this is a warning to anyone using php

Science and technology

An 8/10 vulnerability has been found in glibc, that could lead to the compromise of PHP around the world. Check it out in this video.
nvd.nist.gov/vuln/detail/CVE-...

Comments: 734

  • @LowLevelLearning
    A month ago

    learn to code in C correctly so this stops happening lowlevel.academy there's a sale 😥

  • @jongxina3595
    A month ago

    actually the white house said C is unsafe so I will use Rust 🤓

  • @soundspark
    A month ago

    UTF-8 and UTF-16 are actually full Unicode.

  • @xunjin8897
    A month ago

    Any course on programming Rust safe? While interoperability with other languages like C/C++

  • @twofeetcat7694
    A month ago

    Have “PHP” in the title. Open cve link. A glibc bug. If this is not a bad faith argument and clickbaiting I don't know what it is. Unsubbed, disliked, and blocked this 🤡 from ever showing up on my feed again. I suggest you all do the same.

  • @lattakia3812
    A month ago

    @@jongxina3595 I don't trust the White House. Rust is probably a trojan created by the FBI

  • @jdietz224
    A month ago

    1:25 “may overflow the output buffer” Everybody drink!

  • @mayday8413
    A month ago

    "...that basically lives on every Linux distribution" and another!

  • @jim0_o
    A month ago

    *whiny voice* You guys... drinking this much is how these C programming bugs happen...

  • @SeekingTheLoveThatGodMeans7648
    A month ago

    @@jim0_o vicious circle eh?

  • @monad_tcp
    A month ago

    php = personal heap overflow program

  • @GreyDeathVaccine
    A month ago

    @@monad_tcp more like phop :P

  • @rbgtk
    A month ago

    Is it me, KZread's algorithm, or have there been quite a few big vulnerabilities lately? Don't get me wrong, it's good we're catching them, but they're a good reason for good update/patch management.

  • @LowLevelLearning
    A month ago

    it's a little bit of both. I've been making videos about bugs I'm hearing about, so you're definitely seeing more because of me. but also my feeds have been blowing up with articles about bugs recently.

  • @rbgtk
    A month ago

    @@LowLevelLearning And thanks for that! I've been enjoying the breakdowns you've been making

  • @saturn9199
    A month ago

    Someone commented that April is the month of exploits

  • @pluto8404
    A month ago

    it is recursive. Articles about bugs drives people to find bugs to create more articles, which drives people to find bugs to create articles.

  • @tacosombreroffs
    A month ago

    @@LowLevelLearning Where do you get this news?

  • @zettabitepragmara4031
    A month ago

    Bro the NSA is getting all of their exploits leaked 💀

  • @tanza3d
    A month ago

    proot

  • @eng3d
    A month ago

    yes, the NSA and their international ally. In the case of xz, they tried to blame the Chinese.

  • @tacticalcenter8658
    A month ago

    @@eng3d Mossad, aka 'is real'

  • @synkstar9921
    A month ago

    Proot

  • @xaxfixho
    A month ago

    They ain't using php anymore, they switched to Asp

  • @Scoopta
    A month ago

    UTF-8 and UTF-16 are NOT just the english character sets. They're literally all character sets, cause it's you know...unicode. English characters would be ASCII which UTF-8 is backwards compatible with.

  • @j3pl
    A month ago

    Came here to say the same thing.

  • @anon0815de
    A month ago

    This title is so misleading. The vulnerability is not in PHP and it can only be exploited if you use user supplied inputs when calling the iconv function and not filtering on allowed values for the conversion.

  • @learnfocus4685
    22 days ago

    You clearly clicked off early 🙄

  • @AwwdLabs
    20 days ago

    3.49

  • @j2simpso
    19 days ago

    Watch the video. PHP abused the function so poorly that the kernel can be exploited with this bug. So yes you are technically correct that other apps could be vulnerable but few of them have used this function and few of them have made so huge of a blunder calling the function that the technology can be brought to its knees. It’s sort of like saying we shouldn’t single out the Tacoma Narrows Bridge collapse because bridges can be vulnerable to high winds. Yes they could but we don’t see them collapsing everyday like the narrows did

  • @robertodupoteyb.1002
    15 days ago

    Totally agree. A total clickbait.

  • @AlainPaulikevitch
    14 days ago

    not completely unjustified to make it about php as the exploit that is being claimed is said to apply to php servers. why and how i still have no idea after trying to find a bit more about it to no avail. However you are right in the sense that this video is indeed being needlessly alarmist and more importantly it does not address the issues that would have been of interest such as: is the character set in question installed by default on an out of the box apache? does it affect nginx? does it happen on both phpmod and fpm? updating glibc is not always an option (debian here), it would have been nice to have more practically useful information on the context in which the exploit is available and how to prevent it. My current understanding is that the exploit can happen when php processes any request that is made using the specific character set. Restricting this on the web server level should be an option and it might not even be needed if this character set has to be manually installed. Most importantly going from an exploit that will kill one apache process to one that allows an attacker to do something (gain control or run something else) is extremely far fetched and unlikely to be a real threat.
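One defensive pattern for the point @anon0815de raises in this thread (only let an allowlisted charset reach iconv, and reject everything else at the application boundary), written here as an added example rather than code from the video or any commenter; the constant and function names are assumptions chosen for the illustration.

```php
<?php
// Added example, not code from the video or any commenter: validate a
// request-supplied charset against a fixed allowlist before it is handed
// to iconv(). ALLOWED_CHARSETS, normalizeCharset() and convertForClient()
// are names chosen for this illustration.
declare(strict_types=1);

const ALLOWED_CHARSETS = ['UTF-8', 'ISO-8859-1', 'WINDOWS-1252'];

function normalizeCharset(string $requested): ?string
{
    // Drop any //TRANSLIT or //IGNORE suffix so it cannot be smuggled past the check.
    $name = strtoupper(trim(explode('//', $requested, 2)[0]));
    return in_array($name, ALLOWED_CHARSETS, true) ? $name : null;
}

function convertForClient(string $utf8Text, string $requestedCharset): string
{
    $target = normalizeCharset($requestedCharset);
    if ($target === null) {
        // Anything not on the allowlist is refused instead of being passed through.
        throw new InvalidArgumentException('unsupported charset requested');
    }
    $out = iconv('UTF-8', $target, $utf8Text);
    if ($out === false) {
        throw new RuntimeException('conversion failed');
    }
    return $out;
}

// Constructed sample values standing in for a client-supplied charset header.
foreach (['utf-8', 'windows-1252//TRANSLIT', 'SOME-UNLISTED-CHARSET'] as $hdr) {
    try {
        $converted = convertForClient("caf\u{E9}", $hdr);
        echo $hdr, ' -> accepted as ', normalizeCharset($hdr),
             ' (', strlen($converted), " bytes)\n";
    } catch (InvalidArgumentException $e) {
        echo $hdr, ' -> rejected: ', $e->getMessage(), "\n";
    }
}
```

The check runs before iconv() is ever called, so a request naming an encoding the application never intended to support is rejected regardless of which encodings the underlying libc happens to implement.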

  • @BareTuna
    A month ago

    sending chills down my spine with "SET THE CHARSET TO RCE" 💀🔥🔥

  • @jdietz224
    A month ago

    It sounds like some Star Trek technobabble that some writer came up with

  • @TheJackal917
    A month ago

    What is charset and what is RCE?

  • @jameslando1
    A month ago

    @@TheJackal917 Charset: character set, think ASCII or UTF-8. RCE: Remote code execution, where an attacker can execute arbitrary code on a system

  • @TheJackal917
    A month ago

    @@jameslando1 thanks.

  • @gentlemanbirdlake
    A month ago

    that phrase rolls like an epic dis from a nerd rap track

  • @alsjourney
    A month ago

    As a php dev, this does not surprise me at all. *Continues to code in php 5.6*

  • @Betacak3
    A month ago

    Man, I wish I could upgrade all my clients to 5.6.

  • @gg-gn3re
    A month ago

    @@Betacak3 feels good to be the admin too. I switched all that stuff to 7 and then 8 years ago lol

  • @prima_ballerina
    A month ago

    *lol* To be fair: update politics have changed for the better with webspace providers / managed servers. In fact we're making a lot of money atm migrating systems to PHP 8.2/8.3 because many providers are charging extra money for "legacy" 7.4 support.

  • @youtubey-gz7yg
    A month ago

    Rip 😂😂

  • @alsjourney
    A month ago

    @@prima_ballerina my current projects: upgrade two websites from php 5.6 to 8.3. Easiest money for my boss in the world

  • @rainning_tacos1526
    A month ago

    Wow, another vulnerability

  • @MrYerak5
    A month ago

    Someone left the nsa lately? 🤔

  • @-Ld
    A month ago

    Availability bias, KZreadrs saw that the XZ vulnerability (yes an actual crucial and scary one) did well among viewers, so now every vulnerability under the sun is being posted about. I would bet on it being a trend in posting, rather than a trend in actual vulnerabilities. Just something I see, I could easily be wrong

  • @plaintext7288
    A month ago

    @@-Ld could also relate to more people being sceptical of the software they use and thus looking for vulnerabilities

  • @-Ld
    A month ago

    @@plaintext7288 the most insane vulnerability I've ever seen in my life (look up operation triangulation) came shortly before (what I consider) this recent trend, and it was not well known. The best documentation was by the firm who found it themselves, which had around 1k views. Basically the attacker could send a text to someone (unopened), and instantly get kernel access to their iPhone, so if you have an iPhone, you were 100% compromised unless iMessages were disabled. If this happened a week ago, I would speculate that it would be more well known

  • @iMagUdspEllr
    A month ago

    @-Ld I don't know why vulnerabilities wouldn't always be posted because a lot of people want to be hackers and the well-paying cybersecurity field is continuing to grow massively. There could be an uptick in vulnerabilities because people were inspired to look for more of them. The collective power of humanity is wild.

  • @titop.5228
    A month ago

    "Update glibc" could use some clarification. If a distribution has an official update available (and many distros will incorporate the patch into their supported versions), then by all means, but be prepared for serious complications when installing a version of glibc your distribution doesn't support.

  • @hawk_7000
    A month ago

    Hopefully people already know their systems well enough to know how to install updates, but yes, realistically in most cases it'll be a backported fix to whatever glibc version you already had.

  • @joejavacavalier2001
    A month ago

    If all the dependent packages are not ready for an updated glib and it’s not listed by your package manager when you check for updates AND you force an update on glib, couldn’t that essentially break your distro?

  • @thedevminer
    A month ago

    brb, writing a middleware that removes the charset header from the requests LOL

  • @Rudxain
    A month ago

    Heroes don't always wear capes

  • @AK-vx4dy
    A month ago

    Why is it reported as a php bug? It is a glibc bug, but I get it more now... it is just php bad luck... or an unfortunate decision of placing the buffer

  • @videocommenter235
    A month ago

    For the same reason xz was tried to get attributed to systemd: People, rightly or wrongly, dislike PHP and any reason to attack it is valid.

  • @whannabi
    A month ago

    @@videocommenter235 And despite their attacks, it ain't going anywhere

  • @jdahern
    A month ago

    No kidding, glibc is used by a lot of other languages too. It’s good to point out that php is impacted, but to say it’s a php bug is weird

  • @x-user3462
    A month ago

    It's the same as eval in exiftool that lead to an rce in gitlab.

  • @rj7250a
    A month ago

    Looks like because it is easier to exploit the bug on PHP.

  • @mtxn
    A month ago

    0:43 you should say "most Linux distributions". for example alpine runs on musl and also gentoo has a musl option.

  • @tripplefives1402
    A month ago

    However, the code for the exploited function is most likely the same in musl.

  • @shrootskyi815
    A month ago

    @@tripplefives1402 No, the code in musl isn't most likely the exact same. glibc includes many non-standard optimisations and extensions, while the principles of the musl codebase are simplicity, correctness, standards compliance, and security. musl has had only six CVEs to date, while glibc has had over one hundred. This vulnerability is due to a logic error in glibc's implementation, and it would be unlikely the exact same logic error exists in musl. I would be quite surprised if musl's iconv() implementation was affected by this.

  • @brentsaner
    A month ago

    @@shrootskyi815 musl has had 8, not 6, CVEs. Check MITRE. How much of musl's CVE track record is due to its limited visibility and exposure? Younger age? Going simply by the number of CVEs is misleading. I recommend examining the fixes made to address this in glibc commit e1135387deded5d73924f6ca20c72a35dc8e1bda and comparing to musl libc's iconv rather than operating off of assumptions.

  • @andrewdunbar828
    A month ago

    @@tripplefives1402 Nope. Musl says "The iconv implementation musl is very small and oriented towards being unobtrusive to static link. Its character set/encoding coverage is very strong for its size, but not comprehensive like glibc’s." plus a few more paragraphs with details.

  • @andrewdunbar828
    A month ago

    @@shrootskyi815 6 cve's in 13 years : 100 cve's in 37 years is pretty damn good. Glibc is almost 5 times worse even taking into account how much older it is.

  • @373323
    A month ago

    this should affect every web request system, not just php that can accept and react to that http header, including node , it uses glibc too , and does accept http headers

  • @JeremyAndersonBoise
    A month ago

    That’s my understanding too, this does not seem isolated to PHP whatsoever.

  • @shrootskyi815
    A month ago

    That all depends on how those other systems implement functionality for character sets and HTTP headers. The bug in PHP is specifically related to PHP's use of glibc's iconv() function. While it's possible that other systems use iconv() in a similar manner, and have similar vulnerabilities, it isn't guaranteed that a web request system that depends on glibc is vulnerable. Other systems could be using character encoding conversion mechanisms other than iconv().

  • @catcatcatcatcatcatcatcatcatca
    A month ago

    This affects every binary that links to the iconv() function. However not all implementations will have an RCE exploit, just a possibility of one. So they fall under the lower rating of 8.8 until one is found. Also I would guess this exploit makes heavy use of the way PHP makes use of path-variables for passing data. Not all request systems are as liberal nor straightforward in the way they do this.

  • @andrewdunbar828
    A month ago

    I think the point is that in the case of PHP the researchers managed to find an exploit chain that started with this bug. Until their research is published we don't know where else they tried or how hard they tried.

  • @kartonrad
    A month ago

    "Hellow my name is Oliverlearning" is what my brain heard for some reason xD

  • @abdirahmann
    A month ago

    I can't unhear it now! 🤣💀

  • @MrFluteboy1980
    A month ago

    I had to watch this video with closed captions and no sound. The captions printed Oliv Learning, so it heard that too! 😂

  • @dunar1005
    A month ago

    Me too. Before reading comments

  • @PravinDahal
    A month ago

    00:25 Oliver Earning

  • @Mohr4787
    A month ago

    It's a weird name, tbh

  • @Mitsunee_
    A month ago

    so happy I never really did much complicated stuff with PHP in all projects I still have out there. I essentially just went `php index.php => index.html` and replaced the files on the production server for every project still using PHP and that basically saved me from having to look into 99% of CVEs for php. I mean I am still running PHP on an apache host, but since it's managed by the hosting provider it's their job to fix what's left.

  • @robertvangeel3599
    A month ago

    A tech talker explaining that UTF-8 is English encoded, is like a car mechanic explaining that oil goes into the inlet for the heating system.

  • @b33thr33kay
    A month ago

    Also utf-8 is not just 8 bits, but 8 to 32.

  • @ConnorMoody
    A month ago

    These videos are a great way to be notified of things like this, and appreciate you taking the time to explain the bugs too! I work for a web hosting company as a developer, not as security - but I alerted our security team to this thanks to you.

  • @jamesrobinson6330
    A month ago

    Fake news, they just want to take our lambos!

  • @Jeddacoder
    A month ago

    😂

  • @everyhandletaken
    A month ago

    😂

  • @fhsoecane-em7rq
    A month ago

    🤣🤣🤣🤣🤣🤣

  • @kyliefire5008
    A month ago

    Lol 😂

  • @orbatos
    A month ago

    Two notes, this isn't a Linux only bug, GCC is used for windows PHP deployments as well. Chinese uses double or even quad byte characters depending on the encoding. Since it seems to require installation of Chinese support and requires chaining that limits the vulnerability substantially.

  • @gg-gn3re
    A month ago

    This impacts basically everything, not just php lol

  • @Knirin
    A month ago

    Only if they use glibc’s iconv implementation. There are at least two functional replacements for iconv if I don’t count wholesale alternatives to glibc.

  • @AK-vx4dy
    A month ago

    In ancient times, burned once by an external library which theoretically has versioning but forgot about it, I started to round external structures or buffers with 256 or 512 bytes of "spares", which saved me hours of debugging strange errors or showed very beneficial to stability (additionally I zeroed those spares before and after the call)

  • @itswilliamanimate
    A month ago

    april be a crazy month

  • @Relkond
    A month ago

    This, putty... was the apple sidechannel key extraction (gofetch) this month? I'm honestly having trouble keeping up. What have I missed? What have I forgotten that I'll still need to act on (or at least discuss with IT) when I go back in to work?

  • @itswilliamanimate
    A month ago

    @Relkond the few I can recall off the top of my head are as follows: linux (networking code?) giving ring 0 access; xz & liblzma backdoor; poorly escaped strings in windows allowing for "script execution" (shouldn't be a 10.0/10 exploit); firewall having exploit; putty (as you mentioned); this; and others I've forgotten about

  • @GoWithAndy-cp8tz
    A month ago

    Hi ! I have a few sites in PHP and now I code in Go. Do you think Go is better itself in regards to security and buffer-overflow proof choice or this is rather skill issue? Cheers!

  • @mister_ed
    A month ago

    Anyone else think it's weird when a KZreadr says, "Hi, my name is ..."

  • @leobogouslavski5237
    A month ago

    I personally don't. With this depth and quality of content he can call himself a talking teapot if he pleases. I'd still watch every single video he releases.

  • @joeltucci1916
    A month ago

    His mother just had a premonition of what he would become

  • @CarlosXPhone
    14 days ago

    No, it's not. You need to lay the groundwork for what your page is.

  • @mister_ed
    14 days ago

    @@CarlosXPhone Yeah, but it would be more logical to say, "This is "Super Tech News" instead of "I'm Super Tech News". Even better, "I'm Bob and this is Super Tech News". Maybe you don't want to say your real name? Make up a stage name. Hollywood does it all the time.

  • @jamesst8503
    A month ago

    Yes, major vulnerability. Everyone zip your projects hide them and start running.

  • @netx421
    A month ago

    could this cause a glibc error when attempting a shutdown? Could that be a result of or indicative of an overflowed buffer?

  • @mostafanabil2526
    A month ago

    Saying rust would have fixed that bug is kinda misleading since any language that employs bounds checking would have

  • @antoniong4380
    A month ago

    Yeah, I guess... If you also embed the whole GC just to run that code module. Only Rust could be used to write something that could be embedded without forcing you to run a GC

  • @jsrodman
    A month ago

    The reason this is always asked rust and not other memory safe languages is that rust has the right features to replace c, while most others do not.

  • @SuperSmashDolls
    A month ago

    If you were to rewrite iconv in Rust, no other software would even notice. If you rewrote it in (insert GC language here) a lot of software would have new and interesting performance problems from having GC heaps stuck in them

  • @atijohn8135
    A month ago

    @@antoniong4380 you have bounds checking in C++. if you write an inline function/macro e.g. array_get_checked(), then you also have bounds checking in C

  • @user-uf4rx5ih3v
    A month ago

    Most other languages that do bounds checking are garbage collected and not suitable for tasks like this as a result. C++ does not do bounds checking, that's a common misconception. I do know that Ada does however. There's also ATS, although that's a research language. I can't really think of anything else, perhaps D-lang might do it?

  • @TheJackal917
    A month ago

    I wonder if it has been used previously and how many times.

  • @bartaszili
    26 days ago

    Bro, for PHP this is so specific, that it only applies to 3 webpages in the whole world if not -1. For anything else it only applies if you mess with that exact specific Chinese character set in HTTP headers in a very specific way. OMG quick we f.n need to panic coz another mind blowing huge bug is here... Why do you think this one was discovered after 24 years? Because it is such a frequently used technique? No, because that one person who found it was trying to break a system. This concept was the example he came up with, but in reality nobody is coding like that, and if so, then they deserve a good hacking.

  • @CarlosXPhone
    14 days ago

    Actually, I disagree. This is not exclusive to just websites, blogs, but many people forget forums. Yeah, those exist. Most forum software TODAY is stuck on legacy php. I'm not kidding. And, even if you're an admin that runs forums, you might still have 5.6 installed. Eeek. Fortunately, I keep up with the latest versions of forums every update released.

  • @hl-tt
    A month ago

    how can you take over a device with 4 bytes?

  • @joejavacavalier2001
    A month ago

    Could this bug be used as a basis for an SQL injection attack? If you have complex Chinese characters that decompose into quotes, wouldn’t that be bad to put into text fields of a web page that expect western languages? I suppose in the software that I write, I use prepared queries! Also, could this be used to write and execute code with the same privileges as Apache (depending on how the memory immediately following the buffer is treated)?

  • @EionRobb
    A month ago

    Would disabling the iconv extension for php be another way to mitigate the bug?

  • @autohmae
    A month ago

    Maybe, but only if your application doesn't depend on it.

  • @jsrodman
    A month ago

    Seems weird not to comment on php on musl in this context. Is running on musl an effective mitigation?

  • @JeremyAndersonBoise
    A month ago

    Yes

  • @danmihaifilip
    A month ago

    the glibc website says "The current development version of glibc is 2.40, releasing on or around August 1st, 2024." so it's not something that we can do about upgrading it

  • @kallesamuelsson8052
    A month ago

    Yeah, this part stuck with me too. Most youtubers casually say "just upgrade your glibc or linux distro" but glibc 2.40 is not released and current LTS distros don't have a patch for this. Is there an actual viable fix for this?

  • @gtdmg489
    A month ago

    You most likely won't encounter such vulv anyway if you're not dealing with encoding conversion. Most likely you're using mbstring because of its multibyte-safe character encoding. Even then it's best to check the requirements or soft deps your packages might be using.

  • @erikkonstas
    A month ago

    So that's how I find good vulv... 😂😂😂

  • @Cryogenicbanana
    A month ago

    So really dumb question incoming. If I have a fresh install of Linux mint, with nothing extra installed except for steam and discord. Is my system in the clear or do I need to do something? I'm sort of new to this whole thing.

  • @TankEnMate
    A month ago

    If you're running Ubuntu LTS with unattended-upgrades your system was updated last Friday (19th).

  • @gidedin
    A month ago

    If I don't use ICONV to translate to that character set, should I worry too? I use it specially to convert between and from UTF-8 to WINDOWS-1252.

  • @autohmae
    A month ago

    We don't know yet....

  • @ThomPorter74
    A month ago

    @@autohmae how about if I don't use iconv() at all?

  • @autohmae
    A month ago

    @@ThomPorter74 We do NOT know YET.

  • @ThomPorter74
    A month ago

    @@autohmae ok, I WASN'T sure.

  • @autohmae
    A month ago

    @@ThomPorter74 we got to wait till May 10

  • @wlockuz4467
    A month ago

    It doesn't affect my Lamborghini, won't fix.

  • @larry_berry
    A month ago

    What's up with all the kinds of vulnerabilities suddenly appearing this month?

  • @holykim4352
    A month ago

    wordpress is typing.......

  • @sussteve226
    A month ago

    Will this affect my InfinityFree website?

  • @SloMoBob
    A month ago

    He got his hair cut! Really wanna see you try out Go, just seems like such a good fit for how you operate

  • @MrHerbalite
    21 days ago

    For your own PHP project, disable Iconv in the PHP settings (or .htaccess) and run the project again. If it's not throwing any error, I would say, your PHP installation is fine of this particular issue.

  • @diobrando7642
    A month ago

    A few weeks ago I played a CTF with a challenge that had this kind of bug. It was written in rust, but it was all wrapped in an unsafe block

  • @hthring
    A month ago

    do you have to have the chinese char set installed ? would you by default

  • @cameron1729
    A month ago

    It's actually about encodings. iconv converts between encodings (i.e., representations of characters in memory). It doesn't have anything to do with what's installed on the system because knowledge about the different encoding schemes is built in to iconv (the glibc implementation of it in this video) directly.

  • @OganySupreme
    A month ago

    I love these kinds of videos! I have hardly any experience or knowledge with security and am unsure how to start. These videos make the concepts more understandable. Thank you!

  • @LowLevelLearning
    A month ago

    Go for it!

  • @pif5023
    A month ago

    It would be great to have an in depth video on why just 4 extra bytes are such a threat. I never dealt with low level code so I have no idea, it’s a complete mystery to me.

  • @crism8868
    A month ago

    I probably don't understand it well enough to explain it but basically a program allocates a very specific amount of bytes for a task, if said task overflows it overwrites memory allocated for something else, even if it's 4 bytes that can do a lot of harm and escalate to arbitrary code execution

  • @jeffspaulding9834
    A month ago

    Simply put, the compiler doesn't waste memory if it can avoid it. If you have a bunch of variables, it usually puts them right next to each other. Now imagine that you've got a variable that's supposed to be 20 bytes long. Right after it in memory is another variable - let's say it's the address the code should jump to at the end of the current function. If you write 24 bytes into that first variable, you're really writing 20 bytes into the first variable and 4 bytes into the second. You've just changed where the program jumps to at the end of the function. Normally that sort of thing would cause a hard-to-debug crash in the best case and memory corruption in the worst. However, if things are arranged just right, you might be able to use something like this to intentionally specify the jump location to something that invokes a shell or otherwise opens the program up to more manipulation. This sort of thing works because the computer doesn't really understand the concept of a "variable." It just sees memory addresses. It's up to the compiler and the programmer to make sure that the correct memory addresses are used and that you don't write to addresses you aren't supposed to. Languages like C don't give the compiler enough information to pick up on this sort of thing, so it's up to the programmer to make sure it doesn't happen. They're only concerned with the raw mechanics of what the computer should be doing, so if the programmer wants to copy bytes from one location to another they have to write out exactly how that happens. Programmers make mistakes. Well-written libraries help a lot, but C will happily let you shoot yourself in the foot if you tell it to. Languages like Rust and Ada require the programmer to provide more information about the intent of the program, so the compiler is able to do more checks to find programmer mistakes. There's a cost though - either in runtime (bounds checking) or loss of flexibility (i.e. sometimes you really do want to shoot yourself in the foot). Good languages offer the programmer usable tools to overcome the loss of flexibility, and bad languages are just a pain to use. I've never written any Rust or Ada, but from what I hear they're pretty good languages.

  • @erikkonstas
    A month ago

    4 bytes can easily be a return address...

  • @user-uf4rx5ih3v
    A month ago

    The operating system gives certain access to memory. When memory is in use, that space is protected from being read and written. When you overflow without crashing the program, you are essentially corrupting this entire model. Often times, this simply leads to data corruption which usually results in a runtime crash. The way this can be exploited however is somewhat program dependent. If you overflow in just the right place at the right time, you may call a system function or server function with arbitrary arguments. Note that attackers are often smart and patient. They will do this for months and even years to get access to a system and exploit it.

  • @thisbridgehascables, a month ago

    A lot of these vulnerabilities require a particular level of access to be exploited, which he noted but didn't really expand upon. Also, a lot of PHP frameworks probably have expanded or limited access to request methods. Also, these vulnerabilities would probably be more in development projects where people are not putting security in front of requests, or not whitelisting IPs or blacklisting IPs. Also, this would probably only apply to public-facing PHP apps and websites with very little security or poorly written code. So your local environment or a docker container is outside of this.

  • @AlexAutrey, a month ago

    Wouldn’t python Django be vulnerable as well?

  • @developerdeveloper67, a month ago

    How exactly would you create a back door with a 4-byte buffer overflow?

  • @erikkonstas, a month ago

    4 bytes can easily be a return address...

  • @YourMom-rg5jk, a month ago

    @erikkonstas specific to 32-bit architectures?

  • @BenStoneking, a month ago

    I know I’m asking you for content that the algorithm is not kind to, but could you make some more videos that hit hard in the bare metal embedded world? I’d love to see you do some stuff with RTOS, sensors, sensor fusion, bootloaders and other nifty. Even just building some neat little project would be great. Cheers!

  • @timop6340, a month ago

    The feeling when you switched to static HTML after a WordPress plugin allowed an attacker to do their thing (for example: delete all on-site backups). Since then there have been at least 10 more plugins that are vulnerable, and now this sort of thing pops up.

  • @kizitoomoit6988, a month ago

    Watching this while running many instances of WordPress on a Linux server 🤒 [Edit] Is this the same as the GHOST vulnerability that came out in 2015?

  • @BizanosaTutorials, a month ago

    Which PHP version are we talking about here?

  • @thegittubaba, a month ago

    Huh, what about PHP linked with musl libc?

  • @georgehelyar, a month ago

    Another alternative fix would be to run on Alpine Linux, which uses musl instead of glibc. If you're using a container just add -alpine to the base image.

  • @TheDefpom, a month ago

    I am forcing UTF8 in headers, and in php itself in my applications so I doubt in my case users can spoof to the Chinese char set on page submissions.

  • @w4439, a month ago

    We have to be scratching world record territory at this point. How are all of these massive vulnerabilities being found just days apart?

  • @guy_th18, a month ago

    driving and I'm swerving and i violently conv (iconv!)

  • @rangeispow, a month ago

    Should I be concerned about the fact that the KZread app on my TV has suddenly changed to the Chinese character set?

  • a month ago

    Should static analysis have uncovered something like this?

  • @RC-1290, a month ago

    I was under the impression that UTF-16 wasn't English specific, but simply required multiple subsequent 16-bit values for codepoints over a certain value.

  • @Hallilo, a month ago

    HOW MANY MORE VULNERABILITIES ARE GONNA GET DISCOVERED?

  • @Dratchev241, a month ago

    yes

  • @JeremyAndersonBoise, a month ago

    Some of them

  • @devin-little, a month ago

    Thank god Void and Alpine are safe

  • @dailyhumanfact, a month ago

    Wow.. can't wait to see how the vulnerability works, explained by the researcher

  • @otaxhu8021, a month ago

    Please can you do a video on how to use the LwIP stack on Linux for beginners? I'm trying to learn it to write some firmware with it, but the documentation isn't explicit on how to use the BSD-like Socket API of LwIP. I would appreciate it if you do it :)

  • @slaughtz, a month ago

    Wouldn't the scale of this vulnerability be limited by proper permissioning of the applications themselves? glibc can be run without root access, therefore mitigating total system access. However, it could still be a means of acquiring data.

  • @DrowsySquid75, a month ago

    php itself or php derivatives (like hack?)

  • @slowdownex, a month ago

    Wow, that's very cool!

  • @NeroCat9999vr, 24 days ago

    99% of computers are loaded with Windows. 85% of all Windows PCs have full access at all times to support. Less than 1% of computers come loaded with Linux. 25% of all Linux users will have access to support, given you're in a known and loved distro. Most Linux support groups are full of toxic people riddled with a superiority complex, or they're often just unable to help. Linux requires full-spectrum knowledge of its proprietary kernel and commands to install literally anything. Use Windows. It isn't a difficult concept.

  • @RemizZ, a month ago

    Is "would Rust have fixed it" the new bar everything gets measured to? lol

  • @antagonista8122, a month ago

    These types of bugs (memory related ones caused by the language deficiencies) are the biggest problem with software safety, maybe that's why.

  • @RemizZ, a month ago

    @@antagonista8122 I certainly wouldn't mind having strict types and the borrow system in PHP. Would be an insane break with its roots though.

  • @erikkonstas, a month ago

    This is actually political, the reason he mentioned it is to stave off the Rustacean vultures from the comments... if you look into it, it won't take long to discover what end of the horseshoe they belong at... (hint: they have "mallocophobia")

  • @sillysquirrel9979, a month ago

    It's just a common question

  • @simpleprogrammingcodes3834, a month ago

    I think it's just a new meme.

  • @squid13579, a month ago

    Looney Tunes SSH, OS injection (Palo Alto), IoT hotel door encryption flaws, and now this!! Oh God, 2024 is haywire for cyber security professionals. 😤🔥

  • @felixliberty772, 18 days ago

    If C is under attack, what is the problem with PHP if the developer knows what he is doing?

  • @notmewooshme9916, a month ago

    Why are all the bugs coming out all of a sudden?

  • @neociber24, a month ago

    More eyes

  • @TwiceVisible, a month ago

    AI?

  • @jmatya, a month ago

    Bug bounty and more eyes

  • @HydratedBeans, a month ago

    It’s probably state actors

  • @nohopepope, a month ago

    Think about it within the context of the 2013 Snowden leaks (where it was exposed that the NSA mandates "compulsory compliance" backdoors be made by tech companies and that tools be given to exploit them). These old exploits are becoming less useful as people upgrade their hardware and firmware, but they become infinitely more valuable by sacrificing what little use they have left (by "discovering" and exposing them in rapid succession) for the NSA to promote other languages that contain other exploits that will take their place. I guarantee you there will be another video in 20 years about Rust that will expose some "recently discovered" bug (that has been around for 20 years) that will renew this cycle.

  • @theplaintech, a month ago

    Any real impacts on WordPress?

  • @wily_rites, a month ago

    Rust would have fixed this, unless you set the compiler to ignore it, because you have a back door in the Rust compiler. I can't help but wonder; could this glibc escapade have been placed intentionally?

  • @dixztube, a month ago

    All the gov backed exploits

  • @tripplefives1402, a month ago

    @6:16 That's not true; Rust uses glibc internally for those functions of the library. The system-level libraries in Rust are wrappers around libc.

  • @shrootskyi815, a month ago

    The idea is that rewriting glibc in Rust would have stopped the buffer overflow and memory corruption. I'm not even sure that writing a libc implementation in Rust is possible though.

  • @randovidupload9422, a month ago

    @shrootskyi815 f rust, rust is trash

  • @erikkonstas, a month ago

    @shrootskyi815 I love the idea of trusting Rust with handling C calling conventions... /s

  • @ekiso_official, a month ago

    5:58 Rust does runtime bounds checking by default? This sounds like it would hurt performance quite a bit as well.

  • @1vader, a month ago

    You can't exactly be memory safe without doing bounds checks. But the performance impact is much less than you think. For starters, the checks can be optimized out a lot of the time if the compiler can prove that the access is safe. For example, in a for loop up to the length of the array, it's clear that the loop variable is in bounds. Or if you have multiple accesses in the same range, you often only need to check the first one. Also, most of the time, you'll be using iterators anyway, which don't even have accesses by index that need to be bounds-checked. But even if the check isn't optimized out, the cost is generally extremely small. It's a single compare and branch that the CPU can predict extremely well. People have tried measuring the performance impact of disabling bounds checks on real applications and it's often not even differentiable from random noise. And of course, if you do find bounds checks in a hot loop to be an actual issue, you can always do an unsafe access.

  • @Zullfix, a month ago

    I can't speak for rust, but C# does runtime bounds checking too and yet the performance impact is negligible. I have actually had cases where indexing an array (bounds checked) was faster than dereferencing a pointer offset (not bounds checked) by a few nanoseconds.

  • @LightTheMars, a month ago

    It's a good question and I looked into it. As a test I changed the hot path of a fairly optimized program of mine (for data processing) to exclusively use unchecked array access. The results were interesting, with some test data the performance improved by around 2% compared to checked indexing, while with other data the performance got slightly _worse_. An article I found noticed the same and theorized that LLVM can in some cases optimize better with bound checks than without. (You could likely prove this by checking the assembly if you want to spend that time, I didn't.) Now my test case is extremely heavy on indexing into large arrays, so I assume that 2% is on the higher end of impact. In most cases it should be negligible, and in many cases it's optimized out anyway.

  • @devrim-oguz, a month ago

    At this point we better start testing all buffers everywhere for overflow 😂

  • @Leonhart_93, a month ago

    Ah, so it does absolutely nothing for me as I never used that function. But why specify "PHP" when it's about C systems in general?

  • @danp8321, a month ago

    He explains that in the next part of the video.

  • @Leonhart_93, a month ago

    @danp8321 He does the explaining after a clickbait title and that beginning? He knew perfectly well what he was doing, just using PHP's past reputation for this purpose.

  • @samuelwaller4924, a month ago

    @Leonhart_93 ...yes he does explain it. The bug is in glibc, but is not very exploitable in and of itself. However, apparently the way PHP specifically uses it can lead to exploits. It's all in the video.

  • @sp3ctum, a month ago

    Rust mentioned?

  • @Test-iv4pm, a month ago

    What if everything is bugged o.o

  • @trumpetpunk42, a month ago

    "always has been" meme...

  • @erikkonstas, a month ago

    You know that's true even outside the software field right...? You can't bypass the human nature.

  • @erikkonstas, a month ago

    @nuggets450 Not to mention at the planet level... including the roof we sleep under...

  • @MustacheMerlin, a month ago

    C really needs to make every pointer a fat pointer by default... (fat pointers include the address, as well as a _length_ that can be checked against to prevent out of bounds indexing.)

  • @0xcrypto, a month ago

    2024 lore is already going crazy

  • @matthias916, a month ago

    I get why you wouldn't want to let users write out of bounds, but I don't see how a buffer overflow could lead to anything more serious than a segfault. Like, how is someone going to execute code on a server by overflowing a buffer? Could you maybe do a video on that? Or am I the only one that doesn't understand that?

  • @UnlikelyToRemember, a month ago

    You get a segfault if the bytes past the buffer are NOT a part of the process' address space (attempting to mow into your neighbor's lawn as it were). But what if the bytes just past the buffer ARE a part of your address space and what if they contain some "important" variable, and by changing that variable's value you trick the program into doing something it wouldn't ordinarily do... oops!

  • @erikkonstas, a month ago

    Uh, you "don't see" it because you've most likely grown up in a world shaped by those who saw it with all the hairs on their bodies... but there's an issue, overflowing the buffer can mean writing on the function's return address, and guess what will happen when the function then returns... and how to direct the thing that will happen in your favor...

  • @matthias916, a month ago

    OK, I see how someone can set the return address in the stack, but then your buffer would have to be overflowing into the stack, and not only that, you'd also need the address of some executable bytes in memory that you control. That just seems highly unlikely to happen. I get it can happen, but does it actually happen?

  • @erikkonstas, a month ago

    @@matthias916 It can, yes. Well, your buffer won't overflow "into" the stack, it will be in the stack itself. Something else can also be in the stack, and if your stack is executable good luck...

  • @matthias916, a month ago

    But if your buffer is on the stack then it grows downwards, doesn't it? It wouldn't grow towards the return address.

  • @dstrmberg, a month ago

    glibc v2.25 Coverity report, defects by status for current build:
    539 total defects, 400 outstanding, 138 fixed 😢

  • @bounceofffast, a month ago

    How to patch glibc?

  • @TRDiscordian, a month ago

    I wish this was more accurate so it was easier to understand the scope.

  • @nictibbetts, a month ago

    Gonna exploit this right now. Thanks!

  • @randomgeocacher, a month ago

    I guess php should CNA this CVE to 10.0, to indicate that in their context it is an unauth’ed RCE for many installs. Rating vulnerabilities on library level always is a bit “garbage” due to “garbage in, garbage out”. If you don’t know the application context, you basically yolo guess all parameters around exposure/likelihood.

  • @timvw01, a month ago

    Only if you use unwrap

  • @jimorgain63, a month ago

    these drums sound great with new heads

  • @gonderage, a month ago

    lmao what a pike matchbox moment

  • @hardrocklobsterroll395, a month ago

    Dawg is feasting this month

  • @CR-Kun, a month ago

    // Check if the charset header is set and its value is ISO-2022-CN-EXT
    if ($request->header('charset') === 'ISO-2022-CN-EXT') {
        // Remove the charset header
        $request->headers->remove('charset');
    }

  • @Binxalot, a month ago

    Where would you put this? at the top of every php page?

  • @opusdei1151, a month ago

    bro you can simply remove the charset for glibc

  • @TheAwillz, a month ago

    I found something weird af on the HTB Academy last month (could be my computer) but haven't had a serious answer from their team. Setting up a server listening on port 5555, I was expecting a reverse shell but instead got a load of file paths and file names and IP addresses of some Asian dude running from Vietnam. First on me, dunno wtf happened.

  • @christophertatro2352, a month ago

    Sounds like this exploit would need to receive input, the module would need to be enabled, and specific calls to parse characters through incorrect coding practices.
