This Week In Security: Unicode Strikes Again, Trust No One (Redditor), And More

There’s a popular sysadmin meme that system problems are “always DNS”. In the realm of security, it seems like “it’s always Unicode”. And it’s not hard to see why. Unicode is the attempt to represent all of Earth’s languages with a single character set, and that means there are a lot of very similar characters. The two broad issues are that human users can’t always see the difference between similar characters, and that libraries and applications sometimes silently convert exotic Unicode characters into more familiar ASCII text.

This week we see the resurrection of an ancient vulnerability in PHP-CGI that allows injecting command line switches when a web server launches an instance of PHP-CGI. The original fix was to block certain characters in specific places in query strings, such as a query string that starts with a dash.

The bypass is due to a Windows feature, “Best-Fit”, which automatically down-converts certain Unicode characters to the closest look-alike when a string is narrowed to a code page that can’t represent them. This mapping is applied per locale, which means that not every system language behaves the same. The exact bypass that has been found is the conversion of a soft hyphen (U+00AD), which PHP’s filter doesn’t block, into a regular hyphen-minus (U+002D), which does trigger the switch injection: the filter inspects the soft hyphen and lets it through, and by the time the character reaches the command line Windows has turned it into the dash the filter was meant to stop. This quirk only happens when the Windows locale is set to Chinese or Japanese. Combined with the relative rarity of running PHP-CGI, and of running PHP on Windows at all, this is a pretty narrow problem. The XAMPP install does use this arrangement, so those installs are vulnerable, again only if the locale is set to one of these specific languages. The other thing to keep in mind is that the Unicode character set is huge, and it’s very likely that other special characters in other locales behave similarly.
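To make the mechanism concrete, here is an added Python illustration written for this page; it is not PHP’s code, nor Windows’, and it isn’t taken from the original article. It models a filter that rejects a leading dash, a stand-in for the Best-Fit narrowing step with a one-entry table assumed for the example (the real per-locale table is far larger), and the same check redone on the post-conversion form. The CGI rule that a query string with no unencoded `=` is split on `+` and passed as command-line arguments is real; percent-decoding is left out so the inputs can carry the soft hyphen literally, and the sample queries are constructed.

```python
"""Validate-then-convert: how a soft hyphen smuggles a leading dash.

Added illustration, not PHP's or Windows' code. Assumptions: BEST_FIT_SUBSET
is a hand-picked subset of the per-locale Best-Fit table, and percent-decoding
of the query string is omitted so the inputs can carry U+00AD literally.
"""

# Assumed subset of a Best-Fit mapping: U+00AD SOFT HYPHEN -> U+002D '-'.
BEST_FIT_SUBSET = {"\u00ad": "-"}


def best_fit_narrow(s: str) -> str:
    """Simulate narrowing a wide string to a code page that lacks some of its
    characters: ASCII passes through, known look-alikes are substituted,
    anything else degrades to '?'. Lossy, and silent about it."""
    return "".join(ch if ord(ch) < 0x80 else BEST_FIT_SUBSET.get(ch, "?")
                   for ch in s)


def query_to_argv(query: str) -> list:
    """CGI/1.1 rule: a query string with no unencoded '=' is split on '+'
    and handed to the script as command-line words."""
    if "=" in query:
        return []
    return [w for w in query.split("+") if w]


def naive_gate(query: str) -> bool:
    """Filter in the spirit of 'reject a query that starts with a dash',
    applied to the words as received. Returns True if the query is allowed."""
    return not any(w.startswith("-") for w in query_to_argv(query))


def spawned_argv(query: str) -> list:
    """What the child process actually receives once the OS has narrowed
    each word: the soft hyphen has become a real switch prefix."""
    return [best_fit_narrow(w) for w in query_to_argv(query)]


def hardened_gate(query: str) -> bool:
    """Check the post-conversion form, and refuse non-ASCII in argv-bound
    words outright, since any locale table may hide another look-alike."""
    words = query_to_argv(query)
    if any(ord(c) >= 0x80 for w in words for c in w):
        return False
    return not any(w.startswith("-") for w in spawned_argv(query))


# Constructed sample queries. The '=' inside the switch value is
# percent-encoded, as an attacker would do, so the CGI rule still treats
# the whole string as argv.
PLAIN_SWITCH = "-d+allow_url_include%3D1"
SOFT_HYPHEN_SWITCH = "\u00add+allow_url_include%3D1"
ORDINARY = "page=2&sort=asc"


if __name__ == "__main__":
    for q in (PLAIN_SWITCH, SOFT_HYPHEN_SWITCH, ORDINARY):
        print(repr(q), "naive:", naive_gate(q), "hardened:", hardened_gate(q),
              "argv:", spawned_argv(q))
```

The naive gate blocks the plain `-d` but waves the soft-hyphen version through, and the spawned argv for that query begins with a genuine `-d`. The general lesson is wider than PHP: a filter that runs before a lossy character-set conversion is checking a different string than the one the consumer gets. Either check the form the consumer will actually see, or refuse the characters that make the two forms differ.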

Downloader Beware

The ComfyUI project is a node-based, flowchart-style interface for building AI image generation workflows. It’s an easy way to assemble complicated generation pipelines, and the community has stepped up to build custom plugins and nodes for generation. The thing is, it’s not always the best idea to download and run code from strangers on the Internet, as a group of ComfyUI users found out the hard way this week. The ComfyUI_LLMVISION node from u/AppleBotzz was malicious.

The node pulls in a malicious Python package that grabs browser data and sends it all to Discord or Pastebin. It appears that some additional malware gets installed as well, to keep access to infected systems. It’s a rough way to learn.

This Week In Security: Recall, Modem Mysteries, And Flipping Pages

Microsoft is racing to get into the AI game as part of Windows 11 on ARM, calling the result Copilot+. It’s an odd decision, but clearly aimed at competing with the Apple M-series MacBooks. Our focus of interest today is Recall, a Copilot+ feature that not only has some security problems, but also triggers a sort of visceral response from regular people: My computer is spying on me? Eww.

Yes, it really sort of is. Recall is a scheme to take screenshots of the computer display every few seconds, run them through character recognition, and store the screenshots and results in a database on the local machine’s hard drive. There are ways this could be useful. Can’t remember what website had that recipe you saw? Want to revisit a now-deleted tweet? Is your Google-fu failing you to find a news story you read last week? Recall saw it, and Recall remembers. But what else did Recall see? Every video you watched, every website you visited, and probably some passwords and usernames you typed in.


Displays We Like Hacking: HDMI

I don’t like HDMI. Despite it being a pretty popular interface, I find crucial parts of it to be alien to what hackers stand for. The way I see it, it manages to be proprietary while bringing a lot of the old cruft in. It doesn’t have a native alternative like DisplayPort, so portable implementations tend to suffer power-wise; the connector situation is interesting, and the HDMI Foundation has been doing some weird stuff; in particular, they are pretty hostile to open-source technology.

This article is not the place for such feelings, however, especially since I’ve expressed them enough in the DisplayPort article. We the hackers deserve to be able to handle the interfaces we stumble upon, and I firmly believe in that way more than in my right to animosity towards HDMI.

The HDMI interface is seriously prominent wherever you look, in part because it’s the interface created by the multimedia-involved companies for the multimedia-involved companies. Over the years we’ve had it, it’s been more than sufficient for basically everything we do video-wise, save for the highest resolutions.

It’s also reasonably simple to wire up, hack on, and even bitbang. Let’s go through what makes it tick.

The Core

HDMI is, at its core, three differential pairs for data, plus one pair to clock them and in the darkness bind them. It’s a digital interface, though it is a fun one. This makes it far better suited to longer-distance video transmission than interfaces like VGA, and as long as you stick to relatively low resolutions, HDMI won’t have as many asks in terms of PCB layout as DisplayPort might, because HDMI link speed scales in proportion to the display resolution.


Mining And Refining: Fracking

Normally on “Mining and Refining,” we concentrate on the actual material that’s mined and refined. We’ve covered everything from copper to tungsten, with side trips to more unusual materials like sulfur and helium. The idea is to shine a spotlight on the geology and chemistry of the material while concentrating on the different technologies needed to exploit often very rare or low-concentration deposits and bring them to market.

This time, though, we’re going to take a look at not a specific resource, but a technique: fracking. Hydraulic fracturing is very much in the news lately for its potential environmental impact, both in terms of its immediate effects on groundwater quality and for its perpetuation of our dependence on fossil fuels. Understanding what fracking is and how it works is key to being able to assess the risks and benefits of its use. There’s also the fact that like many engineering processes carried out on a massive scale, there are a lot of interesting things going on with fracking that are worth exploring in their own right.


Hackaday Links: June 2, 2024

So you say you missed the Great Solar Storm of 2024 along with its attendant aurora? We feel you on that; the light pollution here was too much for decent viewing, and it had been too long a day to make a drive into the deep dark of the countryside survivable. But fear not — the sunspot that raised all the ruckus back at the beginning of May has survived the trip across the far side of the sun and will reappear in early June, mostly intact and ready for business. At least sunspot AR3664 seems like it’s still a force to be reckoned with, having cooked off an X-class flare last Tuesday just as it was coming around from the other side of the Sun. Whether 3664 will be able to stir up another G5 geomagnetic storm remains to be seen, but since it fired off an X-12 flare while it was around the backside, you never know. Your best bet to stay informed in these trying times is the indispensable Dr. Tamitha Skov.


An amber on black interface on a green reproduction Game Boy screen. It has the FM station 88.9 in large letters in the middle of the display and "Ice Cream (Pay Phone) by Black Pumas" displayed in a box below. A volume indicator is on the left side of the tuner numbers and various status icons are along the top of the screen. A paper cutout of an orange is next to the Game Boy on a piece of paper with the words "Orange FM Prototype" written underneath.

Orange FM Brings Radio To The GameBoy

We’ve all been there. You left your Walkman at home and only have your trusty Game Boy. You want to take a break and just listen to some tunes. What to do? [orangeglo] has the answer now with the Orange FM cartridge.

This prototype cart features an onboard antenna, or it can use the 3.5 mm headphone/antenna port on the cartridge to boost reception with either a dedicated antenna or a set of headphones. Frequencies supported are 64 to 108 MHz, and channel spacing can be set to 100 or 200 kHz to accommodate most FM broadcast setups around the world.

Older Game Boys can play the audio through the device itself, but Game Boy Advances will need to use the audio port on the cartridge. The Super Game Boy can pipe the audio to your TV, though, which seems like a delightfully Rube Goldberg-ian way to listen to the radio. Did we mention it also supports RDS, so you’ll know what that catchy tune is? Try that with your FM Walkman!

Can’t decide between this and your other carts? Try this revolving multi-cart solution. Have a Game Boy that needs some restoration? If it’s due to electrolyte damage, maybe start here?


Hackaday Podcast Episode 271: Audio Delay In A Hose, Ribbon Cable Repair, And DIY Hacker Metrology

What did Hackaday Editors Elliot Williams and Al Williams find interesting on Hackaday this week? Well, honestly, all the posts, but they had to pick some to share with you in the podcast below. There’s news about SuperCon 2024, and failing insulin pumps. After a mystery sound, the guys jump into reverbing garden hoses, Z80s, and even ribbon cable repair.

Adaptive tech was big this week, with a braille reader for smartphones and an assistive knife handle. The quick hacks ranged from a typewriter that writes on toast to a professional-looking but homemade ham radio transceiver.

Check out the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!

Download a file chock full of podcast here.
