javascript

131 Articles

This Week In Security: OpenWrt, ZOOM, And Systemd

April 3, 2020 by 21 Comments

OpenWrt announced a problem in opkg, their super-lightweight package manager. OpenWrt’s target hardware, routers, make for an interesting security challenge. A Linux install that fits in just 4 MB of flash memory is a minor miracle in itself, and many compromises had to be made. In this case, we’re interested in the lack of SSL: a 4 MB install just can’t include SSL support. As a result, the package manager can’t rely on HTTPS for secure downloads. Instead, opkg first downloads a pair of files: A list of packages, which contains a SHA256 of each package, and then a second file containing an Ed25519 signature. When an individual package is installed, the SHA256 hash of the downloaded package can be compared with the hash provided in the list of packages.


It’s a valid approach, but there was a bug, discovered by [Guido Vranken], in how opkg reads the hash values from the package list. The leading space triggers some questionable pointer arithmetic, and as a result, opkg believes the SHA256 hash is simply blank. Rather than fail the install, the hash verification is simply skipped. The result? Opkg is vulnerable to a rather simple man in the middle attack.

OpenWrt doesn’t do any automatic installs or automatic updates, so this vulnerability will likely not be widely abused, but it could be used for a targeted attack. An attacker would need to be in a position to MitM the router’s internet connection while software was being installed. Regardless, make sure you’re running the latest OpenWrt release to mitigate this issue. Via Ars Technica.

Wireguard V1.0

With the Linux Kernel version 5.6 being finally released, Wireguard has finally been christened as a stable release. An interesting aside, Google has enabled Wireguard in their Generic Kernel Image (GKI), which may signal more official support for Wireguard VPNs in Android. I’ve also heard reports that one of the larger Android ROM development communities is looking into better system-level Wireguard support as well.

Javascript in Disguise

Javascript makes the web work — and has been a constant thorn in the side of good security. For just an example, remember Samy, the worm that took over Myspace in ’05. That cross-site scripting (XSS) attack used a series of techniques to embed Javascript code in a user’s profile. Whenever that profile page was viewed, the embedded JS code would run, and then replicate itself on the page of whoever had the misfortune of falling into the trap.

Today we have much better protections against XSS attacks, and something like that could never happen again, right? Here’s the thing, for every mitigation like Content-Security-Policy, there is a guy like [theMiddle] who’s coming up with new ways to break it. In this case, he realized that a less-than-perfect CSP could be defeated by encoding Javascript inside a .png, and decoding it to deliver the payload.

Systemd

Ah, systemd. Nothing seems to bring passionate opinions out of the woodwork like a story about it. In this case, it’s a vulnerability found by [Tavis Ormandy] from Google Project Zero. The bug is a race condition, where a cached data structure can be called after it’s already been freed. It’s interesting, because this vulnerability is accessible using DBus, and could potentially be used to get root level access. It was fixed with systemd v220.

Mac Firmware

For those of you running MacOS on Apple hardware, you might want to check your firmware version. Not because there’s a particularly nasty vulnerability in there, but because firmware updates fail silently during OS updates. What’s worse, Apple isn’t publishing release notes, or even acknowledging the most recent firmware version. A crowd-sourced list of the latest firmware versions is available, and you can try to convince your machine to try again, and hope the firmware update works this time.

Anti-Rubber-Ducky

Google recently announced a new security tool, USB Keystroke Injection Protection. I assume the nickname, UKIP, isn’t an intentional reference to British politics. Regardless, this project is intended to help protect against the infamous USB Rubber Ducky attack, by trying to differentiate a real user’s typing cadence, as opposed to a malicious device that types implausibly quickly.

While the project is interesting, there are already examples of how to defeat it that amount to simply running the scripts with slight pauses between keystrokes. Time will tell if UKIP turns into a useful mitigation tool. (Get it?)

SMBGhost

Remember SMBGhost, the new wormable SMB flaw? Well, there is already a detailed explanation and PoC. This particular PoC is a local-only privilege escalation, but a remote code execution attack is like inevitable, so go make sure you’re patched!

What Does GitHub’s Npm Acquisition Mean For Developers?

March 26, 2020 by 33 Comments

Microsoft’s open-source shopping spree has claimed another victim: npm. [Nat Friedman], CEO of GitHub (owned by Microsoft), announced the move recently on the GitHub blog.

So what motivated the acquisition, and what changes are we likely to see as a result of it? There are some obvious upsides and integrations, but these will be accompanied by the usual dose of skepticism from the open-source community. The company history and working culture of npm has also had its moments in the news, which may well have contributed to the current situation. This post aims to explore some of the rationale behind the acquisition, and what it’s likely to mean for developers in the future.

Continue reading “What Does GitHub’s Npm Acquisition Mean For Developers?”

RasterCarve Converts Images To CNC

January 19, 2020 by 11 Comments

CNC machines are an essential part of the hacker’s toolset. These computer-controlled cutters of wood, metal and other materials can translate a design into a prototype in short order, making the process of iterating a project much easier. However, the software to create these designs can be expensive, so [Franklin Wei] decided to write his own. In particular, he decided to write his own program to engrave images, converting a photo into a toolpath that can be cut. The result is RasterCarve, a web app that converts an image into a GCode that can be fed into a CNC machine.

Continue reading “RasterCarve Converts Images To CNC”

New Part Day: Arduino Goes Pro With The Portenta H7

January 15, 2020 by 92 Comments

The Consumer Electronics Show in Las Vegas is traditionally where the big names in tech show off their upcoming products, and the 2020 show was no different. There were new smartphones, TVs, and home automation devices from all the usual suspects. Even a few electric vehicles snuck in there. But mixed in among flashy presentations from the electronics giants was a considerably more restrained announcement from a company near and dear to the readers of Hackaday: Arduino is going pro.

While Arduino has been focused on the DIY and educational market since their inception, the newly unveiled Portenta H7 is designed for professional users who want to rapidly develop robust hardware suitable for industrial applications. With built-in wireless hardware and the ability to run Python and JavaScript out of the box, the powerful dual-core board comes with a similarly professional price tag; currently for preorder at $99 USD a pop, the Portenta is priced well outside of the company’s traditional DIY and educational markets. With increased competition from other low-cost microcontrollers, it seems that Arduino is looking to expand out of its comfort zone and find new revenue streams.

Continue reading “New Part Day: Arduino Goes Pro With The Portenta H7”

WebAssembly: What Is It And Why Should You Care?

April 4, 2019 by 45 Comments

If you keep up with the field of web development, you may have heard of WebAssembly. A relatively new kid on the block, it was announced in 2015, and managed to garner standardised support from all major browsers by 2017 – an impressive feat. However, it’s only more recently that the developer community has started to catch up with adoption and support.

So, what is it? What use case is so compelling that causes such quick browser adoption? This post aims to explain the need for WebAssembly, a conceptual overview of the technical side, as well as a small hands-on example for context.

Continue reading “WebAssembly: What Is It And Why Should You Care?”

Death Generator Makes Game Over More Personal

February 21, 2019 by 11 Comments

“Game over”. In this day and age of complex games with storylines and career modes that last for tens of hours, it’s not really a concept that has a lot of relevance. However, in the golden age of the arcade, those two words made it very clear that your time was up and it was time to find another quarter. Home games of this era were similarly blunt, and if you couldn’t rise to the challenge, you’d be seeing the death screen more often than not.

[foone] was a fan of Sierra’s classic adventure games, and decided to create a tool to generate custom versions of these Game Over/YOU DIED screens. Aptly named Death Generator, the tool is programmed in JavaScript and quickly expanded to cover a wide realm of classic titles. There are King’s Quest IV and V, Gold Rush!, and even modern titles like Cave Story+ and Undertale. There’s plenty of fun to be had typing in completely ridiculous quotes for various screens; our personal favourite is Skate or Die, though Police Quest comes a close second.

[foone] continues to maintain the site, and adds new games from time to time. Animated GIF support has been a recent addition for screens like Metroid and Bad Dudes, and there are even character choices for Super Mario Bros. The code is available on Github if you feel the need to tinker yourself.

Arduino Enters The Cloud

February 7, 2019 by 61 Comments

Love it or hate it, for many people embedded systems means Arduino. Now Arduino is leveraging its more powerful MKR boards and introducing a cloud service, the Arduino IoT Cloud. The goal is to make it simple for Arduino programs to record data and control actions from the cloud.

The program is in beta and features a variety of both human and machine interaction styles. At the simple end, you can assemble a dashboard of controls and have the IoT Cloud generate your code and download it to your Arduino itself with no user programming required. More advanced users can use HTTP REST, MQTT, Javascript, Websockets, or a suite of command line tools.

Continue reading “Arduino Enters The Cloud”