This Week In Security: Censoring Researchers, The Death Of OpenPGP, Dereferencing Nulls, And Zoom Is Watching You

Last week the schedule for our weekly security column collided with the Independence Day holiday. The upside is that we get a two-for-one deal this week, as we’re covering two weeks worth of news, and there is a lot to cover!

[Petko Petrov], a security researcher in Bulgaria, was arrested last week for demonstrating a weakness he discovered in a local government website. In the demonstration video, he stated that he attempted to disclose the vulnerability to both the software vendor and the local government. When his warnings were ignored, he took to Facebook to inform the world of the problem.

From the video, it appears that a validation step was performed on the browser side, easily manipulated by the end user. Once such a flaw is discovered, it becomes trivial to automate the process of scraping data from the vulnerable site. The vulnerability found isn’t particularly interesting, though the amount of data exposed is rather worrying. The bigger story is that as of the latest reports, the local government still intends to prosecute [Petko] for downloading data as part of demonstrating the attack.

YouTube Censorship

We made a video about launching fireworks over Wi-Fi for the 4th of July only to find out @YouTube gave us a strike because we teach about hacking, so we can't upload it. YouTube now bans: "Instructional hacking and phishing: Showing users how to bypass secure computer systems"

In related news, Google has begun cracking down on “Instructional Hacking and Phishing” videos. [Kody] from the Null Byte YouTube channel found himself locked out of his own channel after receiving a strike for a video discussing a Wi-Fi vulnerability.

The key to getting a video unblocked seems to be generating lots of social media attention. Enough outcry seems to trigger a manual review of the video in question, and usually results in the strike being rescinded.

Improved Zip Bomb

A zip bomb is a small zip file that unzips into a ridiculously large file or collection of files. While there are obvious nefarious uses for such a file, crafting the most extreme zip bomb has also become something of a competition. The previous champion was 42.zip, a recursive zip file that, when fully extracted, weighs in at 42 petabytes. A new contender may have just taken the crown, and without using zip file recursion.

[David Fifield] discovered a pair of ZIP tricks. The first is that multiple files can be constructed from a single “kernel” of compressed data. The second is that file headers can themselves be part of the data to be decompressed. It’s clever work, and much easier to understand when looking at the graphics he put together. From those two points, the only task left is to optimize. Taking advantage of the zip64 format, the final compression ratio was approximately 98 million to one.
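To make the overlap concrete, here is an added example in Python (not [David Fifield]'s code): it builds the simplest fully-overlapping archive, where several central-directory entries all claim one local file header and one DEFLATE kernel, and a scanner that flags such archives by reading the central directory and comparing member byte ranges and the declared-size ratio. The quoted-header trick that makes the file names match is not reproduced here.

```python
"""Spot the overlapping-member trick behind the zip bomb described above.

Added example, not David Fifield's code: one local header and one DEFLATE
"kernel" claimed by several central-directory entries (his construction also
quotes each local header into the previous file's data; not done here).
"""
import io
import struct
import zipfile
import zlib

LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = 0x04034B50, 0x02014B50, 0x06054B50
LOCAL_FMT, CENTRAL_FMT, EOCD_FMT = "<IHHHHHIIIHH", "<IHHHHHHIIIHHHHHII", "<IHHHHIIH"

def build_normal_zip() -> bytes:
    """Ordinary two-member archive (constructed sample) for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("a.txt", b"A" * 1000)
        zf.writestr("b.txt", b"B" * 1000)
    return buf.getvalue()

def build_overlapping_zip(names, kernel_size=1_000_000) -> bytes:
    """One compressed kernel of zeros, claimed by len(names) directory entries."""
    raw = b"\0" * kernel_size
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits -15: raw DEFLATE stream
    kernel = comp.compress(raw) + comp.flush()
    crc, first = zlib.crc32(raw), names[0].encode()
    local = struct.pack(LOCAL_FMT, LOCAL_SIG, 20, 0, 8, 0, 0, crc,
                        len(kernel), kernel_size, len(first), 0) + first
    # Every entry's local-header offset (last field) is 0: the same header and kernel.
    central = b"".join(
        struct.pack(CENTRAL_FMT, CENTRAL_SIG, 20, 20, 0, 8, 0, 0, crc, len(kernel),
                    kernel_size, len(n.encode()), 0, 0, 0, 0, 0, 0) + n.encode()
        for n in names)
    eocd = struct.pack(EOCD_FMT, EOCD_SIG, 0, 0, len(names), len(names),
                       len(central), len(local) + len(kernel), 0)
    return local + kernel + central + eocd

def scan(data: bytes):
    """Return (declared_total, ratio, overlapping_pairs) from the central directory."""
    eocd_at = data.rfind(struct.pack("<I", EOCD_SIG))
    if eocd_at < 0:
        raise ValueError("no end-of-central-directory record")
    eocd = struct.unpack_from(EOCD_FMT, data, eocd_at)
    count, pos, members = eocd[4], eocd[6], []
    for _ in range(count):
        f = struct.unpack_from(CENTRAL_FMT, data, pos)
        if f[0] != CENTRAL_SIG:
            raise ValueError(f"bad central directory entry at {pos}")
        csize, usize, nlen, elen, clen, off = f[8], f[9], f[10], f[11], f[12], f[16]
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        lnlen, lelen = struct.unpack_from("<HH", data, off + 26)  # local header name/extra sizes
        members.append((off, off + 30 + lnlen + lelen + csize, name, usize))
        pos += 46 + nlen + elen + clen
    members.sort()  # by offset; any adjacent pair that overlaps flags the archive
    overlaps = [(a[2], b[2]) for a, b in zip(members, members[1:]) if b[0] < a[1]]
    total = sum(m[3] for m in members)
    return total, total / len(data), overlaps
```

A real scanner would also refuse archives whose declared total exceeds a size budget before extracting anything.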

Breaking OpenPGP Keyservers

OpenPGP as we know it is on the ropes. OpenPGP is the technique that allows encryption and verification of emails through cryptographic signatures. It’s the granddaddy of modern secure communication, and still widely used today. One of the features of OpenPGP is that anyone can upload their public key to keyservers hosted around the world. Because of the political climate in the early 90’s when OpenPGP was first developed, it was decided that a baked-in feature of the keyserver was that uploaded keys could never be deleted.

Another feature of OpenPGP keys is that one user can use their key to sign another user’s key, formally attesting that it is valid. This creates what is known as a “web of trust”. When an OpenPGP instance validates a signature, it also validates all the attestations attached to that signature. Someone has spammed a pair of OpenPGP certificates with tens of thousands of signatures. If your OpenPGP client refreshes those signatures, and attempts to check the validations, it will grind to a halt under the load. Loading the updated certificate permanently poisons the offline key-store. In some cases, just the single certificate can be deleted, but some users have had to delete their entire key store.

It’s now apparent that parts of the OpenPGP infrastructure haven’t been well maintained for quite some time. [Robert J. Hansen] has been spearheading the public response to this attack, and is also one of the users directly targeted. In a follow-up post, he alluded to the need to re-write the keyserver component of OpenPGP, and the lack of resources to do so.

It’s unclear what will become of the OpenPGP infrastructure. It’s likely that the old keyserver network will have to be abandoned entirely. An experimental keyserver is available at keys.openpgp.org that has removed the spammed signatures.
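As an added example (not GnuPG's or the keyserver's code), the Python below parses RFC 4880 packet framing and counts the signature packets that follow each user ID, which is the number that explodes on a flooded certificate; a client can apply a threshold to the result before importing or refreshing a key. The sample certificate is constructed with dummy packet bodies, and build_flooded_cert is a name chosen here.

```python
"""Count certifications on an OpenPGP certificate before import (added example,
not GnuPG's code): walk RFC 4880 packet framing and count signature packets
(tag 2) after each user ID; the sample certificate below uses dummy bodies."""
import struct

TAG_SIGNATURE, TAG_PUBLIC_KEY, TAG_USER_ID = 2, 6, 13

def encode_packet(tag: int, body: bytes) -> bytes:
    """New-format header (RFC 4880 4.2.2) with a one-, two- or five-octet length."""
    n = len(body)
    if n < 192:
        length = bytes([n])
    elif n < 8384:
        length = bytes([192 + ((n - 192) >> 8), (n - 192) & 0xFF])
    else:
        length = b"\xff" + struct.pack(">I", n)
    return bytes([0xC0 | tag]) + length + body

def iter_packets(data: bytes):
    """Yield (tag, body) for old- and new-format headers; streamed lengths are rejected."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if ctb & 0x40:  # new format: tag in the low 6 bits, then a 1/2/5-octet length
            tag, first = ctb & 0x3F, data[pos + 1]
            if first < 192:
                n, hdr = first, 2
            elif first < 224:
                n, hdr = ((first - 192) << 8) + data[pos + 2] + 192, 3
            elif first == 255:
                n, hdr = struct.unpack_from(">I", data, pos + 2)[0], 6
            else:
                raise ValueError("partial body lengths not supported here")
        elif ctb & 0x80:  # old format: tag in bits 2-5, length-type in the low 2 bits
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 3
            if ltype == 3:
                raise ValueError("indeterminate length not supported here")
            hdr = 1 + (1 << ltype)
            n = int.from_bytes(data[pos + 1:pos + hdr], "big")
        else:
            raise ValueError(f"bad packet tag byte at {pos}")
        yield tag, data[pos + hdr:pos + hdr + n]
        pos += hdr + n

def certifications_per_uid(cert: bytes) -> dict:
    """Signature packets following each user ID (the self-signature counts too)."""
    counts, current = {}, None
    for tag, body in iter_packets(cert):
        if tag == TAG_USER_ID:
            current = body.decode("utf-8", "replace")
            counts[current] = 0
        elif tag == TAG_SIGNATURE and current is not None:
            counts[current] += 1
    return counts

def build_flooded_cert(uid: str, n_sigs: int) -> bytes:
    """Constructed certificate: dummy key packet, one user ID, n_sigs dummy signatures."""
    cert = encode_packet(TAG_PUBLIC_KEY, b"\x04" + b"\x00" * 20)
    cert += encode_packet(TAG_USER_ID, uid.encode())
    return cert + encode_packet(TAG_SIGNATURE, b"\x04" + b"\x10" * 300) * n_sigs
```

GnuPG's own mitigation, shipped in 2.2.17, was to apply the `self-sigs-only` and `import-clean` keyserver import options by default so that third-party certifications fetched from a keyserver are dropped.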

Beware the QR Codes

Link shorteners are a useful way to avoid typing out a long URL, but have a downside — you don’t know what URL you’re going to ahead of time. Thankfully there are link unshorteners, like unshorten.it. Paste a shortlink and get the full URL, so you don’t accidentally visit a shady website because you clicked on a shortened link. [Nick Guarino] over at cofense.com raises a new alarm: QR codes can similarly lead to malicious or questionable websites, and are less easily examined before scanning. His focus is primarily how a QR code can be used to bypass security products in order to launch a phishing attack.

Most QR scanners have an option to automatically navigate to the web page in the code. Turn this option off. Not only could scanning a QR code lead to a malicious web site, but URLs can also launch actions in other apps. This potential problem of QR codes is very similar to the problem of shortened links — the actual payload isn’t human readable prior to interacting with it, when it’s potentially too late.
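An added example (not from the cofense.com write-up) of the “show, don’t open” step a scanner can take: a Python triage of a decoded payload that separates plain text, links that hand off to another app, and web links, and flags the shortener and host-obfuscation cases that hide the real destination. The shortener and app-scheme lists are constructed samples, not authoritative ones.

```python
"""Triage a decoded QR payload before anything acts on it (added example, not
code from the cofense.com write-up). A 'show, don't open' scanner would display
this verdict instead of navigating; the shortener list is a constructed sample."""
import ipaddress
from urllib.parse import urlsplit

SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly", "is.gd"}
# Schemes that hand the payload to another app (dialer, SMS, mail, maps, store) rather than a browser.
APP_SCHEMES = {"tel", "sms", "smsto", "mailto", "geo", "intent", "market", "itms-services", "wifi"}

def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def triage(payload: str) -> dict:
    """Classify a payload; auto_open_ok is True only for an unflagged https link."""
    text = payload.strip()
    parts = urlsplit(text)
    scheme = parts.scheme.lower()
    verdict = {"kind": "web", "flags": [], "auto_open_ok": False, "display": text}
    if not scheme:
        verdict["kind"] = "text"  # vCards, plain text, etc.: nothing to open
        return verdict
    if scheme in APP_SCHEMES:
        verdict.update(kind="app-action", flags=[f"{scheme}: launches another app"])
        return verdict
    if scheme not in ("http", "https"):
        verdict.update(kind="unknown-scheme", flags=[f"unrecognised scheme {scheme}"])
        return verdict
    host, flags = (parts.hostname or "").lower(), verdict["flags"]
    if host in SHORTENER_HOSTS:
        flags.append("link shortener: destination not visible")
    if parts.username is not None:
        flags.append(f"userinfo before host: real host is {host}, not {parts.username}")
    if _is_ip_literal(host):
        flags.append("raw IP address as host")
    if host.startswith("xn--") or ".xn--" in host:
        flags.append("punycode label (possible homograph)")
    if scheme == "http":
        flags.append("plaintext http")
    verdict["auto_open_ok"] = not flags
    return verdict
```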

Dereferencing Pointers for Fun and Profit

On the 10th, the ESET blog, [welivesecurity], covered a Windows local privilege escalation 0-day being actively exploited in the wild. The exploit highlights several concepts, one of which we haven’t covered before, namely how a null pointer dereference can be used in an exploit.

In C, a pointer is simply a variable that holds a memory location. In that memory location can be a data structure, a string, or even a callable function. By convention, when pointers aren’t referring to anything, they are set to NULL. This is a useful way to quickly check whether a pointer is pointing to live data. The process of interacting with a pointer’s data is known as dereferencing the pointer. A NULL pointer dereference, then, is accessing the data referred to by a pointer that is set to NULL. This puts us in the dangerous territory of undefined behavior.

Different compilers, architectures, and even operating systems will potentially demonstrate different behavior when doing something undefined. In the case of C code on 32-bit Windows 7, NULL is indistinguishable from zero, and memory location zero is a perfectly valid location. In this case, we’re not talking about the physical location zero, but logical address zero. In modern systems, each process has a dedicated pool of memory, and the OS manages the offset and memory mapping, allowing the process to use the simpler logical memory addressing.

Windows 7 has a function, “NtAllocateVirtualMemory”, that allows a process to request access to arbitrary memory locations. If a NULL, or zero, is passed to this function as the memory location, the OS simply picks a location to allocate that memory. What many consider a bug is that this function will effectively round down small memory locations. It’s quite possible to allocate memory at logical address 0/NULL, but this is considered to be bad behavior. The important takeaway here is that in Windows 7, a program can allocate memory at a location referred to by a null pointer.

On to the vulnerability! The malicious program sets up a popup menu and submenu as part of its GUI. While this menu is still being initialized, the malicious program cancels the request to set up the menu. By timing the cancellation request precisely, it’s possible for the submenu to still be created, but to be a null pointer instead of the expected object. A second process can then trigger the system process to call a function expected to be part of the object. Because Windows allows the allocation of memory page zero, this effectively hands system level execution to the attacker. The full write-up is worth the time to check out.

Zoom Your Way to Vulnerability

Zoom is a popular web-meeting application, aimed at corporations, with the primary selling point being how easy it is to join a meeting. Apparently they worked a bit too hard on easy meeting joins, as loading a malicious webpage on a Mac causes an automatic meeting join with the mic and webcam enabled, so long as that machine has previously connected to a Zoom meeting. You would think that uninstalling the Zoom client would be enough to stop the madness, but installing Zoom also installs a local webserver. Astonishingly, uninstalling Zoom doesn’t remove the webserver, which was designed to perpetually listen for a new Zoom meeting attempt. If that sounds like a Trojan to you, you’re not wrong.

The outcry over Zoom’s official response was enough to inform them of the error of their ways. They have pushed an update that removes the hidden server and adds a user interaction before joining a meeting. Additionally, Apple has pushed an update that removes the hidden server if present, and prompts before joining a Zoom meeting.

Wireless Keyboards Letting You Down

Have you ever typed your password using a wireless keyboard, and wondered if you just broadcast it in the clear to anyone listening? In theory, wireless keyboards and mice use encryption to keep eavesdroppers out, but at least Logitech devices have a number of problems in their encryption scheme.

Part of the problem seems to be Logitech’s “Unifying” wireless system, and the emphasis on compatibility. One receiver can support multiple devices, which is helpful when eliminating cable clutter, but also weakens the encryption scheme. An attacker only has to be able to monitor the radio signals during pairing, or to monitor signals while also observing keypresses. Either way, a few moments of processing, and an attacker has both read and write access to the wireless gear.

Several even more serious problems have been fixed with firmware updates in past years, but [Marcus Mengs], the researcher in question, discovered that newly purchased hardware still doesn’t contain the updated firmware. Worse yet, some of the affected devices don’t have an officially supported firmware update tool.

Maybe wired peripherals are the way to go, after all!

Paint The Rainbow With This Skittle-Dropping Pixel Art Robot

We hackers just can’t get enough of sorters for confections like Skittles and M&Ms, the latter clearly being the superior candy in terms of both sorting and snackability. Sorting isn’t just about taking a hopper of every color and making neat monochromatic piles, though. [JohnO3] noticed that all those colorful candies would make dandy pixel art, so he built a bot to build up images a Skittle at a time.

Dubbed the “Pixel8R” after the eight colors in a regulation bag of Skittles, the machine is a largish affair with hoppers for each color up top and a “canvas” below with Skittle-sized channels and a clear acrylic cover. The hoppers each have a rotating disc with a hole to meter a single Skittle at a time into a funnel which is connected to a tube that moves along the top of the canvas one column at a time. [JohnO3] has developed a software toolchain to go from image files to Skittles using GIMP and a Python script, and the image builds up a row at a time until 2,760 Skittle-pixels have been placed.

The downside: sorting the Skittles into the hoppers. [JohnO3] does this manually now, but we’d love to see a sorter like this one sitting up above the hoppers. Or, he could switch to M&Ms and order single color bags. But where’s the fun in that?

[via r/arduino]

Preserving Precious Laptop Stickers

Stickers belong on laptops. That’s not just because all developers are issued a 2015 MacBook Pro at birth to zealously hold and cherish for the rest of their careers, and the vast uniformity of laptop models in the workplace makes each individual’s laptop indistinguishable from anyone else’s. No, stickers belong on laptops because that ‘RUN GCC’ sticker is just so good. But how do you keep a laptop stickered up while not hurting the resale value or worrying about sticky residue left behind? That’s the question [Graham] answered, and the answer may surprise you.

The problem is such: there must be a way to apply stickers to a MacBook that is invisible, removable, and leaves no trace after being removed, even after years of enjoying a bestickered laptop. The first thought turned to old-style screen protectors for a phone, but this had problems: they’re glossy, and sourcing a large sheet of screen protectors proved difficult.

After some research, it turned out there was a market with similar requirements: car wraps. Yes, you can wrap your car in vinyl that’s any color you want, including whatever Apple is calling their plain aluminum finish these days. As far as a protector for an aluminum MacBook, it looks good: it doesn’t leave any residue behind, it’s strong enough to survive on a car, so it’s probably good enough for a laptop on a desk, and it’s easy to apply.

With some stickers applied to this larger sticker, everything looked good and lived up to a few months of abuse. Then came the real test: could this MacBook wrap be removed with all the other stickers intact? Yes, and you can frame the result. While this is only a test of the aluminum-colored MacBook, vehicle wraps come in nearly every color imaginable. There is apparently a vinyl that looks like Space Gray, and if you want Thinkpad Black, you can get that wrap, too.

Lessons Learned From An Art Installation Build

Art installations are an interesting business, which more and more often tend to include electronic or mechanical aspects to their creation. Compared to more mainstream engineering, things in this space are often done quite a bit differently. [Jan Enning-Kleinejan] worked on an installation called Prendre la parole, and shared the lessons learned from the experience.

The installation consisted of a series of individual statues, each with an LED light fitted. Additionally, each statue was fitted with a module that was to play a sound when it detected visitors in proximity. Initial designs used mains power, however for this particular install battery power would be required.

Arduinos, USB power banks and ultrasonic rangefinders were all thrown into the mix to get the job done. DFplayer modules were used to run sound, and Grove System parts were used to enable everything to be hooked up quickly and easily. While this would be a strange choice for a production design, it is common for art projects to lean heavily on rapid prototyping tools. They enable inexperienced users to quickly and effectively whip up a project that works well and at low cost.

[Jan] does a great job of explaining some of the pitfalls faced in the project, as well as reporting that the installation functioned near-flawlessly for 6 months, running 8 hours a day. We love to see a good art piece around these parts, and we’ve likely got something to your tastes – whether you’re into harmonicas, fungus, or Markov chains.

The Physics Behind Antennas

If you have done any sort of radio work you probably have a fair idea about what antennas do. It is pretty easy to have a cursory understanding of them, too. You probably know there’s something magic about antennas that are a quarter wave long or a half wave long and other multiples. But do you know why that matters? Do you understand the physics of why wire in a special configuration will cause signals to propagate through space? [Learn Engineering] does, and their new video is one of the best graphical explanations of what’s really going on in an antenna that we’ve seen. You can watch the video below.

If you tackle antennas using math, it is a long discussion. However, this video is about 8 minutes long and uses some great graphics to show how moving charges can produce a propagating electromagnetic field.


Motorized Lens Controller Techs Up Your Webcam

If you’re familiar with the DSLR camera market, you’d know that modern lenses are works of technological art. Crammed full of motors and delicate electronic assemblies, they’re bursting with features such as autofocus, optical stabilization and zoom. [Saulius Lukse] has been experimenting with motorized lenses for webcam applications, and has built a controller to make working with them a snap.

The controller is capable of controlling up to 3 stepper motors, as well as a voice coil, which should be enough for the vast majority of lenses out there. Microstepping is supported, which is key for optical systems in which tiny adjustments can make a big difference. The controller speaks USB and I2C, and is now based on an STM32 chip, having been upgraded from an earlier version which used the venerable ATmega328. The board is designed to be as compact as possible, to enable it to neatly fit inside camera and lens assemblies.

The board has been used to successfully control an 18x zoom lens, among others. Combining such a lens with a webcam and a good pan and tilt mechanism would create a highly capable surveillance package, or an excellent vision system for a robot.

It’s not the first time we’ve seen work from [Kurokesu] in these parts – they’ve done work on pedestrian detection before, too.

This Nerf Gun Is Terrifyingly Huge

Gatling guns were an early attempt at creating a rapid-firing weapon, and were popular amongst armies in the 19th century. Today, the basic design remains in use as a heavy weapon for putting many rounds downrange very quickly. [Ivan Miranda] decided that the Nerf world was missing a piece of the action, and got started on his own design (Youtube link, embedded below).

As per most [Ivan] builds, this one is a glorious pile of 3D printed parts turned into something functional and fun. It’s an ingenious design that’s more a Gatling in spirit than reality as it lacks the multiple barrels of the original, and it uses smart ducting to allow a single electric fan to both fire the foam Nerf balls as well as suck them in to reload the next shot. In testing, it achieved a muzzle velocity of 60 mph, firing at a rate of approximately 10 rounds/second. The presentation is great too, with plenty of cable wrap, meaty switches, and glowing lights to add to the aesthetic. There are even a couple of bright LED lamps on the front to help dazzle your targets into submission.

Once again, [Ivan]’s work is a great example of what is achievable with a 3D printer and smart design. His water jet drive ain’t bad, either. Video after the break.
