This Week In Security: Cacti RCE, VMs In The Browser, And SugarCRM

This week we start with a Remote Code Execution (RCE) vulnerability that has potential to be a real pain for sysadmins. Cacti, the system monitoring and graphing solution, has a pair of bugs that chain together to allow an attacker with unauthenticated access to the HTTP/S port to trivially execute bash commands. The first half of this attack is an authentication bypass, and it’s embarrassingly trivial. The Cacti authentication code trusts the Forwarded-For: header in the request. Set it to the server’s IP, and the authentication code treats it like a localhost request, bypassing any real authentication process.

The second half is found in the remote_agent.php endpoint, where the poller_id is set by the user and treated as a string. Then, if the right host_id and local_data_id item is triggered, that string is concatenated into a proc_open() function call. The string isn’t sanitized, so it’s trivial enough to include a second command to run, dropping a webshell, for instance.

Version 1.2.23 of Cacti, released on the 2nd, contains the fix. This one is likely to be exploited, and if automated exploitation hasn’t started already, it likely will soon. So if you have a Cacti install, go double-check that the interface isn’t exposed to the world.
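As an added example that is not Cacti’s own code or part of the original article, here is a small log-scanning check for the two conditions described above: a request to remote_agent.php whose forwarded-for value claims to come from the server itself. The log line format, the server addresses and the sample lines are all constructed for the example; adapt the parser to your own LogFormat.

```javascript
// Addresses the Cacti host would treat as "itself" (assumed values for the example).
const SERVER_ADDRS = new Set(['203.0.113.10', '127.0.0.1', '::1']);

// Constructed sample lines in an assumed format:
//   <client-ip> xff=<X-Forwarded-For or "-"> "<method> <path> <proto>" <status>
const SAMPLE_LOG = [
  '198.51.100.7 xff=- "GET /cacti/graph_view.php HTTP/1.1" 200',
  '198.51.100.7 xff=203.0.113.10 "GET /cacti/remote_agent.php HTTP/1.1" 200',
  '198.51.100.9 xff=127.0.0.1 "GET /cacti/remote_agent.php HTTP/1.1" 200',
  '192.0.2.4 xff=- "GET /cacti/remote_agent.php HTTP/1.1" 403',
];

const LINE_RE = /^(\S+) xff=(\S+) "(\S+) (\S+) [^"]*" (\d{3})$/;

// Parse one line into its fields; returns null for lines that do not match.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { client: m[1], xff: m[2], method: m[3], path: m[4], status: Number(m[5]) };
}

// True when the request hits the remote agent endpoint AND any hop in the
// forwarded-for chain names one of the server's own addresses. A forwarded-for
// value equal to the server itself is not something a legitimate proxy produces.
function isSuspicious(rec) {
  if (!rec) return false;
  const hitsRemoteAgent = rec.path.split('?')[0].endsWith('/remote_agent.php');
  const claimsToBeServer = rec.xff !== '-' &&
    rec.xff.split(',').map((s) => s.trim()).some((ip) => SERVER_ADDRS.has(ip));
  return hitsRemoteAgent && claimsToBeServer;
}

// Return the real client addresses behind every suspicious request.
function findSuspicious(lines) {
  return lines.map(parseLine).filter(isSuspicious).map((r) => r.client);
}

console.log('suspicious clients:', findSuspicious(SAMPLE_LOG));
```

A hit here only tells you someone tried the bypass; whether remote_agent.php then ran anything is a question for the host’s process accounting, not the access log.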

JSON Web Token

Researchers at Unit 42 found an exploit that can be used to achieve an RCE in the JsonWebToken project. The issue is this library’s verify() function, which takes arguments of the token to check, the key to use, and options. If there aren’t any algorithms specified in the options object, then the key is processed as a PEM string. The toString() method of that key is called during the actual check, and the assumption is that it’s either a string or buffer. But what if the key passed in to the verify() function was actually a complex object, bringing its own toString() method along to play? At that point, we have arbitrary code execution. And if this code is running on the server-side under node.js, that means a popped server.

But wait, it’s not that simple, right? It’s not like a valid JWT can contain an arbitrary object — that would be a problem all on its own. So CVE-2022-23529 is a stepping-stone. It’s insecure code, but the rest of the application has to have another vulnerability for this one to be reachable. Continue reading “This Week In Security: Cacti RCE, VMs In The Browser, And SugarCRM”
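To make the key-handling step concrete, here is an added example (not code from the jsonwebtoken project) that models the unsafe pattern beside a hardened version: the hardened one only accepts the types a PEM key can legitimately arrive in, so a foreign object never gets its toString() invoked. The function names and the tracing object are constructed for this illustration.

```javascript
// Unsafe pattern: whatever arrived as "key" is trusted and its toString() is called.
function normalizeKeyUnsafe(key) {
  return key.toString();
}

// Hardened pattern: refuse anything that is not a string or a Buffer before
// any method on the value is touched.
function normalizeKeySafe(key) {
  if (typeof key === 'string') return key;
  if (Buffer.isBuffer(key)) return key.toString('utf8');
  throw new TypeError('key must be a string or Buffer');
}

// Constructed stand-in for an attacker-controlled object that carries its own
// toString(). Here it does nothing but record that it was invoked.
function makeTracingKey() {
  const calls = { invoked: false };
  const key = {
    toString() {
      calls.invoked = true;
      return '-----BEGIN PUBLIC KEY-----';
    },
  };
  return { key, calls };
}

// Run both variants against the tracing object and report what happened.
function demo() {
  const unsafe = makeTracingKey();
  normalizeKeyUnsafe(unsafe.key); // the foreign toString() runs here

  const safe = makeTracingKey();
  let rejected = false;
  try {
    normalizeKeySafe(safe.key);
  } catch (e) {
    rejected = e instanceof TypeError;
  }
  return { unsafeInvoked: unsafe.calls.invoked, rejected, safeInvoked: safe.calls.invoked };
}

console.log(demo());
```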

2022: As The Hardware World Turns

Well folks, we made it through another one. While it would be a stretch to call 2022 a good year for those of us in the hacking and making community, the light at the end of the tunnel does seem decidedly brighter now than it did this time 365 days ago. It might even be safe to show some legitimate optimism for the year ahead, but then again I was counting on my Tesla stocks to be a long-term investment, so what the hell do I know about predicting the future.

Eh, my kids probably weren’t going to college anyway.

Thankfully hindsight always affords us a bit of wisdom, deservedly or otherwise. Now that 2022 is officially in the rearview mirror, it’s a good time to look back on the highs (and lows) of the last twelve months. Good or bad, these are the stories that will stick out in our collective minds when we think back on this period of our lives.

Oh sure, some might wish they could take the Men in Black route and forget these last few years ever happened, but it doesn’t work that way. In fact, given the tumultuous times we’re currently living in, it seems more likely than not that at some point we’ll find ourselves having to explain the whole thing to some future generation as they stare up at us wide-eyed around a roaring fire. Though with the way this timeline is going, the source of said fire might be the smoldering remains of an overturned urban assault robot that you just destroyed.

So while it’s still fresh in our minds, and before 2023 has a chance to impose any new disasters on us, let’s take a trip back through some of the biggest stories and themes of the last year.

Continue reading “2022: As The Hardware World Turns”

Hackaday Podcast 199: Ferrofluid Follies, Decentralized Chaos, And NTSC For You And Me

This week, Editor-in-Chief Elliot Williams and Assignments Editor Kristina Panos decided against using one of Kristina’s tin can microphones to record the podcast, though that might be a cool optional thing to do once (and then probably never again).

After a brief foray into the news that the Chaos Communications Congress will be decentralized once again this year, as COVID restrictions make planning this huge event a complete headache (among other notable symptoms), we discuss the news that the EU is demanding replaceable batteries in phones going forward.

After that, it’s time for another What’s That Sound results show, and despite repeated listens, Kristina fails to guess the thing. Even if she’d had an inkling as to what it was, she probably would have said ‘split-flap display’ instead of the proper answer, which is ‘flip-dot display’, as a few people responded. Finally, it’s on to the hacks, where we talk about uses for ferrofluid and decide that it’s one of those things that’s just for fun and should not be applied to the world as some sort of all-purpose whacking device.

Check out the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!

And/or download it and listen offline.

Continue reading “Hackaday Podcast 199: Ferrofluid Follies, Decentralized Chaos, And NTSC For You And Me”

A Modern Tribute To The Classic HP-16C Calculator

The HP-16C Computer Scientist is much beloved as the only dedicated programmer’s calculator that Hewlett-Packard ever made. Most surviving examples in the world are well-used, and you haven’t been able to order one from HP since 1989. Thus, [K Johansen] set about building a tribute to the HP-16C using modern hardware.

The build relies on a Raspberry Pi Pico as the brains of the operation. As with so many classic HP calculators, it operates in Reverse Polish Notation, and includes the customary stack operations. To serve a programmer well, it’s set up to accept entry in hexadecimal, octal, decimal, and binary formats, and can readily convert between them. Beyond that, it’s equipped with the usual arithmetic operators, as well as bitwise operations like NOT, AND, and so on.

Perhaps what we love most, though, is the keypad. It was all put together with a combination of cheap AliExpress keypads, a label maker, and a laser printer. It’s a wholly DIY job, and a little rough around the edges, but it makes the calculator far easier to use.

It’s not an exact replica of the HP-16C, but the differences in operation are minor. Those wishing to build their own can grab the required files from the project’s Github page. We’ve seen replicas of other classic HP calculators before, too. If you’ve got your own mathematical projects brewing up in the lab, don’t hesitate to send them in to the tipsline!

 

The Story Behind The TVGuardian Curse Catcher

The recent flurry of videos and posts about the TVGuardian foul language filter brought back some fond memories. I was the chief engineer on this project for most of its lifespan. You’ve watched the teardowns, you’ve seen the reverse engineering, now here’s the inside scoop.

Gumby is Born

TVG Model 101 Gumby (Technology Connections)

Back in 1999, my company took on a redesign project for the TVG product, a box that replaced curse words in closed-captioning with sanitized equivalents. Our first task was to take an existing design that had been produced in limited volumes and improve it to be more easily manufactured.

The original PCB used all thru-hole components and didn’t scale well to large quantity production. Replacing the parts with their surface mount equivalents resulted in Model 101, internally named Gumby for reasons long lost. If you have a sharp eye, you will have noticed something odd about two parts on the board as shown in [Ben Eater]’s video. The Microchip PIC and the Zilog OSD chip had two overlapping footprints, one for thru-hole and one for SMD. Even though we preferred SMD parts, sometimes there were supply issues. This was a technique we used on several designs in our company to hedge our bets. It also allowed us to use socketed ICs for testing and development. Continue reading “The Story Behind The TVGuardian Curse Catcher”

CGA Competitors From The 1980s

[David Murray], aka The 8-Bit Guy, did an interesting video (embedded below the break) on the timeline of PC graphics cards from CGA through to EGA. Not only does he explain the different offerings of the day, but he also proceeds to demonstrate most of them.

It’s interesting to learn about some of the video modes that went basically unused in these cards. Even if board designers include high-resolution modes and better color palettes, if software programmers don’t use them, they are forgotten.

We were particularly impressed by a couple of examples he had that were full-sized, double-stacked ISA cards — those were beasts. Both CGA and EGA sort of withered when the 1990s arrived.

According to [David]’s research, CGA monitors continued to be used for some time even after EGA was introduced — primarily because of cost. It might cost you $400 to get an ATI EGA Wonder card, and that or more for an EGA monitor. Many folks just upgraded the card first, and took advantage of the fact that the EGA Wonder could drive CGA monitors.

If you are interested in the history and technology of these old cards, check out our coverage from 2016 where [David] does a deep dive into CGA cards and discusses, among other things, the CGA composite video mode.

Continue reading “CGA Competitors From The 1980s”


Laser Projector Needs Hardware Hack After Software Mod

You probably recognize that dreadful feeling when you reboot a gadget after updating its firmware, only to be greeted by a blank screen and an unresponsive device. This apparently happened to the previous owner of a bricked RGB laser projector that [Buy It Fix It] got his hands on: it briefly flashed its laser on power-up but otherwise remained completely dead.

A thorough inspection of the major components didn’t reveal any physical damage, so the issue had to be in software. [Buy It Fix It] managed to connect his Segger J-link programmer to the STM32 main processor and downloaded the contents of its firmware, only to find the remains of a PDF file which seemed to have been accidentally flashed into the chip’s program space. Fixing the device should then just be a matter of restoring the proper firmware, but [Buy It Fix It] wasn’t able to find a copy of it anywhere.

What he did find was Maximus64’s GitHub repository that contained a software mod for a different projector model, as well as its original firmware. Flashing that version didn’t fix [Buy It Fix It]’s projector either, although it did now start to actuate its galvos.

A bit of reverse engineering revealed that the two projectors were very similar from a hardware point of view, but had their laser drivers hooked up to different I/O pins: simply cutting the board traces and soldering some wires to re-route the signals was enough to bring the projector back into a working state.

Having to modify hardware in order to make it fit a piece of software is unfortunate, but sometimes you just have to make do with what you’ve got. If you’ve got no firmware to begin with, then you might even have to write your own from scratch.

Continue reading “Laser Projector Needs Hardware Hack After Software Mod”