This Week In Security: ImageMagick, VBulletin, And Dota 2

There are a few binaries that wind up running in a bunch of places, silently doing their jobs, and are easily forgotten about. ImageMagick is used on many servers for image conversion and resizing, and tends to run automatically on uploaded images. Easily forgotten, runs automatically, and with arbitrary inputs. Yep, perfect target for vulnerability hunting. And the good folks at Metabase found two of them.

First up is CVE-2022-44267, a Denial of Service, when ImageMagick tries to process a rigged PNG that contains a textual chunk. This data type is usually used for metadata, and can include a profile entry for something like EXIF data. If this tag is specified inside a text chunk, ImageMagick looks to the given value as a filename for finding that profile data. And notably, if that value is a dash (-), it tries to read from standard input. If the server’s image processing flow doesn’t account for that quirk, and virtually none of them likely do, this means the ImageMagick process hangs forever, waiting for the end of input. So while that’s not usually a critical problem, it could be used for a resource exhaustion attack.

But the real problem is CVE-2022-44268. It’s the same trick, but instead of using a dash (-) to indicate standard input, the processed image refers to a file on the server filesystem. If the file exists, and can be read, the contents are included in the image output. If the attacker has access to the output image, it’s a slick data leak — and obviously a real security problem. If a server doesn’t have tight file permissions and isolation, there’s plenty of sensitive information to be found and abused.

The fix landed back in October 2022, and was part of the 7.1.0-52 release. There’s a bit of uncertainty about which versions are vulnerable, but I wouldn’t trust anything older than that version. It’s a pretty straightforward flaw to understand and exploit, so there’s a decent chance somebody figured it out before now. The file exfiltration attack is the one to watch out for. It looks like there’s an Indicator of Compromise (IoC) for those output PNGs: “Raw profile type”.
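A defender can check for both ends of this bug before and after the converter runs: reject uploaded PNGs whose text chunks carry the profile keyword the article describes, and flag output PNGs containing the “Raw profile type” string. The scanner below is an added example written for this page, not code from the article, from Metabase, or from the ImageMagick project. It assumes the text-chunk keyword in question is spelled “profile” (compared case-insensitively), and it builds its own minimal 1x1 PNGs as constructed test data; no real upload is read. The sample value “example-placeholder” is a placeholder, not a path.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
TEXT_CHUNK_TYPES = (b"tEXt", b"zTXt", b"iTXt")
# Keyword ImageMagick treats as a profile file reference (the "profile entry"
# the article describes). Assumed spelling; compared case-insensitively.
PROFILE_KEYWORD = b"profile"
# Indicator of Compromise for output images, as named in the article.
OUTPUT_IOC = b"Raw profile type"


def make_chunk(ctype, payload):
    """Assemble one PNG chunk: length, type, payload, CRC32 over type+payload."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def iter_chunks(data):
    """Yield (type, payload) for every chunk up to IEND; raise ValueError if malformed."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        start, end = pos + 8, pos + 8 + length
        if end + 4 > len(data):
            raise ValueError("truncated chunk %r" % ctype)
        payload = data[start:end]
        (crc,) = struct.unpack(">I", data[end:end + 4])
        if zlib.crc32(ctype + payload) & 0xFFFFFFFF != crc:
            raise ValueError("CRC mismatch in chunk %r" % ctype)
        yield ctype, payload
        pos = end + 4
        if ctype == b"IEND":
            return
    raise ValueError("missing IEND chunk")


def decode_text_chunk(ctype, payload):
    """Return (keyword, text) as bytes for tEXt, zTXt and iTXt chunks."""
    keyword, _, rest = payload.partition(b"\x00")
    if ctype == b"tEXt":
        return keyword, rest
    if ctype == b"zTXt":
        # one byte compression method, then deflate-compressed text
        try:
            return keyword, zlib.decompress(rest[1:])
        except zlib.error:
            return keyword, b""
    # iTXt: compression flag, compression method, language tag\0, translated keyword\0, text
    if len(rest) < 2:
        return keyword, b""
    compressed = rest[0] == 1
    _lang, _, rest = rest[2:].partition(b"\x00")
    _translated, _, text = rest.partition(b"\x00")
    if compressed:
        try:
            text = zlib.decompress(text)
        except zlib.error:
            text = b""
    return keyword, text


def scan_png(data):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    findings = []
    try:
        for ctype, payload in iter_chunks(data):
            if ctype not in TEXT_CHUNK_TYPES:
                continue
            keyword, text = decode_text_chunk(ctype, payload)
            if keyword.lower() == PROFILE_KEYWORD:
                # Upload-side check: this keyword makes ImageMagick open a file or stdin.
                findings.append("%s chunk with keyword %r (value %r)"
                                % (ctype.decode(), keyword, text[:64]))
            if OUTPUT_IOC in keyword or OUTPUT_IOC in text:
                # Output-side check: the IoC string from the article.
                findings.append("%s chunk carries %r" % (ctype.decode(), OUTPUT_IOC))
    except ValueError as exc:
        # Reject rather than guess: malformed files should never reach the converter.
        findings.append("malformed PNG: %s" % exc)
    return findings


def build_sample_png(text_chunks):
    """Construct a minimal 1x1 8-bit grayscale PNG (test data made here, not a real
    upload) with the given (type, payload) text chunks placed between IHDR and IDAT."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    png = PNG_SIGNATURE + make_chunk(b"IHDR", ihdr)
    for ctype, payload in text_chunks:
        png += make_chunk(ctype, payload)
    return png + make_chunk(b"IDAT", idat) + make_chunk(b"IEND", b"")


if __name__ == "__main__":
    sample = build_sample_png([(b"tEXt", b"profile\x00example-placeholder")])
    for line in scan_png(sample):
        print(line)
```

Run the upload-side check on inbound files before handing them to ImageMagick, and the output-side check on anything the converter writes back; a CRC mismatch or truncated chunk is treated as a finding too, since a converter running on garbage is the situation the article warns about.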

Modernizing C Arrays For Greater Memory Safety

Lately, there has been a push for people to stop using programming languages that don’t promote memory safety. But as we still haven’t seen the death of some languages that were born in the early 1960s, we don’t think there will be much success in replacing the tremendous amount of software that uses said “unsafe” languages.

That doesn’t mean it’s a hopeless cause, though. [Kees Cook] recently posted how modern C99 compilers offer features to help create safer arrays, and he outlines how you can take advantage of these features. Turns out, it is generally easy to do, and if you get errors, they probably point out unexpected behavior in your original code, so that’s a plus.

We don’t think there’s anything wrong with C and C++ if you use them as you should. Electrical outlets are useful until you stick a fork in one. So don’t stick a fork in one. We really liked the recent headline we saw from [Sarah Butcher]: “If you can’t write safe C++ code, it’s because you can’t write C++.” [Cook’s] post makes a similar argument. C has advanced quite a bit, and the fact that 30-year-old code doesn’t use these new features isn’t a good excuse to give up on C.


Homebrew Ball Drop Machine Rings In The New Year

The New Year’s Ball Drop in New York City stems from an old English naval tradition. These days, it’s more of a celebratory thing, and [Jon Gonzalez] wanted to bring a bit of that joy to his own celebrations. Thus enter the Ball-Drop-O-Matic 3000.

The ball itself consists of two 3D printed halves assembled together with a linear bearing in the middle. It’s loaded up with a ton of addressable LEDs to give it plenty of flash, pomp, and circumstance as it rides down the flagpole. Animations are coded into the K-1000C display controller using LEDEdit2014, an older piece of software which can turn Flash animations into commands to run WS2812B LED strips.

Lowering the ball is handled by a motorized winch. The winch is mounted at the base of the flagpole for aesthetic reasons, with the cable travelling up to the top of the pole, over a pulley, and back down to the ball. The descent speed is set to count down the last minute of the year, with numbers animated on the ball itself.

The build was clearly a great addition to [Jon’s] New Year’s celebrations, even if it wasn’t quite finished until 9:35 PM on the big night. We’ve seen other fun ball drop builds before, too.


Domino Ring Machine Tips Tiles In A Never-ending Wave

Like to see dominoes fall? [JK Brickworks] has got what you need, in the form of a never-ending ring of falling and resetting tiles. LEGO pieces are the star in this assembly, which uses a circular track and moving ramp to reset tiles after they have fallen. Timed just right, it’s like watching a kinetic sculpture harmoniously generating a soliton wave as tiles fall only to be endlessly reset in time to fall again.

A Mindstorms IR sensor monitors a tile’s state for timing.

It’s true that these chunky tiles aren’t actually dominoes — not only are they made from LEGO pieces and hinged to their bases, they have a small peg to assist with the reset mechanism. [JK Brickworks] acknowledges that this does stretch the definition of “dominos”, but if you’re willing to look past that, it’s sure fun to see the whole assembly in action.

The central hub in particular is a thing of beauty. For speed control, an IR sensor monitors a single domino’s up/down state and a LEGO Mindstorms EV3 with two large motors takes care of automation.

The video does a great job of showing the whole design process, especially the refinements and tweaks that demonstrate the truly fun part of prototyping. [JK Brickworks] suggests turning on subtitles for some added details and technical commentary, but if you’re in a hurry, skip directly to 4:55 to see it in action.

Want to see more automated domino action? This domino-laying robot sets them up for you to knock down at your leisure, and this entirely different robot lays out big (and we do mean BIG) domino art displays.


Getty Images Is Suing An AI Image Generator For Using Its Images

As per the Getty Images legal complaint, the Stable Diffusion AI seems to reproduce gooey versions of the Getty Images watermark in some of its output. Credit: Getty Images

Many AI systems require huge training datasets in order to achieve their impressive feats. This applies whether you’re talking about an AI that works with images, natural language, or just about anything else. AI developers are starting to come under scrutiny for where they’re sourcing their datasets. Unsurprisingly, stock photo site Getty Images is at the forefront of this, and is now suing the creators of Stable Diffusion over the matter, as reported by The Verge.

Stability AI, the company behind Stable Diffusion, is the target of the lawsuit for one good reason: there’s compelling evidence the company used Getty Images content without permission. The Stable Diffusion AI has been seen to generate output images that actually include blurry approximations of the Getty Images watermark. This is somewhat of a smoking gun to suggest that Stability AI may have scraped Getty Images content for use as training material.

The copyright implications are unclear, but using any imagery from a stock photo database without permission is always asking for trouble. Various arguments will likely play out in court. Stability AI may make claims that their activity falls under fair use guidelines, while Getty Images may claim that the appearance of perverted versions of their watermark may break trademark rules. The lawsuit could have serious implications for AI image generators worldwide, and is sure to be watched closely by the nascent AI industry. As with any legal matter, just don’t expect a quick answer from the courts.

[Thanks to Dan for the tip!]

Two goniometers sit on a table. One is an open wooden box with a long piece of plywood along the bottom. A laser distance finder rests on the front edge and a printed angle scale has been attached to the back side of the box. To the right of this box is a much smaller goniometer made from an orange pipe cap with a small strip of paper serving as the angle scale inside the interior edge. It is attached to a wooden handle that looks vaguely like a V. A laser pointer can be inserted from the bottom where a hole has been drilled through the wood.

Goniometer Gives You An Edge At Knife Sharpening

Sometimes you absolutely, positively need to know the angle of the cutting edge on a knife. When you do, the best tool for the job is a laser goniometer, and [Felix Immler] shows us three different ways to build one. (YouTube)

The underlying principle of all three of these builds is to project reflected laser light off a knife blade onto a scale going from 0-45˚. [Immler] shows a basic demonstration of this concept with a hinge toward the beginning of the video (after the break). Blades with multiple bevels will reflect light to each of the appropriate points on the scale.

The simplest version of the tool is a printed PDF scale attached to a wooden box with a hole for the blade to pass through. The next uses a large pipe end cap and a drilled-out piece of wood to create a more manageable measuring tool. Finally, [Immler] worked with a friend to design a 3D printed goniometer with differently-sized adapters to fit a variety of laser pointers.

Now that you’re ready to precisely sharpen your blades, why not sharpen this guacamole bot or try making your own knife from raw ore?


Decorative Clock Uses LED Strips To Beautiful Effect

Clocks used to be dowdy old things with mechanical hands and sometimes even little cuckoo birds that would pop out to chime the hour. [David] built something altogether more modern that uses shifting colors on LED strips to tell the time.

The core of the build is an ESP8266, which queries an NTP time server to keep itself synced up with the current time as accurately as possible. It then controls a WS2812B LED strip to display the time. The strip itself is hidden in a 3D-printed housing behind an opaque wooden ring, with the light from the LEDs diffusing out nicely onto the wall upon which the clock is mounted.

The display shows three “hands” in the colors it projects on the wall. The red second hand is projected inside and outside the ring. The minute hand is green, and projects outside the ring. Meanwhile, the hour hand is blue, and projects inside the ring. Without any numerical markings, you won’t get an exact reading of the time, but you can figure it out closely enough. As a bonus, the clock looks like a stylish light-based wall sculpture, and your guests may not even realize it tells the time.

We’ve featured [David’s] work before too, in the form of the handy ESP8266 breadboard socket. Video after the break.
