This Week In Security: Npm Timing Leak, Siemens Universal Key, And PHP In PNG

October 14, 2022 by Jonathan Bennett 12 Comments

First up is some clever wizardry from the [Aqua Nautilus] research team, who discovered a timing attack that leaks information about private npm packages. The setup is this, npm hosts both public and private node.js packages. The public ones are available to everyone, but the private packages are “scoped”, meaning they live within a private namespace, “@owner/packagename” and are inaccessible to the general public. Trying to access the package results in an HTTP 404 error — the same error as trying to pull a package that doesn’t exist.

The clever bit is to keep trying, and really pay attention to the responses. Use npm’s API to request info on your target package, five times in a row. If the package name isn’t in use, all five requests will take the expected amount of time. That request lands at the service’s backend, a lookup is performed, and you get the response. On the flipside if your target package does exist, but is privately scoped, the first request returns with the expected delay, and the other four requests return immediately. It appears that npm has front-end that can cache a 404 response for a private package. That response time discrepancy means you can map out the private package names used by a given organization in their private scope.

Now this is all very interesting, but it turns into a plausible attack when combined with typosquatting and dependency confusion issues. Those attacks are two approaches to the same goal, get a node.js deployment to run a malicious package instead of the legitimate one the developer intended. One depends on typos, but dependency confusion just relies on a developer not explicitly defining the scope of a package.

Continue reading “This Week In Security: Npm Timing Leak, Siemens Universal Key, And PHP In PNG” →

Don’t Miss The Philadelphia Maker Faire This Weekend

October 11, 2022 by Tom Nardi 3 Comments

For readers in the American Northeast that are looking for something to do this weekend, may we humbly suggest a day trip to attend the 2022 Philadelphia Maker Faire on Saturday, October 15th. After taking the last two years off due to COVID-19, the event has moved to the Independence Seaport Museum for its grand return, and is sure to attract plenty of hackers and makers who are eager to show off their pandemic projects.

Of course, the nature of these events is that you never really know what you’re going to see until you actually get there. But just browsing the list of confirmed projects that will have dedicated tables set up, we can tell there’s some very interesting stuff on tap — from fighting robots and hologram printers, to plasma physics and electric hydrofoils. While the deadline to submit projects for official inclusion has long since passed, we can tell you from experience that’s not going to stop folks from showing up with their own gadgets to show off to the captive audience. Especially if they’re of the wearable variety; it’s not really a Maker Faire unless somebody is wearing something that’s blinking.

Naturally the Faire itself is obviously the main event, but don’t forget that the Independence Seaport Museum itself is worth checking out while you’re there. You can tour the 130-year-old USS Olympia, as well as the USS Becuna, one of the last surviving WWII Balao-class submarines.

While the community might never truly recover from the loss of the flagship Maker Faires in New York and California, we do take some comfort in knowing that smaller regional shows like this one have been growing over the last few several years. They’re not only a great way to connect with like-minded folks in your area, but can help you connect with maker-friendly vendors and organizations which you might otherwise be unaware of.

This Week In Security: PHP Attack Defused, Scoreboard Manipulation, And Tillitis

October 7, 2022 by Jonathan Bennett 1 Comment

If you use PHP, you likely use the Composer tool for managing dependencies, at least indirectly. And the good folks at SonarSource found a nasty, potential supply chain attack in this tool, when used in the Packagist repository. The problem is the support for arbitrary README filenames. When a package update shows up on Packagist, that service uses a Version Control Service (VCS) like Git or Mercurial to pull the specified readme location. That pull operation is subject to argument injection. Name your branch --help, and Git will happily run the help argument instead of doing the pull intended. In the case of Git commands, our intrepid researchers were unable to weaponize the issue to achieve code execution.

Composer also supports projects that use Mercurial as their VCS, and Mercurial has a --config option that has… interesting potential. It allows redefining a Mecurial command as a script snippet. So a project just has to contain a malicious payload.sh, and the readme set to --config=alias.cat=!hg cat -r : payload.sh|sh;,txt. For those keeping track at home, the vulnerability is that this cursed string of ugly is accepted by Composer as a valid filename. This uses the --config trick to redefine cat as a bit of script that executes the payload. It ends in .txt because that is a requirement of Composer.

So let’s talk about what this little hack could have been used for, or maybe still used for on an unpatched, private install of Packagist. This is an unattended attack that jumps straight to remote script execution — on an official package repository. If discovered and used for evil, this would have been a massive supply chain attack against PHP deployments. Instead, thanks to SonarSource, it was discovered and disclosed privately back in April. The official Packagist repo at packagist.org was fixed the day after disclosure, and a CVE and updated packages went out six days later. Great work all around.
Continue reading “This Week In Security: PHP Attack Defused, Scoreboard Manipulation, And Tillitis” →

Robot Blade Runner Turns In World Record Time

October 6, 2022 by Al Williams 23 Comments

While we wish colleges and universities competed more on academics, we can’t deny that more people are interested in their athletics programs. Oregon State, however, has done a little of both since their bipedal robot, Cassie, became the world’s fastest bipedal robot according to the Guinness Book of World Records. You can see a video of the 100 meter run below, but don’t blink. The robot turned in a time of around 25 seconds.

Impressive, but still not on par with Usan Bolt’s time of under 10 seconds for the same distance. If you want to see what that would be like, try running the long way across a football field and see how far you get in 25 seconds. There isn’t a lot of technical detail about the robot, but you can intuit some things from watching it go. You can also find a little more information on the robot and some of its siblings on the University’s website.

If you think robots won’t ever run as well as humans, we used to think the same thing about playing chess. This doesn’t look like we normally envision a bipedal robot. Then again, there isn’t any reason robots have to look, or move, like we do.

Continue reading “Robot Blade Runner Turns In World Record Time” →

Hackaday Wants You: Be A Supercon Volunteer

October 5, 2022 by Elliot Williams 4 Comments

Spot the volunteers! (Hint: red shirts. And you know what happens to the red shirts…)

The Supercon approaches! If you are thinking of attending, but the cost of admission is too steep, one way to get in for free is to volunteer. That’s three wonderful days of events, two nights of partying, lunch, dinner, and of course Supercon. All you have to do is help us run the show.

Volunteers help out all around, giving out schwag bags, hustling speakers here and there, and just generally working behind the scenes to make Supercon super. We’re looking for three four-hour shifts over the whole long weekend,

So if you’re interested in helping out, and you’d like to get in free and get super volunteer-only gear to boot, put in your application now. We’ll be accepting volunteers until October 20th and getting in touch by email on October 24th.

Of course, we just announced the first round of speakers, we’ve got the badge reveal coming up, and much, much more. Follow along here, or at Hackaday.io/superconference for more info.

East Coast RepRap Festival Returns This Weekend

October 5, 2022 by Tom Nardi 3 Comments

After laying low during the height of the pandemic, the East Coast RepRap Festival (ERRF) is just days away from making its triumphant return to Bel Air, Maryland. This two-day celebration of all things extruded is packed with talks, exhibits, and demonstrations that you won’t want to miss if you’ve got even a passing interest in 3D printing. You can purchase advance tickets now — adult admission for both days (Oct 8 & 9) will set you back just $10 USD, while anyone under 17 gets in for free.

ERRF 22 will honor Sanjay Mortimer with a bust printed by the community.

When we visited in 2019, ERRF was only in its second year, but it was already obvious that it was becoming a major event in the 3D printing world. The schedule included talks from 3D printing luminaries such as Adrian Bowyer, Josef Průša was on hand to personally unveil the Prusa Mini, and it seemed everyone who ever squirted out a bit of hot plastic on YouTube was there to stream live from the show floor. But then COVID-19 came around and jammed the extruder, as it were.

We’re glad to see that an event as young as ERRF managed to weather the pandemic and return to an in-person show. There was naturally a risk of loosing momentum, especially as the organizers opted not to go the virtual route these last two years — but with palpable online buzz about the event and a stacked lineup of speakers, vendors, and exhibitors, it seems like even a global pandemic couldn’t hold these hackers and makers down for long.

If you make the trip to Maryland this weekend and happen to run into a roving Hackaday writer, there just might be some special edition swag in it for you. But for those who can’t make it to ERRF in person, don’t worry. As always, we’ll make sure to bring you plenty of pictures and details from the show.

2022 Hackaday Supercon Speakers Will Inspire You

October 4, 2022 by Elliot Williams 10 Comments

The return of Supercon is taking place in just a month. We’ve got 45 fantastic talks and workshops planned for the three-day weekend, and they are as varied and inspiring as the Hackaday community itself. From molecules to military connectors, here’s an even dozen talks to whet your appetite.

Supercon is the Ultimate Hardware Conference and you need to be there! We’ll continue to announce speakers and workshops over the next couple weeks. Supercon will sell out so get your tickets now before it’s too late. And stay tuned for the next round of talk reveals next week! Continue reading “2022 Hackaday Supercon Speakers Will Inspire You” →