This Week In Security: GoDaddy, Joomla, And ClamAV

We’ve seen some rough security fails over the years, and GoDaddy’s recent news about a breach leading to rogue website redirects might make the highlight reel. The real juicy part is buried on page 30 of a PDF filing to the SEC.

Based on our investigation, we believe these incidents are part of a multi-year campaign by a sophisticated threat actor group that, among other things, installed malware on our systems and obtained pieces of code related to some services within GoDaddy.

That multi-year campaign appears to go back to at least October 2019, when an SSH file was accessed and altered, leading to 28,000 customer SSH usernames and passwords being exposed. There was also a 2021 breach of the GoDaddy WordPress environment, which has been linked to the same group.

Reading between the lines, there may be an implication here that the attackers had an ongoing presence in GoDaddy’s internal network for that entire multi-year period — note that the quote above refers to a single campaign, and not multiple campaigns from the same actor. That would be decidedly bad.

Joomla’s Force Persuasion

Joomla has a critical vulnerability, CVE-2023-23752, which is a trivial information leak from a web endpoint. This flaw is present in all of the 4.x releases up to 4.2.8, which contains the fix. The issue is the REST API, which gives access to pretty much everything about a given site. It has an authentication component, of course. The bypass is to simply append ?public=true. Yes, it’s a good old “You don’t need to see his identification” force suggestion.

There’s even a PoC script that runs the request and spits out the most interesting data: the username, password, and user id contained in the response. It’s not quite as disastrous as that sounds — the API isn’t actually leaking the administrative username and password, or even a password hash. It’s leaking the SQL database credentials. Though if your database is accessible from the Internet, then that’s pretty much as bad as it could be.

This Week In Security: USB Cable Kia, Reddit, And Microsoft RCEs

There is a vulnerability in many Hyundai and Kia vehicles, where the ignition switch can be bypassed with a USB cable. It’s getting a patch rollout right now, but it’s not a USB vulnerability in quite the way you might think. In most cars, the steering column is easily disassembled, but these vehicles have an extra-bad design problem. The ignition cylinder can be disassembled while locked, just by depressing a pin.

Physical security has some parallels to computer security, and one such parallel is that good security can often be bypassed by a simple mistake. When it comes to lock design, one such potential bypass is the ability to disassemble a lock while it’s still locked. And somehow, Kias after 2010 and Hyundais after 2015 were made with exactly this flaw. The lock can be disassembled, and the interface between the lock and the ignition switch just happens to be the right shape and size for a USB A plug. Oh, and these cars don’t have an engine immobilizer — there isn’t a chip built into the keys for extra security.

The problem became widespread late last year when the flaw went viral on TikTok, and thousands of copycat crimes were inspired. Beyond the obvious problem, that teenagers were getting an early start on a life of crime with grand theft auto, there were at least 8 deaths directly attributed to the inane stunt. And this brings us back to this week’s news, that a software update is rolling out to address the issue.

Honestly, I have questions. A software update doesn’t add in-key security chips. At best, it could attempt to detect the key position and sabotage the engine management control, as an ad-hoc immobilizer. That’s likely a paper clip-turned-jumper away from being bypassed. The other new feature, doubling the alarm time from 30 seconds to a minute, doesn’t inspire much confidence. Hopefully the changes are enough to kill the trend.

How To Build Jenny’s Budget Mixing Desk

Jenny did an Ask Hackaday article earlier this month, all about the quest for a cheap computer-based audio mixer. The first attempt didn’t go so well, with a problem that many of us are familiar with: Linux applications really don’t like using multiple audio devices at the same time. Jenny ran into this issue, and didn’t come across a way to merge the soundcards in a single application.

I’ve fought this problem for a while, probably 10 years now. My first collision with this was an attempt to record a piano with three mics, using a couple different USB pre-amps. And of course, just like Jenny, I was quickly frustrated by the problem that my recording software would only see one interface at a time. The easy solution is to buy an interface with more channels. The Tascam US-4x4HR is a great four channel input/output audio interface, and the Behringer U-PHORIA line goes all the way up to eight mic pre-amps, expandable to 16 with a second DAC that can send audio over ADAT. But those are semi-pro interfaces, with price tags to match.

But what about Jenny’s idea of cobbling multiple super cheap interfaces together? Well yes, that’s possible too. I’ll show you how, but first, let’s talk about how we’re going to control this software mixer monster. Yes, you can just use a mouse or keyboard, but the challenge was to build a mixing desk, and to me, that means physical faders and mute buttons. Now, there are pre-built solutions, with the Behringer X-touch being a popular one. But again, we’re way above the price point Jenny set for this problem. So, let’s do what we do best here at Hackaday, and build our own.

This Week In Security: ImageMagick, VBulletin, And Dota 2

There are a few binaries that wind up running in a bunch of places, silently doing their jobs, and being easily forgotten. ImageMagick is used on many servers for image conversion and resizing, and tends to run automatically on uploaded images. Easily forgotten, runs automatically, and with arbitrary inputs. Yep, perfect target for vulnerability hunting. And the good folks at Metabase found two of them.

First up is CVE-2022-44267, a Denial of Service when ImageMagick tries to process a rigged PNG that contains a textual chunk. This data type is usually used for metadata, and can include a profile entry for something like EXIF data. If this tag is specified inside a text chunk, ImageMagick treats the given value as a filename for finding that profile data. And notably, if that value is a dash -, it tries to read from standard input. If the server’s image processing flow doesn’t account for that quirk, and virtually none of them likely do, this means the ImageMagick process hangs forever, waiting for the end of input. So while that’s not usually a critical problem, it could be used for a resource exhaustion attack.

But the real problem is CVE-2022-44268. It’s the same trick, but instead of using - to indicate standard input, the processed image refers to a file on the server filesystem. If the file exists, and can be read, the contents are included in the image output. If the attacker has access to the image, it’s a slick data leak — and obviously a real security problem. If a server doesn’t have tight file permissions and isolation, there’s plenty of sensitive information to be found and abused.

The fix landed back in October 2022, and was part of the 7.1.0-52 release. There’s a bit of uncertainty about which versions are vulnerable, but I wouldn’t trust anything older than that version. It’s a pretty straightforward flaw to understand and exploit, so there’s a decent chance somebody figured it out before now. The file exfiltration attack is the one to watch out for. It looks like there’s an Indicator of Compromise (IoC) for those output PNGs: “Raw profile type”.
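The practical defender-side takeaway from the paragraphs above is the IoC: an image that came out of a vulnerable ImageMagick with a leaked file embedded carries a text chunk whose keyword begins with “Raw profile type”. The following is an added example, not code from the Hackaday post, from Metabase, or from ImageMagick itself. It walks a PNG’s chunk list, verifies each chunk CRC, decodes the three PNG text chunk types (tEXt, zTXt, iTXt), and reports any text chunk carrying that indicator. The two sample PNGs at the bottom are constructed in the script; the “Raw profile type exif” keyword and its placeholder payload are assumptions modelled on the indicator quoted in the post, not a real captured file.

```python
"""Scan PNG files for the ImageMagick CVE-2022-44268 output indicator.

Added example (not the post's or ImageMagick's code). Parses PNG chunks,
checks CRCs, and flags tEXt/zTXt/iTXt chunks mentioning "Raw profile type".
"""
from __future__ import annotations

import struct
import sys
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
TEXT_CHUNKS = {b"tEXt", b"zTXt", b"iTXt"}
IOC = b"Raw profile type"  # indicator quoted in the post for leaked-file output


def iter_chunks(data: bytes):
    """Yield (type, payload) for every chunk; raise on bad signature or CRC."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        # PNG CRC covers the chunk type and payload, not the length field
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError(f"CRC mismatch in {ctype!r} chunk")
        yield ctype, body
        pos += 12 + length
        if ctype == b"IEND":
            break


def text_chunk_fields(ctype: bytes, body: bytes) -> tuple[bytes, bytes]:
    """Return (keyword, text) for a text chunk; compressed text is inflated."""
    keyword, _, rest = body.partition(b"\x00")
    if ctype == b"tEXt":
        return keyword, rest
    if ctype == b"zTXt":
        # one byte of compression method, then a zlib stream
        return keyword, zlib.decompress(rest[1:])
    # iTXt: compression flag, method, language tag, translated keyword, text
    flag, rest = rest[0], rest[2:]
    _lang, _, rest = rest.partition(b"\x00")
    _translated, _, text = rest.partition(b"\x00")
    return keyword, zlib.decompress(text) if flag else text


def find_raw_profile_indicators(data: bytes) -> list[str]:
    """Return keywords of text chunks carrying the IoC (empty list if clean)."""
    hits = []
    for ctype, body in iter_chunks(data):
        if ctype in TEXT_CHUNKS:
            keyword, text = text_chunk_fields(ctype, body)
            if IOC in keyword or IOC in text:
                hits.append(keyword.decode("latin-1"))
    return hits


def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_sample_png(text_chunks=()) -> bytes:
    """Constructed 1x1 grayscale PNG with optional (type, keyword, text) chunks."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 8-bit gray, no interlace
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    out = PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
    for ctype, keyword, text in text_chunks:
        if ctype == b"zTXt":
            body = keyword + b"\x00\x00" + zlib.compress(text)
        else:
            body = keyword + b"\x00" + text
        out += _chunk(ctype, body)
    return out + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


# Constructed samples: a benign image, and a stand-in for output of a vulnerable
# ImageMagick where leaked file content sits under a "Raw profile type" keyword.
CLEAN_PNG = build_sample_png([(b"tEXt", b"Comment", b"holiday photo")])
SUSPECT_PNG = build_sample_png(
    [(b"zTXt", b"Raw profile type exif", b"placeholder hex dump of leaked file")]
)

if __name__ == "__main__":
    targets = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or [
        ("clean.png (constructed)", CLEAN_PNG),
        ("suspect.png (constructed)", SUSPECT_PNG),
    ]
    for name, blob in targets:
        hits = find_raw_profile_indicators(blob)
        print(f"{name}: {'SUSPECT ' + str(hits) if hits else 'no indicator'}")
```

Run it with one or more PNG paths to scan real output directories; with no arguments it scans the two constructed samples. Because the CRC check aborts on a corrupted chunk, a truncated or tampered file raises rather than silently passing as clean, which is the behaviour you want in an upload pipeline audit.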

OG DOOM Shows Off The Origins Of Multi-Monitor

We have a thing for DOOM, and we admit it. The source was released, and clever hackers have ported the engine to every system imaginable. It’s a rite of passage, when hacking a machine, to run DOOM on it — be it a VoIP phone, or tractor. But the original 1993 release does have a few notable tricks, and there’s something to be said for recreating that experience on period hardware. And that’s what we’re covering today: [Tech Tangents] discovered DOOM’s multi-monitor support, and built a 4-computer cluster to show it off.

There is a catch, of course. DOOM 1.1 has the multi-monitor support, and under the hood, it works by running a copy of the game on individual computers and controlling the drones over the network. As the game’s network code was updated for version 1.2, the multi-monitor feature was axed to make the network code easier to maintain. So, find a 1.1 shareware release, install it on a DOS machine with IPX drivers, and start each instance with a -net flag. Use -left and -right to set the drones to the appropriate view. And that view is ninety degrees left and right.

Maybe not ideal, but at the time it was one of the first games to have any sort of multi-monitor support at all. Likely inspired by a commercial flight simulator setup. Either way, it’s a neat feature, and kudos to [Tech Tangents] for showing off this obscure feature of a beloved classic!


Surfing The Web Like It’s 1978 — Carbonyl

[Fathy] gets a kick out of doing odd things with Chromium, and Carbonyl is a clever byproduct of that hobby. In this case, it’s what you get when you connect Chrome’s renderer to an SVG output module and then convert that SVG to colored characters on a terminal. See, html2svg is an earlier project, taking Chromium’s Skia engine and plugging it into an SVG back-end. And once you have SVG, why not render it to the terminal?

And the results are actually pretty impressive. Imagery is rendered using Unicode U+2584, the lower half-block character. The background and foreground color can be set per character, giving us two controllable pixels per character cell. Text is handled a bit differently, rendered using the terminal’s normal fonts, making for readable pages.

The source is very much a work in progress, but there are some neat ideas already coalescing around the project, like using sixels for better rendering. There’s already decent mouse support and audio output, making for an impressive terminal experience. This might be a project to keep an eye on.

Fulcrum Foils Finger Fatigue

It turns out that typing all day just might be bad for your hands and fingers. Repetitive Strain Injury, RSI, was a real problem for [David Schiller], particularly when coding. So, naturally, he started designing his own keyboard. And bless him, he’s shared the whole project on GitHub.

The solution is Fulcrum, a chording keyboard with keys that can be pressed with minimal movement. And one more clever trick is a thumb joystick, mounted in the thumb’s opposable orientation. It’s a 5-way switch, making for a bunch of combinations. The base model is a 20-key arrangement, and he’s also designed a larger, 40-key option.

The build is pretty simple, if you have access to a 3D printer. Print the STLs, add key switches, and wire it all up to a microcontroller. Use the supplied code, and all that’s left is to learn all the chord combos. And why stop with combos for single characters, when there are plenty of common words and plenty of key combinations to spare? If you decide to build your own take on the Fulcrum, be sure to let us know about it!