Author: Jonathan Bennett

544 Articles

Fulcrum Foils Finger Fatigue

February 4, 2023 by 10 Comments

It turns out that typing all day just might be bad for your hands and fingers. Repetitive Strain Injury, RSI, was a real problem for [David Schiller], particularly when coding. So, naturally, he started designing his own keyboard. And bless him, he’s shared the whole project on GitHub.

The solution is Fulcrum, a chording keyboard with keys that can be pressed with minimal movement. And one more clever trick is a thumb joystick, mounted in the thumb’s opposable orientation. It’s a 5-way switch, making for a bunch of combinations. The base model is a 20-key arrangement, and he’s also designed a larger, 40-key option.

The build is pretty simple, if you have access to a 3D printer. Print the STLs, add key switches, and wire it all up to a microcontroller. Use the supplied code, and all that’s left is to learn all the chord combos. And why stop with combos for single characters, when there are plenty of common words and plenty of key combinations. If you decide to build your own take on the Fulcrum, be sure to let us know about it!

This Week In Security: Github, Google, And Realtek

February 3, 2023 by 4 Comments

GitHub Desktop may have stopped working for you yesterday, Febuary 2nd. The reason was an unauthorized access to some decidedly non-public repositories. The most serious bit of information that escaped was code signing certificates, notably used for GitHub Desktop and Atom. Those certificates were password protected, so it’s unlikely they’ve been abused yet. Even so, Github is taking the proper steps of revoking those certificates.

The only active certificate that was revoked was used for signing the Mac releases of GitHub Desktop, so quite a few older versions of that software is no longer easily installed. If nothing else, it’s a reminder that even a project with a well run security team can have problems.

Sh1mmer-ing Chromebooks

There’s a new, clever attack on the Chromebook, specifically with the goal of unenrolling the device from an educational organization. And the “vulnerability” is a documented feature, the RMA Shim. That’s a special boot loader target that contains a valid signature, but allows the booting of other code, intended for troubleshooting and fixing devices in a repair center. Quite a few of those images have leaked, and Sh1mmer combines the appropriate image with a boot menu with some interesting options.

The first is unenrolling, so the device will act like a privately owned computer. This gets rid of content blocks and allows removing extensions. But wait, there’s more. Like rooting the device, a raw Bash terminal, and re-enabling developer mode. Now, as far as we can tell, this doesn’t *directly* break device encryption, but it’s likely that the RMA shim could be abused to tamper with the device’s filesystem. Meaning that the leak of a bunch of signed shims is a big problem for device security. If you use a Chromebook, it might be time to do some research on whether that model’s shim has been leaked. Continue reading “This Week In Security: Github, Google, And Realtek”

Wizards Get Creative, Maybe Save The World

January 30, 2023 by 12 Comments

While it’s not normal Hackaday fare, we’ve covered the Dungeons & Dragons licensing kerfuffle, partially because we’re all nerds at heart, and also because it’s worrying that an Open Source styled license could be “deauthorized”. I did touch base with the Open Source Initiative, and got a telling comment that this issue was outside their purview, as the OGL 1.0a didn’t rise to the definition of an OSI approved license, and the update looked to be a disaster.

Since our coverage was published, Wizards of the Coast released part of the Fifth Edition System reference Document (SRD) under a Creative Commons license, removed the profit sharing language from the OGL update, but notably left the language in place about deauthorizing the 1.0a version of the license. As you can imagine, fans were still unamused, and we informed WotC of our displeasure when they launched a survey, asking fans their thoughts on the new license.

And the outpouring was overwhelming, with over 15,000 survey responses in just over a week. The vast majority (90% for some questions) informed WotC that they had lost their collective minds. That response, combined with a plummeting subscription count on DND Beyond, Paizo’s explosion of popularity and new ORC license announcement, and the plethora of publishers jumping ship, has finally shone the light of reason upon management at WotC.

The latest announcement is a win in basically every regard. The OGL 1.0a will not be deauthorized, and the entire 5e SRD has been released under the Creative Commons 4.0 By Attribution license. That’s an interesting choice, as CC-BY-4.0 is a very permissive license. It’s not “viral”, as it does not place any licensing restrictions on derivative works, and there are no restrictions on commercial use. The only restriction is that attribution must be included. The latest SRD is now available under both licenses, you pick your preference. So as a reward for going through the trauma, we get a sizable chunk of the game under an even less restrictive license. Bravo.

Continue reading “Wizards Get Creative, Maybe Save The World”

This Week In Security: GTA, Apple And Android, And Insecure Boot

January 27, 2023 by 11 Comments

When we first saw tweets about a security issue in Grand Theft Auto V, it sounded a bit like a troll. “Press ‘alt and f4’ to unlock a cheat mode”, or the hacker that claims to be able to delete your character. [Tez2]’s warning tweet that you shouldn’t play GTA Online without a firewall sounds like another of these online urban legends. But this one actually seems legit. NIST is even in on the fun, assigning CVE-2023-24059 for the exploit.

When playing an online game, other users send a “join request” to join the active session. This packets can contain malformed data which has been observed to crash the game client remotely. It’s believed, though not publicly confirmed, that it’s also a Remote Code Execution (RCE) vulnerability. It seems likely that this aspect will be added to some of the various cheat panels that are already widely used for this 10-year-old game. So now, rather than just giving your own character infinite ammo and health, you can inflict some havoc on other players, possibly up to corrupting their character files and getting them banned.

But why stop there? If we have code execution inside the game, what stops another player from launching a real attack? A video game isn’t sandboxed like a browser, and there’s nothing preventing a disk wiper attack or even a worm from compromising a bunch of players. The worst part is that it’s an old game, and even though there’s a large playerbase, it’s not guaranteed to get a fix. There’s at least one project aiming to be a firewall to prevent the issue. Continue reading “This Week In Security: GTA, Apple And Android, And Insecure Boot”

This Week In Security: Git Deep Dive, Mailchimp, And SPF

January 20, 2023 by 10 Comments

First up, git has been audited. This was an effort sponsored by the Open Source Technology Improvement Fund (OSTIF), a non-profit working to improve the security of Open Source projects. The audit itself was done by researchers from X41 and GitLab, and two critical vulnerabilities were found, both caused by the same bad coding habit — using an int to hold buffer lengths.

On modern systems, a size_t is always unsigned, and the same bit length as the architecture bit-width. This is the proper data type for string and buffer lengths, as it is guaranteed not to overflow when handling lengths up to the maximum addressable memory on the system. On the other hand, an int is usually four bytes long and signed, with a maximum value of 2^31-1, or 2147483647 — about 2 GB. A big buffer, but not an unheard amount of data. Throw something that large at git, and it will break in unexpected ways.

Our first example is CVE-2022-23521, an out of bounds write caused by an int overflowing to negative. A .gitattributes file can be committed to a repository with a modified git client, and then checking out that repository will cause the num_attrs variable to overflow. Push the overflow all the way around to a small negative number, and git will then vastly under-allocate the attributes buffer, and write all that data past the end of the allocated buffer.

CVE-2022-41903 is another signed integer overflow, this time when a pretty print format gets abused to do something unexpected. Take a look at this block of code:

Continue reading “This Week In Security: Git Deep Dive, Mailchimp, And SPF”

This Week In Security: Cacti RCE, VMs In The Browser, And SugarCRM

January 13, 2023 by 7 Comments

This week we start with a Remote Code Execution (RCE) vulnerability that has potential to be a real pain for sysadmins. Cacti, the system monitoring and graphing solution, has a pair of bugs that chain together to allow an attacker with unauthenticated access to the HTTP/S port to trivially execute bash commands. The first half of this attack is an authentication bypass, and it’s embarrassingly trivial. The Cacti authentication code trusts the Forwarded-For: header in the request. Set it to the server’s IP, and the authentication code treats it like a localhost request, bypassing any real authentication process.

The second half is found in the remote_agent.php endpoint, where the poller_id is set by the user and treated as a string. Then, if the right host_id and local_data_id item is triggered, that string is concatenated into a proc_open() function call. The string isn’t sanitized, so it’s trivial enough to include a second command to run, dropping a webshell, for instance.

Version 1.2.23 of Cacti contains the fix, and released on the 2nd. This one is likely to be exploited, and if automated exploitation hasn’t started already, it likely will soon. So if you have a Cacti install, go double-check that the interface isn’t exposed to the world.

JSON Web Token

Researchers at Unit 42 found an exploit that can be used to achieve an RCE in the JsonWebToken project. The issue is this library’s verify() function, which takes arguments of the token to check, the key to use, and options. If there aren’t any algorithms specified in the options object, then the key is processed as a PEM string. The toString() method of that key is called during the actual check, and the assumption is that it’s either a string or buffer. But what if the key passed in to the verify() function was actually a complex object, bringing it’s own toString() method along to play. At that point, we have arbitrary code execution. And if this code is running on the server-side under node.js, that means a popped server.

But wait, it’s not that simple, right? It’s not like a valid JWT can contain an arbitrary object — that would be a problem all on its own. So CVE-2022-23529 is a stepping-stone. It’s insecure code, but the rest of the application has to have another vulnerability for this one to be reachable. Continue reading “This Week In Security: Cacti RCE, VMs In The Browser, And SugarCRM”

Wizards Slay The Dragon That Lays The Golden Egg

January 11, 2023 by 77 Comments

Hail, and well met adventurers! There’s rumors of dark dealings, and mysterious machinations from that group of Western mystics, Wizards of the Coast (WotC). If this pernicious plot is allowed to succeed, a wave of darkness will spread over this land of Open Source gaming, the vile legal fog sticking to and tainting everything it touches. Our quest today is to determine the truth of these words, and determine a defense for the world of open gaming, and indeed perhaps the entire free world! Beware, the following adventure will delve into the bleak magic of licensing, contract law, and litigation.

Ah, Dungeons and Dragons. The original creation of Gary Gygax, refined by countless others, this table-top role-playing game has brought entertainment and much more to millions of players for years. In 2000, WotC made a decision that opened the mechanics of that universe to everyone. The 3rd Edition of Dungeons and Dragons was released under the Open Gaming License, a very intentional port of Open Source licensing to table-top gaming — obviously inspired by the GNU Public License. Ryan Dancey was one of the drivers behind the new approach, and made this statement about it:

I think there’s a very, very strong business case that can be made for the idea of embracing the ideas at the heart of the Open Source movement and finding a place for them in gaming. […] One of my fundamental arguments is that by pursuing the Open Gaming concept, Wizards can establish a clear policy on what it will, and will not allow people to do with its copyrighted materials. Just that alone should spur a huge surge in independent content creation that will feed into the D&D network.

Continue reading “Wizards Slay The Dragon That Lays The Golden Egg”