How Android audio zooming works and when should you use it

5 December 2025 at 11:30

Ever recorded a college lecture and found the audio crystal clear, only to have your concert footage from that very day come out sounding like trash? This happened to me, and after some digging, I found the specific setting to blame—and why you shouldn't actually deactivate it completely.

Guitar amp sims have gotten astonishingly good

3 December 2025 at 07:15

It’s an incredible time to be a guitarist who doesn’t want to own a bunch of $2,000 amps and an expensive pedalboard of gear. Amp and pedal simulators, which have been around for decades, have in the last few years finally come into their own as nearly indistinguishable sonic replacements. Even John Mayer is now willing to ditch his beloved tube amps for digital models.

I certainly don’t have Mayer’s chops or gear budget, but I do love messing with this sort of tech and have purchased everything from NeuralDSP’s Archetypes series to Amplitube and Guitar Rig. Last week, as part of an early Black Friday sale, I picked up two amp/effects suites from British developer Polychrome DSP—Nunchuck (Marshall amps) and Lumos (clean through mid-gain tones). They are both excellent.

Any reasonable person should be satisfied with this tech stack, which models gear that collectively costs as much as my house. After my Polychrome DSP purchases, I reminded myself that I am a reasonable person, and that I could therefore ignore any further amp sims that might tempt my wandering eye.

This Week in Security: Cloudflare Wasn’t DNS, BADAUDIO, and Not a Vuln

21 November 2025 at 10:00

You may have noticed that large pieces of the Internet were down on Tuesday. It was a problem at Cloudflare, and for once, it wasn’t DNS. This time it was database management, combined with a safety limit that failed unsafe when exceeded.

Cloudflare’s blog post on the matter has the gritty details. It started with an update to how Cloudflare’s ClickHouse distributed database was responding to queries. A query of system columns had previously only returned data from the default database. As part of related work, that system was changed so that the query now returned rows for every database the given user had access to. In retrospect it seems obvious that this could cause problems, but nobody predicted it would. The result was that the database query used to look up bot-management features returned the same features multiple times.

That feature list feeds the Cloudflare bot classification system. That system uses some AI smarts, and runs in the core proxy. There are actually two versions of the core proxy, and they behaved differently when the feature list exceeded its 200-item limit. When the older version failed, it classified all traffic as bots. The real trouble was the newer Rust code: that version of the core proxy threw an error in response, leading to 5XX HTTP errors and the Internet-wide fallout.

Dangling Azure

There’s a weird pitfall with cloud storage when a storage name is used and then abandoned. It’s very much like what happens when a domain name is used and then allowed to expire: someone else can come along and register it. Microsoft Azure has its own variation on this, in the form of Azure blob storage. And the folks at Eye Security’s research team found one of these dangling blobs in an unexpected place: in Microsoft’s own Update Health Service.

The 1.0 version of this tool was indeed exploitable. A simple payload hosted on one of these claimed blob endpoints could trigger an explorer.exe execution with an arbitrary parameter, meaning trivial code execution. The 1.1 version of the Update Health Service isn’t vulnerable by default, requiring a registry change before reaching out to the vulnerable blob locations. That said, there are thousands of machines looking to these endpoints that would be vulnerable to takeover. After the problem was reported, Microsoft took over the blob names to prevent any future misuse.

BADAUDIO

There’s a new malware strain from APT24, going by the name BADAUDIO. Though “new” is a bit of a misnomer here, as the first signs of this particular malware were seen back in 2022. What is new is Google Threat Intelligence’s reporting on it. The campaign uses multiple delivery techniques, from compromising existing websites to serve the malware in “watering hole” attacks, to spam and spearphishing.

Notable here is how obfuscated the BADAUDIO malware loader is, using control flow flattening to resist analysis. First consider how good code uses functions to group code into logical blocks. This technique does the opposite, putting code into blocks randomly. The primary mechanism for execution is DLL sideloading, where a legitimate application is run with a malicious DLL in its search path, again primarily to avoid detection. It’s an extraordinarily sneaky bit of malware.

Don’t Leave The Defaults

There’s an RCE (Remote Code Execution) in the W3 Total Cache WordPress plugin. The vulnerability is an eval() that can be reached by putting code in a page to be cached. So if a WordPress site allows untrusted comments and has caching enabled, there’s just one more hurdle to clear. That hurdle is the W3TC_DYNAMIC_SECURITY value, which seems to be intended to stave off exactly this sort of weakness. So here’s the lesson: don’t leave this sort of security feature at its default.

Not a Vulnerability

We have a trio of stories that aren’t technically vulnerabilities. The first two are in the mPDF library, which takes HTML and generates PDFs — great for packaging documentation. The first item of interest in mPDF is the handling of @import CSS rules. Interestingly, these statements seem to be evaluated even outside of valid CSS, and are handled by passing the URL off to curl to actually fetch the remote content. Those URLs must end in .css, but there’s no check on whether that suffix sits in the path or in a query parameter. So evil.org/?.css is totally valid. The use of curl is interesting for another reason: curl speaks the Gopher protocol, which allows for essentially unrestricted TCP connections.
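As an added example (not mPDF’s own code), here is the suffix check from the paragraph above written two ways in Python: the naive version looks only at the end of the whole URL string, while the hardened version parses the URL, pins the scheme to http(s) and requires the .css suffix on the last path segment. The sample URLs and the evil.org/example.org hosts are constructed for illustration.

```python
from urllib.parse import urlsplit

# Schemes a stylesheet fetcher has any business using. Everything else
# (gopher://, file://, phar://, ...) is refused before any client is invoked.
ALLOWED_SCHEMES = {"http", "https"}


def naive_is_css_url(url: str) -> bool:
    """The weak check: does the whole URL string end in '.css'?"""
    return url.lower().endswith(".css")


def strict_is_css_url(url: str) -> bool:
    """Hardened check: allow-listed scheme, a host, and '.css' as the suffix of
    the last path segment. Query string and fragment are ignored entirely."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return False
    last_segment = parts.path.rsplit("/", 1)[-1].lower()
    # Require a real filename in front of the suffix, so a bare '/.css' fails.
    return last_segment.endswith(".css") and len(last_segment) > len(".css")


# Constructed sample URLs (not from the article or from mPDF's test suite).
SAMPLES = [
    "https://example.org/theme.css",       # legitimate stylesheet
    "https://example.org/theme.css?v=2",   # legitimate, but cache-busted
    "https://evil.org/?.css",              # suffix lives in the query string
    "https://evil.org/#.css",              # suffix lives in the fragment
    "gopher://evil.org/theme.css",         # right suffix, wrong protocol
    "https://evil.org/.css",               # suffix with no filename in front
]


def compare_checks(urls=SAMPLES) -> dict:
    """Map each URL to (naive verdict, strict verdict) so the two checks can
    be compared side by side."""
    return {u: (naive_is_css_url(u), strict_is_css_url(u)) for u in urls}


if __name__ == "__main__":
    for url, (naive, strict) in compare_checks().items():
        print(f"{url:38} naive={naive!s:5} strict={strict}")
```

Pinning the scheme removes the Gopher trick but not the underlying issue: an attacker-chosen http URL is still fetched by the server, which is exactly why mPDF’s position is that input must be sanitized before it reaches the library.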

The next quirk in mPDF is in how .svg files are handled. Specifically, how an image xlink inside an SVG behaves when it uses the phar:// or php:// prefixes. These are PHP archive links and raw PHP stream links respectively, and the mPDF codebase already guards against such shenanigans by matching links starting with either prefix. The problem here is that there’s path mangling that happens after that guard code. To skip straight to the punchline, :/phar:// and :/php:// will bypass that filter, and potentially run code or leak information.

Now the big question: Why are neither of those vulnerabilities? Even when one is a bypass for a CVE fix from 2019? Because mPDF is only to be used with sanitized input, and does not do that sanitization as part of its processing. And that does check out. It’s probably the majority of tools and libraries that will do something malicious if fed malicious input.

There’s one more “vulnerable” library, esbuild, that has an XSS (Cross Site Scripting) potential. It comes down to the use of escapeForHTML(), and the fact that this function doesn’t escape quotation marks. Feed it malicious text, and the unescaped quotation mark allows for plenty of havoc. So why isn’t this one a vulnerability? Because the text strings getting parsed are folder names. And if you can upload an arbitrary folder to the server where esbuild runs, you already have plenty of other ways to run code.
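An added Python illustration of the esbuild point above (constructed here, not esbuild’s code): an escaper that handles &, < and > but skips quotation marks, beside one that escapes them, with a constructed folder name and a parser check of which attributes survive when that name lands inside a quoted attribute. The hypothetical report line and the folder name are assumptions.

```python
import html
from html.parser import HTMLParser


def escape_for_html_no_quotes(text: str) -> str:
    """An escaper of the kind the article describes: neutralises &, < and >
    but leaves both quote characters untouched (constructed illustration)."""
    return text.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")


def escape_for_html(text: str) -> str:
    """Hardened escaper: html.escape with quote=True also rewrites " and '."""
    return html.escape(text, quote=True)


def render_entry(folder_name: str, escaper) -> str:
    """Build one line of a hypothetical build report in which the folder name
    is placed both inside a quoted attribute and in text content."""
    safe = escaper(folder_name)
    return f'<a href="/{safe}">{safe}</a>'


class _AnchorAttrs(HTMLParser):
    """Collect the attributes an HTML parser actually sees on the <a> tag."""
    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.attrs.extend(attrs)


def parsed_attributes(markup: str) -> list:
    """Return the (name, value) attribute pairs of the rendered anchor."""
    parser = _AnchorAttrs()
    parser.feed(markup)
    return parser.attrs


# Constructed folder name: the quote closes href early and a second,
# attacker-chosen attribute follows. No script runs here; the point is that
# the attribute boundary is lost as soon as quotes pass through unescaped.
FOLDER = 'docs" title="injected'

if __name__ == "__main__":
    for label, esc in (("no-quote escaper", escape_for_html_no_quotes),
                       ("quote-aware escaper", escape_for_html)):
        markup = render_entry(FOLDER, esc)
        print(f"{label}: {markup}")
        print("  attributes seen by the parser:", parsed_attributes(markup))
```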

Bits and Bytes

There’s another Fortinet bug being exploited in the wild, though this one was patched with FortiWeb 8.0.2. This one gets the WatchTowr treatment. It’s a path traversal that bypasses any real authentication. There are a couple of validation checks that are straightforward to meet, and then the cgi_process() API can be manipulated as any user without authentication. Ouch.

The Lite XL text editor seems pretty nifty, running on Windows, Linux, and macOS, and supporting Lua plugins for extensibility. That Lua support was quite a problem, as opening a project would automatically run its .lua configuration files, allowing direct use of os.execute(). Open a malicious project, run malicious code.

And finally, sometimes it’s the easy approach that works the best. [Eaton] discovered a Cracker Barrel administrative panel built in React JS, and all it took to bypass authentication was to set isAuthenticated = true in the local browser. [Eaton] started a disclosure process, and noticed the bug had already been fixed, apparently discovered independently.

Dogfooding is usually a good thing: That’s when a company uses their own code internally. It’s not so great when it’s a cloud company, and that code has problems. Oracle had this exact problem, running the Oracle Identity Governance Suite. It had a few authentication bypasses, like the presence of ?WSDL or ;.wadl at the end of a URL. Ah, Java is magical.

2025 Component Abuse Challenge: The VIA Makes Noise, Again

14 November 2025 at 14:30

In the days of 8-bit home computing, the fancier machines had sound chips containing complete synthesizers, while budget machines made do with simple output ports connected to a speaker — if they had anything at all. [Normal User] appears to be chasing the latter route, making PCM sound by abusing the serial port on a 6522 VIA chip.

A serial port is, when you think about it, a special case of a one-bit output port. It’s designed for byte-oriented data communication, but it can also carry a PCM data stream. We’ve seen this done plenty of times here at Hackaday with microcontrollers and peripherals such as the I2S port, to produce such things as NTSC video. The 1970s-spec equivalent might not be as fast as its modern counterpart, but it’s capable of delivering audio at some level. The machine in question is a Ben Eater breadboard 6502 with a World’s Worst Video Card, and as you can hear in the video below the break, it’s not doing a bad job for the era.

If you think this hack sounds a little familiar then in a sense you’re right, because Ben Eater himself made noises with a 6522. However it differs from that in that he used the on-board timers instead. After all, the “V” in “VIA” stands for “versatile”.

2025 Hackaday Component Abuse Challenge

Israel to launch advanced malware eavesdropping on your computer

9 May 2020 at 06:49

Scientists from the Ben-Gurion University of the Negev in Israel have developed malware that can eavesdrop on computers in an air-gapped network. By manipulating the power supply, a specific audio signal is transmitted, which in turn is intercepted. That means even data stored on an offline computer is no longer safe.

The scientists named their malware POWER-SUPPLaY, referring to data leaks from an air-gapped computer. These are devices that are not connected to outside networks, such as the internet. The driving force behind POWER-SUPPLaY is a phenomenon called the “singing capacitor”, which makes a capacitor emit a high-frequency sound as soon as the amount of power flowing through it changes. The operators of the malware can manipulate the power supply very precisely and so determine the audio signal of the capacitor.

Yes, the irrepressible Mordechai Guri has found another weird way to exfiltrate data from an #airgapped machine: using singing capacitors. I bet the CIA is quaking in its boots at his “POWER-SUPPLaY” scheme: https://t.co/Ts39RFMCoK

2/

— @Richi Jennings (@RiCHi) May 6, 2020

Subsequently, an operator nearby can intercept the acoustic signals and steal the binary data from the targeted computer. A smartphone is sufficient to receive and store the stolen data. The signal can be picked up from up to six meters away, depending on the ambient noise. In close proximity, the malware can transmit up to 40 bits of data per second, and at greater distances 10 bits per second.

The group of scientists is led by Mordechai Guri, an expert in the field of eavesdropping on air-gapped networks. Previously, Guri researched techniques to manipulate screen brightness, to read the infrared lenses of security cameras, and to modify the sound ports of computers. Hacking is generally considered an online affair. However, Guri takes retrieving data through unconventional means to a whole other level.

The video below roughly demonstrates how POWER-SUPPLaY works:

The post Israel to launch advanced malware eavesdropping on your computer appeared first on Rana News.
