This Week In Security: Git Deep Dive, Mailchimp, And SPF

First up, git has been audited. This was an effort sponsored by the Open Source Technology Improvement Fund (OSTIF), a non-profit working to improve the security of Open Source projects. The audit itself was done by researchers from X41 and GitLab, and two critical vulnerabilities were found, both caused by the same bad coding habit — using an int to hold buffer lengths.

On modern systems, a size_t is always unsigned, and the same bit length as the architecture bit-width. This is the proper data type for string and buffer lengths, as it is guaranteed not to overflow when handling lengths up to the maximum addressable memory on the system. On the other hand, an int is usually four bytes long and signed, with a maximum value of 2^31-1, or 2147483647 — about 2 GB. A big buffer, but not an unheard amount of data. Throw something that large at git, and it will break in unexpected ways.

Our first example is CVE-2022-23521, an out of bounds write caused by an int overflowing to negative. A .gitattributes file can be committed to a repository with a modified git client, and then checking out that repository will cause the num_attrs variable to overflow. Push the overflow all the way around to a small negative number, and git will then vastly under-allocate the attributes buffer, and write all that data past the end of the allocated buffer.

CVE-2022-41903 is another signed integer overflow, this time when a pretty print format gets abused to do something unexpected. Take a look at this block of code:

Continue reading “This Week In Security: Git Deep Dive, Mailchimp, And SPF”

A man sits in a chair atop a hexagonal platform. From the platform there are six hydraulically-actuated legs supporting the hexapod above a grassy field. The field is filled with fog, giving the shot a mysterious, otherworldly look.

Megahex Will Give You Robo-Arachnophobia

Some projects start with a relatively simple idea that quickly turns into a bit of a nightmare when you get to the actual implementation. [Hacksmith Industries] found this to be the case when they decided to build a giant rideable hexapod, Megahex. [YouTube]

After seeing a video of a small excavator that could move itself small distances with its bucket, the team thought they could simply weld six of them together and hook them to a controller. What started as a three month project quickly spiraled into a year and a half of incremental improvements that gave them just enough hope to keep going forward. Given how many parts had to be swapped out before they got the mech walking, one might be tempted to call this Theseus’ Hexapod.

Despite all the issues getting to the final product, the Megahex is an impressive build. Forward motion and rotation on something with legs this massive is a truly impressive feat. Does the machine last long in this workable, epic state? Spoilers: no. But, the crew learned a lot and sometimes that’s still a good outcome from a project.

If you’re looking for more hexapod fun, checkout Stompy, another rideable hexapod, or Megapod, a significantly smaller 3D-printed machine.

Continue reading “Megahex Will Give You Robo-Arachnophobia”

Illuminated smart curtain in front of a window, beside a Christmas tree

Smart LED Curtain Brings Sprites To Your Windows

Mobile interface for LED smart curtain display
A mobile interface is a nice touch

Anybody who has ever seen a video wall (and who hasn’t?) will be familiar with the idea of making large-scale illuminated images from individual coloured lights. But how many of us have gone the extra mile and fitted such a display in our own homes? [vcch] has done just that with his Deluxe Smart Curtain that can be controlled with a phone or laptop.

The display itself is made up of a series of Neopixel strips, hung in vertical lines in front of the window.  There is a wide gap between each strip, lending a ghostly translucent look to the images and allowing the primary purpose of the window to remain intact.

The brains of the system are hosted on a low-cost M5stack atom ESP32 device. The data lines for the LEDs are wired in a zig-zag up and down pattern from left to right, which the driver software maps to the rectangular images. However, the 5V power is applied to the strips in parallel to avoid voltage drops along the chain.

If you’d like to build your own smart curtain, Arduino sketch files and PHP for the mobile interface are included on the project page. Be sure to check out the brief video of what the neighbors will enjoy at night after the break.

If video walls are your kind of thing, then how about this one that uses Ping Pong Balls as diffusers? Continue reading “Smart LED Curtain Brings Sprites To Your Windows”

This Week In Security: Cacti RCE, VMs In The Browser, And SugarCRM

This week we start with a Remote Code Execution (RCE) vulnerability that has potential to be a real pain for sysadmins. Cacti, the system monitoring and graphing solution, has a pair of bugs that chain together to allow an attacker with unauthenticated access to the HTTP/S port to trivially execute bash commands. The first half of this attack is an authentication bypass, and it’s embarrassingly trivial. The Cacti authentication code trusts the Forwarded-For: header in the request. Set it to the server’s IP, and the authentication code treats it like a localhost request, bypassing any real authentication process.

The second half is found in the remote_agent.php endpoint, where the poller_id is set by the user and treated as a string. Then, if the right host_id and local_data_id item is triggered, that string is concatenated into a proc_open() function call. The string isn’t sanitized, so it’s trivial enough to include a second command to run, dropping a webshell, for instance.

Version 1.2.23 of Cacti contains the fix, and released on the 2nd. This one is likely to be exploited, and if automated exploitation hasn’t started already, it likely will soon. So if you have a Cacti install, go double-check that the interface isn’t exposed to the world.

JSON Web Token

Researchers at Unit 42 found an exploit that can be used to achieve an RCE in the JsonWebToken project. The issue is this library’s verify() function, which takes arguments of the token to check, the key to use, and options. If there aren’t any algorithms specified in the options object, then the key is processed as a PEM string. The toString() method of that key is called during the actual check, and the assumption is that it’s either a string or buffer. But what if the key passed in to the verify() function was actually a complex object, bringing it’s own toString() method along to play. At that point, we have arbitrary code execution. And if this code is running on the server-side under node.js, that means a popped server.

But wait, it’s not that simple, right? It’s not like a valid JWT can contain an arbitrary object — that would be a problem all on its own. So CVE-2022-23529 is a stepping-stone. It’s insecure code, but the rest of the application has to have another vulnerability for this one to be reachable. Continue reading “This Week In Security: Cacti RCE, VMs In The Browser, And SugarCRM”

Lunar Rover Is No Toy

When you think of Tomy — more properly, Takara Tomy — you think of toys and models from Japan. After all, they have made models and toys as iconic as Transformers, Thomas, Jenga, Boggle, and Furby. They also made figures associated with Thunderbirds and Tron, two favorites in our circles. However, their recent design for SORA-Q is no toy. It is a tiny lunar rover designed at the request of JAXA, the Japanese space agency. The New Yorker recently posted about how this little rover came about.

The SORA-Q looks a bit like a modern Star Wars drone or — if it could fly — a training drone from some of the older movies. The rover caught a lift from a SpaceX Falcon 9 towards the moon with the Hakuto-R M1 lander. Another SORA-Q is scheduled to touch down later this year.

Continue reading “Lunar Rover Is No Toy”

Wizards Slay The Dragon That Lays The Golden Egg

Hail, and well met adventurers! There’s rumors of dark dealings, and mysterious machinations from that group of Western mystics, Wizards of the Coast (WotC). If this pernicious plot is allowed to succeed, a wave of darkness will spread over this land of Open Source gaming, the vile legal fog sticking to and tainting everything it touches. Our quest today is to determine the truth of these words, and determine a defense for the world of open gaming, and indeed perhaps the entire free world! Beware, the following adventure will delve into the bleak magic of licensing, contract law, and litigation.

Ah, Dungeons and Dragons. The original creation of Gary Gygax, refined by countless others, this table-top role-playing game has brought entertainment and much more to millions of players for years. In 2000, WotC made a decision that opened the mechanics of that universe to everyone. The 3rd Edition of Dungeons and Dragons was released under the Open Gaming License, a very intentional port of Open Source licensing to table-top gaming — obviously inspired by the GNU Public License. Ryan Dancey was one of the drivers behind the new approach, and made this statement about it:

I think there’s a very, very strong business case that can be made for the idea of embracing the ideas at the heart of the Open Source movement and finding a place for them in gaming. […] One of my fundamental arguments is that by pursuing the Open Gaming concept, Wizards can establish a clear policy on what it will, and will not allow people to do with its copyrighted materials. Just that alone should spur a huge surge in independent content creation that will feed into the D&D network.

Continue reading “Wizards Slay The Dragon That Lays The Golden Egg”

Virgin Not-Quite-Orbit-Yet

A country’s first orbital satellite launch from home soil is a proud moment, even when as is the case with Virgin Orbit, it’s not from the soil itself but from a Boeing 747 in the stratosphere over the sea. The first launch of the under-wing rocket took place yesterday evening, and pretty much every British space enthusiast gathered round the stream to watch history being made somewhere over the Atlantic south of Ireland. Sadly for all of us, though the launch itself went well and the rocket reached space, it suffered an anomaly in its second stage and failed to reach orbit.

No doubt we will hear more over the coming days as we’re sure they have a ton of telemetry data to work through before they find a definitive answer as to what happened. Meanwhile it’s worth remembering that the first launch of a new platform is a test of a hugely complex set of systems, and this one is certainly not the first to experience problems. It’s the under-wing launch that’s the interesting bit here, and in that we’re glad to see that part of the mission as a success. We know there will be a secomd launch and then many more, as not just the UK’s but Europe’s first launch platform from native soil becomes a viable and hopefully lower-cost launch option than its competitors.

People with very long memories will remember that this wasn’t the first time a British satellite launch attempt failed at the second stage and then went on to launch successfully, but Black Arrow launched Prospero back in 1971 from the Australian outback rather than the chilly North Atlantic.

Header: Österreichisches Weltraum Forum, CC BY-SA 4.0.