This Week In Security: Sharepoint, Initramfs, And More

There was a disturbance in the enterprise security world, and it started with Pwn2Own Berlin. [Khoa Dinh] and the team at Viettel Cyber Security discovered a pair of vulnerabilities in Microsoft’s SharePoint. They were demonstrated at the Berlin competition in May, and patched by Microsoft in this month’s Patch Tuesday.

This original exploit chain is interesting in itself. It’s inside the SharePoint endpoint, /_layouts/15/ToolPane.aspx. The code backing this endpoint has a complex authentication and validation check. Namely, if the incoming request isn’t authenticated, the code checks for a flag, which is set true when the Referer header points to a sign-out page, and that header can be set arbitrarily by the requester. The DisplayMode value needs to be set to Edit, but that’s accessible via a simple URL parameter. The pagePath value, based on the URL used in the call, needs to start with /_layouts/ and end with /ToolPane.aspx. That particular check seems like a slam dunk, given that we’re working with the ToolPane.aspx endpoint. But to bypass the DisplayMode check, we added a parameter to the end of the URL, and hilariously, the pagePath string includes those parameters. The simple work-around is to append another parameter, foo=/ToolPane.aspx.

Putting it together, this means a POST to /_layouts/15/ToolPane.aspx?DisplayMode=Edit&foo=/ToolPane.aspx with the Referer header set to /_layouts/SignOut.aspx. This approach bypasses authentication, and allows a form parameter MSOTlPn_DWP to be specified. This must be a valid file on the target’s filesystem, in the _controltemplates/ directory, ending with .ascx. But it grants access to all of the internal controls on the SafeControls list.

There’s an entire second half to [Khoa Dinh]’s write-up, detailing the discovery of a deserialization bug in one of those endpoints, that also uses a clever type-confusion sort of attack. The end result was remote code execution on the SharePoint target, with a single, rather simple request. Microsoft rolled out patches to fix the exploit chain. The problem is that Microsoft often opts to fix vulnerabilities with minimal code changes, often failing to fix the underlying code flaws. This apparently happened in this case, as the authentication bypass fix could be defeated simply by adding yet another parameter to the URL.

These bypasses were found in the wild on July 19th, and Microsoft quickly confirmed. The next day, the 20th, Microsoft issued an emergency patch to address the bypasses. The live exploitation appears to be coming from a set of Chinese threat actors, with a post-exploitation emphasis on stealing data and maintaining access. There seem to be more than 400 compromised systems worldwide, with some of those being rather high profile.

Transparent PCBs Trigger 90s Nostalgia

What color do you like your microcontroller boards? Blue? Red? Maybe white or black? Sadly, all of those are about to look old hat. Why? Well, as shared by [JLCPCB], this transparent Arduino looks amazing.

The board house produced this marvel using its transparent flexible printed circuit (FPC) material. Basically, the stuff they use for ribbon cables and flex PCBs, just made slightly differently to be see-through instead of vaguely brown.

The circuit in question is a Flexduino, an Arduino clone specifically designed to work on flexible substrates. It looks particularly good on this transparent material, with the LEDs glowing and the white silkscreen for contrast. If you like what you see, you can order your own circuits using this material directly from JLCPCB’s regular old order form.

Most of all, this project reminds us of the 1990s. Back then, you could get all kinds of games consoles and other electronics with transparent housings. There was the beloved PlayStation Crystal, while Nintendo did something similar with the N64 while adding a whole line of tinted color and charcoal versions too. Somehow seeing a bit of the inside of things is just cool. Even if, in some cases, it’s just to avoid smuggling in prisons.

It took decades before you could get custom PCBs quickly and easily. Now, board houses are competing for the enthusiast (consumer?) market, and competition is spurring development of crazy stuff like transparent and even glow in the dark PCBs. What next? We’re thinking edible, ROHS and WEEE be damned. Drop your thoughts in the comments.

Thanks to [George Graves] for the tip!

Reachy The Robot Gets A Mini (Kit) Version

Reachy Mini is a kit for a compact, open-source robot designed explicitly for AI experimentation and human interaction. The kit is available from Hugging Face, which is itself a repository and hosting service for machine learning models. Reachy seems to be one of their efforts at branching out from pure software.

Our guess is that some form of Stewart Platform handles the head movement.

Reachy Mini is intended as a development platform, allowing people to make and share models for different behaviors, hence the Hugging Face integration to make that easier. On the inside of the full version is a Raspberry Pi, and we suspect some form of Stewart Platform is responsible for the movement of the head. There’s also a cheaper (299 USD) “lite” version intended for tethered use, and a planned simulator to allow development and testing without access to a physical Reachy at all.

Reachy has a distinctive head and face, so if you’re thinking it looks familiar that’s probably because we first covered Reachy the humanoid robot as a project from Pollen Robotics (Hugging Face acquired Pollen Robotics in April 2025.)

The idea behind the smaller Reachy Mini seems to be to provide a platform to experiment with expressive human communication via cameras and audio, rather than to be the kind of robot that moves around and manipulates objects.

It’s still early in the project, so if you want to know more you can find a bit more information about Reachy Mini at Pollen’s site and you can see Reachy Mini move in a short video, embedded just below.

Not Repairing An Old Tape Recorder

When you think of a tape recorder, you might think of a cassette tape. However, [Michael Simpson] has an old Star-Lite small reel-to-reel tape machine. It isn’t a repair so much as a rework to make it work better. These cheap machines were never the best, although a $19 tape player back then was a luxury.

Part of the problem is that the design of the tape player wasn’t all that good to begin with. The motor runs off two C cells in parallel. When these were new in the 1960s, that would have meant conventional carbon-zinc batteries, so the voltage would have varied wildly. That didn’t matter, though, because the drive was directly to the tape reel, so the speed also varied based on how much tape was left on the reel.

The amplifier has four transistors. [Michael] decided to replace the capacitors on the unit. He noticed, too, that the volume control is in line with the microphone when recording, so even though the recording was supposedly in need of repair, it turned out to be simply a case of the volume control being turned down. Pretty impressive for a six-decade-old piece of consumer electronics.

The capacitor change-out was simple enough. Some cleaning and lubing was also in order. Did it help? You’ll have to listen and decide for yourself.

So, no real repair was in the works, but it is an interesting look back at an iconic piece of consumer tech. Tape recorders like this were an early form of social media. No kidding. If you’d rather not buy a tape recorder, you could roll your own.

When The UK’s Telephone Network Went Digital With System X

The switch from analog telephone exchanges to a purely digital network meant a revolution in just about any way imaginable. Gone were the bulky physical switches and associated system limitations. In the UK this change happened in the early 1980s, with what the Post Office Telecommunications (later British Telecom) and associated companies called System X. Along with the system’s rollout, promotional videos like this 1983 one were meant to educate the public and likely any investors on what a smashing idea the whole system was.

Although for the average person in the UK the introduction of the new digital telephone network probably didn’t mean a major change beyond a few new features like group calls, the same wasn’t true for the network operator whose exchanges and networks got much smaller and more efficient, as explained in the video. To this day System X remains the backbone of the telephone network in the UK.

To get an idea of the immense scale of the old analog system, this 1982 video (also embedded below) shows the system as it existed before System X began to replace it. The latter part of the video provides significant detail of System X and its implementation at the time, although when this video was produced much of the system was still being developed.

Thanks to [James Bowman] for the tip.

Comprehensive Test Set Released For The Intel 80286

Remember the 80286? It was the sequel to the 8086, the chip that started it all, and it powered a great number of machines in the early years of the personal computing revolution. It might not be as relevant today, but regardless, [Daniel Balsom] has now released a comprehensive test suite for the ancient chip. (via The Register)

The complete battery of tests is available on GitHub, and was produced using a Harris N80C286-12 from 1986. “The real mode test suite contains 326 instruction forms, containing nearly 1.5 million instruction executions with over 32 million cycle states captured,” Daniel explains. “This is fewer tests than the previous 8088 test suite, but test coverage is better overall due to improved instruction generation methods.” For now, the tests focus on the 286 running in real mode. There are no “unreal” or protected mode tests, but [Daniel] aims to deliver them in the future.

[Daniel] uses the tests with the ArduinoX86, a platform that uses the microcontroller to control and test old-school CPUs. The tests aid with development of emulators like [Daniel’s] own MartyPC, by verifying the CPU’s behavior in a cycle-accurate way.

We’ve explored some secrets of the 286 before, too. If you’ve been doing your own digging into Intel’s old processors, or anyone else’s for that matter, don’t hesitate to notify the tipsline.

[Thanks to Stephen Walters for the tip!]

Painting In Metal With Selective Electroplating

Most research on electroplating tries to find ways to make it plate parts more uniformly. [Ajc150] took the opposite direction, though, with his selective electroplating project, which uses an electrode mounted on a CNC motion system to electrochemically print images onto a metal sheet (GitHub repository).

Normally, selective electroplating would use a mask, but masks don’t allow gradients to be deposited. However, electroplating tends to occur most heavily at the point closest to the anode, and the effect gets stronger the closer the anode is. To take advantage of this effect, [ajc150] replaced the router of an inexpensive 3018 CNC machine with a nickel anode, mounted an electrolyte bath in the workspace, and laid a flat steel cathode in it. When the anode moves close to a certain point on the steel cathode, most of the plating takes place there.

To actually print an image with this setup, [ajc150] wrote a Python program to convert an image into a set of G-code instructions for the CNC. The darker a pixel of the image was, the longer the electrode would spend over the corresponding part of the metal sheet. Since darkness wasn’t linearly proportional to plating time, the program used a gamma correction function to adjust times, though this did require [ajc150] to recalibrate the setup after each change. The system works well enough to print recognizable images, but still has room for improvement. In particular, [ajc150] would like to extend this to a faster multi-nozzle system, and have the algorithm take into account spillover between the pixel being plated and its neighbors.

This general technique is reminiscent of a metal 3D printing method we’ve seen before. We more frequently see this process run in reverse to cut metal.