We’ll start with more Black Hat/DEFCON news. [Meh Chang] and [Orange Tsai] from Devcore took a look at Fortinet and Pulse Secure devices, and found multiple vulnerabilities. (PDF Slides) They are publishing summaries for that research, and the summary of the Fortinet research is now available.
It’s… not great. There are multiple pre-authentication vulnerabilities, as well as what appears to be an intentional backdoor.
CVE-2018-13379 abuses an snprintf call made when requesting a different language for the device login page. Snprintf is an alternative to sprintf, but intended to prevent buffer overflows by including the maximum string length to write to the target buffer, which sounds like a good idea but can lead to malicious truncation.
The code in question looks like snprintf(s, 0x40, "/migadmin/lang/%s.json", lang);.
When loading the login page, a request is made for a language file, and the file is sent to the user. At first look, it seems that this would indeed limit the file returned to a .json file from the specified folder. Unfortunately, there is no further input validation on the request, so a language of ../../arbitrary is considered perfectly legitimate, escaping the intended folder. This would leak arbitrary json files, but since snprintf doesn’t fail if the output exceeds the specified length (it silently truncates), sending a request for a lang that’s long enough results in the “.json” extension not being appended to the path either.
A metasploit module has been written to test for this vulnerability, and it requests a lang of /../../../..//////////dev/cmdb/sslvpn_websession. That’s just long enough to force the json extension to fall off the end of the string, and Unix convention is to ignore the extra slashes in a path. Just like that, the Fortigate is serving up any file on its filesystem just for asking nicely.
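To make the truncation mechanics concrete, here is an added example (not Fortinet’s code, and not from the Devcore write-up) that reproduces the pattern quoted above with the same 64-byte buffer, beside a hardened builder. The function names, the 16-character limit and the whitelist of allowed language characters are assumptions chosen for the example; the key points are that the hardened version rejects any name containing path separators and treats a return value from snprintf that is greater than or equal to the buffer size as an error rather than as a shorter path.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define LANG_PATH_BUF 0x40   /* same 64-byte buffer size as the call quoted above */

/* Vulnerable pattern as described in the write-up: the language name is used
 * unvalidated and the return value of snprintf() is ignored, so a long name
 * silently pushes the ".json" suffix past the end of the buffer. */
int build_lang_path_unsafe(char *s, size_t size, const char *lang)
{
    snprintf(s, size, "/migadmin/lang/%s.json", lang);
    return 0;
}

/* Hardened version (hypothetical, added here): accept only a short identifier
 * made of letters, digits, '-' and '_', and treat any truncation as an error. */
int build_lang_path_safe(char *s, size_t size, const char *lang)
{
    size_t i, n = strlen(lang);
    int written;

    if (n == 0 || n > 16)            /* no real language tag needs more */
        return -1;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)lang[i];
        if (!isalnum(c) && c != '-' && c != '_')
            return -1;               /* rejects '.', '/', and anything odd */
    }
    written = snprintf(s, size, "/migadmin/lang/%s.json", lang);
    if (written < 0 || (size_t)written >= size) {
        s[0] = '\0';                 /* would have been truncated: refuse */
        return -1;
    }
    return 0;
}

/* Returns 1 when a constructed 50-character language name makes the unsafe
 * builder fill the buffer and drop the ".json" suffix, 0 otherwise. */
int unsafe_drops_extension(void)
{
    char lang[51];
    char path[LANG_PATH_BUF];

    memset(lang, 'a', 50);           /* constructed input, not a real request */
    lang[50] = '\0';
    build_lang_path_unsafe(path, sizeof path, lang);
    return strstr(path, ".json") == NULL && strlen(path) == LANG_PATH_BUF - 1;
}

/* Returns 1 when the hardened builder rejects the given language name. */
int safe_rejects(const char *lang)
{
    char path[LANG_PATH_BUF];
    return build_lang_path_safe(path, sizeof path, lang) != 0;
}

/* Returns 1 when the hardened builder accepts lang and produces expected. */
int safe_path_matches(const char *lang, const char *expected)
{
    char path[LANG_PATH_BUF];
    if (build_lang_path_safe(path, sizeof path, lang) != 0)
        return 0;
    return strcmp(path, expected) == 0;
}

int main(void)
{
    char path[LANG_PATH_BUF];
    char lang[51];

    memset(lang, 'a', 50);
    lang[50] = '\0';
    build_lang_path_unsafe(path, sizeof path, lang);
    printf("unsafe, long name : %s\n", path);   /* no .json at the end */
    printf("safe, \"en\"        : %s\n",
           build_lang_path_safe(path, sizeof path, "en") == 0 ? path : "(rejected)");
    printf("safe, traversal   : %s\n",
           build_lang_path_safe(path, sizeof path, "../../x") == 0 ? path : "(rejected)");
    return 0;
}
```

The check on the return value is the part most often forgotten: snprintf reports the length the full string would have had, so anything at or above the buffer size means the output is not the path you think it is.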
More worrying than the snprintf bug is the magic value that appears to be an intentional backdoor. A simple 14 character string sent as an http query string bypasses authentication and allows changing any user’s password — without any authentication. This story is still young, it’s possible this was intended to have a benign purpose. If it’s an honest mistake, it’s a sign of incompetence. If it’s an intentional backdoor, it’s time to retire any and all Fortinet equipment you have.
Pulse Secure VPNs have a similar pre-auth arbitrary file read vulnerability. Once the full report is released, we’ll cover that as well.
Exploitation in the Wild
But wait, there’s more. Hide your kids, hide your wife. Webmin, Pulse Secure, and Fortigate are already being exploited actively in the wild, according to ZDNet. Based on reports from Bad Packets, the Webmin backdoor was being targeted in scans within a day of announcement, and exploited within three days of the announcement. There is already a botnet spreading via this backdoor. It’s estimated that there are around 29,000 vulnerable Internet-facing servers.
Both Pulse Secure and Fortinet’s Fortigate VPN appliances are also being actively targeted. Even though the vulnerabilities were reported first to the vendors, and patched well in advance of the public disclosure, thousands of vulnerable devices remain. Apparently routers and other network appliance hardware are fire-and-forget solutions, and often go without important security updates.
VLC is Actually Vulnerable This Time
The VLC media player has released a new update, fixing 11 CVEs. These CVEs are all cases of mishandling malformed media files, and are only exploitable by opening a malicious file with VLC. Be sure to go update VLC if you have it installed. Even though no arbitrary code execution has been demonstrated for any of these issues, it’s likely that it will eventually happen.
Gray Market IP Addresses
With the exhaustion of IPv4 addresses, many have begun using alternative methods to acquire address space, including the criminal element. Krebs on Security details his investigation into one such story: Residential Networking Solutions LLC (Resnet). It all started with an uptick in fraudulent transactions originating from Resnet residential IP addresses. Was this a real company, actually providing internet connectivity, or a criminal enterprise?
The wonderful folks at Paleotronic (previously) have rounded up scans of articles from 1980s-era computer magazines that advised new computer users on navigating the burgeoning world of dial-up BBSes.
Dial-ups were my introduction to networked computing. We had an acoustic coupler and teletype connected to a PDP at the University of Toronto in 1977 when I was 6, but it wasn't until we got an Apple ][+ and a Hayes modem card in 1979 that the world opened up for me. That system didn't have enough expansion slots to accommodate all the cards we had for it, so installing the modem meant swapping out the 80 column card, which meant that we lost access to lower-case characters when we were online. My modem days started out in ALL CAPS.
Within a couple years, my friends and I were inveigling our parents to drive us to one another's houses with our computers and modems for all-night dial-up runs through Toronto's BBSes. By the late 1980s, there were multiple local systems that bridged into Fidonet and then (through Tim Pozar and Tom Jennings's gateway) into Usenet. Then I started to dial The WELL in San Francisco after reading about it in Reality Hackers (the precursor to Mondo 2000), and rang up some gigantic long-distance bills, until the University of Toronto started offering paid dialup shells to its General Purpose Unix system, and telnet became an option. Right from the start, dial-up systems were a gateway to physical meetups: SCA nights making chainmail; hormonal teen mass get-togethers for the Free Access Network chat system; rollicking dinners with the denizens of the Pyroto Mountains; face-to-face meetups for Magic and TVOnline.
Paleotronic's roundup really brought all that back for me, especially the Data Communications' feature on the allure of becoming a sysop -- the most fervent of my unrealized dreams of that era.
High resolution digital cameras are built into half of the devices we own (whether we want them or not), so why is it still so hard to find good pictures of all the incredible projects our readers are working on? In the recently concluded Beautiful Hardware Contest, we challenged you to take your project photography to the next level. Rather than being an afterthought, this time the pictures would take center stage. Ranging from creative images of personal projects to new ways of looking at existing pieces of hardware, the 100+ entries we received for this contest proved that there’s more beauty in a hacker’s parts bin than most of them probably realize.
As always, it was a struggle to narrow down all the fantastic entries to just a handful of winners. But without further ado, let’s take a look at the photos that we think truly blurred the line between workbench and work of art:
CRM200 MEMS Gyroscope
If you ever needed a reminder that beauty is all around you, look no further than the work Evilmonkeyz has done with these CRM200 MEMS gyroscopes. With the lids removed, the intricate internal features of these tiny gadgets become visible under the microscope. Most people have a MEMS gyroscope or two in their pocket courtesy of the modern smartphone, but even counting the technologically enthralled readers of Hackaday, we wager the vast majority have never seen the three dimensional nature of the device when viewed from an angle like this.
Evilmonkeyz says it only took a few minutes of manual labor with 400 grit sandpaper to ablate the encapsulation on these chips and uncover the incredible world underneath; something to keep in mind if you’re considering your own microscopic exploration. We also appreciate the fact that he gave the viewer some scale by stacking four of the CRM200s on a 100 yen coin in honor of their Japanese heritage.
City of Siliconia
If Alpha 1 Zero hadn’t included the “candid” shot of this incredible science-fiction skyline that showed the Arduino and tangle of wires that power it, we would have had a hard time believing it wasn’t computer-generated. Reminiscent of the misty, neon-drenched, cyberpunk worlds of Blade Runner or Altered Carbon, this electronic metropolis was created entirely from custom PCBs and addressable RGB LEDs.
City of Siliconia doesn’t just look the part, Alpha 1 Zero says it’s meant to be an exploration of futuristic city design that incorporates efficient vertical integration of transportation, power, and communication systems.
There’s an undeniable beauty in simplicity, and that principle is on ample display with Pixel Republic by ACROBOTIC Industries. On the surface, it seems little more than an admittedly well-framed photograph of a column of RGB LEDs doing what they’re designed to do. But upon closer examination, you realize that the photographer has captured the individual colored emitters glowing, clearly illustrating how one little device is able to generate so many colors.
Still, the name Pixel Republic hints at a deeper meaning. Is this the national flag of some hitherto unknown digital domain? Or perhaps its display of rainbow colors is meant to signify the creative diversity of the hacker culture? Pondering the true meaning, if any, remains an exercise for the reader.
There were so many fantastic entries into the Beautiful Hardware Contest that we couldn’t announce these winners without also calling out a few Honorable Mentions:
Back in the 80s, the inventor Cy Enfield created this fascinating device -- a six-button "Microwriter" where you'd chord combos of buttons to produce the entire alphabet, letting you jot down notes on the go.
“It occurred to me that ... it would be possible to combine a set of signals from separate keys, and therefore you could reduce the total number of keys. But, of course, this involved the learning of chords… difficult to memorize… But how do you make these chords memorable? And, one day, staring at a sheet of paper on which I was drawing a set of five keys in sort of the arch formed by the finger ends, it occurred to me, ah! if I press the thumb key, and the index finger key, anybody can do this just listening now, press your thumb key and your index finger down and you’ll see that a vertical line joins those two finger ends, a short vertical line. There is an equivalence between that short vertical line and one letter of the alphabet. It’s the letter “I.”
There are chording keyboards these days, most notably the Twiddler, and stenography tech. But I don't know of any full-on personal word processor that works this way any more; in the world of portable devices, we're all mostly typing on glass these days, or dictating to it.
It'd be an interesting project to recreate the Microwriter using a modern inexpensive microprocessor like the Arduino, and a one-line display.
Today, illegitimate, popular-vote-losing, manifestly unfit U.S. President Donald Trump did something extraordinarily stupid on Twitter, even for him.
Looks like the president may have just tweeted an image from a classified satellite or drone that shows the aftermath of an accident at an Iranian space facility.
Yeah, no big deal.
Security experts' jaws were on the floor Friday afternoon as the Trump tweet circulated.
Vladimir Putin's having fun with all of this, one presumes.
Here's the tweet.
"The United States of America was not involved in the catastrophic accident during final launch preparations for the Safir [Space Launch Vehicle] Launch at Semnan Launch Site One in Iran," the president's tweet with the image on Friday reads.
"I wish Iran best wishes and good luck in determining what happened at Site One."
NPR broke the news of the launch failure on Thursday, using images from commercial satellites that flew over Iran's Imam Khomeini Space Center. Those images showed smoke billowing from the pad. Iran has since acknowledged an accident occurred at the site.
Some of the highest-resolution imagery available commercially comes from the company Maxar, whose WorldView-2 satellite sports 46-centimeter resolution.
But the image shown in the president's tweet appears to be of far better quality, says Ankit Panda, an adjunct senior fellow at the Federation of American Scientists, who specializes in analyzing satellite imagery. "The resolution is amazingly high," says Panda. "I would think it's probably below well below 20 centimeters, which is much higher than anything I've ever seen."
Panda says that the tweet discloses "some pretty amazing capabilities that the public simply wasn't privy to before this."
“The Office of the Director of National Intelligence referred questions about the image to the White House, which declined to comment.”
It’s time once again for another installment in “Milspec Teardown”, where we get to see what Uncle Sam spends all those defense dollars on. Battle hardened pieces of kit are always a fascinating look at what can be accomplished if money is truly no object. When engineers are given a list of requirements and effectively a blank check, you know the results are going to be worth taking a closer look.
Today, we have quite a treat indeed. Not only is this ID-2124 Howitzer Deflection-Elevation Data Display unit relatively modern (this particular specimen appears to have been pulled from service in June of 1989), but unlike other military devices we’ve looked at in the past, there’s actually a fair bit of information about it available to us lowly civilians. In a first for this ongoing series of themed teardowns, we’ll be able to compare the genuine article with the extensive documentation afforded by the ever fastidious United States Armed Forces.
For example, rather than speculate wildly as to the purpose of said device, we can read the description directly from Field Manual 6-50 “TACTICS, TECHNIQUES, AND PROCEDURES FOR THE FIELD ARTILLERY CANNON BATTERY”:
The gun assembly provides instant identification of required deflection to the gunner or elevation to the assistant gunner. The display window shows quadrant elevation or deflection information. The tenths digit shows on the QE display only when the special instruction of GUNNER’S QUADRANT is received.
From this description we can surmise that the ID-2124 is used to display critical data to be used during the aiming and firing of the weapon. Further, the small size of the device and the use of binding posts seem to indicate that it would be used remotely or temporarily. Perhaps so the crew can put some distance between themselves and the artillery piece they’re controlling.
Now that we have an idea of what the ID-2124 is and how it would be used, let’s take a closer look at what’s going on inside that olive drab aluminum enclosure.
A Veritable Fortress
All of the military hardware we’ve looked at over the course of this series has been built to meet the most stringent quality and reliability standards. Heavyweight enclosures and aerospace rated components are a given. But even still, the ID-2124 is on another level. Designed for external use in what’s likely to be an inhospitable environment, the enclosure is easily the most robust of any piece of equipment that I’ve ever disassembled.
So robust, in fact, that it actually took me quite some time to open it. After removing the six screws around the perimeter, I found the front panel remained firmly in place. As it turns out, it was also held in place with a glued gasket. This made the device impermeable to the elements, and it also did a fantastic job of keeping me out. With no way to get leverage on the recessed panel, I wasn’t sure how to proceed. I didn’t want to use heat or do anything else that might mar the surface, so this device actually sat on a shelf for awhile until I came up with a solution.
In the end, I tapped the holes in the front panel so that it would grip on screws that are slightly larger than the original ones. Threaded into the 8 mm thick panel, these screws gave me something to put some leverage on. With considerable force, I eventually broke the seal that was holding the two pieces together. While I don’t like to make any permanent alterations to the military hardware out of respect for the history involved, once the original screws are back in place you can’t tell the holes have been enlarged.
Inner Beauty Revealed
When I finally cracked the seal on the ID-2124 case and lifted the cover, I’ll admit an audible gasp might have snuck out. The board is absolutely gorgeous, and between the conformal coating and the fact it’s spent the last 30-odd years in a hermetically sealed box, it’s in pristine condition. It was literally like opening up an electronics time capsule. Although from when might be debatable; while the date codes on various components point to it being manufactured around 1987, the overall design looks closer to something from the late 1970s.
I was somewhat surprised to find that the single PCB was all that’s inside the ID-2124; the majority of the enclosure is empty space. It’s possible that an earlier version of this device required more electronics to operate, while this later version managed to pack everything into one board. Though I couldn’t find any obvious evidence of that, such as unused mounting holes in the case.
With the PCB removed, we can see the only components below it are the controls and wiring lugs, which are connected via a flexible flat cable terminated with a delightfully chunky plug. There’s also a handwritten notation that lists the Federal Supply Code for Manufacturer (FSCM), the part number for the case itself, and the current design revision.
Electronics from Another Age
The PCB of the ID-2124 is unquestionably beautiful, but also somewhat alien to the modern eye. It’s not just the nearly translucent substrate, or the unapologetic use of the dreaded square trace. Even some of the components are strange. We can identify the resistors and crystal well enough, they just look like larger versions of what we’re used to. But there are some genuine oddities here as well.
Chief among them is, unquestionably, the huge device in the middle labeled B4010089. It’s clearly a microcontroller of some type (to use the modern parlance), but I’ve been unable to find any information on it. In the diagrams I’ve found, the device is simply referred to as “LOGIC AND DISPLAY”, which seems to indicate there’s a display driver living inside that sealed metal package as well. Also note that it and the two resistors on either side have been attached to the metal bar with what appears to be a thermally conductive material. It’s probably safe to assume that this component gets rather warm during operation.
The display itself is another relic, though at least this time we can get a bit more information on it. The technical manual refers to this as the “OPTO DISPLAY #B4010133”, and a bit of searching online uncovers Plessey as the manufacturer. Given the somewhat unusual nature of the display, it would seem the 16 pin device was custom made for this application. Or at the very least, for similar military hardware.
Flipping the board over, it’s interesting to note how few pins appear to be required to drive the display. Sniffing the data passing between it and the controller chip with a logic analyzer could yield some useful information, but the aforementioned conformal coating on the board does make that sort of thing difficult. As it is, I couldn’t even get my multimeter probes through the coating to try and follow the continuity of traces.
Just Read the Instructions
As mentioned previously, there’s actually a decent amount of information about the ID-2124 to be found in unclassified documents floating around online. Field Manual 6-50 mentions it briefly in regards to setting up the artillery piece for use, and even provides a sketch of how two of these devices connect up to the weapon’s primary “Gun Display Unit”, or GDU.
It was nice to have some context for how the ID-2124 would have been used, but unfortunately it didn’t really delve into what kind of data the unit is actually expecting to receive. Though admittedly, given the intended audience for the document, it would have been pretty surprising if it actually had that level of technical detail.
For our purposes, far more interesting information is to be found in Technical Manual 11-7440-283-40P, “GENERAL SUPPORT MAINTENANCE REPAIR PARTS AND SPECIAL TOOLS LIST FOR COMPUTER SYSTEM, GUN DIRECTION AN/GYK-29(V)”. In this document, we get a much closer look at the ID-2124, including detailed diagrams of the PCB and its components.
Unfortunately, even this document doesn’t provide any circuit schematics, and still no protocol information. Clearly the ID-2124 is a digital device, and the fact it’s connected to the GDU through just three wires helps narrow things down a bit in terms of communication methods. But without a Howitzer GDU to sniff the data from, there’s no way to know what kind of signals it’s actually waiting for.
While the ID-2124 Howitzer Deflection-Elevation Data Display is certainly built tough, I’ll admit to being surprised by how straightforward the internals really were. Especially when compared to the monstrous complexity of something like the AH-64A Apache Data Entry Keyboard, which packed an Intel 8085 computer and regulated power supply into a box not much larger than this. Here there’s just a display, a control module, and a handful of passive components.
On the other hand, that might actually bode well for potential reuse of this device. Generally, the military hardware we’ve looked at has had no practical application outside of being an interesting conversation piece. But in this case, reusing the ID-2124 as a general purpose numerical display is just a matter of figuring out how to talk to it. The answer may yet be found in some arcane military technical manual, or it might even be locked away in the mind of one of our illustrious readers.