Mysterious Files PH

Friday, January 17, 2025

New Bambu Lab Firmware Update Adds Mandatory Authorization Control System

January 17, 2025

As per a recent Bambu Lab blog post, its FDM printers in the X1 series will soon receive a firmware update that adds mandatory authentication for certain operations, starting with the firmware update on January 23rd. These operations include performing firmware upgrades, initiating a print job (LAN or cloud), remote video access and adjusting parameters on the printer. Using the printer directly and starting prints from an SD card are not affected.

As reasoning for this new feature Bambu Lab points to recent exploits that gave strangers access to people’s printers, though cheekily linking to an article on an Anycubic printer exploit. While admittedly a concern, this mostly affects internet-exposed printers, such as those that are tied into a ‘cloud’ account. Even so, LAN-based printing also falls under this new mandatory authentication system, with Bambu Lab offering a new tool called Bambu Connect for those who insist on using non-Bambu Lab branded software like OrcaSlicer. This allows for exported G-code files to be sent to a (properly authenticated) Bambu Lab printer.

For those who do not wish to use this feature, not upgrading the firmware is currently the only recourse. Although this firmware update is only for X1-series printers, Bambu Lab promised that it’ll arrive for their other printers too in due time. While Bambu Lab printer owners consider installing the alternative X1 Plus firmware, the peanut gallery can discuss the potential security issues (or lack thereof) of an open Fluidd or similar UI on their LAN-connected, Klipper-based FDM printers.

Thanks to [mip] for the tip.


Hackaday Podcast Episode 304: Glitching the RP2350, Sim Sim Sim, and a Scrunchie Clock

January 17, 2025

It’s podcast time again, and this week Dan sat down with Elliot for a look back at all the cool hacks we’ve written about. We started off talking about Hackaday Europe, which is coming up in March — seems unlikely that it’s just around the corner, but there it is. There’s also good news: the Hack Chat is back, and we started things off with a bang as Eben Upton stopped by to talk all things Pi. Separately, we talked about fault injection attacks, including how to find the hidden cup of 0xC0FFEE in an RP2350.

We saw a very cool piece of LED jewelry that does a fluid simulation, a direct conversion radio that’s all laid out in front of you, and the scrunchiest mechanical digital clock you’ll ever see. We saw blinkenlights for blinkenlights’ sake, all the ways to put threads in your prints, and how to ditch the coax and wire up your antennas with Cat 6 cable. Plus, it’s an Al Williams twofer in the Can’t-Miss Articles, with a look back at life before GPS and how you can tune into digital ham radio, no radio required.

Download the zero-calorie MP3.

Episode 304 Show Notes:

What’s that Sound?

  • Congratulations to [Egon] for getting the Ross ice shelf, and not some sci-fi computer at all.



You Can Build Your Own Hubless Roller Blades and Ride Off Road

January 17, 2025

Regular roller blades go way back, relying on a number of wheels mounted in a line on ordinary bearings. [The Q] came up with an altogether more interesting design by handcrafting some tall skates with two hubless wheels apiece.

The build eliminates the hard work of creating the shoe part of the skates. Instead, an existing pair of roller blades was used, and modified to run the alternative hubless setup. The hubless wheels themselves were built by essentially wrapping a few large ball bearings with foam tires from an existing scooter wheel. The ball bearings have a large internal diameter, which creates the hubless look. They’re then mounted to a replacement steel frame fitted to the original skates.

Are there any benefits to hubless wheels in this application? Probably not, other than aesthetics. These skates are far heavier than before, and with poorer rolling resistance. However, we will note that the softer foam tires and large rolling diameter would probably offer some benefits on rougher surfaces. They even appear to work on hard-packed dirt, which is pretty impressive.

In any case, it’s always neat to see oddball designs that challenge our perception of what can and can’t be achieved on a mechanical level. These things don’t always have to make sense from an efficiency standpoint to be fun.

 


This Week in Security: Rsync, SSO, and Pentesting Mushrooms

January 17, 2025

Up first, go check your machines for the rsync version, and your servers for an exposed rsync instance. While there are some security fixes for clients in release 3.4.0, the buffer overflow in the server-side rsync daemon is the definite standout. The disclosure text includes this bit of nightmare fuel: “an attacker only requires anonymous read access to a rsync server, such as a public mirror, to execute arbitrary code on the machine the server is running on.”

A naive search on Shodan shows a whopping 664,955 results for rsync servers on the Internet. Red Hat’s analysis gives us a bit more information. The checksum length is specified by the remote client, and an invalid length isn’t properly rejected by the server. The effect is that an attacker can write up to 48 bytes into the heap beyond the normal checksum buffer space. The particularly dangerous case is also the default: anonymous access for file retrieval. Red Hat has not identified a mitigation beyond blocking access.

If you run servers or forward ports, it’s time to look at ports 873 and 8873 for anything listening. And since that’s not the only problem fixed, it’s really just time to update to rsync 3.4.0 everywhere you can. While there aren’t any reports of this being exploited in the wild, it seems like attempts are inevitable. As rsync is sometimes used in embedded systems and shipped as part of appliances, this particular bug threatens to have quite the long tail.
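To make the Red Hat description concrete, here is an added example (not rsync’s own code, and a model rather than a patch) of the pattern in play: a checksum length chosen by the remote client is checked only against the largest digest the daemon could ever support, while the buffer it fills is sized for the digest actually negotiated. The names, the 16-byte (MD5) in-use digest and the 64-byte maximum are assumptions picked to reproduce the 48-byte overrun figure from the text; the slot is modelled as a single arena so the demonstration stays inside memory it owns.

```c
/* Added example (not rsync's code): a model of the client-supplied checksum
 * length check that release 3.4.0 tightened. Names and sizes are assumptions:
 * the digest in use is MD5 (16 bytes) while the largest digest the code
 * supports is 64 bytes, so accepting any length <= 64 leaves 48 bytes of
 * slack that a remote client can write into. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_DIGEST_LEN    64   /* largest digest the daemon supports */
#define DIGEST_LEN_IN_USE 16   /* digest negotiated for this session */
#define CANARY            0xA5

/* One checksum slot plus the bytes that follow it, as one arena. */
struct sum_slot {
    uint8_t digest_and_tail[MAX_DIGEST_LEN];
};

static void slot_init(struct sum_slot *s)
{
    memset(s->digest_and_tail, CANARY, sizeof s->digest_and_tail);
}

/* Count bytes written past the negotiated digest length. */
int slot_overrun(const struct sum_slot *s)
{
    int n = 0;
    for (size_t i = DIGEST_LEN_IN_USE; i < sizeof s->digest_and_tail; i++)
        if (s->digest_and_tail[i] != CANARY) n++;
    return n;
}

/* Vulnerable pattern: the length comes from the remote client and is only
 * checked against the largest digest the code could ever produce. */
int read_sum_head_vulnerable(struct sum_slot *s, int32_t s2length,
                             const uint8_t *data)
{
    if (s2length < 0 || s2length > MAX_DIGEST_LEN)
        return -1;
    memcpy(s->digest_and_tail, data, (size_t)s2length);
    return 0;
}

/* Fixed pattern: reject anything longer than the digest negotiated for
 * this session, so the client cannot push the write past the slot. */
int read_sum_head_fixed(struct sum_slot *s, int32_t s2length,
                        const uint8_t *data)
{
    if (s2length < 0 || s2length > DIGEST_LEN_IN_USE)
        return -1;
    memcpy(s->digest_and_tail, data, (size_t)s2length);
    return 0;
}

/* Constructed hostile client: claims a 64-byte checksum. Returns how many
 * bytes the vulnerable parser wrote past the 16-byte digest. */
int demo_overrun_bytes(void)
{
    uint8_t hostile[MAX_DIGEST_LEN];
    struct sum_slot s;
    memset(hostile, 0x41, sizeof hostile);
    slot_init(&s);
    if (read_sum_head_vulnerable(&s, MAX_DIGEST_LEN, hostile) != 0)
        return -1;
    return slot_overrun(&s);
}

/* Same hostile header against the fixed parser: rejected, nothing written. */
int demo_fixed_rejects(void)
{
    uint8_t hostile[MAX_DIGEST_LEN];
    struct sum_slot s;
    memset(hostile, 0x41, sizeof hostile);
    slot_init(&s);
    return read_sum_head_fixed(&s, MAX_DIGEST_LEN, hostile) == -1
        && slot_overrun(&s) == 0;
}

/* A legitimate 16-byte checksum still passes the fixed parser. */
int demo_fixed_accepts(void)
{
    uint8_t good[DIGEST_LEN_IN_USE];
    struct sum_slot s;
    memset(good, 0x42, sizeof good);
    slot_init(&s);
    return read_sum_head_fixed(&s, DIGEST_LEN_IN_USE, good) == 0
        && slot_overrun(&s) == 0;
}
```

The point worth taking from it is that the bound has to be the size of the buffer actually in use for this connection, not the largest value the protocol could ever carry; any check against a compile-time maximum that is wider than the real allocation is a check against nothing.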

My Gmail is My Passport, Verify Me

Here’s an interesting question. What happens to those “Log In With Google” accounts that we all have all over the Internet, when the domain changes hands? And no, we’re not talking about gmail.com. We’re talking about myfailedbusiness.biz, or any custom domain that has been integrated with a Google Workspace. The business fails, the domain reverts back to unclaimed, someone else purchases it, and re-adds the admin@myfailedbusiness.biz Google Workspace account. Surely that doesn’t register as the same account for the purpose of Google SSO, right?

The answer to this question is to look at what actually happens when a user uses Google OAuth to log in. The service sends a message to Google, asking Google to identify the user. Google asks the user for confirmation, and if granted, sends an ID token to the service. That token contains three claims that are interesting for this purpose. The hosted domain (hd) and email claims are straightforward, and importantly make no distinction between the original owner of an address and whoever holds it now. So when the domain and email change hands, so does the identity the service sees in the token.

OAuth does provide a sub (subject) claim, a unique identifier for the user at that issuer. Seems like that solves the issue, right? The problem is that while that identifier is guaranteed to be unique, it is not guaranteed to be consistent, and thus isn’t widely used as a persistent user identifier. Google is aware of the issue, and while they initially closed it as a “Won’t fix” issue, the report did eventually earn [Dylan Ayrey] a nifty $1337 bounty and a promise that Google is working on unspecified fixes. There is no immediate solution, and it’s not entirely clear that this is strictly a Google problem. Other SSO providers may have the same quirk.
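As an added illustration of where the relying party’s side of this goes wrong (this is example code, not Google’s and not from the bounty report), the lookup below matches a decoded ID token against a stored account table two ways: by email alone, which hands the old record to whoever re-registers the domain, and by the (iss, sub) pair, which refuses to silently link an email match that arrives with a different subject. The claim names are the standard OpenID Connect ones; the account table, the subject values and the helper names are assumptions made for the demonstration.

```c
/* Added example, not Google's code or the article's: keying relying-party
 * accounts so a re-registered Workspace domain does not inherit an old one.
 * Claim names (iss, sub, hd, email) are standard OIDC; everything else here
 * is an assumption for the demonstration. */
#include <string.h>

struct id_token_claims {
    const char *iss;    /* issuer, e.g. "https://accounts.google.com" */
    const char *sub;    /* subject: opaque per-user id assigned by the issuer */
    const char *hd;     /* hosted domain of a Workspace account */
    const char *email;  /* human-readable, and reassignable with the domain */
};

struct account {
    const char *iss;
    const char *sub;
    const char *email;  /* stored for display, never as the lookup key */
    const char *owner;
};

/* Weak lookup: matches on email alone, so whoever owns the domain next
 * resolves to the previous owner's record. Returns index or -1. */
int find_by_email(const struct account *t, int n,
                  const struct id_token_claims *c)
{
    for (int i = 0; i < n; i++)
        if (strcmp(t[i].email, c->email) == 0)
            return i;
    return -1;
}

/* Stronger lookup: the (issuer, subject) pair is the identity. An email
 * match carrying a different subject is reported as a conflict rather
 * than linked. Returns index, -1 if unknown, -2 on conflict. */
int find_by_subject(const struct account *t, int n,
                    const struct id_token_claims *c)
{
    int email_hit = -1;
    for (int i = 0; i < n; i++) {
        if (strcmp(t[i].iss, c->iss) == 0 && strcmp(t[i].sub, c->sub) == 0)
            return i;
        if (strcmp(t[i].email, c->email) == 0)
            email_hit = i;
    }
    return email_hit >= 0 ? -2 : -1;
}

/* Constructed scenario: the original admin of myfailedbusiness.biz ... */
static const struct account table[] = {
    { "https://accounts.google.com", "100000000000000000001",
      "admin@myfailedbusiness.biz", "original founder" },
};

/* ... and the same address re-created by whoever bought the lapsed domain. */
static const struct id_token_claims squatter = {
    "https://accounts.google.com", "100000000000000000002",
    "myfailedbusiness.biz", "admin@myfailedbusiness.biz"
};

static const struct id_token_claims founder = {
    "https://accounts.google.com", "100000000000000000001",
    "myfailedbusiness.biz", "admin@myfailedbusiness.biz"
};

int demo_email_lookup(void)    /* 0: squatter wrongly resolves to founder */
{
    return find_by_email(table, 1, &squatter);
}

int demo_subject_lookup(void)  /* -2: same email, different subject, flagged */
{
    return find_by_subject(table, 1, &squatter);
}

int demo_founder_lookup(void)  /* 0: the real subject still matches */
{
    return find_by_subject(table, 1, &founder);
}
```

Keying on the subject is the standard advice, and it is exactly what the text says is not widely done. The article’s caveat still applies: if an issuer’s sub is not stable in practice, the -2 path above needs a real re-verification flow behind it rather than a hard failure, but either way an email match on its own should never be enough to hand over an existing account.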

Fortigate Under Attack

FortiGuard has reported that a vulnerability in FortiOS and FortiProxy is under active exploitation. FortiGuard lists quite a few Indicators of Compromise (IoCs), but as far as the nature of the vulnerability, all we know is that it is an authentication bypass in a Node.js websocket module that allows a remote attacker to gain super-admin privileges. Yoiks.

Arctic Wolf has more details on the exploit campaign, which was first found back in early December, but appears to have begun with widespread scanning for the vulnerability as early as November 16. Attackers moved slowly, with the goal of establishing VPN access into the networks protected behind the vulnerable devices. Arctic Wolf has provided additional IoCs, so time to go hunting.

Ivanti Connect, Too

There’s another security device under attack this week, as watchTowr labs has yet another fun romp through vendor mis-security. This time it’s a two-part series on Ivanti Connect Secure, and the two buffer overflows being used in the wild.

Ivanti has already released a patch, so the researchers ran a diff on the strings output for the patched and unpatched binary of interest. Three new error messages are in the new version, complaining about client data exceeding a size limit. The Diaphora binary diffing tool found some interesting debugging data, like Too late for IFT_PREAUTH_INIT. “IF-T” turns out to be an open VPN transport standard, and that term led to a statement about backwards compatibility in Ivanti code that had terrible “code smell”.

The IF-T protocol includes the optional clientCapabilities field, and Ivanti’s implementation used a fixed length buffer to store it when parsing incoming connections. The parsing code almost gets it right, using a strlen() check on the data, and strncpy() to ensure the right number of bytes are copied. Except both of those best practices are completely useless when the result from strlen() is fed directly into strncpy() as the maximum byte count, without checking whether it exceeds the size of the destination buffer.
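Here is that pattern written out as an added example (not Ivanti’s code; the field size, the arena layout and the function names are assumptions for the demonstration), beside a version that bounds the copy on the destination and rejects over-long input, which is the behaviour the new “exceeds size limit” error messages in the diff suggest. The fixed-size field lives inside a larger arena so the vulnerable copy stays in memory the program owns and the overrun can simply be counted.

```c
/* Added example, not Ivanti's code: strlen() fed into strncpy() as the
 * limit, beside a copy bounded by the destination. CAP_BUF_SIZE and the
 * arena layout are assumptions made so the overrun can be measured safely. */
#include <stddef.h>
#include <string.h>

#define CAP_BUF_SIZE 32     /* assumed size of the clientCapabilities field */
#define ARENA_SIZE   256
#define CANARY       0x5A

struct conn_state {
    char arena[ARENA_SIZE]; /* arena[0..CAP_BUF_SIZE) is the fixed field */
};

static void conn_init(struct conn_state *c)
{
    memset(c->arena, CANARY, sizeof c->arena);
}

/* Vulnerable: strncpy's limit is the attacker's string length, not the
 * destination size, so the "bound" never binds. Returns bytes written. */
size_t parse_caps_vulnerable(struct conn_state *c, const char *caps)
{
    size_t len = strlen(caps);
    if (len >= ARENA_SIZE)
        return 0;           /* only keeps the demo inside its arena */
    strncpy(c->arena, caps, len);
    return len;
}

/* Fixed: the limit is the destination size, and over-long input is
 * rejected rather than truncated. Returns bytes written, or 0 on reject. */
size_t parse_caps_fixed(struct conn_state *c, const char *caps)
{
    size_t len = strlen(caps);
    if (len >= CAP_BUF_SIZE)
        return 0;           /* "client data exceeds size limit" */
    memcpy(c->arena, caps, len);
    c->arena[len] = '\0';
    return len;
}

/* Count bytes clobbered beyond the fixed field. */
int caps_overrun(const struct conn_state *c)
{
    int n = 0;
    for (size_t i = CAP_BUF_SIZE; i < ARENA_SIZE; i++)
        if ((unsigned char)c->arena[i] != CANARY) n++;
    return n;
}

/* Constructed hostile capability string: 100 'A's, well past 32 bytes. */
static void make_hostile(char *buf)
{
    memset(buf, 'A', 100);
    buf[100] = '\0';
}

int demo_vulnerable_overrun(void)   /* 100 - 32 = 68 bytes past the field */
{
    char hostile[101];
    struct conn_state c;
    make_hostile(hostile);
    conn_init(&c);
    parse_caps_vulnerable(&c, hostile);
    return caps_overrun(&c);
}

int demo_fixed_overrun(void)        /* 0: rejected, nothing written */
{
    char hostile[101];
    struct conn_state c;
    make_hostile(hostile);
    conn_init(&c);
    return parse_caps_fixed(&c, hostile) == 0 ? caps_overrun(&c) : -1;
}
```

The rule of thumb it demonstrates: the size argument to any bounded copy must come from the destination, never from the source, and a length check that exists only to feed that argument is not a length check at all.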

The second watchTowr article goes through the steps of turning the vulnerability into a real exploit, but doesn’t actually give away any exploit code. Which hasn’t really mattered, as Proof of Concepts (PoCs) are now available. The takeaway is that Ivanti still has security problems with their code, and this particular exploit is both fully known, and being used in the wild.

Pentesting Mushrooms

The folks at Silent Signal have an off-the-beaten-path write-up for us: How to get hired as a pentester. Or alternatively, the story of hacking Mushroom Inc. See, they built an intentionally vulnerable web application, and invited potential hires to find flaws. This application included cross-site scripting potential, SQL injection, and bad password handling, among other problems. The test was to take 72 hours, and find and document problems.

Part of the test was to present the findings, categorize each vulnerability’s severity, and even make recommendations for how the fictional business could roll out fixes. Along the way, we get insights on how to get your job application dismissed, and what they’re really looking for in a hire. Useful stuff.

Bits and Bytes

Secure Boot continues to be a bit of a problem. Microsoft signed a UEFI application that in turn doesn’t actually do any of the Secure Boot validation checks. This is only an issue after an attacker has admin access to a machine, but it does completely defeat the point of Secure Boot. Microsoft is finally rolling out fixes, revoking the signature on the application.

And if compromising Windows 11 is of interest to you, HN Security has just wrapped a four-part series that covers finding a vulnerability in an old Windows kernel driver, and turning it into a real read/write exploit that bypasses all of Microsoft’s modern security hardening.

Do you have a website, and are you interested in how your API is getting probed? Want to mess with attackers a bit? You might be interested in the new baitroute tool. Put simply, it’s a honeypot for web APIs.

And finally, the minds behind Top10VPN have disclosed another vulnerability, this time in tunneling protocols like IPIP, GRE, and 6in4. The problem is a lack of validation on incoming tunnel packets. This allows for easy traffic injection, and using the tunnel servers as easy proxies. One of the worst cases is where this flaw allows accessing an internal network protected behind a consumer router.
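To show what “validation on incoming tunnel packets” means at the lowest level, here is an added example (not from the Top10VPN research) of the check a tunnel endpoint should make before decapsulating an IPIP, GRE or 6in4 packet arriving over plain IPv4: parse the outer header, confirm the next-protocol field is one of the tunnel types, and confirm the outer source is the configured peer. The peer address, the constructed packets and the helper names are assumptions for the demonstration.

```c
/* Added example, not from the research write-up: the outer-source check an
 * IPv4 tunnel endpoint should apply before decapsulating. Peer address and
 * packet bytes are constructed for the demonstration. */
#include <stddef.h>
#include <stdint.h>

#define PROTO_IPIP  4    /* IP-in-IP */
#define PROTO_IPV6 41    /* 6in4 */
#define PROTO_GRE  47    /* GRE */

/* Read a big-endian 32-bit field. */
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Returns 1 if the outer header is a well-formed IPv4 tunnel packet whose
 * source is the configured peer, else 0. On success *inner points at the
 * encapsulated payload. */
int tunnel_accept(const uint8_t *pkt, size_t len, uint32_t peer,
                  const uint8_t **inner, size_t *inner_len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return 0;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > len)
        return 0;
    uint8_t proto = pkt[9];
    if (proto != PROTO_IPIP && proto != PROTO_IPV6 && proto != PROTO_GRE)
        return 0;
    if (be32(pkt + 12) != peer)       /* the check the flaw is missing */
        return 0;
    *inner = pkt + ihl;
    *inner_len = len - ihl;
    return 1;
}

/* Build a minimal outer IPv4 header plus a 4-byte dummy payload. */
static size_t build_outer(uint8_t *buf, uint8_t proto,
                          uint32_t src, uint32_t dst)
{
    static const uint8_t payload[4] = { 0xde, 0xad, 0xbe, 0xef };
    buf[0] = 0x45; buf[1] = 0;        /* IPv4, IHL 5, no TOS */
    buf[2] = 0;    buf[3] = 24;       /* total length 20 + 4 */
    buf[4] = buf[5] = buf[6] = buf[7] = 0;
    buf[8] = 64;   buf[9] = proto;    /* TTL, protocol */
    buf[10] = buf[11] = 0;            /* checksum: not needed for the demo */
    for (int i = 0; i < 4; i++) {
        buf[12 + i] = (uint8_t)(src >> (24 - 8 * i));
        buf[16 + i] = (uint8_t)(dst >> (24 - 8 * i));
    }
    for (int i = 0; i < 4; i++)
        buf[20 + i] = payload[i];
    return 24;
}

#define PEER   0xC0000201u   /* 192.0.2.1, the configured tunnel peer */
#define SELF   0xC0000202u   /* 192.0.2.2, this endpoint */
#define ATTACK 0xCB007101u   /* 203.0.113.1, an unrelated host */

int demo_from_peer(void)        /* 1: accepted, 4-byte inner payload */
{
    uint8_t pkt[64]; const uint8_t *in; size_t n;
    size_t len = build_outer(pkt, PROTO_IPIP, PEER, SELF);
    return tunnel_accept(pkt, len, PEER, &in, &n) && n == 4;
}

int demo_from_stranger(void)    /* 0: dropped before decapsulation */
{
    uint8_t pkt[64]; const uint8_t *in; size_t n;
    size_t len = build_outer(pkt, PROTO_GRE, ATTACK, SELF);
    return tunnel_accept(pkt, len, PEER, &in, &n);
}
```

One caveat worth stating plainly: the outer source address is not authenticated, so an attacker who can spoof it still gets past this check. It stops the drive-by scanning and proxying cases described above, but for anything that matters the tunnel should be wrapped in something that authenticates the peer, such as IPsec or WireGuard.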


Thursday, January 16, 2025

Repairing a Samsung 24″ LCD Monitor With Funky Color Issues

January 16, 2025

The old cable in place on the Samsung monitor. (Credit: MisterHW)

Dumpster diving is one of those experiences that can net you some pretty cool gear for a reasonable price. Case in point: the 24″ Samsung S24E650XW LCD monitor that [MisterHW] saved from being trashed. Apparently in very good condition with no visible external damage, the unit even powered up without issues. It seemed like a golden find until he got onto the Windows desktop and began to notice faint red shimmering in darker areas and other issues that made it clear why the monitor had been tossed. Of course, the second best part about dumpster diving is seeing whether you can repair such issues.

Prior to disassembly it had been noted that percussive maintenance and bending of the frame changed the symptoms, suggesting that something was a bit loose inside. After taking the back cover and shielded enclosure off, a quick visual inspection of the boards and cables quickly revealed the likely suspect: broken traces on one of the cables.

Apparently somewhere during the assembly step in the factory the cable had been pushed against the PCB’s edge, causing the initial damage. Based on the listed assembly date the monitor had only been in use for a few years before it was tossed, so likely the symptoms would have begun and worsened as one after another of the traces gradually cracked and broke due to vibrations, thermal expansion, etc.

This issue made fixing the monitor very simple, however, assuming a suitable replacement cable could be found. The broken cable is a 30-pin, 1.0 mm pitch FFC, with eBay throwing up a cable with similar specs for a Thomson brand TV. One purchase and anxious wait later, the replacement cable was installed as in the featured image alongside the old cable. Perhaps unsurprisingly it restored the monitor to full working order, demonstrating once again that dumpster diving is totally worth it.


Building a 3D-Printed Strandbeest

January 16, 2025

The Strandbeest is a walking machine, a creation of the celebrated artist Theo Jansen. They can look intimidating in their complexity, but it’s quite possible to build your own. In fact, if you’ve got a 3D-printer, it can be remarkably straightforward, as [Maker 101] demonstrates.

The build relies on an Arduino Uno as the brains. It’s equipped with an L293D motor driver shield to run two DC gear motors which drive the walking assemblies. Power is courtesy of a 3-cell lithium-polymer battery. The chassis, legs, and joints are all 3D-printed, and rather attractively in complementary colors, we might add.

Controlling this little Strandbeest is simple. [Maker 101] gave the Arduino an infrared sensor which can pick up signals from a simple IR remote control. It can be driven backwards and forwards or turned left and right. What’s more, it looks particularly elegant as it walks—a hallmark of a good Strandbeest design.

Design files are available online for the curious. We love a good Strandbeest build, and some can even be useful, too! Video after the break.


Taser Ring Is Scary Jewelry You Shouldn’t Build

January 16, 2025

Officially, the term “taser” refers to a particular brand of projectile-firing electric stun gun. However, the word is also colloquially used to refer to just about any device intended for delivering electric shocks to an adversary. The taser ring from [Penguin DIY] definitely fits that description, though we’d strictly advise you not to consider building this at home.

The build is a hacky one. An arc generator circuit was pulled out from a jet cigarette lighter, and reconfigured to fit in a small ring-based form factor. It was hooked up with a power switch and a small bank of 30 mAh lithium polymer cells for power, and a compact USB-C charger board was installed to keep the batteries juiced. The electronics were then delicately assembled into a ring-shaped mold, which was injected with resin to produce the final ring. Once cast, a pair of small metal electrodes were installed on the outside. Activating the taser function is as simple as squeezing the ring—easy to do just by making a fist.

We’ve seen projects like these before; our advice is usually to avoid them unless you really know what you’re doing. Whether you end up shocking someone else or accidentally shocking yourself, the results tend to be bad. The latter seems particularly easy to do if you’re wearing this thing on your finger. Given it’s a ring, don’t expect to be able to pull it off in a hurry, either. It’s hard to see how that ends well.