3D Printing Gets Small In A Big Way

If you have a 3D printer in your workshop, you probably fret more about how to get bigger objects out of it. However, the University of Amsterdam has a new technique that allows for fast large-scale printing with sub-micron resolution. The technique is a hybrid of photolithography and stereolithography.

One of the problems with printing with fine detail is that print times become very long. However, the new technique claims to have “acceptable production time.” Apparently, bioprinting applications are very much of interest to the technology’s first licensee. There is talk of printing, for example, a kidney scaffold in several hours or a full-sized heart scaffold in less than a day.

Another example application is the production of a chromatography instrument with 200 micron channels and 20 micron restrictions. This requires a printer capable of very fine detail. There are also applications in semiconductors and mechanical metamaterials. Of course, we always take note of photolithography processes because we use them to make PC boards and even integrated circuits. A desktop printer that could do photolithography might open up new ideas for producing electronic circuitry.

If you want to play with photolithography today, [Ben Krasnow] has some advice. Of course, there are several ways to produce PC boards, even with a garden-variety 3D printer.

This Week In Security: Linux WiFi, Fortinet, Text4Shell, And Predictable GUIDs

Up first this week is a quintet of vulnerabilities in the Linux kernel’s wireless code. It started with [Soenke Huster] from TU Darmstadt, who found a buffer overwrite in mac80211 code. The private disclosure to SUSE kernel engineers led to a security once-over of this wireless framework in the kernel, and some other nasty bugs were found. A couple result in Denial-of-Service (DoS), but CVE-2022-41674, CVE-2022-42719, and CVE-2022-42720 are Remote Code Execution vulnerabilities. The unfortunate bit is that these vulnerabilities are triggered on processing beacon frames — the wireless packets that announce the presence of a wireless network. A machine doesn’t have to be connected or trying to connect to a network; simply scanning for networks can lead to compromise.

The flaws were announced on the 13th, and were officially fixed in the mainline kernel on the 15th. Many distros shipped updates on the 14th, so the turnaround was quite quick on this one. The flaws were all memory-management problems, which has prompted a few calls for the newly-merged Rust framework to get some real-world use sooner rather than later.

Fortinet

Much of Fortinet’s lineup, most notably their Fortigate firewalls, has a pre-auth authentication bypass on the administrative HTTP/S interface. Or plainly, if you can get to the login page, you can break in without a password. That’s bad, but at this point, you *really* shouldn’t have any administrative interfaces world-accessible on any hardware. Updated firmware is available.

More than just a couple days have passed, so we have some idea of the root problem and how it was fixed. It’s a simple one — the Forwarded HTTP headers on an incoming request are unintentionally trusted. So just send a request with Forwarded:for and Forwarded:by set to 127.0.0.1, and it falls through into code logic intended for internal API calls. Add a trusted SSH key, and pop, you’re in. Whoops.
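
The class of bug described above, as an added illustration that is not Fortinet's code: a check that decides whether a request is "internal" from the client-supplied Forwarded header, next to one that uses the TCP peer address and honours Forwarded only from a listed proxy. The Request type, the function names and the TRUSTED_PROXIES value are assumptions made for this sketch.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Assumption for this sketch: the only reverse proxy allowed to vouch for clients.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}

@dataclass
class Request:
    peer_ip: str                                  # TCP peer address, set by the server
    headers: dict = field(default_factory=dict)   # fully client-controlled

def forwarded_for(headers):
    """Return the for= value of the first Forwarded element (RFC 7239), or None."""
    first = headers.get("Forwarded", "").split(",")[0]
    m = re.search(r'(?i)(?:^|;)\s*for="?\[?([^;"\]\s]+)', first)
    return m.group(1) if m else None

def is_internal_flawed(req):
    # Flawed: the header comes from the client, yet it decides the trust level.
    return forwarded_for(req.headers) == "127.0.0.1"

def client_ip(req):
    """Client address for logging and ACLs: Forwarded counts only behind a listed proxy."""
    peer = ipaddress.ip_address(req.peer_ip)
    if peer in TRUSTED_PROXIES:
        claimed = forwarded_for(req.headers)
        if claimed:
            try:
                return ipaddress.ip_address(claimed)
            except ValueError:
                pass  # obfuscated or malformed identifier: fall back to the peer
    return peer

def is_internal_hardened(req):
    # Internal means the connection itself arrived over loopback, whatever the headers say.
    return ipaddress.ip_address(req.peer_ip).is_loopback

# Constructed sample requests.
REMOTE = Request("203.0.113.7", {"Forwarded": 'for="127.0.0.1";by="127.0.0.1"'})
LOCAL = Request("127.0.0.1")
VIA_PROXY = Request("10.0.0.5", {"Forwarded": "for=198.51.100.9"})
```

The same header that flips the flawed check leaves the hardened one unchanged, which is also why restricting which peers can reach the administrative listener at all remains the first control.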

2022 Hackaday Supercon: Final Talks Announced

The third and final round of the 2022 Supercon talks announcements brings us closer to a complete picture of the full spectrum of hacking awesomeness taking the stage in just a few weeks. (And we haven’t even announced the keynote yet!)

Supercon is the Ultimate Hardware Conference and you need to be there! We’ll continue to announce speakers and workshops over the next couple weeks. Supercon will sell out so get your tickets now before it’s too late. And stay tuned for the next round of talk reveals next week!

This Week In Security: Npm Timing Leak, Siemens Universal Key, And PHP In PNG

First up is some clever wizardry from the [Aqua Nautilus] research team, who discovered a timing attack that leaks information about private npm packages. The setup is this: npm hosts both public and private node.js packages. The public ones are available to everyone, but the private packages are “scoped”, meaning they live within a private namespace, “@owner/packagename”, and are inaccessible to the general public. Trying to access the package results in an HTTP 404 error — the same error as trying to pull a package that doesn’t exist.


The clever bit is to keep trying, and really pay attention to the responses. Use npm’s API to request info on your target package, five times in a row. If the package name isn’t in use, all five requests will take the expected amount of time. That request lands at the service’s backend, a lookup is performed, and you get the response. On the flip side, if your target package does exist, but is privately scoped, the first request returns with the expected delay, and the other four requests return immediately. It appears that npm has a front-end that can cache a 404 response for a private package. That response time discrepancy means you can map out the private package names used by a given organization in their private scope.

Now this is all very interesting, but it turns into a plausible attack when combined with typosquatting and dependency confusion issues. Those attacks are two approaches to the same goal: get a node.js deployment to run a malicious package instead of the legitimate one the developer intended. One depends on typos, but dependency confusion just relies on a developer not explicitly defining the scope of a package.
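
A defender-side audit for the two cases described above, as an added example that is not from the original article: it flags dependencies in a package.json that are requested without a scope although a package of that name exists in the organisation's private scope, and dependencies whose scope is a one-character near miss of the private scope. The scope @acme, the internal package names and the manifest are constructed for illustration.

```python
import json

PRIVATE_SCOPE = "@acme"                                      # constructed
INTERNAL_NAMES = {"billing-core", "auth-client", "ui-kit"}   # constructed

# Constructed manifest: one correct entry, one unscoped internal name,
# one public package, one look-alike scope.
MANIFEST = """{
  "dependencies": {
    "@acme/billing-core": "^2.1.0",
    "auth-client": "^1.4.0",
    "express": "^4.18.2"
  },
  "devDependencies": {
    "@acmee/ui-kit": "^0.9.0"
  }
}"""

def edit_distance(a, b):
    """Levenshtein distance, two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def audit(manifest_text):
    """Return sorted (dependency, finding) pairs for entries that need review."""
    manifest = json.loads(manifest_text)
    findings = []
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for dep in manifest.get(section, {}):
            scope, _, name = dep.rpartition("/")
            if not scope and name in INTERNAL_NAMES:
                # Without a scope, the name can resolve from the public registry.
                findings.append((dep, "unscoped-internal-name"))
            elif scope and scope != PRIVATE_SCOPE and edit_distance(scope, PRIVATE_SCOPE) <= 1:
                # A scope one keystroke away from ours can be registered by anyone.
                findings.append((dep, "look-alike-scope"))
    return sorted(findings)
```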


Don’t Miss The Philadelphia Maker Faire This Weekend

For readers in the American Northeast that are looking for something to do this weekend, may we humbly suggest a day trip to attend the 2022 Philadelphia Maker Faire on Saturday, October 15th. After taking the last two years off due to COVID-19, the event has moved to the Independence Seaport Museum for its grand return, and is sure to attract plenty of hackers and makers who are eager to show off their pandemic projects.

Of course, the nature of these events is that you never really know what you’re going to see until you actually get there. But just browsing the list of confirmed projects that will have dedicated tables set up, we can tell there’s some very interesting stuff on tap — from fighting robots and hologram printers, to plasma physics and electric hydrofoils. While the deadline to submit projects for official inclusion has long since passed, we can tell you from experience that’s not going to stop folks from showing up with their own gadgets to show off to the captive audience. Especially if they’re of the wearable variety; it’s not really a Maker Faire unless somebody is wearing something that’s blinking.

Olympia and Becuna

Naturally, the Faire is the main event, but don’t forget that the Independence Seaport Museum itself is worth checking out while you’re there. You can tour the 130-year-old USS Olympia, as well as the USS Becuna, one of the last surviving WWII Balao-class submarines.

While the community might never truly recover from the loss of the flagship Maker Faires in New York and California, we do take some comfort in knowing that smaller regional shows like this one have been growing over the last several years. They’re not only a great way to connect with like-minded folks in your area, but can help you connect with maker-friendly vendors and organizations which you might otherwise be unaware of.

This Week In Security: PHP Attack Defused, Scoreboard Manipulation, And Tillitis

If you use PHP, you likely use the Composer tool for managing dependencies, at least indirectly. And the good folks at SonarSource found a nasty, potential supply chain attack in this tool, when used in the Packagist repository. The problem is the support for arbitrary README filenames. When a package update shows up on Packagist, that service uses a Version Control System (VCS) like Git or Mercurial to pull the specified readme location. That pull operation is subject to argument injection. Name your branch --help, and Git will happily run the help argument instead of doing the pull intended. In the case of Git commands, our intrepid researchers were unable to weaponize the issue to achieve code execution.

Composer also supports projects that use Mercurial as their VCS, and Mercurial has a --config option that has… interesting potential. It allows redefining a Mercurial command as a script snippet. So a project just has to contain a malicious payload.sh, and the readme set to --config=alias.cat=!hg cat -r : payload.sh|sh;,txt. For those keeping track at home, the vulnerability is that this cursed string of ugly is accepted by Composer as a valid filename. This uses the --config trick to redefine cat as a bit of script that executes the payload. It ends in .txt because that is a requirement of Composer.

So let’s talk about what this little hack could have been used for, or maybe still used for on an unpatched, private install of Packagist. This is an unattended attack that jumps straight to remote script execution — on an official package repository. If discovered and used for evil, this would have been a massive supply chain attack against PHP deployments. Instead, thanks to SonarSource, it was discovered and disclosed privately back in April. The official Packagist repo at packagist.org was fixed the day after disclosure, and a CVE and updated packages went out six days later. Great work all around.
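
A sketch of the mitigation for this class of argument injection, added here and not Composer's or Packagist's actual patch: treat the revision and README name as data by rejecting values that start with a dash, and place an end-of-options marker before the file name in the argument vector. The function names, the allow-list pattern and the sample values are assumptions for illustration; no VCS command is run.

```python
import re

# Assumption: a conservative allow-list for revisions and README paths in this sketch.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_./-]*\Z")

def hg_cat_argv_flawed(revision, readme):
    # Flawed: both values land where hg still parses options.
    return ["hg", "cat", "-r", revision, readme]

def validate(value, what):
    """Reject anything hg could read as an option or that walks out of the repo."""
    if value.startswith("-"):
        raise ValueError(f"{what} starts with '-': {value!r}")
    if not SAFE_VALUE.match(value) or ".." in value.split("/"):
        raise ValueError(f"{what} has unexpected characters: {value!r}")
    return value

def hg_cat_argv_hardened(revision, readme):
    # The validated revision cannot look like an option, and "--" ends option
    # parsing, so the file name can only ever be a positional argument.
    return ["hg", "cat", "-r", validate(revision, "revision"),
            "--", validate(readme, "readme")]

def try_build(revision, readme):
    """Return the argv list, or the rejection reason as a string."""
    try:
        return hg_cat_argv_hardened(revision, readme)
    except ValueError as exc:
        return f"rejected: {exc}"

# Constructed inputs; the second is shaped like the option-style name the
# article describes, with the payload replaced by a placeholder.
OK = try_build("default", "docs/README.txt")
BAD = try_build("default", "--config=alias.cat=<placeholder>.txt")
```

Passing the vector as a list to the process API, rather than through a shell string, is what keeps each validated value in its own argument slot.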

Robot Blade Runner Turns In World Record Time

While we wish colleges and universities competed more on academics, we can’t deny that more people are interested in their athletics programs. Oregon State, however, has done a little of both since their bipedal robot, Cassie, became the world’s fastest bipedal robot according to the Guinness Book of World Records. You can see a video of the 100 meter run below, but don’t blink. The robot turned in a time of around 25 seconds.

Impressive, but still not on par with Usain Bolt’s time of under 10 seconds for the same distance. If you want to see what that would be like, try running the long way across a football field and see how far you get in 25 seconds. There isn’t a lot of technical detail about the robot, but you can intuit some things from watching it go. You can also find a little more information on the robot and some of its siblings on the University’s website.

If you think robots won’t ever run as well as humans, we used to think the same thing about playing chess. This doesn’t look like we normally envision a bipedal robot. Then again, there isn’t any reason robots have to look, or move, like we do.
