, is that so far it’s been difficult to actually pull the attack off, as it relies on this somewhat non-deterministic “packet coalescing” technique to trigger the flaw.

Continue reading “This Week In Security: The Rest Of The IPv6 Story, CVE Hunting, And Hacking The TSA”

New 2 GB Raspberry Pi 5 Has Smaller Die And 30% Lower Idle Power Usage

August 30, 2024 by 16 Comments

Recently Raspberry Pi released the 2GB version of the Raspberry Pi 5 with a new BCM2712 SoC featuring the D0 stepping. As expected, [Jeff Geerling] got his mitts on one of these boards and ran it through its paces, with positive results. Well, mostly positive results — as the Geekbench test took offence to the mere 2 GB of RAM on the board and consistently ran out of memory by the multi-core Photo Filter test, as feared when we originally reported on this new SBC. Although using swap is an option, this would not have made for a very realistic SoC benchmark, ergo [Jeff] resorted to using sysbench instead.

Naturally some overclocking was also performed, to truly push the SoC to its limits. This boosted the clock speed from 2.4 GHz all the way up to 3.5 GHz with the sysbench score increasing from 4155 to 6068. At 3.6 GHz the system wouldn’t boot any more, but [Jeff] figured that delidding the SoC could enable even faster speeds. This procedure also enabled taking a look at the bare D0 stepping die, revealing it to be 32.5% smaller than the previous C1 stepping on presumably the same 16 nm process.

Although 3.5 GHz turns out to be a hard limit for now, the power usage was interesting with idle power being 0.9 watts lower (at 2.4 W) for the D0 stepping and the power and temperatures under load also looked better than the C1 stepping. Even when taking the power savings of half the RAM versus the 4 GB version into account, the D0 stepping seems significantly more optimized. The main question now is when we can expect to see it appear on the 4 and 8 GB versions of the SBC, though the answer there is likely ‘when current C1 stocks run out’.

Two types of polymer clay hand warmers with a digital temperature controller.

Adjustable Electric Hand Warmers

August 30, 2024 by 6 Comments

It may be the last gasp of summer here in the Northern Hemisphere, but it’s always cold somewhere, whether it’s outdoors or inside. If you suffer from cold, stiff hands, you know how difficult it can be to work comfortably on a computer all day. Somehow, all that typing and mousing does little to warm things up. What you need are hand warmers, obviously, and they might as well be smart and made to fit your hands.

Using a heat gun to cure polymer clay. Fifteen-year-old [Printerforge] created these bad boys in an effort to learn how to code LCDs and control heat like Magneto controls ferrous metals. Thanks to digital control, they can heat up to specific temperatures, and they happen to run for a long time.

Power-wise, these warmers use a 18650 cell and a TP4056 charging module. Everything is controlled by an Arduino Nano, which reads from both a thermistor and a potentiometer to control the output.

[Printerforge] really thought this project through, as you’ll see in the Instructable. There’s everything from a table of design requirements to quick but thorough explanations of nichrome wire and basic electronic theory.

And then there’s the material consideration. [Printerforge] decided that polymer clay offers the best balance of heat conductivity and durability. They ended up with two styles — flat, and joystick grip. The best part is, everything can fit in a generous pocket.

Clay is good for a lot of things, like making the perfect custom mouse.