This week, Jonathan Bennett and Jeff Massie talk with Julian Lam about NodeBB! It’s modern forum software that actually has some neat tricks up its proverbial sleeves. From forking of forum threads when conversations differ, to new integration with ActivityPub and Mastodon. It’s forums like you’ve never quite seen them.
Continue reading “FLOSS Weekly Episode 773: NodeBB — Don’t Do The Math”
Github is struggling to keep up with a malware campaign that’s a new twist on typosquatting. The play is straightforward: Clone popular repositories, add malware, and advertise the forks as the original. Some developers mistake the forks for the real projects, and unintentionally run the malware. The obvious naming choice is forksquatting, but the researchers at apiiro went with the safer name of “Repo Confusion”.
The campaign is automated, and GitHub is aware of it, with the vast majority of these malicious repositories getting removed right away. For whatever reason, the GitHub algorithm isn’t catching all of the new repos. The current campaign appears to publishing millions of forks, using code from over 100,000 legitimate projects. It’s beginning to seem that the squatting family of attacks are here to stay.
The RustDesk remote access software is interesting, as it’s open source, allows self-hosting, and written in Rust. I’ve had exploring RustDesk as a todo item for a long time, but a bit of concerning drama has just finished playing out. A user pointed out back in November that a test root certificate was installed as part of the RustDesk installation. That root cert is self-signed with SHA1. There is also concern that the RustDesk binaries are signed with a different certificate.
There have been new events since then. First, there was a Hacker News thread about the issue earlier this month. The next day, CVE-2024-25140 was registered with NIST, ranking an insane CVE 9.8 CVSS. Let’s cut through some FUD and talk about what’s really going on.
Continue reading “This Week In Security: Forksquatting, RustDesk, And M&Ms”
This week, Jonathan Bennett and Elliot Williams talk with Eben Upton about the Raspberry Pi! The conversation covers the new Pi 5, the upcoming CM5, the possible Pi500, and the Initial Public Offering (IPO) that may happen before too long. There’s also the PCIe port, the RP1, and the unexpected effects of using Broadcom chips. And then we ask the Billion Dollar question: What’s the money from an IPO going to fund? New hardware, software upgrades, better documentation? Nope, and the answer surprised us, too.
Continue reading “FLOSS Weekly Episode 772: Raspberry Pi From The Man Himself”
For a smart home company with an emphasis on cloud-connected cameras, what could possibly be worse than accidentally showing active cameras to the wrong users? Doing it again, to far more users, less than 6 months after the previous incident.
The setup for this breach was an AWS problem, that caused a Wyze system outage last Friday morning. As the system was restored, the load spiked and a caching library took the brunt of the unintentional DDoS. This library apparently has a fail state of serving images and videos to the wrong users. An official report from Wyze mentions that this library had been recently added, and that the number of thumbnails shown to unauthorized users was around 13,000. Eek. There’s a reason we recommend picking one of the Open Source NVR systems here at Hackaday.
A pair of vulnerabilities in ConnectWise ScreenConnect were announced this week, Proof of Concepts were released, and are already being used in active exploitation. The vulnerabilities are a CVSS 10.0 authentication bypass and a CVSS 8.4 path traversal bypass.
Huntress has a guide out, detailing how embarrassingly easy the vulnerabilities are to exploit. The authentication bypass is a result of a .Net quirk, that adding an additional directory on the end of a .aspx URL doesn’t actually change the destination, but is captured as PathInfo. This allows a bypass of the protections against re-running the initial setup wizard: hostname/SetupWizard.aspx/literallyanything
The second vulnerability triggers during extension unpack, as the unzipping process doesn’t prevent path traversal. The most interesting part is that the unzip happens before the extension installation finishes. So an attacker can compromise the box, cancel the install, and leave very little trace of exploitation. Continue reading “This Week In Security: Wyze, ScreenConnect, And Untrustworthy Job Postings”
This week, Jonathan Bennett and Dan Lynch talk with Shawn W Dunn about openSUSE Kalpa, the atomic version of openSUSE Tumbleweed, with a KDE twist. What exactly do we mean by an Atomic desktop? Is ALP going to replace openSUSE Tumbleweed? Are snaps coming to Kalpa?
Shawn gives us the rundown of all the above, and what’s holding back a stable release of Kalpa, what’s up with Project Greybeard, and why Kalpa really doesn’t need a firewall.
Continue reading “FLOSS Weekly Episode 771: Kalpa — Because Nobody Knows What Hysteresis Is”
When you find a portable TV from the 1980s, and it reminds you of the portable Commodore 64, there’s only one thing to be done. [Aaron Newcomb] brings us the story of taking an Emerson PC-6 and mating it to the guts of his THEC64 Mini. It’s a bit of a journey, as the process includes modding the TV to include a composite input and trimming some unused PCB off the TV’s mainboard. Then some USB ports and a three-and-a-half inch floppy drive were shoehorned into the chassis, with the rear battery compartment holding the parts from THEC64 Mini.
The build was not entirely without issue. It turns out the degaussing coil connector can plug perfectly into the service port, and Murphy’s law proved itself true again. But no harm was done, and the error was quickly discovered. All that was left was to button the chassis back up and add some paint and 3d-printed trim details. The build looks great! Come back after the break to watch the video from the [Retro Hack Shack] for yourself.
Reading through a vulnerability report about ClamAV, I came across a phrase that filled me with dread: “The file name is not sanitized”. It’s a feature, VirusEvent, that can be enabled in the ClamnAV config. And that configuration includes a string formatting function, where the string includes %v and %s, which gets replaced with a detected virus name and the file name from the email. And now you see the problem, I hope: The filename is attacker supplied input.
Where this really gets out of hand is what ClamAV does with this string. execle("/bin/sh", "sh", "-c", buffer_cmd, NULL, env). So let’s talk defensive program design for a minute. When it comes to running a secondary command, there are two general options, system() and the exec*() family of system calls. system() is very simple to use. It pauses execution of the main process and asks the operating system to run a string, just as if the user had typed that command into the shell. While this is very convenient to use, there is a security problem if any of that command string is user-supplied. All it takes is a semicolon or ampersand to break assumptions and inject a command.
To the rescue comes exec(). It’s a bit more complicated to use, requiring the programmer to manually call fork() and wait(). But it’s not running the command via the shell. exec() executes a program directly, totally eliminating the potential for command injection! Except… oops.
Yeah, exec() and related calls don’t offer any security protections when you use them to execute /bin/sh. I suspect the code was written this way to allow running a script without specifying /bin/sh in the config. The official fix was to disable the filename format character, and instead supply it as an environment variable. That certainly works, and that fix is available in 1.0.5, 1.2.2, and 1.3.0.
The real danger here is that we have another case where some hardware appliance manufacturer has used ClamAV for email filtering, and uses this configuration by default. That’s how we get orders from CISA to unplug your hardware, because it’s already compromised. Continue reading “This Week In Security: Filename Not Sanitized, MonikerLink, And Snap Attack!”
