Any chance you will be offering student discounts in the future? I’ve started doing picoCTF and hackthebox challenges for a school club and think that the courses would be great learning resources for building applications with c but the price feels a bit too prohibitive
bro. you have the style, you have the knowledge, and you have the courage. I liked your talk, your analysis, damn how I love these videos...keep going.
Exactly. The person who wrote safe_system probably got into arguments with the person who wrote account, who told them to not to worry about it. Some manager then told them to ship it and move on. Then the manager got their bonus for delivering on time.
@kapstersmusic I would assume the person who wrote safe_system never saw what the one who wrote account did. That would be gross negligence to not replace these 4 lines with their better, ready-made equivalents. Safe string processing is part of the standard, and safe_system is just there. Even without changing the string processing, just using safe_system to make sure the exploitable buffer overflow isn't literally ready to use as-is would be 2 seconds well spent. The security researcher would have maybe spent hours instead of minutes to get a working exploit.
The problem is not one programmer not being up to the task of writing safe code; or people talking to each other... the problem is quality assurance and testing. A company should never assume that a person doesn't make mistakes, it's about validation and testing. And D-Link apparently doesn't care enough about the quality of their products.
@@Exilum I would guess safe_system is from some sort of library, and the call to it was copy-pasted, but the account program was new and written by someone trying to only use the C standard library or sth like that, maybe because they didn't know how the Posix API worked, would be my guess.
@@svaira Or the other way around where the account software was from an older era some 30 years ago where things like this didn't really matter since it was executed from the root prompt.
This is actually a genius level move by D-Link: They not have to fix *past* bugs because they deem their hardware antiquated. Also! They also don't have to fix *future* bugs because they just scared away their entire customer base
@@dave7244 The 340L was released in 2015, and according to the dLink website "This product was phased out on: 29/10/2017", so maybe they were available for sale until then (and maybe even after that date from some retailers).
"D-Link US recommends retiring and replacing D-Link devices that have reached EOL/EOS" - To which every owner should say, "No problem, I'll replace it with a different brand".
//"D-Link US recommends retiring and replacing D-Link devices that have reached EOL/EOS" - To which every owner should say, "No problem, I'll replace it with a different brand".// ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
" replace it with a different brand". Why? To have a bug from a different company? A bug which will be there for a decade, discovered only by hackers? Never buy a 'NAS'. Use your old PC, install TrueNAS on it, put it into its own VLAN and call it a day.
The funny thing for me is the vulnerability means you could recompile the account command to use safe_system and then use the vulnerability to download the patched account binary to the NAS, fixing the hole.
That was my initial thought as well. Seems this could be fixed rather easily, even by "hackers". The guy running this channel could probably make the patch, Linksys refuses to do, in a matter of minutes.
Even if they audited the code they wrote who’s to say the unix utilities calling were audited. The usernames etc should have been sanitized to remove any non alphanumeric characters, so their safe system is anything but safe. Anyway it was a great video. Even with input sanitation, the fact it is calling other programs makes it a crapshoot.
@@richcole157 It looks like the vulnerability can be triggered through the `pw` field and it is much harder to sanitize it in the way you suggest for `name`.
Do you really think they have _teams_ working on that? More likely one part of the code was written by one overworked guy at one time, the other part written by another overworked unqualified guy at another time, and all copy-pasted together by an unpaid intern later ...
HOT TAKE: If vendor stops supporting product because if it's out of live even with such security critical cases, we as society should stop supporting copyrights related to it. Granted here there's probably not that much to protect, but if there's any copyright protection on that code, it should vanish, reverse engineering ? Producer orphaned it, we're not gonna prevent people to adopt this child. Re distributing binaries ? If it's not worth for you to fix it it's not worth to us to chase people that copied it.
That should not be hot take at all. If aren't making money on your copyrighted thing, what are you protecting it for? Kind of same with games. Your game is not officially available for purchase? People get to crack it and share it freely without consequences.
@@tyrannosaurus_x Yea honestly that take developed because of stop killing games initiative in the first place. And not even about "Me wants to play games that aren't available" thing ( be it it's still valid approach) or that company isn't making money anyway, i mean questioning how system works in much broader way. We as society agreed to protect data, (art work code, design so on) (which i'm not against to be clear, my problem starts and ends with how system work currently not with existence of system) and at this point we agreed to do so at ridiculous time frame, Mickey Mouse famously entered public domain in 2024, a artwork from between world wars period, i'm from Poland, in our calendar that's like two invasions ago, neither of my parent's were alive when it came out, and they had me at ridiculous old age, they grew up in different world, telephones were rare, cars too, country was still firm in grip of USSR and iron curtain divided Europe, i grew up in free Poland, wit ability to free travel across Europe because of shengen, with internet access since i could remember, YT raised me as much as mu parents did, it gave me skills to get job as programmer. My father born in 1945, after Mickey was created, and died in 2018 before it entered public domain. I tell you all this to hammer point how long time frame we're talking about, and how much of commitment society gives to copyrighted work. Even if it was out of print for years, even if original company isn't supporting it since decades, last entry in IP was made before my country in it's current form was established, it stil will be protected. In return(and i'm talking mostly about video games, but somewhat applies to software in general), they mercifully allow us to rent their software for unspecified amount of time, for usually not so small sums of money, and usually with right to take said license away at a whim without a reason. Again, not for abolishing copyright entirely. But i think in current situation "tail is wiggling the dog", and either copyright retention shorten, new causes for artwork entering public domain established or both. (Perhaps it should work a bit trade mark, if you don't use it, you louse it.)
Imagine how chuffed the guy was finding this bug, like "yeah im definitley getting a payout, they will be so glad i found it!", just to be told to feck off and that the fix was buy their new products XD Poor bloke
@@bmanpura maybe, it would certainly teach them a lesson, but if your a genuine pen tester/bug bounty hunter your risking your career doing shit like that. The amount of attribution and tracking sites these days is insane. One example, I wrote a little article on footprinting Imap/POP3 mail servers last week. I googled the article the next day to find that id been entered into an International cyber threat database. The bot armys are real af bro. They had entire maps and models of endpoints and systems just from my write up.
The team that wrote the "account" program assumed that their program is only going to be used by users that are already authenticated inside the machines shell. The team that wrote the HTTP server thought that the "account" program is safe to execute with parameters controlled by the unauthenticated user.
You probably hit the most likely explanation. Unfortunately, the bigger problem is D-Link unwilling to update it or at least send out a crisis report to news agencies to let customers know. I did see someone hint at mandatory open sourcing for deprecated software. I think that would definitely help, because the person who finds the bug could patch it. Maybe we need to promote open source routers now?
Open source radio transmitters have a remarkably hard time getting FCC approval... Qualcomm isn't the _only_ reason Qualcomm radio chips continue to use closed-source code. It's really annoying; the efforts to block true direct mobile-to-mobile LTE, were so coordinated, one could almost be forgiven for mistaking those efforts as good-faith "interference prevention". Open wireless is anathema to regulation; it's been stomped on, one product launch after another, my whole life or more.
@@prophetzarquonThat’s not an accident. Lobbyists love regulatory capture. It’s all by design that OSS firmware cannot be used on RF systems. By design of the companies that have vested interest in selling us new stuff all the time.
I maintain multiple servers and my go-to rule with even throwaway shell scripts is that all input must be considered unsafe. Always encode data as data regardless of the programming language you use and all injection attacks immediately vanish everywhere.
No consumer protection law protects your from end of life products. In fact in Europe it's only 3 years warranty for a new product. Some pro or enterprise products get 5 or 10 years warranty but then consumer laws don't apply because the buyer acts as a company not individual.
Reminds me of a time a car dealership sent me lottery thing in the mail. Said I won a $50 gift card. Had a number to verify. Verified as valid. Walked into the car dealership and it was a "raffle" with the winning numbers already picked. Mine was not one of those numbers. Told them fuck you and that I'm never coming there again. The kind of idiot that looks at and buys a car after that is next level stupid.
@@sootikins Right, because manufacturers update their software after 14 years from their initial release date. You guys might be some retards or a bit clueless how things work when producing hardware and software components but hey, I'm a salesman, you got me
Synology has it's own security issues unfortunately. Their security settings page forces you to give a phone number for 2FA setup, but SMS 2FA is easily exploitable.
As a person that has programmed for 30+ years, that is absolutely insane. The incompetency is astounding. If D-link can't fix things like this, then don't buy D-link products, it's that simple. They clearly don't care about their customers.
Yes, it is truly astounding. I've done some PHP programming for myself and some friends, and did some professionally a number of years ago. One of the first things I did was write a shell command to read all PHP files and find all instances of "if X = Y", and I used that shell command during and after each programming session to ensure that I never accidentally assigned a value when I intended to query it. Checking for calls to system() would be similar (I never used system calls, so I never needed to do such checks, but it would have been simple to check for them). If I -- a single individual -- could do some simple checking and validation to prevent problems, then surely a corporation such as D-Link could have done so.
@@nullvoid3545 What? No it's not. D-Link is a subsidiary of the Taiwanese Steel Group. They have no affiliation to Netgear. Why would you post blatantly false information like that?
It's hard to imagine a scenario where this is an isolated incident. At any competent organization, the first time something similar happened, the dev-sec-ops team would've forced all kinds of commit/deploy hooks checking for system calls and requiring the lead/PO to sign off that they weren't doing something stupid. This makes all D-Link hardware sketchy. They're not a new company, and they're not small, and they're not new to making routers.
I had once a dlink router, and it was losing connection about once a day, so I had to unplug and plug it again. I decided to update the firmware, in the hope that it would be fixed. After the update, the connection was dropping every 20-30 mins. Horrible experience. I installed de-wrt (which fixed everything) and never got a dlink device ever again.
As a Junior, I was terrified of making mistakes like this. As a Lead, I now realise how most of the world runs on software that people go out of their way to make utter s**t. Ask a locksmith and they'd always rather have software locks, ask a software dev and they'd always rather have physical locks. When you know, you know how bad things are lmao
Dude, the physical locks thing is so true. When I found out about lockpicking, I took a thin, flat piece of metal and just raked my apartment lock. In 30 seconds it was unlocked. Most locks are a joke. 😐
I was in disbelief about the "cut off a Bic pen & wobble it around in the keyhole" method for circular keys, so I tried it: Took me ~12 minutes the first time,
Prob a junior tech that was tasked to write the account script. This is why you need THOROUGH PR reviews and things like sonar to check for code smells like system and sprintf calls.
@speedweasel yup, a junior tech should never be blamed for something like this. If a junior dev is accidentally able to get such a bug into production, then a senior dev with bad intentions DEFINITELY would be capable of doing that as well. It's up to your pipeline engineers to make sure that CAN'T happen.
@@rikschaaf There is no such thing as code review in Chinese software development world in many places)) Nobody looks code, they just make it work, do some stuff to pass manual and automatic tests and this all. And because there was no code review for years they can't start doing it effectively because everyone is more incompetent and can't spot other people bugs just by looking code (this is separate skill which require not just technical knowledge but also able fast understand code and see whats can goes wrong) Also code review would kill they productivity and increase cost, so for them there is no reason to introduce some "bad" practices from financial perspective)
Id believe it. Like immediately after some companies want you to upgrade they say "hey there's a backdoor you should stop using the product or your product is gonna be 15% slower" Spectre and meltdown, windows XP, apple battery health, etc are ideas that come to mind.
Microsoft refusing to patch critical vulneralibity is how Windows 7 got abandoned. The idea have been around.. _Activating them is a new level of evil_
Forced obsolescence? They were obsolete before this disclosure. They're 14 year old devices. On top of that, one should NEVER use a consumer branded anything for anything actually sensitive or mission critical. These devices don't have redundant power or controllers. Those interfaces/ports/protocols shouldn't be exposed to the internet anyway. If you actually put one of these open to the internet, that's on you, not D-Link. If it's NOT exposed to the internet, in order to exploit it, you'd need to be on the local network already, in which case, you've already been compromised and you're fucked. This is something that should absolutely be fixed in any still supported devices, but end of life means end of life.
Oh yeah, D-Link. I'm a dev as well as an IT consultant. Got hired for a project because a company was facing issues where their entire network went down intermittently. Turned out they were using D-Link switches everywhere in their network. These switches had a vulnerability that could trigger a packet storm. There was no firmware update or fix. I replaced every single piece of network equipment that was made by D-Link with its CISCO equivalent. This was 5 years ago and their network has been working reliably ever since. D-Link is a total mess.
As someone who has worked in both residential and corporate IT for over 20 years now, I'll never go near D-Link. Garbage products made by a company that does not care. Nothing about this situation surprises me.
I like collar-shirt Ed. He said "You shouldn't have your NAS with its, like, butt, in the ether-net port, facing out into the internet..." omg. I lol too hard at the mental picture that paints.
@@flarebear5346 Yes, I know. But which end user knows this. And now the vendor name is in the press again an they can start their next product. Always remember, "The S in IoT is for security" (Need to find this T-Shirt for next week it must be somewhere. )
You shouldn't have the nas open to the public internet, especially not your admin console. You'd want to have an authentication layer in front of any requests to the applications on your system, or better yet, only allow access to your system through a secure VPN. In the case of this bug, you wouldn't be able to send a request to (target IP)/cgi-bin... if it wasn't already open to the public internet (which again, it shouldn't be), but if it was or say you're connected to the same network, then your whole machine is wide open.
I used to have a shell script to redial the internet set up as a CGI. Anyone on the LAN could reconnect the internet as needed that way. We paid per call back then for local calls, so doing it this way made it convenient, but saved calls at night when no one was using it. There was a 4 hour session limit on our ISP.
I'm honestly astounded at how easy your videos are to understand and follow. My only background in coding was one course that used Python in uni, and a little introductory C++ in high school, but I'm mostly able to keep up with what you're putting down. Good vids, is what I mean to say
I had to pause at 2:11, scream a little, grab a coffee, calm down and resume 5-10min later. ... turns out I was not done screaming. HOW DID THAT GET WORSE
You make a great point at the start that EOL is decided by manufacturer itself. When you put it that way, it should be legally mandated to support for 20 years
Some companies one should just never deal with. This is literally the opposite of the kind of support we have been used to from companies like IBM for example.
I have abandoned using any D-LINK devices decades ago (around 2005-6) for exactly these kind of practices (and bugs). It's almost unbelievable they are still doing these things after all these years and are still part of the market ...
26 วันที่ผ่านมา +6
First mistake they made was buying a D-link. If I see d-link device on customer’s network it has immediately to go out.
Dumb switches are one thing. No one should be using D-Link for anything more than that. There's plenty of much better stuff available in the NAS or higher end consumer networking market for not much more money. I'd rather get a TP-Link setup and a Synology or QNAP NAS, but if you just need a 8 or 16 port gigabit switch? Buy whatever is cheapest because it'll work fine.
I was particularly impressed by your mastery to size up the thing and communicate in relevant-human-readable. Coding is a dark art already (which is a compliment).
Using "safe_system" to just call "system" anyway is awesome. It's like storing the key of the storage that holds your valuables in a bank vault for safety, but the storage with the actual valuables inside is just a cardboard box with a padlock.
I've seen more than once maintainers of very active, open source, self-hosted applications saying "our average user does not need enterprise level security features" when they refuse to implement things like mTLS support in their mobile client. Or sometimes they tell you to use treafik as your reverse proxy when you expose the service to wan, while traefik requires the docker socket in a container that is supposed to be facing internet. Absolutely unforgivable.
That's pretty standard for a vendor to not cover a patch no matter the severity for end of life devices. If you have a Naz that is 10 plus years old, the hardware itself went end of Life 3 years ago and the vendor puts wine in the sand after so many years that they can no longer allocate resources to still patch and create firmware for devices that are so old and probably only have a very small percentage of users still using it. I would be interested in seeing if D-Link has the ability to see how many users are using their NAS with a phone home feature or something like that so they can say that this vulnerability only happens in 5% of users utilizing their equipment and most of the other product has been retired thrown away or trash to recycled. Very rarely will accompany actually create a patch for a end of life device. And it usually comes down to the amount of users still using that device and how bad the vulnerability is. Very few times have I actually seen a vendor cover and patch of vulnerability that is end of life The last big one that I remember seeing was Microsoft and Intel and AMD whenever specter and meltdown were announced and since it affected every CPU created in the last 20 years It made sense for them to create code updates in microcode updates and even OS updates to help patch these issues even friend of life hardware and software.
According to Wikipedia: "In 2022, D-Link obtained the TRUSTe Privacy seal, certification of ISO/IEC 27001:2013 and BS 10012." Certifications truly mean nothing!
I’m glad we have people like you who dig into and white hat this stuff. What the hell…never going with D-Link. They should be held responsible for patching this *regardless* of EOL. I mean, arcane hacks are one this, but this vulnerability is blatant and moronic - they should have to provide a fix for this…not force people to buy a new router.
i'm an swe student and i still don't see myself a good coder programmer I don't understand a lot of concepts and I wasn't passionate about computers in general before entering college. i only know the theoretical concepts but these videos are really making me love the field and wanting to learn more and make me curious more and more!
He did mention that in the video too but the low hanging fruit is the system call. I mean both need to be fixed and are right next to each other. Not sure how people are going to do that though, if at all.
As primarily a sysadmin with basic programming knowledge, I really appreciate the way you explained the code. Nice and easy to follow and your enthusiasm is very engaging.
IMO this is not a bug but a design flaw. I can't say it's intended but definitely never thought of it in security perspective(or just abandoned the security scope). This is not "fixable", this just shouldn't exist in the first place. If you say something EOL so no more security update, OK. But if you put something known with flaw(at least we all known), that's not security update. It's just a garbage be advertised as something useful. It should be RECALL. Can Tesla say their car has a known risk to explode if you press certain button before EOL but now it's EOL so they won't fix? Elon Musk will be put in jail if so.
In the early 2000s I used to have a D-Link DSL-504 ADSL router. If you enabled SNMP to e.g. graph traffic statistics, you could walk the device and retrieve the username and password of the attached broadband service, in plain text. Am I really surprised that D-Link equipment still has such egregious errors? They've been at it since the early 2000s. Old habits die hard I guess.
And no mention was made anywhere about requiring authentication to access the CGI... So even if you could not run arbitrary commands, you could likely still create accounts.
could not stop laughing at 11 minutes, was not expecting this, looks like a mistake I would make, mind you I am very very bad at coding. Thanks for the video, almost as comical as self reflection, but without all the pain that comes alongside it.
oh you mean that 'computing appliances' aren't like toasters, and are really just computers that need constant updates forever? but I bough this 'appliance' because it is cute and single purpose like a toaster that needs no updates ever
D-Link has a history of doing this. When I was in university, I found a couple of significant bugs in DIR-601 routers that could lead to RCE in many cases. The first bug was a command injection in the router's diagnostics page that let me inject arbitrary shell commands. This page normally requires that the user be authenticated as an administrator to access it. Unfortunately, that authentication was flawed and due to an API endpoint in the router not being properly authenticated, it was possible for a user authenticated as a regular user to generate and download a configuration backup. The administrator password was stored as plain text in this backup. I can imagine most people would not change the default user password, since it isn't privileged. I attempted to report this, but every email I sent bounced with an inbox full error. No idea if it was ever patched.
@@corvusnocturne Kai Saikota and Fauna are the only vtubers I know that have one, except them, I have never seen anyone with one Eric Parker has kitty headphones, so Low Level could learn from him
That was fun... 😂 I know you know, but I'll pointing out that at 2:34 it is just URL-encoding of plain ASCII, no Base64, so %27 is a single quotation mark and %20 is a space. I would expect the exploit to be a little bit different in the quotation style, by looking at 11:13... is it done on purpose to fool the skids? 🤔Am I blind? 😆Or maybe there was some string replacement along the way...? The stuff is pretty basic nonetheless, LOL 😁
@@someonespotatohmm9513 yeah we did... on smartphones as long as they are guarantee cases. so 2 years more or less. the d-link stuff mentioned here is EoL since 2017. not really fair to blame somebody to not have updated their old ass fk. anybody here mad at Microsoft for not patching Vista anymore? no? exactly the same thing.
This is the rare occasion I'm actually sort of on D-Links side. They're not even in the NAS business any more. I'm sure there are lots of 0-days lurking in the mountains of EOL hardware & software out there. At some point using old stuff becomes "use at your own risk"
I don't like D-Link, at all, but I completely agree. For all we know, their engineers discovered this among other things, and that's WHY they killed the product. Corpo's would never call an end of life without immense pressure from the engineers, not while there's still any free milk left to squeeze.
It's not an excuse to not inform the public if the info was made known and not allowing for the community to fix the bug on their own. If anything, they should write that on the product box with the warranty. If the product is out of warranty, you are at risk of your devices being hacked and the company will not make any further patches to protect you. This is not apparent to any consumer, because we don't know the End Of Life ahead of time and no public announcements are made. Maybe this more of a legislative issue regarding packaging, like food expiration dates.
Dude Its my first time watching your video and this video just forced me to subscribe to you, just from a single video I got to learn hell a lot. Thanks Man!!
Aaaaaand that is another final nail in the coffin for D-link anything now. I mean, on top of the surprise d-link is even a thing anymore still.... But yeah, that kind of reply, without say....releasing some source so the community can support the products they refuse to....has done exactly what they want but not how they want it. Yeah, Ill replace EVERY d-link device with NOT d-link now. Good job on the PR front d-link....morons....
We need software engineers who, like other professional engineers, can be held personally legally liable for their work. The software industry is much too lax with the rigor of their code.
You have to have legal technical standards to have individual liabilities. No such thing in software (and good luck), so who sells the product, the company, takes liability.
Your device ... your possession I really don't get it that adult man and woman are not able to install ... effing OpenWRT ! Have I uttered a secret? ROTFL
Wow. And what would that liability be? Perfect code? And for how long? Forever? Why is it not enough to have companies liable? Software is more complex than anything else and also not a very relaxed industry for most people.
![เปิดบ้าน โคตรสวย ป๋องกพล รู้จักตั้งนาน เพิ่งรู้ว่ารวย!!! l [Nickynachat]](http://i.ytimg.com/vi/tmgCF_2HfYI/mqdefault.jpg)
![เป็นไปได้ไหม - WanMai [Performance Video]](http://i.ytimg.com/vi/Eh5hItD4Mr0/mqdefault.jpg)
you know what else is unforgivable? not checking out lowlevel.academy (and getting a DISCOUNT?)
I would buy a good ghidra course.
"I can't believe a company isn't held legally responsible" XD
Any chance you will be offering student discounts in the future? I’ve started doing picoCTF and hackthebox challenges for a school club and think that the courses would be great learning resources for building applications with c but the price feels a bit too prohibitive
How long do you expect a company to support their software after EoS/EoL?
bro. you have the style, you have the knowledge, and you have the courage. I liked your talk, your analysis, damn how I love these videos...keep going.
The guy who wrote the safe_system code is definitely a different person from the one who wrote account. I can't believe it is any other way
Exactly. The person who wrote safe_system probably got into arguments with the person who wrote account, who told them to not to worry about it. Some manager then told them to ship it and move on. Then the manager got their bonus for delivering on time.
@kapstersmusic I would assume the person who wrote safe_system never saw what the one who wrote account did. That would be gross negligence to not replace these 4 lines with their better, ready-made equivalents. Safe string processing is part of the standard, and safe_system is just there. Even without changing the string processing, just using safe_system to make sure the exploitable buffer overflow isn't literally ready to use as-is would be 2 seconds well spent. The security researcher would have maybe spent hours instead of minutes to get a working exploit.
The problem is not one programmer not being up to the task of writing safe code; or people talking to each other... the problem is quality assurance and testing. A company should never assume that a person doesn't make mistakes, it's about validation and testing. And D-Link apparently doesn't care enough about the quality of their products.
@@Exilum I would guess safe_system is from some sort of library, and the call to it was copy-pasted, but the account program was new and written by someone trying to only use the C standard library or sth like that, maybe because they didn't know how the Posix API worked, would be my guess.
@@svaira Or the other way around where the account software was from an older era some 30 years ago where things like this didn't really matter since it was executed from the root prompt.
It's not a bug, it's a low effort backdoor
The CIA was too busy trying to kill fidel castro...
Semantic arguments are fun, but that's all they are. Backdoors target vulnerabilities. Vulnerabilities are bugs.
I think they’re implying it was intentional
@@himothanielCondescending responses to comments you don't understand are fun, but that's all they are.
You can read condescension into my comment if you like, but there wasn't any there. A small joke went over my head. I can acknowledge that.
"Buy another NAS", definitely won't be a D-Link, I can tell you that for nothing.
QNAP or Synology should use this as free advertising for their newest kit
@@FrankEBailey WTF are you?
Buy the stuff and install firmware, that can be called that way:
OpenWRT !!!
@@FrankEBaileyI think Synology had a zero day like 2 weeks ago
@@adammontgomery7980 was the zero day as stupid as this one?
@@dancom6030 its not the first...
This is actually a genius level move by D-Link:
They not have to fix *past* bugs because they deem their hardware antiquated.
Also!
They also don't have to fix *future* bugs because they just scared away their entire customer base
they are just playing multi-dimansional chess 😆
XD 200 iq
@@dave7244 but the bug was present on day 1.
@@dave7244 The 340L was released in 2015, and according to the dLink website "This product was phased out on: 29/10/2017", so maybe they were available for sale until then (and maybe even after that date from some retailers).
@@dave7244 Are you using D-Link's suggested NTP server?
en.wikipedia.org/wiki/D-Link#Server_misuse
"D-Link US recommends retiring and replacing D-Link devices that have reached EOL/EOS" - To which every owner should say, "No problem, I'll replace it with a different brand".
//"D-Link US recommends retiring and replacing D-Link devices that have reached EOL/EOS" - To which every owner should say, "No problem, I'll replace it with a different brand".//
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^6
I agree.
" replace it with a different brand". Why? To have a bug from a different company? A bug which will be there for a decade, discovered only by hackers?
Never buy a 'NAS'. Use your old PC, install TrueNAS on it, put it into its own VLAN and call it a day.
@@temp50 Most companies do emergency patches when these kinds of bugs pop up. Even microsoft does that.
The funny thing for me is the vulnerability means you could recompile the account command to use safe_system and then use the vulnerability to download the patched account binary to the NAS, fixing the hole.
Now this is bug fixing
lol that is amazing maliciously fixing bugs its like bethesda game modders.
Might as well install a webshell while you are at it.
Great idea. Shame its a read only file system.
Shouldnt be upto the fbi or whitehats to fix easy fixes like this.
That was my initial thought as well.
Seems this could be fixed rather easily, even by "hackers".
The guy running this channel could probably make the patch, Linksys refuses to do, in a matter of minutes.
This is what happens when you have 2 teams not talking to each other. One team did it right, the other not so much.
Even if they audited the code they wrote who’s to say the unix utilities calling were audited. The usernames etc should have been sanitized to remove any non alphanumeric characters, so their safe system is anything but safe. Anyway it was a great video. Even with input sanitation, the fact it is calling other programs makes it a crapshoot.
@@richcole157 It looks like the vulnerability can be triggered through the `pw` field and it is much harder to sanitize it in the way you suggest for `name`.
Do you really think they have _teams_ working on that? More likely one part of the code was written by one overworked guy at one time, the other part written by another overworked unqualified guy at another time, and all copy-pasted together by an unpaid intern later ...
@@memyshelfandeye318 Well, that's like 2 teams right there! :D
@@IvanToshkov good point.
HOT TAKE:
If vendor stops supporting product because if it's out of live even with such security critical cases, we as society should stop supporting copyrights related to it.
Granted here there's probably not that much to protect, but if there's any copyright protection on that code, it should vanish, reverse engineering ? Producer orphaned it, we're not gonna prevent people to adopt this child.
Re distributing binaries ? If it's not worth for you to fix it it's not worth to us to chase people that copied it.
That should not be hot take at all. If aren't making money on your copyrighted thing, what are you protecting it for? Kind of same with games. Your game is not officially available for purchase? People get to crack it and share it freely without consequences.
@@tyrannosaurus_x Yea honestly that take developed because of stop killing games initiative in the first place.
And not even about "Me wants to play games that aren't available" thing ( be it it's still valid approach) or that company isn't making money anyway, i mean questioning how system works in much broader way.
We as society agreed to protect data, (art work code, design so on) (which i'm not against to be clear, my problem starts and ends with how system work currently not with existence of system) and at this point we agreed to do so at ridiculous time frame, Mickey Mouse famously entered public domain in 2024, a artwork from between world wars period, i'm from Poland, in our calendar that's like two invasions ago, neither of my parent's were alive when it came out, and they had me at ridiculous old age, they grew up in different world, telephones were rare, cars too, country was still firm in grip of USSR and iron curtain divided Europe, i grew up in free Poland, wit ability to free travel across Europe because of shengen, with internet access since i could remember, YT raised me as much as mu parents did, it gave me skills to get job as programmer. My father born in 1945, after Mickey was created, and died in 2018 before it entered public domain. I tell you all this to hammer point how long time frame we're talking about, and how much of commitment society gives to copyrighted work.
Even if it was out of print for years, even if original company isn't supporting it since decades, last entry in IP was made before my country in it's current form was established, it stil will be protected.
In return(and i'm talking mostly about video games, but somewhat applies to software in general), they mercifully allow us to rent their software for unspecified amount of time, for usually not so small sums of money, and usually with right to take said license away at a whim without a reason.
Again, not for abolishing copyright entirely.
But i think in current situation "tail is wiggling the dog", and either copyright retention shorten, new causes for artwork entering public domain established or both.
(Perhaps it should work a bit trade mark, if you don't use it, you louse it.)
it's a 14 year old NAS
@veryCreativeName0001-zv1ir and you're point is ?
This is a great idea! Added to the list of things I'd want to change.
Imagine how chuffed the guy was finding this bug, like "yeah im definitley getting a payout, they will be so glad i found it!", just to be told to feck off and that the fix was buy their new products XD
Poor bloke
Nah, said bloke can scour the internet for eol products to hack. Win win.
@@bmanpura maybe, it would certainly teach them a lesson, but if your a genuine pen tester/bug bounty hunter your risking your career doing shit like that. The amount of attribution and tracking sites these days is insane.
One example, I wrote a little article on footprinting Imap/POP3 mail servers last week.
I googled the article the next day to find that id been entered into an International cyber threat database. The bot armys are real af bro. They had entire maps and models of endpoints and systems just from my write up.
Now he's mining bitcoin on your NAS, so whatever.
😂
The team that wrote the "account" program assumed that their program is only going to be used by users that are already authenticated inside the machines shell. The team that wrote the HTTP server thought that the "account" program is safe to execute with parameters controlled by the unauthenticated user.
You probably hit the most likely explanation. Unfortunately, the bigger problem is D-Link unwilling to update it or at least send out a crisis report to news agencies to let customers know.
I did see someone hint at mandatory open sourcing for deprecated software. I think that would definitely help, because the person who finds the bug could patch it. Maybe we need to promote open source routers now?
Open source radio transmitters have a remarkably hard time getting FCC approval... Qualcomm isn't the _only_ reason Qualcomm radio chips continue to use closed-source code.
It's really annoying; the efforts to block true direct mobile-to-mobile LTE, were so coordinated, one could almost be forgiven for mistaking those efforts as good-faith "interference prevention".
Open wireless is anathema to regulation; it's been stomped on, one product launch after another, my whole life or more.
@@prophetzarquonThat’s not an accident. Lobbyists love regulatory capture. It’s all by design that OSS firmware cannot be used on RF systems. By design of the companies that have vested interest in selling us new stuff all the time.
I maintain multiple servers and my go-to rule with even throwaway shell scripts is that all input must be considered unsafe. Always encode data as data regardless of the programming language you use and all injection attacks immediately vanish everywhere.
"Fuck you, pay me" is a genius strategy when most of your customers do not have consumer protection laws
And any attempt to pass consumer protection would be lobbied (read: "bribed") away by the powerful corporations that would be impacted by it.
@afjer this is why people become cyber criminals, stupidity
No consumer protection law protects your from end of life products. In fact in Europe it's only 3 years warranty for a new product. Some pro or enterprise products get 5 or 10 years warranty but then consumer laws don't apply because the buyer acts as a company not individual.
Reminds me of a time a car dealership sent me lottery thing in the mail. Said I won a $50 gift card. Had a number to verify. Verified as valid. Walked into the car dealership and it was a "raffle" with the winning numbers already picked. Mine was not one of those numbers. Told them fuck you and that I'm never coming there again. The kind of idiot that looks at and buys a car after that is next level stupid.
Neither does the Mafia - thanks for the Goodfellas quote.
D-Link has been a security liability since the 2000's. :)
As long as you keep using EoL devices, that's on you buddy
@@BotDetector-44 what are you taking about?
@@dynad00d15 Just ignore him - he's a D-Link salesman!
@@dynad00d15 I'm assuming that was sarcasm. I'm _hoping_ that was sarcasm...
@@sootikins Right, because manufacturers update their software after 14 years from their initial release date. You guys might be some retards or a bit clueless how things work when producing hardware and software components but hey, I'm a salesman, you got me
New vulnerability found in D-Link NAS devices
D-Link : It's not my problem, it's yours
@@play-good "sorry,we sold it to you,so your problem now"
@@92sieghart D-Link, the last big company around that still respects ownership 🤣🤣
.oO( Who did buy that s. in the first place? ... ROTFL )
at least open source this sht
Kind of true, yeah
Synology could do the funniest PR thing and give your a 10% discount buying one of their products when you own one of those exploitable NASes
Synology has it's own security issues unfortunately. Their security settings page forces you to give a phone number for 2FA setup, but SMS 2FA is easily exploitable.
Synology give up 10% margin? Who are you kidding?!? 🤔
As a person that has programmed for 30+ years, that is absolutely insane. The incompetency is astounding. If D-link can't fix things like this, then don't buy D-link products, it's that simple. They clearly don't care about their customers.
But D-link is just A subsidiary of netgear, which own A good majority of home routers currently distributed.
Yes, it is truly astounding. I've done some PHP programming for myself and some friends, and did some professionally a number of years ago. One of the first things I did was write a shell command to read all PHP files and find all instances of "if X = Y", and I used that shell command during and after each programming session to ensure that I never accidentally assigned a value when I intended to query it. Checking for calls to system() would be similar (I never used system calls, so I never needed to do such checks, but it would have been simple to check for them). If I -- a single individual -- could do some simple checking and validation to prevent problems, then surely a corporation such as D-Link could have done so.
@@nullvoid3545 What? No it's not. D-Link is a subsidiary of the Taiwanese Steel Group. They have no affiliation to Netgear. Why would you post blatantly false information like that?
@@nullvoid3545 this is what happens when a company is a monopoly (or almost one).
@@nullvoid3545Netgear and D-Link are unrelated companies.
1:42 They are right about that, buy another NAS, but NOT FROM D-LINK
So a common, old-school Shell Injection vulnerability. The Bobby Tables of system("command").
For clueless - xkcd reference. Someone embedded a "Drop table" command in child's name. Deleted main database at school.
Like a day 1 training scenario lol
@xmine08 - That is "Little" Bobby Tables to you. 😂
It's hard to imagine a scenario where this is an isolated incident. At any competent organization, the first time something similar happened, the dev-sec-ops team would've forced all kinds of commit/deploy hooks checking for system calls and requiring the lead/PO to sign off that they weren't doing something stupid. This makes all D-Link hardware sketchy. They're not a new company, and they're not small, and they're not new to making routers.
Exactly how many "competent" organizations do you think exist now? Three? Four?
Before the first time, hopefully.
Took their development queues off Crowdstrike.
D-Link once made a router where the web-server ran in kernel-mode and had debug-commands
I had once a dlink router, and it was losing connection about once a day, so I had to unplug and plug it again. I decided to update the firmware, in the hope that it would be fixed. After the update, the connection was dropping every 20-30 mins. Horrible experience. I installed de-wrt (which fixed everything) and never got a dlink device ever again.
This server is running as root (or the CGI binaries are setuid) if it can add users via a web request.
As a Junior, I was terrified of making mistakes like this. As a Lead, I now realise how most of the world runs on software that people go out of their way to make utter s**t. Ask a locksmith and they'd always rather have software locks, ask a software dev and they'd always rather have physical locks. When you know, you know how bad things are lmao
Dude, the physical locks thing is so true. When I found out about lockpicking, I took a thin, flat piece of metal and just raked my apartment lock. In 30 seconds it was unlocked. Most locks are a joke. 😐
I do both (locksmith/safesmith and pentesting). None of it works XD
@@aieverythingsfinethat's a terribly unfair thing to say... lockpicks and cracks work perfectly
@@capturedflame XD
I was in disbelief about the "cut off a Bic pen & wobble it around in the keyhole" method for circular keys, so I tried it: Took me ~12 minutes the first time,
Prob a junior tech that was tasked to write the account script. This is why you need THOROUGH PR reviews and things like sonar to check for code smells like system and sprintf calls.
@speedweasel yup, a junior tech should never be blamed for something like this. If a junior dev is accidentally able to get such a bug into production, then a senior dev with bad intentions DEFINITELY would be capable of doing that as well. It's up to your pipeline engineers to make sure that CAN'T happen.
@@rikschaaf There is no such thing as code review in Chinese software development world in many places)) Nobody looks code, they just make it work, do some stuff to pass manual and automatic tests and this all. And because there was no code review for years they can't start doing it effectively because everyone is more incompetent and can't spot other people bugs just by looking code (this is separate skill which require not just technical knowledge but also able fast understand code and see whats can goes wrong) Also code review would kill they productivity and increase cost, so for them there is no reason to introduce some "bad" practices from financial perspective)
A new form of forced obsolesce? Activate all the security flaws after a specific date and refuse to patch them.
Id believe it. Like immediately after some companies want you to upgrade they say "hey there's a backdoor you should stop using the product or your product is gonna be 15% slower"
Spectre and meltdown, windows XP, apple battery health, etc are ideas that come to mind.
Microsoft refusing to patch critical vulneralibity is how Windows 7 got abandoned. The idea have been around.. _Activating them is a new level of evil_
1. Push a "security patch"
2. The patch actually contains vulnerabilities, on purpose
3. Profit
Ah yes, the μTorrent v≥3.0 approach
Forced obsolescence? They were obsolete before this disclosure. They're 14 year old devices. On top of that, one should NEVER use a consumer branded anything for anything actually sensitive or mission critical. These devices don't have redundant power or controllers. Those interfaces/ports/protocols shouldn't be exposed to the internet anyway. If you actually put one of these open to the internet, that's on you, not D-Link. If it's NOT exposed to the internet, in order to exploit it, you'd need to be on the local network already, in which case, you've already been compromised and you're fucked. This is something that should absolutely be fixed in any still supported devices, but end of life means end of life.
When does incompetence become sabotage?
When they refuse to fix it.
Oh yeah, D-Link. I'm a dev as well as an IT consultant. Got hired for a project because a company was facing issues where their entire network went down intermittently. Turned out they were using D-Link switches everywhere in their network. These switches had a vulnerability that could trigger a packet storm. There was no firmware update or fix. I replaced every single piece of network equipment that was made by D-Link with its CISCO equivalent. This was 5 years ago and their network has been working reliably ever since. D-Link is a total mess.
As someone who has worked in both residential and corporate IT for over 20 years now, I'll never go near D-Link. Garbage products made by a company that does not care. Nothing about this situation surprises me.
Holy moly, if I can get how bad it is without rewinding, it's a really stupid bug
03:25 I appreciate the heads up, but sadly, I failed to contain myself.
I'm loving the channel name exploration in every video
I like collar-shirt Ed. He said "You shouldn't have your NAS with its, like, butt, in the ether-net port, facing out into the internet..." omg. I lol too hard at the mental picture that paints.
But isn't connecting your NAS to the Internet an advertised feature? "Run your own cloud!"
Not like this. If you are going to do that then you should have security measures that can authenticate and restrict what can connect to it.
@@flarebear5346 Yes, I know. But which end user knows this. And now the vendor name is in the press again an they can start their next product.
Always remember, "The S in IoT is for security" (Need to find this T-Shirt for next week it must be somewhere. )
lmfao
You shouldn't have the nas open to the public internet, especially not your admin console. You'd want to have an authentication layer in front of any requests to the applications on your system, or better yet, only allow access to your system through a secure VPN. In the case of this bug, you wouldn't be able to send a request to (target IP)/cgi-bin... if it wasn't already open to the public internet (which again, it shouldn't be), but if it was or say you're connected to the same network, then your whole machine is wide open.
Just run everything on the local network and have wireguard to connect to it
German home router manufacturer AVM handled a security flaw in 2023 completely different. They even patched a model that had been EOL 7 years earlier.
I've never in 30 years heard of CGI "typically being a bash script or an ELF"
@@bparker06 well it was. Even PHP worked/works like that.
In your defence, I've seen more Perl scripts as CGI than bash ones :-)
That is probably the case for these sorts of "UI glue for small devices"
C, Bash, and Perl are the typical ones.
I used to have a shell script to redial the internet set up as a CGI. Anyone on the LAN could reconnect the internet as needed that way. We paid per call back then for local calls, so doing it this way made it convenient, but saved calls at night when no one was using it. There was a 4 hour session limit on our ISP.
I'm honestly astounded at how easy your videos are to understand and follow. My only background in coding was one course that used Python in uni, and a little introductory C++ in high school, but I'm mostly able to keep up with what you're putting down.
Good vids, is what I mean to say
Don't blame interns.
Don't recall who said it, but "if an intern can break production, you as a company have failed."
Security goes against D-Link's core values. They have a reputation to uphold.
it's pretty simple why this happens: Developer thought that you can only reach this, when you are an authenticated good guy
D-link? You mean the company unable to understand how email works? Whatever they did, I'm not surprised.
they are like hp lol
Bad code is always dangerous, but dangerous code is not always an accident.
I love watching these kinds of videos, it helps me see deeper into how the devices really work.... and that stupidity really knows no bounds....
I had to pause at 2:11, scream a little, grab a coffee, calm down and resume 5-10min later. ... turns out I was not done screaming. HOW DID THAT GET WORSE
8:36 that's what I call a well organized home dir!
Lol!
i like the todo dir
probably more exploits explained right there for one to just try
You make a great point at the start that EOL is decided by manufacturer itself. When you put it that way, it should be legally mandated to support for 20 years
Dlink basically "F U pay me *again*!" surely inspires customer confidence in their products.
Thanks D-Link for your statement on EoL products so we can avoid buying any of your products in the future! Nice one!
Some companies one should just never deal with.
This is literally the opposite of the kind of support we have been used to from companies like IBM for example.
I have abandoned using any D-LINK devices decades ago (around 2005-6) for exactly these kind of practices (and bugs). It's almost unbelievable they are still doing these things after all these years and are still part of the market ...
First mistake they made was buying a D-link. If I see d-link device on customer’s network it has immediately to go out.
Dumb switches are one thing. No one should be using D-Link for anything more than that. There's plenty of much better stuff available in the NAS or higher end consumer networking market for not much more money. I'd rather get a TP-Link setup and a Synology or QNAP NAS, but if you just need a 8 or 16 port gigabit switch? Buy whatever is cheapest because it'll work fine.
I was particularly impressed by your mastery to size up the thing and communicate in relevant-human-readable. Coding is a dark art already (which is a compliment).
when i saw it calling sprintf and system my jaw hit the floor. i then exclaimed "excuse me?!"
Using "safe_system" to just call "system" anyway is awesome.
It's like storing the key of the storage that holds your valuables in a bank vault for safety, but the storage with the actual valuables inside is just a cardboard box with a padlock.
Wow thanks. Never buying D-Link (or their parent Netgear), ever. This passed code review?!
You think they did code reviews? Dlink in 2012 probably didn't even use a code repository, let alone agile development.
12:23
"How is nobody held accountable?" Because it's a free market. Businesses are allowed to 'do what they want,' and this is what they do.
I've seen more than once maintainers of very active, open source, self-hosted applications saying "our average user does not need enterprise level security features" when they refuse to implement things like mTLS support in their mobile client. Or sometimes they tell you to use treafik as your reverse proxy when you expose the service to wan, while traefik requires the docker socket in a container that is supposed to be facing internet. Absolutely unforgivable.
That's pretty standard for a vendor to not cover a patch no matter the severity for end of life devices. If you have a Naz that is 10 plus years old, the hardware itself went end of Life 3 years ago and the vendor puts wine in the sand after so many years that they can no longer allocate resources to still patch and create firmware for devices that are so old and probably only have a very small percentage of users still using it. I would be interested in seeing if D-Link has the ability to see how many users are using their NAS with a phone home feature or something like that so they can say that this vulnerability only happens in 5% of users utilizing their equipment and most of the other product has been retired thrown away or trash to recycled.
Very rarely will accompany actually create a patch for a end of life device. And it usually comes down to the amount of users still using that device and how bad the vulnerability is. Very few times have I actually seen a vendor cover and patch of vulnerability that is end of life The last big one that I remember seeing was Microsoft and Intel and AMD whenever specter and meltdown were announced and since it affected every CPU created in the last 20 years It made sense for them to create code updates in microcode updates and even OS updates to help patch these issues even friend of life hardware and software.
I absolutely lost it when you described an open port facing WAN as the NAS's butt exposed to the internet
Queue penetration joke?
Gives code injection a whole new context innit
I've known people with this train of thought. Where once you do the safe thing everything afterwards is magically safe.
As a Gen-Zer even if I hated the collared shirt, that fire jacket makes up for it.
you're one of the most competent coders im watching on youtube if not THe best. Good job breaking this down for all the up and coming wizards
According to Wikipedia: "In 2022, D-Link obtained the TRUSTe Privacy seal, certification of ISO/IEC 27001:2013 and BS 10012."
Certifications truly mean nothing!
This device is way older than 2022 so I'm not sure what your point is.
Well I mean the certification is called "BS xxxxxx" for a reason 😃
In the end all internet connected devices will end up being public domain computers.
This would be incredibly easy for them to patch this. It’s a one line fix. They just don’t want to do it.
This channel is soooo good
You are saving the future of the internet my friend, thanks
I will never again in my life buy D-Link equipment and will encourage all of my clients to do the same.
Anyone who doesn’t take security seriously has no business being a vendor. Samsung and SONOS I’m looking at you.
It's Little Johnny ;DROP TABLES; but it's your NAS 😂
this video literally had "no views" as he said "this video is gonna get no views"
I’m glad we have people like you who dig into and white hat this stuff. What the hell…never going with D-Link. They should be held responsible for patching this *regardless* of EOL. I mean, arcane hacks are one this, but this vulnerability is blatant and moronic - they should have to provide a fix for this…not force people to buy a new router.
I've heard of people getting dismissed for lesser bugs. this is SUCH a rookie mistake.
TY for the content
i'm an swe student and i still don't see myself a good coder programmer I don't understand a lot of concepts and I wasn't passionate about computers in general before entering college. i only know the theoretical concepts but these videos are really making me love the field and wanting to learn more and make me curious more and more!
is nobody going to talk about how those sprintfs probably are a buffer overflow vulnerability as well
He did mention that in the video too but the low hanging fruit is the system call. I mean both need to be fixed and are right next to each other. Not sure how people are going to do that though, if at all.
@@steveftoth by buying a new device - D-Link
Please place your checkmark and then try again.
[ ] I watched the whole video
No one cares. Probably there are s lot more spots to cover in the firmware. Why would you want a buffer overflow if you have system calls at your hand
As primarily a sysadmin with basic programming knowledge, I really appreciate the way you explained the code. Nice and easy to follow and your enthusiasm is very engaging.
Like your attitude here! :) Also the colors are so fresh ;)
Love this guy immediately when he explain all the detail for beginner in such a short time
IMO this is not a bug but a design flaw.
I can't say it's intended but definitely never thought of it in security perspective(or just abandoned the security scope).
This is not "fixable", this just shouldn't exist in the first place.
If you say something EOL so no more security update, OK.
But if you put something known with flaw(at least we all known), that's not security update. It's just a garbage be advertised as something useful. It should be RECALL.
Can Tesla say their car has a known risk to explode if you press certain button before EOL but now it's EOL so they won't fix? Elon Musk will be put in jail if so.
In the early 2000s I used to have a D-Link DSL-504 ADSL router. If you enabled SNMP to e.g. graph traffic statistics, you could walk the device and retrieve the username and password of the attached broadband service, in plain text.
Am I really surprised that D-Link equipment still has such egregious errors? They've been at it since the early 2000s. Old habits die hard I guess.
And no mention was made anywhere about requiring authentication to access the CGI... So even if you could not run arbitrary commands, you could likely still create accounts.
could not stop laughing at 11 minutes, was not expecting this, looks like a mistake I would make, mind you I am very very bad at coding.
Thanks for the video, almost as comical as self reflection, but without all the pain that comes alongside it.
oh you mean that 'computing appliances' aren't like toasters, and are really just computers that need constant updates forever? but I bough this 'appliance' because it is cute and single purpose like a toaster that needs no updates ever
Imagine a millennial judging gen zs fashion sense, pot meet kettle
D-LINK. As in the grade.
"Gen Z hates collars."
I mean.. Depends on what kind.
0:04 > This video is gonna get no views because I'm wearing a colored shirt and apparently, like, Gen Z hates colors.
What?
Collared
@@Chris-on5bt Yeah but still, the question remains: What? :D
As a 71 y. o. Techie - Much respect for good programmers. It's really is rocket science!
D-Link has a history of doing this. When I was in university, I found a couple of significant bugs in DIR-601 routers that could lead to RCE in many cases. The first bug was a command injection in the router's diagnostics page that let me inject arbitrary shell commands. This page normally requires that the user be authenticated as an administrator to access it. Unfortunately, that authentication was flawed and due to an API endpoint in the router not being properly authenticated, it was possible for a user authenticated as a regular user to generate and download a configuration backup. The administrator password was stored as plain text in this backup. I can imagine most people would not change the default user password, since it isn't privileged.
I attempted to report this, but every email I sent bounced with an inbox full error. No idea if it was ever patched.
This is why the best "NAS" is just your last used computer with FreeBSD and ZFS.
if your worried about not getting views put on a choker it'll work, trust me
🤨📸
@@drgabi18 its a proven fact, thats why so many streamers wear them and why so many vtubers have them on their models
@@corvusnocturne Kai Saikota and Fauna are the only vtubers I know that have one, except them, I have never seen anyone with one
Eric Parker has kitty headphones, so Low Level could learn from him
Stop it.
Get some help
I was so invested in the investigation process from the half of the video that I had to put it in fullscreen.
02:35 where base64?
There is, but you've become so good at reading it in your head that you can't tell anymore 😂😂😂
Go test if it works with assembly as well 😊😂
@@showmeyourcritz321where anything related to base64 happens?
Mc0Ca
@@jyothishkumar3098"McOCa" is 5 characters
base64 encoding length is divisible by 4
5 is not divisible by 4
It’s not base64 encoded, it’s url encoded. He was just wrong.
You say its the interns fault. But 9/10 it's the exhausted full time dev who tried to take a short cut to save time.
That was fun... 😂 I know you know, but I'll pointing out that at 2:34 it is just URL-encoding of plain ASCII, no Base64, so %27 is a single quotation mark and %20 is a space. I would expect the exploit to be a little bit different in the quotation style, by looking at 11:13... is it done on purpose to fool the skids? 🤔Am I blind? 😆Or maybe there was some string replacement along the way...? The stuff is pretty basic nonetheless, LOL 😁
Place holder for uname n pass
It's D-Link. Whenever I see their equipment hanging on walls I'm thinking let's have a poke around in there.
At thjs point we need to make cyber security flaws illegal. Theres not really another way to force these companies to actually be responsible
The EU kinda did, atleast they force a minimum ammount of years of updates for things like vulnerabilities now.
@@someonespotatohmm9513 yeah we did... on smartphones as long as they are guarantee cases. so 2 years more or less. the d-link stuff mentioned here is EoL since 2017. not really fair to blame somebody to not have updated their old ass fk. anybody here mad at Microsoft for not patching Vista anymore? no? exactly the same thing.
Always learn a lot from you with this stuff. You explain it so well! Keep it up
This is the rare occasion I'm actually sort of on D-Links side. They're not even in the NAS business any more. I'm sure there are lots of 0-days lurking in the mountains of EOL hardware & software out there. At some point using old stuff becomes "use at your own risk"
I don't like D-Link, at all, but I completely agree. For all we know, their engineers discovered this among other things, and that's WHY they killed the product. Corpo's would never call an end of life without immense pressure from the engineers, not while there's still any free milk left to squeeze.
It's not an excuse to not inform the public if the info was made known and not allowing for the community to fix the bug on their own.
If anything, they should write that on the product box with the warranty. If the product is out of warranty, you are at risk of your devices being hacked and the company will not make any further patches to protect you. This is not apparent to any consumer, because we don't know the End Of Life ahead of time and no public announcements are made.
Maybe this more of a legislative issue regarding packaging, like food expiration dates.
Dude Its my first time watching your video and this video just forced me to subscribe to you, just from a single video I got to learn hell a lot. Thanks Man!!
Aaaaaand that is another final nail in the coffin for D-link anything now. I mean, on top of the surprise d-link is even a thing anymore still.... But yeah, that kind of reply, without say....releasing some source so the community can support the products they refuse to....has done exactly what they want but not how they want it. Yeah, Ill replace EVERY d-link device with NOT d-link now. Good job on the PR front d-link....morons....
Stop it ... stop it!
Take the hardware and install your own firmware.
Or ... are you some kind of child? Not?!:)
OpenWRT
D-Link coffins are made of quarter inch balsa wood and three inches of coffin nails.
D-Link has had these problems forever. The same thing was going on 10 years ago. Oh wait, it’s the same bloody devices!!
> Gen-Z hates collars
Not true, I have multiple collars! One even has my name :3
Assembly was my favorite CS class. It's so satisfying having specific memory adresses.
We need software engineers who, like other professional engineers, can be held personally legally liable for their work.
The software industry is much too lax with the rigor of their code.
You have to have legal technical standards to have individual liabilities. No such thing in software (and good luck), so who sells the product, the company, takes liability.
Your device ... your possession
I really don't get it that adult man and woman are not able to install ...
effing OpenWRT !
Have I uttered a secret? ROTFL
Wow. And what would that liability be? Perfect code? And for how long? Forever? Why is it not enough to have companies liable?
Software is more complex than anything else and also not a very relaxed industry for most people.