I found this video and thought: "Damn, I can root my phone this way". I can't root it with normal ways cuz i have blocked bootloader and no code, but yeah, gonna try that
i was thinking the same exact thing! i've got a samsung a54, and the thing is locked down tight...anyone have any idea how to use this on an android device with user/terminal access? maybe modify the exploit code for sudo access or a root group? this would be an AWESOME way for TONS of phone modders to root their devices before the phone gets patched! let's come up with something!
hmm, i compiled this on my arch desktop as well as a raspberry pi running aarch64, and i get the same error: "fsconfig: Invalid argument [-] failed to write, retry..."
@Hope You are alone, child. There is only darkness for you, and only death for your people. These ancients are just the beginning. I will command a great and terrible army, and we will sail to a billion worlds. We will sail until every light has been extinguished. You are strong, child, but I am beyond strength. I am the end, and I have come for you. Hope.
write(fd, "HACKED", 6) does not write "HACKED" to the line 6, "6" is the buffer size, which is the length of the "HACKED" string. it is needed as there are different buffer representations that can be given to the syscall.
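Added example to go with this comment (and the later one at 10:08 making the same point): it is not code from the video or from the exploit it discusses. It shows that the third argument of write(2) is a byte count, so "HACKED" with count 6 sends six bytes and count 3 sends only "HAC", and that write() can return fewer bytes than requested, which is why careful code loops. The helper names (write_all, check_roundtrip) and the pipe used as a scratch file descriptor are my own choices.

```c
#include <errno.h>
#include <string.h>
#include <unistd.h>

/* Write exactly `len` bytes from `buf` to `fd`. write(2) may return fewer
 * bytes than asked (a short write) or be interrupted by a signal, so loop
 * until everything is out. Returns 0 on success, -1 on error. */
static int write_all(int fd, const void *buf, size_t len) {
    const char *p = buf;
    while (len > 0) {
        ssize_t n = write(fd, p, len);      /* third argument: bytes, not a line */
        if (n < 0) {
            if (errno == EINTR) continue;   /* interrupted: retry the same chunk */
            return -1;                      /* real error, errno is set */
        }
        p += n;
        len -= (size_t)n;
    }
    return 0;
}

/* Push the first `count` bytes of `msg` through a pipe and read everything
 * back. Returns 1 if exactly `expect` came out (same length and bytes),
 * 0 otherwise. A pipe stands in for the file the exploit writes to. */
static int check_roundtrip(const char *msg, size_t count, const char *expect) {
    int fds[2];
    char out[64];
    size_t got = 0;

    if (count >= sizeof out || pipe(fds) < 0) return 0;
    if (write_all(fds[1], msg, count) < 0) {
        close(fds[0]); close(fds[1]);
        return 0;
    }
    close(fds[1]);                          /* writer done: reader will see EOF */
    for (;;) {
        ssize_t n = read(fds[0], out + got, sizeof out - 1 - got);
        if (n < 0) { if (errno == EINTR) continue; close(fds[0]); return 0; }
        if (n == 0) break;                  /* EOF or buffer full */
        got += (size_t)n;
    }
    close(fds[0]);
    out[got] = '\0';
    return got == strlen(expect) && memcmp(out, expect, got) == 0;
}

int main(void) {
    /* Constructed inputs: the string from the write() call in the video. */
    int ok = check_roundtrip("HACKED", 6, "HACKED")   /* all six bytes */
          && check_roundtrip("HACKED", 3, "HAC");     /* count 3: only "HAC" */
    return ok ? 0 : 1;
}
```

The length has to be passed separately because write() takes a `const void *`: the kernel cannot know whether the buffer is a NUL-terminated string, a struct, or raw bytes, so the caller states how many bytes it means.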
For android, this is a good thing and a bad thing. You can root previously unrootable phones. But so can badguys, who can permanently lock you out of your device.
How? there's no unprivileged users able to remotely log into an android phone. By default android doesn't even include a sudo binary. Are you sure you understand what this exploit does? You would have to willingly download and execute malware for this to be effective on android, at which point your security is fucked with or without DirtyCred.
Well to be a little more explicit, androids can generally be rooted with common procedures but the issue comes with advanced cellular features locked behind A/B partitions (pitched as partitioning to help with live updates) that break when edited. Some have magisk/xposed modules that re-establish those security features allowing a rooted android to actually be usable. Thankfully, it means that if this was leveraged to gain root access to any given android it would likely break most networking to begin with
@@silverywingsagain you are downloading whatever software from PlayStore. But it is somehow guarded by android OS, unless you give permission to storage/camera/etc. After this exploit you would be vulnerable to bad apps in Play Store.
@@silverywingsagain There are actually two different exploits. One for processes and second for files. For one with processes no code published yet. But you can use files to get executable. Just need to overwrite any binary with suid(root) on device.
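The defensive counterpart to the comment above is an integrity baseline of setuid files: record each one with a content fingerprint, then rescan and flag any setuid file that is new or whose contents changed. The code below is an added example, not the video's or the exploit's code. It uses FNV-1a as a cheap fingerprint purely for the demonstration (a real baseline would store SHA-256 and keep it off the monitored host), scans a directory tree with nftw(3), and the helper names (suid_scan, suid_diff, suid_selftest) and the temp directory it constructs under /tmp are my own assumptions.

```c
#define _XOPEN_SOURCE 700
#include <ftw.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define MAX_ENTRIES 128

/* One setuid regular file: path plus a fingerprint of its bytes. */
struct suid_entry { char path[PATH_MAX]; uint64_t fnv; };

static struct suid_entry g_found[MAX_ENTRIES];   /* filled by the nftw callback */
static int g_nfound;

/* FNV-1a over the file contents. Fingerprint only, not a cryptographic hash
 * (assumption for this demo: production code would use SHA-256). */
static int fnv1a_file(const char *path, uint64_t *out) {
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    uint64_t h = 0xcbf29ce484222325ULL;
    unsigned char buf[4096];
    size_t n;
    while ((n = fread(buf, 1, sizeof buf, f)) > 0)
        for (size_t i = 0; i < n; i++) { h ^= buf[i]; h *= 0x100000001b3ULL; }
    fclose(f);
    *out = h;
    return 0;
}

static int visit(const char *path, const struct stat *sb, int flag, struct FTW *ftw) {
    (void)ftw;
    if (flag != FTW_F || !(sb->st_mode & S_ISUID)) return 0;    /* setuid regular files only */
    if (g_nfound >= MAX_ENTRIES) return 1;                        /* table full: stop the walk */
    if (fnv1a_file(path, &g_found[g_nfound].fnv) < 0) return 0;  /* unreadable: skip it */
    snprintf(g_found[g_nfound].path, PATH_MAX, "%s", path);
    g_nfound++;
    return 0;
}

/* Walk `root` without following symlinks; copy up to `max` setuid files into
 * `out`. Returns the number of entries, or -1 on error. */
int suid_scan(const char *root, struct suid_entry *out, int max) {
    g_nfound = 0;
    if (nftw(root, visit, 16, FTW_PHYS) < 0) return -1;
    int n = g_nfound < max ? g_nfound : max;
    memcpy(out, g_found, (size_t)n * sizeof *out);
    return n;
}

/* Compare a later scan with the baseline: count entries in `now` that are
 * either not in the baseline (new setuid file) or have a different
 * fingerprint (same path, replaced contents). */
int suid_diff(const struct suid_entry *base, int nbase, const struct suid_entry *now, int nnow) {
    int changed = 0;
    for (int i = 0; i < nnow; i++) {
        int seen = 0;
        for (int j = 0; j < nbase; j++) {
            if (strcmp(now[i].path, base[j].path) == 0) {
                seen = 1;
                if (now[i].fnv != base[j].fnv) changed++;
                break;
            }
        }
        if (!seen) changed++;
    }
    return changed;
}

/* Constructed scenario: one setuid script in a temp dir, baseline it, then
 * rewrite the file (restoring the bit, since an unprivileged write clears it).
 * Returns 0 if the diff reports exactly that one change, else the failing stage. */
int suid_selftest(void) {
    char dir[] = "/tmp/suidaudit-XXXXXX";
    if (!mkdtemp(dir)) return 1;
    char file[PATH_MAX];
    snprintf(file, sizeof file, "%s/helper", dir);
    FILE *f = fopen(file, "w");
    if (!f) return 2;
    fputs("#!/bin/sh\necho original\n", f);
    fclose(f);
    if (chmod(file, S_ISUID | 0755) < 0) return 3;

    static struct suid_entry base[MAX_ENTRIES], now[MAX_ENTRIES];
    int nbase = suid_scan(dir, base, MAX_ENTRIES);
    if (nbase != 1) return 4;

    f = fopen(file, "w");                     /* the "replaced binary" */
    if (!f) return 5;
    fputs("#!/bin/sh\necho tampered\n", f);
    fclose(f);
    if (chmod(file, S_ISUID | 0755) < 0) return 6;
    int nnow = suid_scan(dir, now, MAX_ENTRIES);
    if (nnow != 1) return 7;
    int changed = suid_diff(base, nbase, now, nnow);

    unlink(file);
    rmdir(dir);
    return changed == 1 ? 0 : 8;
}

int main(void) {
    int rc = suid_selftest();
    printf("suid audit selftest: %s (code %d)\n", rc == 0 ? "ok" : "failed", rc);
    return rc;
}
```

On a real system the baseline is taken over `/` right after install, stored somewhere the monitored host cannot rewrite, and compared from a trusted context, because a scanner that runs on the host can itself be fed a doctored view once root is lost.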
It's super bad actually. Now literally any app on your phone can do whatever the developer wants with everything that's on your phone And many phones will never be patched
@Omelette au Fromage Just buy from a manufacturer that will let you unlock the bootloader. I got a google pixel straight from google and i can unlock it and root it without any magic
Dear god, I hope they're able to patch this quickly. It could be a disaster for the entire internet if hackers managed to take down entire major servers.
i have a factory locked bootloader Android phone (SM-G960U) so as soon as i saw this notification i turned off the phone, i want to learn how to do this exploit so i can use it to root my phone before AT&T and samsung force upgrade its kernel to a patched one, this is 100% legal reason to perform this exploit right?
"sales people doing provisioning" picturing an ansible task that gets a salesperson on the telephone and gives them instructions to build out your cloud infrastructure over text to speech
Linux: "There's a biiig bug. But you have to sit at the keyboard in front of the pc to use it." Windows: "... before you turn on your machine make sure that it isn't connected to the outside world!"
Actually you don't for this. If you, as it was said in the video, have unprivileged access to a machine and can launch arbitrary code - boom, you have root. It's a serious bug, and it will be interesting to see what is the ROOT (lmao) of this problem.
@@rogo7330 Shell access is the same as being at the keyboard in UNIX. If you have unprivileged access to a machine you can still run arbitrary code and do a ton of damage even without root. The root of the problem is that computers use buffers, and buffers can overflow. Unless you can think of a completely different paradigm, exploits will always exist. The solution is to make sure USERS don't have unprivileged access, only APPS and SERVICES do. Then you can implement security on a case by case basis instead of trying to "herd cats" on a system-wide basis. Of course all of this is better than windows and mac where escalation is boiled down to a brain-dead popup that 99% of users will click "OK" without thinking.
@@silverywingsagain "apps and services" are users. You at the keyboard aren't doing much unless you're executing something. If you as a user are only answering questions from apps and services ("There is 10 people in the room. Is it true? [y/n]", "Press Enter to continue", etc.), you can't do much. If your service or app is a big clusterfuck of code that does some weird shit and because of that you put it inside docker or something - there it is, just put some symbols into Minecraft chat on the server and you have access to the minecraft server's user and its shell.
Privilege escalation is a bigger deal on Linux not only because they're servers... but because Windows/MacOS are usually "single user admin" and you hardly have to escalate to do anything.
Windows yes, macOS no. macOS is a (very locked down) UNIX system at its core since 2001 and requires privilege execution to write to system files, however applications can be installed without the administrator password as long as your account is an administrator (and not a "Standard") account. However, privilege escalation bugs can't usually cause any harm to a system (besides deleting/stealing files, but that could be done without admin privileges) due to Apple making the system files read only, even to root, by default in 2015, and further when they put them on a read-only partition.
@@DistrosProjects I guess you're mainly talking about SIP here. And yeah, for most macOS users, it makes sense. Most are dumb enough to just click "yes" to anything the computer asks and thus infect the system. For more experienced users it's not really necessary I guess, but still pretty useful.
@@DistrosProjects UAC does the same thing in Windows for admin users, as MacOS. The 1st user on MacOS is always an admin just like Windows. The only difference is MacOS prompts the user to enter their password, whereas UAC just asks the user Yes or No. UAC made most malware happy to run in userspace, which subsequently became the exact same behavior in MacOS.
@Kris Nicholson you got it wrong. Unix is Unix, Linux is a Unix-clone (others call it Unix-like) and never shared any code with Unix. Hence, you can't just say Unix is derived Linux. :) other points are correct though.
Pretty cool, one of Siemens' 101 classes in cyber security is called 'From Web to Root', where we use a weak user base system to get an admin's account and then use a form to execute shell code, in turn giving us a remote login, and use this exploit to take over the docker to get to the host shell with SU access. It just took 4 hours to teach a whole class to do this with most not having an ounce of training or Linux knowledge.
This is neat. I tried it out. I checked all of my systems to see if they were vuln, and everything seemed to be patched. Nice testing tool. But I also played around with it. This could very easily be a copy paste script fast and bang in. We all know plenty of systems admins out there slow to update....
It usually is not Linux itself but, the fact that those addons and plugins all made by random people who think they're edgy, then introduce a vulnerability. Of course they left a ton of them. The problem is, of course, if it's a vulnerability in a 'widely used' component. You're giving total nobodies ability to make these things most of the time, even when talking about the more popular linux distros. There's likely even more than Windows at this point, considering they started actually trying to secure things, probably after Windows XP. Even then it's still useful to have exploits like this imo because I'd rather be able to mod my kernel or do what I want. For example, I wanted to make a new exploit for fun. Within 3 days I found a way to exploit the NVidia Driver (latest/current ones).. You can then shut down any antivirus or access any game process without even trying because it just accesses most of them already. No one even knows and it's completely private how their drivers work. Maybe a few have recently released more about dxgkrnl vulnerabilities, but, those can be easily found now because of that. Now there's like 3 other things you can hook down the line from that, including the driver itself.
Dirty pipe has been known about forever, this is a local exploit. Secure your infrastructure properly and it's a non issue. If you already have access to a system there will always be another overflow exploit waiting to be found. It's basically intrinsic to how programming works. You can isolate and prevent individual cases but nothing will ever really prevent a user who already has access to a system from escalating privileges.
@@gg-gn3re If you assume your bootloader isn't protected and you do not use disk encryption, yeah maybe. Let's say, you already are admin of the hardware in that case 🙃
sad that most of our critical, low-level infrastructure is using unsafe languages. the amount of code is so large in these projects that not one single person can manage or know it all. vulnerabilities become inevitable
@@ratchicken8159 he means that it's very easy to introduce a vulnerability writing in C because it allows you to do practically anything, it doesn't check for memory management errors, unlike say, Rust, with its borrow checker, or Python, where you don't have to manage memory at all.
I hate containers. I hate all-in-one packaging like Flatpak. Both are used so inappropriately all the damn time. _edit to add, since I was asked "why are those bad?":_ You know how the end of firmware updates for IoT stuff like a wireless router means that the router is forever frozen with all its security flaws after firmware stops being put out? Now imagine that for every program on your system. That's the problem with "containers." They package everything required for a program at the time of building, including the version of every single library in use on the build system. If, say, glibc (the most common/widely used Linux C standard library that the vast majority of software uses in some capacity) patches a horribly massive flaw and you update your packages and the fixed glibc build is in those, it does not update the glibc instance in ANY of your containerized software. This is just one facet; it completely avoids the point of reusable shared library code as well, blah blah.
@my burner google account Oh god. Where do I start? You know how the end of firmware updates for IoT stuff like a wireless router means that the router is forever frozen with all its security flaws after firmware stops being put out? Now imagine that for every program on your system. That's the problem with "containers." They package *everything* required for a program at the time of building, *including the version of every single library in use on the build system.* If, say, glibc (the most common/widely used Linux C standard library that the vast majority of software uses in some capacity) patches a horribly massive flaw and you update your packages and the fixed glibc build is in those, *it does not update the glibc instance in ANY of your containerized software.* This is just one facet; it completely avoids the point of reusable shared library code as well, blah blah.
@@Cookiekeks the problem is that you have to rely on the application developer to update it. Though when normal software packs it's own dependencies it's the same, but this is rarer and usually requires using the system wide updated ones. FlatPak allows for ways of having the runtime updated normally, but it depends on the choice of the developer. And if they abandon the software, it becomes insecure or breaks in the future.
the thing about using shared system libraries is that they aren't guaranteed to actually work with the code you've written for very long, or even be consistent between distributions - glibc itself demonstrated why using it directly from the source is unattractive, literally last week
Why would a micro kernel be less prone to implementation bugs? I can see some benefits to micro kernels, such as not everything sharing same memory… but implementation bugs where affected functionally is all contained in same subsystem? E.g. making cgroups into its own subsystem wouldn’t help preventing this bug?
I am completely a beginner when it comes to computers/ linux, so I have one question: how does a hacker even get the chance to use this security problem on your personal computer? Do you have to download malware?
The biggest risk is to servers running critical applications to business, infrastructure, etc. compared to one's personal computer. But to address the essence of your question, they'd first have to penetrate the system they're targeting--be that from targeted phishing, exploiting a vulnerable process running on a server's open port, brute forcing login credentials, etc.
Difference between local and remote exploit. This is a local one. Like the examples he gave in the video, this is an issue with e.g. rogue employees. And there's possibly no way of screening all those people. Take a 1st level support guy, for example. Easy to get in and if the whole infrastructure is Linux, you start with exploiting the system you're allowed to work on. You gain root on that and then go from there. There's almost always some ssh key or config with a password lying around that gives you access to another system. Rinse and repeat... But mind you, this isn't financial advice - or so.
This is used after they’re in your system. So either they are in physical possession of your computer or you download malware that creates a back door they can remote into.
Wouldn't corpos limit low level persons to a short list (or protected directory) of pre-authorized programs anyway on company server hardware? Besides that, it blows my mind that Linux lets you access/modify pages of memory allocated by other users without permissions or segmentation faults. Would modern computers really suffer that much of a performance loss if the kernel checked when unprivileged users attempted to read/write to a memory address that had previously been freed by them?
@@jokroast6912 Stop wasting your time. You spend 30 seconds to type a comment and the bot sends out millions in a second. Besides, people on this channel know what bots are.
This could actually be useful for android like imagine this, what if someone made a file explorer that used this exploit to allow writing files anywhere without needing to root the phone! would be incredible
bad idea. Once you start modifying files outside of /data, on the next reboot your bootloader will just say "no" and you'll have a nice brick. Things like checksums exist for a reason my man.
4:28 my inner rustacean thought "this wouldn't have happened if the entire Linux kernel was written in Rust", because of a meme by STEMgamer that mentioned "use after free"
@@Hellohiq10 yeah, but the unsafe parts are very clearly marked, and if you make a safe api for that, then you only need to audit the unsafe parts when you have some memory errors
Nice vid, mind doing a video about vim plugins? I started learning vim now to fit in wiv the femboys, great progress so far, and vim plugins seem quite hard to understand
Kenny I know this sounds weird but in regards to you rice how did you get firefox and a couple other applications to actually follow your window theme. Also are you still using CINNXP or are you using something newer. I am still running ZorinOS because of an older video but i decided to install the cinnamon desktop environment on a whim just cause. Could we see a video about your current rice? thanks kenny.
Right now I'm just learning everything I can on Android customisation, privacy and rooting so when my warranty expires I'll be able to get straight into what I want.
@@hippopilot6750 don't know what happened to the reply I wrote 2 days ago. But here it goes. I don't really have an idea of Lineage OS microG because my device does not have an official LOS build and I have also never used microG on any ROM, always Gapps.
Hey Mental, Can you do a video about android degoogled roms (like arrowos, havocos etc. Because calyx or graphene or lineage is not supported for some phones. [like mine] ) Also great video.
@@skeletonbones6995 i was thinking the same exact thing! i've got a samsung a54, and the thing is locked down tight...Skeleton, can you say some ideas how to use this on an android device with user/terminal access? maybe modify the exploit code for sudo access or a root group? this would be an AWESOME way for TONS of phone modders to root their devices before the phone gets patched! thanks!
@_____ haha...if only it were that easy i would've stuck this POS in the fertilizer long ago. i seriously want to get root on my phone before updating patches. there's no /etc/passwd or shadow or group, so i'm not sure how to use this yet. i believe user accounts on android are stored in db. gonna first try the code on my phone to see if it works first
hmm, i tried this on my arch desktop as well as a raspberry pi running aarch64, and i get the same error: "fsconfig: Invalid argument [-] failed to write, retry..."
FYI, "daemon" is pronounced "demon". Of course there are millions of vulnerable devices that will continue to be vulnerable because manufacturers don't do security updates for very long. Very handy if you want to full control your own hardware though.
I don't think you can install custom roms using this vulnerability. I think you can just root your phone even with a locked bootloader unless this vulnerability can also spit out the keys required to unlock it, but I doubt they stored it in the firmware....
so wait. 2 basic questions. in which kernel will this be fixed? 6.0 ? or was it fixed in 5.19, earlier? also what are the prerequisites for this? physical access to the machine? or already compromised via other trojan?
Some random server running Ubuntu 18.04 without any update: 💀
This is also why you should encrypt your linux installment.. If I get raw access to the /etc/sudoers file, I can escalate anyone I want to. This is why macOS encrypts their install disks by default now. (this is also to mitigate the single root boot mode vulnerability of tampering with the installed environment by requiring a password before booting) I used the single root boot to add my own account to the sudoers, which is not the same as this exploit, but Apple has had that vulnerability for a long time (also fixed it for a long time). Seriously, encrypt your Mac and Linux installs to prevent these types of primary attacks.
I don't see how disk encryption is at all related.
@@eDoc2020 well, think about it. If your disk is unencrypted (and thus clearly your files are accessible when you mount the partition), I could spin up an environment that ignores linux filesystem access rules and edit them, creating a new user with root privileges. If your disk is encrypted, you’ll need the password before you can mount it and edit any files. The point is privilege escalation. With physical access to the device, if your disk is not encrypted, you’re vulnerable to these types of attacks.
@ Even with disk encryption like that somebody could install a modified bootloader which steals your password. Given enough skill/resources physical access can break any digital security.
@@eDoc2020 yes, they could.. Altering the bootloader to listen to the entering of this password is another vector of attack that comes on top of the previously mentioned vulnerability. It’s a new issue. But if you don’t encrypt your disk, I could much more easily walk through the door than if you did. Security is never total, but you’re trying to make it as hard as possible for anyone to gain unauthorised access. Altering that bootloader to give you that password would require fairly specialised knowledge, and takes more time to accomplish. It’s “safer”, not bulletproof.
@@eDoc2020 again.. I’m not saying it is bulletproof.. But are you trying to say that because “someone can break the glass to get in you shouldn’t install a lock..”?
I'm convinced that soon companies are going to come up with some serious air-gap security solutions. At least they should. It seems most just keep to the "Everyone in the company uses the same network!" model, which always results in lulz.
For a while it seemed like security was finally winning, but it's looking like we need whole new paradigms, like it's the 90s again when nothing was encrypted, and everyone was running Windows 9x lacking privilege separation. Our OSs are broken. Our programming languages are broken. Our hardware is broken.
Software hasn't seen any real innovation in 20 years. That's what happens when anyone who knows how to actually program is stuck writing frameworks so "software engineers" can pump out the next TikTok.
I think this goes to show you that updating the Linux kernel with Rust code is a good idea. This is basically a multithreading conflict, right? If we look at each user as a thread and the physical memory as the resource they both want to access, then we find a situation where both users are basically allowed to access the same resource at the same time, a big nono. Rust is supposedly REALLY good about doing multithreading properly and safely so I'm sure that would translate here.
Internet is broken, it's a major security risk for gov workers and relatives to be using. Solution: Use landline telephone, dsl direct connection, no wifi. There is 0 guarantee, even with all the firewalls etc. No need to unplug , but try to keep all personal data away from hackers..after all, that is what hackers do themselves.
how can we use or modify this code for android??? i have a samsung a54, and the thing is locked down tight...anyone have any idea how to use this on an android device with user/terminal access? maybe modify the exploit code for sudo access or a root group? this would be an AWESOME way for TONS of phone modders to root their devices before the phone gets patched! let's come up with something!
i have tried a few ways to execute dirtycred on android so far (copying dirtycred to phone and tried running using adb and also tried as different user through termux user). both of those ways didn't work, either the user has no access to the directory, or the user has access but no execute permissions. i did try like so: /storage (and other accessible mounts have 'noexec' set on the mounts, so can't execute dirtycred through adb. i tried as termux user on the phone, but that user has no access to /storage at all, it seems jailed or chrooted into the '/data/data/com.termux/files/home' directory, also, there is no user/password in passwd/shadow on android, so would have to find a way to add a new user or to give access to existing user to a privileged group....or some other way?
TL;DW: Go abuse this to root your Android device and modify your OS before the security patch drops from your manufacturer.
I want to reuse old android phones to run windows I know it is the worst os but to recycle old devices.
@@WilliamHollinger2019 You're gonna get worse performance with windows than Android...
This is why I do all my computing on paper
😎
I hope you run your sudo commands on red paper, so you remember it’s potentially dangerous.
Until your paper connects to the Internet and gets hacked.
@Keith Berjeron * takes about 10 seconds or more depending on their file system management techniques *
If I print every file in my windows os and match the folder structure in a file cabinet did I install windows on a file cabinet?
That's why TempleOS is best
You can't have privilege escalation bugs if you run everything at ring-0, big brain moment
Checkmate root kit
Run literally everything in ring 0, what escalation?
Front line, you are joking, right?
This is getting to the point where you should just turn off your internet whenever you don't explicitly need it.
Or use windows so you are pre-hacked :p
@@theopendoor3716 time to mix up some concrete then lol
@@theopendoor3716 pre hacked?
@@chrissi.enbyYT Yep b/ Windows is glowing AF
@@BruceCarbonLakeriver what u mean
@whaaa t fucking bots.
@whaaa t socks
@@MoradorDeCalcada ?
@whaaa t Ratio
@whaaa t
🤡🤡🤡🤡🤡🤡
@@silverywingsagain you can include yourself now, lol.
Memory management vulns are scarce but when they appear it's always a giant mess
So what you're saying is: *don't update* if you want to root your phone, but *do update* your computer running Linux, yeah?
@@NJ-wb1cz well, don't install shitware but only FOSS apps from developers you trust
Do not click the sussy link from Hope because like... he sends it to multiple people
same. this is a big one.
I long for the day the internet is dead.
It's not as likely to happen. Servers have a much smaller attack surface than regular computers.
so this is what all those people mean when they say "you need to check your privilege"
Based 😂
Imagine that shit? If you're letting your rank and file spin up infrastructure directly you're objectively bad at your job.
I had the same thought LOL
you are so butthurt, that you have to bring up Windows
Privilege escalation is a bigger deal on Linux not only because they're servers... but because Windows/MacOS are usually "single user admin" and you hardly have to escalate to do anything.
Windows yes, macOS no. macOS is a (very locked down) UNIX system at its core since 2001 and requires privileged execution to write to system files; however, applications can be installed without the administrator password as long as your account is an administrator (and not a "Standard") account. However, privilege escalation bugs can't usually cause any harm to a system (besides deleting/stealing files, but that could be done without admin privileges) due to Apple making the system files read only, even to root, by default in 2015, and further when they put them on a read-only partition.
@DistrosProjects I guess you're mainly talking about SIP here. And yeah, for most macOS users, it makes sense. Most are dumb enough to just click "yes" to anything the computer asks and thus infect the system. For more experienced users it's not really necessary I guess, but still pretty useful.
@DistrosProjects UAC does the same thing in Windows for admin users as macOS. The 1st user on macOS is always an admin, just like Windows. The only difference is macOS prompts the user to enter their password, whereas UAC just asks the user Yes or No. UAC made most malware happy to run in userspace, which subsequently became the exact same behavior in macOS.
@blkspade23 you can log in as a user and use an admin password for UAC. I couldn't quite make it practical but it works
@Kris Nicholson you got it wrong. Unix is Unix, Linux is a Unix-clone (others call it Unix-like) and never shared any code with Unix. Hence, you can't just say Linux is derived from Unix. :) Other points are correct though.
May the UA-cam algorithm bless the channel with growth and prosperity forever.
10:08 The last argument of 'write' is the number of bytes to write, not a line number.
This was interesting and could explain how some roommates got into my Linux NAS a few years back. Thanks for the content...
I wonder if this affects GrapheneOS because they use a hardened memory allocator; it would be nice to see that spare them
You know, I like to point out the positives - and this could maybe allow plenty of phones to be rooted.
little did the penguin know this was a planned sabotage by the rustaceans to overthrow C and rewrite the kernel in Rust
Pretty cool. One of Siemens' 101 classes in cyber security is called 'From Web to Root', where we use a weak user-based system to get an admin account and then use a form to execute shell code, in turn giving us a remote login, and use this exploit to take over the Docker container to get to the host shell with SU access. It only took 4 hours to teach a whole class to do this, with most not having an ounce of training or Linux knowledge.
This is neat. I tried it out. I checked all of my systems to see if they were vuln, and everything seemed to be patched. Nice testing tool. But I also played around with it. This could very easily be a copy-paste script, fast and bang in. We all know plenty of system admins out there are slow to update....
It usually is not Linux itself but the fact that those addons and plugins are all made by random people who think they're edgy, and then introduce a vulnerability. Of course they left a ton of them. The problem is, of course, if it's a vulnerability in a 'widely used' component. You're giving total nobodies the ability to make these things most of the time, even when talking about the more popular Linux distros. There are likely even more than Windows at this point, considering they started actually trying to secure things, probably after Windows XP. Even then it's still useful to have exploits like this imo because I'd rather be able to mod my kernel or do what I want.
For example, I wanted to make a new exploit for fun. Within 3 days I found a way to exploit the Nvidia driver (latest/current ones). You can then shut down any antivirus or access any game process without even trying because it just accesses most of them already. No one even knows and it's completely private how their drivers work. Maybe a few have recently released more about dxgkrnl vulnerabilities, but those can be easily found now because of that. Now there are like 3 other things you can hook down the line from that, including the driver itself.
Have you reported the exploit?
@Cookiekeks this, Nvidia probably has a bounty for this sort of thing
@Cookiekeks this person is simply daydreaming about things
I hope the patches come soon.
It's almost as if C is not good for memory management
SHUT UP
Well, C is good for memory management, and that's the problem...
Because _people_ aren't good at memory management
Biggest problem are old Android devices which no longer receive security updates...
Bad news for my 2011 Samsung Galaxy Mini
A year ago, I switched to Linux because of you. It's awesome and thank you
Dirty pipe has been known about forever, this is a local exploit. Secure your infrastructure properly and it's a non issue. If you already have access to a system there will always be another overflow exploit waiting to be found. It's basically intrinsic to how programming works. You can isolate and prevent individual cases but nothing will ever really prevent a user who already has access to a system from escalating privileges.
You can't architect your way around this if your entire service is built on shared tenants
yep these are all over on every system, on Windows you can just delete the keychain file and gain access to everything
@gg-gn3re If you can do that, you already are admin ... 😹
@LordNementon no you aren't. You boot into another OS and delete it, dummy. You can't do this on Windows login.
@gg-gn3re If you assume your bootloader isn't protected and you do not use disk encryption, yeah maybe.
Let's say, you already are admin of the hardware in that case 🙃
sad that most of our critical, low-level infrastructure is using unsafe languages. the amount of code is so large in these projects that not one single person can manage or know it all. vulnerabilities become inevitable
Still better than Microsoft or Apple. Not that it _shouldn't_ be fixed. But rather that it _can_ be fixed
Wdym unsafe
@ratchicken8159 he means that it's very easy to introduce a vulnerability writing in C because it allows you to do practically anything; it doesn't check for memory management errors, unlike say, Rust, with its borrow checker, or Python, where you don't have to manage memory at all.
@WofWca yes ofc but making a language memory safe doesn't solve all the vulnerabilities
only a couple
@ratchicken8159 well, a ton of vulnerabilities are memory-related, including this one, so I'd say using safer tools is worth it.
Dude imagine installing Roblox on somebody's system by force
Based
Good thing I don't run a public access Linux shell host where there's lots of unprivileged and untrusted users on a system...
Hurray my favorite topic for content
I hate containers. I hate all-in-one packaging like Flatpak. Both are used so inappropriately all the damn time. _edit to add, since I was asked "why are those bad?":_ You know how the end of firmware updates for IoT stuff like a wireless router means that the router is forever frozen with all its security flaws after firmware stops being put out? Now imagine that for every program on your system. That's the problem with "containers." They package everything required for a program at the time of building, including the version of every single library in use on the build system. If, say, glibc (the most common/widely used Linux C standard library that the vast majority of software uses in some capacity) patches a horribly massive flaw and you update your packages and the fixed glibc build is in those, it does not update the glibc instance in ANY of your containerized software. This is just one facet; it completely avoids the point of reusable shared library code as well, blah blah.
@my burner google account He got bitten by a rabid container when he was a child 😔😔😔😔😔
@my burner google account Oh god. Where do I start? You know how the end of firmware updates for IoT stuff like a wireless router means that the router is forever frozen with all its security flaws after firmware stops being put out? Now imagine that for every program on your system. That's the problem with "containers." They package *everything* required for a program at the time of building, *including the version of every single library in use on the build system.* If, say, glibc (the most common/widely used Linux C standard library that the vast majority of software uses in some capacity) patches a horribly massive flaw and you update your packages and the fixed glibc build is in those, *it does not update the glibc instance in ANY of your containerized software.* This is just one facet; it completely avoids the point of reusable shared library code as well, blah blah.
But you can update containers as well?
@Cookiekeks the problem is that you have to rely on the application developer to update it.
Though when normal software packs its own dependencies it's the same, but this is rarer and usually requires using the system-wide updated ones.
Flatpak allows for ways of having the runtime updated normally, but it depends on the choice of the developer.
And if they abandon the software, it becomes insecure or breaks in the future.
the thing about using shared system libraries is that they aren't guaranteed to actually work with the code you've written for very long, or even be consistent between distributions - glibc itself demonstrated why using it directly from the source is unattractive, literally last week
That's why you should always delete the Linux kernel to remove any bloat and run Linux from a spaghetti.
Run Bsd
Oh no! Better switch to an even less secure system so I don't need to worry about this one bug.
Like FreeBSD?
monolithic vs microkernels, given enough complexity - or enough utility, macrokernels will always have exploits
Why would a microkernel be less prone to implementation bugs? I can see some benefits to microkernels, such as not everything sharing the same memory… but implementation bugs where the affected functionality is all contained in the same subsystem? E.g. making cgroups into its own subsystem wouldn't help prevent this bug?
@randomgeocacher privilege escalation
OpenBSD users be like: "what's a privilege escalation?"
Whenever a bug is patched, it's also patched for LTS versions used by Ubuntu and Debian for instance
Let's hope for a wave of root on auto head units/Android/set-top boxes/consoles etc!
I am completely a beginner when it comes to computers/Linux, so I have one question: how does a hacker even get the chance to use this security problem on your personal computer?
Do you have to download malware?
The biggest risk is to servers running critical applications to business, infrastructure, etc. compared to one's personal computer. But to address the essence of your question, they'd first have to penetrate the system they're targeting--be that from targeted phishing, exploiting a vulnerable process running on a server's open port, brute forcing login credentials, etc.
@ThisCanNotBTheFuture damn.... not good. Thanks for the info.
if you are a web developer you install and execute all kinds of crap.
Difference between local and remote exploit. This is a local one. Like the examples he gave in the video, this is an issue with e.g. rogue employees.
And there's possibly no way of screening all those people. Take a 1st level support guy, for example. Easy to get in and if the whole infrastructure is Linux, you start with exploiting the system you're allowed to work on. You gain root on that and then go from there. There's almost always some ssh key or config with a password lying around that gives you access to another system. Rinse and repeat...
But mind you, this isn't financial advice - or so.
This is used after they’re in your system. So either they are in physical possession of your computer or you download malware that creates a back door they can remote into.
"Remember that time we did the updates to OPEN VMS?
Wasn't that version 4.4?
Yeah, we broke our own security and OPEN VMS turned into:
WIDE OPEN VMS!"
Wouldn't corpos limit low-level peons to a short list (or protected directory) of pre-authorized programs anyway on company server hardware? Besides that, it blows my mind that Linux lets you access/modify pages of memory allocated by other users without permissions or segmentation faults. Would modern computers really suffer that much of a performance loss if the kernel checked when unprivileged users attempted to read/write to a memory address that had previously been freed by them?
Hello, thank you for the good explanation, does the attack you conducted correspond to an insider attack or an attacker with remote access?
This is so simple. Crazy it took this long to discover it.
Thank you, Kenny!
I'm starting to think that the kernel is full of privilege escalation exploits. A new one seems to be found every other month. :|
Uh, yes. Why do you think the alphabet agencies and major corporations ALL are fighting to be the “best contributors” to Linux. Linux glows
@ghost-user559 Ever used Mach or Hurd? How would you rate them?
thank you for your videos
i don’t think that’s good
gonna have to agree with you here
ratio bot
yeah it ain't looking good chief
Do not click on the sussy YT link from Hope. They are sending it to multiple people.
@jokroast6912 Stop wasting your time. You spend 30 seconds to type a comment and the bot sends out millions in a second. Besides, people on this channel know what bots are.
Hilldawg did the big brain corruption move, windows servers, bit bleach, hammers
Love your channel
another defcon another look into 10 year old vulnerabilities.
DO not click on the sussy YT link from Hope. They spam it to multiple people.
@jokroast6912 good job looking like a bot
@TheGhostFart good job looking like a bot
@TheGhostFart right on m8. I'm out here tho. Warning people
Defcon run the world. We are all just lucky to coexist with them.
This could actually be useful for android
like imagine this, what if someone made a file explorer that used this exploit to allow writing files anywhere without needing to root the phone! would be incredible
Might as well just root your phone once and do that whenever.
@SpongeBlaster rooting my phone means resetting my phone, which would cause me lots of trouble
Bad idea. Once you start modifying files outside of /data, on the next reboot your bootloader will just say "no" and you'll have a nice brick. Things like checksums exist for a reason my man.
@PvtAnonymous Aw :/
"Use after free" Oh god no, I can hear the Rust developers stampeding over the hills to proclaim their superiority once again.
they're here
4:28 my inner rustacean thought "this wouldn't have happened if the entire Linux kernel was written in Rust", because of a meme by STEMgamer that mentioned "use after free"
True, a rusty Linux kernel would be amazing
@peternrdstrm no it wouldn't. Rust as a systems programming language isn't even memory safe, you have to use unsafe.
@Hellohiq10 yeah, but the unsafe parts are very clearly marked, and if you make a safe API for that, then you only need to audit the unsafe parts when you have some memory errors
Nice vid, mind doing a video about vim plugins? I started learning vim now to fit in wiv the femboys, great progress so far, and vim plugins seem quite hard to understand
Outwaw-chan, pwease do a weview of uwuntuOS, da best distrow of winux for weeaboos uwu
Is that true? I haven't heard of it.
Albania #1
Absolutely disgusting
Lol I just looked it up, I didn't think it was possible to make Ubuntu worse but sure enough they found a way!
@MentalOutlaw Better than Windows
A bug in the linux kernel? I'm shocked. Shocked!
Sarcasm, right?
I'm glad that Linux is (probably) going to get Rust support, so fewer of these memory errors happen.
Time to break out the Leapfrog OS
Kenny, I know this sounds weird, but in regards to your rice, how did you get Firefox and a couple of other applications to actually follow your window theme? Also, are you still using CINNXP or are you using something newer?
I am still running ZorinOS because of an older video but I decided to install the Cinnamon desktop environment on a whim just 'cause. Could we see a video about your current rice? Thanks Kenny.
Seems like the best place to ask even though it’s a bit off-topic: What’s the go-to custom android OS these days?
Pixel Experience, Lineage OS
Not go to, but promising privacy oriented fork: /e/
@rohit31chauhan How's LineageOS-microG? I heard it doesn't update as often as it says.
Right now I'm just learning everything I can on Android customisation, privacy and rooting so when my warranty expires I'll be able to get straight into what I want.
@hippopilot6750 don't know what happened to the reply I wrote 2 days ago. But here it goes.
I don't really have an idea of Lineage OS microG because my device does not have an official LOS build and I have also never used microG on any ROM, always Gapps.
Hey Mental, can you do a video about Android degoogled ROMs (like ArrowOS, HavocOS etc.)? Because Calyx, Graphene or Lineage is not supported for some phones (like mine).
Also great video.
Will this make Android phones easier to root?
Extremely easy.
@skeletonbones6995 I was thinking the same exact thing! I've got a Samsung A54, and the thing is locked down tight... Skeleton, can you say some ideas how to use this on an Android device with user/terminal access? Maybe modify the exploit code for sudo access or a root group? This would be an AWESOME way for TONS of phone modders to root their devices before the phone gets patched! Thanks!
@_____ haha... if only it were that easy I would've stuck this POS in the fertilizer long ago. I seriously want to get root on my phone before updating patches. There's no /etc/passwd or shadow or group, so I'm not sure how to use this yet. I believe user accounts on Android are stored in a db. Gonna first try the code on my phone to see if it works first
hmm, I tried this on my Arch desktop as well as a Raspberry Pi running aarch64, and I get the same error:
"fsconfig: Invalid argument
[-] failed to write, retry..."
overwrite /system/bin/run-as, just like DirtyCow
oh wait dm-verity
Thoughts on Louis Rossman joining FUTO? He's now sort of making the kind of videos you make
FYI, "daemon" is pronounced "demon".
Of course there are millions of vulnerable devices that will continue to be vulnerable because manufacturers don't do security updates for very long. Very handy if you want to full control your own hardware though.
No, it's pronounced "day-mon"
@pvshka Go to Wikipedia /wiki/Daemon_(computing)#Terminology
Check your privilege
White male cis from a poor family and with no future whatsoever.
10/10 ?
Could this help with being able to install a degoogled OS on all Android devices?
I don't think you can install custom ROMs using this vulnerability. I think you can just root your phone even with a locked bootloader, unless this vulnerability can also spit out the keys required to unlock it, but I doubt they stored those in the firmware....
I like how you gave up on censoring the gun 1/3rd of the way through. :D
I let out a small chuckle when I heard "use after free". Who would have thunk it.
So wait. 2 basic questions.
In which kernel will this be fixed? 6.0? Or was it fixed in 5.19, or earlier?
Also, what are the prerequisites for this? Physical access to the machine? Or already compromised via another trojan?
Some random server running Ubuntu 18.04 without any update: 💀
This is also why you should encrypt your Linux install..
If I get raw access to the /etc/sudoers file, I can escalate anyone I want to.
This is why macOS encrypts their install disks by default now. (this is also to mitigate the single root boot mode vulnerability of tampering with the installed environment by requiring a password before booting)
I used the single root boot to add my own account to the sudoers, which is not the same as this exploit, but Apple has had that vulnerability for a long time (also fixed it for a long time).
Seriously, encrypt your Mac and Linux installs to prevent these types of primary attacks.
I don't see how disk encryption is at all related.
@eDoc2020 well, think about it.
If your disk is unencrypted (and thus clearly your files are accessible when you mount the partition), I could spin up an environment that ignores Linux filesystem access rules and edit them, creating a new user with root privileges.
If your disk is encrypted, you’ll need the password before you can mount it and edit any files.
The point is privilege escalation.
With physical access to the device, if your disk is not encrypted, you’re vulnerable to these types of attacks.
Even with disk encryption like that somebody could install a modified bootloader which steals your password. Given enough skill/resources physical access can break any digital security.
@eDoc2020 yes, they could..
Altering the bootloader to listen to the entering of this password is another vector of attack that comes on top of the previously mentioned vulnerability.
It’s a new issue.
But if you don’t encrypt your disk, I could much more easily walk through the door than if you did.
Security is never total, but you’re trying to make it as hard as possible for anyone to gain unauthorised access.
Altering that bootloader to give you that password would require fairly specialised knowledge, and takes more time to accomplish.
It’s “safer”, not bulletproof.
@eDoc2020 again..
I’m not saying it is bulletproof..
But are you trying to say that because “someone can break the glass to get in you shouldn’t install a lock..”?
Woah nice I hope nothing bad happens next
Big oof, how much did glows pay Linus to get this backdoor in?
$0
Idea: A virus that changes the system in such a way that doesn't damage much, but makes it hard for viruses to navigate
what
The US and Chinese are definitely mad about this one.
OH BOY Muta has something to talk about
something else to patch up, great. somebody man the bilge! thanks for the info.
I can just hear the Seytonic music playing in the background and it won't stop 😔
I'm convinced that soon companies are going to come up with some serious air-gap security solutions. At least they should. It seems most just keep to the "Everyone in the company uses the same network!" model, which always results in lulz.
When the next archery video or nature video ?
I feel privileged writing these comments.
The NSA and Unit 8200 have probably been using it for years.
For what, exactly? You first need to ssh into the server in order to escalate privileges.
Why use this when they can just remote into the CPU itself?
Windows 10 still has 2016 bugs they recognised and didn't patch so this is the least of OS creepiness
I'll be safe, I use Hannah Montana Linux
For a while it seemed like security was finally winning, but it's looking like we need whole new paradigms, like it's the 90s again when nothing was encrypted, and everyone was running Windows 9x lacking privilege separation. Our OSs are broken. Our programming languages are broken. Our hardware is broken.
...Our minds are broken. Our souls are broken.
You're trying to vouch for perfection, which isn't possible.
Software hasn't seen any real innovation in 20 years. That's what happens when anyone who knows how to actually program is stuck writing frameworks so "software engineers" can pump out the next TikTok.
Our world.
is broken
@@ZERARCHIVE2023 Last century, reality was broken. I grew up with quantum mechanics, but it must have been hard for the people who didn't.
If it works on Android then all devices that are bootloader locked are able to be rooted, right?
You'd have to re-run it on every boot since this still wouldn't give you a way to modify the system image.
Are we going to see videogame sourcecode leaked from this exploit? I hope that's the worst that comes from this.
Gigaleak round 2 would be super.
The best*
Not a remote exploit so very unlikely.
I think this goes to show you that updating the Linux kernel with Rust code is a good idea.
This is basically a multithreading conflict, right? If we look at each user as a thread and the physical memory as the resource they both want to access, then we find a situation where both users are basically allowed to access the same resource at the same time, a big nono.
Rust is supposedly REALLY good about doing multithreading properly and safely so I'm sure that would translate here.
nice hack alright, thanks for the vid ^^
Bout to get 5 TB of mega storage
Bout to take it from you.
Interesting. Is it exploitable inside Docker? And to what extent?
when your virtual machine WM is programmed to look like WinXP...
00:28 Why is this written like it’s the title of an anime episode?
The Internet is broken, it's a major security risk for gov workers and relatives to be using. Solution: use a landline telephone, DSL direct connection, no WiFi. There is 0 guarantee, even with all the firewalls etc. No need to unplug, but try to keep all personal data away from hackers... after all, that is what hackers do themselves.
You are spitting facts but do you think it's possible to do this widely?
Good thing I run Qubes OS on my neighbors PC with VNC
if this works on Android we can root phones with locked bootloaders
but can we use this exploit to root phones in order to get rid of Facebook?
Reject technology return to monke
yes
You should take a look at Plan 9 & 9front
How can we use or modify this code for Android??? I have a Samsung A54, and the thing is locked down tight... anyone have any idea how to use this on an Android device with user/terminal access? Maybe modify the exploit code for sudo access or a root group? This would be an AWESOME way for TONS of phone modders to root their devices before the phone gets patched! Let's come up with something!
I have tried a few ways to execute DirtyCred on Android so far (copying DirtyCred to the phone and trying to run it using adb, and also trying as a different user through the Termux user). Both of those ways didn't work; either the user has no access to the directory, or the user has access but no execute permissions.
I did try like so: /storage (and other accessible mounts) have 'noexec' set on the mounts, so I can't execute DirtyCred through adb. I tried as the Termux user on the phone, but that user has no access to /storage at all; it seems jailed or chrooted into the '/data/data/com.termux/files/home' directory.
Also, there is no user/password in passwd/shadow on Android, so I would have to find a way to add a new user or to give an existing user access to a privileged group.... or some other way?