Day: January 17, 2025

This Week In Security: Rsync, SSO, And Pentesting Mushrooms

January 17, 2025 by 14 Comments

Up first, go check your machines for the rsync version, and your servers for an exposed rsync instance. While there are some security fixes for clients in release 3.4.0, the buffer overflow in the server-side rsync daemon is the definite standout. The disclosure text includes this bit of nightmare fuel: “an attacker only requires anonymous read access to a rsync server, such as a public mirror, to execute arbitrary code on the machine the server is running on.”

A naive search on Shodan shows a whopping 664,955 results for rsync servers on the Internet. Red Hat’s analysis gives us a bit more information. The checksum length is specified by the remote client, and an invalid length isn’t properly rejected by the server. The effect is that an attacker can write up to 48 bytes into the heap beyond the normal checksum buffer space. The particularly dangerous case is also the default: anonymous access for file retrieval. Red Hat has not identified a mitigation beyond blocking access.

If you run servers or forward ports, it’s time to look at ports 873 and 8873 for anything listening. And since that’s not the only problem fixed, it’s really just time to update to rsync 3.4.0 everywhere you can. While there aren’t any reports of this being exploited in the wild, it seems like attempts are inevitable. As rsync is sometimes used in embedded systems and shipped as part of appliances, this particular bug threatens to have quite the long tail. Continue reading “This Week In Security: Rsync, SSO, And Pentesting Mushrooms”

Modding A Toddler’s Ride-On For More Grunt

January 17, 2025 by 6 Comments

Kids love their Power Wheels and other ride-on electric cars. Indeed, [Ashwin]’s son was digging his little ATV, but soon found that some care was needed on the pedal. It had no proper throttle control, instead turning the motor hard on or off and scaring the poor kid in the process. The solution? A bit of an upgrade from some off-the-shelf electronics.

Inspiration came from—where else—the /r/PowerWheelsMods subreddit. The main tweak was to install an off-the-shelf soft-start circuit to stop the motor banging hard on when the accelerator was pushed. Instead, when the accelerator is pushed, the module gradually ramps up its PWM output to the motor to smooth out the acceleration curve. This would make the ATV much easier to ride.

Implementing this off-the-shelf solution did take some doing, though. The first attempt ended with a short circuit and a blown fuse. However, [Ashwin] wasn’t deterred—a trip back online to do some research did the trick. With some careful wiring that took into account the crude forward and reverse circuit, [Ashwin] had a much smoother running ride-on for his son.

While most of the mods we see for these little ride-ons are all about power and speed, we do appreciate the occasional attempt to make the things a bit safer for younger drivers. If you’re brewing up your own fancy kidmobile at home—don’t hesitate to let us know!

Close up of a Sony FX-300 'Jackal' radio

Packing Even More Features Into A Classic Radio

January 17, 2025 by 11 Comments

When it comes to hacking niches, breathing new life into vintage devices is always an exciting challenge. [t0mg]’s recent project exemplifies this with his 1978 Sony FX-300 ‘Jackal’ radio. He’d already upgraded the radio in 2021 and turned it into a feature-packed marvel, but there’s always room for improvement.

[t0mg]’s initial 2021 build had its quirks: noisy sound, a subpar display, and a non-functional radio module. Determined to enhance these aspects, he sourced an IPS version of the original 3.2″ ILI9431 LCD, significantly improving viewing angles. To tackle the audio issues, he integrated an M5Stack Atom microcontroller, utilizing its Bluetooth A2DP capabilities to deliver cleaner digital sound via I2S to the Teensy audio board. The Teensy itself got a complete wire overhaul just for the sake of good craftmanship.

The new setup also enabled the display of song metadata. Additionally, [t0mg] incorporated a dedicated Arduino Nano clone to manage inputs, streamlining the overall design. The revamped ‘Jackal’ now boasts a bunch of impressive features such as displaying RDS data for FM stations, voice recording, and an NFC reader for personalized playlists.

If you’re into radio makeovers, look into this post for a real golden oldie, or start out with the basics. For [t0mg]’s earlier improved version of this Jackal, read our article on it here.

Continue reading “Packing Even More Features Into A Classic Radio”