This Week In Security: VPN Gateways, Attacks In The Wild, VLC, And An IP Address Caper

We’ll start with more Black Hat/DEFCON news. [Meh Chang] and [Orange Tsai] from Devcore took a look at Fortinet and Pulse Secure devices, and found multiple vulnerabilities. (PDF Slides) They are publishing write-ups of that research, and the Fortinet summary is now available.

It’s… not great. There are multiple pre-authentication vulnerabilities, as well as what appears to be an intentional backdoor.

CVE-2018-13379 abuses a snprintf call made when the login page requests a different language. snprintf is the bounded alternative to sprintf: it takes the size of the destination buffer and never writes past it, which prevents the classic overflow, but it also means the output can be silently truncated, and a truncated string can be every bit as exploitable.

The code in question looks like snprintf(s, 0x40, "/migadmin/lang/%s.json", lang);.
When the login page loads, it requests a language file, and the device sends that file back to the user. At first glance the format string limits the response to a .json file from the specified folder. Unfortunately there is no further validation of the lang value, so a language of ../../arbitrary is accepted as perfectly legitimate and escapes the intended folder. On its own that would only leak arbitrary .json files, but snprintf doesn’t fail when the formatted string exceeds the given length: it truncates the output and returns the length it would have written, and nothing here checks that return value. Send a lang that is long enough and the “.json” extension is truncated off the end of the path as well.

A Metasploit module has been written to test for this vulnerability; it requests a lang of /../../../..//////////dev/cmdb/sslvpn_websession. That’s just long enough to push the .json extension off the end of the 64-byte buffer, and Unix path resolution ignores the redundant slashes. Just like that, the FortiGate is serving up any file on its filesystem to anyone who asks nicely. That particular file holds the active SSL VPN session table, credentials included, so anyone patching an exposed device should also rotate its VPN passwords and invalidate existing sessions rather than assume the update alone puts things right.
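To make the truncation concrete, here is an added example in C (not Fortinet’s code, nor the Devcore researchers’ proof of concept) that reproduces the 64-byte snprintf construction from the call quoted above, alongside a hardened version that whitelists the language token and treats a truncated result as a hard error. The format string and buffer size come from the text; the function names, the “en” sample and the whitelist policy are this example’s own assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define LANG_BUF 0x40   /* 64 bytes, the size passed to snprintf in the quoted call */

/* Mirrors the construction described above: snprintf bounds the write,
 * but truncation is silent and the return value is never examined. */
int build_lang_path_vuln(char *out, size_t outsz, const char *lang) {
    snprintf(out, outsz, "/migadmin/lang/%s.json", lang);
    return 0;
}

/* Hardened version (an added example, not the vendor's fix): accept only a
 * plain language token, then treat any truncation as an error. */
int build_lang_path_safe(char *out, size_t outsz, const char *lang) {
    size_t i, n = strlen(lang);
    int written;

    if (n == 0) return -1;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)lang[i];
        /* no '/', no '.', so no traversal and no extension games */
        if (!(isalnum(c) || c == '_' || c == '-')) return -1;
    }
    /* snprintf returns the length it wanted to write; a value >= outsz
     * means the output was cut short and ".json" may be gone. */
    written = snprintf(out, outsz, "/migadmin/lang/%s.json", lang);
    if (written < 0 || (size_t)written >= outsz) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Does the path still carry the extension the format string promised? */
int ends_with_json(const char *path) {
    size_t n = strlen(path);
    return n >= 5 && strcmp(path + n - 5, ".json") == 0;
}

int main(void) {
    char buf[LANG_BUF];
    /* The Metasploit probe quoted above: with the 15-byte prefix it fills the buffer. */
    const char *probe = "/../../../..//////////dev/cmdb/sslvpn_websession";

    build_lang_path_vuln(buf, sizeof buf, "en");
    printf("vuln, lang=en    -> %s\n", buf);
    build_lang_path_vuln(buf, sizeof buf, probe);
    printf("vuln, lang=probe -> %s (.json kept: %s)\n", buf,
           ends_with_json(buf) ? "yes" : "no");
    printf("safe, lang=en    -> rc %d\n", build_lang_path_safe(buf, sizeof buf, "en"));
    printf("safe, lang=probe -> rc %d\n", build_lang_path_safe(buf, sizeof buf, probe));
    return 0;
}
```

The vulnerable variant returns a 63-character path with no extension for the probe, which is exactly the file-read primitive described above; the hardened variant rejects the probe on the character whitelist and, as a second line of defence, rejects any over-long token because the snprintf return value is checked.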

More worrying than the snprintf bug is a magic value that looks very much like an intentional backdoor. A fixed 14-character string, sent as an HTTP query parameter, lets a completely unauthenticated request change any user’s password. The story is still young, and it’s possible this was meant for some benign purpose. If it’s an honest mistake, it’s a sign of incompetence. If it’s an intentional backdoor, it’s time to retire any and all Fortinet equipment you have.

Pulse Secure VPNs have a similar pre-auth arbitrary file read vulnerability. Once the full report is released, we’ll cover that as well.

Exploitation in the Wild

But wait, there’s more. Hide your kids, hide your wife. Webmin, Pulse Secure, and FortiGate are already being actively exploited in the wild, according to ZDNet. Based on reports from Bad Packets, the Webmin backdoor was being targeted by scans within a day of the announcement, and exploited within three days of it. A botnet is already spreading through the backdoor, and an estimated 29,000 vulnerable Webmin servers are exposed to the Internet.

Both Pulse Secure and Fortinet’s FortiGate VPN appliances are also being actively targeted. Even though the vulnerabilities were reported to the vendors first and patched well in advance of public disclosure, thousands of vulnerable devices remain. Apparently routers and other network appliances are treated as fire-and-forget solutions, and often go without important security updates; if you run one of these, check its firmware version now rather than assuming someone else did.

VLC is Actually Vulnerable This Time

The VLC media player has released an update fixing 11 CVEs. All of them are cases of mishandling malformed media files, and are only exploitable by opening a malicious file in VLC. Be sure to update if you have it installed: even though arbitrary code execution hasn’t been demonstrated for any of these issues, it’s likely that it eventually will be.

Gray Market IP Addresses

With the exhaustion of IPv4 addresses, many have turned to alternative ways of acquiring address space, the criminal element included. Krebs on Security details his investigation into one such story: Residential Networking Solutions LLC (Resnet). It all started with an uptick in fraudulent transactions originating from Resnet residential IP addresses. Was this a real company, actually providing internet connectivity, or a criminal enterprise?

Arduino On MBed

Sometimes it seems like Arduino is everywhere. However, with a new glut of IoT processors, it must be quite a task to keep the Arduino core on all of them. Writing on the Arduino blog, [Martino Facchin], Arduino’s chief of firmware development, talks about the problem they faced supporting two new boards from Nordic.

The boards, the Nano 33 BLE and Nano 33 BLE Sense, are based on an ARM Cortex-M4 CPU from Nordic. The obvious answer, of course, would be to port the Arduino core over from scratch, but the team didn’t want to spend that much time on just a couple of boards. They considered using the Nordic libraries to talk to the hardware, but since those are closed source, it didn’t sit well with Arduino’s open-source sensibilities. In the end they took a third approach, which could be a very interesting development: they ported the Arduino core to Mbed OS. There’s even an example of loading a sketch on top of Mbed, from [Jan Jongboom].


Building A Robot Rover For Those Tough Indoor Missions

Making an outdoor rover is easy stuff, with plenty of folks already roving around on beaches and alien worlds. Clearly the new frontier is the indoor environment, a frontier which is helpfully being conquered by [Andreas Hoelldorfer]’s Mantis Rover.

OK, we’re kidding. This project started life as a base for [Andreas]’s exquisite 3D-printable robotic arm, but it’s even capable of carrying people around, as the embedded video after the break makes abundantly clear. The most eye-catching feature of the Mantis Rover is its Mecanum wheels, which let it move in any direction, perfect for those tight spots where getting stuck would be really awkward.

The Mecanum wheels are 3D printed, which makes the motors and their controllers the more complicated part of the package. Plans for the wheels involve casting some kind of rubber onto them, to be gentler on the floors they drive over. The electronics include TMC5160 motor drivers and an STM32F407VET6 MCU, along with a W5500-equipped custom ‘Robot Shield’.

It seems that there are still a lot of tweaks underway to make the project even more interesting. Maybe it’s the perfect foundation for your next indoor roving sessions at the office or local hackerspace?


How To Play Doom – And More – On An NES

Doom was a breakthrough game for its time, and became so popular that now it’s essentially the “Banana For Scale” of hardware hacking. Doom has been ported to countless devices, most of which have enough processing ability to run the game natively. Recently, this lineup of Doom-compatible devices expanded to include the NES even though the system definitely doesn’t have enough capability to run it without special help. And if you want your own Doom NES cartridge, this video will show you how to build it.

We featured the original build from [TheRasteri] a while back, which goes into detail on how it’s possible to run such a resource-intensive game on a comparatively weak system. You just have to enter the cheat code “RASPI”. After all the heavy lifting is done, it’s time to put it into a realistic-looking cartridge.

To get everything to fit in the donor cartridge, the ICs in the cartridge were first removed (except the lockout IC) and replaced with custom ROM chips. Some modifications to the original board have to be soldered in as well, since the new chips’ pinouts don’t match perfectly. Next, most of the pin headers on the Raspberry Pi and the supporting hardware are removed and the boards soldered together. Finally, [TheRasteri] checks that all this extra hardware doesn’t draw too much power from the NES and overheat it.

The original project was impressive on its own, but with the Doom cartridge completed this really makes it the perfect NES hack, and it also opens the door to a lot of other custom games, including things like Mario 64.


This Heads Up Display Is All Wet

Athletes have a long history of using whatever they can find to enhance their performance or improve their training. Fitness tracker watches are nothing new, and swimmers have used them to track their split times, distance, and other parameters. The problem with fitness trackers, though, is that you have to look at a watch. FORM has swim goggles that promise to address this: their smart goggles present the swimmer with a heads-up display of metrics. You can see a slick video about them below.

The screen is on only one eye, although you can switch it from left to right. The device has an inertial navigation system and is, of course, waterproof. It supposedly withstands depths of up to 32 feet and lasts 16 hours on a charge. It can also send your data to your phone over Bluetooth, in addition to showing it on the display.


See If Someone Has Been In Your Drawers With This Simple Alarm

There’s a spy movie – probably from the [James Bond] franchise – in which our hero is staying in a fancy hotel. It’s crawling with enemies, naturally, and eager to see if one has been snooping in his room while he’s out for martinis, he sticks a hair across the gap in the door. When he comes back and finds the hair missing, he knows the game is afoot.

This hotel safe intrusion detector is what [Q] might have thought up for such a job if he’d had access to PIC microcontrollers and SMD LEDs. [Andy]’s “LightSafer” is a silent alarm for hotel safes, drawers, closets, or even the refrigerator: anywhere the transition from dark to light indicates an unwanted visit. It’s tiny, only 33 x 21 mm, and is powered by a CR2032 coin cell. A Broadcom APDS-9300 light sensor watches for openings while the PIC monitors a joystick control for the correct PIN entry. There’s no audible alarm; instead an LED blinks to indicate an unauthorized intrusion, once for every 15 minutes that have elapsed since the event.

LightSafer is simple but effective, with a clever UI that keeps the current draw low and the battery life long. [Andy] used a similar technique for this low-draw cat tracking collar that we featured a while back.

Measuring Particulate Pollution With The ESP32

Air pollution isn’t just about the unsightly haze in major cities. It can also pose a major health risk, particularly to those with vulnerable respiratory systems. A major part of hazardous pollution is particulate matter, tiny solid particles suspended in the air. Particulate pollution levels are of great interest to health authorities worldwide, and [niriho] decided to build a monitoring rig of their own.

Particulate matter is measured with an SDS011 sensor. This device contains a laser and detects light scattered by airborne particles to determine the level of particulate pollution in the PM2.5 and PM10 ranges. The build uses an ESP32 as the brains of the operation, chosen for its onboard networking hardware, which makes remote monitoring easy. Data is then uploaded to a Cacti instance, which handles logging and graphing.

For those concerned about air quality, or those who are distrustful of official government numbers, this build is a great way to get a clear read on pollution in the local area. You might even consider becoming a part of a wider monitoring network!