This Week In Security: Bitwarden, Reverse RDP, And Snake

This week, we finally get the inside scoops on some old stories, starting with the Bitwarden Windows Hello problem from last year. You may remember, Bitwarden has an option to use Windows Hello as a vault unlock option. Unfortunately, the Windows credential API doesn’t actually encrypt credentials in a way that requires an additional Windows Hello verification to unlock. So a derived key gets stored to the credential manager, and can be retrieved through a simple API call. No additional biometrics needed. Even with the Bitwarden vault locked and application closed.

There’s another danger, one that doesn’t even require access to the logged-in machine. On a machine that is joined to a domain, Windows backs up those encryption keys to the Domain Controller. The encrypted vault itself is available on a domain machine over SMB by default. A compromised domain controller could snag a Bitwarden vault without ever running code on the target machine. The good news is that this particular problem with Bitwarden and Windows Hello is now fixed, and has been since version 2023.10.1.

Reverse RDP Exploitation

We normally think about the Remote Desktop Protocol as dangerous to expose to the internet. And it is. Don’t put your RDP service online. But reverse RDP is the idea that it might also be dangerous to connect an RDP client to a malicious server. And of course, multiple RDP implementations have this problem. There’s rdesktop, FreeRDP, and Microsoft’s own mstsc that all have vulnerabilities relating to reverse RDP.

The technical details here aren’t terribly interesting. It’s all variations on the theme of not properly checking remote data from the server, and hence either reading or writing past internal buffers. This results in various forms of information leaks and code execution problems. What’s interesting is the different responses to the findings, and then [Eyal Itkin]’s takeaway about how security researchers should approach vulnerability disclosure.

So first up, Microsoft dismissed a vulnerability as unworthy of servicing. It then proceeded to research it internally, and presented it as a novel attack without properly attributing [Eyal] for the original find. rdesktop contained quite a few of these issues, but its maintainers were able to fix the problem in a handful of months. FreeRDP fixed some issues right away, in what could be described as a whack-a-mole style process, but a patch was cooked up that would actually address the problem at a deeper level: changing an API value from the unsigned size_t to a signed ssize_t. That change took a whopping 2 years to actually make it out to the world in a release. Why so long?

Spying On The ESP32’s GPIO

The ESP32 has been a go-to microcontroller platform for a while now, thanks to its versatile capabilities, integrated Wi-Fi and Bluetooth connectivity, and low power consumption. It’s ideal for a wide range of projects especially those revolving around IoT, partially because of all of the libraries and tools available for it now. The latest tool from [The Last Outpost Workshop] adds a feature we didn’t know we wanted until now: a webserver showing real-time updates of what all of the GPIO pins are doing.

The live GPIO pin monitoring library sets up the ESP32 to stream information about what all of the pins are doing in real time to a webserver, which displays the information as a helpful graphic. The demonstration in the video below shows an example of troubleshooting a situation where the code is correct but there’s a mistake in the wiring, helping to quickly identify the problem and hopefully eliminating a wild goose chase for a bug in the software. The library can be quickly installed using the Arduino IDE and only requires the use of one other library and a few lines of code to get everything up and running.

As far as a debugging tool goes, something like this could save a lot of us a significant amount of time, especially with how easy it is to set up. A real-time look into the pins and their behavior, including those set up for PWM, is invaluable for plenty of situations. Of course if you’re building something like a real-time operating system that needs responses within a very specific interval you may want to look at more in-depth strategies for probing the GPIO.

Thanks to [Bob] for the tip!


Edgar Thomson Steel Works in the mid-1990s (Credit: David Rochberg - Own work, CC BY 2.5)

How US Steel Changed From World-Leading To Industry-Trailing

It was recently announced that US Steel will be acquired by Tokyo-based Nippon Steel for a measly $14.1 billion, ending the 122-year history of a former US industrial powerhouse. Yet what happened to degrade what was once the number one steel maker in the world, upon its formation out of two existing industrial giants in 1901, into a has-been? This is the topic that [Brian Potter] dives into in a recent article.

Most of the how and why can be condensed into a simple reluctance to follow industry innovations, often passing on new technologies. This went well until the post-WWII era, when foreign competition began to heat up, with this competition more than happy to embrace whatever new steel making technologies became available. Case in point was the replacement of open hearth furnaces with basic oxygen furnaces by the early 1950s, which US Steel only began to adopt in the 1960s. These were then themselves largely replaced by contemporary electric arc furnaces, in a constant renewal process that US Steel failed to adapt to, unlike its more nimble competitors.

By the early 1980s US Steel’s US market share had already dropped to around 20% as Japanese steel makers in particular were eating its lunch. As US Steel and other US steel makers kept falling behind the competition, shedding plants and workers in an attempt to stay profitable, it should come as no surprise that this would be US Steel’s ultimate fate.


Gentoo Linux, Now A Bit Less For The 1337

Among users of Linux distributions there’s a curious one-upmanship, depending on how esoteric or hardcore your distro is. Ubuntu users have little shame, while at the other end if you followed Linux From Scratch or better still hand-compiled the code and carved it onto the raw silicon with a tiny chisel, you’re at the top of the tree*. Jokes aside though, it’s fair to say that if you were running the Gentoo distribution you were something of a hardcore user, because its source-only nature meant that everything had to be compiled to your liking. We’re using the past tense here though, because in a surprise announcement, the distro has revealed that it will henceforth also be available as a set of precompiled binary packages.

There may be readers with long and flowing neckbeards who will decry this moment as the Beginning of the End, but while it does signal a major departure for the distro, if it means that more people are spurred to take their Linux usage further and experiment with Gentoo, this can never be a bad thing. Gentoo has been on the list for a future Jenny’s Daily Drivers OS review piece, and while we’re probably going to stick with source-only when we do it, it’s undeniable that there will remain a temptation to simply download the binaries.

Meanwhile this has been written on a machine running Manjaro, or Arch-for-cowards as we like to call it, something that maybe confers middle-ranking bragging rights. Read a personal tale of taking off those Linux training wheels.

* Used a magnifying glass? You’re just not cutting it!

This Week In Security: Triangulation, ProxyCommand, And Barracuda

It’s not every day we get to take a good look inside a high-level exploit chain developed by an unnamed APT from the western world. But thanks to some particularly dedicated researchers at Kaspersky, which just happens to be headquartered in Moscow, that’s exactly what we have today. The name Operation Triangulation was picked based on part of the device fingerprinting code that rendered a yellow triangle on an HTML canvas.

The entire talk is available, given this week at the 37th Chaos Communication Congress, 37c3. The exploit starts with an iMessage attachment, delivered silently, that exploits an undocumented TrueType font instruction. Looking at the source code implies that it was a copy-paste error where a programmer didn’t quite get the logic right for a pointer calculation. That vulnerability gives a memory write primitive that pivots into code execution. What’s particularly interesting is that Apple silently fixed this bug in January 2023, and didn’t make any public statements. Presumably there was an uptick of crash logs that pointed to this problem, but didn’t conclusively show attempted exploitation.

The exploit then moves to using NSExpression as a next stage. NSExpression is an ugly way to write code, but it does allow the exploit chain to get to the next stage, running JavaScript as an application, without Just In Time compilation. The JS payload is quite a beast, weighing in at 11,000 lines of obfuscated code. It manages to call native APIs directly from JS, which then sets up a kernel exploit. This uses multiple integer overflow flaws that result in essentially arbitrary system memory reads and writes.

Paged Out! Releases Long-Awaited Third Issue

We’re happy to pass along word that Paged Out! has finally released Issue #3. This online zine covers a wide array of technical topics, from software development to hardware hacking, computer security, and electronics.

It’s distributed as a PDF, and is notable for its somewhat experimental format that limits each article to a single page. The first two issues were released back in 2019, but between a global pandemic and some administrative shuffling, progress on the current release was slowed considerably.

Among the 50 articles that make up the third Paged Out! there are a number of pieces focusing on hardware, such as the serial communications “cheat sheet” from [Jay Greco], and a pair of articles covering the state-of-the-art in custom keyboards. But overall the zine does lean hard into programming topics, and is probably best suited for those with an interest in software development and infosec.

Still, the line between hardware and software is getting blurrier all the time, so we’re sure you can find something in Paged Out! that should interest you no matter which side of the fence you’re on. Here’s hoping the time between releases can be reduced a bit for Issue #4.

Veteran SpaceX Booster Lost Due To Rough Seas

With the notable exception of the now retired Space Shuttle orbiters, essentially every object humanity ever shot into space has been single-use only. But since December of 2015, SpaceX has been landing and refurbishing their Falcon 9 boosters, with the end goal of operating their rockets more like cargo aircraft. Today, while it might go unnoticed to those who aren’t closely following the space industry, the bulk of the company’s launches are performed with boosters that have already completed multiple flights.

This reuse campaign has been so successful these last few years that the recent announcement that the company had lost B1058 came as quite a surprise. The 41 meter (134 foot) tall booster had just completed its 19th flight on December 23rd, and had made what appeared to be a perfect landing on the drone ship Just Read the Instructions. But sometime after the live stream ended, SpaceX says high winds and powerful waves caused the booster to topple over.
