OptionsBleed – Apache bleeds in uncommon configuration

[Hanno Böck] recently uncovered a vulnerability in Apache webserver, affecting Apache HTTP Server 2.2.x through 2.2.34 and 2.4.x through 2.4.27. This bug only affects Apache servers with a certain configuration in .htaccess file. Dubbed Optionsbleed, this vulnerability is a use after free error in Apache HTTP that causes a corrupted Allow header to be replied by the webserver in response to HTTP OPTIONS requests. This can leak pieces of arbitrary memory from the server process that may contain sensitive information. The memory pieces change after multiple requests, so for a vulnerable host an arbitrary number of memory chunks can be leaked.

Unlike the famous Heartbleed bug in the past, Optionsbleed leaks only small chunks of memory and more importantly only affects a small number of hosts by default. Nevertheless, shared hosting environments that allow for .htaccess file changes can be quite sensitive to it, as a rogue .htaccess file from one user can potentially bleed info for the whole server. Scanning the Alexa Top 1 Million revealed 466 hosts with corrupted Allow headers, so it seems the impact is not huge so far.

The bug appears if a webmaster tries to use the “Limit” directive with an invalid HTTP method. We decided to test this behaviour with a simple .htaccess file like this:

Continue reading “OptionsBleed – Apache bleeds in uncommon configuration”

Bluetooth Vulnerability Affects All Major OS

Security researchers from Armis Labs recently published a whitepaper unveiling eight critical 0-day Bluetooth-related vulnerabilities, affecting Linux, Windows, Android and iOS operating systems. These vulnerabilities alone or combined can lead to privileged code execution on a target device. The only requirement is: Bluetooth turned on. No user interaction is necessary to successfully exploit the flaws, the attacker does not need to pair with a target device nor the target device must be paired with some other device.

The research paper, dubbed BlueBorne (what’s a vulnerability, or a bunch, without a cool name nowadays?), details each vulnerability and how it was exploited. BlueBorne is estimated to affect over five billion devices. Some vendors, like Microsoft, have already issued a patch while others, like Samsung, remain silent. Despite the patches, some devices will never receive a BlueBorne patch since they are outside of their support window. Armis estimates this accounts for around 40% of all Bluetooth enabled devices.

A self-replicating worm that would spread and hop from a device to other nearby devices with Bluetooth turned on was mentioned by the researchers as something that could be done with some more work. That immediately reminds us of the BroadPwn vulnerability, in which the researchers implemented what is most likely the first WiFi only worm. Although it is definitely a fun security exercise to code such worm, it’s really a bad, bad idea… Right?…

So who’s affected?

Continue reading “Bluetooth Vulnerability Affects All Major OS”

Broadpwn – All Your Mobiles are Belong to Us

Researchers from Exodus Intel recently published details on a flaw that exists on several Broadcom WiFi chipsets. It’s estimated to affect nearly 1 Billion devices, from Android to iPhone. Just to name a few in the top list:

  • Samsung Galaxy from S3 through S8, inclusive
  • All Samsung Notes3. Nexus 5, 6, 6X and 6P
  • All iPhones after iPhone 5

So how did this happen? And how does a bug affect so many different devices?

A smart phone nowadays is a very complicated mesh of interconnected chips. Besides the main processor, there are several other secondary processors handling specialized tasks which would otherwise clog up the main CPU. One of those is the WiFi chipset, which is responsible for WiFi radio communications — handling the PHY, MAC and MLME layers. When all the processing is complete, the radio chipset hands data packets over the kernel driver, which runs on the main CPU. This means that the radio chipset itself has to have some considerable data processing power to handle all this work. Alas, with great power comes great responsibility.

Continue reading “Broadpwn – All Your Mobiles are Belong to Us”

Hackaday Prize Entry: Water Level Station

All over the world, in particular in underdeveloped countries, people die every year by the thousands because of floods. The sudden rise of water levels often come unannounced and people have no time to react before they are caught in a bad spot. Modern countries commonly have measure equipment deployed around problematic areas but they are usually expensive for third world countries to afford.

[Benne] project devises a low-cost, cloud-connected, water level measuring station to allow remote and central water level monitoring for local authorities. He hopes that by being able to monitor water levels in a more precise and timely fashion, authorities can act sooner to warn potentially affected areas and increase the chance of saving lives in case of a natural disaster.

At the moment, the project is still in an early stage as they are testing with different sensors to figure out which would work best in different scenarios. Latest version consists essentially in an Arduino UNO, an ultrasonic distance sensor, and a DHT temperature/humidity sensor to provide calibration since these characteristics affect the speed of sound. Some years ago, we covered a simple water level monitoring using a Parallax Ping sensor, but back then the IoT and the ‘cloud’ weren’t nearly as fashionable. They also tested with infrared sensors and a rotary encoder.

They made a video of the rotary encoder, which we can see below:

Continue reading “Hackaday Prize Entry: Water Level Station”

Malduino Elite – First Impressions

A while back, I wrote an article about Malduino, an Arduino-based, open-source BadUSB device. I found the project interesting so I signed up for an Elite version and sure enough, the friendly postman dropped it off in my mail box last Friday, which means I got to play around with it over the weekend. For those who missed the article, Malduino is USB device which is able to emulate a keyboard and inject keystrokes, among other things. When in a proper casing, it will just look like a USB flash drive. It’s like those things you see in the movies where a guy plugs in a device and it auto hacks the computer. It ships in two versions, Lite and Elite, both based on the ATmega32U4.

The Lite version is really small, besides the USB connector it only contains a switch, which allows the user to choose between running and programming mode, and a LED, which indicates when the script has finished running.

Original Malduino Elite sketch and Lite prototype

The Elite version is bigger, comes with a Micro-SD card reader and four DIP switches, which allow the user to choose which script to run from the card. It also has the LED, which indicates when a script has finished to run. This allows the user to burn the firmware only once and then program the keystroke injection scripts that stored in the Micro-SD card, in contrast to the Lite version which needs to be flashed each time a user wants to run a different script.

These are the two Malduinos and because they are programmed straight from the Arduino IDE, every feature I just mentioned can be re-programmed, re-purposed or dropped all together. You can buy one and just choose to use it like a ‘normal’ Arduino, although there are not a lot of pins to play around with. This freedom was one the first things I liked about it and actually drove me to participate in the crowd-funding campaign. Read on for the full review.
Continue reading “Malduino Elite – First Impressions”

Nitro Powered Rotary Tool

We really don’t know if the world needs it but we’re sure glad [johnnyq90] took the time to build one. We’re talking about a nitro powered rotary tool. Based on a Kyosho GX-12 nitro engine, commonly used in R/C cars, [johnnyq90] machines almost all other parts in his shop to make a really cool ‘Nitro-Dremel’. But success didn’t come at the first try.

The first prototype was made using a COX 049 engine but the lack of proper lubrication cause damage to the crankshaft. Because of this setback, [johnnyq90] swaps it out with a O.S Max 10 Aero engine he had lying around in the shop. That didn’t work out so well as the engine was quite hard to start. On the third try he finally decided to use the 2.1 cc Kyosho GX-12 engine to power up his 20.000 rpm tool. As noisy as one would expect and, from the videos it seems quite powerful too as it easily pierces through an aluminium block, cuts steel like a breeze, and breezes through other less demanding feats.

But [johnnyq90] is no stranger to nitro engines nor to Hackaday. In the past he built, among other things, a nitro powered cordless drill and showed impressive feats of machining in a micro version of a Tesla turbine. We wonder what’s next…. a nitro powered tattoo gun perhaps?

In the 20 minute video after the break, we enjoy watching the construction of the ‘Nitro-Dremel’, as well as other parts from two previously failed prototypes:

Continue reading “Nitro Powered Rotary Tool”

Hackaday Prize Entry: LiFePO4wered/Pi+

For some of you the title might seem familiar, as [Patrick Van Oosterwijck] LiFePO4wered/Pi project is a quite successful Hackaday.io project. Now he’s designing from scratch the plus version to fill in some gaps and solve some of the challenges that affected the initial project. So what exactly is LiFePO4wered/Pi+ and what can it do?

In a nutshell, it’s a smart UPS for the Raspberry Pi. The standard version allows a Model A+ and Pi Zero to run on battery for over 2 hours, and the B+, B2 and B3 to run for at least an hour (it maybe less, depending on the system load, of course). It implements two-way communications between the power system and the Raspberry Pi (running the open-source daemon) over the I2C bus. This allows for continuous measurement of the battery voltage and load voltage, with user programmable thresholds for boot, clean shutdown and hard power down. There’s a touch pad that provides clean boot/shutdown capability even in a headless setup, a wake timer allowing the Raspberry Pi to be off for low duty cycle applications and an auto-boot feature to maximize uptime by making the Raspberry Pi run whenever there is sufficient battery power.

That’s the standard version, which we covered last year… what else could the plus version have?

Well, to start, it brings more current to run complete systems with LCD screen and hard drives, the previous version was limited when it came to current. It will provide the option for a wider range of input power sources, such as solar panels, which is pretty nice. The on/off button and the power led will no longer be soldered on the main board so they can ‘relocated’ elsewhere, for example, when making a custom enclosure. Detection of input power to trigger automatic boot and shutdown will be added and last, but not least, a real-time clock with absolute time wake up.

So there it is, the new LiFePO4wered/Pi+ version, with all bells and whistles for the Raspberry Pi enthusiast.