This Week In Security: Cacti RCE, VMs In The Browser, And SugarCRM

This week we start with a Remote Code Execution (RCE) vulnerability that has potential to be a real pain for sysadmins. Cacti, the system monitoring and graphing solution, has a pair of bugs that chain together to allow an attacker with unauthenticated access to the HTTP/S port to trivially execute bash commands. The first half of this attack is an authentication bypass, and it’s embarrassingly trivial. The Cacti authentication code trusts the Forwarded-For: header in the request. Set it to the server’s IP, and the authentication code treats it like a localhost request, bypassing any real authentication process.

The second half is found in the remote_agent.php endpoint, where the poller_id is set by the user and treated as a string. Then, if the right host_id and local_data_id item is triggered, that string is concatenated into a proc_open() function call. The string isn’t sanitized, so it’s trivial enough to include a second command to run, dropping a webshell, for instance.

Version 1.2.23 of Cacti contains the fix, and was released on the 2nd. This one is likely to be exploited, and if automated exploitation hasn’t started already, it likely will soon. So if you have a Cacti install, go double-check that the interface isn’t exposed to the world.
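As an added example (not code from the Hackaday post or the Cacti project), here is a small scanner that flags both halves of the chain in web access logs: a forwarded-for header naming the server itself, and a non-numeric poller_id sent to remote_agent.php. The log format (common log format with the forwarded-for value as a final quoted field), the server address list and the sample lines are all constructed assumptions.

```javascript
// Addresses this Cacti host treats as "itself" (constructed). A request whose
// forwarded-for header names one of them is the spoof the post describes.
const SERVER_ADDRS = new Set(["127.0.0.1", "::1", "192.0.2.10"]);

// Constructed sample access log, not real traffic. Assumed format: common log
// format plus the forwarded-for header as a final quoted field ("-" if absent).
const SAMPLE_LOG = `198.51.100.7 - - [04/Jan/2023:10:00:01 +0000] "GET /cacti/graph_view.php HTTP/1.1" 200 5120 "-"
198.51.100.7 - - [04/Jan/2023:10:00:02 +0000] "GET /cacti/remote_agent.php?poller_id=1&host_id=1&local_data_id=6 HTTP/1.1" 200 88 "192.0.2.10"
198.51.100.7 - - [04/Jan/2023:10:00:03 +0000] "GET /cacti/remote_agent.php?poller_id=1;ls&host_id=1&local_data_id=6 HTTP/1.1" 200 88 "-"
203.0.113.9 - - [04/Jan/2023:10:00:04 +0000] "GET /cacti/remote_agent.php?poller_id=2&host_id=3&local_data_id=9 HTTP/1.1" 200 88 "203.0.113.1"`;

// Captures: source, timestamp, method, target, status, forwarded-for
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)"$/;

// Reasons one log line matches the Cacti chain; empty array if it does not.
function scanLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return [];
  const target = m[4], xff = m[6];
  // The base URL is only there so a relative request target parses.
  const url = new URL(target, "http://placeholder.invalid");
  if (!url.pathname.endsWith("/remote_agent.php")) return [];
  const reasons = [];
  // Bug 1: the auth bypass is a forwarded-for value equal to the server's
  // own address, which no honest proxy would forward.
  if (SERVER_ADDRS.has(xff)) reasons.push(`forwarded-for spoofs server address ${xff}`);
  // Bug 2: poller_id is concatenated into proc_open(); Cacti only needs an
  // integer here, so anything else is a command-injection attempt.
  for (const value of url.searchParams.getAll("poller_id")) {
    if (!/^\d+$/.test(value)) reasons.push(`non-numeric poller_id "${value}"`);
  }
  return reasons;
}

// Map of 1-based line number -> reasons, for the lines that were flagged.
function scanLog(text) {
  const findings = new Map();
  text.split("\n").forEach((line, i) => {
    const reasons = scanLine(line);
    if (reasons.length) findings.set(i + 1, reasons);
  });
  return findings;
}

for (const [n, reasons] of scanLog(SAMPLE_LOG)) console.log(`line ${n}: ${reasons.join("; ")}`);
```

If your proxy does not log the forwarded-for header, only the poller_id check applies; the header check needs the proxy or Cacti's own web server to record it.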

JSON Web Token

Researchers at Unit 42 found an exploit that can be used to achieve an RCE in the JsonWebToken project. The issue is this library’s verify() function, which takes as arguments the token to check, the key to use, and options. If there aren’t any algorithms specified in the options object, then the key is processed as a PEM string. The toString() method of that key is called during the actual check, and the assumption is that it’s either a string or a buffer. But what if the key passed into the verify() function was actually a complex object, bringing its own toString() method along to play? At that point, we have arbitrary code execution. And if this code is running on the server side under node.js, that means a popped server.

But wait, it’s not that simple, right? It’s not like a valid JWT can contain an arbitrary object — that would be a problem all on its own. So CVE-2022-23529 is a stepping-stone. It’s insecure code, but the rest of the application has to have another vulnerability for this one to be reachable.
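As an added example, not code from the JsonWebToken project or the Unit 42 write-up, here is a guard for the two conditions described above, placed in front of the library’s verify(token, secretOrPublicKey, options): the key must be plain key material, and options.algorithms must be set. The hostile object and the injected `jwt` stub are constructed for the demonstration.

```javascript
// Guard placed in front of jsonwebtoken's verify(token, secretOrPublicKey,
// options). This is not the library's code; it rejects the two inputs the
// post describes before the library ever touches them.
function checkVerifyArgs(key, options) {
  // The library ends up calling key.toString() once it treats the key as PEM,
  // so only real key material may get that far, never an arbitrary object
  // that brings its own toString(). Note the check never stringifies the key.
  if (typeof key !== "string" && !Buffer.isBuffer(key)) {
    throw new TypeError("secretOrPublicKey must be a string or Buffer");
  }
  // A missing algorithms list is what makes the PEM path reachable at all;
  // insist on an explicit allow-list of accepted algorithms.
  if (!options || !Array.isArray(options.algorithms) || options.algorithms.length === 0) {
    throw new TypeError("options.algorithms must list the accepted algorithms");
  }
  return true;
}

// Drop-in wrapper. `jwt` is the jsonwebtoken module, injected as a parameter so
// this file runs without the package installed; arguments pass through as-is.
function safeVerify(jwt, token, key, options) {
  checkVerifyArgs(key, options);
  return jwt.verify(token, key, options);
}

// Constructed stand-in for the kind of "key" the post describes: an object with
// its own toString(). The counter shows whether anything ever invoked it.
let hostileToStringCalls = 0;
const hostileKey = { toString() { hostileToStringCalls += 1; return ""; } };
function hostileToStringCallCount() { return hostileToStringCalls; }

// Demonstration: the honest call goes through, the hostile key never reaches
// toString(), and a call without an algorithm list is refused outright.
console.log(checkVerifyArgs("top-secret", { algorithms: ["HS256"] }));      // true
for (const [k, o] of [[hostileKey, { algorithms: ["RS256"] }], ["top-secret", {}]]) {
  try { checkVerifyArgs(k, o); } catch (e) { console.log(e.message); }
}
console.log(hostileToStringCallCount());                                   // 0
```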

Fixing An HP 54542C With An FPGA And VGA Display

Although the HP 54542C oscilloscope and its siblings are getting on in years, they’re still very useful today. Unfortunately, as some of the first oscilloscopes to switch from a CRT display to an LCD, they are starting to suffer from degradation. This has led to otherwise perfectly functional examples being discarded or sold for cheap, when all they need is an LCD swap. This is what happened to [Alexander Huemer] with an eBay-bought 54542C.

Although this was supposed to be a fully working unit, upon receiving it, the display just showed a bright white instead of the more oscilloscope-like picture. A short while later [Alexander] was left with a refund, an apology from the seller and an HP 54542C scope with a very dead LCD. This was when he stumbled over a similar repair by [Adil Malik], right here on Hackaday. The fix? Replace the LCD with an FPGA and VGA-input capable LCD.

While this may seem counterintuitive, the problem with LCD replacements is the lack of standardization. Finding an 8″, 640×480, 60 Hz color LCD with an interface compatible with the one found in this HP scope usually gets you salvaged LCDs from HP scopes, which as [Alexander] discovered can run up to $350 and beyond for second-hand ones. But it turns out that similar 8″ LCDs are found everywhere for use as portable displays, and all they need is a VGA input.

Taking [Adil]’s project as the inspiration, [Alexander] used a UPduino v3.1 with ICE40UP5K FPGA as the core LCD-to-VGA translation component, creating a custom PCB for the voltage level translations and connectors. One cool aspect of the whole system is that it is fully reversible, with all of the original wiring on the scope and new LCD side left intact. One niggle was that the scope’s image was upside-down, but this was fixed by mounting the new LCD upside-down as well.

After swapping the original cooling fan with a better one, this old HP 54542C is now [Alexander]’s daily scope.

Sensor Glove Translates Sign Language

Sign language is a language that uses the position and motion of the hands in place of sounds made by the vocal tract. If one could readily capture those hand positions and movements, one could theoretically digitize and translate that language. [ayooluwa98] built a set of sensor gloves to do just that.

The brains of the operation is an Arduino Nano. It’s hooked up to a series of flex sensors woven into the gloves, along with an accelerometer. The flex sensors detect the bending of the fingers and the gestures being made, while the accelerometer captures the movements of the hand. The Arduino then interprets these sensor signals in order to match the user’s movements up with a pre-stored list of valid signs. It can then transmit the detected signs via a Bluetooth module to an Android phone, which voices them using text-to-speech software.

The idea of capturing sign language via hand tracking is a compelling one; we’ve seen similar projects before, too. Meanwhile, if you’re working on your own accessibility projects, be sure to drop us a line!

Maxing Out Your Macintosh With A 4 MB Memory Stick Kit

One fun aspect of retrocomputing is that you get to max out all aspects of these systems without having to take out a bank loan, as tended to be the case when these systems were new. Less fun is that decades after systems like the Apple Macintosh SE/30 were last sold, the 30-pin SIMMs that form the expandable RAM for these systems have become rather scarce. This has led many to make their own SIMM PCBs, including [Kay Koba] with a PCB for 4 MB SIMMs along with information on which memory and parity ICs are suitable for these SIMMs.

For systems like the Macintosh SE/30 with eight 30-pin memory slots, the maximum capacity is 128 MB, but this comes with many gotchas due to its ROM being ’32-bit dirty’. While this can be circumvented by swapping in a ROM from a later Macintosh variant, the less invasive way is to enable the MODE32 system extension and install eight 4 MB SIMMs for a total of 32 MB RAM. RAM chips for such 30-pin SIMMs can be scavenged from the far more common 72-pin SIMMs, along with any new old stock one may come across.

These 4 MB SIMM PCBs are offered for sale by [Kay] with optionally the SMD components (capacitors, resistors and LED) included in the package. The original PCB card edge design is credited to work by [Zane Kaminski] whose GitHub profile also leads to e.g. this 30-pin SIMM project.

Have you modded your Macintosh or other retro system yet to the maximum RAM and storage limits?

Robotic Acrobot Aces The Moves

[Daniel Simu] is a performance artist, among many other things, and does acrobatic shows, quite often with a partner “flyer”. Training for his acts gets interrupted if his flyer partner is not available due to travel, injury or other reasons. This prompted him to build Acrobotics — a robotic assistant to make sure he can continue training uninterrupted.

He has some electronics and coding chops, but had to teach himself CAD so that he could do all of the design, assembly and programming himself. Acrobotics was developed as part of a Summer Sessions residency at V2_ (Lab for the Unstable Media) at Rotterdam in 2022.

The design is built around a mannequin body and things are quite simple at the moment. There are only two rotational joints for the arms at the shoulder, and no other articulations. Two car wiper motors rotate the two arms 360 deg in either direction. Continuous rotation potentiometers attached to the motors provide position feedback.

An ESP32 controls the whole thing, and the motors get juice via a pair of BTS7960 motor drivers. All of this is housed in a cage built from 15 mm aluminium extrusion and embedded in the torso of the mannequin. [Daniel] doesn’t tell us how the motor movements are synchronized with the music, but we do see a trailing cable attached to the mannequin. It’s likely the cable is used for power delivery, as well as some form of data or timing signals.

He’s working on the next version of the prototype, so we hope to see improved performances soon. There’s definitely scope for adding a suite of sensors – an IMU would help a lot to determine spatial orientation, maybe some ultrasonic sensors, or a LiDAR for object detection or mapping, or additional articulated joints at the elbows and wrists. We gotta love “feature creep”, right?

Check out the two videos after the break – in the first one, he does an overview of the Acrobotics, and the second one is the actual performance that he did. Robot or not, it’s quite an amazing project and performance.
CAVEAT: We know calling this a “robot” is stretching the definition, by a lot, but we’re going to let it slip through.


Making The One Ring By Electroplating Gold On A 3D Print

Electroplating is a great way to add strength or shine to a 3D print. However, we don’t see too many people trying it with gold. [HEN3DRIK] isn’t afraid to experiment, though, and pulled off some amazing, high-quality jewelry-grade plating!

The design for the project was the so-called Ring of Power from Lord of the Rings. The print was created on a resin printer at a high quality level, washed thoroughly to remove any remaining resin, and then cured. The print was then post-processed with sandpaper to make it as smooth as possible. Conductive paint was then applied, ready to take on the plating layers. [HEN3DRIK] first started by plating copper to build up a tough base layer, then nickel to prevent mixing between the copper and gold. The gold is then finally plated on top. Plating the copper is done with the ring constantly rotating to get as even a coat as possible. In contrast, the gold plating is done with a brush to avoid wasting the highly expensive plating solution.

The final result is a gleaming gold ring that probably feels strangely light in the hand. The technique is time-consuming, thanks to the need to plate multiple layers, but the results are to die for. We’ve seen [HEN3DRIK]’s fine work before, too. Video after the break.


Celebrating A Decade Of Bootleg Hackaday Merch

A listener of the podcast recently wrote in to tell us that, in the process of trying to purchase a legitimate Hackaday t-shirt, they discovered this 2012 Instructable from [yeltrow] that covers how you can cheaply crank out your own Wrencher shirts via screen printing.

Now, historically, as long as you’re not trying to make a buck off of our name, we’ve never felt the need to stop folks from putting our logo on their projects. So we’re not too concerned that somebody was making Wrencher shirts, especially since they were almost certainly for their own personal use. Though the fact that [yeltrow] apparently described the project as a “Hackster-Style shirt” to try and avoid using our name ended up being a prophetic 4D chess meta-joke that you couldn’t make up if you tried.