We’ve been following the open, royalty-free RISC-V ISA for a while. At first we read the specs, and then we saw RISC-V cores in microcontrollers, but now there’s a new board that offers enough processing power at a low enough price point to really be interesting in a single board computer. The VisionFive 2 ran a successful Kickstarter back in September 2022, and I’ve finally received a unit with 8 GB of ram. And it works! The JH7110 won’t outperform a modern desktop, or even a Raspberry Pi 4, but it’s good enough to run a desktop environment, browse the web, and test software.
And that’s sort of a big deal, because the RISC-V architecture is starting to show up in lots of places. The challenge has been getting real hardware that’s powerful enough to run Linux and compile software on, that doesn’t cost an arm and a leg. If ARM is an alternative architecture, then RISC-V is still an experimental one, and that is an issue when trying to use the VF2. That’s a theme we’ll repeat a few times, but the thing to remember here is that getting more devices in the wild is the first step to fixing things. Continue reading “The Future Of RISC-V And The VisionFive 2 Single Board Computer”→
Those who hibernate in their workshops have a habit of re-imagining their relationship to tools. And [Marius Hornberger] is no exception, but the nine upgrades he’s added to his grandfather’s old drill press puts this machine on a whole other level.
In proper storytime fashion, [Marius] steps us through each upgrade, the rationale, and the time and effort that went into crafting the solution. Some of these upgrades, like a digital readout (DRO), add modern features to an old-school device. Others, like an oil mist cooling system and a compressed air chip blower, borrow from other machines with similar setups. Some, like the chip guard, are nice personal touches. And a few, like the motorized table with automatic clamp, transform the entire operator experience. On the whole, these upgrades follow a gentle theme of personalizing the machine to [Marius’] tastes, giving him a delightful, more personal operator experience that’s tuned through his everyday use. Amid the sheer volume of tweaks though, we’re convinced that you’ll find something that tickles your tinkering fancy.
It’s worth mentioning that the pneumatic table clamp alone (at 4:28) makes the entire video worth the watch. If you’ve ever had the mishap of pinching your finger or struggling to hold the table steady while clamping it in place, this little upgrade takes all of that away, replacing the swivel handle with a homebrew pneumatic cylinder made in the shop. With a single button press, a swoosh of compressed air either clamps or releases the table. Best of all, the setup still sports a hand clamp if [Marius] is operating without a compressed air source.
It’s also worth mentioning that a couple of [Marius’] upgrades completely skip the CAD step altogether. Instead, [Marius] creates templates directly off the drill press with tracing paper and then immediately transfers them onto stock materials. It’s a nice reminder that not every small project needs to start with a 3D model.
If all these upgrades are getting you ready to modify your machine, look no further than the video description where he’s courteously posted inks to key components behind these upgrades.
Researchers at Sonar took a crack at OpenEMR, the Open Source Electronic Medical Record solution, and they found problems. Tthe first one is a classic: the installer doesn’t get removed by default, and an attacker can potentially access it. And while this isn’t quite as bad as an exposed WordPress installer, there’s a clever trick that leads to data access. An attacker can walk through the first bits of the install process, and specify a malicious SQL server. Then by manipulating the installer state, any local file can be requested and sent to the remote server.
There’s a separate set of problems that can lead to arbitrary code execution. It starts with a reflected Cross Site Scripting (XSS) attack. That’s a bit different from the normal XSS issue, where one user puts JavaScript on the user page, and every user that views the page runs the code. In this case, the malicious bit is included as a parameter in a URL, and anyone that follows the link unknowingly runs the code.
And what code would an attacker want an authenticated user to run? A file upload, of course. OpenEMR has function for authenticated users to upload files with arbitrary extensions, even .php. The upload folder is inaccessible, so it’s not exploitable by itself, but there’s another issue, a PHP file inclusion. Part of the file name is arbitrary, and is vulnerable to path traversal, but the file must end in .plugin.php. The bit of wiggle room on the file name on both sides allow for a collision in the middle. Get an authenticated user to upload the malicious PHP file, and then access it for instant profit. The fixes have been available since the end of November, in version 7.0.0-patch-2.
Bing Chat Injection
Or maybe it’s AI freedom. So, the backstory here is that the various AI chat bots are built with rules. Don’t go off into political rants, don’t commit crimes, and definitely don’t try to scam the users. One of the more entertaining tricks clever users have discovered is to tell a chatbot to emulate a personality without any such rules. ChatGPT can’t comment on political hot button issues, but when speaking as DAN, anything goes.
Arrrrr
This becomes really interesting when Bing Chat ingests a website that has targeted prompts. It’s trivial to put text on a web page that’s machine readable and invisible to the human user. This work puts instructions for the chat assistant in that hidden data, and demonstrates a jailbreak that turns Bing Chat malicious. The fun demonstration convinces the AI to talk like a pirate — and then get the user to click on an arbitrary link. The spooky demo starts out by claiming that Bing Chat is down, and the user is talking to an actual Microsoft engineer.
LastPass Details — Plex?
Last time we talked about the LastPass breach, we had to make some educated guesses about how things went down. There’s been another release of details, and it’s something. Turns out that in one of the earlier attacks, an encrypted database was stolen, and the attackers chose to directly target LastPass Engineers in an attempt to recover the encryption key.
According to Ars Technica, the attack vector was a Plex server run by one of those engineers. Maybe related, at about the same time, the Plex infrastructure was also breached, exposing usernames and hashed passwords. From this access, attackers installed a keylogger on the developer’s home machine, and captured the engineer’s master password. This allowed access to the decryption keys. There is some disagreement about whether this was/is a 0-day vulnerability in the Plex software. Maybe make sure your Plex server isn’t internet accessible, just to be safe.
There’s one more bit of bad news, particularly if you use the LastPass Single Sign On (SSO) service. That’s because the SSO secrets are generated from an XOR of two keys, K1 and K2. K1 is a single secret for every user at an organization. K2 is the per-user secret stored by Lastpass. And with this latest hack, the entire database of K2 secrets were exposed. If K1 is still secret, all is well. But K1 isn’t well protected, and is easily accessed by any user in the organization. Ouch.
The Ring Alien
Turns out, just like a certain horror movie, there is a video that the very watching causes death. If you happen to be a Pixel phone, that is. And “death” might be a bit of an exaggeration. Though the video in question certainly nails the vibe. Playing a specific YouTube clip from Alien will instantly reboot any modern Pixel phone. A stealth update seems to have fixed the issue, but it will be interesting to see if we get any more details on this story in the future. After all, when data can cause a crash, it can often cause code execution, too.
In-The-Wild
The US Cybersecurity and Infrastructure Security Agency (CISA) maintains a list of bugs that are known to be under active exploitation, and that list just recently added a set of notches. CVE-2022-36537 is the most recent, a problem in the ZK Framework. That’s an AJAX framework used in many places, notable the ConnectWise software. Joining the party are CVE-2022-47986, a flaw in IBM Aspera Faspex, a file transfer suite, and CVE-2022-41223 and CVE-2022-40765, both problems in the Mitel MiVoice Business phone system.
Bits and Bytes
There’s yet another ongoing attack against the PyPI repository, but this one mixes things up a bit by dropping a Rust executable as one stage in a chain of exploitation. The other novel element is that this attack isn’t going after typos and misspellings, but seems to be a real-life dependency confusion attack.
The reference implementation of the Trusted Platform Module 2.0 was discovered to contain some particularly serious vulnerabilities. The issue is that a booted OS could read and write two bytes beyond it’s assigned data. It’s unclear weather that’s a static two bytes, making this not particularly useful in the real world, or if these reads could be chained together, slowly leaking larger chunks of internal TPM data.
And finally, one more thing to watch out for, beware of fake authenticator apps. This one is four years old, has a five star rating, and secretly uploads your scanned QR codes to Google Analytics, exposing your secret authenticator key. Yoiks.
As Tom quipped on the podcast this week, if you have an idea for a program you’d like to write, all you have to do is look around on GitHub and you’ll find it already coded up for you. (Or StackOverflow, or…) And that’s probably pretty close to true, at least for really trivial bits of code. But it hasn’t always been thus.
I was in college in the mid 90s, and we had a lab of networked workstations that the physics majors could use. That’s where I learned Unix, and where I had the idea for the simplest program ever. It took the background screen color, in the days before wallpapers, and slowly random-walked it around in RGB space. This was set to be slow enough that anyone watching it intently wouldn’t notice, but fast enough that others occasionally walking by my terminal would see a different color every time. I assure you, dear reader, this was the very height of wit at the time.
With the late 90s came the World Wide Web and the search engine, and the world got a lot smaller. For some reason, I was looking for how to set the X terminal background color again, this time searching the Internet instead of reading up in a reference book, and I stumbled on someone who wrote nearly exactly the same random-walk background color changer. My jaw dropped! I had found my long-lost identical twin brother! Of course, I e-mailed him to let him know. He was stoked, and we shot a couple funny e-mails back and forth riffing on the bizarre coincidence, and that was that.
Can you imagine this taking place today? It’s almost boringly obvious that if you search hard enough you’ll find another monkey on another typewriter writing exactly the same sentence as you. It doesn’t even bear mentioning. Heck, that’s the fundamental principle behind Codex / CoPilot – the code that you want to write has been already written so many times that it will emerge as the most statistically likely response from a giant pattern-matching, word-word completion neural net model.
Indeed, stop me if you’ve read this before.
This article is part of the Hackaday.com newsletter, delivered every seven days for each of the last 200+ weeks. It also includes our favorite articles from the last seven days that you can see on the web version of the newsletter.
Want this type of article to hit your inbox every Friday morning? You should sign up!
Based on our investigation, we believe these incidents are part of a multi-year campaign by a sophisticated threat actor group that, among other things, installed malware on our systems and obtained pieces of code related to some services within GoDaddy.
That multi-year campaign appears to goes back to at least October 2019, when an SSH file was accessed and altered, leading to 28,000 customer SSH usernames and passwords being exposed. There was also a 2021 breach of the GoDaddy WordPress environment, that has been linked to the same group.
Reading between the lines, there may be an implication here that the attackers had an ongoing presence in GoDaddy’s internal network for that entire multi-year period — note that the quote above refers to a single campaign, and not multiple campaigns from the same actor. That would be decidedly bad.
Joomla’s Force Persuasion
Joomla has a critical vulnerability, CVE-2023-23752, which is a trivial information leak from a web endpoint. This flaw is present in all of the 4.x releases, up to 4.2.8, which contains the fix. The issue is the Rest API, which gives access to pretty much everything about a given site. It has an authentication component, of course. The bypass is to simply append ?public=true. Yes, it’s a good old “You don’t need to see his identification” force suggestion.
There’s even a PoC script that runs the request and spits out the most interesting data: the username, password, and user id contained in the data. It’s not quite as disastrous as that sounds — the API isn’t actually leaking the administrative username and password, or even password hash. It’s leaking the SQL database information. Though if your database is accessible from the Internet, then that’s pretty much as bad as it could be. Continue reading “This Week In Security: GoDaddy, Joomla, And ClamAV”→
IBM — no stranger to anyone who works in the computing field — has launched a series of training modules on a site called skillsbuild.org. The site targets high school students, college students, and adult learners and offers tracks for jobs like cybersecurity analyst, IT support technician, Web developer, and data science. Several other companies are participating, such as Red Hat and Fortinet. The cost? The courses are free and you can earn digital credentials to show you’ve completed certain classes.
Even more interesting is that they have resources for schools and other organizations that want to leverage the material for students. There is even software that educators can download at no charge for classroom use. The material is available in a variety of languages, too. For more advanced topics, there’s also Cognitive class from IBM, also free and which also provides the same sort of credentials.
Apparently, the digital credentials are far more than just an electronic diploma. Employers you select can examine the credentials and see things like exams and results along with other information to help them understand your skill level.
Even though you’re reading Hackaday and probably already have a good roster of tech skills, this could be a nice way to get some documentation of what you know. If you work with kids or even adults that need tech skills, or you just want to add some to your resume, you can’t beat the cost. If you aren’t sure, there are some sample guest classes you can try without even registering.
We live in an amazing time when you can build your own college-level education. You can even “study” at MIT and other big institutions inexpensively or for free.
Back in the days of 16-bit home computers, the one to have if your interests extended to graphics was the Commodore Amiga. It had high resolutions for the time in an impressive number of colours, and thanks to its unique video circuitry, it could produce genlocked broadcast-quality video. Here in 2023 though, it’s all a little analogue. What’s needed is digital video, and in that, [c0pperdragon] has our backs with the latest in a line of Amiga video hacks. This one takes the 12-bit parallel digital colour that would normally go to the Amiga’s DAC, and brings it out into the world through rarely-used pins on the 23-pin video connector.
This follows on from a previous [c0pperdragon] project in which a Raspberry Pi Zero was used to transform the digital video into HDMI. This isn’t a hack for the faint-hearted though, as it involves extensive modification of your treasured Amiga board.
It is of course perfectly possible to generate HDMI from an Amiga by using an external converter box from the analogue video output, of the type which can be bought for a few dollars from online vendors. What this type of hack gives over the cheap approach is low latency, something highly prized by gamers. We’re not sure we’re ready to start hacking apart our Amigas, but we can see the appeal for some enthusiasts.
