This Week In Security: OpenWrt, ZOOM, And Systemd

OpenWrt announced a problem in opkg, their super-lightweight package manager. OpenWrt’s target hardware, routers, make for an interesting security challenge. A Linux install that fits in just 4 MB of flash memory is a minor miracle in itself, and many compromises had to be made. In this case, we’re interested in the lack of SSL: a 4 MB install just can’t include SSL support. As a result, the package manager can’t rely on HTTPS for secure downloads. Instead, opkg first downloads a pair of files: a list of packages, which contains a SHA256 hash of each package, and a second file containing an Ed25519 signature. When an individual package is installed, the SHA256 hash of the downloaded package can be compared with the hash provided in the list of packages.


It’s a valid approach, but there was a bug, discovered by [Guido Vranken], in how opkg reads the hash values from the package list. The leading space before each hash value triggers some questionable pointer arithmetic, and as a result, opkg believes the SHA256 hash is simply blank. Rather than fail the install, the hash verification is simply skipped. The result? Opkg is vulnerable to a rather simple man-in-the-middle attack.
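As an added illustration in constructed C (not opkg’s source), here is the failure mode side by side with the safe behaviour: a package-list parser that ends up with an empty hash when the value follows a space, a check that fails open on that empty hash, and a check that fails closed. The `SHA256sum:` field name, the parser and the two checks are assumptions for the example.

```c
#include <ctype.h>
#include <string.h>

/* Constructed illustration, not opkg's source. It models the bug class
 * described above: a package-list parser that reads the SHA256 field as
 * an empty string, paired with a check that treats "no hash" as "pass". */

#define HEX_LEN 64  /* SHA-256 digest as lowercase hex */
/* Extract the value of a "SHA256sum:" line into out. Returns 1 if the line
 * carried that field, else 0. With skip_blanks == 0 the value is copied only
 * up to the first blank, so the space after the colon yields "" (the bug);
 * with skip_blanks == 1 leading blanks are consumed first (the fix). */
int parse_sha256_line(const char *line, int skip_blanks, char *out, size_t cap)
{
    static const char key[] = "SHA256sum:";
    size_t klen = sizeof key - 1, n = 0;
    if (strncmp(line, key, klen) != 0)
        return 0;
    const char *p = line + klen;
    if (skip_blanks)
        while (*p == ' ' || *p == '\t')
            p++;
    while (p[n] && !isspace((unsigned char)p[n]) && n + 1 < cap)
        n++;
    memcpy(out, p, n);
    out[n] = '\0';
    return 1;
}

/* Fail-open check (the vulnerable behaviour): an empty expected hash is
 * treated as "nothing to verify" and the package is accepted. */
int verify_fail_open(const char *expected, const char *actual)
{
    if (expected[0] == '\0')
        return 1;
    return strcmp(expected, actual) == 0;
}

/* Fail-closed check: the expected hash must be a well-formed digest and
 * match exactly; a missing or malformed entry rejects the package. */
int verify_fail_closed(const char *expected, const char *actual)
{
    if (strlen(expected) != HEX_LEN || strlen(actual) != HEX_LEN)
        return 0;
    for (size_t i = 0; i < HEX_LEN; i++)
        if (!isxdigit((unsigned char)expected[i]))
            return 0;
    return memcmp(expected, actual, HEX_LEN) == 0;
}
```

With the buggy parser the fail-open check accepts any package body at all, which is exactly the skipped verification described above; the fail-closed check rejects it regardless of which parser fed it.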

OpenWrt doesn’t do any automatic installs or automatic updates, so this vulnerability will likely not be widely abused, but it could be used for a targeted attack. An attacker would need to be in a position to MitM the router’s internet connection while software was being installed. Regardless, make sure you’re running the latest OpenWrt release to mitigate this issue. Via Ars Technica.

Wireguard V1.0

With Linux kernel version 5.6 finally released, Wireguard has been christened as a stable release. An interesting aside: Google has enabled Wireguard in their Generic Kernel Image (GKI), which may signal more official support for Wireguard VPNs in Android. I’ve also heard reports that one of the larger Android ROM development communities is looking into better system-level Wireguard support as well.

Javascript in Disguise

Javascript makes the web work — and has been a constant thorn in the side of good security. For just one example, remember Samy, the worm that took over Myspace in ’05. That cross-site scripting (XSS) attack used a series of techniques to embed Javascript code in a user’s profile. Whenever that profile page was viewed, the embedded JS code would run, and then replicate itself on the page of whoever had the misfortune of falling into the trap.

Today we have much better protections against XSS attacks, and something like that could never happen again, right? Here’s the thing: for every mitigation like Content-Security-Policy, there is a guy like [theMiddle] who’s coming up with new ways to break it. In this case, he realized that a less-than-perfect CSP could be defeated by encoding Javascript inside a .png, and decoding it to deliver the payload.

Systemd

Ah, systemd. Nothing seems to bring passionate opinions out of the woodwork like a story about it. In this case, it’s a vulnerability found by [Tavis Ormandy] from Google Project Zero. The bug is a race condition, where a cached data structure can be used after it’s already been freed. It’s interesting, because this vulnerability is accessible using DBus, and could potentially be used to get root level access. It was fixed with systemd v220.

Mac Firmware

For those of you running MacOS on Apple hardware, you might want to check your firmware version. Not because there’s a particularly nasty vulnerability in there, but because firmware updates fail silently during OS updates. What’s worse, Apple isn’t publishing release notes, or even acknowledging the most recent firmware version. A crowd-sourced list of the latest firmware versions is available, and you can try to convince your machine to try again, and hope the firmware update works this time.

Anti-Rubber-Ducky

Google recently announced a new security tool, USB Keystroke Injection Protection. I assume the nickname, UKIP, isn’t an intentional reference to British politics. Regardless, this project is intended to help protect against the infamous USB Rubber Ducky attack, by trying to differentiate a real user’s typing cadence, as opposed to a malicious device that types implausibly quickly.

While the project is interesting, there are already examples of how to defeat it that amount to simply running the scripts with slight pauses between keystrokes. Time will tell if UKIP turns into a useful mitigation tool. (Get it?)
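As an added example (not UKIP’s code), a constructed cadence check in C that flags any run of keystrokes whose average gap is faster than a person can type, which is the idea the tool is built on. The window size, the 30 ms threshold and the trace-building helper are assumptions for the illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed illustration of the cadence heuristic described above; it is
 * not UKIP's code. Keystroke arrival times are in milliseconds. Assumed
 * policy: any run of WINDOW keystrokes whose average gap is below
 * MIN_AVG_GAP_MS is faster than a person types and is flagged. */

#define WINDOW 8           /* keystrokes examined per decision */
#define MIN_AVG_GAP_MS 30  /* assumed threshold, not a UKIP value */

/* Fill ts[0..n) with arrival times spaced gap_ms apart, starting at start.
 * Used to build constructed keystroke traces for the check below. */
void fill_trace(uint32_t *ts, size_t n, uint32_t start, uint32_t gap_ms)
{
    for (size_t i = 0; i < n; i++)
        ts[i] = start + (uint32_t)i * gap_ms;
}

/* Return 1 if any WINDOW consecutive keystrokes in ts[0..n) arrive with an
 * average inter-keystroke gap below MIN_AVG_GAP_MS, else 0. Short traces
 * are never flagged: there is not enough evidence either way. */
int looks_injected(const uint32_t *ts, size_t n)
{
    if (n < WINDOW)
        return 0;
    for (size_t i = 0; i + WINDOW <= n; i++) {
        uint32_t span = ts[i + WINDOW - 1] - ts[i];  /* covers WINDOW-1 gaps */
        if (span < (uint32_t)MIN_AVG_GAP_MS * (WINDOW - 1))
            return 1;
    }
    return 0;
}
```

A trace paced at 40 ms per key passes this check, which is the weakness the paragraph above points out: a timing heuristic only catches devices that type implausibly fast.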

SMBGhost

Remember SMBGhost, the new wormable SMB flaw? Well, there is already a detailed explanation and PoC. This particular PoC is a local-only privilege escalation, but a remote code execution attack is likely inevitable, so go make sure you’re patched!

An Open Hardware Rubber Ducky

No, it’s not an open source version of Bert’s favorite bathtime toy (though seriously, let us know if you see one), the PocketAdmin by [Radik Bechmetov] is intended to be an alternative to the well-known “USB Rubber Ducky” penetration testing tool from Hak5. It might look like a standard USB flash drive, but underneath that black plastic enclosure is a whole lot of digital mischief waiting to spill out.

The general idea is that the PocketAdmin appears to the host computer as either a USB Human Interface Device (keyboard, mouse, etc) or a USB Mass Storage Device. In either event, the user has the ability to craft custom payloads which can exploit the operating system’s inherent trust in locally connected devices. The most common example is mimicking a USB keyboard that starts “typing” once connected to the computer.

You can even configure what vendor and product IDs the PocketAdmin advertises, allowing you to more accurately spoof various devices. [Radik] has included some other interesting features, such as the ability to launch different payloads depending on the detected operating system. That way it won’t waste time trying to bang out Windows commands when it’s connected to a Linux box.

The hardware is designed to be as easy and cheap to replicate as possible. The heavy lifting is done by an STM32F072C8T6 microcontroller, coupled with a W25Q256FVFG 32MiB flash chip to store the payloads. Beyond that, the BOM consists mainly of passives and a few obvious bits like the male USB connector. [Radik] has even provided a link to where you can buy the convincing looking USB “flash drive” enclosure.

We’ve seen low-cost DIY versions of the USB Rubber Ducky in the past, but PocketAdmin is interesting in that it seems like [Radik] is looking to break new ground with this project rather than just copy what’s already been done. This will definitely be one to watch as the 2019 Hackaday Prize heats up.

A Malicious WiFi Backdoor In A Keyboard’s Clothing

The USB Rubber Ducky burst onto the scene a few years ago, and invented a new attack vector – keystroke injection. The malicious USB device presents itself as a keyboard to the target system, blurting out keystrokes at up to 1000 words per minute. The device is typically used to open a phishing site or otherwise enter commands to exfiltrate data from the victim. Now things have stepped up a notch, with ESPloitV2 – a WiFi-enabled take on the same concept.

Running on the Cactus WHID platform, the device is so named for the ESP12 WiFi microcontroller it employs, along with an Atmega 32u4 for USB HID device emulation. By virtue of its wireless connection, no longer does the aspiring hacker have to rely on pre-cooked routines. Various exploits can be stored in the ESP12’s spacious 4 megabytes of flash, and there’s even the potential to live type your attack if you’re feeling bold.

It goes to show that the trust we implicitly place in foreign USB devices is potentially our future downfall. BadUSB is another great example, and the USB Wrapper is a great way to get a charge if you’re stuck using an untrusted port.


Launchpad MIDI Controller Put To Work With Python

For Hackaday readers who might not spend their free time spinning electronic beats at raves, the Launchpad by Novation is a popular peripheral for creating digital music with tools such as Ableton Live. Its 8×8 grid of RGB LED backlit buttons is used to trigger different beats and clips by sending MIDI commands to the computer over USB. While not a strict requirement for performing digital music, it also helps that it looks like you’re flying a spaceship when using it.

It’s definitely a slick piece of gear, but the limited stock functionality means you’re unlikely to see one outside of the Beat Laboratory. Though that might change soon thanks to LPHK, created by [Ella Jameson]. She’s created a program in Python that allows you to use the Novation Launchpad as a general purpose input device. But rather than taking the easy way out by just turning the hardware into a USB HID device or something along those lines, LPHK implements an impressive set of features including its own internal scripting language.

In the video after the break, [Ella] walks us through some basic use cases, such as launching programs or controlling the system volume with individual buttons. LPHK has a GUI which provides a virtual representation of the Launchpad, and allows configuring each button’s color and function as well as saving and loading complete layouts.

For more advanced functionality, LPHK utilizes a scripting language that was inspired by the Hak5 USB Rubber Ducky. Scripts are written with plain English commands and very simple syntax, meaning you don’t need to have any programming experience to create your own functions. There’s also a script scheduling system with visual feedback right on the board: if a button is pulsing red it means it has a script waiting for its turn to execute. When the key is rapidly flashing the script is actively running. A second tap of the button will either remove it from the queue or kill the running script, depending on what the status was when you hit it.

[Ella] makes it clear this software is still a work in progress; it’s not as polished as she’d like and still has bugs, but it’s definitely functional for anyone who’s looking to wring a bit more functionality out of their $150 Launchpad. She’s actively looking for beta testers and feedback, so if you’ve already got one of these boards give it a shot and let her know what you think.

In the past we’ve seen hackers fiddling with the open source API Novation released for their Launchpad controllers, but overall there hasn’t been a lot of work done with these devices. Perhaps that will soon change with powerful software like this in development.


DIY Rubber Ducky Is As Cheap As Its Namesake

The “Rubber Ducky” by Hak5 is a very powerful tool that lets the user perform rapid keystroke injection attacks, which is basically a fancy way of saying the device can type fast. Capable of entering text at over 1000 WPM, Mavis Beacon’s got nothing on this $45 gadget. Within just a few seconds of plugging it in, a properly programmed script can do all sorts of damage. Just think of all the havoc that can be caused by an attacker typing in commands on the local machine, and now imagine they are also the Flash.

But unless you’re a professional pentester, $45 might be a bit more than you’re looking to spend. Luckily for the budget conscious hackers out there, [Tomas C] has posted a guide on using open source software to create a DIY version of Hak5’s tool for $3 a pop. At that cost, you don’t even have to bother recovering the things when you deploy them; just hold on tight to your balaclava and make a run for it.

The hardware side of this hack is the Attiny85-based Digispark, clones of which can be had for as low as $1.50 USD depending on how long you’re willing to wait on the shipping from China. Even the official ones are only $8, though as of the time of this writing they are not currently available. Encapsulating the thing in black shrink tubing prevents it from shorting out, and as an added bonus, gives it that legit hacker look. Of course, it wouldn’t be much of a hack if you could just buy one of these little guys and install the Rubber Ducky firmware on it.

In an effort to make it easier to use, the official Rubber Ducky runs scripts written in a BASIC-like scripting language. [Tomas C] used a tool called duck2spark by [Marcus Mengs], which lets you take a Rubber Ducky script (the scripts have been released by Hak5 as open source) and compile it into a binary for flashing to the Digispark.

Not quite as convenient as just copying the script to the original Ducky’s microSD card, but what do you want for less than 1/10th the original’s price? Like we’ve seen in previous DIY builds inspired by Hak5 products, the trade-off is often cost for ease of use.

[Thanks to Javier for the tip.]

A Sneak Preview Of The Hacker Warehouse Badge

We were lucky enough to get our hands on a hand-soldered prototype of the new Hacker Warehouse badge, and boy is this one a treat. It’s fashionable, it’s blinky, and most impressively, it’s a very useful tool. This badge can replace the Google Authenticator two factor authentication app on your phone, and it’s a USB Rubber Ducky. It’s also a badge. Is this the year badges become useful? Check out the video below to find out more.

This is the time of year when hardware hackers from all across North America are busy working on the demoscene of hardware and manufacturing. This is badgelife, the celebration of manufacturing custom wearable electronics for one special weekend in Las Vegas. In just about a month from now, there will be thousands of independent badges flooding Caesar’s Palace in Vegas, complete with blinkies, custom chips, innovative manufacturing processes, and so many memes rendered in fiberglass and soldermask.


Brute Forcing Passwords With A 3D Printer

Many of us use a 4 digit PIN code to lock our phones. [David Randolph] over at Hak5 has come up with a simple way to use a 3D printer to brute force these passwords. Just about every 3D printer out there speaks the same language, G-code, the same language used in CAD and CNC machines for decades.

[David] placed a numeric keypad on the bed of his printer. He then mapped out the height and positions of each key. Once he knew the absolute positions of the keys, it was easy to tell the printer to move to a key, then press and release. He even created a G-code file which would press every one of the 10,000 4-key PIN combinations.

A file this large was a bit unwieldy though, so [David] also created a Python script which will do the same thing — outputting the G-code and coordinates to brute force any 4-digit PIN keypad. While a printer is quite a bit slower than Hak5’s own USB Rubber Ducky device (which acts as an automated keyboard), it will successfully brute force a password, although most phones these days do limit the number of password attempts a user gets.

[David] admits this is probably useless in a clandestine/hacking application, but the video is still a great introduction to G-code and using 3D printers for non-printing functions.
