This Week In Security: Let’s Encrypt Revocation, Ghostcat, And The RIDLer

March 6, 2020 by 7 Comments

Let’s Encrypt recently celebrated their one billionth certificate. That’s over 190 million websites currently secured, and thirteen full-time staff. The annual budget for Lets Encrypt is an eye-watering $3.3+ million, covered by sponsors like Mozilla, Google, Facebook, and the EFF.

A cynic might ask if we need to rewind the counter by the three million certificates Let’s Encrypt recently announced they are revoking as a result of a temporary security bug. That bug was in the handling of the Certificate Authority Authorization (CAA) security extension. CAA is a recent addition to the X.509 standard. A domain owner opts in by setting a CAA field in their DNS records, specifying a particular CA that is authorized to issue certificates for their domain. It’s absolutely required that when a CA issues a new certificate, it checks for a CAA record, and must refuse to issue the certificate if a different authority is listed in the CAA record.

The CAA specification specifies eight hours as the maximum time to cache the CAA check. Let’s Encrypt uses a similar automated process to determine domain ownership, and considers those results to be valid for 30 days. There is a corner case where the Let’s Encrypt validation is still valid, but the CAA check needs to be re-performed. For certificates that cover multiple domains, that check would need to be performed for each domain before the certificate can be issued. Rather validating each domain’s CAA record, the Let’s Encrypt validation system was checking one of those domain names multiple times. The problem was caught and fixed on the 28th.

The original announcement gave administrators 36 hours to manually renew their affected certificates. While just over half of the three million target certificates have been revoked, an additional grace period has been extended for the over a million certs that are still in use. Just to be clear, there aren’t over a million bad certificates in the wild, and in fact, only 445 certificates were minted that should have been prevented by a proper CAA check.

Ghostcat

Apache Tomcat, the open source Java-based HTTP server, has had a vulnerability for something like 13 years. AJP, the Apache JServ Protocol, is a binary protocol designed for server-to-server communication. An example use case would be an Apache HTTP server running on the same host as Tomcat. Apache would serve static files, and use AJP to proxy dynamic requests to the Tomcat server.

Ghostcat, CVE-2020-1938, is essentially a default configuration issue. AJP was never designed to be exposed to untrusted clients, but the default Tomcat configuration enables the AJP connector and binds it to all interfaces. An attacker can craft an AJP request that allows them to read the raw contents of webapp files. This means database credentials, configuration files, and more. If the application is configured to allow file uploads, and that upload location is in the folder accessible to the attacker, the result is a full remote code execution exploit chain for any attacker.

The official recommendation is to disable AJP if you’re not using it, or bind it to localhost if you must use it. At this point, it’s negligence to leave ports exposed to the internet that aren’t being used.

Have I Been P0wned

You may remember our coverage of [Troy Hunt] over at haveibeenpwned.com. He had made the decision to sell HIBP, as a result of the strain of running the project solo for years. In a recent blog post, [Troy] reveals the one thing more exhausting that running HIBP: trying to sell it. After a potential buyer was chosen, and the deal was nearly sealed, the potential buyer went through a restructuring. At the end of the day, the purchase no longer made sense for either party, and they both walked away, leaving HIBP independent. It sounds like the process was stressful enough that HIBP will remain a independent entity for the foreseeable future.

You Were Warned

Remember the Microsoft Exchange vulnerability from last week? Attack tools have been written, and the internet-wide scans have begun.

Ridl Me This, Chrome

We’ve seen an abundance of speculative execution vulnerabilities over the last couple of years. While these problems are technically interesting, there has been a bit of a shortage of real-world attacks that leverage those vulnerabilities. Well, thanks to a post over at Google’s Project Zero, that dearth has come to an end. This attack is a sandbox escape, meaning it requires a vulnerability in the Chrome JS engine to be able to pull it off.

To understand how Ridl plays into this picture, we have to talk about how the Chrome sandbox works. Each renderer thread runs with essentially zero system privileges, and sends requests through Mojo, an inter-process communication system. Mojo uses a 128 bit numbering system to both identify and secure those IPC endpoints.

Once an attacker has taken over the unprivileged sandbox process, the next step is to figure out the port name of an un-sandboxed Mojo port. The trick is to get that privileged process to access its Mojo port name repeatedly, and then capture an access using Ridl. Once the port is known, the attacker has essentially escaped the sandbox.

The whole read is interesting, and serves as a great example of the sorts of attacks enabled by speculative execution leaks.

Farewell SETI@Home

March 6, 2020 by 59 Comments

It was about 21 years ago that Berkley started one of the first projects that would allow you to donate idle computing time to scientific research. In particular, your computer could help crunch data from radio telescopes looking for extraterrestrial life. Want to help? You may be too late. The project is going into hibernation while they focus on analyzing data already processed.

According to the home page:

We’re doing this for two reasons:

1) Scientifically, we’re at the point of diminishing returns; basically, we’ve analyzed all the data we need for now.

2) It’s a lot of work for us to manage the distributed processing of data. We need to focus on completing the back-end analysis of the results we already have, and writing this up in a scientific journal paper.

Continue reading “Farewell SETI@Home”

Dumpster Finds Combined Into 4K Desktop Monitor

March 6, 2020 by 31 Comments

Dumpster diving is a time honored tradition in the hacking community. You can find all sorts of interesting hardware in the trash, and sometimes it’s even fully functional. But even the broken gadgets are worth taking back to your lair to strip for parts. If you’re as lucky as [Jamz], you might be able to mash a few devices together and turn them into something usable.

In this case, [Jamz] scored a LG 27UK650 monitor with a cracked display and a Dell OptiPlex 7440 “All-in-One” computer that was DOA. Separately these two pieces of gear were little more than a pile of spare parts waiting to be liberated. But if the control board could be salvaged from the monitor, and the working LCD pulled from the Dell…

After taking everything apart, [Jamz] made a frame for this new Frankenstein monitor using pieces of aluminum channel from the hardware store and 3D printed side panels. With the Dell LCD mounted in the skeletal frame, the control board from the LG monitor was bolted to the back and wired in. Finally the center section of the LG monitor’s back panel was cut out and mounted to the new hybrid display with a 3D printed frame.

Admittedly, these were some pretty solid finds as far as trash goes. You won’t always be so lucky. But if you can keep an open mind, the curb is littered with possibilities. How about some impressive home lighting that started life as a cracked flat screen TV?

Pump Up The (Windows) Volume With Physical Sliders

March 5, 2020 by 20 Comments

For as long as we can remember, Windows has provided a mixer that breaks out the volume level of every applicable application into its own slider-controlled lane. But navigating to these controls is non-trivial, especially if you’re in a hurry to silence someone on team speak. You have to stop what you’re doing, click the speaker, go into the mixer, and then go find the appropriate slider. Windows won’t respect resizes between mixer visits, so you’ll almost always have some horizontal scrolling to do.

So why on Earth would you put yourself through all of this when you could be pushing physical sliders on the fly like a DJ? A slider is just a potentiometer in a straight line, after all.

These are wired up to an Arduino Nano, which sends the serial data to a Python script on the PC that changes the volume values accordingly for whatever five programs are in the config file. Thanks to a little bit of Visual Basic, the Python script can run in the background.

[Aithorn]’s got everything you need to replicate this, so slide on over and grab the STL files and code. If you get to point where these sliders are too small, just build some bigger ones.

Brute-Forced Copyrighting: Liberating All The Melodies

March 5, 2020 by 23 Comments

Bluntly stated, music is in the end just applied physics. Harmony follows — depending on the genre — a more or less fixed set of rules, and there  are a limited amount of variation possible within the space of music itself. So there are technically only so many melodies possible, making it essentially a question of time until a songwriter or composer would come up with a certain sequence of notes without knowing that they’re not the first one to do so until the cease and desist letters start rolling in.

You might well argue that there is more to a song than just the melody — and you are absolutely right. However, current copyright laws and past court rulings may not care much about that. Aiming to point out these flaws in the laws, musician tech guy with a law degree [Damien Riehl] and musician software developer [Noah Rubin] got together to simply create every possible melody as MIDI files, releasing them under the Creative Commons Zero license. While their current list is limited to a few scales of fixed length, with the code available on GitHub, it’s really just a matter of brute-forcing literally every single possible melody.

Admittedly, such a list of melodies might not have too much practical use, but for [Damien] and [Noah] it’s anyway more about the legal and philosophical aspects: musicians shouldn’t worry about getting sued over a few overlapping notes. So while the list serves as a “safe set of melodies” they put in the public domain, their bigger goal is to mathematically point out the finite space of music that shouldn’t be copyrightable in the first place. And they definitely have a point — just imagine where music would be today if you could copyright and sue over chord progressions.
Continue reading “Brute-Forced Copyrighting: Liberating All The Melodies”

Robotic Ball Bouncer Uses Machine Vision To Stay On Target

March 5, 2020 by 20 Comments

When we first caught a glimpse of this ball juggling platform, we were instantly hooked by its appearance. With its machined metal linkages and clear polycarbonate platform, its got an irresistibly industrial look. But as fetching as it may appear, it’s even cooler in action.

You may recognize the name [T-Kuhn] as well as sense the roots of the “Octo-Bouncer” from his previous juggling robot. That earlier version was especially impressive because it used microphones to listen to the pings and pongs of the ball bouncing off the platform and determine its location. This version went the optical feedback route, using a camera mounted under the platform to track the ball using OpenCV on a Windows machine. The platform linkages are made from 150 pieces of CNC’d aluminum, with each arm powered by a NEMA 17 stepper with a planetary gearbox. Motion control is via a Teensy, chosen for its blazing-fast clock speed which makes for smoother acceleration and deceleration profiles. Watch it in action from multiple angles in the video below.

Hats off to [T-Kuhn] for an excellent build and a mesmerizing device to watch. Both his jugglers do an excellent job of keeping the ball under control; his robotic ball-flinger is designed to throw the ball to the same spot every time.

Continue reading “Robotic Ball Bouncer Uses Machine Vision To Stay On Target”

144 7-Segment Displays Combine To Form A Mighty Clock

March 5, 2020 by 25 Comments

What do you do with 144 7-segment displays? If you’re [Frugha] you put them all together to create an epic clock. Each display has 8 individual LEDs — 7 segments, and a decimal point. Put that all together, and you’ve got 1152 individual LEDs to control. This presented a problem, as [Frugha] wanted to control the clock with a single Arduino Nano. Even charlieplexing won’t get you that many I/O lines.

The solution was a nifty little chip called the MAX7219. The ‘7219 speaks SPI and can control 64 individual LEDs. [Frugha] used 18 of them in the clock, giving him full control over all his LEDs. That’s pretty impressive, considering the last matrix 7-segment display we saw required 48 Arduinos!

Another problem is memory – 1152 “pixels” would quickly overrun the 2KB RAM in the ATmega328. This is a clock though — which means only digits 0-9 and a colon. [Frugha] picked a nice font and hand-coded lookup tables for each digit. The lookup tables are stored in ROM, saving precious RAM on the Arduino.

A clock wouldn’t be any good if it wasn’t accurate. A Tiny RTC supplies battery-backed time data. [Frugha] wrapped everything up with a neat layout on a custom PCB. Sure, you could put it in a case, but we think a clock this crazy deserves to be left open – so you can see it in all its glory.