Hackaday Links: May 15, 2022

It may be blurry and blotchy, but it’s ours. The first images of the supermassive black hole at the center of the Milky Way galaxy were revealed this week, and they caused quite a stir. You may recall the first images of the supermassive black hole at the center of the M87 galaxy from a couple of years ago: spectacular images that captured exactly what all the theories said a black hole should look like, or more precisely, what the accretion disk and event horizon should look like, since black holes themselves aren’t much to look at. That black hole, dubbed M87*, is over 55 million light-years away, but is so huge and so active that it was relatively easy to image. The black hole at the center of our own galaxy, Sagittarius A*, is comparatively tiny — its event horizon would fit inside the orbit of Mercury — and much closer at only 26,000 light-years or so. But our black hole is much less active and is obscured by dust, so imaging it was far more difficult. It’s a stunning technical achievement, and the images are certainly worth checking out.

Another one from the “Why didn’t I think of that?” files — contactless haptic feedback using the mouth is now a thing. This comes from the Future Interfaces Group at Carnegie-Mellon and is intended to provide an alternative to what ends up being about the only practical haptic device for VR and AR applications — vibrations from off-balance motors. Instead, this uses an array of ultrasonic transducers positioned on a VR visor and directed at the user’s mouth. By properly driving the array, pressure waves can be directed at the lips, teeth, and tongue of the wearer, providing feedback for in-world events. The mock game demonstrated in the video below is a little creepy — not sure how many people enjoyed the feeling of cobwebs brushing against the face or the splatter of spider guts in the mouth. Still, it’s a pretty cool idea, and we’d like to see how far it can go.

Who Is Thinking About Open Source Firmware?

Yesterday, we ran a post on NVIDIA’s announcement of open-source drivers for some of its most recent video cards. And Hackaday being huge proponents of open-source software and hardware, you’d think we’d be pouring the champagne. But it’s trickier than that.

Part of the reason that they are able to publish a completely new, open-source driver is that the secrets that they’d like to keep have moved into the firmware. So is the system as a whole more or less open? Yeah, maybe both.

With a more open interface between the hardware and the operating system, the jobs of people porting the drivers to different architectures are going to be easier. Bugs that are in what is now the driver layer should get found and fixed faster. All of the usual open-source arguments apply. But at the same time, the system as a whole isn’t all that much more transparent. The irony about the new NVIDIA drivers is that we’ve been pushing them to be more open for decades, and they’ve responded by pushing their secrets off into firmware.

Secrets that move from software to firmware are still secrets, and even those among us who are the most staunch proponents of open source have closed hardware and firmware paths in our computers. Take the Intel Management Engine, a small computer inside your computer that’s running all the time — even while the computer is “off”. You’d like to audit the code for that? Sorry. And it’s not as if it hasn’t had its fair share of security-relevant bugs.

And the rabbit hole goes deeper, of course. No modern x86 chips actually run the x86 machine language instructions directly — instead they have a microcode interpreter that reads the machine language and translates it into what the chip really speaks. This is tremendously handy because it means that chip vendors can work around silicon bugs by simply pushing out a firmware update. But it also means that your CPU is running a secret firmware layer at its core. This layer is of course not without bugs, some of which can have security-relevant implications.

This goes double for your smartphone, which is chock-full of multiple processors that work more or less together to get the job done. So while Android users live in a more open environment than their iOS brethren, when you start to look down at the firmware layer, everything is the same. The top layer of the OS is open, but it’s swimming on top of an ocean of binary blobs.

How relevant any of this is to you might depend on what you intend to do with the device. If you’re into open source because you like to hack on software, having open drivers is a fantastic resource. If you’re looking toward openness for the security guarantees it offers, well, you’re out of luck because you still have to trust the firmware blindly. And if you’re into open source because the bugs tend to be found quicker, it’s a mix — while the top level drivers are made more inspectable, other parts of the code are pushed deeper into obscurity. Maybe it’s time to start paying attention to open source firmware?

Hackaday Podcast 168: Math Flattens Spheres, FPGAs Emulate Arcades, And We Can’t Shake Polaroid Pictures

Join Hackaday Editor-in-Chief Elliot Williams and Staff Writer Dan Maloney as they review the top hacks for the week. It was a real retro-fest this time, with a C64 built from (mostly) new parts, an Altoids Altair, and learning FPGAs via classic video games. We also looked at LCD sniffing to capture data from old devices, reimagined the resistor color code, revisited the magic of Polaroid instant cameras, and took a trip down television’s memory lane. But it wasn’t all old stuff — there’s flat-packing a sphere with math, spraying a fine finish on 3D printed parts, a DRM-free label printer, and a look at what’s inside that smartphone in your pocket — including some really weird optics.

Check out the links below if you want to follow along, and as always, tell us what you think about this episode in the comments below!

This Week In Security: F5 Twitter PoC, Certifried, And Cloudflare Pages Pwned

F5’s BIG-IP platform has a Remote Code Execution (RCE) vulnerability: CVE-2022-1388. This one is interesting, because a Proof of Concept (PoC) was quickly reverse engineered from the patch and released on Twitter, among other places.

HORIZON3.ai researcher [James Horseman] wrote an explainer that sums up the issue nicely. User authentication is handled by multiple layers, one being a Pluggable Authentication Modules (PAM) module, and the other internally in a Java class. In practice this means that if the PAM module sees an X-F5-Auth-Token, it passes the request on to the Java code, which then validates the token to confirm it as authentic. If a request arrives at the Java service without this header, and instead the X-Forwarded-Host header is set to localhost, the request is accepted without authentication. The F5 authentication scheme isn’t naive, and a request without the X-F5-Auth-Token header gets checked by PAM, and dropped if the authentication doesn’t check out.

So where is the wiggle room that allows for a bypass? Yet another HTTP header, the Connection header. Normally this one only comes in two varieties, Connection: close and Connection: keep-alive. Really, this header is a hint describing the connection between the client and the edge proxy, and the contents of the Connection header are the list of other headers to be removed by a proxy. It’s essentially the list of headers that only apply to the connection over the internet.

Now, this use is a bit obscure. Various proxies support it, but apparently not everyone is familiar with this behavior, because the F5 reverse proxy did indeed honor the Connection header and stripped out the X-F5-Auth-Token, after the PAM module had processed the request, of course. The last puzzle piece is the Host header, which is used by the proxy to build the X-Forwarded-Host header.

So PAM sees the Auth header, and passes the request to the Java service without doing authorization checking. The reverse proxy sees the Connection header, and strips it and the Auth header out. It then rewrites the Host header into X-Forwarded-Host. And finally, the back-end receives the request without an Auth header, coming from localhost according to X-Forwarded-Host, so it accepts it without authentication. Set three custom HTTP headers, and you can skip authentication. Ouch!
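The request shape described above is easy to spot at the edge. Here is an added detection helper (not code from Horizon3, F5 or the original post) that parses a raw request and flags a Connection header naming an authentication header, plus a Host header claiming a loopback origin; the sample requests are constructed and the path is a placeholder.

```python
"""Added example: flag requests that ask a proxy to strip auth headers."""
import re

# Header names RFC 7230 lets a client list in Connection as hop-by-hop.
STANDARD_HOP_BY_HOP = {
    "close", "keep-alive", "upgrade", "te", "trailer",
    "transfer-encoding", "proxy-authorization", "proxy-authenticate",
}
# Headers a backend may use to decide whether a request is authenticated.
AUTH_HEADERS = {"authorization", "x-f5-auth-token", "cookie"}
LOOPBACK = re.compile(r"^(localhost|127\.\d+\.\d+\.\d+|\[::1\])(:\d+)?$", re.I)

def parse_headers(raw: str) -> dict:
    """Parse the header block of a raw HTTP request into a lower-cased dict."""
    headers = {}
    for line in raw.split("\r\n")[1:]:   # skip the request line
        if not line:                      # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def suspicious_findings(raw: str) -> list:
    """Return the reasons a request looks like a header-stripping bypass."""
    h = parse_headers(raw)
    findings = []
    tokens = {t.strip().lower() for t in h.get("connection", "").split(",") if t.strip()}
    for t in sorted(tokens - STANDARD_HOP_BY_HOP):
        if t in AUTH_HEADERS:
            findings.append(f"Connection header asks proxy to drop auth header {t}")
        elif t in h:
            findings.append(f"Connection header names non-hop-by-hop header {t}")
    host = h.get("host", "")
    if LOOPBACK.match(host):
        findings.append(f"Host header claims loopback origin: {host}")
    return findings

# Constructed samples: one matching the bypass pattern, one ordinary request.
SAMPLE_BYPASS = (
    "POST /placeholder/admin HTTP/1.1\r\n"
    "Host: localhost\r\n"
    "Connection: keep-alive, X-F5-Auth-Token\r\n"
    "X-F5-Auth-Token: placeholder\r\n"
    "\r\n"
)
SAMPLE_BENIGN = "GET / HTTP/1.1\r\nHost: bigip.example.com\r\nConnection: close\r\n\r\n"
```

A proxy should also refuse to strip non-standard headers on request, and a backend should never treat X-Forwarded-Host as proof of where a request came from.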

Active Directory Certifried

Ah, Active Directory. This time, it’s AD’s support for authenticating via public key certificates. AD can hand out certificates for users and machines that are on the domain. The difference between those two is that users have a User Principal Name (UPN), while machines have a dNSHostName attribute. The UPN has a strict uniqueness requirement, but dNSHostName strangely has no such requirement. So what happens if you set a machine account to have the same dNSHostName as the domain controller?

After making a couple of tweaks to the account, yes, you can indeed rename a machine account to match the domain controller. Request a PKI certificate for this renamed account, and you’ve suddenly got a golden ticket — the rest of the domain thinks you’re the controller. This one was fixed in the May 2022 updates.

TLStorm 2

Are you running Aruba or Avaya hardware? Time to check for firmware updates, as Armis just released the TLStorm 2 disclosure. It’s similar to the earlier problems found in APC battery backups. Once again, the nanoSSL library is embedded in device firmware, and there are flaws both in the library and the integration. In both brands, the flaws allow for pre-auth RCE, but thankfully these interfaces aren’t normally exposed to the open internet.

Cloudflare Pages

Researchers at Assetnote took a look at Cloudflare Pages, a continuous deployment platform where Cloudflare pulls code from a user’s GitHub/GitLab repository, runs arbitrary build commands on Cloudflare’s infrastructure, and then hosts the results — surely that could go wrong somehow.

Thankfully, pages lets us specify arbitrary build commands for running the build. So naturally, our website is going to build a reverse shell.

That reverse shell worked, giving the researchers a foot in the door. They describe the process as being very much like a Capture The Flag (CTF) competition. Their first flag captured was the ability to run arbitrary commands as root inside the build environment. The build script performs a mv command with the build path as its argument. That’s easy: including a semicolon in the path makes it run a command: f;env>/tmp/bar.txt;echo

The only problem is that before running the build, the path is validated to make sure the directory exists. Not really a problem, as the command is also a valid directory name: mkdir -p 'f;env>/tmp/bar.txt;echo' That dumped the environment variables from the build, and among the data was a GitHub private key. That key was used for all the builds, meaning that it gave access to all 18290 user repositories from other Cloudflare Pages users. There are more “flags” described in the write-up; go check it out for the rest of the story.
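The root cause is a user-controlled path being interpolated into a shell command. The following is an added example (not Cloudflare’s or Assetnote’s code) of how such a build step can be hardened: an allow-list check that rejects the semicolon payload from the write-up and any traversal outside the workspace, and an argv-style mv invocation so the path is never parsed by a shell. The function and variable names are assumptions.

```python
"""Added example: hardening a build step that shells out with a user path."""
import os
import re
import subprocess

# VULNERABLE pattern, shown only as prose: subprocess.run(f"mv {path} out", shell=True)
# lets "f;env>/tmp/bar.txt;echo" run as three shell commands.

# Conservative allow-list for a relative build output path: no ';', '>', quotes,
# spaces or a leading '-' (which mv would read as an option).
SAFE_PATH = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.\-/]*$")

def validate_build_path(path: str, workspace: str) -> bool:
    """Accept only simple relative paths that resolve inside the workspace."""
    if not SAFE_PATH.match(path):
        return False
    real_ws = os.path.realpath(workspace)
    real = os.path.realpath(os.path.join(real_ws, path))
    # realpath collapses ".." segments, so this blocks escapes like "a/../../etc".
    return real == real_ws or real.startswith(real_ws + os.sep)

def move_build_output(path: str, workspace: str, dest: str) -> bool:
    """Move the build output to dest without handing the path to a shell."""
    if not validate_build_path(path, workspace):
        return False
    src = os.path.join(workspace, path)
    # argv form: each element is one argument, and "--" ends option parsing.
    subprocess.run(["mv", "--", src, dest], check=True)
    return True
```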

Cloudflare responded to the bug reports admirably, finding evidence in their logs for the proof of concept exploitation of all the vulnerabilities reported. Once they had solid Indicators of Compromise (IoC) for each exploit, they scoured their logs for any signs of actual malicious exploitation. For all those bugs, the only hits were associated with the research. The last bug discovered, an open Kubernetes API port, didn’t have an accessible IoC, so Cloudflare sent a notification to customers that could have been exposed to the issue. Good job!

Bits and Bytes

Ransomware has claimed a novel victim, Lincoln College in Illinois. Just as the school was coming back after the pandemic, their systems were hit by a ransomware attack in December 2021. All essential systems were out of commission for about three months, and once restored, it became clear that the school was no longer financially sustainable. Ransomware killed a college. Let that sink in.

Trend Micro finally incorrectly classified Microsoft’s browser as malware. Multiple Trend Micro customers reported that a Microsoft Edge file, msedge_200_percent.pak, was getting flagged as malware. The error has been corrected, and Trend Micro has published a script to help clean up potential damage from the false positive.

Cisco’s NFVIS virtualization platform has a collection of serious problems just announced and patched. The worst is a VM escape, allowing an attacker to get root access to the hypervisor. There’s also a pair of injection vulnerabilities, also quite serious. If NFVIS is part of your infrastructure, go forth and update!

Can You Help NASA Build A Mars Sim In VR?

No matter your project or field of endeavor, simulation is a useful tool for finding out what you don’t know. In many cases, problems or issues aren’t obvious until you try and do something. Where doing that thing is expensive or difficult, a simulation can be a low-stakes way to find out some problems without huge costs or undue risks.

Going to Mars is about as difficult and expensive as it gets. Thus, it’s unsurprising that NASA relies on simulations in planning its missions to the Red Planet. Now, the space agency is working to create a Mars sim in VR for training and assessment purposes. The best part is that you can help!

Bare-Metal STM32: Using The I2C Bus In Master-Transceiver Mode

As I2C is one of the most popular buses today for on- and inter-board communication within systems, there’s a good chance you’ll end up using it with an embedded system. I2C offers a variety of speeds while requiring only two wires (clock and data), which makes it significantly easier to handle than alternatives such as SPI. Within the STM32 family of MCUs, you will find at least one I2C peripheral on each device.

As a shared, half-duplex medium, I2C uses a rather straightforward call-and-response design, where one device controls the clock, and other devices simply wait and listen until their fixed address is sent on the I2C bus. While configuring an STM32 I2C peripheral entails a few steps, it is quite painless to use afterwards, as we will see in this article.

Data Alignment Across Architectures: The Good, The Bad And The Ugly

Even though a computer’s memory map looks pretty smooth and very much byte-addressable at first glance, the same memory on a hardware level is a lot more bumpy. An essential term a developer may come across in this context is data alignment, which refers to how the hardware accesses the system’s random access memory (RAM). This and related behaviors are properties of the RAM and memory bus implementation of the system, with a variety of implications for software developers.

For a 32-bit memory bus, the optimal access type for some data would be four bytes, aligned exactly on a four-byte boundary within memory. What happens when unaligned access is attempted – such as reading said four-byte value aligned halfway into a word – is implementation defined. Some hardware platforms have hardware support for unaligned access; others throw an exception that the operating system (OS) can catch and fall back to an unaligned routine in software. Other platforms will generally throw a bus error (SIGBUS in POSIX) if you attempt unaligned access.

Yet even if unaligned memory access is allowed, what is the true performance impact?