This Week In Security: XCode Infections, Freepik, And Crypto Fails

August 28, 2020 by 8 Comments

There is a scenario that keep security gurus up at night: Malware that can detect software compilation and insert itself into the resulting binary. A new Mac malware, XCSSET (PDF), does just that, running whenever Xcode is used to build an application. Not only is there the danger of compiled apps being malicious, the malware also collects data from the developer’s machine. It seems that the malware spreads through infected Xcode projects.

WordPress Plugins

WordPress has a complicated security track record. The core project has had very few serious vulnerabilities over the years. On the other hand, WordPress sites are routinely compromised. How? Generally through vulnerable plugins. Case in point? Advanced Access Manager. It’s a third party WordPress plugin with an estimate 100,000 installations. The problem is that this plugin requires user levels, a deprecated and removed WordPress feature. The missing feature had some unexpected results, like allowing any user to request administrator privileges.

The issue has been fixed in 6.6.2 of the plugin, so if you happen to run the Advanced Access Manager plugin, make sure to get it updated. Beyond that, maybe it’s time to do an audit on your WordPress site. Uninstall unused plugins, and make sure the rest are up to date, along with the WordPress installation itself. Continue reading “This Week In Security: XCode Infections, Freepik, And Crypto Fails”

Linux-Fu: Your Own Dynamic DNS

August 25, 2020 by 14 Comments

It is a problem as old as the Internet. You want to access your computer remotely, but it is behind a router that randomly gets different IP addresses. Or maybe it is your laptop and it winds up in different locations with, again, different IP addresses. There are many ways to solve this problem and some of them are better than others.

A lot of routers can report their IP address to a dynamic DNS server. That used to be great, but now it seems like many of them hound you to upgrade or constantly renew so you can see their ads. Some of them disappear, too. If your router vendor supplies one, that might be a good choice, until you change routers, of course. OpenWRT supports many such services and there are many lists of common services.

However, if you have a single public accessible computer, for example a Web server or even a cloud instance, and you are running your own DNS server, you really don’t need one of those services. I’m going to show you how I do it with an accessible Linux server running Bind. This is a common setup, but if you have a different system you might have to adapt a bit.

There are many ways to set up dynamic DNS if you are willing to have a great deal of structure on both sides. Most of these depend on setting up a secret key to allow for DNS updates and some sort of script that calls nsupdate or having the DHCP server do it. The problem is, I have a lot of client computers and many are set up differently. I wanted a system where the only thing needed on the client side was ssh. All the infrastructure remains on the DNS server.

Continue reading “Linux-Fu: Your Own Dynamic DNS”

This Week In Security: Bluetooth Hacking, NEC Phones, And Malicious Tor Nodes

August 21, 2020 by 4 Comments

One of the fun things about vulnerability research is that there are so many places for bugs to hide. Modern devices have multiple processors, bits of radio hardware, and millions of lines of code. When [Veronica Kovah] of Dark Mentor LLC decided to start vulnerability research on the Bluetooth Low Energy protocol, she opted to target the link layer itself, rather than the code stack running as part of the main OS. What’s interesting is that the link layer has to process data before any authentication is performed, so if a vulnerability is found here, it’s guaranteed to be pre-authentication. Also of interest, many different devices are likely to share the same BLE chipset, meaning these vulnerabilities will show up on many different devices. [Veronica] shares some great info on how to get started, as well as the details on the vulnerabilities she found, in the PDF whitepaper. (Just a quick note, this link isn’t to the raw PDF, but pulls up a GitHub PDF viewer.) There is also a video presentation of the findings, if that’s more your speed.

The first vuln we’ll look at is CVE-2019-15948, which affects a handful of Texas Instruments BT/BLE chips. The problem is in how BLE advertisement packets are handled. An advertisement packet should always contain a data length of at least six bytes, which is reserved for the sending device address. Part of the packet parsing process is to subtract six from the packet length and do a memcpy using that value as the length. A malicious packet can have a length of less than six, and the result is that the copy length integer underflows, becoming a large value, and overwriting the current stack. To actually turn this into an exploit, a pair of data packets are sent repeatedly, to put malicious code in the place where program execution will jump to.

The second vulnerability of note, CVE-2020-15531 targets a Silicon Labs BLE chip, and uses malformed extended advertisement packets to trigger a buffer overflow. Specifically, the sent message is longer than the specification says it should be. Rather than drop this malformed message, the chip’s firmware processes it, which triggers a buffer overflow. Going a step further, this chip has non-volatile firmware, and it’s possible to modify that firmware permanently. [Veronica] points out that even embedded chips like these should have some sort of secure boot implementation, to prevent these sort of persistent attacks.
Continue reading “This Week In Security: Bluetooth Hacking, NEC Phones, And Malicious Tor Nodes”

Linux Fu: Remote Execution Made Easy

August 11, 2020 by 20 Comments

If you have SSH and a few other tools set up, it is pretty easy to log into another machine and run a few programs. This could be handy when you are using a machine that might not have a lot of memory or processing power and you have access to a bigger machine somewhere on the network. For example, suppose you want to reencode some video on a box you use as a media server but it would go much faster on your giant server with a dozen cores and 32 GB of RAM.

Remote Execution

However, there are a few problems with that scenario. First, you might not have the software on the remote machine. Even if you do, it might not be the version you expect or have all the same configuration as your local copy. Then there’s the file problem. the input file should come from your local file system and you’d like the output to wind up there, too. These aren’t insurmountable, of course. You could install the program on the remote box and copy your files back and forth manually. Or you can use Outrun.

There are a few limitations, though. You do need Outrun on both machines and both machines have to have the same CPU architecture. Sadly, that means you can’t use this to easily run jobs on your x86-64 PC from a Raspberry Pi. You’ll need root access to the remote machine, too. The system also depends on having the FUSE file system libraries set up.

Continue reading “Linux Fu: Remote Execution Made Easy”

3D Printing Latex Is Now Possible

July 27, 2020 by 14 Comments

For those getting started with 3D printers, thermoplastics such as ABS and PLA are the norm. For those looking to produce parts with some give, materials like Ninjaflex are most commonly chosen, using thermoplastic polyeurethane. Until recently, it hasn’t been possible to 3D print latex rubber. However, a team at Virginia Tech have managed the feat through the combination of advanced printer hardware and some serious chemistry.

Sample cubes printed with the new process. Note the clarity of the sample at the top right.

The work was primarily a collaboration between [Phil Scott] and [Viswanath Meenakshisundaram]. After initial experiments to formulate a custom liquid latex failed, [Scott] looked to modify a commercially available product to suit the project. Liquid latexes are difficult to work with, with even slight alterations to the formula leading the solution to become unstable. Through the use of a molecular scaffold, it became possible to modify the liquid latex to become photocurable, and thus 3D printable using UV exposure techniques.

The printer side of things took plenty of work, too. After creating a high-resolution UV printer, [Meenakshisundaram] had to contend with the liquid latex resin scattering light, causing parts to be misshapen. To solve this, a camera was added to the system, which visualises the exposure process and self-corrects the exposure patterns to account for the scattering.

It’s an incredibly advanced project that has produced latex rubber parts with advanced geometries and impressive mechanical properties. We suspect this technology could be developed quickly in the coming years to produce custom rubber parts with significant strength. In the meantime, replicating flexible parts is still possible with available filaments on the market.

[via phys.org]

Linux Fu: Keep In Sync

July 23, 2020 by 28 Comments

Once upon a time, computers were very expensive and you were lucky to have shared access to one computer. While that might seem to be a problem, it did have one big advantage: all of your files were on that computer.

Today, we all probably have at least a desktop and one laptop. Your phone is probably a pretty good computer by most standards. You might have multiple computers and a smattering of tablets. So what do you do to keep your files accessible everywhere? Why not run your own peer-to-peer synchronization service? Your files are always under your control and encrypted in motion. There’s no central point of failure. You can do it with one very slick piece of Open Source software called syncthing. It runs on Windows, Linux, Mac, BSD, and Solaris. There are also Android clients. We haven’t tested it, but one caveat is that the unofficial iOS support sounds a little spotty.

The joke about the cloud — that it’s just other people’s servers — is on point here. Some people don’t like their files sitting on a third-party server. Even if your files are encrypted or you don’t care, you still have the problem of what happens if you can’t reach the server — may be on an airplane with no WiFi — or the server goes down. Sure, Google and Microsoft don’t go dark very often, but they can and do. Even if you build your own cloud, it runs on your servers. Syncthing is serverless: it simply makes sure that all files are up-to-date on all your end devices. Continue reading “Linux Fu: Keep In Sync”

A Reason To Code

July 4, 2020 by 48 Comments

My son is just getting to the age that puts him in the crosshairs of all of the learn-to-code toys. And admittedly, we’ve been looking at some of those Logo-like toys where you can instruct a turtle-bot to make a few moves, and then to repeat them. After all, if breaking down a problem into sub-problems and automating the repetition isn’t the essence of programming, I don’t know what is.

But here’s the deal: I think drawing ‘bots are cooler than he does. If you ask a kid “hey, do you want a car that can draw?” that’s actually pretty low on the robot list. I’m not saying he won’t get into it once he’s got a little bit more coding under his belt and he can start to make it do fun things, but by itself, drawing just isn’t all that impressive. He can draw just fine, thank-you-very-much.

Meanwhile, I was making a robot arm. Or rather, I started up on yet another never-to-be-completed robot arm. (Frankly, I don’t know what I would do with a robot arm.) But at least I started with the gripper and wrist. Now that’s pretty cool for a kid, but the programming is waaaay too complicated. So I pulled the brains out and hooked up the servos to an RC plane remote. Just wiggling the thing around, duct-taped to the table, got him hooked. And this weekend, we’re building a remote controlled cherry-picker arm to put on a pole, because cherries are in season. His idea!

So no coding. He’s a little too young anyway, IMO. But silly little projects like these, stored deep in his subconscious, will give him a reason to program in the future, will make it plainly obvious that knowing how to program is useful. Now all I need is a reason to finish up a robot arm project…

This article is part of the Hackaday.com newsletter, delivered every seven days for each of the last 200+ weeks. It also includes our favorite articles from the last seven days that you can see on the web version of the newsletter. Want this type of article to hit your inbox every Friday morning? You should sign up!