This Week In Security: The Rest Of The IPv6 Story, CVE Hunting, And Hacking The TSA

We finally have some answers about the Windows IPv6 vulnerability — and a Proof of Concept! The patch was a single change in the Windows TCP/IP driver’s Ipv6pProcessOptions(), which now calls IppSendError() instead of IppSendErrorList(). That’s not very helpful on its own, which is why [Marcus Hutchins]’s analysis is so useful here. And it’s not an easy task, since decompiled code like this doesn’t give us variable names.

The first question that needs answering is: what is the list in question? This code handles the option field in incoming IPv6 packets. The object being manipulated is a linked list of packet structs, and that linked list is almost always a single-member list. When IppSendErrorList() is called on a list with a single member, it’s functionally equivalent to the IppSendError() in the fixed code. The flaw must therefore be in the handling of a list with multiple members. The only way to meet that criterion is to send a lot of traffic at the machine in question, so that it can’t quite keep up with processing packets one at a time. To handle the high throughput, Windows assembles incoming packets into a linked list and processes them in a batch.

So what’s next? IppSendErrorList() takes a boolean and passes it on to each call of IppSendError(). We don’t know what Microsoft’s variable name is, but [Marcus] is calling it always_send_icmp, because setting it to true means that each packet processed will generate an ICMP packet. The important detail is that IppSendError() can have side effects. There is a code path where the packet gets reverted, and the processing pointer is set back to the beginning of the packet. That’s fine for the first packet in the list, but because the function processes errors on the entire list of packets, the state of the rest of those packets is now very different from what the caller expects.

This unexpected bit of weirdness can be further abused through IPv6 packet fragmentation. With a bit of careful setup, the reversion can cause a length counter to underflow, resulting in data structure corruption, and finally jumping code execution into the packet data. That’s the Remote Code Execution (RCE). And the good news, beyond the IPv6-only nature of the flaw, is that so far it’s been difficult to actually pull the attack off, as it relies on this somewhat non-deterministic “packet coalescing” behaviour to trigger the flaw.


New 2 GB Raspberry Pi 5 Has Smaller Die And 30% Lower Idle Power Usage

Recently Raspberry Pi released the 2 GB version of the Raspberry Pi 5 with a new BCM2712 SoC featuring the D0 stepping. As expected, [Jeff Geerling] got his mitts on one of these boards and ran it through its paces, with positive results. Well, mostly positive results — as the Geekbench test took offence to the mere 2 GB of RAM on the board and consistently ran out of memory by the multi-core Photo Filter test, as feared when we originally reported on this new SBC. Although using swap is an option, this would not have made for a very realistic SoC benchmark, ergo [Jeff] resorted to using sysbench instead.

Naturally some overclocking was also performed, to truly push the SoC to its limits. This boosted the clock speed from 2.4 GHz all the way up to 3.5 GHz with the sysbench score increasing from 4155 to 6068. At 3.6 GHz the system wouldn’t boot any more, but [Jeff] figured that delidding the SoC could enable even faster speeds. This procedure also enabled taking a look at the bare D0 stepping die, revealing it to be 32.5% smaller than the previous C1 stepping on presumably the same 16 nm process.

Although 3.5 GHz turns out to be a hard limit for now, the power usage was interesting with idle power being 0.9 watts lower (at 2.4 W) for the D0 stepping and the power and temperatures under load also looked better than the C1 stepping. Even when taking the power savings of half the RAM versus the 4 GB version into account, the D0 stepping seems significantly more optimized. The main question now is when we can expect to see it appear on the 4 and 8 GB versions of the SBC, though the answer there is likely ‘when current C1 stocks run out’.

Two types of polymer clay hand warmers with a digital temperature controller.

Adjustable Electric Hand Warmers

It may be the last gasp of summer here in the Northern Hemisphere, but it’s always cold somewhere, whether it’s outdoors or inside. If you suffer from cold, stiff hands, you know how difficult it can be to work comfortably on a computer all day. Somehow, all that typing and mousing does little to warm things up. What you need are hand warmers, obviously, and they might as well be smart and made to fit your hands.

Using a heat gun to cure polymer clay.

Fifteen-year-old [Printerforge] created these bad boys in an effort to learn how to code LCDs and control heat like Magneto controls ferrous metals. Thanks to digital control, they can heat up to specific temperatures, and they happen to run for a long time.

Power-wise, these warmers use an 18650 cell and a TP4056 charging module. Everything is controlled by an Arduino Nano, which reads from both a thermistor and a potentiometer to control the output.

[Printerforge] really thought this project through, as you’ll see in the Instructable. There’s everything from a table of design requirements to quick but thorough explanations of nichrome wire and basic electronic theory.

And then there’s the material consideration. [Printerforge] decided that polymer clay offers the best balance of heat conductivity and durability. They ended up with two styles — flat, and joystick grip. The best part is, everything can fit in a generous pocket.

Clay is good for a lot of things, like making the perfect custom mouse.

A Little Optical Magic Makes This Floating Display Pop

If there’s a reason that fancy holographic displays that respond to gestures are a science fiction staple, it’s probably because our current display technology is terrible. Oh sure, Retina displays and big curved gaming monitors are things of wonder, but they’re also things that occupy space even when they’re off — hence the yearning for a display that can appear and disappear at need.

Now, we’re not sure if [Maker Mac70]’s floating display is the answer to your sci-fi dreams, but it’s still pretty cool. And, as with the best of tricks, it’s all done with mirrors. The idea is to use a combination of a partially reflective mirror, a sheet of retroreflective material, and a bright LCD panel. These are set up in an equilateral triangle arrangement, with the partially reflective mirror at the top. Part of the light from the LCD bounces off the bottom surface of the mirror onto a retroreflector — [Mac] used a sheet of material similar to what’s used on traffic signs. True to its name, the retroreflector bounces the light directly back at the semi-transparent mirror, passing through it to focus on a point in space above the whole contraption. To make the display interactive, [Mac] used a trio of cheap time-of-flight (TOF) sensors to watch for fingers poking into the space where the display is projected. It seemed to work well enough after some tweaking; you can check it out in the video below, which also has some great tips on greebling, if that’s your thing.

We suspect that the thumbnail for the video is a composite, but that’s understandable since the conditions for viewing such a display have to be just right in terms of ambient light level and the viewer’s position relative to the display. [Mac] even mentions the narrow acceptance angle of the display, touting it as a potential benefit for use cases where privacy is a concern. In any case, it’s very different from his last sci-fi-inspired volumetric display, which was pretty cool too.


A mini Cyclone game consisting of an Arduino, an LED ring, and button, plus a scoreboard on a 16x2 LCD.

2024 Tiny Games Contest: Mini Cyclone Tests Reaction Time

Round and round goes the red LED, and if you can push the button when it overlaps the green LED, then you win. Cyclone is almost too simple of a game, and that’s probably part of why it’s so addictive.

The back side of the mini Cyclone game, showing the guts.

Want to make one for your desk? All it takes is an Arduino Nano R3 or comparable microcontroller, an RGB LED ring with 12 LEDs, a 16×2 LCD, a buzzer, and a momentary push button switch.

Interestingly, there aren’t successive levels with increasing speed, but each round begins with a randomized speed value. Of course, this can all be easily changed in the code, which is modified from [Joern Weise]’s original.

This is a tinier version of [mircemk]’s original project, which uses a 60-LED ring and does contain levels. As usual with [mircemk]’s builds, this project is mounted on their trademark 3 mm PVC board and covered with peel-and-stick wallpaper. Be sure to check out the demo and build video after the break.

Don’t forget! You have until Tuesday, September 10th to enter the 2024 Tiny Games Contest, so get crackin’!


A tricked-out kids' Jeep in black and silver.

Driven To Over-Engineer A Kids’ Car

You know, it feels as though it’s getting more and more difficult to compete for Father of the Year around here. And [Jon Petter Skagmo] just laid down a new gauntlet — the incredibly overly-engineered kids car.

Close-up of the dash panel of an overly-engineered kids' car.

While the original plan was to build the entire car from scratch, [Jon] eventually opted to use an off-the-shelf car that had a dead battery.

While the original architecture was quite simple, the new hardware has just about everything a kid could want in a tricked-out ride, most of which is accessible through the really cool dashboard.

We’re talking headlights, a music player, a siren, a selfie video cam that doubles as two-way communication with the driver, and even a garage door opener that uses an MQTT connection.

Under the cute little hood is where you’ll find most of the electronics. The car’s brain is a Raspberry Pi 3B, and there’s a custom daughter board that includes GPS/GNSS. This was originally meant to geofence [Baby Girl Skagmo] in, but Dad quickly realized that kids are gonna kid and disabled it pretty soon after.

This isn’t the first high-tech rebuild of a kiddie car that we’ve seen here at Hackaday. Makes us wish we were quite a bit smaller…


The blind maze -- a box with three buttons and three light-up panels that indicate walls.

2024 Tiny Games Contest: Blind Maze Is Fun For All

If you think about it, even difficult mazes on paper are pretty easy. You can see all the places you can and can’t go, and if you use a pencil instead of a pen, well, that’s almost like cheating.

The innards of the blind maze.

However, using a pencil is pretty much a necessity to play [penumbriel]’s Blind Maze. In this game, you can’t even see the maze, or where you are. Well, that’s not exactly true — you can “touch” the wall (or lack thereof) in front of you and to the sides, but that’s it. So you’re going to need that pencil to draw out a map as you go along.

This game runs on an Arduino Nano and an 18650 cell. There are three LEDs deep within the enclosure, which is meant to give the walls a sense of depth. But even the vision-impaired can play the Blind Maze, because there’s haptic feedback thanks to a small vibration motor.

If you want to play in hard mode, there’s a hidden paperclip-accessible switch that turns off the LEDs. This way, you have to rely on hitting the walls with your head. Be sure to check out the video below.
