This Week In Security: Barracuda, Zyxel, And The Backdoor

Barracuda’s Email Security Gateway (ESG) has had a vulnerability in it for years. Tracked as CVE-2023-2868, this one was introduced back in version 5.1.3.001, and only got patched during the 9.2 development cycle. Specific build information on patched firmware has not been made available, but a firmware build containing the patch was deployed on May 20.

The flaw was a command injection bug triggered by .tar files attached to incoming emails. The appliance scans attachments automatically, and the file names could trigger the qx operator in a Perl script. It’s a nasty one, ranking a 9.4 on the CVSS scale. But the really bad news is that Barracuda found the vulnerability in the wild, and they have found evidence of exploitation as far back as October 2022.

There have been three malware modules identified on the compromised appliances. SALTWATER is a backdoor trojan, with the ability to transfer files, execute commands, and host network tunnels. SEASPY is a stealthier module, that looks like a legitimate service, and uses PCAP to monitor traffic and receive commands. And SEASIDE is a Lua module for the Barracuda SMTP monitor, and it exists to host a reverse shell on command. Indicators of Compromise (IOCs) have been published, and Barracuda recommends the unplug-and-remove approach to cleaning up an infection. The saving grace is that this campaign seems to have been targeted, and wasn’t launched against every ESG on the Internet, so maybe you’re OK.
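The root cause described above is untrusted archive member names reaching a shell through Perl's qx operator. The following is an added example (not Barracuda's code) showing the defensive pattern in Python: validate every tar member name against a strict allowlist before any external tool sees it, and invoke the scanner with an argv list rather than a shell string. The scanner path `/usr/local/bin/scan-attachment` and the sample archive are constructed placeholders.

```python
import io
import re
import tarfile

# Conservative allowlist: letters, digits, dot, underscore, dash and slash only.
# Anything a shell could interpret (backticks, $, ;, |, spaces, quotes) fails.
SAFE_MEMBER = re.compile(r"^[A-Za-z0-9._/-]{1,255}$")

# Hypothetical scanner binary; a real deployment substitutes its own.
SCANNER_BIN = "/usr/local/bin/scan-attachment"


def unsafe_member_names(tar_bytes: bytes) -> list:
    """Return every member name in the archive that fails the allowlist."""
    bad = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for member in tf.getmembers():
            if not SAFE_MEMBER.match(member.name):
                bad.append(member.name)
    return bad


def scanner_argv(archive_path: str) -> list:
    """Build the argv list for the external scanner.

    Passing a list to subprocess.run() with the default shell=False means the
    path is delivered as one argument and is never parsed as shell syntax,
    which is the property the vulnerable qx call lacked. The '--' guards
    against a path that begins with a dash being read as an option.
    """
    return [SCANNER_BIN, "--", archive_path]


def make_sample_tar(names) -> bytes:
    """Constructed in-memory tar whose members carry the given names."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in names:
            data = b"sample"
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    sample = make_sample_tar(["ok.txt", "weekly;report.txt", "x`y`.txt"])
    print("rejected member names:", unsafe_member_names(sample))
```

An archive with any rejected name should be quarantined rather than scanned; the allowlist is deliberately stricter than what a shell would choke on.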

Moxa, Too

And speaking of security software that has problems, the Moxa MXsecurity appliance has a pair of flaws that could be chained together for a complete device takeover. The more serious one is a hard-coded credential that allows authentication bypass for the web API. The second is a command-line escape: an attacker with access to the device’s Command Line Interface (CLI) can break out of it and run arbitrary commands.

Is MINIX Dead? And Does It Matter?

Is MINIX dead? OSnews is sounding its death-knell, citing evidence from the operating system’s git log that its last updates happened as long ago as 2018. Given that the last news story on the MINIX website is from 2016 and the last release version, 3.3, came out in 2014, it appears they may have a point. But perhaps it’s more appropriate to ask not whether MINIX is dead, but whether it matters that the venerable OS appears to be no longer in development. It started as an example to teach OS theory before becoming popular in an era when there were no other inexpensive UNIX-like operating systems for 16-bit microcomputers, but given that its successors such as Linux-based operating systems have taken its torch and raced ahead, perhaps its day has passed.

No doubt many of you will now be about to point out that MINIX lives on unexpectedly baked into the management engine core on Intel microprocessors, and while there’s some debate as to whether that’s still the case, you may have a point. But the more important thing for us isn’t whether MINIX is still with us or even whether it’s a contender, but what it influenced and thus what it was responsible for. This is being written on a GNU/Linux operating system, which has its roots in [Linus Torvalds]’ desire to improve on… MINIX.

Read more about the tangled web of UNIX-like operating systems here.


Wii XL Is Twice As Nice

The Wii was a relatively small console when it released, but it packed a big punch when it came to its game library and the impact it had on the industry. [Bringus Studios] wanted a Wii that physically matched the grandeur of one of Nintendo’s greatest successes, and built the Wii XL.

Basing the scale of this console around an 80 mm case fan, the final product has twelve times the volume of the original Wii. This leaves plenty of room for an unmodified original Wii, its power brick, and all the various cables and adapters necessary to bring the ports to the exterior of the case. To power the fan, [Bringus Studios] designed his first PCB to leech power off one of the USB connectors while still allowing data to pass through.

Given the size constraints of his 3D printers, he used melamine MDF for the sides and had to print the other panels in multiple pieces, resulting in some gapping in the front panel where the prints peeled off the print bed. We really love the use of a modular design that leaves room for future improvements, since no project is ever truly done.

Power is routed through a figure eight power connector on the outside to a female two prong plug on the inside while USB and HDMI are routed out the back via a combination panel connector intended for RV and boat use. If you don’t remember the Wii having HDMI out, that’s because it didn’t, but HDMI adapters are easy to come by for the machine.

In case you want to see more supersized projects, check out this giant Xbox Series X or ponder whether it would’ve been better with an enormous 555.


Commodore 64 Web Server Brings 8-Bit Into The Future

These days, most webservers are big hefty rackmount rigs with roaring fans in giant datacenters. [naDDan]’s webserver is altogether more humble, as it runs on a single Commodore 64. 

The C64 is running Contiki OS, an operating system for 6502-based computers. It’s built with an eye to networking, requiring ethernet hardware for full functionality. In [naDDan]’s case, he’s outfitted his C64 with an ETFE network adapter in the cartridge port to get it online. It serves up the HTML file off a 1541C floppy drive, with the drive buzzing away every time someone loads up the page.

The page itself is simple, showing some basic information on a simple blue background. There is some scrolling text though, as is befitting the 8-bit era. It’s also available in four languages.

[naDDan’s] server can be found here, according to his video, but at the time of writing, it was down for the count. Whether that’s due to a dynamic DNS issue or the simple fact that an 8-bit 6502 isn’t up to heavy traffic is up for debate. Regardless, try for yourself and see how you go. Video after the break.

Watch Out SiC, Diamond Power Semiconductors Are Coming For You!

The vast majority of semiconductor products we use every day are built on a silicon process, using wafers of pure silicon. But while the economics are known and the processes mature, there are still some weaknesses, especially for power applications. Gallium nitride (GaN) and silicon carbide (SiC) are materials that have seen an explosion in use in the power space, driven especially by an increase in electric vehicle sales and other high-power/high-voltage systems such as solar arrays. But SiC is expensive and very energy intensive to produce. It looks like diamond substrates could become much more common if the work by Diamfab takes off.

Diamond, specifically thin films of synthetic diamond formed on a suitable substrate, exhibits many desirable properties, such as a vastly higher maximum electric field than silicon, and a thermal conductivity five times better than copper. Such properties give diamond structures a big power and voltage advantage over SiC, which is in turn a lot better than pure silicon. This also means that diamond-based transistors are more energy efficient, making them smaller and cheaper as well as better performing. Without the high formation temperatures needed for SiC, diamond could well be SiC’s downfall, especially once you factor in the reduced environmental impact. There is even some talk about solid-state, high-voltage capacitors with diamond insulators becoming possible. It certainly is an interesting time to be alive!

We do cover news about future semiconductors from time to time, like this piece about cubic boron arsenide. We’ve also seen diamond being used as a battery, albeit a very weak radiative one.

[via EETimes]

IR Camera Is Excellent Hacking Platform

While there have been hiccups here and there, the general trend of electronics is to decrease in cost or increase in performance. This can be seen in fairly obvious ways like more powerful and affordable computers but it also often means that more powerful software can be used in other devices without needing expensive hardware to support it. [Manawyrm] and [Toble_Miner] found this was true of a particular inexpensive thermal camera that ships with Linux installed on it, and found that this platform was nearly perfect for tinkering with and adding plenty of other features to turn it into a much more capable tool.

The duo have been working on the SC240N variant of the InfiRay C200 infrared camera, which ships with a HiSilicon SoC. The display runs at 25 frames per second, making this platform an excellent candidate for modification. A few ports were added to the device, including USB and MicroSD, which also makes the internal serial port easy to reach. From there the device can be equipped with the U-Boot bootloader in order to run essentially anything that could be found on any other Linux machine, such as a webcam interface (and a port of DOOM, of course). The duo doesn’t stop at software modifications, though. They also equipped the camera with a magnetically attached lens, which changes the camera’s focal length to give it improved imaging at closer ranges.

While the internal machinations of this device are interesting, it actually turns out to be a fairly capable infrared camera on its own as well. The hardware and software requirements for these devices certainly don’t need a full Linux environment to work, and while we have seen thermal cameras that easily fit in a pocket that are based on nothing any more powerful than an ESP32, it does tend to simplify the development process dramatically to include Linux and a little more processing power if you can.


Flexible Actuator Flaps For 100,000,000 Cycles Without Failure

Flexible PCBs are super-useful things, but they can have a limited fatigue life. [Carl Bugeja] has been using them to create flexible actuators, though, and he’s getting an amazing 100,000,000 cycles out of them after some rigorous development.

[Carl] explores all manner of optimizations to his flippy actuators in the video. He tried making them oscillate faster by putting a hole in the middle to reduce drag. Other tricks include getting the arm thickness just right, and experimenting with rigidity through adding or removing sections of soldermask.

Fundamentally, though, he learned that the key to longevity lay in the copper traces on the flex PCBs themselves. After enough flexural cycles, the traces would fail, killing the actuator. He experimented with a variety of solutions, eventually developing a ruggedized two-arm version of his actuator. Twenty samples were put to the test, oscillating at 25 Hz for two weeks straight. All samples survived the test, in which they were put through around 107,820,000 cycles.

[Carl] has put in plenty of hard work on this project, and his actuators have come a long way since we saw them last. He hopes to use the better actuators to improve his FlexLED display. Video after the break.
