This Week In Security: Discord, Chromium, And WordPress Forced Updates

[Masato Kinugawa] found a series of bugs that, when strung together, allowed remote code execution in the Discord desktop app. Discord’s desktop application is an Electron powered app, meaning it’s a web page rendered on a bundled light-weight browser. Building your desktop apps on JavaScript certainly makes life easier for developers, but it also means that you inherit all the problems from running a browser and JS. There’s a joke in there about finally achieving full-stack JavaScript.

The big security problem with Electron is that a simple Cross Site Scripting (XSS) bug is suddenly running in the context of the desktop, instead of the browser. Yes, there is a sandboxing option, but that has to be manually enabled.

And that brings us to the first bug. Neither the sandbox nor the contextIsolation options were set, and so both defaulted to false. What do these settings allow an attacker to do? Because the front-end and back-end JavaScript runs in the same context, it’s possible for an XSS attack to override JS functions. If those functions are then called by the back-end, they have full access to Node.js functions, including exec(), at which point the escape is complete.

Now that we know how to escape Electron’s web browser, what can we use for an XSS attack? The answer is automatic iframe embeds. For an example, just take a look at the exploit demo below. On the back-end, all I have to do is paste in the YouTube link, and the WordPress editor does its magic, automatically embedding the video in an iframe. Discord does the same thing for a handful of different services, one being Sketchfab.

This brings us to vulnerability #2. Sketchfab embeds have an XSS vulnerability. A specially crafted Sketchfab file can run some JS whenever a user interacts with the embedded player, which can be shoehorned into Discord. We’re almost there, but there is still a problem remaining. This code is running in the context of an iframe, not the primary page, so we still can’t override functions for a full escape. To actually get a full RCE, we need to trigger a navigation to a malicious URL in the primary pageview, and not just the iframe. There’s already code to prevent an iframe from redirecting the top page, so this RCE is a bust, right?

Enter bug #3. If the top page and the iframe are on different domains, the code preventing navigation never fires. In this case, JavaScript running in an iframe can redirect the top page to a malicious site, which can then override core JS functions, leading to a full escape to RCE.

It’s a very clever chaining of vulnerabilities, from the Discord app, to an XSS in Sketchfab, to a bug within Electron itself. While this particular example required interacting with the embedded iframe, it’s quite possible that another vulnerable service has an XSS bug that doesn’t require interaction. In any case, if you use Discord on the desktop, make sure the app is up to date. And then, enjoy the demo of the attack, embedded below.


Color E-Ink Display Photo Frame Pranks [Mom]

As a general rule, it’s not nice to prank your mother. Moms have a way of exacting subtle revenge, generally in the form of guilt. That’s not to say it might not be worth the effort, especially when the prank is actually wrapped in a nice gesture, like this ever-changing e-paper family photo frame.

The idea that [CNLohr] had was made possible by a new generation of multicolor e-paper displays by Waveshare. The display [Charles] chose was a generous 5.65″ unit with a total of seven colors. A little hacking revealed an eighth color was possible, adding a little more depth to the images. The pictures need a little pre-processing first, of course — dithering to accommodate the limited palette — but look surprisingly good on the display. They have a sort of stylized look, as if they were printed on a textured paper with muted inks.

The prank idea was simple — present [Mrs. Lohr] with a cherished family photo to display, only to find out that it had changed to another photo overnight. The gaslighting attempt required a bit more hacking, including some neat tricks to keep the power consumption very low. It was also a bit of a squeeze to get it into a frame that was slim enough not to arouse suspicion. The video below details some of the challenges involved in this build.

In the end, [Mom] wasn’t tricked, but she still seemed pleased with the final product. These displays seem like they could be a lot of fun — perhaps a version of the very-slow-motion player but for color movies would be doable.


Crowd Funded Jumping Cubes

The Japan Aerospace Exploration Agency (JAXA) recently contributed their Int-Ball technology to a Kickstarter campaign operated by the Japanese electronics manufacturer / distributor Bit Trade One (Japanese site). This technology is based on the Cubli project out of the Swiss Federal Institute of Technology in Zurich (ETH Zurich), which we covered back in 2013. The Cubli-based technology has been appearing in various projects since then, including the Nonlinear Mechatronic Cube in 2016. Alas, the current JAXA-based “3-Axis Attitude Control Module” project doesn’t have a catchy name — yet.

One interesting application of these jumping cubes, presumably how JAXA got involved with these devices, is a floating video camera that was put to use on board the International Space Station (ISS) in 2017. The version being offered by the Kickstarter campaign doesn’t include the cameras, and you will need to provide your own gravity-free environment to duplicate that application. Instead, they seem to be marketing this for educational uses. You’d better dig deep in your wallet if you want one — a fully assembled unit requires a pledge of over $5000 (there is a “some assembly required” kit that can save you about $1000). Most of us won’t be backing this project for that reason alone, but it is nice to see the march of progress of such a cool technology: from inception to space applications to becoming available to the general public. Thanks to [Lincoln Uehara] for sending in this tip.


N64 Power Adapter Works Around The World

Modern electronics such as phone and laptop chargers are pretty versatile no matter where you find yourself in the world. Capable of running off anything from 100-250V, all you need is a socket adaptor and you’re good to go. Video game consoles of the 1990s weren’t so flexible however. [MattKC] was tired of messing around with step down transformers to run his US market N64, and decided to rectify this, building a universal adapter to run the console instead.

It’s a proper hacked build, assembled out of a jumble of old parts. A broken N64 power adapter was harvested for its case and unique DC plug, which carries 12V and 3.3V to the console. Few compact power supplies exist delivering this pair of voltages, so [MattKC] got creative. An old router was sourced for its 12V 2A supply, and was combined with a 3.3V buck converter to supply both rails. With some creative bodging and plenty of mounting tape, the supplies were crammed inside the original case and wired up to the original jack and a figure 8 cable, allowing easy socket changes in different countries without the use of ugly adapters.

While few of us routinely travel with 25 year old Nintendo consoles, for those that do, the convenience of a single universal supply can’t be overstated. Fitting a step-down transformer into carry-on luggage simply isn’t practical, after all. We’ve featured similar hacks as far back as 2006, or more recently, a project seeking to rebuild a new PSU for the venerable Amiga 500. Video after the break.


A Look Behind The “Big Boards” At Mission Control In The Golden Age Of NASA

Certified space-nerd and all-around retro-tech guru [Fran Blanche] has just outdone herself with a comprehensive look at how NASA ran the Mission Control “Big Boards” that provided flight data for controllers for Apollo and for the next 20 years of manned spaceflight.

We’ve got to admit, [Fran] surprised us with this one. We had always assumed that the graphs and plots displayed in front of the rows of mint-green consoles and their skinny-tie wearing engineers were video projections using eidophor projectors. And to be sure, an eidophor, whose tech [Jenny] profiled a while back, was used on one of the screens to feed video into Mission Control, either live from the Moon or from coverage of the launch and recovery operations. But even a cursory glance at the other screens in front of “The Pit” shows projections of a crispness and clarity that was far beyond what 1960s video could achieve.

Instead, plots and diagrams were projected into the rear of the massive screens using a completely electromechanical system. Glass and metal stencils were used to project the icons, maps, and grids, building up images layer by layer. Colors for each layer were obtained by the use of dichroic filters, and icons were physically moved to achieve animations. Graphs and plots were created Etch-a-Sketch style, with a servo-controlled stylus cutting through slides made opaque with a thin layer of metal. The whole thing is wonderfully complex, completely hacky, and a great example of engineering around the limits of technology.

Hats off to [Fran] for digging into this forgotten bit of Space Race tech. Seeing something like this makes the Mission Control centers of today look downright boring by comparison.


Nightmare Robot Only Moves When You Look Away

What could be more terrifying than ghosts, goblins, or clowns? How about a shapeless pile of fright on your bedroom floor that only moves when you’re not looking at it? That’s the idea behind [Sciencish]’s nightmare robot, which is lurking after the break. The Minecraft spider outfit is just a Halloween costume.

In this case, “looking at it” equates to you shining a flashlight on it, trying to figure out what’s under the pile of clothes. But here’s the thing — it never moves when light is shining on it. It quickly figures out the direction of the light source and lies in wait. After you give up and turn out the flashlight, it spins around to where the light was and starts moving in that direction.

The brains of this operation are an Arduino Uno, four light-dependent resistors, and a little bit of trigonometry to find the direction of the light source. The robot itself uses two steppers and printed herringbone gears for locomotion. Its chassis has holes in it that accept filament or wire to make a cage that serves two purposes — it makes the robot into more of an amorphous blob under the clothes, and it helps keep clothes from getting twisted up in the wheels. Check out the demo and build video after the break, because this thing is freaky fast and completely creepy.

While we usually see a candy-dispensing machine or two every Halloween, this year has been more about remote delivery systems. Don’t just leave sandwich bags full of fun size candy bars all over your porch, build a candy cannon or a spooky slide instead.


A Clock From An Electricity Meter

Electric utilities across the world have been transitioning their meters from the induction analog style with a distinctive spinning disc to digital “smart” meters which aren’t as aesthetically pleasing but do have a lot of benefits for utilities and customers alike. For one, meter readers don’t need to visit each meter every month because they are all networked together and can download usage data remotely. For another, it means a lot of analog meters are now available for projects such as this clock from [Monta].

The analog meters worked by passing any electricity used through a small induction motor which spun at a rate proportional to the amount of energy passing through it. This small motor spun a set of dials via gearing in order to keep track of the energy usage in the home or business. To run the clock, [Monta] connected a stepper motor with a custom transmission to those dials for the clock face because it wasn’t possible to spin the induction motor fast enough to drive the dials. An Arduino controls that stepper motor, but can’t simply drive the system in a linear fashion because it needs to skip a large portion of the “minutes” dials every hour. A similar problem arises for the “hours” dials, but a little bit of extra code solves this problem as well.

Once the actual clock was finished, [Monta] put some finishing touches on it such as backlighting in the glass cover and a second motor to spin the induction motor wheel to make the meter look like it’s running. It’s a well-polished build that makes excellent use of some antique hardware, much like one of his other builds we’ve seen which draws its power from a Stirling engine.
