This Week In Security: Zimbra RCE, Routers Under Attack, And Old Tricks In WebAssembly

There’s a problem in the unrar utility, and as a result, the Zimbra mail server was vulnerable to Remote Code Execution simply by being sent an email. Some background first: unrar is a source-available command-line application made by RarLab, the same folks behind WinRAR. The vulnerability is CVE-2022-30333, and it’s a classic path traversal on archive extraction. One of the ways this attack is normally pulled off is by extracting a symlink into the intended destination, where the link points to a location that should be off limits. unrar has code hardening against this attack, but that hardening is undermined by its cross-platform support. On a Unix machine, the archive is checked for any symbolic links containing the ../ pattern. Only after this check is completed does a function run to convert any Windows paths to Unix notation. As such, the simple bypass is to include symlinks using ..\ traversal, which don’t get caught by the check, and are then converted into working ../ traversal paths.
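The root cause here is an ordering bug: the traversal check runs on the raw path, and the separator conversion runs afterwards. The following is an added Python model of that ordering and of the hardened alternative (normalise first, then resolve against the extraction root); it is illustrative code written for this page, not unrar’s source, and the extraction root and the sample link targets are constructed values.

```python
import posixpath

# Constructed, hypothetical extraction directory used for the example.
EXTRACT_ROOT = "/var/tmp/extract"


def windows_to_unix(path: str) -> str:
    """Mimic the cross-platform conversion: Windows '\\' separators become '/'."""
    return path.replace("\\", "/")


def contains_dotdot(path: str) -> bool:
    """Naive '../' check on '/'-separated components, as described for unrar."""
    return ".." in path.split("/")


def accept_link_checked_before_convert(target: str):
    """Models the vulnerable ordering described above: run the traversal check
    on the raw target, and only then convert Windows separators.
    Returns (accepted, path_that_would_be_used)."""
    if contains_dotdot(target):
        return False, None
    return True, windows_to_unix(target)


def accept_link_convert_then_resolve(target: str, root: str = EXTRACT_ROOT):
    """Hardened ordering: normalise separators first, reject absolute targets,
    then resolve the target against the extraction root and require the
    result to stay inside it. Returns (accepted, resolved_path)."""
    unix_target = windows_to_unix(target)
    if posixpath.isabs(unix_target):
        return False, None
    resolved = posixpath.normpath(posixpath.join(root, unix_target))
    if resolved != root and not resolved.startswith(root + "/"):
        return False, None
    return True, resolved


def audit(targets):
    """Run both policies over a list of symlink targets and report, per
    target, whether each policy would accept it. Useful for seeing which
    inputs slip past the check-before-convert ordering."""
    report = []
    for t in targets:
        vuln_ok, _ = accept_link_checked_before_convert(t)
        hard_ok, _ = accept_link_convert_then_resolve(t)
        report.append((t, vuln_ok, hard_ok))
    return report


if __name__ == "__main__":
    # Constructed sample symlink targets, as they might appear in an archive.
    samples = [
        "sub/inside.txt",       # benign, stays inside the root
        "../outside.txt",       # caught by both orderings
        "..\\outside.txt",      # slips past the check-before-convert ordering
        "/abs/elsewhere.txt",   # absolute target, only the hardened path rejects
    ]
    for target, vuln_ok, hard_ok in audit(samples):
        print(f"{target!r:24} check-before-convert={vuln_ok!s:5} convert-then-resolve={hard_ok}")
```

The resolved-path check above works on strings only. Against a real filesystem the parent directory of each link must also be resolved with `os.path.realpath`, because an earlier entry in the same archive may itself have been a symlink that redirects later writes outside the root; that is the same class of problem, just one step removed.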

That was bad enough, but Zimbra made it worse by automatically extracting .rar attachments on incoming emails in order to run a virus and spam check. That extraction isn’t sandboxed, so an attacker’s files can be written anywhere on the filesystem the zimbra user can write. It’s not hard to imagine how this turns into a full RCE very quickly. If you have an unrar binary based on RarLab code, check for version 6.1.7 or 6.12 of their binary release. While Zimbra was the application specifically called out, there are likely to be other cases where this could be used for exploitation.

render of the MNT Pocket Reform on a desk

MNT Reform Goodness, Now Even Smaller With Pocket Reform

You might have already seen the pretty pictures in pastel colors online — a small netbook-like computer with a full-size keyboard. This, while a render, is what the MNT Pocket Reform is going to look like. Reminiscent of the netbook aesthetic in all the right ways, it’s a small device with a mechanical keyboard taking as much space as possible, trackball for navigation, and we assume, exactly the kind of screen that’d be comfortable to use.

We reviewed the MNT Reform a year ago, and this device inherits a lot of its good parts. The motherboard’s connectivity is likely subject to change, but on the motherboard renders, we can spot three USB-C ports, a Micro HDMI port, a microSD card slot, ix Industrial Ethernet, and M.2 B-key and M-key slots for WWAN and SSD cards respectively.

If you expected computational specs, there isn’t really a specific CPU+RAM configuration announced – for a good reason. The Pocket Reform takes advantage of the CPU card concept designed into the MNT Reform: it can take a card with an NXP i.MX8M CPU, a Raspberry Pi CM4, a Pine SOQuartz, a Kintex-7 FPGA, or any of the cards yet to be developed. The design files are open-source, the prototype motherboards have been ordered, and the mechanical usability aspects have been worked through. This is a very compelling project, and we can’t wait to see it bear fruit!

Full Printing Path Control Without Writing GCode

User-friendly slicing software is arguably the key software component that makes 3D printing approachable for most users. Without it, going from a CAD design to a printed part would take hours, not seconds. As a trade-off you give up a lot of control over the exact path of the hotend, but most of the time it’s worth it. However, for some niche use-cases, having complete control over the tool path is necessary. Enter FullControl GCode Designer, a tool that gives you all the control without resorting to writing GCode directly.

FullControl takes an approach similar to OpenSCAD, where you define path geometries line by line. Need an array of circles? Choose the circle feature, define its origin, radius, starting position, and extrusion height, and define the spacing and axes (including Z) of the copies. Need a mathematically defined lamp shade? Define the functions, and FullControl generates the GCode. Non-planar printing, where your print head moves along all three axes simultaneously instead of staying at a constant Z-height, is also possible. In the video after the break, [Thomas Sanladerer] demonstrates how he used FullControl to reduce the print time of a functionally identical part from two hours to 30 minutes.

FullControl is built on Microsoft Excel using Visual Basic scripting, which comes at the cost of long GCode generation times. It also doesn’t show the defined tool paths graphically, so the generated code needs to be pasted into a viewer like Repetier Host to see what it’s doing. Fortunately, a Python version is coming that should hopefully alleviate many of these shortcomings.

We also featured some other GCode hacks in the last few months: one that bends existing GCode along a spline path, and a Blender plugin that allows the surface textures of sliced objects to be modified.

LCD Screen Windows Are This Summer’s Hottest Case Mod

Case modding took off in the late 90s, and taught us all that computers could (and should!) look awesome. Much of the aesthetic went mainstream, and now tons of computer cases come with lights and windows and all the rest. [WysWyg_Protogen] realized those simple case windows could be way cooler with a neat LCD hack, and set to work.

The concept is simple. Take an old LCD monitor, remove the backlight and extraneous hardware, and then install it to the window in a computer case. When lit from behind via LEDs in the case, the screen creates a ghostly display through which the computer’s internals can still partially be seen. It’s a really compelling effect, and in theory, quite easy to achieve. All one need do is mount the stripped-down screen to the case and pipe it video from the graphics card.

In practice, it’s a little tricky. Disassembling the screen and removing things like the anti-glare coating can be tough to do without damaging the delicate panel inside. The windows typically used on computer cases can dull the effect, too. However, [WysWyg_Protogen] is continuing to tinker with the project and the results are getting increasingly impressive with each iteration. It doesn’t photograph too well, but it looks truly amazing in motion.

We often forget LCDs are transparent in their basic form, as we generally only use them with backlights or reflective backers. They really do look great when used in this transmissive way, though. Video after the break.


DIY Airless Tires Work Surprisingly Well

Airless tires have been “a few years away” from production for decades now. They’re the automotive version of vaporware (at least those meant for passenger vehicles), always on the cusp of being produced but somehow never materializing. They have a number of perks over traditional air-filled tires, chiefly that they are immune to flats and punctures, and since there aren’t any airless tires available at the local tire shop, [Driven Media] decided to make and test their own.

The tires are surprisingly inexpensive to make. A few pieces of drainage tubing of varying diameters, cut to short lengths, and then bolted together with off-the-shelf hardware is all it takes, although they note that there was a tremendous amount of hardware needed to fasten all the pipe lengths together. With the structure in place they simply cut a tread off of a traditional tire and wrapped it around each of the four assemblies, then bolted them up to their Caterham street-legal race car for testing.

While the ride quality was noticeably (and unsurprisingly) rough and bumpy, the tires performed admirably under the circumstances and survived being driven fairly aggressively on a closed-circuit race course. For such a low price and simple parts list, it’s surprising that a major tire manufacturer like Michelin hasn’t figured out how to successfully bring one to a light passenger car yet.

Thanks to [Itay] for the tip!


The Mystery Of Automatic Lubricators Is Revealed

Industrial machines have all kinds of moving parts that require regular lubrication in order to prevent wear and damage. Historically, these would require regular visits from maintenance personnel to keep them greased up and slippery. Automatic lubricators eliminate that job by regularly dosing machines with fresh grease, and [Big Clive] decided to see what makes them tick.

The device can be set to deliver a full load of grease over a period of 1-12 months.

The simplest models merely use a spring to slowly force grease out over time. Changing the spring changes the rate at which grease is dispensed. Chemical versions exist too. A chemical pill is selected and inserted into a chamber with liquid, which releases gas over time. As gas is released, it creates pressure which forces a plunger down, dispensing grease over time.

Perhaps the fanciest versions are the electronic models, however, which have a dial on the back for selecting the rate of grease delivery. Turning the dial changes a resistance that is connected across two zinc-air cells which are sealed. Apparently, when current is forced through these cells and they’re excluded from oxygen, the cells liberate hydrogen gas, according to a patent [Big Clive] found. This then forces down the plunger, dispensing the grease. Turning the dial changes the resistance, changing the rate at which grease is dispensed.

The quest for labor saving in industry has produced multiple designs of automated lubricator, all of which are fantastically simple and optimised for purpose. It shows just how much can be achieved with a few components and some creative thinking, where one’s first impulse might be to reach for a timer or microcontroller to do the job.

Lubrication is incredibly important – don’t forget it when building your CNC machines! Video after the break.


ESP32 Camera Slider Build Keeps Things In Perspective

We’ve seen a lot of camera slider builds here at Hackaday, and for good reason: having one really lets you take your project documentation, especially videos, to the next level. It’s one of those force multiplier builds — after you’ve completed it, it can help you make all your future projects just that much better. But we’re also no strangers to seeing these projects become overly complex, which can often make it difficult for others to replicate.

But that’s not the case here. The motorized camera slider that [Sasa Karanovic] recently sent our way does exactly what you’d expect, and little else. That’s not meant as a dig — sometimes the best approach is to keep it simple. Unless you’re a professional photographer or videographer, it’s unlikely you need a complicated motion rig. This design is perfect for the hacker or maker who wants to spruce up their project videos, but doesn’t want to spend months fiddling with the design.