Apple Kernel Code Vulnerability Affected All Devices

Another day, another vulnerability. Discovered by [Kevin Backhouse], CVE-2018-4407 is a particularly serious problem because it is present throughout Apple’s product line, from the MacBook to the Apple Watch. The flaw is in the XNU kernel shared by all of these products.

This is a buffer overflow in the kernel’s error handling for network packets. The code assumes the header of the offending packet has a fixed length and copies it without checking, so a longer header writes past the end of the buffer. The fact that Apple’s XNU kernel powers all their products is remarkable, but issues like this are a reminder of the potential downside to that approach. Thanks to responsible disclosure, a patch was pushed out in September.

Anatomy of a Buffer Overflow

Buffer overflows aren’t new, but a reminder of what exactly is going on might be in order. In low-level languages like C, the programmer manages memory manually: they allocate a buffer, setting aside a certain number of bytes for a given use. A buffer overflow occurs when the program writes more bytes into that buffer than were allocated, spilling past the intended limit into adjacent memory that is most likely in use for something else. In short, the excess is written over memory that may hold other data, control information such as pointers and return addresses, or even executable code.

With a buffer overflow vulnerability, an attacker controls what lands in that out-of-bounds memory. In the textbook case they write their own code there and then manipulate the program into jumping to it; on modern systems, non-executable memory and address randomization make that harder, so the overflow is more often used to corrupt a return address or function pointer and steer execution into code that is already present. Either way, the result is referred to as arbitrary code execution, and a kernel overflow that can’t be steered that precisely still crashes the machine. [Computerphile] has a great walk-through on buffer overflows and how they lead to code execution.

This Overflow Vulnerability Strikes Apple’s XNU Kernel

[Kevin] took the time to explain the issue he found in further depth. The vulnerability stems from the kernel code making an assumption about incoming packets. ICMP error messages are sent automatically in response to various network events; the one most of us have met is “port unreachable”, which a host returns when a datagram arrives at a closed port (a firewall that rejects rather than silently drops traffic sends the same kind of error) and which shows up to the user as “connection refused”. Such an ICMP error quotes the IP header of the packet that triggered it. The XNU code that builds the reply assumes the incoming header is always the standard length, and copies it into a buffer without first checking. An IP header carrying options can be longer than that, and those extra bytes are what overflow the buffer.

Because of the role ICMP plays in communicating network status, a firewall that blocks ports isn’t enough to mitigate the attack: the error reply is generated precisely because a packet arrived at a closed port, so the vulnerability still triggers. Aside from updating to a patched OS release, the only mitigation is to run the macOS firewall in what it calls “stealth mode”. This mode doesn’t respond to pings and, more importantly, silently drops packets rather than sending ICMP error responses. This mitigation isn’t available on watchOS and iOS devices.

The good news about the vulnerability is that a packet malformed in this way has little chance of being passed through a router at all. An attacker must be on the same local network in order to deliver the malicious packet. The most likely attack vector, then, is the public WiFi at the local coffee shop.
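To make the failure concrete, here is an added example in C. It is not XNU’s code; the function names, the packet layout and the TEST-NET addresses are constructed for illustration. `ipv4_header_len()` reads the IHL field, which makes an IPv4 header anywhere from 20 to 60 bytes long; `fixed_header_overrun()` shows how far a copy sized for the 20-byte minimum would run past its buffer when the header carries options; and `build_icmp_error()` builds an ICMP error that quotes the offending header plus eight bytes of payload, as RFC 792 specifies, with the capacity check that turns an overflow into a rejected packet. `make_udp_probe()` constructs the sample datagrams.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IP_MIN_HDR   20   /* IHL = 5 words, no options */
#define IP_MAX_HDR   60   /* IHL is a 4-bit field, so at most 15 words */
#define ICMP_HDR      8   /* type, code, checksum, 4 type-dependent bytes */
#define QUOTE_BYTES   8   /* RFC 792: quote the IP header plus 64 bits of payload */

/* Standard Internet checksum (RFC 1071) over len bytes, big-endian words. */
static uint16_t inet_checksum(const uint8_t *data, size_t len) {
    uint32_t sum = 0;
    while (len > 1) {
        sum += (uint32_t)((data[0] << 8) | data[1]);
        data += 2;
        len -= 2;
    }
    if (len)
        sum += (uint32_t)(data[0] << 8);
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Validated IPv4 header length in bytes (IHL * 4), or 0 if the header is
 * not IPv4, claims fewer than 20 bytes, or claims more bytes than we hold. */
size_t ipv4_header_len(const uint8_t *pkt, size_t len) {
    if (len < IP_MIN_HDR || (pkt[0] >> 4) != 4)
        return 0;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < IP_MIN_HDR || ihl > len)
        return 0;
    return ihl;
}

/* How many bytes a copy that assumes a 20-byte header would write past a
 * buffer sized for that assumption. 0 for a valid header without options. */
size_t fixed_header_overrun(const uint8_t *pkt, size_t len) {
    size_t ihl = ipv4_header_len(pkt, len);
    return ihl > IP_MIN_HDR ? ihl - IP_MIN_HDR : 0;
}

/* Build an ICMP error (e.g. type 3 code 3, port unreachable) quoting the
 * offending datagram. Returns the message length, or -1 when the datagram is
 * malformed or the quote would not fit in out_cap. That capacity check is
 * the step the article describes as missing. */
int build_icmp_error(uint8_t *out, size_t out_cap, uint8_t type, uint8_t code,
                     const uint8_t *pkt, size_t pkt_len) {
    size_t ihl = ipv4_header_len(pkt, pkt_len);
    if (ihl == 0)
        return -1;
    size_t quote = ihl + QUOTE_BYTES;
    if (quote > pkt_len)
        quote = pkt_len;                  /* short datagram: quote what exists */
    size_t need = ICMP_HDR + quote;
    if (need > out_cap)
        return -1;                        /* never write past the buffer */
    memset(out, 0, ICMP_HDR);
    out[0] = type;
    out[1] = code;
    memcpy(out + ICMP_HDR, pkt, quote);
    uint16_t sum = inet_checksum(out, need);
    out[2] = (uint8_t)(sum >> 8);
    out[3] = (uint8_t)(sum & 0xff);
    return (int)need;
}

/* Constructed sample: an IPv4/UDP datagram from 192.0.2.10 to 192.0.2.1 with
 * a header of hdr_len bytes (options padded with NOP) and 4 bytes of payload.
 * The IP checksum is left zero; it plays no part in this demonstration.
 * Returns the datagram length, or 0 if hdr_len is invalid or buf too small. */
size_t make_udp_probe(uint8_t *buf, size_t cap, size_t hdr_len) {
    static const uint8_t payload[4] = { 'p', 'i', 'n', 'g' };
    size_t total = hdr_len + 8 + sizeof payload;
    if (hdr_len < IP_MIN_HDR || hdr_len > IP_MAX_HDR || hdr_len % 4 || total > cap)
        return 0;
    memset(buf, 0, total);
    buf[0] = (uint8_t)(0x40 | (hdr_len / 4));     /* version 4, IHL in words */
    buf[2] = (uint8_t)(total >> 8);
    buf[3] = (uint8_t)total;
    buf[8] = 64;                                   /* TTL */
    buf[9] = 17;                                   /* protocol: UDP */
    buf[12] = 192; buf[13] = 0; buf[14] = 2; buf[15] = 10;   /* source */
    buf[16] = 192; buf[17] = 0; buf[18] = 2; buf[19] = 1;    /* destination */
    for (size_t i = IP_MIN_HDR; i < hdr_len; i++)
        buf[i] = 0x01;                             /* IP option: NOP */
    uint8_t *udp = buf + hdr_len;
    udp[0] = 0xc3; udp[1] = 0x50;                  /* source port 50000 */
    udp[2] = 0x82; udp[3] = 0x9a;                  /* destination port 33434 */
    udp[5] = (uint8_t)(8 + sizeof payload);        /* UDP length */
    memcpy(udp + 8, payload, sizeof payload);
    return total;
}
```

For a datagram with a maximal 60-byte header, the 36-byte reply buffer that suffices for an optionless packet is 40 bytes short; the hardened builder returns -1 instead of writing those bytes, while a 128-byte buffer yields a 76-byte ICMP message whose checksum verifies.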

Come back after the break for a demonstration of this attack in action.


Corporate Badgelife: Oracle’s Code Card

We tend to think of elaborate electronic conference badges as something limited to the hacker scene, but it looks like the badgelife movement is starting to hit the big time. Now even the “big boys” are getting into the act, and pretty soon you won’t be able to go to a stuffy professional conference without seeing a sea of RGB LEDs firing off. We’ll let the good readers of Hackaday determine if this means it’s officially post-cool or not.

[Noel Portugal] writes in to tell us about how he created the “Code Card” during his tenure with the Oracle Groundbreakers Team. Featuring an ESP8266 and an e-ink screen, the Code Card serves not only as swanky way of identifying yourself, but as a real-world demonstration of physical devices pulling content from Oracle’s Cloud. Gotta keep those corporate overlords happy.

The Code Card is a fairly simple piece of hardware as far as badges go these days, but then the goal was never to be flashy. It does feature dual four-pin Grove System connectors on the backside though, so you can plug in additional sensors and gadgets for the customary badge hacking sessions.

To maximize runtime on the rechargeable coin cell battery, the Code Card only turns on the ESP after the user has pressed one of the buttons on the front. Once the ESP has finished performing whatever task the user requested, it’s powered back off completely rather than put into standby. Combined with the e-ink screen, power consumption while the device isn’t actively updating the display or pulling down new content is negligible.

[Noel] really went all-out on the software side, going as far as developing a web application which let conference attendees configure their Code Cards from their smartphones. Different functions could be assigned to short and long presses on the badge’s two buttons, and users could even select icons for the various functions from a list of images included in the firmware. A feature where attendees could upload their own images didn’t make the cut, but that surely won’t stop people from hacking around in the published Arduino source code and figuring out how to do it manually.

If you think the Code Card looks a bit familiar, it’s perhaps because it was designed in conjunction with Squarofumi, creators of the Badgy. So even if you aren’t hitting up any of Oracle’s upcoming conferences, you’re not completely out of luck if you want an e-ink badge to play with.

The Modern Analog Soldering Station

There is a certain sense of accomplishment that comes from building your own tools. This is what [Alejandro Velazquez] was going for when he built his own soldering station. Sure, you can get a decent station for a pittance on Amazon or eBay. You can even build your own microprocessor-controlled station. [Alejandro] is currently interested in analog electronics, so he went that route to build his own closed-loop station.

The handle is a 50-watt, 24-volt affair with a thermocouple. You can find this handle on many Hakko 907 clone soldering stations, often referred to as the 907A. The station itself is completely analog. A triac switches the current going to the heater. The triac is controlled by a PWM signal. The PWM itself is generated and regulated by an LM324 quad op-amp, which is the heart of the station. The op-amp compares the setpoint with the current temperature read from the soldering handle’s thermocouple, then adjusts the duty cycle of the PWM signal to raise or lower the temperature.

It’s a classic control system, and the schematic is definitely worth checking out if you want to understand how op-amps can be used to create complex operations.

You can find plenty more information on analog electronics right here on Hackaday — we’ve covered thermocouple amplifiers, as well as instrumentation amps. If you’re more of a digital man, check out this Arduino controlled soldering station!

7 Segment Clockwork Display Made From Cardboard

We’ve seen a variety of oddball 7-segment displays in the past, but this one uses a new material, both for the display and for the mechanism that drives it: cardboard. Yup, the whole thing is made from cardboard, wood and a few rubber bands. [The Q] shows how he put it together in this nice video, starting from first principles that show how the segments are made: simple pieces of cardboard painted on one side with fluorescent paint. A piece of wood pushes the element out to blank it, and each element is connected to a cam wheel that pushes the wood in or out.

The really clever bit is that [The Q] mapped digits 0 – 9 onto a matrix of which of the 7 segments is “on” or “off”. He then used this information to create a stack of 7 cams on a central axle. As you rotate the axle, the cams turn, moving the wooden arms. The arms then cause the elements to flip as they count up through the digits. In essence, he engineered a physical decimal to 7-segment decoder, much like the electronic one inside the SN74LS47. The whole assembly is capped by a knob that indicates which digit is currently displayed. If mechanical displays like this are your thing, check out this one made from LEGO parts, or this awesome 3D printed creation.


Speak Your WiFi

When you create a Thing for the Internet of Things, you’ve made a little computer that does a simple job and which probably has a minimal interface. But minimal interfaces leave little room for configuration, such as entering WiFi details. Perhaps if you made the Thing yourself you’ve hard-coded your WiFi credentials in your code, but that hardly translates to multiple instances. So, how to put end-user WiFi credentials easily on more than one Thing? Perhaps [Rob Dobson] has the answer with his technique of sending them as a sequence of audible tones.

There is a piece of JavaScript code running in a browser into which you enter your WiFi credentials; these are then played through the speaker as a sequence of FSK tones, to be picked up by a microphone on the Thing, decoded back into the credentials, and used to connect. All the code is available on GitHub, should you fancy trying it yourself.

Of course, this is nothing new, as any owner of an 8-bit machine with a cassette interface will tell you. And on the face of it, it’s much easier than those awkward impromptu hotspots with a web interface to which you connect and hand over your credentials. But while we quite like the convenience, we can’t help wondering whether broadcasting the credentials as sound in free space is a bit too insecure for many readers: anyone within earshot with a microphone and the published decoder can recover them just as the Thing does. The technique itself remains valid, and we’re sure that other, less sensitive applications can be found for it. Meanwhile we hope he hasn’t inadvertently shared his WiFi password in the video below the break.
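The modem described above, reduced to its essentials in C as an added example. This is not [Rob]’s code (his is JavaScript in the browser and firmware on the Thing); the tone frequencies, baud rate and sample rate are constructed, and the function names are invented. `fsk_modulate()` turns bytes into binary FSK audio and `fsk_demodulate()` recovers them with a Goertzel detector per bit. The point for the security question is that `fsk_demodulate()` is also the eavesdropper: it needs nothing but the modem parameters, which any such project publishes with its decoder, and a microphone in range. `simulate_far_mic()` attenuates and coarsely quantizes the audio to stand in for a listener across the room, and the credentials still come back intact.

```c
#include <stddef.h>
#include <stdint.h>

/* Modem parameters. Constructed for this example; they are the kind of
 * values a project publishes with its decoder, so a listener knows them too. */
#define SAMPLE_RATE     8000
#define BAUD             100
#define SAMPLES_PER_BIT (SAMPLE_RATE / BAUD)   /* 80 samples per bit */
#define AMPLITUDE       0.5f

/* Per-sample phase advance for the two tones as (cos, sin) pairs, so no libm:
 * 1200 Hz ("0") advances 54 degrees per sample, 2200 Hz ("1") advances 99.
 * Both tones complete a whole number of cycles per bit (12 and 22), so the
 * Goertzel detectors below are orthogonal: a pure tone leaks nothing into
 * the other detector. Index 0 is the "0" tone, index 1 the "1" tone. */
static const double COS_STEP[2] = { 0.58778525229247, -0.15643446504023 };
static const double SIN_STEP[2] = { 0.80901699437495,  0.98768834059514 };

/* Modulate len bytes, MSB first, as continuous-phase binary FSK.
 * Returns the number of samples written, or 0 if out is too small. */
size_t fsk_modulate(const uint8_t *data, size_t len, float *out, size_t cap) {
    size_t n = len * 8 * SAMPLES_PER_BIT;
    if (n > cap)
        return 0;
    double c = 1.0, s = 0.0;   /* phasor (cos, sin) of the current phase */
    size_t idx = 0;
    for (size_t i = 0; i < len; i++) {
        for (int b = 7; b >= 0; b--) {
            int bit = (data[i] >> b) & 1;
            for (int k = 0; k < SAMPLES_PER_BIT; k++) {
                out[idx++] = (float)(AMPLITUDE * s);
                /* rotate the phasor by this tone's step angle */
                double nc = c * COS_STEP[bit] - s * SIN_STEP[bit];
                double ns = s * COS_STEP[bit] + c * SIN_STEP[bit];
                c = nc;
                s = ns;
            }
        }
    }
    return idx;
}

/* Goertzel energy of one tone over a bit window; coeff = 2*cos(step). */
static double tone_energy(const float *x, size_t n, int bit) {
    double coeff = 2.0 * COS_STEP[bit];
    double s1 = 0.0, s2 = 0.0;
    for (size_t i = 0; i < n; i++) {
        double s0 = x[i] + coeff * s1 - s2;
        s2 = s1;
        s1 = s0;
    }
    return s1 * s1 + s2 * s2 - coeff * s1 * s2;
}

/* Demodulate len bytes from samples. This is all an eavesdropper needs: the
 * published tone frequencies and baud rate, and a microphone in range.
 * Returns len on success, 0 if there are too few samples. */
size_t fsk_demodulate(const float *samples, size_t nsamples, uint8_t *out, size_t len) {
    if (nsamples < len * 8 * SAMPLES_PER_BIT)
        return 0;
    for (size_t i = 0; i < len; i++) {
        uint8_t byte = 0;
        for (int b = 0; b < 8; b++) {
            const float *win = samples + (i * 8 + (size_t)b) * SAMPLES_PER_BIT;
            double e0 = tone_energy(win, SAMPLES_PER_BIT, 0);
            double e1 = tone_energy(win, SAMPLES_PER_BIT, 1);
            byte = (uint8_t)((byte << 1) | (e1 > e0 ? 1 : 0));
        }
        out[i] = byte;
    }
    return len;
}

/* Simulate a distant microphone: attenuate by gain and quantize to 8-bit
 * samples, the way a cheap ADC would. Operates in place. */
void simulate_far_mic(float *samples, size_t n, float gain) {
    for (size_t i = 0; i < n; i++) {
        int q = (int)(samples[i] * gain * 127.0f);   /* truncate to 8-bit range */
        if (q > 127) q = 127;
        if (q < -127) q = -127;
        samples[i] = (float)q / 127.0f;
    }
}
```

Modulating a constructed `ssid=...;psk=...` string, passing the audio through `simulate_far_mic()` at a fifth of the original level, and demodulating recovers every byte. Real rooms add echo, noise and clock drift that this toy ignores, but nothing in the channel ever depended on the listener being the intended Thing.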


This Weekend: The Greatest Hardware Conference

The Hackaday Superconference is this weekend and it’s the greatest hardware con on the planet. Tickets are completely sold out, but you can still get in on the fun by watching the livestream and joining Supercon chat.

For everyone who will be here in person, the entire Hackaday crew is busy as beavers preparing for your arrival. We’re assembling badges, rigging AV for the talks, stuffing goodie bags, calling caterers, and taping cables to the floor. This is by far the biggest Superconference yet.

Doors open at 9 am Friday at the Supplyframe HQ. This is your first chance to get your hands on the fantastic Supercon Badge that’s a freakin’ computer. The day is filled with badge hacking, workshops, badge talks, and a launch party. [Rich Hogben] and [Andrew Bakhit] will be doing live IDM sets on Friday night, as we celebrate into the wee hours of the morning.

Saturday, doors open at 9 am over at the Supplyframe Design Lab as we turn on the livestream and get the main event under way with over 50 speakers and workshops. Badge hacking continues throughout the weekend, and this year we’ve added the SMD Soldering Challenge to the fun. There will be meetups during Supercon; the Tindie meetup and the amateur radio meetup are both Saturday at 1 pm.

Subscribe to Hackaday on YouTube and follow us on Facebook to keep up with everything going on.

The Swiss Army Knife Of Audio Synthesis

Thirty years ago, we would be lucky if a computer could play audio. Take a computer from twenty years ago, and you’ll be lucky if it can play an MP3 in real-time. Now, computers can handle hundreds of tracks of CD-quality audio, and microcontrollers are several times more powerful than a desktop computer of the mid-90s. This means, of course, that microcontrollers can do audio very, very well. For his entry to the Hackaday Prize, [Fabien] is capitalizing on this power to create a Swiss Army knife of audio synthesis. It’s called the Noise Nugget, and it’s just what you need when you want to put audio in anything.

The microcontroller in question is an ARM Cortex-M4 running at 180MHz, with a quality DAC. There’s connectivity in the form of USB, two audio outs, one audio in, I2C, UART, and GPIOs. With this, you’ve got a digital synthesizer with a MIDI interface, audio effects for guitar pedal tomfoolery, an audio effect trigger board for playing pre-recorded sounds, a digital recorder, and a USB sound interface.

So, with all that processing power, what can the Noise Nugget actually do? Well, first of all, it’s a sampler. [Fabien] has a video demo of the Noise Nugget set up in sampler mode, where it can play a lute-ish sample and a cat sound. All of this is controlled over MIDI and played through a cheap speaker. The results — except for the cat sample — sound great. You can check that video out below.
