This Week In Security: Filename Not Sanitized, MonikerLink, And Snap Attack!

Reading through a vulnerability report about ClamAV, I came across a phrase that filled me with dread: “The file name is not sanitized”. It concerns VirusEvent, a feature that can be enabled in the ClamAV config. That configuration takes a command string with format characters, where %v and %s get replaced with the detected virus name and the file name from the email. And now you see the problem, I hope: the filename is attacker-supplied input.

Where this really gets out of hand is what ClamAV does with this string: execle("/bin/sh", "sh", "-c", buffer_cmd, NULL, env). So let’s talk defensive program design for a minute. When it comes to running a secondary command, there are two general options, system() and the exec*() family of calls. system() is very simple to use. It pauses execution of the main process and asks the operating system to run a string, just as if the user had typed that command into the shell. While this is very convenient, it is a security problem if any part of that command string is user-supplied. All it takes is a semicolon or ampersand to break assumptions and inject a command.

To the rescue comes exec(). It’s a bit more complicated to use, requiring the programmer to manually call fork() and wait(). But it’s not running the command via the shell. exec() executes a program directly, totally eliminating the potential for command injection! Except… oops.

Yeah, exec() and related calls don’t offer any security protection when you use them to execute /bin/sh, because the shell still parses the string exactly as system() would have. I suspect the code was written this way to allow running a script without specifying /bin/sh in the config. The official fix was to disable the %s filename format character and supply the filename through an environment variable instead. That certainly works, and that fix is available in 1.0.5, 1.2.2, and 1.3.0.
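To make the system()-versus-exec() point concrete, here is an added example of my own (not ClamAV’s code). It reproduces the legacy-style %v/%s expansion, shows why handing that string to sh -c lets a crafted filename change the command’s structure, and then implements the shape of the fix: refuse templates that still use %s and pass the filename through the environment so the shell treats it as data. The notify script path and the sample filename are constructed for the example; the variable names CLAM_VIRUSEVENT_FILENAME and CLAM_VIRUSEVENT_VIRUSNAME are my recollection of ClamAV’s documented ones, not something stated on this page, so treat them as an assumption.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Legacy-style expansion: %v -> virus name, %s -> filename, pasted straight
 * into the command string. Returns the length written, or -1 if out is too
 * small. Because the filename is attacker-controlled, any bytes it carries
 * land in the string that "sh -c" will later parse. */
int expand_virusevent(const char *tmpl, const char *virus, const char *fname,
                      char *out, size_t outlen)
{
    size_t n = 0;
    if (outlen == 0) return -1;
    for (const char *p = tmpl; *p; p++) {
        const char *rep = NULL;
        if (*p == '%' && p[1] == 'v') { rep = virus; p++; }
        else if (*p == '%' && p[1] == 's') { rep = fname; p++; }
        if (rep) {
            size_t rl = strlen(rep);
            if (n + rl >= outlen) return -1;
            memcpy(out + n, rep, rl);
            n += rl;
        } else {
            if (n + 1 >= outlen) return -1;
            out[n++] = *p;
        }
    }
    out[n] = '\0';
    return (int)n;
}

/* Detection helper: does the expanded string contain bytes a POSIX shell
 * treats as syntax? With the legacy expansion, a filename containing one of
 * these makes this true, which is exactly the command-injection condition. */
int has_shell_metachar(const char *s)
{
    return strpbrk(s, ";|&$`\"'<>()\n") != NULL;
}

/* Mitigation in the spirit of the ClamAV fix: reject any VirusEvent template
 * that still uses %s, so the filename can never be spliced into the command. */
int virusevent_template_ok(const char *tmpl)
{
    for (const char *p = tmpl; *p; p++)
        if (*p == '%' && p[1] == 's') return 0;
    return 1;
}

/* Hardened runner: only %v is expanded into the command, and the filename is
 * exported as an environment variable. "$CLAM_VIRUSEVENT_FILENAME" in the
 * template expands to a single word, so metacharacters inside it are data,
 * not syntax. Variable names are an assumption (see lead-in). Returns the
 * child's exit status, or -1 if the template is rejected or spawning fails. */
int run_virusevent_safe(const char *tmpl, const char *virus, const char *fname)
{
    char cmd[1024];
    if (!virusevent_template_ok(tmpl)) return -1;
    if (expand_virusevent(tmpl, virus, "", cmd, sizeof cmd) < 0) return -1;

    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char fn_env[1024], vn_env[1024];
        snprintf(fn_env, sizeof fn_env, "CLAM_VIRUSEVENT_FILENAME=%s", fname);
        snprintf(vn_env, sizeof vn_env, "CLAM_VIRUSEVENT_VIRUSNAME=%s", virus);
        char *env[] = { fn_env, vn_env, (char *)"PATH=/usr/bin:/bin", NULL };
        execle("/bin/sh", "sh", "-c", cmd, (char *)NULL, env);
        _exit(127);  /* only reached if exec fails */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample: an attachment name carrying a shell separator. */
    const char *fname = "report.eml; echo INJECTED";
    const char *virus = "Eicar-Test-Signature";
    char cmd[256];

    /* Legacy path: the separator survives into the string sh -c would parse. */
    expand_virusevent("/usr/local/bin/notify %v %s", virus, fname, cmd, sizeof cmd);
    printf("legacy command string: %s\n", cmd);
    printf("shell metacharacters present: %s\n", has_shell_metachar(cmd) ? "yes" : "no");

    /* Hardened path: the child shell echoes the filename back verbatim, as one word. */
    return run_virusevent_safe("echo \"file=$CLAM_VIRUSEVENT_FILENAME\"", virus, fname) == 0 ? 0 : 1;
}
```

The design point is the one the column makes: exec() removes the shell only if you stop invoking the shell. Once /bin/sh -c is in the picture, safety comes from keeping untrusted bytes out of the string the shell parses, which is what the environment-variable route achieves.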

The real danger here is that we have another case where some hardware appliance manufacturer has used ClamAV for email filtering and ships this configuration enabled by default. That’s how we get orders from CISA to unplug your hardware, because it’s already compromised.

Dear Ubuntu…

Dear Ubuntu,

I hope this letter finds you well. I want to start by saying that our time together has been one of creativity and entertainment, a time in which you gave me the tools to develop a new career, to run a small electronics business, make fun things, and to write several thousand articles for Hackaday and other publications, but for all that it’s sadly time for our ways to part. The magic that once brought us together has faded, and what remains is in danger of becoming a frustration.

In our early days as an item you gave me for the first time a Linux distro that was complete, fast, and easy to use without spending too much time at the CLI or editing config files to make things happen; you gave me a desktop that was smooth and uncluttered, and you freed me from all those little utilities that were required to make Windows usable. You replaced the other distros I’d been using, you dual-booted with my Windows machines, and pretty soon you supplanted the Microsoft operating system entirely.

Ubuntu and me and a trusty Dell laptop at Oxford Hackspace, 2017. Good times.

We’ve been together for close to two decades now, and in that time we’ve looked each other in the eye across a variety of desktop and laptop computers. My trusty Dell Inspiron 640 ran you for over a decade through several RAM, HDD, and SSD upgrades, and provided Hackaday readers with the first few years of my writing. Even the Unity desktop couldn’t break our relationship; those Linux Mint people weren’t going to tear us asunder! You captured my text, edited my videos and images, created my PCBs and CAD projects, and did countless more computing tasks. Together we made a lot of people happy, and for that I will always be grateful.


Hackaday Links: November 21, 2021

As the most spendiest time of the year rapidly approaches, it’s good to know that your hard-earned money doesn’t have to go towards gifts that are probably still sitting in the dank holds of container ships sitting at anchor off the coast of California. At least not if you shop the Tindie Cyber Sale that started yesterday and goes through December 5. There’s a lot of cool stuff on sale, so it shouldn’t be too hard to find something; to sweeten the deal, Jasmine tells us that there will be extra deals going live on Black Friday and Cyber Monday. But wait, there’s more — follow Tindie on Twitter for bonus discount codes.

Blue is the old black, which was the new blue? At least when it comes to “Screens of Death” it is, since Microsoft announced the Windows 11 BSOD will revert back from its recent black makeover to the more familiar blue theme. You’ll have to scroll down a bit, perhaps three-quarters of the way through the list of changes. Again, the change seems completely cosmetic and minor, but we’d still love to know what kind of research went into making a decision like this.

From the “One Man’s Trash” department, we have a request for help from reader Mike Drew who picked up a bunch — like, a thousand — old tablet computers. They originally ran Windows but they can run Linux Mint just fine, and while they lack batteries and the back cover, they’re otherwise complete and in usable condition, at least judging by the pictures he shared. These were destined for the landfill, but Mike is willing to send batches of 10 — no single units, please — to anyone who can cover the cost of packaging and shipping. Mike says he’ll be wiping the tablets and installing Mint, and will throw in a couple of battery cables and a simple instruction sheet to get you started. If you’re interested, Mike can be reached at michael.l.drew@gmail.com. Domestic shipping only, please. Here’s hoping you can help a fellow hacker reclaim a room in his house.

Answering the important questions: it turns out that Thanos couldn’t have snapped half of the universe out of existence after all. That conclusion comes from a scientific paper, appearing in the Journal of the Royal Society. While not setting out to answer whether a nigh-invulnerable, giant purple supervillain could snap his fingers, it’s pretty intuitive that wearing any kind of gloves, let alone a jewel-encrusted metal gauntlet, makes it hard to snap one’s fingers. But the mechanics of snapping are actually pretty cool, and have implications beyond biomechanics. According to the paper, snapping is an example of latch-mediated spring actuation, with examples throughout the plant and animal kingdoms, including the vicious “one-inch punch” of the tiny mantis shrimp. It turns out that a properly executed human finger snap is pretty darn snappy — it takes about seven milliseconds to complete, compared to 150 milliseconds for an eye blink.

And finally, it seems like someone over at Id Software is a bit confused. The story began when a metal guitarist named Dustin Mitchell stumbled across the term “doomscroll” and decided that it would make a great name for a progressive thrash metal band. After diligently filing a trademark application with the US Patent and Trademark Office, he got an email from an attorney for Id saying they were going to challenge the trademark, apparently because they feel like it will cause confusion with their flagship DOOM franchise. It’s hard to see how anyone who lived through the doomscrolling years of 2020 and 2021 is going to be confused by a thrash metal band and a 30-year-old video game, but we suppose that’s not the point when you’re an attorney. Trademark trolls gonna troll, after all.

Ubuntu Update Hack Chat

Join us on Wednesday, July 22 at noon Pacific for the Ubuntu Update Hack Chat with Rhys Davies and Alan Pope!

Everyone has their favorite brands, covering everything from the clothes they wear to the cars they drive. We see brand loyalty informing all sorts of acquisition decisions, not only in regular consumer life but in technology, too. Brand decisions sort people into broad categories like Mac versus PC, or iPhone versus Android, and can result in spirited discussions of the relative merits of one choice over the others. It’s generally well-intentioned, even if it gets a bit personal sometimes.

Perhaps no choice is more personal in hacker circles than which Linux distribution to use. There are tons to choose from, each with their various features and particular pros and cons. Ubuntu has become a very popular choice for Linux aficionados, attracting more than a third of the market. Canonical is the company behind the Debian-based distro, providing editions that run on the desktop, on servers, and on a variety of IoT devices, as well as support and services for large-scale users.

To fill us in on what’s new in the world of Ubuntu, Canonical product manager Rhys Davies and developer advocate Alan Pope will stop by the Hack Chat this week. They’ll be ready to answer all your questions about the interesting stuff that’s going on with Ubuntu, including the recently announced Ubuntu Appliances, easy to install, low maintenance images for Raspberry Pis and PCs that are built for security and simplicity. We’ll also talk about snaps, desktops, and whatever else crops up.

Our Hack Chats are live community events in the Hackaday.io Hack Chat group messaging. This week we’ll be sitting down on Wednesday, July 22 at 12:00 PM Pacific time. If time zones have you down, we have a handy time zone converter.

Click that speech bubble to the right, and you’ll be taken directly to the Hack Chat group on Hackaday.io. You don’t have to wait until Wednesday; join whenever you want and you can see what the community is talking about.

What’s The Deal With Snap Packages?

Who would have thought that software packaging software would cause such a hubbub? But such is the case with snap. Developed by Canonical as a faster and easier way to get the latest versions of software installed on Ubuntu systems, the software has ended up starting a fiery debate in the larger Linux community. For the more casual user, snap is just a way to get the software they want as quickly as possible. But for users concerned with the ideology of free and open source software, it’s seen as a dangerous step towards the types of proprietary “walled gardens” that may have driven them to Linux in the first place.

Perhaps the most vocal opponent of snap, and certainly the one that’s got the most media attention, is Linux Mint. In a June 1st post on the distribution’s official blog, Mint founder Clement Lefebvre made it very clear that the Ubuntu spin-off does not approve of the new package format and wouldn’t include it on base installs. Further, he announced that Mint 20 would actively block users from installing the snap framework through the package manager. It can still be installed manually, but this move is seen as a way to prevent it from being added to the system without the user’s explicit consent.

The short version of Clement’s complaint is that the snap packager installs from a proprietary Canonical-specific source. If you want to distribute snaps, you have to set up an account with Canonical and host them there. While the underlying software is still open source, the snap packager breaks with the long tradition of the distribution channel for the software also being open and free. This undoubtedly makes installation simple for naive users, and easier to maintain for Canonical maintainers, but it also takes away freedom of choice and diversity of package sources.


Wearable Breadboard

We all know what a short circuit is, but [Clement Zheng] and [Manasvi Lalwani] want to introduce you to the shirt circuit. Their goal is to help children, teachers and parents explore and learn electronics. The vehicle is a shirt with a breadboard-like pattern of conductors attaching snaps. Circuit elements reside in stiff felt boxes with matching snaps. You can see it all in action in the video below.

We imagine you could cut the felt pieces out by hand with the included patterns. However, they used a laser cutter to produce the “breadboard” and the component containers. Conductive thread is a must, of course, as are some other craft supplies like glue and regular thread.


3D Printing Makes Electronics A Snap

For just about as long as there have been electronics, there’s been a search for a way to let students and hobbyists build projects without a lot of effort. A board with Fahnestock clips was probably the first attempt. Today, it is more often the ubiquitous solderless breadboard. In between, we’ve seen copper pipe pieces and rubber bands, components mounted on magnets that hold them and make connections, and other even less probable schemes. A few years back, a new method appeared: Snap Circuits. The name almost says it all. A baseboard has mounting holes for different components. All the components make their electrical connections and mechanical connections through a common snap like you might find on clothing. Even the wires are little segments with snaps at both ends.

One problem with any system like this is how to integrate custom components. Of course, with the snaps, that’s not very hard, but [Chuck Hellebuyck] got creative with TinkerCad and worked out how to 3D print custom modules for the system. You can see his video, below.
