A Guided Tour Of The NES

No matter your age or background, there’s an excellent chance you’ll recognize the Nintendo Entertainment System (NES) at first glance. The iconic 8-bit system not only revitalized the gaming industry, but helped to establish the “blueprint” of console gaming for decades to come. It’s a machine so legendary and transformative that even today, it enjoys a considerable following. Some appreciate the more austere approach to gaming from a bygone era, while others are fascinated with the functional aspects of the console.

The NesHacker YouTube channel is an excellent example of that latter group. Host [Ryan] explores the ins and outs of the NES as a platform, with a leaning towards the software techniques used to push the system’s 6502 processor to the limits. Even if you aren’t terribly interested in gaming, the videos on assembly programming and optimization are well worth a watch for anyone writing code for vintage hardware.


Assembly Language 80’s Minicomputer Style

In the days before computers usually used off-the-shelf CPU chips, people who needed a CPU often used something called “bitslice.” The idea was to have a building block chip that needed some surrounding logic and could cascade with other identical building block chips to form a CPU of any bit width that could do whatever you wanted to do. It was still harder than using a CPU chip, but not as hard as rolling your own CPU from scratch. [Usagi Electric] has a Centurion, which is a 1980s-vintage minicomputer based on a bitslice processor. He wanted to use it to write assembly language programs targeting the same system (or an identical one). You can see the video below.

Truthfully, unless you have a Centurion yourself, the details of this are probably not interesting. But if you have wondered what it was like to code on an old machine like this, you’ll enjoy the video. Even so, the process isn’t quite authentic since he uses a more modern editor written for the Centurion. Most editors from those days were more like CP/M ed or DOS edlin, which were painful, indeed.

The target program is a hard drive test, so part of it isn’t just knowing assembly but understanding how to interface with the machine. That was pretty common, too. You didn’t have a lot of help from canned routines in those days. For example, it was common to read an entire block from a hard drive, tape, or drum and have to figure out what part of it you were actually interested in instead of, say, opening a file and reading a stream of characters.

If nothing else, fast forward over to the 25-minute mark and see what a hard drive from that era looked like. Guess how much storage was on that monster? If you guessed more than 10 MB, you probably didn’t live through the 1980s. We won’t even guess what the price tag was, but you can bet it was spendy.

If you think entering programs like this is painful, try a front panel. That made paper tape seem like a great thing.


This Week In Security: OpenEMR, Bing Chat, And Alien Kills Pixels

Researchers at Sonar took a crack at OpenEMR, the Open Source Electronic Medical Record solution, and they found problems. The first one is a classic: the installer doesn’t get removed by default, and an attacker can potentially access it. And while this isn’t quite as bad as an exposed WordPress installer, there’s a clever trick that leads to data access. An attacker can walk through the first bits of the install process, and specify a malicious SQL server. Then by manipulating the installer state, any local file can be requested and sent to the remote server.

There’s a separate set of problems that can lead to arbitrary code execution. It starts with a reflected Cross Site Scripting (XSS) attack. That’s a bit different from the normal XSS issue, where one user puts JavaScript on the user page, and every user that views the page runs the code. In this case, the malicious bit is included as a parameter in a URL, and anyone that follows the link unknowingly runs the code.

And what code would an attacker want an authenticated user to run? A file upload, of course. OpenEMR has a function for authenticated users to upload files with arbitrary extensions, even .php. The upload folder is inaccessible, so it’s not exploitable by itself, but there’s another issue, a PHP file inclusion. Part of the file name is arbitrary, and is vulnerable to path traversal, but the file must end in .plugin.php. The bit of wiggle room on the file name on both sides allows for a collision in the middle. Get an authenticated user to upload the malicious PHP file, and then access it for instant profit. The fixes have been available since the end of November, in version 7.0.0-patch-2.

Bing Chat Injection

Or maybe it’s AI freedom. So, the backstory here is that the various AI chat bots are built with rules. Don’t go off into political rants, don’t commit crimes, and definitely don’t try to scam the users. One of the more entertaining tricks clever users have discovered is to tell a chatbot to emulate a personality without any such rules. ChatGPT can’t comment on political hot button issues, but when speaking as DAN, anything goes.

Arrrrr

This becomes really interesting when Bing Chat ingests a website that has targeted prompts. It’s trivial to put text on a web page that’s machine readable and invisible to the human user. This work puts instructions for the chat assistant in that hidden data, and demonstrates a jailbreak that turns Bing Chat malicious. The fun demonstration convinces the AI to talk like a pirate — and then get the user to click on an arbitrary link. The spooky demo starts out by claiming that Bing Chat is down, and the user is talking to an actual Microsoft engineer.

LastPass Details — Plex?

Last time we talked about the LastPass breach, we had to make some educated guesses about how things went down. There’s been another release of details, and it’s something. Turns out that in one of the earlier attacks, an encrypted database was stolen, and the attackers chose to directly target LastPass Engineers in an attempt to recover the encryption key.

According to Ars Technica, the attack vector was a Plex server run by one of those engineers. Maybe related, at about the same time, the Plex infrastructure was also breached, exposing usernames and hashed passwords. From this access, attackers installed a keylogger on the developer’s home machine, and captured the engineer’s master password. This allowed access to the decryption keys. There is some disagreement about whether this was/is a 0-day vulnerability in the Plex software. Maybe make sure your Plex server isn’t internet accessible, just to be safe.

There’s one more bit of bad news, particularly if you use the LastPass Single Sign On (SSO) service. That’s because the SSO secrets are generated from an XOR of two keys, K1 and K2. K1 is a single secret for every user at an organization. K2 is the per-user secret stored by LastPass. And with this latest hack, the entire database of K2 secrets was exposed. If K1 is still secret, all is well. But K1 isn’t well protected, and is easily accessed by any user in the organization. Ouch.
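A toy model of the two-share construction described above, added here as an illustration and not taken from LastPass or the post. It assumes nothing beyond “secret = K1 XOR K2”; share lengths and values are constructed. It shows why a leaked K2 database is harmless only while K1 is genuinely secret, and why rotating K1 is the remedy once K2 has leaked.

```python
import os

def derive_sso_secret(k1: bytes, k2: bytes) -> bytes:
    """SSO secret = K1 XOR K2, the construction the post describes."""
    if len(k1) != len(k2):
        raise ValueError("K1 and K2 must be the same length")
    return bytes(a ^ b for a, b in zip(k1, k2))

def possible_secrets_given_k2(k2: bytes) -> set:
    """Every secret consistent with a leaked K2 when K1 is unknown.
    Uses 1-byte shares so the 256 K1 values can be enumerated; with
    256-bit shares the same holds over 2**256 candidates, i.e. K2 alone
    tells an attacker nothing about the secret."""
    if len(k2) != 1:
        raise ValueError("toy enumeration is for 1-byte shares only")
    return {derive_sso_secret(bytes([k1]), k2) for k1 in range(256)}

def rotate_k1(length: int) -> bytes:
    """Mitigation: issue a fresh org-wide K1 (and keep it out of reach of
    ordinary users). Assumed remedy for this construction, not a LastPass
    procedure quoted from the post."""
    return os.urandom(length)

def run_scenario() -> tuple:
    """Constructed scenario: K2 leaks; K1 is reachable by any org user."""
    k1 = bytes(range(32))            # constructed org-wide share
    k2 = bytes(range(32, 64))        # constructed per-user share (leaked)
    live_secret = derive_sso_secret(k1, k2)
    # With K1 reachable, the leaked K2 yields the live secret directly.
    derived_by_attacker = derive_sso_secret(k1, k2)
    # After K1 rotation, old K1 + leaked K2 no longer matches the live secret.
    live_secret_after_rotation = derive_sso_secret(rotate_k1(32), k2)
    return (derived_by_attacker == live_secret,
            derived_by_attacker != live_secret_after_rotation)

if __name__ == "__main__":
    print("K2 alone leaves", len(possible_secrets_given_k2(b"\x42")),
          "equally likely 1-byte secrets")
    print("recoverable with weak K1, fixed by rotating K1:", run_scenario())
```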

The Ring Alien

Turns out, just like a certain horror movie, there is a video that the very watching causes death. If you happen to be a Pixel phone, that is. And “death” might be a bit of an exaggeration. Though the video in question certainly nails the vibe. Playing a specific YouTube clip from Alien will instantly reboot any modern Pixel phone. A stealth update seems to have fixed the issue, but it will be interesting to see if we get any more details on this story in the future. After all, when data can cause a crash, it can often cause code execution, too.

In-The-Wild

The US Cybersecurity and Infrastructure Security Agency (CISA) maintains a list of bugs that are known to be under active exploitation, and that list just recently added a set of notches. CVE-2022-36537 is the most recent, a problem in the ZK Framework. That’s an AJAX framework used in many places, notably the ConnectWise software. Joining the party are CVE-2022-47986, a flaw in IBM Aspera Faspex, a file transfer suite, and CVE-2022-41223 and CVE-2022-40765, both problems in the Mitel MiVoice Business phone system.

Bits and Bytes

There’s yet another ongoing attack against the PyPI repository, but this one mixes things up a bit by dropping a Rust executable as one stage in a chain of exploitation. The other novel element is that this attack isn’t going after typos and misspellings, but seems to be a real-life dependency confusion attack.

The reference implementation of the Trusted Platform Module 2.0 was discovered to contain some particularly serious vulnerabilities. The issue is that a booted OS could read and write two bytes beyond its assigned data. It’s unclear whether that’s a static two bytes, making this not particularly useful in the real world, or if these reads could be chained together, slowly leaking larger chunks of internal TPM data.

And finally, one more thing to watch out for, beware of fake authenticator apps. This one is four years old, has a five star rating, and secretly uploads your scanned QR codes to Google Analytics, exposing your secret authenticator key. Yoiks.

This Week In Security: GoDaddy, Joomla, And ClamAV

We’ve seen some rough security fails over the years, and GoDaddy’s recent news about a breach leading to rogue website redirects might make the highlight reel. The real juicy part is buried on page 30 of a PDF filing to the SEC.

Based on our investigation, we believe these incidents are part of a multi-year campaign by a sophisticated threat actor group that, among other things, installed malware on our systems and obtained pieces of code related to some services within GoDaddy.

That multi-year campaign appears to go back to at least October 2019, when an SSH file was accessed and altered, leading to 28,000 customer SSH usernames and passwords being exposed. There was also a 2021 breach of the GoDaddy WordPress environment, which has been linked to the same group.

Reading between the lines, there may be an implication here that the attackers had an ongoing presence in GoDaddy’s internal network for that entire multi-year period — note that the quote above refers to a single campaign, and not multiple campaigns from the same actor. That would be decidedly bad.

Joomla’s Force Persuasion

Joomla has a critical vulnerability, CVE-2023-23752, which is a trivial information leak from a web endpoint. This flaw is present in all of the 4.x releases, up to 4.2.8, which contains the fix. The issue is the Rest API, which gives access to pretty much everything about a given site. It has an authentication component, of course. The bypass is to simply append ?public=true. Yes, it’s a good old “You don’t need to see his identification” force suggestion.

There’s even a PoC script that runs the request and spits out the most interesting data: the username, password, and user id contained in the data. It’s not quite as disastrous as that sounds — the API isn’t actually leaking the administrative username and password, or even password hash. It’s leaking the SQL database information. Though if your database is accessible from the Internet, then that’s pretty much as bad as it could be.

NASA Help Wanted: Ham Radio Operators Please Apply

NASA’s been recruiting citizen scientists lately, and their latest call is looking for help from ham radio operators. They want you to make and report radio contacts during the 2023 and 2024 North American eclipses. From their website:

Communication is possible due to interactions between our Sun and the ionosphere, the ionized region of the Earth’s atmosphere located roughly 80 to 1000 km overhead. The upcoming eclipses (October 14, 2023, and April 8, 2024) provide unique opportunities to study these interactions. As you and other HamSCI members transmit, receive, and record signals across the radio spectrum during the eclipse, you will create valuable data to test computer models of the ionosphere.

The upcoming eclipses are in October of this year and in April 2024, so you have some time to get your station in order. According to NASA, “It will be a fun, friendly event with a competitive element.” So if you like science, space, or contesting, it sounds like you’ll be interested. Right now, the big event is the Solar Eclipse QSO Party. There will also be a signal spotting challenge and some measurements of WWV, CHU, AM broadcast stations, and measurements of the ionosphere height. There will also be some sort of very low-frequency event. Details on many of these events are still pending.

Hams, of course, have a long history of experimenting with space. They routinely bounce signals off the moon. They also let radio signals bounce off the trails of ionized gas behind meteors using special computer programs.

The USAF (Almost) Declares War On Illinois Radio Amateurs

Every week the Hackaday editors gather online to discuss the tech stories of the moment, and among the topics this week was the balloons shot down over North America that are thought to be Chinese spying devices. Among the banter came the amusing thought that enterprising trolls on the Pacific rim could launch balloons to keep the fearless defenders of American skies firing off missiles into the beyond.

But humor may have been overshadowed by events, because it seems one of the craft they shot down was just that. It wasn’t a troll though; the evidence points to an amateur radio pico balloon — a helium-filled Mylar party balloon with a tiny solar-powered WSPR transmitter as its payload.

The balloon thought to have been shot down was launched by the Northern Illinois Bottlecap Balloon Brigade, a group of radio amateurs who launch small helium-filled Mylar balloons carrying the barest minimum for a solar-powered WSPR beacon. Its callsign was K9YO, and having circumnavigated the globe seven times since its launch on the 10th of October, it was last seen off Alaska on February 11th. Its projected course and timing tally with the craft reported shot down by the US Air Force, so it seems the military used hundreds of thousands of dollars’ worth of high-tech weaponry to shoot down a few tens of dollars’ worth of hobby electronics they could have readily tracked online. We love the smell of napalm in the morning!

Their website has a host of technical information on the balloons and the beacons, providing a fascinating insight into this facet of amateur radio that is well worth a read in itself. The full technical details of the USAF missile system used to shoot them down, sadly, remain classified.

Anatomy Of A Fake CO2 Sensor

The pandemic brought with it a need to maintain adequate ventilation in enclosed spaces, and thus, there’s been considerable interest in inexpensive CO2 monitors. Unfortunately, there are unscrupulous actors out there that have seen this as a chance to make a quick profit.

Recently [bigclivedotcom] got one such low-cost CO2 sensor on his bench for a teardown, and confirms that it’s a fake. But in doing so he reveals a fascinating story of design decisions good and bad, from something which could almost have been a useful product.

Behind the slick color display is a PCB with an unidentified microcontroller, power supply circuitry, a DHT11 environmental sensor, and a further small module which purports to be the CO2 sensor. He quickly demonstrates with a SodaStream that it doesn’t respond to CO2 at all, and through further tests is able to identify it as an alcohol sensor.

Beyond the alcohol sensor he analyses the PSU circuitry. It has a place for a battery protection chip but it’s not fitted, and an error in the regulator circuitry leads to a slow drain of the unprotected cell. Most oddly there’s an entire 5 volt switching regulator circuit that’s fitted but unused, being in place to support a missing infra-red module. Finally the screen is an application-specific LCD part.

It’s clear some effort went into the design of this unit, and we can’t help wondering whether it could have started life as a design for a higher-spec genuine unit. But as [Clive] says, it’s a party detector, and of little more use than as a project case and battery.

Need more dubious instrumentation? How about a magnetic field tester?
