This Week In Security: Session Puzzling, Session Keys, And Speculation

Last week we briefly mentioned a vulnerability in the Papercut software, and more details and a proof of concept have been published. The vulnerability is one known as session puzzling. That’s essentially where a session variable is used for multiple purposes, or gets incorrectly set. In Papercut, it was possible to trigger the SetupCompleted class on a server that had already finished that initial setup process. And part of SetupCompleted validated the session of the current user. In a normal first-setup case, that might make sense, but as anyone could trigger that code, it allowed anonymous users to jump straight to admin.

The other half of the exploit leverages the “print script” feature, which lets admins write code that runs on printing. A simple java.lang.Runtime.getRuntime().exec('calc.exe'); does the trick to jump from web interface to remote code execution. The indicators of compromise are reasonably generic, including the log lines User "admin" logged into the administration interface. and Admin user "admin" modified the print script on printer "". A Shodan search turns up around 1,700 Papercut servers accessible from the Internet, which prompts the painfully obvious observation that your internal print auditing solution’s web interface definitely should not be exposed online.

Apache Superset

Superset is a nifty data visualization tool for showing charts, graphs, and all sorts of pretty data sets on a dashboard. It also has some weirdness with using web sessions for user management. The session is stored on the user side in a cookie, signed with a secret key. This works great, unless the key used is particularly weak. And guess what, the default configuration of Superset uses a pre-populated secret key. thisismysecretkey is arguably a bad key to start with, but it turns out it’s also shared by more than 70% of the accessible Superset servers.
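Both stories above come down to how a server treats its session: Papercut lets a setup-completion handler promote the current session without checking that setup is still pending, and Superset signs the client-side session cookie with a key that ships as a known default. The following is an added example written for this post, not code from Papercut, Superset or Flask. The HMAC-SHA256 cookie format, the App class, sign_session, load_session, check_secret_key and cookie_signed_with_default are all constructed stand-ins for illustration; the only value taken from the article is the default key thisismysecretkey.

```python
# Added example (not Papercut's, Superset's or Flask's code): a minimal
# client-side signed session, a "session puzzling" setup handler beside its
# fixed form, and a startup self-check for a default or weak signing key.
import base64
import hashlib
import hmac
import json
import secrets
from typing import Dict, List, Optional

# Known shipped default from the article; in practice extend this from
# your own configuration audit.
KNOWN_DEFAULT_KEYS = {"thisismysecretkey"}


def sign_session(data: Dict, key: str) -> str:
    """Serialize a session dict and append an HMAC-SHA256 tag (constructed format)."""
    payload = base64.urlsafe_b64encode(
        json.dumps(data, sort_keys=True).encode()).decode()
    tag = hmac.new(key.encode(), payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def load_session(cookie: str, key: str) -> Optional[Dict]:
    """Return the session dict if the tag verifies under `key`, else None."""
    try:
        payload, tag = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key.encode(), payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None  # tampered, or signed with a different key
    return json.loads(base64.urlsafe_b64decode(payload))


def check_secret_key(key: str) -> List[str]:
    """Startup check: refuse shipped defaults and short keys."""
    problems = []
    if key in KNOWN_DEFAULT_KEYS:
        problems.append("secret key is a known shipped default")
    if len(key) < 32:
        problems.append("secret key is shorter than 32 characters")
    return problems


def cookie_signed_with_default(cookie: str) -> bool:
    """Self-check for operators: a cookie issued by your own deployment must
    never verify under a known default key."""
    return any(load_session(cookie, k) is not None for k in KNOWN_DEFAULT_KEYS)


class App:
    """Hypothetical server holding the one piece of state that matters here:
    whether first-run setup has already been completed."""

    def __init__(self, secret_key: str) -> None:
        self.secret_key = secret_key
        self.setup_completed = False

    def is_admin(self, cookie: str) -> bool:
        session = load_session(cookie, self.secret_key)
        return bool(session and session.get("role") == "admin")

    def setup_completed_vulnerable(self, cookie: str) -> str:
        """Session puzzling: the handler elevates whoever reaches it, with no
        check that setup is actually still pending."""
        session = load_session(cookie, self.secret_key) or {}
        self.setup_completed = True
        session["role"] = "admin"       # session variable doubles as auth state
        return sign_session(session, self.secret_key)

    def setup_completed_fixed(self, cookie: str) -> Optional[str]:
        """Fixed form: the handler is only reachable while setup is pending;
        afterwards the request is rejected (returns None) and the session is
        left untouched."""
        if self.setup_completed:
            return None
        session = load_session(cookie, self.secret_key) or {}
        self.setup_completed = True
        session["role"] = "admin"
        return sign_session(session, self.secret_key)


if __name__ == "__main__":
    app = App(secrets.token_urlsafe(32))   # strong, per-deployment key
    app.setup_completed = True             # setup finished long ago
    anon = sign_session({}, app.secret_key)
    print("anonymous is admin:", app.is_admin(anon))
    print("after vulnerable handler:", app.is_admin(app.setup_completed_vulnerable(anon)))
    print("fixed handler result:", app.setup_completed_fixed(anon))
    print("default key problems:", check_secret_key("thisismysecretkey"))
```

The two checks at the bottom are the operator-side takeaways: check_secret_key belongs in the startup path so a deployment with the shipped default never comes up, and cookie_signed_with_default can be run against a cookie your own instance issued to confirm the configured key is really in use.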

Continue reading “This Week In Security: Session Puzzling, Session Keys, And Speculation”

Checking Out And Reviving A Batch Of Used Floppy Disks

With the last manufacturer of 3.5″ floppy disks (FDs) having shut down in 2010, those who are still using this type of storage medium for production and/or retrocomputing purposes have to increasingly rely on a dwindling stack of new old stock, or the used market. With the purported unreliability of this type of magnetic media in mind, what are the chances of a box of used FDs — whether DD or HD format — still working in 2023? That’s the question which [VWestLife] set out to answer in a recent video when he bought a stash of these real-life save icons in 720 kB format from eBay.

To his delight, he found that he could read most of the disks without issues, revealing contents that had been on there since the 1990s. All but four could also be formatted without issues; the problematic disks reported bad sectors, which was a bit of a bummer. As a practical demonstration of how fun magnetic media is, he then proceeded to try and fix these four disks with a bulk eraser tool. This is a rather brute-force tool that uses a rapidly fluctuating electromagnetic field to scramble the bits on magnetic media.

As reported bad sectors and other issues can be caused by sector alignment problems from years of constant writing by different drives, this may sometimes fix a disk. In this case one of the bad disks was fixed, while a second still showed bad sectors and the remaining two refused to format at all. Assuming one can get a box of old FDs for cheap and has a few hours to kill, it’s not a bad way to refill that stack of empty FDs.

Of course if you can’t fix that old floppy, you can always make an IR filter out of it.

Continue reading “Checking Out And Reviving A Batch Of Used Floppy Disks”

The Cheap And Available Microwave Playground

There’s something of a mystique about RF construction at the higher frequencies, it’s seen as a Black Art only practiced by elite wizards. In fact, UHF and microwave RF circuitry is surprisingly simple and easy to understand, and given the ready availability of low-noise block downconverters (LNBs) for satellite TV reception there’s even a handy source of devices to experiment on. It’s a subject on which [Polprog] has brought together a handy guide.

A modern LNB has some logic for selecting one of a pair of local oscillators and to use vertical or horizontal polarization, but remains otherwise a very simple device. There’s an oscillator, a mixer, and an RF amplifier, each of which uses microwave transistors that can with a little care be repurposed. The page demonstrates a simple transmitter, but it’s possible to create more powerful devices by using the amplifier stage “in reverse”.

Meanwhile the oscillator can be moved by loading the dielectric resonators with PVC sleeving, and the stripline filters can even be modified with a fine eye for soldering and some thin wire. Keep an eye out in thrift stores and yard sales for old satellite dishes, and you can give it a go yourself. It’s a modern equivalent of the UHF tuner hacking enjoyed by a previous generation.

Using An Old Smartphone In Place Of A Raspberry Pi

The Raspberry Pi was a fairly revolutionary computing device when it came on the scene around a decade ago. Enough processing power to run a full Linux desktop and plenty of GPIO meant almost certain success. In the past year, though, they’ve run into some issues with their chip supplier and it’s been difficult to find new Pis, which has led to some looking for alternatives to these handy devices. [David] was hoping to build a music streaming server and built it on an old smartphone instead of the ubiquitous single-board computer.

Most smartphones are single-board computers though, and at least the Android devices are fully capable of running Linux just like the Pi. The only problem tends to be getting around the carrier or manufacturer restrictions like a locked bootloader or lack of root access. For [David]’s first try getting this to work, he tried to install Navidrome on a Samsung phone but had difficulties with the lack of memory and had to build the software somewhere else and then load it on the phone. It did work, but the stock operating system kept killing the process for consuming too much memory.

Without root access, [David] decided to try LineageOS, a version of Android which, among other benefits, is typically much more configurable than the stock version of Android that is shipped with smartphones. This allowed him to disable or uninstall anything not needed for his music server to free up enough memory. After some issues with transcoding the actual music files he planned on streaming, his music server was successfully up and running on a phone that would have otherwise been relegated to the junk drawer. The specific steps he took to get this working can be found on his GitHub page as well.

[David] also mentioned looking at PostmarketOS for this job which is certainly a viable option for some, but the Linux distribution for phones is only supported on a few devices. Another viable alternative for a project like this if no Raspberry Pis are available might be any of a number of Pine64 devices that might also be sitting around gathering dust, like the versatile Linux-based Pinephone.


Solving The Mystery Of The Mayan Calendar’s 819-Count Cycle

Mayan Calendar Round. (Source: Chichen Itza)

Despite the mysticism that often clouds the Mayan calendar in popular culture, the fact remains that the calendar system in use by the Mayans was based on a system used throughout the pre-Columbian Mesoamerican societies, dating back to at least the 5th century BCE. Characteristic of this system is its cyclical nature, with the Mayan calendar featuring three common cycles: the Long Count, the Tzolk’in (260-day) and the 365-day, solar-based Haab’. Combined, these three cycles formed what is known as the Calendar Round, which lasts for 52 haab’ (years).

What was less obvious here was the somewhat obscure 819-day count that was found in certain locations in Mayan constructions. Now researchers John H. Linden and Victoria R. Bricker figure that they have discovered how this new cycle matches up with the previously known Calendar Round. In previous reports by e.g. Barbara McLeod and Hutch Kinsman in 2012, they noted the ongoing debate on this 819-day count and its potential purpose. The new insight by Linden and Bricker is that by increasing the calendar length to 20 periods of 819 days, it matches up with all synodic periods of the visible planets, explaining it as a planetary astronomical cycle.

What is interesting here is that the Mayan counting system is base-20 (vigesimal). Whether coincidence or not when it comes to this part of the Mayan calendar, it is good to see that more secrets of the Classical Mayan society are being recovered. With modern day Maya still living where their ancestors once did, these discoveries help them to recover and reconnect to the parts of their history that were so brutally destroyed by the invading Europeans.

(Heading image: El Caracol observatory at Chichen Itza, Mexico)

Cheap Deburring Tool Is Game Changer For 3D Printing

3D printing’s real value is that you can whip up objects in all kinds of wacky geometries with a minimum of fuss. However, there’s almost always some post-processing to do. Like many manufactured plastic objects, there are burrs, strings, and rough edges to deal with. Fussing around with a knife to remove them is a poor way to go. As explained by [Adrian Kingsley-Hughes] on ZDNet, a deburring tool is the cheap and easy solution to the problem.

If you haven’t used one before, a deburring tool simply consists of a curved metal blade that swivels relative to its straight handle. You can drag the curved blade over the edge of a metal, wooden, or plastic object, and it neatly pulls away the burrs. There’s minimal risk of injury, unlike when pulling a regular blade towards yourself. The curved, swiveling blade is much less liable to slip or jump, and if it does, it’s far less likely to cut you.

For plastic use, just about any old deburring tool will do. They last a long time with minimal maintenance. They will wear out faster when used on metals, but you can get replacement blades cheap if you happen to need them. It’s a tool every workshop should have, particularly given they generally cost less than $20.

Given the ugly edges and rafts we’re always having to remove from our 3D prints, it’s almost egregious that printers don’t come with them bundled in the box. They’re just a bit obscure when it comes to tools; this may in fact be the first time Hackaday’s ever covered one. If you’ve got your own quality-of-life hacks for 3D printing, sound off below, or share them on the tipsline! We have able staff waiting for your email.

Smooth Animations, Slick Bar Graphs, But No Custom Characters On This 16×2 OLED

Sometimes, finding new ways to use old hardware requires awesome feats of reverse engineering, software sleight of hand, and a healthy dose of good fortune. Other times, though, it’s just as simple as reading the data sheet and paying attention to details.

Not that we’re knocking [upir]’s accomplishment with these tricked-out 16×2 OLED displays. Far from it, in fact — the smoothly animated bar graph displays alphanumerics look fantastic. What’s cool about this is that he accomplished all this without resorting to custom characters. We’ve seen him use this approach before; this time around, the hack involves carefully shopping for a 16×2 OLED display with the right driver chip — a US2066 chip. You’ll still need a few tricks to get things working, like extra pull-up resistors to get the I2C display talking to an Arduino, plus a little luck that you got a display with the right character ROM.

Once all that is taken care of, getting the display to do what you want is mainly a matter of coding. In the video below, [upir] does a great job of walking through the finer points, and the results look great. The bar graphs in particular look fantastic, with silky-smooth animations.

Continue reading “Smooth Animations, Slick Bar Graphs, But No Custom Characters On This 16×2 OLED”