All PHP Applications are Vulnerable

  • Published 21 Apr 2024
  • In this video I discuss a 24-year-old bug in the GNU C Library (tracked as CVE-2024-2961) that can allow a threat actor to get remote code execution on virtually any PHP application that is running on a system with glibc (pretty much every Linux operating system and, by extension, most websites on the internet).
  • Science & Technology

COMMENTS • 724

  • @mmmmmmmmmmmmbeepbeepbeep
    @mmmmmmmmmmmmbeepbeepbeep 16 days ago +1605

    The good thing is TempleOS is still safe from all these CVEs.

    • @kennnnn
      @kennnnn 16 days ago +224

      Common divine W

    • @bc-cu4on
      @bc-cu4on 16 days ago +188

      As the Lord intended.

    • @ViaScientifica
      @ViaScientifica 16 days ago +93

      The Lord Jesus Christ Antivirus 2000 has proven to be impenetrable.

    • @ProDCloud
      @ProDCloud 16 days ago +43

      Anyone can be safe if they unplug the ethernet cable.

    • @fatstupid9070
      @fatstupid9070 16 days ago +60

      After Jesus turned water to wine, he turned software vulnerabilities into history 🙏

  • @ShatteredQvartz
    @ShatteredQvartz 16 days ago +1232

    At this point I'm just going to become Amish; that's the only way to be totally secure.

    • @MentalOutlaw
      @MentalOutlaw 16 days ago +1003

      Unfortunately there are also bugs on the farm that need patching. I have to build a roll-away nesting box because my chickens discovered their own eggs are tasty.

    • @thrillium8623
      @thrillium8623 16 days ago +108

      @@MentalOutlaw This is so real dude

    • @user-ci1em7go2c
      @user-ci1em7go2c 16 days ago +22

      @@MentalOutlaw oof

    • @trumpetpunk42
      @trumpetpunk42 16 days ago

      It actually worked out pretty well for C0V1D...

    • @ShakaFishing
      @ShakaFishing 16 days ago +130

      @@MentalOutlaw The chicken wire patch has yet to secure against the fox no-clip exploit.

  • @Will-uv9kx
    @Will-uv9kx 16 days ago +891

    >this bug is triggered by international conversion system
    Personally I blame other countries for existing

  • @Chief-VR
    @Chief-VR 16 days ago +148

    Born too late for PHP vulnerabilities, born too early for PHP vulnerabilities, born just in time for PHP vulnerabilities.

  • @kidnamedfinger.productions
    @kidnamedfinger.productions 16 days ago +540

    April 30: Hardware RCE affecting every single device connected to the internet.

    • @noodlez7101
      @noodlez7101 16 days ago +87

      May 1st: IRL RCE that allows you to become God.

    • @bsodcat
      @bsodcat 16 days ago +54

      Pov you are on TempleOS: 🗿

    • @kidnamedfinger.productions
      @kidnamedfinger.productions 16 days ago

      @@noodlez7101 Considering the first Neuralink brain implant was installed successfully, there's not much time left until an RCE that allows you to literally get a botnet of living people under control.

    • @Mitch-xo1rd
      @Mitch-xo1rd 16 days ago +35

      May 30: Elon Musk discovers RCE IRL and paywalls the sun.

    • @stevengill1736
      @stevengill1736 16 days ago

      June 1st: the singularity begins, but no one notices because they're too busy watching monkey videos on TikTok....

  • @heroslippy6666
    @heroslippy6666 16 days ago +241

    Ayyy Perl still on the list!
    0.1% we are still under the care of the old and wise monks.

    • @anon8510
      @anon8510 16 days ago +29

      based perl enjoyer

    • @Wren1
      @Wren1 16 days ago +10

      What's more surprising is that ColdFusion still exists. Like PHP, I guess they need scripting languages that even minimum-wage, computer-illiterate script kiddies can copy and paste spaghetti code for.

    • @hotrodjones74
      @hotrodjones74 16 days ago

      ua-cam.com/video/0jK0ytvjv-E/v-deo.htmlsi=n9BeRV1JsuCrxq0b

    • @hotrodjones74
      @hotrodjones74 16 days ago +9

      What happened in the 80s stayed in the 80s except for Perl.

    • @ddlc_monika
      @ddlc_monika 16 days ago

      People like me use Perl.
      I went into IT wanting a website at 15, so HTML/CSS first; later on I wanted dynamic stuff, so PHP it was.
      Fast forward to my second job: JavaScript was still something you used precisely on websites and nowhere else, and Python was still a weird mess with shit syntax nobody trusted. I needed something to take one XML as input and shit out another one, never heard of XSLT or XPath, all I knew was PHP and regex.
      Perl came in clutch. I learned enough of it in like 10 minutes and immediately it just werked for me. Never used it outside of that due to my current job not giving us sysadmin to install software, but man, in my old job I even got props from the local actual programmers because most of them only did C# and were too far down the OOP rabbit hole to be quick-hacking little stuff.
      If you want to survive in the rapidly evolving tech landscape outside of FAGMAN you'll be surprised how much legacy shit you will inevitably find, how useful powerful text handling can be, and how very much in demand older stuff still is, because all the systems in most bigger companies are a legacy crap festival. If you hate learning a new framework every week, go into finance, banking, aviation or traffic control.

  • @Remigrator
    @Remigrator 16 days ago +66

    I have been coding in PHP for 20 years now and I cannot remember a time when PHP was NOT vulnerable 🤣

    • @blb8738
      @blb8738 16 days ago +8

      Hey. Does this vulnerability require the PHP code to explicitly convert from one charset to another?
      So if a website just expects user input to be in UTF-8, it's safe.
      Just don't use the mb_convert_encoding function, that's enough, right?

    • @hthring
      @hthring 16 days ago +1

      php for life bro

    • @marcogenovesi8570
      @marcogenovesi8570 16 days ago +6

      It's a feature, not a bug. Job security.

    • @fuki98
      @fuki98 9 days ago

      PHP Numero Uno

  • @K0sm
    @K0sm 16 days ago +53

    I love to wake up to an email from the French public administration warning me that they are too stupid to practice good opsec and now my social security number, name, email and so on are for sale.

    • @rusi6219
      @rusi6219 16 days ago

      I mean your president is a gay who "married" a man who molested him as a child so no wonder

    • @bosch5303
      @bosch5303 16 days ago +15

      I work in the French medical sector and most of it relies on outdated and insecure technologies from around the 2000s :)

    • @alainportant6412
      @alainportant6412 14 days ago

      Why didn't I get one?

    • @charlesp.8555
      @charlesp.8555 14 days ago +1

      I clicked on the link in that email to "read the best practices to protect myself". You have to select which case applies to you, but "absolute incompetence from the administration" isn't an option.

    • @fuki98
      @fuki98 9 days ago

      Didn't this also happen to Guatemala or something? Scary

  • @SGresponse
    @SGresponse 16 days ago +174

    If it's a common LAMP vulnerability, then I bet you there's gonna be a no-brain-to-use script to do the hack 1 day after the talk goes live, and a crawler 3 hours afterwards scrounging for visible servers that are not updated. It will find MILLIONS of servers to uproot, and there might even be a botnet fight on the servers when one bot de-admins the other in a back-and-forth escalation.

    • @wereisaly
      @wereisaly 16 days ago +20

      I'm hyped

    • @rnts08
      @rnts08 16 days ago +16

      The dead internet is real 😂

    • @nnnik3595
      @nnnik3595 16 days ago +2

      Sure hope that all these package updates I did on all our Dockers and VMs updated to the new glibc version.

    • @SquaresToOvals
      @SquaresToOvals 16 days ago +7

      War has become a series of proxy battles fought by AI

    • @ET_AYY_LMAO
      @ET_AYY_LMAO 16 days ago +2

      Not at all, read the CVE. It's a 4-byte overflow when using iconv with a specific Chinese encoding that is NEVER used in the West. Also, why would the end user be in control of the encoding format for iconv? Realistically that would never happen, unless the site is a PHP sandbox.

  • @charautreal
    @charautreal 16 days ago +159

    Can we not have big software vulnerabilities... for 5 damn minutes?!

    • @futuza
      @futuza 16 days ago +24

      Gotta stop writing code then

    • @MissiFull
      @MissiFull 16 days ago +5

      no

    • @stevengill1736
      @stevengill1736 16 days ago +13

      Welcome to the singularity...

    • @AttacMage
      @AttacMage 16 days ago

      I'll go add some unsafe eval() queries to my Python code rq.
      Just for you :)

    • @Necessarius
      @Necessarius 16 days ago +2

      Welcome to our job; we all make code vulnerable. We just don't know when or with what language, but it could certainly be any of them.

  • @Hepad_
    @Hepad_ 16 days ago +192

    Don't care, still using vulnerable software for my critical operations.

  • @kazwalker764
    @kazwalker764 16 days ago +35

    Alpine is commonly used in production; most shops using container-based deployments that I've seen use it, most of those using k8s. It's also the default base image for Phoenix/Elixir apps.

    • @bloodonthesnow
      @bloodonthesnow 16 days ago +1

      Can confirm - using it in containers in prod for years

    • @xanderplayz3446
      @xanderplayz3446 16 days ago +1

      And the default base Docker image of Gitea instances.

    • @pcap8810
      @pcap8810 16 days ago

      I've been doing this for 4 or 5 years at least now

    • @Kabodanki
      @Kabodanki 16 days ago +1

      Except for the solved DNS issues (ndots), Alpine is very good. Widely used in production.

  • @a__duck
    @a__duck 16 days ago +44

    I am so glad I can't do anything about this!

  • @jwmcq
    @jwmcq 16 days ago +26

    Alpine Linux is used in production a lot more than you'd think. You wouldn't run a server on it, but the small size makes it great for init / sidecar containers in a Kubernetes workload, for instance.

    • @illsmackudown
      @illsmackudown 16 days ago

      How asinine and embarrassing 🤣

    • @vito2320
      @vito2320 16 days ago

      You are born to deploy Kubernetes clusters. Lol

    • @Deliverygirl
      @Deliverygirl 16 days ago +10

      @@vito2320 It's the sysadmin equivalent of living in the pod and eating the bugs; you hate to see it.

    • @DanteS-119
      @DanteS-119 7 days ago

      Awwww :/ alpine is great for this stuff lol

  • @CGoody564
    @CGoody564 16 days ago +24

    Questioning the open-source model because bugs are actually being found is odd to me... That is the additional public scrutiny doing exactly what it's supposed to do. You know if these bugs weren't found, they'd still be there... You wanna find out the hard way, or do you wanna find out during "security month" as part of a semi-collaborative effort to make shit better?

    • @MrFram
      @MrFram 16 days ago +12

      Even if you take FOSS CVEs as indicating a problem, we just had a Windows issue like 2 weeks ago, and instead of MS fixing it, the programming languages had to add workarounds to avoid triggering it, which tells you all you need to know.

    • @Binxalot
      @Binxalot 15 days ago +1

      Seriously, this is the entire point of open-source software and why community involvement in software development is so important. When it comes to Apple/MS, your system gets hacked and you'll never know, or know why.

    • @jesusmods1
      @jesusmods1 14 days ago

      It's like that movie where a kid deciphers some kind of government code, and instead of making a better encoding algorithm they try to kill the child haha

  • @luszczi
    @luszczi 16 days ago +77

    Blue teams everywhere having a really shitty month.

  • @flamingspinach
    @flamingspinach 16 days ago +40

    The escape sequences you talk about around 4:09 are not for indicating that the computer should convert to this character set; it's actually that the character set is constructed out of multiple swappable sub-charsets (called "planes"), and the escape sequences are used to indicate that at that point in the text the encoding is jumping from the current plane to a different one. See the Wikipedia article on "ISO/IEC_2022", subsection "Other 7-bit versions", for more info.

  • @rusi6219
    @rusi6219 16 days ago +33

    Boy oh boy, if only the entire web was rewritten in Rust, am I right sisters?

    • @100c0c
      @100c0c 16 days ago +1

      😂

    • @Alexagrigorieff
      @Alexagrigorieff 11 days ago +1

      With the runtime which calls this glibc function?

  • @gibrains
    @gibrains 16 days ago +19

    What's good about it is that it's open source. When issues arise, we address them. It's completely open, something you can't rely on in proprietary modes. You don't even know if their software is vulnerable or not. Even when they update, you don't know what they're actually updating. #windows

  • @goowawa
    @goowawa 16 days ago +8

    Best functional backdrop I have seen on YouTube

  • @ButtKickington
    @ButtKickington 16 days ago +160

    Oh boy, I thought for sure this would be a headache for me.
    Luckily our code is too spaghetti to handle multiple character sets.

  • @bigmango202
    @bigmango202 16 days ago +6

    Can't wait until I get confirmation that my house has massive vulnerabilities and there are people living in my walls.

  • @Alrauna
    @Alrauna 16 days ago +17

    Oh boy, update time again

  • @polarfamily6222
    @polarfamily6222 16 days ago +79

    LAMP has been somewhat vulnerable in one way or another for quite a while now.

    • @kidnamedfinger.productions
      @kidnamedfinger.productions 16 days ago

      I don't get why anybody would use PHP in 2024; Go is a much better alternative for the backend, and for the frontend just use Svelte.

  • @minefacex
    @minefacex 16 days ago +23

    Each time a PHP CVE drops PHP-chan appears in my feed.

  • @holetarget4925
    @holetarget4925 16 days ago +77

    IMAGINE HOW MANY WP SITES HAVE BEEN BACKDOORED IN THE LAST 24 YEARS

    • @MrCobalt
      @MrCobalt 16 days ago

      Trust me, WordPress sites didn't need this bug to be considered insecure. WordPress has consistently been a security nightmare.

    • @iiisaac1312
      @iiisaac1312 16 days ago +29

      They deserve it for using WP.

    • @SGresponse
      @SGresponse 16 days ago +29

      Imagine how many will be after the talk.
      You can't expect them to UPDATE their servers? I mean, that entails actually hiring a tech to do it! Expensive stuff.

    • @socialkruption
      @socialkruption 16 days ago

      @@iiisaac1312 WordPress bro here, I enjoy my Lambo, don't be mad.

    • @holetarget4925
      @holetarget4925 16 days ago

      @@SGresponse 70% of the web is built on PHP…this is a total car crash

  • @jazzjohnson5260
    @jazzjohnson5260 16 days ago +11

    More vulnerabilities this month, very fun

  • @XnoobSpeakable
    @XnoobSpeakable 16 days ago +8

    I read the title and my reaction was: "Well of course they are, this is PHP"

  • @Rodelero
    @Rodelero 16 days ago

    Your thumbnails bring joy to my heart, Mental Outlaw 😂!

  • @FranciscoLeonsuperoptimo
    @FranciscoLeonsuperoptimo 16 days ago +107

    Rewrite WordPress in Rust

    • @MentalOutlaw
      @MentalOutlaw 16 days ago +51

      Lol well that would save me from the difficult journey of rewriting my eCommerce site in Rust.

    • @kidnamedfinger.productions
      @kidnamedfinger.productions 16 days ago +21

      @@MentalOutlaw We need to fork Rust to make the compiler punch devs in the balls every time they make a mistake, so that way they won't code any bugs even when writing in other languages (they most likely won't code at all tho)

    • @spl45hz
      @spl45hz 16 days ago +4

      I will do that if you promise to port 30% of plugins

    • @kidnamedfinger.productions
      @kidnamedfinger.productions 16 days ago +1

      @@_________________404 Lemme tell you something: almost every compiled programming language uses LLVM as its backend, mostly because it's good and lets you bind your code with other programming languages that use LLVM too. Rust has a compiler, but a frontend which checks your code; LLVM does the dirty work. It's not even about Rust; I don't know why you would even comment that, it's just stupid.

    • @kidnamedfinger.productions
      @kidnamedfinger.productions 16 days ago

      @@_________________404 What do you find so good about C++ compared to Rust tho? Have you ever tried them, or did you just make up your opinion from some UA-cam video and are now yelling it everywhere?

  • @dnoordink
    @dnoordink 16 days ago +31

    "Much quicker" 24 years later... good one!

    • @anon8510
      @anon8510 16 days ago +8

      Did you miss the rest of the video?

    • @SerenadeURA
      @SerenadeURA 15 days ago +1

      Unless my reading comprehension is poor (a possibility), I believe this was discovered 24 years ago and only found to be truly exploitable 24 years later.

    • @anon8510
      @anon8510 15 days ago +2

      @@SerenadeURA that's exactly it

    • @dnoordink
      @dnoordink 15 days ago

      @@anon8510 So your conclusion is he didn't get to the point quick enough? Attention is a rare commodity these days.

    • @dnoordink
      @dnoordink 15 days ago

      @@anon8510 Also good non-committal username. Choose better.

  • @A1A.
    @A1A. 16 days ago +14

    New Kenny upload!!🎉
    ✨You are our favourite/based/red-pilled honey pot channel ✨😝

  • @bunnicula3221
    @bunnicula3221 16 days ago +4

    Counter argument: All applications are vulnerable.
    Software security keeps honest people away; it ain't gonna last forever against skilled/dedicated hackers.

    • @Deniil2000
      @Deniil2000 16 days ago

      No, theoretically, software can be impenetrable

    • @tishaak2800
      @tishaak2800 15 days ago

      @@Deniil2000 but in practicality it is nearly impossible.
      Doubt one would perfectly set everything up down to binary code and electric components.
      And even so, all it takes is a rare case of the sun's radiation conveniently changing that one 1/0 to mess it all up.

  • @thefloridaman6527
    @thefloridaman6527 16 days ago +1

    I installed a fixed version of glibc for Debian buster for our website host right away 😄 Thanks

  • @zhon5311
    @zhon5311 16 days ago +9

    2024 is the year of the security vulnerabilities

    • @SeeWhatIs
      @SeeWhatIs 16 days ago +1

      114/366 year is unlocked

    • @finlanderxx
      @finlanderxx 16 days ago +1

      Year of obscure vulnerabilities. Like, who converts characters from UCS4 to ISO-2022-CN-EXT, or has unstable packages in production, or allows everybody to run CLI commands remotely?

    • @mawnkey
      @mawnkey 16 days ago

      I just wanna know who hooked ChatGPT up to Metasploit and told it to go ham.

  • @WarkWarbly
    @WarkWarbly 16 days ago +1

    I remember when there was a bug that had existed in the sudo framework for quite some time. Not as long as this bug, but still there for years.

  • @Marty234
    @Marty234 12 days ago

    Great video brother!

  • @Ginfidel
    @Ginfidel 16 days ago +6

    Moon runes? Of course.
    -Gandalf

  • @Iceman259
    @Iceman259 16 days ago +4

    Hot bug summer

  • @sleepysapphire2349
    @sleepysapphire2349 16 days ago +4

    That anime thumbnail caught my eye. I thought this was going to be a VTuber's video.

  • @MonochromeWench
    @MonochromeWench 16 days ago +5

    Web servers should just be able to say no, I only support UTF-8/UTF-16, and get rid of all the character set conversion nonsense server side, but the web servers are accommodating to what the browser asks for even if it is far from appropriate for the site's content.

  • @TheTubejunky
    @TheTubejunky 16 days ago

    PHP/Perl were some of the first scripts used for phishing attacks. Good to see it's still knocking at system doors.

  • @veritas7010
    @veritas7010 16 days ago +1

    Alpine is used often in prod; it's a lightweight base image for Docker.

  • @twidoh9128
    @twidoh9128 15 days ago +2

    Thanks Jason Tatum

  • @ethanbloom114
    @ethanbloom114 15 days ago

    Your videos are so interesting

  • @Stoney_Eagle
    @Stoney_Eagle 16 days ago +1

    Oh boy, am I glad to be running Alpine in Docker 😮

  • @alexiosangel2221
    @alexiosangel2221 15 days ago

    he never sleeps, only edits

  • @whamer100
    @whamer100 16 days ago +2

    Can't wait for the first ever 11/10 to be announced for the first time, and it's that someone found a way to just take over the universe because someone's toaster had an exposed copper cable into the matrix.

  • @deidara_8598
    @deidara_8598 16 days ago

    This is the pinnacle of PIKE MATCHBOX

  • @slateslavens
    @slateslavens 6 days ago

    _"Little Bobby Tables"_
    -XKCD

  • @BanglaBitTheAi
    @BanglaBitTheAi 14 days ago

    Damn this year is wild

  • @dyto2287
    @dyto2287 16 days ago +2

    We were discussing a pentest with one company on our system, and some part of our system was still in PHP. I remember them saying: "We don't pentest PHP because it's insecure by default. Get rid of it first" 😂

    • @GhiveciuMarian
      @GhiveciuMarian 15 days ago

      Yeah, sure... what is not secure about PHP? It's really weird that most of today's servers are powered by PHP, and WP on top of PHP, yet they do not get hacked left and right.

    • @dyto2287
      @dyto2287 15 days ago +1

      @@GhiveciuMarian ...mOsT sErVeRs PoWeRed By pHp... 🥴
      Having a higher quantity of crap WP deployments doesn't mean that it's used more to serve actual HTTP traffic.

  • @airime79
    @airime79 16 days ago +4

    Quack it, I'm writing my own kernel, my own libc, my own drivers and my own damn programs.

    • @retsim_x
      @retsim_x 16 days ago +6

      Write your own vulnerabilities. Take charge! Nice.

    • @ra2enjoyer708
      @ra2enjoyer708 15 days ago

      Okay but how are you going to produce your own hardware?

  • @stevengill1736
    @stevengill1736 16 days ago +13

    When malware comes up that can break out of a virtual machine sandbox, then we're in for trouble! 😊

    • @gairisiuil
      @gairisiuil 16 days ago +7

      It's happened before (for example, the time they exploited GPU passthrough to get into the host's graphics driver)

    • @Aranimda
      @Aranimda 16 days ago +4

      Spectre, Rowhammer.

    • @illsmackudown
      @illsmackudown 16 days ago

      Medicaaaatiiiooonss 😂😂😂😂😂😂😂

    • @mawnkey
      @mawnkey 16 days ago +4

      I can still remember the conversation with my boss about Spectre. We immediately went to management on our DoD contract and got their cloud plans scuttled, punctuated by "We told you so!"

    • @ra2enjoyer708
      @ra2enjoyer708 15 days ago

      They can already detect whether they run in a VM or not.

  • @transcendtient
    @transcendtient 16 days ago +31

    Joke's on you, I'm forced to write my PHP on a Windows stack using IIS.

    • @DUDA-__-
      @DUDA-__- 16 days ago +9

      Is it a WIMP stack? :D

    • @spicynoodle7419
      @spicynoodle7419 16 days ago +1

      Yikes

    • @craigslist6988
      @craigslist6988 16 days ago +10

      Neat, I always wanted to know if they had internet access in hell, thanks for confirming.

    • @paultapping9510
      @paultapping9510 16 days ago +8

      What serious crime did you commit?

    • @mawnkey
      @mawnkey 16 days ago

      There are easier ways to tell us you're employed by psychopaths.

  • @joshuamaserow
    @joshuamaserow 15 days ago

    Thanks bro

  • @dfgdfg_
    @dfgdfg_ 16 days ago +2

    Mental Outlaw, put some posters up, it'll make your space more cozy!

  • @StarryX0
    @StarryX0 14 days ago +1

    7:15
    To be fair, the xz backdoor wouldn't have been discovered in Windows for a long time, but it probably wouldn't have been introduced in the first place.

  • @moioyoyo848
    @moioyoyo848 16 days ago +2

    What a surprise

  • @ShatteredQvartz
    @ShatteredQvartz 16 days ago +7

    Also, wtf with the Italian bots lmao

  • @streettrialsandstuff
    @streettrialsandstuff 16 days ago

    It's been like 10-15 years since the last time I heard someone mention LAMP, until today.

  • @Gameplayer55055
    @Gameplayer55055 15 days ago +1

    We really need to rewrite that old GNU crap in Rust with enhanced security

  • @Ziphon
    @Ziphon 16 days ago +1

    Dude, we're having a whole month of April Fools.

  • @robertdeckard2136
    @robertdeckard2136 15 days ago

    Gentoo can optionally be set up with musl instead of glibc. Not sure how often this is done in practice, however. I did my first Gentoo install only a few months ago.

  • @F_Around_and_find_out
    @F_Around_and_find_out 15 days ago

    Many vulnerabilities being discovered lately is a good thing, because they are being seen, they are being fixed, and best of all you as the common user can know all of this.
    Proprietary software? Unless the people there do a press release, you won't know a damn thing. And there is a chance that there are fewer eyes to discover weird activities in the code too.

  • @ravenecho2410
    @ravenecho2410 16 days ago +3

    Alpine is, like, the standard minimal Linux distro for Docker and k8s?

  • @sethjets4687
    @sethjets4687 16 days ago +2

    Maybe... just maybe that is the way Nemesis Market got seized?

  • @mattm3023
    @mattm3023 16 days ago +1

    Actually paused the video and updated, though unattended-upgrades already took care of it. If you're using Ubuntu 22 then libc6 2.35-0ubuntu3.7 (check with ldd --version) is fixed despite being "under" 2.39.

    • @MentalOutlaw
      @MentalOutlaw 16 days ago +1

      Same thing happened on the based.win backend; confirmed it this weekend when I saw the Openwall post.

    • @mattm3023
      @mattm3023 16 days ago

      @@MentalOutlaw Yeah, might be a good video, ensuring security updates are on auto. Also, I'm kind of embarrassed how much I use LAMP, but man, it's so fast to deploy.

  • @pierrejoye
    @pierrejoye 15 days ago

    For the record, PHP on Windows runs very well. Performs well too.
    It is still more common to run on Linux, not because PHP does not work on Windows, but because user apps are less portable. But with most frameworks, and as long as conventions are respected, zero issues.

  • @ST-actual
    @ST-actual 16 days ago

    Lmao, I feel attacked by the LAMP stack part

  • @GydoMans
    @GydoMans 16 days ago

    nice acoustics >.>

  • @hthring
    @hthring 16 days ago

    Also, open source is more likely to have bugs found because people can analyse the code looking for vulnerabilities.

  • @AmosThacker-Gwaltney-hy7tc
    @AmosThacker-Gwaltney-hy7tc 16 days ago +1

    I could be wrong, but cursory Google searching shows that Andres Freund works for Microsoft and PostgreSQL, meaning he contributes to open source but works under proprietary software leadershit?

  • @Sypaka
    @Sypaka 16 days ago +2

    Days to next CVE: 0

  • @adamterrence
    @adamterrence 16 days ago +4

    Thank you Jayson Tatum

  • @by010
    @by010 16 days ago

    I started my dev life as a LAMP stack dev. Still returning to LAMP for small gigs every now and then.

  • @ericlindell3777
    @ericlindell3777 16 days ago

    Great vid!

  • @beskamir5977
    @beskamir5977 16 days ago

    April: Month of security vulnerabilities. I shudder to think what will be found on April 30th.

  • @levvayner4509
    @levvayner4509 14 days ago

    Known bugs are SOP. Software is released with a list of known issues that is developed as more people provide feedback.
    Teams will ensure any critical issues are fixed, but non-critical issues, especially ones that have workarounds, are often released.

  • @IvanStamenkovicSeemsIndie
    @IvanStamenkovicSeemsIndie 16 days ago +1

    Oh we will, a Grafana exploit just landed... it's a fun month...

  • @Gamesational1
    @Gamesational1 15 days ago +1

    Crazy. I need to update PHP

  • @isheamongus811
    @isheamongus811 13 days ago

    7:30 One could notice it with low-level system-wide debugging, but that would be likely only if someone was reverse engineering.

  • @gregoryvanny-is2of
    @gregoryvanny-is2of 4 days ago

    BSD desktop users just chilling on their own little island, completely unaffected by any of this and watching everything burn with vulnerabilities

  • @JRSofty
    @JRSofty 16 days ago +1

    It would be nice to know if it is possible to mitigate the problem at the PHP level when you don't control the underlying server and cannot update Linux. Yet everyone seems to be talking about this critical CVE, which ramps up the stress, but there doesn't seem to be a clear path for mitigation.

  • @elexbeats
    @elexbeats 14 days ago

    I think it would be great content if you showed a way to encrypt your hard drive so that even people who have physical access to it can't find the recovery keys to decrypt it.

  • @SteveWray
    @SteveWray 15 days ago

    Interesting that the ISO-2022-CN-EXT character set is mainly used for traditional Chinese, e.g. Taiwan.

  • @somerandomguy001
    @somerandomguy001 16 days ago +1

    "All PHP Applications are Vulnerable"
    *Surprised Pikachu face*

  • @ShadowManceri
    @ShadowManceri 16 days ago +1

    Sounds like this would affect every app that uses the system's iconv. Not really just PHP. So more of a GNU issue.

  • @FPVogel
    @FPVogel 16 days ago +1

    Started the video, watched halfway through, updated and rebooted all servers at 3am, there we go
    not even billable hours :(

  • @Reelix
    @Reelix 16 days ago +1

    glibc version checker (older than 2.39 are vulnerable)
    #include <stdio.h>
    #include <gnu/libc-version.h>
    int main (void) { puts (gnu_get_libc_version ()); return 0; }
    Save as test.c
    Run: gcc test.c -o test
    ./test
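As an added example (not code from the video or from any commenter), the following complements the version check above: @mattm3023 notes that distros backport the fix below 2.39, so the version alone does not settle exposure. It asks the running C library whether it can open an iconv converter to ISO-2022-CN-EXT, the charset the CVE concerns; if it cannot (a musl-based system such as Alpine, or a glibc with that gconv module removed), the affected code path is not reachable from that process, and if it can, the vendor's fix status still has to be confirmed. The charset names, function names and exit-code convention are my choices.

```c
/*
 * Exposure check for CVE-2024-2961 (added example, not from the video).
 * Reports the C library version (when it is glibc) and whether iconv can
 * load a converter *to* ISO-2022-CN-EXT, the conversion direction in which
 * the affected glibc code runs.
 */
#include <iconv.h>
#include <stdio.h>

#ifdef __GLIBC__
#include <gnu/libc-version.h>   /* gnu_get_libc_version(), glibc only */
#endif

/* Converting to this charset is the code path the CVE concerns. */
#define AFFECTED_CHARSET "ISO-2022-CN-EXT"

/*
 * Returns 1 if the C library can open an iconv converter from `from` to `to`,
 * 0 if it cannot. iconv_open() returns (iconv_t)-1 (errno EINVAL) for a
 * charset pair the library does not support, which is what musl reports for
 * converters it does not ship and what glibc reports when the gconv module
 * is absent.
 */
int converter_available(const char *to, const char *from)
{
    iconv_t cd = iconv_open(to, from);
    if (cd == (iconv_t)-1)
        return 0;
    iconv_close(cd);
    return 1;
}

/*
 * Prints a short report and returns 1 when the affected converter is
 * loadable in this process, 0 when it is not.
 */
int report_exposure(void)
{
#ifdef __GLIBC__
    printf("C library: glibc %s\n", gnu_get_libc_version());
#else
    printf("C library: not glibc (musl or other)\n");
#endif

    int reachable = converter_available(AFFECTED_CHARSET, "UTF-8");
    if (reachable)
        printf("iconv to %s: available; the affected path is reachable,\n"
               "so confirm this build carries the vendor's fix\n",
               AFFECTED_CHARSET);
    else
        printf("iconv to %s: not available; the affected path is not\n"
               "reachable from this process\n", AFFECTED_CHARSET);
    return reachable;
}

int main(void)
{
    /* Exit status 1 = converter present, 0 = absent, for use in scripts. */
    return report_exposure();
}
```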

  • @isheamongus811
    @isheamongus811 13 days ago

    WAMP is sometimes used in testing.

  • @lightfox11
    @lightfox11 16 days ago +1

    Nice

  • @davorfister
    @davorfister 16 days ago +1

    nicee another one

  • @ChiEKKUsama
    @ChiEKKUsama 16 days ago +8

    Chinese characters? Again? I thought we already solved this problem with wchar and other wide character types

    • @xparadoxical69
      @xparadoxical69 16 days ago

      PHP didn't catch up

    • @rezwhap
      @rezwhap 16 days ago +3

      We fixed it with UTF-8 being the de facto web encoding. But… legacy stuff.

  • @amr3162
    @amr3162 16 days ago +2

    2:08 Alpine is not used in production? It's one of the most used distros for Docker containers.

    • @nathanoher4865
      @nathanoher4865 16 days ago

      Perhaps that's what he meant? Maybe he means the hosting servers, not containers.

  • @millalaure
    @millalaure 16 days ago +3

    Lovely

  • @burginout
    @burginout 16 days ago +9

    6:53 yeah, it only took 24 years

    • @captatech8081
      @captatech8081 16 days ago +3

      Being honest, in prop software it probably wouldn't be fixed at any given time (unless the breach was discovered by hackers).

  • @gabeforbes147
    @gabeforbes147 16 days ago

    First time on your page and bro, you look like Jayson Tatum

  • @nixnox4852
    @nixnox4852 16 days ago +1

    I can't believe WordPress has another critical vulnerability

  • @cosmochaosmaker
    @cosmochaosmaker 15 days ago

    PHP Dev: I live in a burning house. But because fire always climbs up, I'm living safe at the bottom of the house. 🙅‍♂️