This Week In Security: ImageMagick, VBulletin, And Dota 2

February 10, 2023 by Jonathan Bennett 3 Comments

There are a few binaries that wind up running in a bunch of places, silently do their jobs, and being easily forgotten about. ImageMagick is used on many servers for image conversion and resizing, and tends to run automatically on uploaded images. Easily forgotten, runs automatically, and with arbitrary inputs. Yep, perfect target for vulnerability hunting. And the good folks at Metabase found two of them.

First up is CVE-2022-44267, a Denial of Service, when ImageMagick tries to process a rigged PNG that contains a textual chunk. This data type is usually used for metadata, and can include a profile entry for something like EXIF data. If this tag is specified inside a text chunk, ImageMagick looks to the given value as a filename for finding that profile data. And notably, if that value is a dash -, it tries to read from standard input. If the server’s image processing flow doesn’t account for that quirk, and virtually none of them likely do, this means the ImageMagick process hangs forever, waiting for the end of input. So while that’s not usually a critical problem, it could be used for a resource exhaustion attack.

But the real problem is CVE-2022-44268. It’s the same trick, but instead of using - to indicate standard input, the processed image refers to a file on the server filesystem. If the file exists, and can be read, the contents are included in the image output. If the attacker has access to the image, it’s a slick data leak — and obviously a real security problem. If a server doesn’t have tight file permissions and isolation, there’s plenty of sensitive information to be found and abused.

The fix landed back in October 2022, and was part of the 7.1.0-52 release. There’s a bit of uncertainty about which versions are vulnerable, but I wouldn’t trust anything older than that version. It’s a pretty straightforward flaw to understand and exploit, so there’s a decent chance somebody figured it out before now. The file exfiltration attack is the one to watch out for. It looks like there’s an Indicator of Compromise (IoC) for those output PNGs: “Raw profile type”. Continue reading “This Week In Security: ImageMagick, VBulletin, And Dota 2” →

OG DOOM Shows Off The Origins Of Multi-Monitor

February 7, 2023 by Jonathan Bennett 13 Comments

We have a thing for DOOM, and we admit it. The source was released, and clever hackers have ported the engine to every system imaginable. It’s a right of passage, when hacking a machine, to run DOOM on it — be it a VoIP phone, or tractor. But the original 1993 release does have a few notable tricks, and there’s something to be said for recreating that experience on period hardware. And that’s what we’re covering today: [Tech Tangents] discovered DOOM’s multi-monitor support, and built a 4-computer cluster to show it off.

There is a catch, of course. DOOM 1.1 has the multi-monitor support, and under-the-hood, it works by running a copy of the game on individual computers, and controlling the drones over the network. As the game’s network code was updated for version 1.2, the multi-monitor feature was axed to make the network code easier to maintain. So, find a 1.1 shareware release, install it on a DOS machine with IPX drivers, and start each iteration with a -net flag. Use -left and -right to set the drones to the appropriate view. And that view is ninety degrees left and right.

Maybe not ideal, but at the time it was one of the first games to have any sort of multi-monitor support at all. Likely inspired by a commercial flight simulator setup. Either way, it’s a neat feature, and kudos to [Tech Tangents] for showing off this obscure feature of a beloved classic!

Continue reading “OG DOOM Shows Off The Origins Of Multi-Monitor” →

Surfing The Web Like It’s 1978 — Carbonyl

February 6, 2023 by Jonathan Bennett 29 Comments

[Fathy] gets a kick out of doing odd things with Chromium, and Carbonyl is a clever byproduct of that hobby. In this case, it’s what you get when you connect chrome’s renderer to an SVG output module and then convert that SVG to colored characters on a terminal. See, html2svg is an earlier project, taking Chromium’s Skia engine and plugging it into an SVG back-end. And once you have SVG, why not render it to the terminal?

And the results are actually pretty impressive. Imagery is rendered using Unicode 2584, a half-block character. The background and foreground color can be set per character, giving us two controllable pixels per character. Text is handled a bit differently, rendering using the normal text fonts, making for readable pages.

The source is very much a work in progress, but there are some neat ideas already coalescing around the project, like using sixels for better rendering. There’s already decent mouse support and audio output, making for an impressive terminal experience. This might be a project to keep an eye on.

Fulcrum Foils Finger Fatigue

February 4, 2023 by Jonathan Bennett 10 Comments

It turns out that typing all day just might be bad for your hands and fingers. Repetitive Strain Injury, RSI, was a real problem for [David Schiller], particularly when coding. So, naturally, he started designing his own keyboard. And bless him, he’s shared the whole project on GitHub.

The solution is Fulcrum, a chording keyboard with keys that can be pressed with minimal movement. And one more clever trick is a thumb joystick, mounted in the thumb’s opposable orientation. It’s a 5-way switch, making for a bunch of combinations. The base model is a 20-key arrangement, and he’s also designed a larger, 40-key option.

The build is pretty simple, if you have access to a 3D printer. Print the STLs, add key switches, and wire it all up to a microcontroller. Use the supplied code, and all that’s left is to learn all the chord combos. And why stop with combos for single characters, when there are plenty of common words and plenty of key combinations. If you decide to build your own take on the Fulcrum, be sure to let us know about it!

This Week In Security: Github, Google, And Realtek

February 3, 2023 by Jonathan Bennett 4 Comments

GitHub Desktop may have stopped working for you yesterday, Febuary 2nd. The reason was an unauthorized access to some decidedly non-public repositories. The most serious bit of information that escaped was code signing certificates, notably used for GitHub Desktop and Atom. Those certificates were password protected, so it’s unlikely they’ve been abused yet. Even so, Github is taking the proper steps of revoking those certificates.

The only active certificate that was revoked was used for signing the Mac releases of GitHub Desktop, so quite a few older versions of that software is no longer easily installed. If nothing else, it’s a reminder that even a project with a well run security team can have problems.

Sh1mmer-ing Chromebooks

There’s a new, clever attack on the Chromebook, specifically with the goal of unenrolling the device from an educational organization. And the “vulnerability” is a documented feature, the RMA Shim. That’s a special boot loader target that contains a valid signature, but allows the booting of other code, intended for troubleshooting and fixing devices in a repair center. Quite a few of those images have leaked, and Sh1mmer combines the appropriate image with a boot menu with some interesting options.

The first is unenrolling, so the device will act like a privately owned computer. This gets rid of content blocks and allows removing extensions. But wait, there’s more. Like rooting the device, a raw Bash terminal, and re-enabling developer mode. Now, as far as we can tell, this doesn’t *directly* break device encryption, but it’s likely that the RMA shim could be abused to tamper with the device’s filesystem. Meaning that the leak of a bunch of signed shims is a big problem for device security. If you use a Chromebook, it might be time to do some research on whether that model’s shim has been leaked. Continue reading “This Week In Security: Github, Google, And Realtek” →

Wizards Get Creative, Maybe Save The World

January 30, 2023 by Jonathan Bennett 12 Comments

While it’s not normal Hackaday fare, we’ve covered the Dungeons & Dragons licensing kerfuffle, partially because we’re all nerds at heart, and also because it’s worrying that an Open Source styled license could be “deauthorized”. I did touch base with the Open Source Initiative, and got a telling comment that this issue was outside their purview, as the OGL 1.0a didn’t rise to the definition of an OSI approved license, and the update looked to be a disaster.

Since our coverage was published, Wizards of the Coast released part of the Fifth Edition System reference Document (SRD) under a Creative Commons license, removed the profit sharing language from the OGL update, but notably left the language in place about deauthorizing the 1.0a version of the license. As you can imagine, fans were still unamused, and we informed WotC of our displeasure when they launched a survey, asking fans their thoughts on the new license.

And the outpouring was overwhelming, with over 15,000 survey responses in just over a week. The vast majority (90% for some questions) informed WotC that they had lost their collective minds. That response, combined with a plummeting subscription count on DND Beyond, Paizo’s explosion of popularity and new ORC license announcement, and the plethora of publishers jumping ship, has finally shone the light of reason upon management at WotC.

The latest announcement is a win in basically every regard. The OGL 1.0a will not be deauthorized, and the entire 5e SRD has been released under the Creative Commons 4.0 By Attribution license. That’s an interesting choice, as CC-BY-4.0 is a very permissive license. It’s not “viral”, as it does not place any licensing restrictions on derivative works, and there are no restrictions on commercial use. The only restriction is that attribution must be included. The latest SRD is now available under both licenses, you pick your preference. So as a reward for going through the trauma, we get a sizable chunk of the game under an even less restrictive license. Bravo.

Continue reading “Wizards Get Creative, Maybe Save The World” →

This Week In Security: GTA, Apple And Android, And Insecure Boot

January 27, 2023 by Jonathan Bennett 11 Comments

When we first saw tweets about a security issue in Grand Theft Auto V, it sounded a bit like a troll. “Press ‘alt and f4’ to unlock a cheat mode”, or the hacker that claims to be able to delete your character. [Tez2]’s warning tweet that you shouldn’t play GTA Online without a firewall sounds like another of these online urban legends. But this one actually seems legit. NIST is even in on the fun, assigning CVE-2023-24059 for the exploit.

When playing an online game, other users send a “join request” to join the active session. This packets can contain malformed data which has been observed to crash the game client remotely. It’s believed, though not publicly confirmed, that it’s also a Remote Code Execution (RCE) vulnerability. It seems likely that this aspect will be added to some of the various cheat panels that are already widely used for this 10-year-old game. So now, rather than just giving your own character infinite ammo and health, you can inflict some havoc on other players, possibly up to corrupting their character files and getting them banned.

But why stop there? If we have code execution inside the game, what stops another player from launching a real attack? A video game isn’t sandboxed like a browser, and there’s nothing preventing a disk wiper attack or even a worm from compromising a bunch of players. The worst part is that it’s an old game, and even though there’s a large playerbase, it’s not guaranteed to get a fix. There’s at least one project aiming to be a firewall to prevent the issue. Continue reading “This Week In Security: GTA, Apple And Android, And Insecure Boot” →