wanna get good at programming? check out lowlevel.academy and use code THREADS20 for 20% off lifetime access. or dont. im not a cop

@cerealpeer

7 күн бұрын

when?

@docbrown1157

6 күн бұрын

This is an Ad!!! Why are people "Thumbs UPing" an AD???? Huh, I guess the channel owner is getting a kick back from them...

@Serpsss

22 сағат бұрын

​​@@docbrown1157 If you're not interested you don't have to click but an upvote on an ad for the Creator's livelihood is a small sign of appreciation of the time & effort that goes into educational videos like this that have been made freely available. At least it's relevant and not some annoying sh*te like nordvpn or some sweepstakes scam.

I miss the days of jailbreaking my iPhone by just going to a website, but in hindsight, maybe that wasn't a good idea.

@ryangrogan6839

12 күн бұрын

Exploiting webkit has been a pretty popular way to jailbreak things. You can even do it on the PS3. I used to have to use an E3 flasher back in the day. I totally prefer webkit exploits any day over popping open something and attaching random shit to the onboard chips

@syrus3k

12 күн бұрын

There's been loads of very scary bugs in software that nobody ever seems to have cared about the potential risks. For example, you have no idea whether you've been hacked or not. Really.

@Relkond

12 күн бұрын

It was an ok idea. Buuut it revealed that the phones security was garbage.

@theairacobra

12 күн бұрын

@@ryangrogan6839 Yeah, i modded my PS3 with HEN all thanks to the browser

@potential900

12 күн бұрын

@@syrus3k Ah yes, if only there was a popup on the screen every time the PC got hacked, lol

The TIFF image format was used to hack the PSP early on.

@ST-actual

12 күн бұрын

Came here to say this!! Haha. The tiff overflow!

@mgancarzjr

12 күн бұрын

I still remember even somebody got a PSP back from being serviced with a magic battery in it that was immediately sent to the cracking scene.

@danielditlev

12 күн бұрын

It definitely was 😊

@memes_gbc674

12 күн бұрын

@@mgancarzjr yeah that was crazy

@ColdRacoons

11 күн бұрын

Also the iPhone/iPod Touch. 1.0 - 1.1.1. Was patched in 1.1.2.

Seem to recall a similar bug in Internet Explorer (IE 5.0.x) from nearly 20 years ago that allowed a carefully crafted JPEG file to exploit a Windows system.

@jsrodman

12 күн бұрын

Yeah, similar problems have existed in libjpeg and libpng, both exploitable in practice. Shows the value of both memory safe programming environments and simple data formats.

@Aplysia

12 күн бұрын

I seem to recall a similar bug in IE 5 once or twice a week, back in the day. 😂

@uranoxyd

12 күн бұрын

Jeah, i think the bug was in the GDI or GDI+ library, but maybe this was another bug.

@sanicswaghog5278

12 күн бұрын

There was a similar exploit in IE and Firefox involving animated mouse cursors.

@Juksemakeren

12 күн бұрын

the first iphone jailbreak was through a image parsing exploit

So....where is the payload then? A double free by itself will not hand over control to desired code, I like to see this explained.

@Omena0

12 күн бұрын

Fr

@MSheepdog

11 күн бұрын

I would assume either in the image data, or the table itself, but I also would have liked the video to cover it.

@jnharton

11 күн бұрын

That's an interesting question, yes. You have to somehow get the compiled form of the code you want to run into a region of memory that will be executed from.

@craigslist6988

11 күн бұрын

He made a previous video explaining exactly how the webp exploit works.

@bernard3992

9 күн бұрын

He explained the hardest part.

Exploits that target software used for handling media are so interesting to me because they're such an unintuitive way to hack something. The Car Hacking Village had a case study where a similar vulnerability was exploited against a tesla

@eanredur9920

7 күн бұрын

In this case, it was a bug. But especially with Machine Learning, there can be 100% correct code, but the AI is still vulnerable to image/video/data stream manipulation. Fascinating stuff! I don't know about the case with tesla, but it is (or was) possible to confuse many AIs used for street sign recognition in a way that made them completely useless (Stop signs to 50 signs and similar things). Luckily, as far as I know, it is near impossible outside of laboratory circumstances, as it relies on the specific learned topology of the target AI. It is very weakly transferrable and near impossible to generate without access to the AI. Do you maybe remember the paper? It sounds very interesting, but I could not pin it down with a quick google search. "Hacking Tesla with image" seems too generic.

thanks for making this awesome content LLL. I used to think cybersecurity and low level programming were really dry but the way you narrate how these major events unfolded makes it so engaging.

@LowLevelLearning

12 күн бұрын

its all so magical

@birdsocialtv

12 күн бұрын

I was thinking the same thing. I like the narration as well! Now I have to research more.

I'm so old that I think I remember something like this has also happened to JPEG images; maybe in the exif data. May be all the way back to the very early days of the interwebs. Edit: discovered in 2004 apparently.

3:34 He's trying say "matryoshka dolls".

@illiadenysenko7776

8 күн бұрын

maryastroyka dolls :D

@fcantil

5 күн бұрын

Mary Striker Dolls! 🤘

@Mackerdaymia

5 күн бұрын

ngl, Perestroika Dolls hit me hard. The idea of the dolls redesigning themselves so they no longer stack.

It’s kinda neat that after taking a data structures and algorithms class I now understand so much more in a lot of these types of videos.

@gangstaberry2496

9 күн бұрын

I've been feeling the same!! Enjoy, happy learning ♥️

@eanredur9920

7 күн бұрын

Did you do Huffman Trees or is it more about understanding trees, compression, and recursion? Just asking because I found our Algorithms and Data Structures lecture useless. We did basic stuff, but nothing one could not have learned to a reasonable degree by reading 2-3 hours a day for a week.

@andrewzelitt

7 күн бұрын

@@eanredur9920 we learned both. Had to do Huffman encoding for an exam question actually.

@eanredur9920

7 күн бұрын

@@andrewzelitt Cools stuff. I wish we did go a bit deeper.

Technically not the picture will render the picture, the picture will be used to render a picture.

@jnharton

11 күн бұрын

The "picture" is a file which contains binary data representing the red, green, and blue (RGB) components of the color to be used for each distinct subunit of a digital image. With a large enough set of colored pencils (or an image composed from a limited color palette) and some graph paper you could open up the "picture" in a hex editor and render it on your graph paper in colored pencil.

@paulstelian97

11 күн бұрын

@@jnharton That's only true of uncompressed formats.

@jnharton

10 күн бұрын

@@paulstelian97 The first and modt important part is technically still true, because unless the compression is lossy decompression restores the original. A different encoding of data doesn't mean you don't have the data.

@paulstelian97

10 күн бұрын

@@jnharton PNG is the only often encountered lossless encoding soooooooo… there’s others like jpg or webp

Quite a lot of evil has happened with a 1x1 image, over the years.

@2Fast4Mellow

11 күн бұрын

True, but you don't know it is a 1x1 pixel image unless you parse the image. Size is also misleading, because many image formats have many meta-data fields that allow me balloon the image to a point you no longer consider it suspicious. Browsers might be updates by now, but there is a lot of software that are embedding webbrowser components that might not be updated, like mail and chat applications. Linux users get most of their applications from the distro repository which will automatically update the applications. Under Windows this is much more messy and we all know that people don't like to upgrade their software because it is often asked when you want to use the application. VLC for example tells me when I'm want to watch a video that there is a newer version and I only have a yes or no option, why not a install on exit of application?

@voidkid420

11 күн бұрын

@@2Fast4Mellow Aye, the webview world is due a massive wake up ... I mentioned the webP thing a while ago, barely got a response ... till I started listing all the things that use it.

@JxH

4 күн бұрын

A company that I know... ...sends out emails that contain 1x1 tracking pixels. The reason I know this is that the same company has MS-Outlook policies that prevent the automatic downloading of images, instead marking the email's missing images with little squares on each corner. At the bottom of each email is a 1x1 pixel collection of four squares, that contains a link to an online (served) image that contains a lengthy and obviously unique identifier in the filename. In summary: 1) Company uses tracking pixels on all Corporate Communication emails, and 2) Company's MS-Outlook reveals this to anyone that knows about the general topic of 1x1 pixel images. SMH...

How is it possible that you can do so nice videos, in a very simple arrangement and good explanations, causing time to fly so fast!!! Never looks like it's an almost 10min video 😊 Thanks for the good quality material you have been donating to the internet

Reminds me of the discord videos that crash discord. also turns out WebM has an infinitely adjustable dynamic resolution that can change on the fly, the speed bottleneck is the player. you can change the resolution of a WebM videos 60 times a second even. discord didn't put a box limit so users were making videos that would seemingly disappear (turn into 1x1) the second you clicked on it, also videos that look like a game character dancing and it's bouncing the discord chat up and down with it. personally I think they should keep it but they removed it.

@jsrodman

12 күн бұрын

Meanwhile i would prefer a compile of discord that cannot render user content.

@jmvr

12 күн бұрын

I downloaded two videos using that. It was the Rick Roll that slowly shrunk, and a cat meowing where the video would change size when the cat meowed. It's pretty cool, and is even viewable in certain desktop media players.

@Fasteroid

12 күн бұрын

Remember that clip of the annoying orange coming through the TV that crashed your discord? I think it also used this tech.

@Mr_Yeah

12 күн бұрын

AFAIK, that behavior was not removed in Discord directly, but through a patch in Chromium

@henryfleischer404

12 күн бұрын

@@jsrodman What's the point of that? Wouldn't that just be the UI?

Nice, just in case WebP doesn’t get more hate

I think the researcher name was “Misty Mountain Cop”. Thanks for the informative video.

@Collif

3 күн бұрын

Yep, definitely a play on Misty Mountain Hop by Led Zeppelin

Thanks for validating my hatred for WEBP format.

@LightTheMars

12 күн бұрын

It's a good format. Very efficient encoding (small file size) and high image quality. A programming error in one implementation has nothing to do with that.

@pierrotA

11 күн бұрын

​@@LightTheMars​ I think the main reason people hate it is because it's annoying to work with. By default it will open in a browser, generaly speaking you cannot copy/paste it from a webpage, and a lot of softwares do not even know the format. It's efficient and the gain is obvious for big web companies that want to reduce servers cost, but for the simple mortals like us it's just an additionnal step to download/upload/modify an image.

@thesenamesaretaken

11 күн бұрын

​@@pierrotA it's annoying because big tech makes some software that doesn't support their own file format conspiracy? At least back in the day it felt like they didn't support .ogg files out of malice

@KordaMachala

4 күн бұрын

It's a PNG with a size of JPEG. I think it's annoying to work with, but useful.

@konayasai

3 күн бұрын

​@@pierrotAIt's not .webp's fault if the user has failed to install software that can handle a file format that's been around since before I suspect that kind of user must have been born.

Loved the explanation of this, short, sweet. Really interesting

that's just another reason why you never trust a webp user...

@csharpcoffee

11 күн бұрын

JPG has had worse exploits years ago. Webp is a good format, it's biggest flaw is being too young for widespread support yet. Give it 10 years and people might look at JPG like they look at AVI and FLV

@vylbird8014

8 күн бұрын

@@csharpcoffee Not any more. Every web browser supports it now, except the legacy IE that is only left in Windows for compatibility reasons. Given that there are only two rendering engines and they both support WebP, you can safely use WebP on websites. Same for AVIF. Application support other than browsers is a bit inconsistent, and strangely so at times. Telegram, for example, won't recognise WebP as an image file - even though it uses WebP internally as the format for sticker images.

New LLL vid == good day => true

@SlammerSimming

12 күн бұрын

#ifdef newlllvid bool goodday = true; #endif

@electrolyteorb

12 күн бұрын

​@@SlammerSimmingplease don't use macro for runtime checks...

@owlstock679

12 күн бұрын

@@SlammerSimming I'll do you one better. #ifndef newLLLvid *(char*)0 = 0; #endif // newLLLvid

@Kane0123

12 күн бұрын

This is some real strange dotnet syntax guys…

@Hellbending

12 күн бұрын

fn lllvid(new: Vid) { match new.is_ok() { true => true, false => Err(Error::Nonsensical) } }

at my work, we called these types of attacks compression bombs. that kind of terminology helped put my mind in the right frame of reference when i evaluate useful compression code.

This bug sounds well worth a deep dive into. I wonder if it is something that also bypasses other typical security protocols by rendering the image as unrenderable. It reminds me of something that could be easily exploited in captive WiFi login portals where the user has no ability to block the execution image files being loaded and rendered. A bad actor could setup a spoofed WiFi related to their target’s activity and just embed the exploited file when they login out of habit.

The sad part is that it doesn't even surprise me, CVE after CVE I see that complexity + interaction => exploit. Given the complexity stack of anything today, the only way to avoid exploits is to avoid interactions with untrusted data. i.e. no internet, no file sharing. Next best thing is to separate everything, but that is really hard without carrying 3 phones in your pocket. I'm going with option 3 which is eat popcorn while reading the news.

@erikkonstas

12 күн бұрын

Guess what, you're not safe even without Internet... and I don't mean your computer, I mean your physical body... the chance a sniper kills you is never zero.

When I started to play the video, I was wondering if it was on the UEFI spash image hack. Alas, it was not, but another interesting bug. I remember writing code and then setting up automated testing back on a Pr1me Mini back in the 1980's. Most of the programs were reasonable simple, and testing for invalid input didn't take long, until we got to the final project for the semester. And of course, final project time meant every class was in the lab trying to get their final project done. So, automating my testing was a big speed boost for my team. Rather than twenty minutes of entering something and waiting for our time slice to come around again, the mini took my scripts and gave us back a results file we could browse in about a minute.

Very informative! Thanks for the video details!

I remember a remote code execution available in the WMP and EMP image formats that affected Windows from version 3.0 to server 2003; that's twenty years' worth of Windows versions...

The Darknet Diaries podcast actually talked to one of the folks at Citizen Labs in a episode that is centered around NSO. Highly recommend it, as they go into more of the high-level overview of what NSO (and their clients) were doing.

Great video - excellent explanation! Thank you!

The storing of the Huffman table in the file does not occur in all Huffman use cases. I had to think about it for a moment, but unlike text compression, you can't assume a default starting point for images, so taking up space to store the table makes sense.

lmao, huffman encoding is one of the easiest compression algos, an undergrad came up with it

@johnc3403

12 күн бұрын

..and that makes you "laugh my ass off"? OK then. And what have you come up with?

@oncetwice6366

12 күн бұрын

​@@johnc3403it's funny because he constantly refers to it as this incredibly complex algorithm. I don't think he's trying to diminish the achievement in any way.

@dagomara8380

11 күн бұрын

@@johnc3403 In azertyq's defense, I did also chuckle when he called Huffman Encoding super complex, because it's taught in undergraduate CS programs. After laughing, though, I did realize that most of LLL's audience likely lacks a degree in the field.

@81milliontotallylegitimate10

11 күн бұрын

@@dagomara8380 just like anything else, its complicated unless you understand it

@vylbird8014

8 күн бұрын

Huffman? WebP uses Huffman? Ugh... I thought we'd move on from that. Huffman was fine in its day, but we can do better now.

Nice video! 🎉

crazy how primeagen is doing a huffman encoding stream soon and you're uploading this right now

@sb_dunk

12 күн бұрын

Dead internet theory

@opposite342

12 күн бұрын

@@EricPhillips89 it was scheduled but now it's gone. He's live right now on twitch though so maybe he changed plans/will be starting it later

Interesting timing for the hair overflow condition to occur at 6:30

literally just learned about huffman coding in my algorithms class when we went over greedy algorithms a week or so ago. pair that with the operating systems class im taking and im understanding a lot more in these videos.

@vylbird8014

8 күн бұрын

In your next lesson you learn that Huffman coding has been largely replaced by arithmetic coding, which is more complicated but can achieve better compression.

So, maybe find an initial table that unpacks to include one or more copies of the original table within it so that it results in a fractal unpack that can always be further unpacked into ever larger and larger tables.

Crazy stuff, I remember Wii Zelda bug where the char name could trigger a buffer overflow and it was used to exploit it

amazing exploit, subject, and video nice dude

The basics of computer security is treating data as data, and code as code. As soon as you treat data as code it will be exploited.

It always amazes me how far 'people' are willing to go just to make someone else's day miserable.

@aegoni6176

12 күн бұрын

It's a bit more than that. The NSO is an Israeli organisation that specialises in making malwares/spywares that they can sell to governments to allow them to spy on individuals, cyber warfare basically. And as you may guess, there is a lot, and I mean A LOT of money to make worth the effort

@no_name4796

12 күн бұрын

They really most do it for money. Others having a bad day is just a sideeffect. This is why capital- (no, i am not gonna do an essay on how capitalism is bad. It just is)

@BrunoVinicius-ix8wt

12 күн бұрын

@@no_name4796 I'd say it goes deeper than that. Right into human nature. History has proven that time and again, way before any ideology was born.

@zaper2904

12 күн бұрын

People like NSO don't do it for fun or just to be dicks they do it for absolute boatloads of government cash.

@nikolabegonja5490

10 күн бұрын

@@no_name4796 If you think people screwing over others for financial gain is a capitalist invention, you need to check out some more history.

Thanks, its amazing how ingenious some exploits are. I'd be interested to know if you think IoT devices are a significant risk to home networks - many of those devices don't get any attention after initial installation and have control servers located in foreign countries. Even if the vulnerability is unintended it may last for years before the device is updated or replaced

I remember there was exploit in browsers (or only in chrome) which gave access to webcam without prompt. Since then I always close webcam on my notebooks. So many people were caught naked and got laughed at.

@williamdrum9899

10 күн бұрын

But did the little light come on next to the camera

Amazing video ! I learned so many things... Thanks!

0:35 Bro's parents named this guy LowLevelLearning

These image conversion libraries feel like a great smallish project to begin re-writing (and optimizing) code that is very commonly used into a safe language.

This reminds me of the old PKZip bug from the 90s that caused PKZip to keep decompressing the same data over and over again. A ZIPBomb. It'd cause pkzip to "bomb" the harddrive and fill it up. Mind you the first version of that (that I remember) used pointers to make the pkzip file loop. It wasn't out of bounds as it stayed within bounds.

@stitchfinger7678

11 күн бұрын

People still make zipbombs today, if mostly for tinkering and not as much harm There's one that has a theoretical decompression size of like more than Google's entire infrastructure lol

I'm going through your pico videos now to learn C for the first time, thnx 4 the content bby.

I was very interested in Virus program when i was 20 (1996 - 1999), and i have used to use this technic to store some executable or calling executable by using html and two image bmp.

As for the images that could be used to hack somebody's pc, jpg lib in Windows had a bug like that. If I remember correctly, the lib was created for Windows 3.11 and got patched in Vista (or maybe 7?).

I love the how NSO exploited legacy scan compression to create virtual processor and then evaluate whatever code you do and eventually escape it's prison and eventually take over device. AND it's zero interaction from the user at all.

NSA just lost another one of their favourite toys

"I wont talk about this very complex algortihm." Procced to talk about this very complex algorithm

the people that make and catch these things are geniuses.

"Maristroka" dolls? Bruh.

@DaveBucklin

12 күн бұрын

Matroshka was how I learned it.

@williamdrum9899

10 күн бұрын

At least he didn't call it "Perestroika" 😂😂😂

"marystroika dolls" killed me 💀

Well, I can't stop thinking of you

it's crazy how google has been pushing webp so hard yet doesn't support the format in their apps (docs, slides, etc)

I remember the PSP had a .TIFF format image exploit, fun times.

This video reminds me of Richard describing about middle out to the judges in silicon valley. Pure classic.

great explanation. thank you!

This is insane, and what is more insane that to this day there's no containerization of user apps by default on desktop OS's. Think of docker and careful management of permissions between apps and system stuff like FS. Or like on mobile OS's. This would prevent many security issues. MacOS doesn't even support MacOS inside docker.

@mvwouden

12 күн бұрын

Flatpak sort of does this on Linux

@jnharton

11 күн бұрын

You don't need containerization to achieve a reasonable degree of security. Buffer overflows can only compromise memory that the executing program with the "bug" actually has access to write. If that isn't the case, your program would a segmentation fault and crash. So if you just don't give a program more permissions than it needs to do it's job that reduces the risk considerably. This is precisely why you almost never login as root (super user) on a Unix/Linux system and you don't run background processes as root unless absolutely necessary.

@capability-snob

11 күн бұрын

MacOS is a bit of a fun case. It does support isolation, but it's not obvious to the user which apps are running with the capability sandbox and which aren't. Add to that, they added some vulnerabilities to the sandbox configuration of some apps (notably, ms office) that can be exploited to achieve complete and persistent system takeover. There are operating systems that can provably isolate applications and safely delegate permissions to them; these are known as object-capability systems. SculptOS and Fuchsia are some attempts to explore this area, although there are a lot of mainframe operating systems that already meet this standard.

Decades ago I was told "we use Windows at this company because it's secure and stable. You cannot run Linux". So I sent out an email to the entire company with an urgent sounding headline. It contained an HTML IMG tag with the source set to C:\CON\CON There was absolute chaos as nobody could open Outlook after their computers blue-screened and restarted... Because it was the last message in their inbox, and it would display it before it got around to polling the exchange server for new messages. It would even crash if you went in through the web interface.

I'm just here to hang out. Happy to be here :D

Hi LowLevelLearning, how do you draw diagrams on the black screen, do you use a drawing tablet?

Back in the AOL days, we would boot people from chat rooms by sending them an empty jpeg file. You could boot everyone by making your user icon an empty jpeg file. It would cause the renderer to crash the chat program.

Huffman coding is one of the simplest (and also provable optimal) universal compression encoding though

Now THAT is an interesting use of a huffman coding tree.

The beginning of every coding book should be dedicated to buffer overflows.

bro salute to you from my coca lab. seems like may comes with good flavor for zero days.

Tbh you keep hearing about those buffer overflows and how dangerous they are but tbh other than crashing your browser, I haven't heard of any concrete exploit in recent times that managed to do a big intrusion thanks to such a bug

Great info! Thanks 🍷

"marystroyka dolls" made my head spin, jeez

man some people are so smart

Glad i found this channel

Well I did remember this but there was another image exploit. Some thing to do with one person finding the loop hole image data. I wonder if remember if there was emotion pack message infected.

So much nostalgia, This reminds me of the TIFF exploit that allowed users to downgrade their PSPs from 2.0+ to 1.50

did you mix up Matroyshka dolls with Perestroyka to make Merestroyka dolls? Lol

It's hard to find these issues but not hard to make them. The feds invest teams to find possibilities like this that are hard to detect, then pays them to put their bugs into open source libraries. Easiest way to get backdoors anywhere you want.

Yes I did know about this. I mean it's whole reason you could jailbreak the PSP using a TIFF buffer overflow and downgrade or put custom firmware on it back in 2005 or so.

Ah, this is why my Firefox update a while ago had an exclamation saying Security update

i have a really good question... how do you feel about adds? how about some web pages running crypto coin miners through legal means.

Interesting. We should all code in rust now.

@skoovee

11 күн бұрын

i love rust but i hate rust fans

@herpederpe4320

3 күн бұрын

Lets speak in a language where it is impossible to express certain ideas - 1984 newspeak

Pronounced Matryoshka dolls (/ˌmætriˈɒʃkə/ MAT-ree-OSH-kə; Russian: матрёшка, IPA: [mɐˈtrʲɵʂkə]

Pls start an advanced C course

long ago there also used to be a gdlib (i think that's what's named) remote code exec browser exploit

I can't even imagine a hacker that discovered this

Have you looked at the "Operation Triangulation" presentation the Kaspersky ppl did at 37c3? That I something that I can't stop thinking about..

How about just adding the stackprotector-strong to the compile options for gcc? Would it then be still vulnerable?

24 seconds ago is crazy

This is *joker* level bug. Outstanding !

This needs to be automatically understood without explanation

Wasn't there an iPhone zero day a few months ago that exploited fonts? Meaning you could compromise a phone with a SMS

merestroika dolls is a great portmanteau (matriyoshka + perestroika). no idea what it would mean but enjoyed it

@LowLevelLearning

12 күн бұрын

LOL oops

i was hearing about the 2017 LNK shortcut rendering RCE exploit recently, how similarly does that one work to this?

This is Skippy-The-Magnificent level of code.

hi bro, what Linux distro are you using?

Huffman coding was invented in 1952. I implemented a version of it in 1980 in a commercial product.

Dang, this makes me think of analytics tools that do tracking through a single pixel and what if they use an exploit like this to gain more information on the client side?

We should start running our OS exclusively through a debugger and check each assembly step before running it

@williamdrum9899

10 күн бұрын

Homer Simpson 5 seconds in: "BOOORING"

Check out the book snow crash, it goes over this bit image that caused people die in the meta verse and then be in a coma in real life or even die

clusterfuzz is my new favourite word