Exploit The Stressed-out Package Maintainer, Exploit The Software Package

A recent security vulnerability — a potential ssh backdoor via the liblzma library in the xz package — is having a lot of analysis done on how the vulnerability was introduced, and [Rob Mensching] felt that it was important to highlight what he saw as step number zero of the whole process: exploit the fact that a stressed package maintainer has burned out. Apply pressure from multiple sources while the attacker is the only one stepping forward to help, then inherit the trust built up by the original maintainer. Sadly, [Rob] sees in these interactions a microcosm of what happens far too frequently in open source.

Maintaining open source projects can be a high stress activity. The pressure and expectations to continually provide timely interaction, support, and updates can easily end up being unhealthy. As [Rob] points out (and other developers have observed in different ways), this kind of behavior just seems more or less normal for some projects.

The xz/liblzma vulnerability itself is a developing story, read about it and find links to the relevant analyses in our earlier coverage here.

ESP-Drone: Building An ESP32-Based Quadcopter For Not Much Cash

What’s the cheapest quadcopter you can build? As [Circuit Digest] demonstrates with their variant of the ESP-Drone project by Espressif, you only need a minimum of parts: an ESP32 MCU, an inertial measurement unit (IMU) such as the MPU6050, and four MOSFETs to drive the brushless DC motors. As the PCB also forms the structural frame and landing struts for the quadcopter, not even a 3D printer is needed. All told, [Circuit Digest] figures the total BOM comes in at around 1,000 Indian Rupees, or about $12 USD.

The fully assembled ESP-Drone flying around. (Credit: Circuit Digest)

While this [Circuit Digest] project provides basic IMU functionality, the Espressif project also has a few expansion boards detailed on its hardware page, depending on the base model of the mainboard you pick. The [Circuit Digest] project follows the ESPlane-V2-S2 version with no expansion boards, but the ESP32-S2-Drone V1.2 mainboard can be extended with position-hold, pressure and compass modules, as well as custom boards.

As a derivative of the Bitcraze Crazyflie project, the ESP-Drone firmware also supports the rather nifty cfclient software for remote monitoring, logging and control. This may also be in the [Circuit Digest] firmware, but wasn’t listed among the features.

Continue reading “ESP-Drone: Building An ESP32-Based Quadcopter For Not Much Cash”

A Practical Guide To Understanding How Radios Work

How many radios do you own? Forget the AM/FM, GMRS/FRS radios you listen to or communicate with. We’re talking about the multiple radios and antennas in your phone, your TV, your car, your garage door opener, every computing device you own: you get the idea. It’s doubtful that you can accurately count them even in your own home. But what principles of the electromagnetic spectrum allow radio to work, and how do antenna design, modulation, and mixing affect it? [Michał Zalewski] aka [lcamtuf] aims to inform you with his excellent article Radios, how do they work?

A simple illustration compares a capacitor to a dipole antenna.

For those of you with a penchant for difficult maths, there’s some good old formulae published in the article that’ll help you understand the physics of radio. For the rest of us, there are a plethora of fantastic illustrations showing some of the less obvious principles, such as why a longer dipole is more directional than a shorter dipole.

The article opens with a thought experiment, explaining how two dipole antennas are like capacitors, but then also explains how they are different, and why a 1/4 wave dipole saves the day. Of course it doesn’t stop there. [lcamtuf]’s animations show the action of a sine wave on a 1/4 wave dipole, bringing a nearly imaginary concept right into the real world, helping us visualize one of the most basic concepts of radio.

Now that you’ve got a basic understanding of how radios work, why not listen to Jupiter with your own homebrew receiver?

This Week In Security: Peering Through The Wall, Apple’s GoFetch, And SHA-256

The Linux command wall is a hold-over from the way Unix machines used to be used. It’s an abbreviation of Write to ALL, and it was first included in AT&T Unix, way back in 1975. wall is a tool that a sysadmin can use to send a message to the terminal session of all logged-in users. So far nothing too exciting from a security perspective. Where things get a bit more interesting is the consideration of ANSI escape codes. Those are the control codes that move the cursor around on the screen, also inherited from the olden days of terminals.

The modern wall binary is actually part of util-linux, rather than being a continuation of the old Unix codebase. On many systems, wall runs setgid, so the behavior of the system binary really matters. It’s accepted that wall shouldn’t be able to send control codes, and when processing a message specified via standard input, those control codes get rejected by the fputs_careful() function. But when a message is passed in on the command line, as an argument, that function call is skipped.

This allows any user that can send wall messages to also send ANSI control codes. Is that really a security problem? There are two scenarios where it could be. The first is that some terminals support writing to the system clipboard via command codes. The other, more creative issue, is that the output from running a binary could be overwritten with arbitrary text. Text like:
Sorry, try again.
[sudo] password for jbennett:

You may have questions. Like, how would an attacker know when such a command would be appropriate? And how would this attacker capture a password that has been entered this way? The simple answer is by watching the list of running processes and system log. Many systems have a command-not-found function, which will print the failing command to the system log. If that failing command is actually a password, then it’s right there for the taking. Now, you may think this is a very narrow attack surface that’s not going to be terribly useful in real-world usage. And that’s probably pretty accurate. It is a really fascinating idea to think through, and definitely worth getting fixed. Continue reading “This Week In Security: Peering Through The Wall, Apple’s GoFetch, And SHA-256”
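The control-flow flaw described above, modelled as an added example that is not util-linux code: a careful writer that neutralises control characters, applied first only on the standard-input path and then on both paths. The function names and the sample message are constructed for the demonstration.

```python
import re

# Added example, not util-linux code: models why wall's argv path mattered.
# A message is only safe to write to other users' terminals if it carries no
# control characters other than tab and newline. ESC (0x1b) opens ANSI/VT
# escape sequences and the C1 range (U+0080..U+009F) can open CSI sequences
# on many terminals, so both are treated as control characters here.
_CONTROL_RE = re.compile(r"[\x00-\x08\x0b-\x1f\x7f\x80-\x9f]")


def find_control_codes(message: str) -> list[tuple[int, str]]:
    """Offsets and escaped forms of every disallowed control character."""
    return [(m.start(), repr(m.group())) for m in _CONTROL_RE.finditer(message)]


def puts_careful(message: str) -> str:
    """Neutralise control characters with caret notation (^[ for ESC, etc.)."""
    def caret(m: re.Match) -> str:
        c = ord(m.group())
        if c == 0x7F:
            return "^?"
        if c < 0x20:
            return "^" + chr(c + 0x40)
        return "\\u%04x" % c  # C1 control: show the code point instead
    return _CONTROL_RE.sub(caret, message)


def deliver_unpatched(message: str, from_argv: bool) -> str:
    """Flawed control flow as described above: argv skips the careful writer."""
    return message if from_argv else puts_careful(message)


def deliver_patched(message: str, from_argv: bool) -> str:
    """Fix: every message goes through the careful writer, whatever its source."""
    return puts_careful(message)


# Constructed sample: a harmless clear-screen/home sequence plus a plain line.
SAMPLE = "\x1b[2J\x1b[Hnotice: maintenance at 22:00\n"

if __name__ == "__main__":
    print(find_control_codes(SAMPLE))             # two ESC bytes, at 0 and 4
    print(repr(deliver_unpatched(SAMPLE, True)))  # escape codes pass through
    print(repr(deliver_patched(SAMPLE, True)))    # '^[[2J^[[Hnotice: ...'
```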


Keebin’ With Kristina: The One With The Pickle Pi

Image by [jefmer] via Hackaday.IO
The unstoppable [jefmer] wrote in to alert me to Pickle Pi, their latest Keebin’-friendly creation. Why “Pickle Pi”? Well, the Pi part should be obvious, but the rest comes from the Gherkin 30% ortholinear keyboard [jefmer] built with Gateron Yellows and, unfortunately, second-choice XDA keycaps, as the first batch were stolen off of the porch.

If you’re wondering where the rest of the keys are, they are accessible by holding various keys rather than tapping them. Shift is Shift when held, but becomes Enter when tapped. [jefmer] wrote out their entire project description on the thing in order to break in the Gherkin.

The brains of this acrylic sandwich tablet is a Pi Zero 2, with a Pro Micro for the keyboard controller. Although programs like Ghostwriter and Thonny work fine, Chromium is “painfully slow” due to the RAM limitations of the Pi Zero 2. On the upside, battery life is 7-8 hours depending on usage. Even so, [jefmer] might replace it with a Pi 4 — the current battery pack won’t support a Pi 5.
Continue reading “Keebin’ With Kristina: The One With The Pickle Pi”

This Week In Security: Loop DOS, Flipper Responds, And More!

Here’s a fun thought experiment. UDP packets can be sent with an arbitrary source IP and port, so you can send a packet to one server, and could aim the response at another server. What happens if that response triggers another response? What if you could craft a packet that continues that cycle endlessly? That is essentially the idea behind Loop DoS (Denial of Service).

This unique avalanche of packets has been demonstrated using specific implementations of several different network services, like TFTP, DNS, and NTP. There are several CVEs tracking the issue, but CVE-2024-2169 is particularly odd, with the description that “Implementations of UDP application protocol are vulnerable to network loops.” This seems to be a blanket CVE for UDP, which is particularly inappropriate given that the first DoS of this sort was reported no later than 2009.

More details are available in a Google Doc. There are some interesting tidbits there, like the existence of cross-protocol loops, and several legacy protocols that are vulnerable by design. The important thing to remember here is that you have to have an accessible UDP port for this sort of attack to take place, so if you’re not using it, firewall it.

Flipper Flips Back

We’ve covered the saga of the Flipper Zero vs the Canadian government, in the context of car theft. The short version is that Canada has seen an uptick of car thefts from organized crime. Rather than meaningfully dealing with this problem, the Canadian government went looking for scapegoats, and found the Flipper Zero.

Well now, Flipper has responded, and put simply, the message is “stop the madness”. There has never been a confirmed case of using a Flipper to steal a car, and it’s very unlikely it’s ever happened. On a modern car with proper rolling-code security, it’s not meaningfully possible to use the Flipper Zero for the theft. The two primary ways criminals actually steal cars are with dedicated keyfob repeaters and CAN bus hackers.

There is a petition to sign, and for Canadians, Flipper suggests contacting your local member of parliament. Continue reading “This Week In Security: Loop DOS, Flipper Responds, And More!”

Apple Vision Pro’s Secret To Smooth Visuals? Subtly Substandard Optics

The displays inside the Apple Vision Pro have 3660 × 3200 pixels per eye, but veteran engineer [Karl Guttag]’s analysis of its subtly blurred optics reminds us that “resolution” doesn’t always translate to resolution, and how this is especially true for things like near-eye displays.

The Apple Vision Pro lacks the usual visual artifacts (like the screen door effect) which result from viewing magnified pixelated screens through optics. But [Karl] shows how this effect is in fact hiding in plain sight: Apple seems to have simply made everything just a wee bit blurry thanks to subtly out-of-focus lenses.

The thing is, this approach of intentionally de-focusing actually works very well for consuming visual content like movies or looking at pictures, where detail and pixel-to-pixel contrast is limited anyway.

Clever loophole, or specification shenanigans? You be the judge of that, but this really is evidence of how especially when it comes to things like VR headsets, everything is a trade-off. Improving one thing typically worsens others. In fact, it’s one of the reasons why VR monitor replacements are actually a nontrivial challenge.