Color Us Impressed: Redbean Runs A Web Server On Six Operating Systems

The holy grail of computing is to have some way to distribute a program to any computer. This is one of those totally unachievable goals, but many have tried with varying degrees of success. People naturally think of Java, but even before that there was UCSD’s P-code and many other attempts to pull off the same trick. We were impressed, though, with Redbean 2.0 which uses a single executable file to run a webserver — or possibly other things — on six different operating systems. If the six operating systems were all flavors of Linux or Windows that wouldn’t be very interesting. But thanks to APE — the Actually Portable Executable — format, you can run under Windows, Linux, MacOS, OpenBSD, NetBSD, and FreeBSD.

This is quite a feat when you realize that most of these take wildly different file formats. There is one small problem: you can’t use much of anything on the host operating system. However, if you look at Redbean, you’ll see there is quite a lot you can do.

SATAn Turns Hard Drive Cable Into Antenna To Defeat Air-Gapped Security

It seems like [Mordechai Guri]’s lab at Ben-Gurion University is the place where air-gapped computers go to die, or at least to give up their secrets. And this hack using a computer’s SATA cable as an antenna to exfiltrate data is another example of just how many side-channel attacks the typical PC makes available.

The exploit, deliciously designated “SATAn,” relies on the fact that the SATA 3.0 interface used in many computers has a bandwidth of 6.0 Gb/s, meaning that manipulating the computer’s IO would make it possible to transmit data from an air-gapped machine at around 6 GHz. It’s a complicated exploit, of course, and involves placing a transmitting program on the target machine using the usual methods, such as phishing or zero-day exploits. Once in place, the transmitting program uses a combination of read and write operations on the SATA disk to generate RF signals that encode the data to be exfiltrated, with the data lines inside the SATA cable acting as antennae.

SATAn is shown in action in the video below. It takes a while to transmit just a few bytes of data, and the range is less than a meter, but that could be enough for the exploit to succeed. The test setup uses an SDR — specifically, an ADALM PLUTO — and a laptop, but you can easily imagine a much smaller package being built for a stealthy walk-by style attack. [Mordechai] also offers a potential countermeasure for SATAn, which basically thrashes the hard drive to generate RF noise to mask any generated signals.

While probably limited in its practical applications, SATAn is an interesting side-channel attack to add to [Dr. Guri]’s list of exploits. From optical exfiltration using security cameras to turning power supplies into speakers, the vulnerabilities just keep piling up.

Watering The Garden With A Solar-Powered System

Watering the garden is important to do regularly if you want your plants to thrive. [Nikodem Bartnik] built a system to handle it for him, keeping his garden on the grow.

The system has an Arduino commanding an irrigation system based around a pump delivering water from a reservoir. It’s paired with a water level sensor to keep an eye on the water available to the system. Moisture sensors are also used to monitor the prevailing soil conditions, to ensure the plants aren’t over- or under-watered. In this case, [Nikodem] designed his own resistive moisture sensors, which proved difficult but taught him a lot along the way. Everything was then wrapped up in a food container to make it waterproof for installation outside. A solar panel and charging system was also installed to power the whole setup without requiring a mains connection.

While this system worked, the moisture sensors were a bit unreliable and there was a lot of cabling involved. A second revision got rid of the sensors and used a Pi Pico to implement a simple timer-based irrigation scheme.

Either way, both systems worked and helped keep the vital water flowing to the garden bed. Automatic plant watering is a bit of a popular theme around here, and we’ve seen some nifty hacks in that realm of late. Video after the break.

ESP32 Gets A Nifty Serial Console Library

Sometimes you need to get a project to talk to you, so you can see what’s going on inside. The ESP32 console Arduino library from [jbtronics] promises just that.

The library adds a simple serial console to the ESP32, and is compatible with the Arduino ecosystem to boot. It’s set up to allow the easy addition of custom commands so you can tweak the console to suit your own projects. It’s remarkably complete with nifty features, too. There’s autocomplete as well as a navigable command history – the sorts of features you only expect from a modern OS terminal. A bunch of system commands are built-in, too, for checking the status of things like the memory, network interface, and so on.

The tool is available via the Arduino library manager or the PlatformIO registry. You’ll want to use it with a VT-100 compatible terminal like PuTTY or similar, which lets you use all the fancy features including color output. [jbtronics] hopes to port it to the ESP8266 soon, too!

We’ve seen some other great serial tools of late, too. If you’re brewing up your own nifty console hacks, be sure to drop us a line!

Hackaday Podcast 178: The Return Of Supercon, Victory For Open Source, Exquisite Timepieces, And Documentation To Die For

Hackaday Editor-in-Chief Elliot Williams and Managing Editor Tom Nardi start this week’s podcast off with an announcement the community has been waiting years for: the return of the Hackaday Supercon! While there are still some logistical details to hammer out, we’re all extremely excited to return to a live con and can’t wait to share more as we get closer to November. Of course you can’t have Supercon without the Hackaday Prize, which just so happens to be wrapping up its Hack it Back challenge this weekend.

In other news, we’ll talk about the developing situation regarding the GPLv3 firmware running on Ortur’s laser engravers (don’t worry, it’s good news for a change), and a particularly impressive fix that kept a high-end industrial 3D printer out of the scrapheap. We’ll also fawn over a pair of fantastically documented projects, learn about the fascinating origins of the lowly fire hydrant, and speculate wildly about the tidal wave of dead solar panels looming menacingly in the distance.

Or download the fresh bitstream yourself.

Check out the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!

Homebrew Curve Tracer Competes With The Big Guns

When we first saw the VBA curve tracer, we thought it might have something to do with Visual Basic for Applications. But it turns out it is a mash up of the names of the creators: [Paul Versteeg], [Bud Bennett], and [Mark Allie]. [Paul] designed an original prototype back in 2017. Since then, the project has grown and lessons were learned. The final curve tracer is pretty impressive in more ways than one.

If you’ve never used a curve tracer, they allow you to characterize components using their characteristic curve of voltage versus current. You use an oscilloscope as an output device. This instrument is often used by engineers trying to understand or match devices like diodes, transistors, or — in some cases — even tubes. So if you want to measure the collector-emitter breakdown voltage, for example, or the collector cutoff current, this is your go-to device. You can also match gains in circuits where that matters (for example, a push-pull circuit where two transistors amplify different parts of the same signal).

If you want to understand more about how it works, there is a series of blog posts covering the evolution of the device. You can also find the design files on GitHub. There is also a handy post showing many types of measurements you might want to make.

This is a good-looking project. We’ve seen it done on the cheap, but slowly. Or spend $15 and do better. We doubt any of these have high enough voltages to do most tubes, but they made the same basic instrument for tubes back in the 1950s.

This Week In Security: Asterisk, TikTok, Gitlab, And Finally A Spam Solution

There’s an ongoing campaign that’s compromising FreePBX systems around the world. It seems to be aimed specifically at Elastix systems, using CVE-2021-45461, a really nasty Remote Code Execution (RCE) from December of last year. This flaw was a 0-day, as it was discovered by analyzing a compromised FreePBX system. It’s unclear if the campaign described in last week’s report was using the 0-day back in December, or if it was launched as a result of the public disclosure of the bug.

Regardless, the flaw is in the handling of a URL parameter sent to the Rest Phone Apps service. This module is intended to run right on the screen of VoIP phones, and allows end users to set features like Do Not Disturb without having to punch in star codes or visit a web page. Because of that use case, any FreePBX deployment that uses this feature and supports VoIP phones connecting from outside the network would need the service’s ports open. The best way to secure that would be to enforce connections over a VPN, which only some phones natively support.

Upon finding a vulnerable endpoint, the campaign starts by dropping a webshell in several locations, all obfuscated slightly differently. It then creates multiple root-level user accounts, and adds a Cron job to maintain access. There is a surprising amount of obfuscation and stealth features in this family of malware, making it difficult to point to a single Indicator Of Compromise. If you run a FreePBX system that may have the Phone Apps module running, it’s time to go through it with a fine-toothed comb.
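As a starting point for that review, here is an added example (not part of the original article or of FreePBX) that checks for the two persistence steps named above: extra root-level accounts and cron entries that were not there before. The account name, paths and cron lines are constructed sample data, and the webshell drops are not covered.

```ruby
# Constructed sample data. On a real host, read /etc/passwd and each crontab,
# and keep the baseline copies somewhere the PBX itself cannot write to.
PASSWD_NOW = <<~EOS
  root:x:0:0:root:/root:/bin/bash
  asterisk:x:995:993:Asterisk PBX:/home/asterisk:/bin/bash
  svc_sync:x:0:0::/tmp:/bin/bash
  mysql:x:27:27:MySQL:/var/lib/mysql:/sbin/nologin
EOS

CRON_BASELINE = <<~EOS
  # m h dom mon dow command
  MAILTO=""
  30 2 * * * /usr/local/bin/nightly-backup.sh
EOS

CRON_NOW = CRON_BASELINE + "*/3 * * * * /var/tmp/.cache/upd >/dev/null 2>&1\n"

# Any account with UID 0 is root-equivalent, whatever its name.
def extra_uid0_accounts(passwd_text)
  passwd_text.each_line
             .map { |line| line.chomp.split(":", -1) }
             .select { |f| f.length == 7 && f[2].match?(/\A0+\z/) && f[0] != "root" }
             .map(&:first)
end

# Active cron entries: skip blanks, comments and VAR=value assignments.
def cron_entries(crontab_text)
  crontab_text.each_line.map(&:strip).reject do |line|
    line.empty? || line.start_with?("#") || line.match?(/\A[A-Za-z_]\w*\s*=/)
  end
end

# With no single reliable indicator, diff against a known-good baseline
# instead of matching signatures.
def new_cron_entries(current_text, baseline_text)
  cron_entries(current_text) - cron_entries(baseline_text)
end

if __FILE__ == $PROGRAM_NAME
  puts "extra UID 0 accounts: #{extra_uid0_accounts(PASSWD_NOW).inspect}"
  puts "new cron entries:     #{new_cron_entries(CRON_NOW, CRON_BASELINE).inspect}"
end
```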

What’s The Deal with TikTok?

The FCC has once again called for TikTok to be de-listed from the Google Play Store and the Apple App store. What is going on with TikTok? It’s just an app for filming and sharing silly videos, right? There are essentially two potential problems with TikTok, and both of them trace back to the app’s parent company residing in China.

Here in the US we have National Security Letters, and China seems to have a more straightforward system, where “everything is seen in China,” as said by a member of TikTok’s Trust and Safety Department. TikTok uses quite a few permissions, some of which seem a bit overzealous. If you’re a person of interest to the Chinese government, could those permissions be used to surveil you? Absolutely. Just like a US based app could, as a result of a National Security Letter.

The second problem is a bit more subtle, and may stray towards a conspiracy theory, but is worth considering. TikTok has videos about every subject imaginable, from every possible viewpoint. What if the Chinese Communist Party (CCP) wanted a specific rumor to gain traction in the US? Just a little pressure on the video recommendation algorithm would make videos about that topic trend. Instant public opinion lever.

There’s likely a missing piece of the story here, in the form of some classified intel. Until enough time goes by that a Freedom of Information Act request can unlock the rest of the story, it’s going to be unclear how much of the TikTok threat is legitimate, and how much is geo-political wrangling.

Oh, and if you thought you could just go open up the Google Play Store and see the exact permissions the TikTok app uses, Google has made the unfortunate decision to hide permissions until you actually do the install. That sounds like a terrible decision and, after a brief outcry, it seems like Google agrees. Just before this article went to the presses, Google announced that they were walking back this decision.

Gitlab RCE

Gitlab fixed a very serious problem in its 4th of July round of minor version releases, and [Nguyễn Tiến Giang (Jang)] really wanted to understand what was going on with this one. So much so, that he set up a debuggable install of Gitlab and recreated the issue, bringing us along for the ride. The flaw is in importing an existing Gitlab project, where the archive name is appended directly to a command string. If you can manipulate the value given for the archive name, and avoid tripping on any of the checks intended to prevent it, you can trivially insert shell commands that will be run on the underlying server. Avoiding the traps is a big part of the work to actually make this into a real PoC. Read the post for full details on the debugging journey.
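The bug class described here, shown as an added example that is not Gitlab's code or part of the original article: a file name interpolated into a command string next to the same call made with an argument list, plus an allowlist as a second layer. The `echo` stand-in, function names and sample input are assumptions made for illustration.

```ruby
require "open3"

# Stand-in for the archive tool so the example runs anywhere (assumption).
TOOL = "echo"

# Vulnerable pattern: the name is interpolated into one command string, so
# /bin/sh parses it and metacharacters in the name become shell syntax.
def extract_unsafe(archive_name)
  out, _status = Open3.capture2e("#{TOOL} extracting #{archive_name}")
  out
end

# Structural fix: pass an argv list. No shell runs, so the name reaches the
# tool as exactly one argument, whatever characters it contains.
def extract_argv(archive_name)
  out, _status = Open3.capture2e(TOOL, "extracting", archive_name)
  out
end

# Second layer: allowlist the name. \A and \z anchor the whole string; ^ and $
# match per line in Ruby and would let a newline-separated suffix through.
# The leading alphanumeric also stops names that a tool would read as options.
SAFE_NAME = /\A[A-Za-z0-9][A-Za-z0-9._-]{0,99}\z/

def extract_checked(archive_name)
  raise ArgumentError, "rejected archive name" unless SAFE_NAME.match?(archive_name)
  extract_argv(archive_name)
end

# Constructed input: a file name carrying a second, harmless command.
HOSTILE = "project.tar.gz; echo INJECTED"

if __FILE__ == $PROGRAM_NAME
  puts "unsafe: #{extract_unsafe(HOSTILE).inspect}"
  puts "argv:   #{extract_argv(HOSTILE).inspect}"
  begin
    extract_checked(HOSTILE)
  rescue ArgumentError => e
    puts "checked: #{e.message}"
  end
end
```

Input checks alone are the layer the article says can be sidestepped; the argument-list form removes the shell from the path, so there is nothing left for the name to inject into.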

Calendar Spam Finally Fixed

Consider yourself lucky if you’ve missed out on the scourge that is Calendar spam. Google Calendar is great, because anyone can send you an email with an invite, and the event automatically shows up on your calendar. In retrospect, it seems obvious that this would be used for spam. Regardless, after multiple years of the spam problem, Google is finally rolling out a feature to only add invitations to your calendar from known senders. Now if you get asked, or suffer from spam yourself, you know to look under event settings and make the setting change. Finally!