Any chance you will be offering student discounts in the future? I’ve started doing picoCTF and hackthebox challenges for a school club and think that the courses would be great learning resources for building applications with c but the price feels a bit too prohibitive
bro. you have the style, you have the knowledge, and you have the courage. I liked your talk, your analysis, damn how I love these videos...keep going.
Exactly. The person who wrote safe_system probably got into arguments with the person who wrote account, who told them to not to worry about it. Some manager then told them to ship it and move on. Then the manager got their bonus for delivering on time.
@kapstersmusic I would assume the person who wrote safe_system never saw what the one who wrote account did. That would be gross negligence to not replace these 4 lines with their better, ready-made equivalents. Safe string processing is part of the standard, and safe_system is just there. Even without changing the string processing, just using safe_system to make sure the exploitable buffer overflow isn't literally ready to use as-is would be 2 seconds well spent. The security researcher would have maybe spent hours instead of minutes to get a working exploit.
The problem is not one programmer not being up to the task of writing safe code; or people talking to each other... the problem is quality assurance and testing. A company should never assume that a person doesn't make mistakes, it's about validation and testing. And D-Link apparently doesn't care enough about the quality of their products.
@@Exilum I would guess safe_system is from some sort of library, and the call to it was copy-pasted, but the account program was new and written by someone trying to only use the C standard library or sth like that, maybe because they didn't know how the Posix API worked, would be my guess.
@@svaira Or the other way around where the account software was from an older era some 30 years ago where things like this didn't really matter since it was executed from the root prompt.
This is actually a genius level move by D-Link: They not have to fix *past* bugs because they deem their hardware antiquated. Also! They also don't have to fix *future* bugs because they just scared away their entire customer base
@@dave7244 The 340L was released in 2015, and according to the dLink website "This product was phased out on: 29/10/2017", so maybe they were available for sale until then (and maybe even after that date from some retailers).
"D-Link US recommends retiring and replacing D-Link devices that have reached EOL/EOS" - To which every owner should say, "No problem, I'll replace it with a different brand".
//"D-Link US recommends retiring and replacing D-Link devices that have reached EOL/EOS" - To which every owner should say, "No problem, I'll replace it with a different brand".// ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
" replace it with a different brand". Why? To have a bug from a different company? A bug which will be there for a decade, discovered only by hackers? Never buy a 'NAS'. Use your old PC, install TrueNAS on it, put it into its own VLAN and call it a day.
The funny thing for me is the vulnerability means you could recompile the account command to use safe_system and then use the vulnerability to download the patched account binary to the NAS, fixing the hole.
That was my initial thought as well. Seems this could be fixed rather easily, even by "hackers". The guy running this channel could probably make the patch, Linksys refuses to do, in a matter of minutes.
Even if they audited the code they wrote who’s to say the unix utilities calling were audited. The usernames etc should have been sanitized to remove any non alphanumeric characters, so their safe system is anything but safe. Anyway it was a great video. Even with input sanitation, the fact it is calling other programs makes it a crapshoot.
@@richcole157 It looks like the vulnerability can be triggered through the `pw` field and it is much harder to sanitize it in the way you suggest for `name`.
Do you really think they have _teams_ working on that? More likely one part of the code was written by one overworked guy at one time, the other part written by another overworked unqualified guy at another time, and all copy-pasted together by an unpaid intern later ...
Imagine how chuffed the guy was finding this bug, like "yeah im definitley getting a payout, they will be so glad i found it!", just to be told to feck off and that the fix was buy their new products XD Poor bloke
@@bmanpura maybe, it would certainly teach them a lesson, but if your a genuine pen tester/bug bounty hunter your risking your career doing shit like that. The amount of attribution and tracking sites these days is insane. One example, I wrote a little article on footprinting Imap/POP3 mail servers last week. I googled the article the next day to find that id been entered into an International cyber threat database. The bot armys are real af bro. They had entire maps and models of endpoints and systems just from my write up.
No consumer protection law protects your from end of life products. In fact in Europe it's only 3 years warranty for a new product. Some pro or enterprise products get 5 or 10 years warranty but then consumer laws don't apply because the buyer acts as a company not individual.
Reminds me of a time a car dealership sent me lottery thing in the mail. Said I won a $50 gift card. Had a number to verify. Verified as valid. Walked into the car dealership and it was a "raffle" with the winning numbers already picked. Mine was not one of those numbers. Told them fuck you and that I'm never coming there again. The kind of idiot that looks at and buys a car after that is next level stupid.
The team that wrote the "account" program assumed that their program is only going to be used by users that are already authenticated inside the machines shell. The team that wrote the HTTP server thought that the "account" program is safe to execute with parameters controlled by the unauthenticated user.
You probably hit the most likely explanation. Unfortunately, the bigger problem is D-Link unwilling to update it or at least send out a crisis report to news agencies to let customers know. I did see someone hint at mandatory open sourcing for deprecated software. I think that would definitely help, because the person who finds the bug could patch it. Maybe we need to promote open source routers now?
Open source radio transmitters have a remarkably hard time getting FCC approval... Qualcomm isn't the _only_ reason Qualcomm radio chips continue to use closed-source code. It's really annoying; the efforts to block true direct mobile-to-mobile LTE, were so coordinated, one could almost be forgiven for mistaking those efforts as good-faith "interference prevention". Open wireless is anathema to regulation; it's been stomped on, one product launch after another, my whole life or more.
HOT TAKE: If vendor stops supporting product because if it's out of live even with such security critical cases, we as society should stop supporting copyrights related to it. Granted here there's probably not that much to protect, but if there's any copyright protection on that code, it should vanish, reverse engineering ? Producer orphaned it, we're not gonna prevent people to adopt this child. Re distributing binaries ? If it's not worth for you to fix it it's not worth to us to chase people that copied it.
That should not be hot take at all. If aren't making money on your copyrighted thing, what are you protecting it for? Kind of same with games. Your game is not officially available for purchase? People get to crack it and share it freely without consequences.
@@tyrannosaurus_x Yea honestly that take developed because of stop killing games initiative in the first place. And not even about "Me wants to play games that aren't available" thing ( be it it's still valid approach) or that company isn't making money anyway, i mean questioning how system works in much broader way. We as society agreed to protect data, (art work code, design so on) (which i'm not against to be clear, my problem starts and ends with how system work currently not with existence of system) and at this point we agreed to do so at ridiculous time frame, Mickey Mouse famously entered public domain in 2024, a artwork from between world wars period, i'm from Poland, in our calendar that's like two invasions ago, neither of my parent's were alive when it came out, and they had me at ridiculous old age, they grew up in different world, telephones were rare, cars too, country was still firm in grip of USSR and iron curtain divided Europe, i grew up in free Poland, wit ability to free travel across Europe because of shengen, with internet access since i could remember, YT raised me as much as mu parents did, it gave me skills to get job as programmer. My father born in 1945, after Mickey was created, and died in 2018 before it entered public domain. I tell you all this to hammer point how long time frame we're talking about, and how much of commitment society gives to copyrighted work. Even if it was out of print for years, even if original company isn't supporting it since decades, last entry in IP was made before my country in it's current form was established, it stil will be protected. In return(and i'm talking mostly about video games, but somewhat applies to software in general), they mercifully allow us to rent their software for unspecified amount of time, for usually not so small sums of money, and usually with right to take said license away at a whim without a reason. Again, not for abolishing copyright entirely. But i think in current situation "tail is wiggling the dog", and either copyright retention shorten, new causes for artwork entering public domain established or both. (Perhaps it should work a bit trade mark, if you don't use it, you louse it.)
@@sootikins Right, because manufacturers update their software after 14 years from their initial release date. You guys might be some retards or a bit clueless how things work when producing hardware and software components but hey, I'm a salesman, you got me
Synology has it's own security issues unfortunately. Their security settings page forces you to give a phone number for 2FA setup, but SMS 2FA is easily exploitable.
As a person that has programmed for 30+ years, that is absolutely insane. The incompetency is astounding. If D-link can't fix things like this, then don't buy D-link products, it's that simple. They clearly don't care about their customers.
Yes, it is truly astounding. I've done some PHP programming for myself and some friends, and did some professionally a number of years ago. One of the first things I did was write a shell command to read all PHP files and find all instances of "if X = Y", and I used that shell command during and after each programming session to ensure that I never accidentally assigned a value when I intended to query it. Checking for calls to system() would be similar (I never used system calls, so I never needed to do such checks, but it would have been simple to check for them). If I -- a single individual -- could do some simple checking and validation to prevent problems, then surely a corporation such as D-Link could have done so.
@@nullvoid3545 What? No it's not. D-Link is a subsidiary of the Taiwanese Steel Group. They have no affiliation to Netgear. Why would you post blatantly false information like that?
It's hard to imagine a scenario where this is an isolated incident. At any competent organization, the first time something similar happened, the dev-sec-ops team would've forced all kinds of commit/deploy hooks checking for system calls and requiring the lead/PO to sign off that they weren't doing something stupid. This makes all D-Link hardware sketchy. They're not a new company, and they're not small, and they're not new to making routers.
I had once a dlink router, and it was losing connection about once a day, so I had to unplug and plug it again. I decided to update the firmware, in the hope that it would be fixed. After the update, the connection was dropping every 20-30 mins. Horrible experience. I installed de-wrt (which fixed everything) and never got a dlink device ever again.
Id believe it. Like immediately after some companies want you to upgrade they say "hey there's a backdoor you should stop using the product or your product is gonna be 15% slower" Spectre and meltdown, windows XP, apple battery health, etc are ideas that come to mind.
Microsoft refusing to patch critical vulneralibity is how Windows 7 got abandoned. The idea have been around.. _Activating them is a new level of evil_
Forced obsolescence? They were obsolete before this disclosure. They're 14 year old devices. On top of that, one should NEVER use a consumer branded anything for anything actually sensitive or mission critical. These devices don't have redundant power or controllers. Those interfaces/ports/protocols shouldn't be exposed to the internet anyway. If you actually put one of these open to the internet, that's on you, not D-Link. If it's NOT exposed to the internet, in order to exploit it, you'd need to be on the local network already, in which case, you've already been compromised and you're fucked. This is something that should absolutely be fixed in any still supported devices, but end of life means end of life.
Prob a junior tech that was tasked to write the account script. This is why you need THOROUGH PR reviews and things like sonar to check for code smells like system and sprintf calls.
@speedweasel yup, a junior tech should never be blamed for something like this. If a junior dev is accidentally able to get such a bug into production, then a senior dev with bad intentions DEFINITELY would be capable of doing that as well. It's up to your pipeline engineers to make sure that CAN'T happen.
@@rikschaaf There is no such thing as code review in Chinese software development world in many places)) Nobody looks code, they just make it work, do some stuff to pass manual and automatic tests and this all. And because there was no code review for years they can't start doing it effectively because everyone is more incompetent and can't spot other people bugs just by looking code (this is separate skill which require not just technical knowledge but also able fast understand code and see whats can goes wrong) Also code review would kill they productivity and increase cost, so for them there is no reason to introduce some "bad" practices from financial perspective)
I like collar-shirt Ed. He said "You shouldn't have your NAS with its, like, butt, in the ether-net port, facing out into the internet..." omg. I lol too hard at the mental picture that paints.
As a Junior, I was terrified of making mistakes like this. As a Lead, I now realise how most of the world runs on software that people go out of their way to make utter s**t. Ask a locksmith and they'd always rather have software locks, ask a software dev and they'd always rather have physical locks. When you know, you know how bad things are lmao
Dude, the physical locks thing is so true. When I found out about lockpicking, I took a thin, flat piece of metal and just raked my apartment lock. In 30 seconds it was unlocked. Most locks are a joke. 😐
I was in disbelief about the "cut off a Bic pen & wobble it around in the keyhole" method for circular keys, so I tried it: Took me ~12 minutes the first time,
As someone who has worked in both residential and corporate IT for over 20 years now, I'll never go near D-Link. Garbage products made by a company that does not care. Nothing about this situation surprises me.
@@flarebear5346 Yes, I know. But which end user knows this. And now the vendor name is in the press again an they can start their next product. Always remember, "The S in IoT is for security" (Need to find this T-Shirt for next week it must be somewhere. )
You shouldn't have the nas open to the public internet, especially not your admin console. You'd want to have an authentication layer in front of any requests to the applications on your system, or better yet, only allow access to your system through a secure VPN. In the case of this bug, you wouldn't be able to send a request to (target IP)/cgi-bin... if it wasn't already open to the public internet (which again, it shouldn't be), but if it was or say you're connected to the same network, then your whole machine is wide open.
I used to have a shell script to redial the internet set up as a CGI. Anyone on the LAN could reconnect the internet as needed that way. We paid per call back then for local calls, so doing it this way made it convenient, but saved calls at night when no one was using it. There was a 4 hour session limit on our ISP.
I was particularly impressed by your mastery to size up the thing and communicate in relevant-human-readable. Coding is a dark art already (which is a compliment).
According to Wikipedia: "In 2022, D-Link obtained the TRUSTe Privacy seal, certification of ISO/IEC 27001:2013 and BS 10012." Certifications truly mean nothing!
Dumb switches are one thing. No one should be using D-Link for anything more than that. There's plenty of much better stuff available in the NAS or higher end consumer networking market for not much more money. I'd rather get a TP-Link setup and a Synology or QNAP NAS, but if you just need a 8 or 16 port gigabit switch? Buy whatever is cheapest because it'll work fine.
I have abandoned using any D-LINK devices decades ago (around 2005-6) for exactly these kind of practices (and bugs). It's almost unbelievable they are still doing these things after all these years and are still part of the market ...
As primarily a sysadmin with basic programming knowledge, I really appreciate the way you explained the code. Nice and easy to follow and your enthusiasm is very engaging.
I'm honestly astounded at how easy your videos are to understand and follow. My only background in coding was one course that used Python in uni, and a little introductory C++ in high school, but I'm mostly able to keep up with what you're putting down. Good vids, is what I mean to say
I actually have/had one of the affected devices (DNS-320LW). Bought it in 2012, put the community-made and still maintained custom firmware on it in 2019 when it hit EOL that December. AFAIK it hasn't been sold since 2015 so to not bother with updates a decade after going out of sale and 5 years after going EOL seems perfectly reasonable to me.
He did mention that in the video too but the low hanging fruit is the system call. I mean both need to be fixed and are right next to each other. Not sure how people are going to do that though, if at all.
Some companies one should just never deal with. This is literally the opposite of the kind of support we have been used to from companies like IBM for example.
IMO this is not a bug but a design flaw. I can't say it's intended but definitely never thought of it in security perspective(or just abandoned the security scope). This is not "fixable", this just shouldn't exist in the first place. If you say something EOL so no more security update, OK. But if you put something known with flaw(at least we all known), that's not security update. It's just a garbage be advertised as something useful. It should be RECALL. Can Tesla say their car has a known risk to explode if you press certain button before EOL but now it's EOL so they won't fix? Elon Musk will be put in jail if so.
Just because the exploit was found now (at least publicly) doesn't mean it didn't exist the whole time. Just for that fact alone, they should be required to fix their stuff. And you were correct - pants were peed on this side of the wire. Also I grabbed your lifetime subscription, Ed! Really excited to dive in! I've been a Security Engineer for over a decade now, but excited to learn more low-level skills and far more formally!
That was fun... 😂 I know you know, but I'll pointing out that at 2:34 it is just URL-encoding of plain ASCII, no Base64, so %27 is a single quotation mark and %20 is a space. I would expect the exploit to be a little bit different in the quotation style, by looking at 11:13... is it done on purpose to fool the skids? 🤔Am I blind? 😆Or maybe there was some string replacement along the way...? The stuff is pretty basic nonetheless, LOL 😁
I've seen more than once maintainers of very active, open source, self-hosted applications saying "our average user does not need enterprise level security features" when they refuse to implement things like mTLS support in their mobile client. Or sometimes they tell you to use treafik as your reverse proxy when you expose the service to wan, while traefik requires the docker socket in a container that is supposed to be facing internet. Absolutely unforgivable.
oh you mean that 'computing appliances' aren't like toasters, and are really just computers that need constant updates forever? but I bough this 'appliance' because it is cute and single purpose like a toaster that needs no updates ever
I'm on the older side of Gen Z but I absolutely despise *wearing* collared shirts. Though I don't mind you having one. It's not tight too, so it doesn't feel like I'm getting choked just by watching.
D-Link has a history of doing this. When I was in university, I found a couple of significant bugs in DIR-601 routers that could lead to RCE in many cases. The first bug was a command injection in the router's diagnostics page that let me inject arbitrary shell commands. This page normally requires that the user be authenticated as an administrator to access it. Unfortunately, that authentication was flawed and due to an API endpoint in the router not being properly authenticated, it was possible for a user authenticated as a regular user to generate and download a configuration backup. The administrator password was stored as plain text in this backup. I can imagine most people would not change the default user password, since it isn't privileged. I attempted to report this, but every email I sent bounced with an inbox full error. No idea if it was ever patched.
This is the rare occasion I'm actually sort of on D-Links side. They're not even in the NAS business any more. I'm sure there are lots of 0-days lurking in the mountains of EOL hardware & software out there. At some point using old stuff becomes "use at your own risk"
I don't like D-Link, at all, but I completely agree. For all we know, their engineers discovered this among other things, and that's WHY they killed the product. Corpo's would never call an end of life without immense pressure from the engineers, not while there's still any free milk left to squeeze.
It's not an excuse to not inform the public if the info was made known and not allowing for the community to fix the bug on their own. If anything, they should write that on the product box with the warranty. If the product is out of warranty, you are at risk of your devices being hacked and the company will not make any further patches to protect you. This is not apparent to any consumer, because we don't know the End Of Life ahead of time and no public announcements are made. Maybe this more of a legislative issue regarding packaging, like food expiration dates.
@@someonespotatohmm9513 yeah we did... on smartphones as long as they are guarantee cases. so 2 years more or less. the d-link stuff mentioned here is EoL since 2017. not really fair to blame somebody to not have updated their old ass fk. anybody here mad at Microsoft for not patching Vista anymore? no? exactly the same thing.
Oh yeah, D-Link. I'm a dev as well as an IT consultant. Got hired for a project because a company was facing issues where their entire network went down intermittently. Turned out they were using D-Link switches everywhere in their network. These switches had a vulnerability that could trigger a packet storm. There was no firmware update or fix. I replaced every single piece of network equipment that was made by D-Link with its CISCO equivalent. This was 5 years ago and their network has been working reliably ever since. D-Link is a total mess.
And no mention was made anywhere about requiring authentication to access the CGI... So even if you could not run arbitrary commands, you could likely still create accounts.
Aaaaaand that is another final nail in the coffin for D-link anything now. I mean, on top of the surprise d-link is even a thing anymore still.... But yeah, that kind of reply, without say....releasing some source so the community can support the products they refuse to....has done exactly what they want but not how they want it. Yeah, Ill replace EVERY d-link device with NOT d-link now. Good job on the PR front d-link....morons....
@@corvusnocturne Kai Saikota and Fauna are the only vtubers I know that have one, except them, I have never seen anyone with one Eric Parker has kitty headphones, so Low Level could learn from him
Great video, really good!! I think an additional (final nail in the cofin) and also good information for the rest of the mortals is, the following - How would you fix that issue; to make it safe? - What measures could we all take to avoid stupid stuff like this getting out? It seems to me they are avoiding fixing it for some reason, which says to me that some company advocated for this fix and they pay big so they don't want to remove it. That security flaw is a feature for some company which is the worst case and the scary part I think.
It's frustrating that companies aren't more accountable but please for the love of god don't call for legal accountability. The law can't and shouldn't make it illegal to sell shitty software. The only fix is for consumers to care. At worst such a law just ends up making it effectively illegal to pay someone to install OSS since they can't cover the lawsuits if someone finds a bug. At best you'll just get a law like they have in the EU which means most upstream providers can only use software that is certified not to have known vulnerabilities. Guess what that encourages? Closed source bullshit that discourages security research.
Indeed, road to hell is paved with good intentions. In 10 years when all the free open source will be pushed out because nobody will be willing to risk going to jail or pay fines for bad code or paying for certification, same people who asked for this will be crying about corporations destroying open source and wondering how we ended up there.
We need software engineers who, like other professional engineers, can be held personally legally liable for their work. The software industry is much too lax with the rigor of their code.
You have to have legal technical standards to have individual liabilities. No such thing in software (and good luck), so who sells the product, the company, takes liability.
Your device ... your possession I really don't get it that adult man and woman are not able to install ... effing OpenWRT ! Have I uttered a secret? ROTFL
Wow. And what would that liability be? Perfect code? And for how long? Forever? Why is it not enough to have companies liable? Software is more complex than anything else and also not a very relaxed industry for most people.
Not to be "that guy" but these affected hardware platforms were released between 2011 (the 32x devices) and 2014 (340L) - how long *should* a manufacturer support software for a device that was sold that cheaply? I'm curious because while I understand this vulnerability is bad, the fact that they're not patching it on some hardware models that they shipped 10-13 years ago shouldn't really be a knock against them - only the vulnerability being this simple and destructive. Saying they're saying "f off" because they won't update software on some almost 14 year old NAS devices seems a bit unfair and distracts a bit from the discussion around the vulnerability itself.
@@cluberti another way to think about it is that this bug has been around for 10+ years. D-link should be fixing this out of principle alone. Otherwise why would anyone trust with their products in the future? The fact that they dont care at all about this pretty simple exploit is a major red flag for any of their existing products. Points to a lack of basic security hardening in their products. Imo it shows theyre too focused on making and selling new and shiny things. Instead of products youd feel okay about on your network I should add that I never particularly liked D-link already. Feeling pretty justified ngl
@@Aguyinachair D-Link gear was always bottom tier garbage and that's probably why you don't like it, or been taught not to like it, but having sloppy code that creates pretty glaring security flaws was the final nail in that cheap coffin.
Oh I get it, but this is getting what you paid for as a customer. No way DLink is going to pay anyone to fix this code at this point given the price point these sold at when new, and that was a long time ago.
That's a very good point but I think in a world where we're pushing towards "net zero"; they should have some basic support for at least 10 years after the last one rolls off the production line. Their EOS policy seems to be 5 years after introduction which seems crazy to me.
I owned DNS 320 some time ago, but since It doesn't even support SMB v2 I had to give up, and upgrade into something newer, because apparently DLink doesn't give a s*** on this :) This Video made my day, thanks :)
I get the feeling that this was a case of a high-level executive saying, "My nephew is a wizard at this computer stuff and he's going to be interning with us for the summer. Give him something important to do."
i'm an swe student and i still don't see myself a good coder programmer I don't understand a lot of concepts and I wasn't passionate about computers in general before entering college. i only know the theoretical concepts but these videos are really making me love the field and wanting to learn more and make me curious more and more!
Being anti-bug is discriminatory. You must tolerate the inclusion of these diverse bugs. They are our strength. Being vulnerable and diverse is better than being discriminatory and intolerant.
The list of affected devices doesn't include my D-Link NAS model, but I'm concerned that it might be an oversight or because it's a minor version that is also affected but they didn't mention for some reason. It's a DNS-321.
That’s hilarious!😆 I mean, I wrote some php scripts for my department, which themselves call a “exec” command. But I switched to borderline paranoia mode, when I wrote that to get all requests sanitised. Funny and frightening to see, that those “pros” didn’t bother.
That account code has to be that "I just whipped this up in a few minutes" code that the founder wrote decades earlier and "it worked" so they never wanted to touch it. Even if that somehow wasn't there until 2018 (there's no way...) it's still actually insane that it took this long to find!
"- Does this mean that I have flawed the exam?" "- Oh no, oh no! Of course not. We are strictly DEI here. We really don't wanna get sued. You should go get another employer if you wanna do that. Here I have a list of some 'friends' that I can recommend!"
D-link is also known as bottom-link. Even their enterprise switches firmware is not stable, and its distributed from some sketchy ftp server over non-secure connections, without providing the hashsums. Its true that this is your problem if you found the bug after the EOSL, but its also your problem if you bought their hardware in the first place. Id suggest avoiding their hardware even if they give it away for free, as long as you want to use it as-intended.
Here's a random take : In most programming courses, people are not taught shit about code vulnerability! I think the safe exevp() part was written by a decently experienced dev, and the unsafe system() part by a not so experienced one.
you know what else is unforgivable? not checking out lowlevel.academy (and getting a DISCOUNT?)
I would buy a good ghidra course.
"I can't believe a company isn't held legally responsible" XD
Any chance you will be offering student discounts in the future? I’ve started doing picoCTF and hackthebox challenges for a school club and think that the courses would be great learning resources for building applications with c but the price feels a bit too prohibitive
How long do you expect a company to support their software after EoS/EoL?
bro. you have the style, you have the knowledge, and you have the courage. I liked your talk, your analysis, damn how I love these videos...keep going.
The guy who wrote the safe_system code is definitely a different person from the one who wrote account. I can't believe it is any other way
Exactly. The person who wrote safe_system probably got into arguments with the person who wrote account, who told them to not to worry about it. Some manager then told them to ship it and move on. Then the manager got their bonus for delivering on time.
@kapstersmusic I would assume the person who wrote safe_system never saw what the one who wrote account did. That would be gross negligence to not replace these 4 lines with their better, ready-made equivalents. Safe string processing is part of the standard, and safe_system is just there. Even without changing the string processing, just using safe_system to make sure the exploitable buffer overflow isn't literally ready to use as-is would be 2 seconds well spent. The security researcher would have maybe spent hours instead of minutes to get a working exploit.
The problem is not one programmer not being up to the task of writing safe code; or people talking to each other... the problem is quality assurance and testing. A company should never assume that a person doesn't make mistakes, it's about validation and testing. And D-Link apparently doesn't care enough about the quality of their products.
@@Exilum I would guess safe_system is from some sort of library, and the call to it was copy-pasted, but the account program was new and written by someone trying to only use the C standard library or sth like that, maybe because they didn't know how the Posix API worked, would be my guess.
@@svaira Or the other way around where the account software was from an older era some 30 years ago where things like this didn't really matter since it was executed from the root prompt.
It's not a bug, it's a low effort backdoor
The CIA was too busy trying to kill fidel castro...
Semantic arguments are fun, but that's all they are. Backdoors target vulnerabilities. Vulnerabilities are bugs.
I think they’re implying it was intentional
@@himothanielCondescending responses to comments you don't understand are fun, but that's all they are.
You can read condescension into my comment if you like, but there wasn't any there. A small joke went over my head. I can acknowledge that.
"Buy another NAS", definitely won't be a D-Link, I can tell you that for nothing.
QNAP or Synology should use this as free advertising for their newest kit
@@FrankEBailey WTF are you?
Buy the stuff and install firmware, that can be called that way:
OpenWRT !!!
@@FrankEBaileyI think Synology had a zero day like 2 weeks ago
@@adammontgomery7980 was the zero day as stupid as this one?
@@dancom6030 its not the first...
This is actually a genius level move by D-Link:
They not have to fix *past* bugs because they deem their hardware antiquated.
Also!
They also don't have to fix *future* bugs because they just scared away their entire customer base
they are just playing multi-dimansional chess 😆
XD 200 iq
@@dave7244 but the bug was present on day 1.
@@dave7244 The 340L was released in 2015, and according to the dLink website "This product was phased out on: 29/10/2017", so maybe they were available for sale until then (and maybe even after that date from some retailers).
@@dave7244 Are you using D-Link's suggested NTP server?
en.wikipedia.org/wiki/D-Link#Server_misuse
"D-Link US recommends retiring and replacing D-Link devices that have reached EOL/EOS" - To which every owner should say, "No problem, I'll replace it with a different brand".
//"D-Link US recommends retiring and replacing D-Link devices that have reached EOL/EOS" - To which every owner should say, "No problem, I'll replace it with a different brand".//
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^6
I agree.
" replace it with a different brand". Why? To have a bug from a different company? A bug which will be there for a decade, discovered only by hackers?
Never buy a 'NAS'. Use your old PC, install TrueNAS on it, put it into its own VLAN and call it a day.
@@temp50 Most companies do emergency patches when these kinds of bugs pop up. Even microsoft does that.
The funny thing for me is the vulnerability means you could recompile the account command to use safe_system and then use the vulnerability to download the patched account binary to the NAS, fixing the hole.
Now this is bug fixing
lol that is amazing maliciously fixing bugs its like bethesda game modders.
Might as well install a webshell while you are at it.
Great idea. Shame its a read only file system.
Shouldnt be upto the fbi or whitehats to fix easy fixes like this.
That was my initial thought as well.
Seems this could be fixed rather easily, even by "hackers".
The guy running this channel could probably make the patch, Linksys refuses to do, in a matter of minutes.
This is what happens when you have 2 teams not talking to each other. One team did it right, the other not so much.
Even if they audited the code they wrote who’s to say the unix utilities calling were audited. The usernames etc should have been sanitized to remove any non alphanumeric characters, so their safe system is anything but safe. Anyway it was a great video. Even with input sanitation, the fact it is calling other programs makes it a crapshoot.
@@richcole157 It looks like the vulnerability can be triggered through the `pw` field and it is much harder to sanitize it in the way you suggest for `name`.
Do you really think they have _teams_ working on that? More likely one part of the code was written by one overworked guy at one time, the other part written by another overworked unqualified guy at another time, and all copy-pasted together by an unpaid intern later ...
@@memyshelfandeye318 Well, that's like 2 teams right there! :D
@@IvanToshkov good point.
Imagine how chuffed the guy was finding this bug, like "yeah im definitley getting a payout, they will be so glad i found it!", just to be told to feck off and that the fix was buy their new products XD
Poor bloke
Nah, said bloke can scour the internet for eol products to hack. Win win.
@@bmanpura maybe, it would certainly teach them a lesson, but if your a genuine pen tester/bug bounty hunter your risking your career doing shit like that. The amount of attribution and tracking sites these days is insane.
One example, I wrote a little article on footprinting Imap/POP3 mail servers last week.
I googled the article the next day to find that id been entered into an International cyber threat database. The bot armys are real af bro. They had entire maps and models of endpoints and systems just from my write up.
Now he's mining bitcoin on your NAS, so whatever.
😂
"Fuck you, pay me" is a genius strategy when most of your customers do not have consumer protection laws
And any attempt to pass consumer protection would be lobbied (read: "bribed") away by the powerful corporations that would be impacted by it.
@afjer this is why people become cyber criminals, stupidity
No consumer protection law protects your from end of life products. In fact in Europe it's only 3 years warranty for a new product. Some pro or enterprise products get 5 or 10 years warranty but then consumer laws don't apply because the buyer acts as a company not individual.
Reminds me of a time a car dealership sent me lottery thing in the mail. Said I won a $50 gift card. Had a number to verify. Verified as valid. Walked into the car dealership and it was a "raffle" with the winning numbers already picked. Mine was not one of those numbers. Told them fuck you and that I'm never coming there again. The kind of idiot that looks at and buys a car after that is next level stupid.
Neither does the Mafia - thanks for the Goodfellas quote.
The team that wrote the "account" program assumed that their program is only going to be used by users that are already authenticated inside the machines shell. The team that wrote the HTTP server thought that the "account" program is safe to execute with parameters controlled by the unauthenticated user.
You probably hit the most likely explanation. Unfortunately, the bigger problem is D-Link unwilling to update it or at least send out a crisis report to news agencies to let customers know.
I did see someone hint at mandatory open sourcing for deprecated software. I think that would definitely help, because the person who finds the bug could patch it. Maybe we need to promote open source routers now?
Open source radio transmitters have a remarkably hard time getting FCC approval... Qualcomm isn't the _only_ reason Qualcomm radio chips continue to use closed-source code.
It's really annoying; the efforts to block true direct mobile-to-mobile LTE, were so coordinated, one could almost be forgiven for mistaking those efforts as good-faith "interference prevention".
Open wireless is anathema to regulation; it's been stomped on, one product launch after another, my whole life or more.
HOT TAKE:
If vendor stops supporting product because if it's out of live even with such security critical cases, we as society should stop supporting copyrights related to it.
Granted here there's probably not that much to protect, but if there's any copyright protection on that code, it should vanish, reverse engineering ? Producer orphaned it, we're not gonna prevent people to adopt this child.
Re distributing binaries ? If it's not worth for you to fix it it's not worth to us to chase people that copied it.
That should not be hot take at all. If aren't making money on your copyrighted thing, what are you protecting it for? Kind of same with games. Your game is not officially available for purchase? People get to crack it and share it freely without consequences.
@@tyrannosaurus_x Yea honestly that take developed because of stop killing games initiative in the first place.
And not even about "Me wants to play games that aren't available" thing ( be it it's still valid approach) or that company isn't making money anyway, i mean questioning how system works in much broader way.
We as society agreed to protect data, (art work code, design so on) (which i'm not against to be clear, my problem starts and ends with how system work currently not with existence of system) and at this point we agreed to do so at ridiculous time frame, Mickey Mouse famously entered public domain in 2024, a artwork from between world wars period, i'm from Poland, in our calendar that's like two invasions ago, neither of my parent's were alive when it came out, and they had me at ridiculous old age, they grew up in different world, telephones were rare, cars too, country was still firm in grip of USSR and iron curtain divided Europe, i grew up in free Poland, wit ability to free travel across Europe because of shengen, with internet access since i could remember, YT raised me as much as mu parents did, it gave me skills to get job as programmer. My father born in 1945, after Mickey was created, and died in 2018 before it entered public domain. I tell you all this to hammer point how long time frame we're talking about, and how much of commitment society gives to copyrighted work.
Even if it was out of print for years, even if original company isn't supporting it since decades, last entry in IP was made before my country in it's current form was established, it stil will be protected.
In return(and i'm talking mostly about video games, but somewhat applies to software in general), they mercifully allow us to rent their software for unspecified amount of time, for usually not so small sums of money, and usually with right to take said license away at a whim without a reason.
Again, not for abolishing copyright entirely.
But i think in current situation "tail is wiggling the dog", and either copyright retention shorten, new causes for artwork entering public domain established or both.
(Perhaps it should work a bit trade mark, if you don't use it, you louse it.)
it's a 14 year old NAS
@veryCreativeName0001-zv1ir and you're point is ?
This is a great idea! Added to the list of things I'd want to change.
D-Link has been a security liability since the 2000's. :)
As long as you keep using EoL devices, that's on you buddy
@@BotDetector-44 what are you taking about?
@@dynad00d15 Just ignore him - he's a D-Link salesman!
@@dynad00d15 I'm assuming that was sarcasm. I'm _hoping_ that was sarcasm...
@@sootikins Right, because manufacturers update their software after 14 years from their initial release date. You guys might be some retards or a bit clueless how things work when producing hardware and software components but hey, I'm a salesman, you got me
So a common, old-school Shell Injection vulnerability. The Bobby Tables of system("command").
For clueless - xkcd reference. Someone embedded a "Drop table" command in child's name. Deleted main database at school.
Like a day 1 training scenario lol
@xmine08 - That is "Little" Bobby Tables to you. 😂
New vulnerability found in D-Link NAS devices
D-Link : It's not my problem, it's yours
@@play-good "sorry,we sold it to you,so your problem now"
@@92sieghart D-Link, the last big company around that still respects ownership 🤣🤣
.oO( Who did buy that s. in the first place? ... ROTFL )
at least open source this sht
Synology could do the funniest PR thing and give your a 10% discount buying one of their products when you own one of those exploitable NASes
Synology has it's own security issues unfortunately. Their security settings page forces you to give a phone number for 2FA setup, but SMS 2FA is easily exploitable.
Synology give up 10% margin? Who are you kidding?!? 🤔
As a person that has programmed for 30+ years, that is absolutely insane. The incompetency is astounding. If D-link can't fix things like this, then don't buy D-link products, it's that simple. They clearly don't care about their customers.
But D-link is just A subsidiary of netgear, which own A good majority of home routers currently distributed.
Yes, it is truly astounding. I've done some PHP programming for myself and some friends, and did some professionally a number of years ago. One of the first things I did was write a shell command to read all PHP files and find all instances of "if X = Y", and I used that shell command during and after each programming session to ensure that I never accidentally assigned a value when I intended to query it. Checking for calls to system() would be similar (I never used system calls, so I never needed to do such checks, but it would have been simple to check for them). If I -- a single individual -- could do some simple checking and validation to prevent problems, then surely a corporation such as D-Link could have done so.
@@nullvoid3545 What? No it's not. D-Link is a subsidiary of the Taiwanese Steel Group. They have no affiliation to Netgear. Why would you post blatantly false information like that?
@@nullvoid3545 this is what happens when a company is a monopoly (or almost one).
@@nullvoid3545Netgear and D-Link are unrelated companies.
It's hard to imagine a scenario where this is an isolated incident. At any competent organization, the first time something similar happened, the dev-sec-ops team would've forced all kinds of commit/deploy hooks checking for system calls and requiring the lead/PO to sign off that they weren't doing something stupid. This makes all D-Link hardware sketchy. They're not a new company, and they're not small, and they're not new to making routers.
Exactly how many "competent" organizations do you think exist now? Three? Four?
Before the first time, hopefully.
Took their development queues off Crowdstrike.
D-Link once made a router where the web-server ran in kernel-mode and had debug-commands
I had once a dlink router, and it was losing connection about once a day, so I had to unplug and plug it again. I decided to update the firmware, in the hope that it would be fixed. After the update, the connection was dropping every 20-30 mins. Horrible experience. I installed de-wrt (which fixed everything) and never got a dlink device ever again.
This server is running as root (or the CGI binaries are setuid) if it can add users via a web request.
A new form of forced obsolesce? Activate all the security flaws after a specific date and refuse to patch them.
Id believe it. Like immediately after some companies want you to upgrade they say "hey there's a backdoor you should stop using the product or your product is gonna be 15% slower"
Spectre and meltdown, windows XP, apple battery health, etc are ideas that come to mind.
Microsoft refusing to patch critical vulneralibity is how Windows 7 got abandoned. The idea have been around.. _Activating them is a new level of evil_
1. Push a "security patch"
2. The patch actually contains vulnerabilities, on purpose
3. Profit
Ah yes, the μTorrent v≥3.0 approach
Forced obsolescence? They were obsolete before this disclosure. They're 14 year old devices. On top of that, one should NEVER use a consumer branded anything for anything actually sensitive or mission critical. These devices don't have redundant power or controllers. Those interfaces/ports/protocols shouldn't be exposed to the internet anyway. If you actually put one of these open to the internet, that's on you, not D-Link. If it's NOT exposed to the internet, in order to exploit it, you'd need to be on the local network already, in which case, you've already been compromised and you're fucked. This is something that should absolutely be fixed in any still supported devices, but end of life means end of life.
When does incompetence become sabotage?
When they refuse to fix it.
Prob a junior tech that was tasked to write the account script. This is why you need THOROUGH PR reviews and things like sonar to check for code smells like system and sprintf calls.
@speedweasel yup, a junior tech should never be blamed for something like this. If a junior dev is accidentally able to get such a bug into production, then a senior dev with bad intentions DEFINITELY would be capable of doing that as well. It's up to your pipeline engineers to make sure that CAN'T happen.
@@rikschaaf There is no such thing as code review in Chinese software development world in many places)) Nobody looks code, they just make it work, do some stuff to pass manual and automatic tests and this all. And because there was no code review for years they can't start doing it effectively because everyone is more incompetent and can't spot other people bugs just by looking code (this is separate skill which require not just technical knowledge but also able fast understand code and see whats can goes wrong) Also code review would kill they productivity and increase cost, so for them there is no reason to introduce some "bad" practices from financial perspective)
I like collar-shirt Ed. He said "You shouldn't have your NAS with its, like, butt, in the ether-net port, facing out into the internet..." omg. I lol too hard at the mental picture that paints.
As a Junior, I was terrified of making mistakes like this. As a Lead, I now realise how most of the world runs on software that people go out of their way to make utter s**t. Ask a locksmith and they'd always rather have software locks, ask a software dev and they'd always rather have physical locks. When you know, you know how bad things are lmao
Dude, the physical locks thing is so true. When I found out about lockpicking, I took a thin, flat piece of metal and just raked my apartment lock. In 30 seconds it was unlocked. Most locks are a joke. 😐
I do both (locksmith/safesmith and pentesting). None of it works XD
@@aieverythingsfinethat's a terribly unfair thing to say... lockpicks and cracks work perfectly
@@capturedflame XD
I was in disbelief about the "cut off a Bic pen & wobble it around in the keyhole" method for circular keys, so I tried it: Took me ~12 minutes the first time,
Holy moly, if I can get how bad it is without rewinding, it's a really stupid bug
I'm loving the channel name exploration in every video
As someone who has worked in both residential and corporate IT for over 20 years now, I'll never go near D-Link. Garbage products made by a company that does not care. Nothing about this situation surprises me.
D-link? You mean the company unable to understand how email works? Whatever they did, I'm not surprised.
they are like hp lol
But isn't connecting your NAS to the Internet an advertised feature? "Run your own cloud!"
Not like this. If you are going to do that then you should have security measures that can authenticate and restrict what can connect to it.
@@flarebear5346 Yes, I know. But which end user knows this. And now the vendor name is in the press again an they can start their next product.
Always remember, "The S in IoT is for security" (Need to find this T-Shirt for next week it must be somewhere. )
lmfao
You shouldn't have the nas open to the public internet, especially not your admin console. You'd want to have an authentication layer in front of any requests to the applications on your system, or better yet, only allow access to your system through a secure VPN. In the case of this bug, you wouldn't be able to send a request to (target IP)/cgi-bin... if it wasn't already open to the public internet (which again, it shouldn't be), but if it was or say you're connected to the same network, then your whole machine is wide open.
Just run everything on the local network and have wireguard to connect to it
I love watching these kinds of videos, it helps me see deeper into how the devices really work.... and that stupidity really knows no bounds....
I've never in 30 years heard of CGI "typically being a bash script or an ELF"
@@bparker06 well it was. Even PHP worked/works like that.
In your defence, I've seen more Perl scripts as CGI than bash ones :-)
That is probably the case for these sorts of "UI glue for small devices"
C, Bash, and Perl are the typical ones.
I used to have a shell script to redial the internet set up as a CGI. Anyone on the LAN could reconnect the internet as needed that way. We paid per call back then for local calls, so doing it this way made it convenient, but saved calls at night when no one was using it. There was a 4 hour session limit on our ISP.
German home router manufacturer AVM handled a security flaw in 2023 completely different. They even patched a model that had been EOL 7 years earlier.
Dlink basically "F U pay me *again*!" surely inspires customer confidence in their products.
03:25 I appreciate the heads up, but sadly, I failed to contain myself.
Bad code is always dangerous, but dangerous code is not always an accident.
Wow thanks. Never buying D-Link (or their parent Netgear), ever. This passed code review?!
You think they did code reviews? Dlink in 2012 probably didn't even use a code repository, let alone agile development.
I was particularly impressed by your mastery to size up the thing and communicate in relevant-human-readable. Coding is a dark art already (which is a compliment).
According to Wikipedia: "In 2022, D-Link obtained the TRUSTe Privacy seal, certification of ISO/IEC 27001:2013 and BS 10012."
Certifications truly mean nothing!
This device is way older than 2022 so I'm not sure what your point is.
First mistake they made was buying a D-link. If I see d-link device on customer’s network it has immediately to go out.
Dumb switches are one thing. No one should be using D-Link for anything more than that. There's plenty of much better stuff available in the NAS or higher end consumer networking market for not much more money. I'd rather get a TP-Link setup and a Synology or QNAP NAS, but if you just need a 8 or 16 port gigabit switch? Buy whatever is cheapest because it'll work fine.
I will never again in my life buy D-Link equipment and will encourage all of my clients to do the same.
Anyone who doesn’t take security seriously has no business being a vendor. Samsung and SONOS I’m looking at you.
I have abandoned using any D-LINK devices decades ago (around 2005-6) for exactly these kind of practices (and bugs). It's almost unbelievable they are still doing these things after all these years and are still part of the market ...
I absolutely lost it when you described an open port facing WAN as the NAS's butt exposed to the internet
Queue penetration joke?
Gives code injection a whole new context innit
Love this guy immediately when he explain all the detail for beginner in such a short time
8:36 that's what I call a well organized home dir!
Lol!
As primarily a sysadmin with basic programming knowledge, I really appreciate the way you explained the code. Nice and easy to follow and your enthusiasm is very engaging.
I've heard of people getting dismissed for lesser bugs. this is SUCH a rookie mistake.
TY for the content
I'm honestly astounded at how easy your videos are to understand and follow. My only background in coding was one course that used Python in uni, and a little introductory C++ in high school, but I'm mostly able to keep up with what you're putting down.
Good vids, is what I mean to say
As a Gen-Zer even if I hated the collared shirt, that fire jacket makes up for it.
I actually have/had one of the affected devices (DNS-320LW). Bought it in 2012, put the community-made and still maintained custom firmware on it in 2019 when it hit EOL that December. AFAIK it hasn't been sold since 2015 so to not bother with updates a decade after going out of sale and 5 years after going EOL seems perfectly reasonable to me.
this video literally had "no views" as he said "this video is gonna get no views"
Security goes against D-Link's core values. They have a reputation to uphold.
is nobody going to talk about how those sprintfs probably are a buffer overflow vulnerability as well
He did mention that in the video too but the low hanging fruit is the system call. I mean both need to be fixed and are right next to each other. Not sure how people are going to do that though, if at all.
@@steveftoth by buying a new device - D-Link
Please place your checkmark and then try again.
[ ] I watched the whole video
No one cares. Probably there are s lot more spots to cover in the firmware. Why would you want a buffer overflow if you have system calls at your hand
you're one of the most competent coders im watching on youtube if not THe best. Good job breaking this down for all the up and coming wizards
Like your attitude here! :) Also the colors are so fresh ;)
Some companies one should just never deal with.
This is literally the opposite of the kind of support we have been used to from companies like IBM for example.
IMO this is not a bug but a design flaw.
I can't say it's intended but definitely never thought of it in security perspective(or just abandoned the security scope).
This is not "fixable", this just shouldn't exist in the first place.
If you say something EOL so no more security update, OK.
But if you put something known with flaw(at least we all known), that's not security update. It's just a garbage be advertised as something useful. It should be RECALL.
Can Tesla say their car has a known risk to explode if you press certain button before EOL but now it's EOL so they won't fix? Elon Musk will be put in jail if so.
Just because the exploit was found now (at least publicly) doesn't mean it didn't exist the whole time. Just for that fact alone, they should be required to fix their stuff.
And you were correct - pants were peed on this side of the wire. Also I grabbed your lifetime subscription, Ed! Really excited to dive in! I've been a Security Engineer for over a decade now, but excited to learn more low-level skills and far more formally!
That was fun... 😂 I know you know, but I'll pointing out that at 2:34 it is just URL-encoding of plain ASCII, no Base64, so %27 is a single quotation mark and %20 is a space. I would expect the exploit to be a little bit different in the quotation style, by looking at 11:13... is it done on purpose to fool the skids? 🤔Am I blind? 😆Or maybe there was some string replacement along the way...? The stuff is pretty basic nonetheless, LOL 😁
Place holder for uname n pass
I've seen more than once maintainers of very active, open source, self-hosted applications saying "our average user does not need enterprise level security features" when they refuse to implement things like mTLS support in their mobile client. Or sometimes they tell you to use treafik as your reverse proxy when you expose the service to wan, while traefik requires the docker socket in a container that is supposed to be facing internet. Absolutely unforgivable.
oh you mean that 'computing appliances' aren't like toasters, and are really just computers that need constant updates forever? but I bough this 'appliance' because it is cute and single purpose like a toaster that needs no updates ever
I'm on the older side of Gen Z but I absolutely despise *wearing* collared shirts. Though I don't mind you having one. It's not tight too, so it doesn't feel like I'm getting choked just by watching.
D-Link has a history of doing this. When I was in university, I found a couple of significant bugs in DIR-601 routers that could lead to RCE in many cases. The first bug was a command injection in the router's diagnostics page that let me inject arbitrary shell commands. This page normally requires that the user be authenticated as an administrator to access it. Unfortunately, that authentication was flawed and due to an API endpoint in the router not being properly authenticated, it was possible for a user authenticated as a regular user to generate and download a configuration backup. The administrator password was stored as plain text in this backup. I can imagine most people would not change the default user password, since it isn't privileged.
I attempted to report this, but every email I sent bounced with an inbox full error. No idea if it was ever patched.
This would be incredibly easy for them to patch this. It’s a one line fix. They just don’t want to do it.
This is the rare occasion I'm actually sort of on D-Links side. They're not even in the NAS business any more. I'm sure there are lots of 0-days lurking in the mountains of EOL hardware & software out there. At some point using old stuff becomes "use at your own risk"
I don't like D-Link, at all, but I completely agree. For all we know, their engineers discovered this among other things, and that's WHY they killed the product. Corpo's would never call an end of life without immense pressure from the engineers, not while there's still any free milk left to squeeze.
It's not an excuse to not inform the public if the info was made known and not allowing for the community to fix the bug on their own.
If anything, they should write that on the product box with the warranty. If the product is out of warranty, you are at risk of your devices being hacked and the company will not make any further patches to protect you. This is not apparent to any consumer, because we don't know the End Of Life ahead of time and no public announcements are made.
Maybe this more of a legislative issue regarding packaging, like food expiration dates.
It's D-Link. Whenever I see their equipment hanging on walls I'm thinking let's have a poke around in there.
At thjs point we need to make cyber security flaws illegal. Theres not really another way to force these companies to actually be responsible
The EU kinda did, atleast they force a minimum ammount of years of updates for things like vulnerabilities now.
@@someonespotatohmm9513 yeah we did... on smartphones as long as they are guarantee cases. so 2 years more or less. the d-link stuff mentioned here is EoL since 2017. not really fair to blame somebody to not have updated their old ass fk. anybody here mad at Microsoft for not patching Vista anymore? no? exactly the same thing.
Oh yeah, D-Link. I'm a dev as well as an IT consultant. Got hired for a project because a company was facing issues where their entire network went down intermittently. Turned out they were using D-Link switches everywhere in their network. These switches had a vulnerability that could trigger a packet storm. There was no firmware update or fix. I replaced every single piece of network equipment that was made by D-Link with its CISCO equivalent. This was 5 years ago and their network has been working reliably ever since. D-Link is a total mess.
0:04 > This video is gonna get no views because I'm wearing a colored shirt and apparently, like, Gen Z hates colors.
What?
Collared
@@Chris-on5bt Yeah but still, the question remains: What? :D
It's Little Johnny ;DROP TABLES; but it's your NAS 😂
D-LINK. As in the grade.
And no mention was made anywhere about requiring authentication to access the CGI... So even if you could not run arbitrary commands, you could likely still create accounts.
Aaaaaand that is another final nail in the coffin for D-link anything now. I mean, on top of the surprise d-link is even a thing anymore still.... But yeah, that kind of reply, without say....releasing some source so the community can support the products they refuse to....has done exactly what they want but not how they want it. Yeah, Ill replace EVERY d-link device with NOT d-link now. Good job on the PR front d-link....morons....
Stop it ... stop it!
Take the hardware and install your own firmware.
Or ... are you some kind of child? Not?!:)
OpenWRT
D-Link coffins are made of quarter inch balsa wood and three inches of coffin nails.
Assembly was my favorite CS class. It's so satisfying having specific memory adresses.
if your worried about not getting views put on a choker it'll work, trust me
🤨📸
@@drgabi18 its a proven fact, thats why so many streamers wear them and why so many vtubers have them on their models
@@corvusnocturne Kai Saikota and Fauna are the only vtubers I know that have one, except them, I have never seen anyone with one
Eric Parker has kitty headphones, so Low Level could learn from him
Stop it.
Get some help
D-Link has had these problems forever. The same thing was going on 10 years ago. Oh wait, it’s the same bloody devices!!
> Gen-Z hates collars
Not true, I have multiple collars! One even has my name :3
Great video, really good!!
I think an additional (final nail in the cofin) and also good information for the rest of the mortals is, the following
- How would you fix that issue; to make it safe?
- What measures could we all take to avoid stupid stuff like this getting out?
It seems to me they are avoiding fixing it for some reason, which says to me that some company advocated for this fix and they pay big so they don't want to remove it. That security flaw is a feature for some company which is the worst case and the scary part I think.
It's frustrating that companies aren't more accountable but please for the love of god don't call for legal accountability. The law can't and shouldn't make it illegal to sell shitty software. The only fix is for consumers to care.
At worst such a law just ends up making it effectively illegal to pay someone to install OSS since they can't cover the lawsuits if someone finds a bug.
At best you'll just get a law like they have in the EU which means most upstream providers can only use software that is certified not to have known vulnerabilities. Guess what that encourages? Closed source bullshit that discourages security research.
Indeed, road to hell is paved with good intentions. In 10 years when all the free open source will be pushed out because nobody will be willing to risk going to jail or pay fines for bad code or paying for certification, same people who asked for this will be crying about corporations destroying open source and wondering how we ended up there.
“I have never seen a situation so dismal that a policeman couldn't make it worse.”
- Brendan Behan
Thanks D-Link for your statement on EoL products so we can avoid buying any of your products in the future! Nice one!
We need software engineers who, like other professional engineers, can be held personally legally liable for their work.
The software industry is much too lax with the rigor of their code.
You have to have legal technical standards to have individual liabilities. No such thing in software (and good luck), so who sells the product, the company, takes liability.
Your device ... your possession
I really don't get it that adult man and woman are not able to install ...
effing OpenWRT !
Have I uttered a secret? ROTFL
Wow. And what would that liability be? Perfect code? And for how long? Forever? Why is it not enough to have companies liable?
Software is more complex than anything else and also not a very relaxed industry for most people.
> inserts obligatory Rust recommendation
Not to be "that guy" but these affected hardware platforms were released between 2011 (the 32x devices) and 2014 (340L) - how long *should* a manufacturer support software for a device that was sold that cheaply? I'm curious because while I understand this vulnerability is bad, the fact that they're not patching it on some hardware models that they shipped 10-13 years ago shouldn't really be a knock against them - only the vulnerability being this simple and destructive. Saying they're saying "f off" because they won't update software on some almost 14 year old NAS devices seems a bit unfair and distracts a bit from the discussion around the vulnerability itself.
This bug shows that their code is ( guess it) 😂
@@cluberti another way to think about it is that this bug has been around for 10+ years.
D-link should be fixing this out of principle alone. Otherwise why would anyone trust with their products in the future? The fact that they dont care at all about this pretty simple exploit is a major red flag for any of their existing products. Points to a lack of basic security hardening in their products.
Imo it shows theyre too focused on making and selling new and shiny things. Instead of products youd feel okay about on your network
I should add that I never particularly liked D-link already. Feeling pretty justified ngl
@@Aguyinachair D-Link gear was always bottom tier garbage and that's probably why you don't like it, or been taught not to like it, but having sloppy code that creates pretty glaring security flaws was the final nail in that cheap coffin.
Oh I get it, but this is getting what you paid for as a customer. No way DLink is going to pay anyone to fix this code at this point given the price point these sold at when new, and that was a long time ago.
That's a very good point but I think in a world where we're pushing towards "net zero"; they should have some basic support for at least 10 years after the last one rolls off the production line. Their EOS policy seems to be 5 years after introduction which seems crazy to me.
I was so invested in the investigation process from the half of the video that I had to put it in fullscreen.
02:35 where base64?
There is, but you've become so good at reading it in your head that you can't tell anymore 😂😂😂
Go test if it works with assembly as well 😊😂
@@showmeyourcritz321where anything related to base64 happens?
Mc0Ca
@@jyothishkumar3098"McOCa" is 5 characters
base64 encoding length is divisible by 4
5 is not divisible by 4
It’s not base64 encoded, it’s url encoded. He was just wrong.
I owned DNS 320 some time ago, but since It doesn't even support SMB v2 I had to give up, and upgrade into something newer, because apparently DLink doesn't give a s*** on this :) This Video made my day, thanks :)
to answer your last question: gen z doesn't only hate collars gen z also hates accountability
I wonder if in the US, If this would qualify as gross negligence in a district court case?? It's absolutely regular negligence.
I get the feeling that this was a case of a high-level executive saying, "My nephew is a wizard at this computer stuff and he's going to be interning with us for the summer. Give him something important to do."
i'm an swe student and i still don't see myself a good coder programmer I don't understand a lot of concepts and I wasn't passionate about computers in general before entering college. i only know the theoretical concepts but these videos are really making me love the field and wanting to learn more and make me curious more and more!
Being anti-bug is discriminatory.
You must tolerate the inclusion of these diverse bugs.
They are our strength.
Being vulnerable and diverse is better than being discriminatory and intolerant.
Lol @: "the NSAs reverse engineering framework... it also has dark mode, which is awesome." That was gold.
The list of affected devices doesn't include my D-Link NAS model, but I'm concerned that it might be an oversight or because it's a minor version that is also affected but they didn't mention for some reason.
It's a DNS-321.
it also doesn't include mine (DNS-327L) but i'm fairly certain that it also is affected by this vulnerability
That’s hilarious!😆
I mean, I wrote some php scripts for my department, which themselves call a “exec” command.
But I switched to borderline paranoia mode, when I wrote that to get all requests sanitised.
Funny and frightening to see, that those “pros” didn’t bother.
They haven't had their double-popped collars phase yet, they don't know what it's _really_ like to hate collars.
That account code has to be that "I just whipped this up in a few minutes" code that the founder wrote decades earlier and "it worked" so they never wanted to touch it. Even if that somehow wasn't there until 2018 (there's no way...) it's still actually insane that it took this long to find!
"- Does this mean that I have flawed the exam?"
"- Oh no, oh no! Of course not. We are strictly DEI here. We really don't wanna get sued. You should go get another employer if you wanna do that. Here I have a list of some 'friends' that I can recommend!"
D-link is also known as bottom-link.
Even their enterprise switches firmware is not stable, and its distributed from some sketchy ftp server over non-secure connections, without providing the hashsums.
Its true that this is your problem if you found the bug after the EOSL, but its also your problem if you bought their hardware in the first place. Id suggest avoiding their hardware even if they give it away for free, as long as you want to use it as-intended.
i c bajs
Great stuff! BTW what font are you using in terminal? I absolutely love it!
12:23
"How is nobody held accountable?" Because it's a free market. Businesses are allowed to 'do what they want,' and this is what they do.
Here's a random take : In most programming courses, people are not taught shit about code vulnerability!
I think the safe exevp() part was written by a decently experienced dev, and the unsafe system() part by a not so experienced one.