This Week In Security: Peering Through The Wall, Apple’s GoFetch, And SHA-256

The Linux command wall is a hold-over from the way Unix machines used to be used. It’s an abbreviation of Write to ALL, and it was first included in AT&T Unix, way back in 1975. wall is a tool that a sysadmin can use to send a message to the terminal session of all logged-in users. So far nothing too exciting from a security perspective. Where things get a bit more interesting is the consideration of ANSI escape codes. Those are the control codes that move the cursor around on the screen, also inherited from the olden days of terminals.

The modern wall binary is actually part of util-linux, rather than being a continuation of the old Unix codebase. On many systems, wall is installed setgid, so the behavior of the system binary really matters. It’s accepted that wall shouldn’t be able to send control codes, and when processing a message specified via standard input, those control codes get rejected by the fputs_careful() function. But when a message is passed in on the command line, as an argument, that function call is skipped.

This allows any user that can send wall messages to also send ANSI control codes. Is that really a security problem? There are two scenarios where it could be. The first is that some terminals support writing to the system clipboard via command codes. The other, more creative issue, is that the output from running a binary could be overwritten with arbitrary text. Text like:
Sorry, try again.
[sudo] password for jbennett:

You may have questions. Like, how would an attacker know when such a command would be appropriate? And how would this attacker capture a password that has been entered this way? The simple answer is by watching the list of running processes and the system log. Many systems have a command-not-found function, which will print the failing command to the system log. If that failing command is actually a password, then it’s right there for the taking. Now, you may think this is a very narrow attack surface that’s not going to be terribly useful in real-world usage. And that’s probably pretty accurate. It is a really fascinating idea to think through, and definitely worth getting fixed.
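As an added illustration (not util-linux code, and not the fputs_careful() routine itself), here is the kind of control-byte check a broadcaster like wall should apply to every message regardless of where it came from: refuse anything carrying a C0 control byte (ESC included) or DEL, and show what a stripped form would look like. The message texts are constructed for the example; the function names are assumptions.

```shell
#!/bin/sh
# Added example, not util-linux's fputs_careful(): a shell-level filter that
# treats argv-supplied and stdin-supplied messages the same way.

# Return 0 when the message contains no control bytes other than tab and
# newline, 1 when it contains any other C0 control byte (ESC, 0x1b, included)
# or DEL (0x7f). LC_ALL=C makes tr operate on raw bytes.
message_is_clean() {
    n=$(printf '%s' "$1" | LC_ALL=C tr -cd '\000-\010\013-\037\177' | wc -c | tr -d ' ')
    [ "$n" -eq 0 ]
}

# Drop every control byte except tab and newline, so an escape sequence such
# as ESC [ 2 J (clear screen) degrades to the harmless text "[2J".
strip_control_bytes() {
    printf '%s' "$1" | LC_ALL=C tr -d '\000-\010\013-\037\177'
}

# Gate a message the way a careful broadcaster should: forward a clean message
# unchanged, otherwise refuse it and log the stripped form for review.
broadcast_or_reject() {
    if message_is_clean "$1"; then
        printf '%s\n' "$1"
    else
        printf 'rejected: control bytes in message; stripped form: %s\n' \
            "$(strip_control_bytes "$1")" >&2
        return 1
    fi
}

# Constructed inputs: a routine notice, and one that opens with a clear-screen
# escape followed by the fake prompt text from the article.
PLAIN_MSG='System going down for maintenance at 18:00'
HOSTILE_MSG=$(printf 'x\033[2JSorry, try again.\n[sudo] password for jbennett: ')

broadcast_or_reject "$PLAIN_MSG"
broadcast_or_reject "$HOSTILE_MSG" || echo "hostile message blocked"
```

The filter deliberately whitelists rather than trying to recognise particular escape sequences: terminals differ in which sequences they honour (the clipboard-writing ones the article mentions are one example), so the safe rule is that nothing below 0x20 except tab and newline ever reaches another user's terminal.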

Galvanize Your Grip On Grep With This Great Grep Guide

These days, you can’t throw a USB stick without hitting something that’s running Linux. It might be a phone, an embedded device, or your TV. Either way, it’s running Linux, and somewhere along the line of the development of whatever your USB stick smacked into, somebody used the Global Regular Expression Print utility, better known as Grep. But what is Grep, and why do you need it? [Anton Zhiyanov] not only answers those questions but provides Grep by example: Interactive Guide to help you along.

Grep By Example is also available as a PDF Minibook, and a Grep playground helps you learn quickly.

To understand Linux, one must understand its commercial predecessor, Unix. One of the things that made Unix (and then Linux) unique was its philosophy: Write programs that work together, do one thing well, and handle text streams. This philosophy describes a huge number of programs, and one of these programs is Grep. It’s installed everywhere there’s a *nix installed, and once one becomes familiar with it, their command-line-fu reaches an all new level.

At its core, Grep is simply a bloodhound. Its scent? A magical incantation called Regular Expressions. Regular Expressions (aka Regex) are simply a way of describing what a stream of text should look like. So when you feed Grep a bit of Regular Expression, it Prints only the text that matches that expression. Neat, right?

The trouble is that Regex can be kind of hard, and Grep has various versions and capabilities that need to be learned. And this is where the article shines: it covers both in an excellent interactive tutorial that’ll help you become a Grep Guru in no time. And if you want to do a deeper dive, check out what it takes to make your own Regex Engine from scratch!

This Week In Security: Loop DOS, Flipper Responds, And More!

Here’s a fun thought experiment. UDP packets can be sent with an arbitrary source IP and port, so you can send a packet to one server, and could aim the response at another server. What happens if that response triggers another response? What if you could craft a packet that continues that cycle endlessly? That is essentially the idea behind Loop DoS (Denial of Service).

This avalanche of packets has been demonstrated against specific implementations of several different network services, such as TFTP, DNS, and NTP. Several CVEs are being used to track the issue, but CVE-2024-2169 is particularly odd, with the description that “Implementations of UDP application protocol are vulnerable to network loops.” This seems to be a blanket CVE for UDP, which is particularly inappropriate given that a DoS of this sort was first reported in 2009 at the latest.

More details are available in a Google Doc. There are some interesting tidbits there, like the existence of cross-protocol loops, and several legacy protocols that are vulnerable by design. The important thing to remember here is that you have to have an accessible UDP port for this sort of attack to take place, so if you’re not using it, firewall it.

Flipper Flips Back

We’ve covered the saga of the Flipper Zero vs the Canadian government, in the context of car theft. The short version is that Canada has seen an uptick of car thefts from organized crime. Rather than meaningfully dealing with this problem, the Canadian government went looking for scapegoats, and found the Flipper Zero.

Well now, Flipper has responded, and put simply, the message is “stop the madness”. There has never been a confirmed case of using a Flipper to steal a car, and it’s very unlikely it’s ever happened. On a modern car with proper rolling-code security, it’s not meaningfully possible to use the Flipper Zero for the theft. The two primary ways criminals actually steal cars are with dedicated keyfob repeaters and CAN bus hackers.

There is a petition to sign, and for Canadians, Flipper suggests contacting your local member of parliament.

You Should Be Allowed To Fix McDonald’s Ice Cream Machines, Say Federal Regulators

Editor’s Note: According to our infallible record keeping, this is the 50,000th post published on Hackaday! We weren’t sure this was the kind of milestone that required any drawn out navel-gazing on our part, but it does seem significant enough to point out. We didn’t pick any specific post to go out in this slot, but the fact that it ended up being a story about the right to repair ice cream machines seems suitably hacky for the occasion.

The McDonald’s ice cream machine is one of the great marvels of the modern world. It’s a key part of our heavily-mechanized industrial economy, and it’s also known for breaking down as often as an old Italian automobile. It’s apparently illegal to repair the machines unless you’re doing so with the authority of Taylor, the manufacturer. However, as reported by The Verge, The FTC and DOJ may soon have something to say about that.

Things are coming to a head as the Copyright Office contemplates whether to carve out new exemptions in the Digital Millennium Copyright Act. The legislation is widely reviled for making it illegal to circumvent copy protection, an act that is often required to maintain or repair certain equipment. As a result, customers are often locked into paying the original manufacturer to fix things for them.

Both the FTC and DOJ have filed a comment with the Copyright Office on the matter. The language will warm the cockles of your heart if you’re backing the right-to-repair movement.

Changes in technology and the more prevalent use of software have created fresh opportunities for manufacturers to limit Americans’ ability to repair their own products. Manufacturers of software-enabled devices and vehicles frequently use a range of restrictive practices to cut off the ability to do a “DIY” or third-party repair, such as limiting the availability of parts and tools, imposing software “locks,” such as TPMs, on equipment that prevent third-party repairers from accessing the product, imposing restrictions on warranties, and using product designs that make independent repairs less available.

The agencies want new exceptions to Section 1201 of the DMCA to allow repair of “industrial and commercial equipment.” That would make it legal to tinker with McDonald’s ice cream machines, whoever you are. The hope is this would occur along with a renewal of exceptions for “computer programs that control devices designed primarily for use by consumers and computer programs that control motorized land vehicles, marine vessels, and mechanized agricultural vehicles.”

Brush up on the finer details of icecreamgate in our previous coverage. This could be a grand time for change. Enough is enough— McDonald’s ice cream machines have been down for too long! Video after the break.


Artist rendition of the Chandra telescope system in deep space. (Credit: NASA / James Vaughn)

The Chandra X-Ray Observatory Faces Shutdown In FY2025 Budget

The Chandra X-ray Observatory started its mission back in 1999 when Space Shuttle Columbia released it from its payload bay. Originally, it was supposed to serve only a five-year mission, but it has managed twenty-four years so far and counting, providing invaluable science along with the other Great Observatory: the Hubble Space Telescope. Unfortunately, NASA’s FY2025 budget now looks to threaten all space telescopes and Chandra in particular. This comes as part of the larger FY2025 US budget, which sees total funding for NASA increase by 2%, but not enough to prevent cuts in NASA’s space telescope operations.

NASA already anticipated this cut in 2023, with funding shifting to the Nancy Grace Roman Space Telescope (infrared spectrum, scheduled for 2027). Since Hubble is a joint operation with ESA, any shortfalls might be caught this way, but Chandra’s budget will go from 68.3M USD in FY2023 to 41.4M USD in FY2025 and from there plummeting to 5.2M USD by FY2029, effectively winding down the project and ending NASA’s flagship X-ray astronomy mission. This doesn’t sit well with everyone, with a website called Save Chandra now launched to petition the US government to save the observatory, noting that it still has a decade of fuel for its thrusters remaining and it also has stable mission costs.


NASA Engineers Poke Voyager 1 And Receive Memory Dump

For months, there has been a rising fear that we may have to say farewell to the Voyager 1 spacecraft after it began to send back garbled data. Now, in a sudden twist, Voyager 1 sent back a read-out of the Flight Data Subsystem (FDS) memory after a “poke” command, which gives some hope that the spacecraft is in a better condition than feared while also allowing engineers to dig through the returned memory read-out for clues. Although this data was not sent in the format that the FDS is supposed to use when it’s working correctly, it’s nevertheless readable.

It was previously suspected that the issue lay with the telemetry modulation unit (TMU), but it has since been nailed down to the FDS itself. This comes after NASA engineers have been updating the firmware on both spacecraft to extend their lifespan, but it’s too early to consider this as a possible reason. Now, as a result of the “poke” instruction – which commands the computer to try different sequences in its firmware in case part of it has been corrupted – engineers can compare the returned read-out to previous downloads to hopefully figure out the cause behind the FDS problems and a possible solution.

Inspired by this news of the decoded memory download, Nadia Drake – daughter of Frank Drake – wrote about how it affects not only the engineers who have worked on the Voyager mission for the past decades but also her own thoughts about the two Voyager spacecraft. Not only do they form a lasting reminder of her father and so many of his colleagues, but the silence that would follow if we can no longer communicate with these spacecraft would be profound. Still, this new hope is better than the earlier news about this plucky little spaceship.

Thanks to [Mark Stevens] for the tip.

This Week In Security: Apple Backdoors Curl, Tor’s New Bridge, And GhostRace

OK, that headline is a bit of a cheap shot. But if you run the curl binary that Apple ships, you’re in for a surprise if you happen to use the --cacert flag. That flag specifies that TLS verification is only to be done using the certificate file specified. That’s useful to solve certificate mysteries, or to make absolutely sure that you’re connecting to the server you expect.

What’s weird here is that on macOS, using the Apple provided curl binary, --cacert doesn’t limit the program to the single certificate file. On an Apple system, the verification falls back to the system’s certificate store. This is an intentional choice by Apple, but not one that’s aimed particularly at curl. The real magic is in Apple’s SSL library, which forces the use of the system keychain.

The current state of things is that this option is simply not going to do the right thing in the Apple provided binary. It’s documented with the note that “this option is supported for backward compatibility with other SSL engines, but it should not be set.” It’s an unfortunate situation, and we’re hopeful that a workaround can be found to restore the documented function of this option.