This Week In Security: Curl Reveal, Rapid Reset DDoS, And Libcue

Curl gave us all a big warning that a severe security problem had been found in that codebase. Given the staggering number of Curl installs around the world, we held our collective breath and waited for the bombshell to drop this Wednesday. It turns out, it’s not quite as bad as feared — so long as you don’t have a SOCKS proxy.

In hindsight, shipping a heap overflow in code installed in over twenty billion instances is not an experience I would recommend. — Daniel Stenberg

The trouble started when the SOCKS5 proxy support was converted to a non-blocking implementation. It’s a win for libcurl to work on requests asynchronously, but refactoring code and adding new features always carries a bit of risk. SOCKS5 proxying has some quirks, like allowing DNS resolution to happen either locally or at the proxy. The new async code starts out with:

bool socks5_resolve_local =
(proxytype == CURLPROXY_SOCKS5) ? TRUE : FALSE;

First off, unnecessary ternary is unnecessary. But note that this local variable gets set from the proxytype. If that’s CURLPROXY_SOCKS5_HOSTNAME, then it uses remote resolution. Inherited from the old code, though, is a check for a hostname that is too long for a SOCKS request (255 bytes). In that case this code switches back to local resolution.

The important detail here is that this function is now a state machine that potentially runs multiple times for a single request, to achieve that asynchronous execution. The check for a too-long hostname only happens during the initialization state. Copying the hostname into the buffer happens in a different state. If setting up the connection takes long enough, the function will return and be executed again once something has changed. The ternary check runs again, but the hostname-too-long check does not. So if the request is set to do remote resolution with a long enough hostname, execution slips through this edge case, and the long hostname is copied into a too-small buffer.
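To make the state-machine failure concrete, here is an added example, not curl’s code, that models the pattern described above: a non-blocking SOCKS5 connect routine that recomputes the “resolve locally” flag on every entry, next to a variant that records the decision once in the per-connection state and refuses a name that cannot fit. The state names, the 255-byte limit handling, the RES_* result codes and the constructed 300-byte hostname are this example’s own assumptions; the copy is guarded so the buggy path reports the would-be overflow as a return code instead of corrupting memory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SOCKS5_MAX_NAME 255   /* one-byte length prefix in the SOCKS5 request */

enum proxytype { PROXY_SOCKS5, PROXY_SOCKS5_HOSTNAME };
enum state { ST_INIT, ST_WAIT_CONNECT, ST_SEND_REQUEST, ST_DONE };
enum result { RES_AGAIN, RES_OK_LOCAL, RES_OK_REMOTE, RES_ERR_TOO_LONG, RES_OVERFLOW };

struct conn {
    enum proxytype proxytype;
    const char *hostname;
    enum state state;
    bool connect_pending;      /* simulates the socket not being ready yet */
    bool resolve_local;        /* used only by the hardened variant */
    char req[SOCKS5_MAX_NAME]; /* destination-name field of the request */
};

/* Guarded stand-in for the raw copy: refuses to write past the buffer and
 * reports it, so the flaw surfaces as a return code rather than as UB. */
static bool copy_name(char *dst, size_t dstlen, const char *name) {
    size_t n = strlen(name);
    if (n > dstlen)
        return false;          /* the real bug would overflow here */
    memcpy(dst, name, n);
    return true;
}

/* Buggy pattern: resolve_local is a local recomputed on every call, so the
 * override made in ST_INIT evaporates as soon as the function returns AGAIN. */
enum result socks5_buggy(struct conn *c) {
    bool resolve_local = (c->proxytype == PROXY_SOCKS5);
    switch (c->state) {
    case ST_INIT:
        if (!resolve_local && strlen(c->hostname) > SOCKS5_MAX_NAME)
            resolve_local = true;   /* fall back to local resolution */
        c->state = ST_WAIT_CONNECT;
        /* fall through */
    case ST_WAIT_CONNECT:
        if (c->connect_pending) {
            c->connect_pending = false;
            return RES_AGAIN;       /* caller re-enters us later */
        }
        c->state = ST_SEND_REQUEST;
        /* fall through */
    case ST_SEND_REQUEST:
        c->state = ST_DONE;
        if (resolve_local)
            return RES_OK_LOCAL;    /* a resolved IP goes into the request */
        return copy_name(c->req, sizeof c->req, c->hostname) ? RES_OK_REMOTE : RES_OVERFLOW;
    default:
        return RES_OK_LOCAL;
    }
}

/* Hardened pattern: decide once, keep the decision in the connection state,
 * and reject a name that cannot fit instead of silently changing mode. */
enum result socks5_fixed(struct conn *c) {
    switch (c->state) {
    case ST_INIT:
        c->resolve_local = (c->proxytype == PROXY_SOCKS5);
        if (!c->resolve_local && strlen(c->hostname) > SOCKS5_MAX_NAME)
            return RES_ERR_TOO_LONG;
        c->state = ST_WAIT_CONNECT;
        /* fall through */
    case ST_WAIT_CONNECT:
        if (c->connect_pending) {
            c->connect_pending = false;
            return RES_AGAIN;
        }
        c->state = ST_SEND_REQUEST;
        /* fall through */
    case ST_SEND_REQUEST:
        c->state = ST_DONE;
        if (c->resolve_local)
            return RES_OK_LOCAL;
        return copy_name(c->req, sizeof c->req, c->hostname) ? RES_OK_REMOTE : RES_OVERFLOW;
    default:
        return RES_OK_LOCAL;
    }
}

/* Constructed input: a 300-byte hostname, well past the SOCKS5 limit. */
static const char *long_name(void) {
    static char buf[301];
    memset(buf, 'a', 300);
    buf[300] = '\0';
    return buf;
}

/* Run one connection with a remote-resolving proxy type until it finishes,
 * re-entering the state machine while it reports AGAIN (slow connect). */
enum result demo(enum result (*fn)(struct conn *), const char *host, bool slow_connect) {
    struct conn c = { PROXY_SOCKS5_HOSTNAME, host, ST_INIT, slow_connect, false, {0} };
    enum result r;
    do { r = fn(&c); } while (r == RES_AGAIN);
    return r;
}

int main(void) {
    printf("buggy, fast connect: %d (1 = local fallback worked)\n", demo(socks5_buggy, long_name(), false));
    printf("buggy, slow connect: %d (4 = overflow reached)\n", demo(socks5_buggy, long_name(), true));
    printf("fixed, slow connect: %d (3 = too-long name rejected)\n", demo(socks5_fixed, long_name(), true));
    return 0;
}
```

The interesting case is the second line of output: the buggy routine behaves correctly when the connect completes on the first pass, and only the re-entry after RES_AGAIN reaches the unguarded copy with the over-long name. That is why the page’s point about timing matters, and why any flag that is overridden in one state of a re-entrant function has to live in the connection object rather than on the stack.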

It’s safe to assume that this heap overflow can result in arbitrary code execution. The fix has landed in 8.4.0, after the bug was present for 1,315 days. [Daniel] gets ahead of the inevitable suggestion that Curl should be written in Rust or another memory-safe language. Curl was started before those alternatives existed, and there is a very slow effort to move portions of the project to memory-safe languages. And you’re welcome to help out.

Escalating Privileges In Ubuntu 20.04 From User Account

Ubuntu 20.04 is an incredibly popular operating system, perhaps the most popular among the Linux distributions due to its ease of use. In general, it’s a fairly trustworthy operating system too, especially since its source code is open. However, an update in the 20.04 release led security researcher [Kevin Backhouse] to find a surprisingly easy way to escalate privileges on this OS, which we would like to note is not great.

The exploit involves two bugs, one in the AccountsService daemon (accounts-daemon), which handles user accounts on the computer, and another in the GNOME Display Manager, which handles the login screen. Ubuntu 20.04 added some code to the daemon which reads a specific file on the computer, and with a simple symlink it can be tricked into reading a different file, which locks the process into an infinite loop. The daemon also drops its privileges at one point in this process, a normal security precaution, but because the process then runs as the user, the user is able to crash the daemon.

The second bug for this exploit involves how the GNOME Display Manager (gdm3) handles privileges. Normally it would not have administrator privileges, but if the AccountsService daemon isn’t running it escalates itself to administrator, so that any changes made have administrator privileges. This provides an attacker with an opportunity to create a new user account with administrator privileges.

Of course, this being Ubuntu, we can assume that this vulnerability will be patched immediately. It’s also a good time to point out that the reason open-source software is inherently more secure is that when anyone can see the source code, anyone can find and report issues like this, which allows the software maintainer (or even the user themselves) to make effective changes more quickly.

Ubuntu Update Hack Chat

Join us on Wednesday, July 22 at noon Pacific for the Ubuntu Update Hack Chat with Rhys Davies and Alan Pope!

Everyone has their favorite brands, covering everything from the clothes they wear to the cars they drive. We see brand loyalty informing all sorts of acquisition decisions, not only in regular consumer life but in technology, too. Brand decisions sort people into broad categories like Mac versus PC, or iPhone versus Android, and can result in spirited discussions of the relative merits of one choice over the others. It’s generally well-intentioned, even if it gets a bit personal sometimes.

Perhaps no choice is more personal in hacker circles than which Linux distribution to use. There are tons to choose from, each with their various features and particular pros and cons. Ubuntu has become a very popular choice for Linux aficionados, attracting more than a third of the market. Canonical is the company behind the Debian-based distro, providing editions that run on the desktop, on servers, and on a variety of IoT devices, as well as support and services for large-scale users.

To fill us in on what’s new in the world of Ubuntu, Canonical product manager Rhys Davies and developer advocate Alan Pope will stop by the Hack Chat this week. They’ll be ready to answer all your questions about the interesting stuff that’s going on with Ubuntu, including the recently announced Ubuntu Appliances, easy to install, low maintenance images for Raspberry Pis and PCs that are built for security and simplicity. We’ll also talk about snaps, desktops, and whatever else crops up.

Our Hack Chats are live community events in the Hackaday.io Hack Chat group messaging. This week we’ll be sitting down on Wednesday, July 22 at 12:00 PM Pacific time. If time zones have you down, we have a handy time zone converter.

Click that speech bubble to the right, and you’ll be taken directly to the Hack Chat group on Hackaday.io. You don’t have to wait until Wednesday; join whenever you want and you can see what the community is talking about.

Remanufacturing A Rotary Airplane Engine

If someone tells you they have seen a rotary engine, the chances are that you will immediately think of a Wankel engine, as you might find in some of the more exotic Mazda sports cars. But there is another rotary engine that has a prior claim to the name, and it can be found as the power unit for many early-twentieth-century aircraft. In these rotary engines the cylinders are arranged radially around a stationary crankshaft, and it is the engine itself that rotates. They have the advantage of extreme simplicity, smooth power, and a low parts count, at the expense of total-loss lubrication, a relatively large rotating mass, and some difficulty in controlling their power. These rotary engines were largely obsolete by the 1920s, but a recent upsurge of interest in WW1-era aircraft has led to the creation of a small demand for them. New Zealand-based Classic Aero Machining Service have stepped in to fill that gap and are remanufacturing the Gnome radial engine, the most numerous design of that era.

For anyone with an interest in internal combustion engines, the Gnome is a fascinating study. It’s a nine-cylinder design that runs a four-stroke Otto cycle, but instead of the two or more valves per cylinder you might be familiar with from your motor vehicle it has only a single valve. The so-called Monosoupape design uses its valve for both intake and exhaust, opening it on the inlet stroke as well as the exhaust stroke. The simplicity of a single valve and no carburetor is thus offset by a difficulty in varying its power, so rotary engines would frequently reduce the number of firing cylinders in lieu of throttling back.

The CAMS Gnome is a faithful copy of the original, but with modern metallurgy and the addition of an electronic ignition system. The original castor oil is still used — it seems classic aviation buffs like the smell — but because it is notorious for leaving sticky deposits in the engine they are evaluating modern alternatives. They have some technical details on their website, and there’s a good chance you may hear one of their engines one day at an air show near you.


Video – Turning Good Gnomes Evil


In this video [Jack] will show you how to take a garden gnome and a solar light and create a FrankenGnome that is sure to creep out your friends and neighbors. This Hackaday original video is the first in a new series of videos that we will now be posting on a weekly basis.

You’ll notice a few symbols at the beginning of these videos. These symbols are there to help you understand what the video is all about. In the upper left corner, we have the skill level. These will range from 1 for very basic projects to 4 for highly advanced projects. The upper right corner places the video in one of two categories. The first category is ‘feature adding’. In these videos we will be taking off-the-shelf items and modifying them to do something new. The other category is ‘skill building’. In these, we will be exploring different topics in depth. At first, the skill building videos will be mostly about electronics and software. In the future, when we have excavated more room in Hackaday Headquarters, located deep beneath a mountain in remote [REDACTED], we will start doing videos on topics of a more mechanical nature. The other icons represent the major skills involved in the project.

Check out the video after the break.
