This Week In Security: F5 Twitter PoC, Certifried, And Cloudflare Pages Pwned

F5’s BIG-IP platform has a Remote Code Execution (RCE) vulnerability: CVE-2022-1388. This one is interesting, because a Proof of Concept (PoC) was quickly reverse engineered from the patch and released on Twitter, among other places.

HORIZON3.ai researcher [James Horseman] wrote an explainer that sums up the issue nicely. User authentication is handled by multiple layers: one is a Pluggable Authentication Modules (PAM) module, and the other lives inside a Java class. In practice this means that if the PAM module sees an X-F5-Auth-Token header, it passes the request on to the Java code, which then validates the token to confirm it is authentic. If a request arrives at the Java service without this header, and instead has the X-Forwarded-Host header set to localhost, the request is accepted without authentication. The F5 authentication scheme isn’t naive, though: a request without the X-F5-Auth-Token header gets checked by PAM, and is dropped if the authentication doesn’t check out.

So where is the wiggle room that allows for a bypass? Yet another HTTP header, the Connection header. Normally this one only comes in two varieties, Connection: close and Connection: keep-alive. Really, this header is a hint describing the connection between the client and the edge proxy, and its contents are the list of other headers that a proxy should remove before forwarding the request. It’s essentially the list of headers that only apply to the connection over the internet.
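How a proxy-side audit of that header pattern might look, as an added example in Python (not F5’s or HORIZON3’s code): it treats the Connection header as the list of hop-by-hop headers to strip, and flags a request that names an authentication header there or claims X-Forwarded-Host: localhost. The header sets, the loopback list and any sample requests are assumptions constructed for the example.

```python
# Added example (not F5's or HORIZON3's code): a proxy-side audit of the header
# pattern described above. The Connection header lists the hop-by-hop headers a
# proxy must strip (RFC 7230 section 6.1); naming an authentication header there,
# or claiming X-Forwarded-Host: localhost, is flagged. Header sets are assumptions.
from typing import Dict, List

# Tokens the Connection header may legitimately carry: the 'close' option plus
# the RFC 7230 hop-by-hop header names.
ALLOWED_CONNECTION_TOKENS = {"close", "keep-alive", "proxy-authenticate",
                             "proxy-authorization", "te", "trailer",
                             "transfer-encoding", "upgrade"}
# Headers carrying authentication state; a proxy must never drop these at the
# client's request. X-F5-Auth-Token is the header named in the article.
AUTH_HEADERS = {"x-f5-auth-token", "authorization"}
LOOPBACK_HOSTS = {"localhost", "127.0.0.1"}  # assumption: both treated alike


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse a raw HTTP/1.1 request into a lower-cased header dict; duplicate
    headers are joined with commas, as RFC 7230 permits for list headers."""
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:      # skip the request line
        if not line:                        # blank line ends the header block
            break
        name, _, value = line.partition(":")
        key, val = name.strip().lower(), value.strip()
        headers[key] = headers[key] + ", " + val if key in headers else val
    return headers


def connection_tokens(headers: Dict[str, str]) -> List[str]:
    """Header names the client asked the proxy to remove before forwarding."""
    raw = headers.get("connection", "")
    return [t.strip().lower() for t in raw.split(",") if t.strip()]


def audit_request(raw: str) -> List[str]:
    """Return findings for one request; an empty list means nothing suspicious."""
    headers = parse_headers(raw)
    findings: List[str] = []
    for name in connection_tokens(headers):
        if name in AUTH_HEADERS:
            findings.append(f"connection-strips-auth-header:{name}")
        elif name not in ALLOWED_CONNECTION_TOKENS:
            findings.append(f"connection-names-end-to-end-header:{name}")
    # Compare the host part only, so 'localhost:8443' is still caught.
    host = headers.get("x-forwarded-host", "").split(":")[0].lower()
    if host in LOOPBACK_HOSTS:
        findings.append("forwarded-host-claims-loopback")
    return findings
```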

Barely HDMI Display Gets A Steampunk-Inspired Enclosure

It’s an interesting question: What does one do for a follow-up to building the world’s worst HDMI display? Simple — stick it in a cool steampunk-inspired case and call it a day.

That seems to have been [mitxela]’s solution, and please don’t take our assessment as a knock on either the original build or this follow-up. [mitxela] himself expresses a bit of wonder at the attention garnered by his “rather stupid project,” which used the I2C lines carried by an HDMI connection to drive a tiny monochrome OLED screen. Low refresh rate, poor resolution — it has everything you don’t want in a display, but it was still a cool hack that deserved the attention it got.

The present work, which creates an enclosure for the dodgy display, is far heavier on metalworking than anything else, as the video below reveals. The display itself goes in a small box that’s machined from brass, while the HDMI plug gets a sturdy-looking brass housing that makes the more common molded plastic plug look unforgivably flimsy — hot glue notwithstanding. Connecting the two is a flexible stalk, allowing it to plug into a computer’s HDMI port and giving the user the flexibility to position the nearly useless display where it can be seen best.

But again, we may be too harsh in our judgment; while DOOM is basically unplayable on the tiny display, “Bad Apple!!” is quite watchable, especially when accompanied by [mitxela]’s servo-controlled MIDI music box. And since when has usability been a criterion for judging a hack’s coolness, anyway?


Tetris Clock Gets Talkative Upgrade

Tetris is arguably one of the most popular video games of all time, and its famous bricks have become cultural icons in themselves, as seen in this clock build from [The Electronic Engineer].

The web interface allows the various sound options to be easily configured.

The basic concept of the Tetris clock is that falling bricks stick together in the shape of numbers to display the time. In this case, the clock is based on the version created by [Brian Lough] which we featured previously. It relies on an RGB LED matrix as a display.

However, the build has had a few upgrades courtesy of [The Electronic Engineer]. With the help of an I2S audio breakout board, the clock can play sounds at various times of day. It’s currently set up with clips from various cartoons announcing lunch and coffee break times. There’s also a web interface added in for configuration purposes, and some text tickers too.

It’s fun to see a popular open project get some upgrades as others dive in to build their own version. We’ve seen some other fun Tetris clocks before, too.

Monochrome LCD Video Hacks Galore!

[Wenting Zhang] is clearly a fan of old school STN LCD displays, and was wondering how various older portable devices managed to drive monochrome LCD panels with multiple grey levels. If the display controller supports multiple bits per pixel, it can use various techniques, such as PWM, to produce a pseudo-grayscale image. But what if you have a monochrome-only display controller? With a sufficiently high pixel clock, can you use software on the application side of things to flip those pixels in such a manner as to give a reasonable-looking grayscale image?

Simple dithering – don’t look too close!
PDM greyscale approximation in a 1-bit display

[Wenting] goes through multiple techniques, showing the resulting image quality in a clear, systematic manner. The first idea is to use a traditional dithering technique. Each pixel is set to black if its grey value is below some threshold, and the resulting error value is then propagated to neighbouring pixels. This error diffusion process smears the error out over the whole display, so spatially speaking, on average the pixel values correspond roughly to the original gray values. But the pixels themselves are still either on or off. This isn’t quite enough. The next idea is to PWM the individual pixels over multiple frames to approximate different grey levels. But that gives a worst-case effective refresh rate of 8 Hz with a PWM period of 15 frames at 120 fps, and that flickers. Badly. One way to mitigate that is to switch to PDM (pulse density modulation), which selects different-length sequences to give the same duty cycle but at a higher frequency, at least for some grey values. Slightly better, but there’s more that can be done.
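The dithering and PWM/PDM steps above, worked in Python as an added example (not [Wenting Zhang]’s code): error diffusion of a greyscale image to a 1-bit frame, then PWM and PDM frame sequences for one grey level over the article’s 15-frame period, with the longest run of identical frames as the flicker measure. The Floyd-Steinberg weights are this example’s choice and the test image is constructed.

```python
# Added example (not [Wenting Zhang]'s code): error-diffusion dithering of a
# greyscale image to a 1-bit frame, then PWM versus PDM frame sequences for a
# single pixel's grey level. Floyd-Steinberg weights are this example's choice;
# the 15-frame period and 120 fps are the article's figures.
from typing import List

FRAMES = 15  # PWM/PDM period in frames; at 120 fps the PWM fundamental is 8 Hz


def dither(image: List[List[int]]) -> List[List[int]]:
    """Threshold each 0..255 pixel at 128 and diffuse the error to the right
    (7/16) and to the next row (3/16, 5/16, 1/16). 1 marks a pixel above threshold."""
    h, w = len(image), len(image[0])
    work = [[float(v) for v in row] for row in image]
    out = [[0] * w for _ in range(h)]
    for y in range(h):
        for x in range(w):
            new = 255 if work[y][x] >= 128 else 0
            out[y][x] = 1 if new else 0
            err = work[y][x] - new
            for dx, dy, k in ((1, 0, 7), (-1, 1, 3), (0, 1, 5), (1, 1, 1)):
                if 0 <= x + dx < w and y + dy < h:
                    work[y + dy][x + dx] += err * k / 16
    return out


def pwm_sequence(level: int) -> List[int]:
    """level in 0..FRAMES: 'on' frames bunched together, one toggle per period."""
    return [1] * level + [0] * (FRAMES - level)


def pdm_sequence(level: int) -> List[int]:
    """Same duty cycle as pwm_sequence, but a first-order sigma-delta
    accumulator spreads the 'on' frames evenly across the period."""
    acc, seq = 0, []
    for _ in range(FRAMES):
        acc += level
        seq.append(1 if acc >= FRAMES else 0)
        acc -= FRAMES if acc >= FRAMES else 0
    return seq


def longest_run(seq: List[int]) -> int:
    """Longest run of identical frames: the flicker measure PDM shortens."""
    best = run = 1
    for a, b in zip(seq, seq[1:]):
        run = run + 1 if a == b else 1
        best = max(best, run)
    return best
```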

Why Get Dressed When There Are Software Pants?

With so many of us working from home over the last two years, it’s really become apparent that people generally dislike sitting all day with pants on. Until such a utopian time when all clothing is considered unisex, and just as many men as women are kicking it in loose, flowing skirts and dresses, you may want to remember to actually wear something on your lower half, uncomfortable though pants may be. But there is another way — you could build [Everything Is Hacked]’s pants filter and continue to be a chaos agent. Check out the video after the break.

These pants go as wide as you please.

That’s right, whether you forego or just forget to dress yourself below the equator, the pants filter has you covered. It works like you might expect — machine learning tracks body landmarks and posture to figure out where your NSFW region is and keep it under wraps.

By default, it blurs everything below the belt, or you can draw on pants if you’re inclined to be in revealing tighty-whities and prefer more coverage. You can adjust the width of the pants to cover the covid-19 you may have put on since 2020, and even change the pants to match your shirt.

We love that [Everything Is Hacked] had the, um, gumption to test the pants filter in public at what appears to be a local taco joint. After the first few rounds of weird looks, he switched to a pants moustache to save face.

Want to add even more fun to those boring video calls? Try connecting up some vintage hardware, or install a pull chain to end those sessions with a gesture that won’t get you fired.


’90s Ford Gets Shift Paddles And A Digital Dash Upgrade

The EA Falcon took Ford’s popular Australian sedan line into the 1990s, even if it gave way to the EB Falcon by the end of 1991. Few would call it high tech, but it introduced several innovations to the platform that were very of its time. One hacker, however, has taken a humble EA Falcon and given it a set of homebrewed modern upgrades.

The maroon EA Falcon has scored a Barra heart transplant as well as some nifty digital upgrades.

The example in question is an EA Fairmont Ghia, which featured a handful of high-tech displays in the dash cluster, something that was very on trend in the late 80s and early 90s. This dash has seen much revision, however, and now features a large TFT display and a smaller OLED unit, both of which show various vital statistics for the car. The screens have been neatly hacked in, one as part of the tachometer, the other replacing the original fuel and temperature gauges. With the data displayed on the screen instead, there’s no need for the original dials.

MakerBot And Ultimaker To Merge, Focus On Industry

Nine years ago, MakerBot was acquired by Stratasys in a deal worth slightly north of $600 million. At the time it was assumed that MakerBot’s line of relatively affordable desktop 3D printers would help Stratasys expand its reach into the hobbyist market, but in the end, the company all but disappeared from the hacker and maker scene. Not that many around these parts were sad to see them go — by abandoning the open source principles the company had been built on, MakerBot had already fallen out of the community’s favor by the time the buyout went through.

So today’s announcement that MakerBot and Ultimaker have agreed to merge into a new 3D printing company is a bit surprising, if for nothing else because it seemed MakerBot had transitioned into a so-called “zombie brand” some time ago. In a press conference this afternoon it was explained that the new company would actually be spun out of Stratasys, and though the American-Israeli manufacturer would still own a sizable chunk of the as-yet-unnamed company, it would operate as its own independent entity.

MakerBot has been courting pro users for years.

In the press conference, MakerBot CEO Nadav Goshen and Ultimaker CEO Jürgen von Hollen explained that the plan was to maintain the companies’ respective product lines, but at the same time expand into what they referred to as an untapped “light industrial” market. By combining the technology and experience of their two companies, the merged entity would be uniquely positioned to deliver the high level of reliability and performance that customers would demand at what they estimated to be a $10,000 to $20,000 USD price point.

When MakerBot announced their new Method 3D printer would cost $6,500 back in 2018, it seemed clear they had their eyes on a different class of clientele. But now that the merged company is going to put their development efforts into machines with five-figure price tags, there’s no denying that the home-gamer market is officially in their rear-view mirror. That said, absolutely zero information was provided about the technology that would actually go into said printers, although given their combined commercial experience, it seems all but a given that these future machines will use some form of fused deposition modeling (FDM).

Now we’d hate to paint with too broad a brush, but we’re going to assume that the average Hackaday reader isn’t in the market for a 3D printer that costs as much as a decent used car. But there’s an excellent chance you’re interested in at least two properties that will fall under the umbrella of this new printing conglomerate: MakerBot’s Thingiverse, and Ultimaker’s Cura slicer. In the press conference it was made clear that everyone involved recognized both projects as vital outreach tools, and that part of the $62.4 million cash investment the new company is set to receive has been set aside specifically for their continued development and improvement.

We won’t beat around the bush — Thingiverse has been an embarrassment for years, even before they leaked the account information of a quarter million users because of their antiquated back-end. A modern 3D model repository run by a company the community doesn’t openly dislike has been on many a hacker’s wish list for some time now, but we’re not against seeing the service get turned around by a sudden influx of cash, either. We’d also be happy to see more funding go Cura’s way as well, so long as it’s not saddled with the kind of aggressive management that’s been giving Audacity users a headache. Here’s hoping the new company, whatever it ends up being called, doesn’t forget about the promises they’re making to the community — because we certainly won’t.