This Week In Security: Broken Shims, LassPass, And Toothbrushes?

Linux has a shim problem. Which naturally leads to a reasonable question: What’s a shim, and why do we need it? The answer: Making Linux work with Secure Boot, and an unintended quirk of the GPLv3.

Secure Boot is the verification scheme in modern machines that guarantees that only a trusted OS can boot. When Secure Boot was first introduced, many Linux fans suggested it was little more than an attempt to keep Linux distros off of consumers’ machines. That fear seems to have been unwarranted, as Microsoft has dutifully kept the Linux Shim signed, so we can all run Linux distros on our Secure Boot machines.

So the shim. It’s essentially a first-stage bootloader, that can boot a signed GRUB2 or other target. You might ask, why can’t we just ask Microsoft to sign GRUB2 directly? And that’s where the GPLv3 comes in. That license has an “anti-tivoization” section, which specifies “Installation Information” as part of what must be provided as part of GPLv3 compliance. And Microsoft’s legal team understands that requirement to apply even to this signing process. And it would totally defeat the point of Secure Boot to release the keys, so no GPLv3 code gets signed. Instead, we get the shim.

Now that we understand the shim, let’s cover how it’s broken. The most serious vulnerability is a buffer overflow in the HTTP file transfer code. The buffer is allocated based on the size in the HTTP header, but a malicious HTTP server can set that value incorrectly, and the shim code would happily write the real HTTP contents past the end of that buffer, leading to arbitrary code execution. You might ask, why in the world does the shim have HTTP code in it at all? The simple answer is to support UEFI HTTP Boot, a replacement for PXE boot.

The good news is that this vulnerability can only be triggered when using HTTP boot, and only by connecting to a malicious server or via a man-in-the-middle attack. With this in mind, it’s odd that this vulnerability is rated a 9.8. Specifically, it seems incorrect that this bug is rated as low complexity, or as having a general network attack vector. In Red Hat’s own write-up of the vulnerability, they argue that the exploitation is high complexity, and is only possible from an adjacent network. There were a handful of lesser vulnerabilities found, and these were all fixed with shim 15.8.
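As an added illustration of the bug class described above (constructed here, not shim’s code): the download buffer is sized from the HTTP Content-Length header, and the fix is to bound every body write by that size rather than trusting the server to send what it declared. The struct, function names and return codes are assumptions for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of an HTTP-boot download, not shim's code. The buffer is
 * allocated from Content-Length; body chunks then arrive from the network.
 * The vulnerable shape copies each chunk without comparing against that size:
 *     memcpy(d->data + d->len, chunk, n); d->len += n;   // trusts the server
 * The hardened receive below bounds every write by the remaining capacity. */
typedef struct {
    uint8_t *data;
    size_t   cap;   /* bytes allocated, taken from the Content-Length header */
    size_t   len;   /* bytes actually received so far */
} download_t;

/* Returns 0 on success, -1 if this chunk would run past the buffer. */
int recv_body_checked(download_t *d, const uint8_t *chunk, size_t n)
{
    if (n > d->cap - d->len)
        return -1;                      /* server sent more than it declared */
    memcpy(d->data + d->len, chunk, n);
    d->len += n;
    return 0;
}

/* Feed a constructed body of body_len bytes, chunk_sz at a time, into a buffer
 * sized from a declared Content-Length. Returns 0 when the body fits exactly,
 * -1 when the server declared less than it sent (overflow attempt rejected),
 * -2 when it sent less than declared (truncated download), -3 on bad args. */
int simulate_download(size_t content_length, size_t body_len, size_t chunk_sz)
{
    uint8_t chunk[64];                  /* constructed payload bytes, all 0x41 */
    if (chunk_sz == 0 || chunk_sz > sizeof chunk) return -3;
    download_t d = { malloc(content_length ? content_length : 1), content_length, 0 };
    if (!d.data) return -3;
    int rc = 0;
    for (size_t off = 0; off < body_len && rc == 0; off += chunk_sz) {
        size_t n = body_len - off < chunk_sz ? body_len - off : chunk_sz;
        memset(chunk, 0x41, n);
        rc = recv_body_checked(&d, chunk, n);
    }
    if (rc == 0 && d.len != d.cap) rc = -2;
    free(d.data);
    return rc;
}
```

Reporting a short body as an error matters too: a bootloader that silently accepts a truncated image is the other half of the same trust problem.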

Flipped Bit Could Mark The End Of Voyager 1’s Interstellar Mission

Sometimes it’s hard to read the tea leaves of what’s going on with high-profile space missions. Weighted down as they are with the need to be careful with taxpayer money and having so much national prestige on the line, space agencies are usually pretty cagey about what’s going on up there. But when project managers talk about needing a “miracle” to continue a project, you know things have gotten serious.

And so things now sit with Voyager 1, humanity’s most distant scientific outpost, currently careening away from Mother Earth at 17 kilometers every second and unable to transmit useful scientific or engineering data back to us across nearly a light-day of space. The problem with the 46-year-old spacecraft cropped up back in November, when Voyager started sending gibberish back to Earth. NASA publicly discussed the problem in December, initially blaming it on the telemetry modulation unit (TMU) that packages data from the remaining operable scientific instruments along with engineering data for transmission back to Earth. It appeared at the time that the TMU was not properly communicating with the flight data system (FDS), the main flight computer aboard the spacecraft.

Since then, flight controllers have determined that the problem lies within the one remaining FDS on board (the backup FDS failed back in 1981), most likely thanks to a single bit of corrupted memory. The Deep Space Network is still receiving carrier signals from Voyager, meaning its 3.7-meter high-gain antenna is still pointing back at Earth, so that’s encouraging. But with the corrupt memory, they’ve got no engineering data from the spacecraft to confirm their hypothesis.

The team has tried rebooting the FDS, to no avail. They’re currently evaluating a plan to send commands to put the spacecraft into a flight mode last used during its planetary fly-bys, in the hope that will yield some clues about where the memory is corrupted, if indeed it is. But without a simulator to test the changes, and with most of the engineers who originally built the spacecraft long gone now, the team is treading very carefully.

Voyager 1 is long past warranty, of course, and with an unparalleled record of discovery, it doesn’t owe us anything at this point. But we’re not quite ready to see it slip into its long interstellar sleep, and we wish the team good luck while it works through the issue.

3D Printed Pelvis And Femur Implants For Bone Cancer Treatment

On December 22nd of 2023, a Vietnamese patient underwent hours-long surgery in order to remove part of his pelvis and femur, as per the usual treatment for bone cancer. What was special here was that the bone was replaced with 3D-printed replicas, to restore the shape and function of the parts that were removed. A long time before this surgery, [Mr. Le Dinh Thuan] was diagnosed with lung cancer, for which he received surgery. Yet not long after this surgery, sudden hip pain revealed that the cancer had spread to one hip joint, which is quite uncommon but requires that the affected bone be removed. This replacement with a prosthetic was a first for cancer treatments in Vietnam.

Give Your Projects A Retro Tint With This 8051-based Arduino Uno

Most of us are familiar with the Arduino Uno, a starting place for electronics projects since 2010. But what if the Arduino Uno was released in 1980? You’d probably get something like [ElectroBoy]’s 8051-based Arduino Uno.

[Image: 28-pin DIP integrated circuit with a window revealing the die. Close-up shot of the 87C752, an 8051 with EPROM.]

The Arduino Uno-compatible board has an MCS-51 (more commonly called an 8051) instead of the usual ATmega328P/ATmega168. Specifically, [ElectroBoy] uses the AT89S52. Like the ATmega microcontrollers, the AT89S52 has an 8-bit CPU with a Harvard architecture and very similar GPIO capabilities. Unlike the ATmega, however, the original MCS-51 has a CISC CPU (as opposed to the ATmega’s RISC) and a release date about 36 years earlier.

The board itself also has some differences from the original Arduino Uno. First of all, it has a USB type-C port, which is definitely a bonus. Secondly, it’s simpler: No USB-UART (which also means no USB programming), a different pin layout (Arduino shields likely won’t fit) and more I/Os than the ATmegas have. Sure, it’s not as practical as an actual Arduino Uno, but it’s definitely cool for our retrocomputing nerds.

Hackaday Europe 2024 Is On, And We Want You!

Hackaday Europe is on again for 2024, and we couldn’t be more excited! If you’re a European hacker, and have always wanted to join us up for Supercon in the states, here’s your chance to do so without having to set sail across the oceans. It’s great to be able to get together with our continental crew.

Just like last time, we’ll be meeting up in Berlin at Motionlab, Bouchestrasse 12 for a weekend of talks and workshops. On paper, the event runs April 13th and 14th, but if you’re in town on Friday the 12th, we’ll be going out for drinks and socializing beforehand. Saturday starts up at 9 AM and is going to be full of presentations, with food throughout and our own mix of hacking and music running until 2 AM. Sunday starts up a little bit later with brunch and as many lightning talks as we can fit into the afternoon.

And as always, we want you to bring a project or two along to show and tell. Half the fun of an event like this, where everyone is on the same wavelength, is the mutual inspiration that lurks in nearly every random conversation. It’s like Hackaday, but in real life!

So without further ado: get your tickets right here! We have a limited number of early-bird tickets at $70, and then the remainder will go on sale for $142 (plus whatever fees).

Call for Participation

So who is going to be speaking at Hackaday Europe? You could be! We’re also opening up the Call for Participation right now, both for talks and for workshops. Whether you’ve presented your work live before or not, you’re not likely to find a more appreciative audience for epic hacks, creative constructions, or your own tales of hardware, firmware, or software derring-do.

Workshop space is limited, but if you want to teach a group of ten or so people your favorite techniques or build up a swarm of small robots, we’d love to hear from you.

All presenters get in free, of course, and we’ll give you an early-bird price even if we can’t fit you into the schedule. So firm up what you’d like to share, and get your proposal in before Feb 22.

The Badge

Part of the fun of an event like this is sharing what you’re working on with a rare like-minded crowd. True story: we came into last year’s Hackaday Berlin event with a raw idea for our own Superconference badge, that we needed to have done by November. Talks with [Schneider] about the lovely badge for the Chaos Communications Camp inspired us to use those sweet round screens, and a chat with [Stefan Holzapfel] convinced us of the possibility to run an audio DAC at DC.

So it’s fitting that we’ll be bringing the Vectorscope badge to Berlin, with some new graphics of course. If you didn’t catch it at Supercon, it’s an emulation of an old-timey X-Y mode oscilloscope, with a DAC to drive it implemented in software. Folks had a great time hacking it at Supercon, and you will too. It’s analog, it’s digital, and it’s got room for a lot of art. We’d love to see what you bring to it!

Thanks and See You Soon!

Of course, we can’t put on an event like this without help from our fantastic sponsors, so we’d like to say thanks to DigiKey for sponsoring not only the stateside Superconference, but also Hackaday Europe 2024. And as always, thanks to Supplyframe for making it all possible.

April is coming up fast, so get your proposals in and order your tickets now! We can’t wait to see you all.

Will There Be Any Pi Left For Us?

Our world has been abuzz with the news that Raspberry Pi are to float on the London Stock Exchange. It seems an obvious move for a successful and ambitious company, and as they seem to be in transition from a maker of small computers into a maker of chips which happen to also go on their small computers, they will no doubt be using the float to generate the required investment to complete that process.

New Silicon Needs Lots Of Cash

[Image: An RP1 chip on a Raspberry Pi 5. The most important product Raspberry Pi have ever made.]

When a tech startup with immense goodwill grows in this way, there’s always a worry that it could mark the start of the decline. You might for instance be concerned that a floated Raspberry Pi could bring in financial whiz-kids who let the hobbyist products wither on the vine as they license the brand here and there and perform all sorts of financial trickery in search of shareholder value and not much else. Fortunately we don’t think that this will be the case, and Eben Upton has gone to great lengths to reassure the world that his diminutive computers are safe. That is however not to say that there might be pitfalls ahead from a hobbyist Pi customer perspective, so it’s worth examining what this could mean.

As we remarked last year, the move into silicon is probably the most important part of the Pi strategy for the 2020s. The RP2040 microcontroller was the right chip with the right inventory to do well from the pandemic shortages, and on the SBCs the RP1 all-in-one peripheral gives them independence from a CPU house such as Broadcom. It’s not a difficult prediction that they will proceed further into silicon, and it wouldn’t surprise us to see a future RP chip containing a fully-fledged SoC and GPU. Compared to their many competitors who rely on phone and tablet SoCs, this would give the Pi boards a crucial edge in terms of supply chain, and control over the software.


This Week In Security: Glibc, Ivanti, Jenkins, And Runc

There’s a fun buffer overflow problem in the Glibc __vsyslog_internal() function. This one’s a real rollercoaster, because logging vulnerabilities are always scary, but at a first look, it seems nearly impossible to exploit. The vulnerability relies on a very long program name, which can overflow an internal buffer. No binaries are going to have a name longer than 1024 bytes, so there’s no problem, right?

Let’s talk about argv. That’s the list of arguments that gets passed into the main() function of every Linux binary when it launches. The first string in that list is the binary name — except that’s a convention, and not particularly enforced anywhere. What really happens is that the execve() system call sets that list of strings. The first argument can be anything, making this an attacker-controlled value. And it doesn’t matter what the program is trying to write to the log, because the vulnerability triggers simply by writing the process name to a buffer.

There is a one-liner to test for a vulnerable Glibc:

exec -a "`printf '%0128000x' 1`" /usr/bin/su < /dev/null

and the Qualys write-up indicates that it can be used for an escalation of privilege attack. The good news is this seems to be a local-only attack. And on top of that, a pair of other lesser severity issues were found and fixed in glibc while fixing this one.
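An added example (constructed, not glibc’s code) of the length discipline that closes this class of bug: the formatted line is measured once, the buffer is sized from that single measurement, and the second pass must agree with the first. The helper builds an ident of the same shape as the one-liner’s 128000-character argv[0]; the function names and the pid value are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration, not glibc's __vsyslog_internal(). Format
 * "ident[pid]: msg" (the syslog(3) line shape) into a heap buffer whose size
 * comes from one snprintf measurement. Because the ident is argv[0], it is
 * attacker-sized, so no fixed-size buffer may ever be assumed to hold it.
 * Returns a string the caller frees, or NULL on error. */
char *format_log_line(const char *ident, long pid, const char *msg)
{
    int need = snprintf(NULL, 0, "%s[%ld]: %s", ident, pid, msg);
    if (need < 0) return NULL;
    size_t cap = (size_t)need + 1;
    char *buf = malloc(cap);
    if (!buf) return NULL;
    int wrote = snprintf(buf, cap, "%s[%ld]: %s", ident, pid, msg);
    if (wrote != need) { free(buf); return NULL; }  /* measurement mismatch */
    return buf;
}

/* Build an ident shaped like the page's one-liner: printf '%0128000x' 1 yields
 * n-1 zeros followed by a '1'. Returns a string the caller frees, or NULL. */
char *make_long_ident(size_t n)
{
    char *s = n ? malloc(n + 1) : NULL;
    if (!s) return NULL;
    memset(s, '0', n);
    s[n - 1] = '1';
    s[n] = '\0';
    return s;
}

/* Length of the formatted line for an n-character ident, or -1 on failure.
 * The pid (4242) and message are constructed values. */
long formatted_len_for_ident(size_t n)
{
    char *ident = make_long_ident(n);
    if (!ident) return -1;
    char *line = format_log_line(ident, 4242, "session opened");
    long len = line ? (long)strlen(line) : -1;
    free(line);
    free(ident);
    return len;
}

int main(void)
{
    printf("line length for a 128000-char ident: %ld\n", formatted_len_for_ident(128000));
    return 0;
}
```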