This Week In Security: QueueJumper, JS VM2 Escape, And CAN Hacking

You may not be familiar with the Microsoft Message Queuing (MSMQ) service, a store-and-forward inter-process and inter-system communication service. MSMQ has become something of a legacy product, but is still available as an optional component in Windows. And in addition to other enterprise software solutions, Microsoft Exchange turns the service on by default. That’s why it’s a bit spooky that there’s a one-packet Remote Code Execution (RCE) vulnerability that was just patched in the service.

CVE-2023-21554, also known as QueueJumper, is this unauthenticated RCE with a CVSS score of 9.8. It requires sending a packet to the service on TCP port 1801. The Check Point Research team scanned for listening MSMQ endpoints on the public Internet, and found approximately 360,000 of them. And no doubt far more are listening on internal networks. A one-packet exploit is a prime example of a wormable problem, and now that the story has broken and the patch is available, expect the patch to be reverse engineered quickly. Beware, the queue jumpers are coming.

JavaScript VM Escape

The VM2 library is a rather important JavaScript package that sandboxes code, letting a project run untrusted code securely. Or, that’s the idea. CVE-2023-29017 is an example of how hard sandboxing is to get right. It’s another CVSS 9.8 vulnerability, and this one allows a sandbox escape and code execution.

This one now has public Proof of Concept code, and the package has over 16 million monthly installs, so the attack surface is potentially pretty wide. The flaw is fixed in version 3.9.15.

Congratulations Low-Power Winners

Congratulations to the winners of the 2023 Hackaday.io Low Power Contest! We challenged you to show us how much you could do with how little, and you did not disappoint. Our judges have put their heads together, and thanks to Digi-Key, our contest sponsor, the top three entries will be taking home a $150 gift certificate for yet more hacking supplies.

We saw a great diversity of ideas here, all on the low-power theme. So without further ado…

The Prize Winners

[Christoph]’s Ultra Low Power RF-Sensor arose out of necessity. Having just repaired a shower drain, he couldn’t be sure that it wouldn’t start leaking again at some point in the future, but couldn’t go ripping up the floor under the shower tray every week to check. He needed a remote moisture sensor that would do the job for a long time with no intervention.

This superb solution combines an Atmel ATmega328P, an HDC1080 humidity sensor, a 433 MHz radio transmitter, and an RTC to keep power consumption super-low when everything else is shut down. Idling at 600 nA total most of the time, taking a reading every 15 minutes, this device should last for 12 years, and it’s been installed and running for five so far, so we’d say that it’s already proven itself very worthy of taking home the prize here.

[BleakyTex]’s Compact, low-power Geiger counter is absolutely the lowest power Geiger counter we’ve ever seen and maybe also the cutest. With the ambitious goal of running up to two years on two tiny LR44 batteries and a proven runtime of about six months by now, this is the radiation detector you can take with you every day, should you need to. The key is a custom HV section designed for efficiency, and the screen: even today, it’s still hard to beat the low power consumption of the humble LCD. All this, and it still makes those satisfying clicks when they’re enabled. [BleakyTex] says he might make a kit from this, and we absolutely hope he does!

[mircemk]’s Microwatt Pulse Motor took one of our suggestions in the announcement of the contest and ran with it. This eight-pole handmade electric motor doesn’t actually do anything other than spin, but it does that when hooked up to a literal potato. Pulling around 40 mA at 600 mV, it can easily run on solar power with enough power left over to charge up a battery for when the sun doesn’t shine. All of this is made with extremely simple circuitry and parts scavenged from old relays with a sewing needle held up by a magnet for the bearing. This is pure ingenuity and a sweet low-power demo.


This Week In Security: Cookie Monster, CyberGhost, NEXX, And Dead Angles

“Operation Cookie Monster” ranks as one of the best code names in recent memory. And it’s apropos, given what exactly went down. Genesis Market was one of those marketplaces where criminals could buy and sell stolen credentials. This one was a bit extra special.

Websites and services are getting better about detecting logins from unexpected computers. Your Google account suddenly logs in from a new computer, and a two-factor authentication challenge launches. Why? Your browser is missing a cookie indicating you’ve logged in before. But there’s more. Providers have started rolling out smart analytics that check for IP address changes and browser fingerprints. Your mix of time zone, user-agent string, installed fonts, and selected language makes a pretty unique identifier. So sites like Genesis offer Impersonation-as-a-Service (IMPaaS), which is session hijacking for the modern age.

A victim computer gets owned, and credentials are collected. But so are cookies and a browser fingerprint. Then a criminal buyer logs in, and runs a virtual browser with all that collected data. Run through a proxy to get an IP that is geolocated close enough to the victim, and Mr. Bad Guy has a cloned machine with all accounts intact.

And now back to Operation Cookie Monster, a multi-organization takedown of Genesis. It’s apparently a partial takedown, as the latest word is that the site is still online on the Tor network. But the conventional domains are down, and something like eight million credentials have been captured and added to the Have I Been Pwned database.

Another researcher team, Sector 7, has been working the case with Dutch authorities, and has some interesting details. The vector they cover was a fake activation crack for an antivirus product. Ironic. There are several extensions that get installed on the victim computer, and one of the most pernicious is disguised as Google Drive. This extension looks for a Command and Control server, using Bitcoin as DNS. A hardcoded Bitcoin address is polled for its latest transaction, and the receiving address is actually an encoded domain name, you-rabbit[.]com as of the latest check.

This extension will look for and rewrite emails that might be warning the victim about compromise. Get an email warning about a cryptocurrency withdrawal? It modifies it in the browser to be a sign-in warning. It also allows Genesis customers to proxy connections through the victim’s browser, bypassing IP address security measures.

a flexible film with a matrix of illuminated color LEDs being stretched

Truly Flexible Circuits Are A Bit Of A Stretch

Flexible PCBs have become increasingly common in both commercial devices and DIY projects, but Panasonic’s new stretchable, clear substrate for electrical circuits called Beyolex takes things a step further. The material is superior to existing stretchable films like silicone, TPU, or PDMS due to its high heat tolerance (over 160 °C) for the purposes of sintering printable circuit traces.

But a flexible substrate isn’t very useful for electronics without some conductive traces. Copper and silver inks make for good electrical circuits on stretchable films, and are even solderable, but their resistance increases each time they are stretched. Recently, a team out of the University of Coimbra in Portugal has developed a liquid metal ink that can stretch without the resistance issues of existing inks, making it a promising pair with Panasonic’s substrate. There are also certain environmental benefits of printing circuits in this manner over traditional etching and even milling, as you’re only putting conductive materials where needed.

a flexible film with a strip of LEDs connected by a novel liquid metal ink circuit

After the break, check out Panasonic’s earlier videos showing some of their demo circuits, which include a stretchable NFC antenna harvesting electricity even while submerged in water and an LED matrix performing while being bent, rolled, and stretched. We’re excited to see where this technology leads and when we hackers will be able to create our own stretchable projects.

A great many flexible PCB projects have graced Hackaday, from early experiments to sophisticated flexible PCB projects. Heck, we had a whole Flexible PCB Contest with some awesome flexible projects.


Visual Ear Demonstrates How The Cochlea Works

The cochlea is key to human hearing, and it plays an important role in our understanding of complex frequency content. The Visual Ear project aims to illustrate the cochlear mechanism as an educational tool.

The cochlea itself is the part of the ear that converts the pressure waves of sound into electrical signals for the brain. Different auditory frequencies excite different parts of the cochlea. The cells in the different parts of the cochlea then send signals to the brain corresponding to the sound it has picked up.

The Visual Ear demonstrates similar behavior on a strip of addressable LEDs. Lower LEDs coded in the red part of the color spectrum respond to low frequency audio. Higher LEDs step through yellow, green, and up to blue, and respond to the higher frequencies in turn. This is achieved at a high response rate with the use of a Teensy 4.0 running a Fast Fourier Transform on incoming audio, and then outputting signals to run a string of WS2812B LEDs. The result is a visual band display of 104 bands spanning 43 Hz up to 16,744 Hz, which covers most but not all of the human range of hearing.

It’s an impressive display, and one that makes a great music visualizer, too. When teaching the physics of human hearing and the cochlea, we can imagine such a tool would be quite useful.


This Week In Security: Macstealer, 3CX Carnage, And Github’s Lost Key

There’s a naming overload here, as two bits of security news this week are using the “MacStealer” moniker. We’re first going to talk about the WiFi vulnerability, also known as Framing Frames (pdf). The WPA encryption schemes introduced pairwise encryption, ensuring that not even other authenticated users can sniff each other’s traffic. At least that’s the idea, but this attack finds a couple of techniques to bypass that protection.

A bit more background: there are a couple of ways that packets can be delayed on the sender side. One of those is the power-save message, which signals the access point that the given client is going into a low power state. “Hold my calls, I’m going to sleep.” That message is a single bit in a frame header. And notably, that bit isn’t covered by WPA encryption or integrity protection. An attacker can send a message spoofing a victim’s MAC address, and the access point marks that client as being in power-save mode.

This observation leads to a question: what happens when the encryption details change between the packet joining the queue and it actually being transmitted? Turns out, the WiFi specifications don’t spell it out, and some implementations do the last thing you’d want, like sending the packets in the clear. Whoops. This was the behavior of the Linux kernel through version 5.5.0, but starting with 5.6.0, buffered packets are simply dropped when the encryption key is unavailable.
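To make the buffering problem concrete, here is an added toy model (not code from the Framing Frames paper or from the Linux kernel) of an access point’s per-client queue: a frame is buffered while the client is flagged as asleep, the pairwise key disappears before the flush, and the `drop_when_unkeyed` switch selects between the pre-5.6 behavior and the 5.6 fix. The MAC address, key and payload are constructed values, and the one-byte XOR is a placeholder for real encryption.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class Client:
    mac: str
    key: Optional[bytes]            # pairwise key; None once the session is torn down
    power_save: bool = False
    queue: List[bytes] = field(default_factory=list)   # frames buffered while "asleep"

class AccessPoint:
    """Toy AP: drop_when_unkeyed=False models pre-5.6 kernels, True models the 5.6 fix."""
    def __init__(self, drop_when_unkeyed: bool):
        self.drop_when_unkeyed = drop_when_unkeyed
        self.clients: Dict[str, Client] = {}
        self.air: List[Tuple[str, str, bytes]] = []  # (mode, dst MAC, bytes) put on the air
    def set_power_save(self, mac: str, asleep: bool) -> None:
        # The power-save flag is one unprotected header bit, so the AP cannot tell a
        # frame from the real client apart from one carrying a spoofed source MAC.
        self.clients[mac].power_save = asleep
    def deliver(self, mac: str, frame: bytes) -> str:
        c = self.clients[mac]
        if c.power_save:
            c.queue.append(frame)   # held until the client wakes up
            return "queued"
        return self._transmit(c, frame)
    def _transmit(self, c: Client, frame: bytes) -> str:
        if c.key is None:
            if self.drop_when_unkeyed:
                return "dropped"    # 5.6 behaviour: no key, no transmission
            self.air.append(("plaintext", c.mac, frame))  # the bug: sent in the clear
            return "plaintext"
        ct = bytes(b ^ c.key[0] for b in frame)   # one-byte XOR stands in for CCMP here
        self.air.append(("encrypted", c.mac, ct))
        return "encrypted"
    def wake(self, mac: str) -> List[str]:
        c = self.clients[mac]
        c.power_save = False
        results = [self._transmit(c, f) for f in c.queue]   # flush the buffer
        c.queue.clear()
        return results

def run_scenario(drop_when_unkeyed: bool) -> List[str]:
    """Constructed sequence: buffer while 'asleep', key removed, then the queue is flushed."""
    ap, mac = AccessPoint(drop_when_unkeyed), "aa:bb:cc:dd:ee:ff"   # constructed MAC
    ap.clients[mac] = Client(mac, b"\x5a")           # associated, pairwise key installed
    ap.set_power_save(mac, True)                     # what a spoofed power-save frame causes
    ap.deliver(mac, b"secret data")                  # goes to the buffer while still keyed
    ap.clients[mac].key = None                       # session torn down before the flush
    return ap.wake(mac)                              # pre-5.6: ['plaintext'], 5.6+: ['dropped']
```

The `air` list is what a passive observer would see; with the fix, the buffered frame never appears there at all.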

Archiving The Entirety Of DPReview Before It’s Gone

Despite the popular adage about everything on the internet being there forever, every day pages of information and sometimes entire websites are lost to the sands of time. With the imminent shutdown of the DPReview website, nearly 25 years of reviews and specifications of cameras and related content are at risk of vanishing. Also lost will be the content of forum posts, which can still be requested from DPReview staff until April 6th. All because the owner of the site, Amazon, is looking to cut costs.

As announced on r/photography, the Archive.org team is busy trying to download as much of the site as possible, but due to bottlenecks may not finish in time. One way around these bottlenecks is what is called the Archive Team Warrior, which involves either a virtual machine or a Docker image that runs on distributed systems. In early April an archiving run using these distributed systems is planned, in a last-ditch attempt to retain as much of the decades of content as possible.

The archived content will be made available in the WARC (Web ARChive) format, in order to retain as much information as possible, including metadata and different versions of content.