Why you should Close Your Files | bin 0x02
ฝัง
- เผยแพร่เมื่อ 1 ต.ค. 2024
- #BinaryExploitation #FileDescriptor #Attack
In this video, we're gonna look at how one can abuse file descriptors in some cases to get access to "sensitive" documents.
🔗 Code + Build Instructions: old.hackercamp...
🔗 Original Blog: www.sektionein...
💬 Discord: / discord
🐤 Twitter: / pwnfunction
🎵 Track: Warriyo - Mortals (feat. Laura Brehm)
NCS link: • Warriyo - Mortals (fea...
Bois I've got covid, I'll be back soon.
cool
RIP
the fact you commented 13 minutes ago is insane, ive gotten this in my recommended like every refresh for like the past week and just now decided to watch it
F
rip
"Why you should close your files." "Network sockets are a file"
Okay, closed them. How do I connect to the internet again now?
linux be like: "everything is a file"
--> sudo shutdown now -h
@@julians.2597 Wait if everythings a file am I a file?
This is like OOP, everything is an object
@@Rudxain Imagine programming with FOP
@@Handlessuck1 That would be an interesting concept. Like accessing file metadata using computed property access. Setting permissions using object descriptors (file descriptors). Classes would be programs specifically designed to create a certain kind of file, so VIM is a class whose constructor returns a new plaintext file object.
The only problem is that *EVERY* file is allowed to have own function properties, which means they can come bundled with method scripts that aren't inherited from the prototype, possibly allowing arbitrary code execution lol
0:27 “guys I gotta close my keyboard hold on”
Unplug it after using XD
@@jhonreydaffon8156 just cut the wire
Hold on... Lets close my network socket as well. 0:28
I want youtube to start recommending this type of videos more! sadly I can't help but watch cat videos every now and then...
Go to the 3 dot menu against those videos and select 'Not Interested'.
I know it'll be hard but you gotta do it😥
This whole channel is so good, I'm glad i stumbled upon this gem of the internet today!
same!
Same
well, I did today!1
That's why we use 'with open...' so it get closed when the code is finished.
python
that's why they made 'with' keyword so we don't fck up, another amazing thing is defer in golang.
That's all fine and good in python, but there's no such thing in C, and all the "real" code that does actual work is written mostly in C
@@gorak9000 you’re watching this on TH-cam, on a website written in html, with effects written in JavaScript, with a backend of C++. Take your elitism elsewhere
@@techheck3358 Uh, I'm not sure where you got this sense of "elitism" from, but thank you for re-enforcing my point that not all software is written in Python, so saying "use 'with' in Python" is not a solution to this issue. I'm just trying to quell the "python fanbois" that no, there actually do exist other languages out there that don't have "auto" file closing. So many "coders" these days think they can string 5 lines of python together, so now they're "software developers". I interviewed 5 or 6 such people in the last couple of weeks. I don't know wtf they are teaching in CS these days, but it's either not getting through to people, or CS education has really taken a nosedive in the last 5 or 6 years. You ask these "software developers" basic data structures questions, or complexity (big oh) questions, and they look at you with a blank stare like you're talking a foreign language.
Bruh, YT recommended this video to me today, I saw the channel name, I saw the video title, and I immediately subscribed
Windows solves all of your issues by remembering you that if you don't close the file handler you won't be able to use the file >:D
lmao
lmao
You can still read from a file handler on Windows even if it's open as write or read in another program. You just can't write to it if it's open as write in another program.
@@PyPylia Whether you can depends on how the file has been opened. You can open a file for read and still block everyone else from accessing it.
@@Aidiakapi Which is what PowerPoint does. So annoying
with sincere admiration, between the art style and the narrator’s voice I fully expected him to end with “now, fire ze missiles!”
But I am le tired
so old school before even TH-cam was out and flash cartoons were all the rave!
@@kevinalexander4959 hell yeah, just like burnt face man
A File Descriptor is NOT a file handle. It has NEVER been a file handle. It is a collection of information about a file, that may or may not be opaque depending of the os/function used to obtain one. A handle may be a component of a descriptor. On Windows for instance, a HANDLE is opaque, I think it's a typedef to a void*, but it's actually also a collection of information, but it's STILL NOT file descriptor.
i love you
Thanks, Rust, for closing files on drop (standard: when the variable goes out of scope), as do many others. Sometimes I think RAII is kinda the wrong term, as closing/deallocating/whatever on dropping your value seem equally if not more important in practice.
RAII has always been the wrong term, but it caught on. And I guess C(lose)O(n)D(estruction) would remind too much Call of Duty
Yup, let's all have the compiler do stuff for us because it's too complex to do it ourselves!! It's what makes the difference between a good coder who is aware of such things and people who need a runtime to remember all the things they forget because resource management is too complex for them. You might as well just advocate for gameSpaceInvaders.create(); gameSpaceInvaders.run() and have the compiler generate the entire thing for you. Coding and coding well is a skill, but NOT today, it's, let the runtime handle that, import some else's library, job done.
@@thewelder3538 It's a matter of efficiency. Why have people write the same code hundreds or thousands of times? Consumers (because that is who needs to pay for software at the end, even internal software) don't want to pay for developers writing boilerplate code over and over. You want working code the smallest possible amount of effort. Of course, it needs to be fast and safe as well, but nobody has time and money for developers to mess around and try to perfect every little thing.
It's generally not that people couldn't do it, but simply that they don't want to.
@@jort93z I'm not sure if you're actually arguing what you think you are. It's simple, if a class opens a file handle, it should close it. It has nothing to do with efficiency. Your arguing that the runtime should close the file handles that YOU forgot to close. This is like the ultimate lazy coders paradigm, where you rely on the runtime and compiler to fix all your bad code for you. Sure, there are always deadlines and stuff, but releasing a badly bugged product affects reputation WAY more than a release delay. The problem with many coders nowadays, is they have literally NO idea what is going on under the hood of the languages they are writing in. I think they should all do a stint writing x86 or ARM assembly because then you HAVE to take care and do things properly. None of this... whoopsie, I accidently left a file handle open, not to worry, the runtime will sort that for me, mentality. You do things right, or you resource leak and your program dies. Then, once you've got that level of understanding, apply it to a higher level and then you'll realise just how much nonsense it is letting a runtime close a file handle, just because it can. This applies to more than just file handles though, it applies to any resource. The same as a GOOD coder has no concept of a string, it's just a list of bytes. Dynamic containers, like vector/map/set etc, most have no idea what's actually going on. But work in assembly for a bit and then you realise how much pain and suffering these dynamic containers save you from.
@@thewelder3538 "This is like the ultimate lazy coders paradigm, where you rely on the runtime and compiler to fix all your bad code for you"
Well, or you look at it another way, you rely on the compiler/runtime, so you need to write less code for the same thing. Just because your code is less verbose, doesn't make it worse. If you know you can rely on the compiler/runtime, there is no need to write it out explicitly.
Your problem is you seem to think that people just forget to close it. It isn't that people forget, but simply that people don't want to.
Being stupid, and being lazy, are very different things. Generally, smart and lazy people are the best programmers.
Devices are a file in the /dev/ directory, so on and so forth.
on recommended today, immediately subbed. Is there a way to scan for open handles with elevated privileges, that are 'not supposed to be there'?
This video is literally the most informative piece of media about this topic in the entire platform. Instantly subscribed to the channel. Great stuff.
I appreciate you and your work so much. As someone with a learning disability, my learning curves are fucked to shit. Sometimes I'll go a month feeling like no progress had been made, then all in one jump every subject and related ones click. Watching your videos, speed this learning process up for me immensely, and I'm so grateful. I hope your Covid-19 is gone by now. We need you ❤️
I need some clarification about the Apple bug - isn't the ability for a regular user to overwrite a root owned file with logs a huge issue already, even if you didn't have control of the contents?
Havent finished vid but at 1:22 the screen looks cool with the asian code running in background like the Matrix. NICE !
Don't think you explained why the redirect is dependent on not closing the file. No way anything can just read from an opened file just because it's opened. So why then can we read despite it not being opened by or even by the shell?
thanks liveoverflow for introducing me to this channel
love the lack of accent in ur voice
Stuff like this is why I'm never going to make my own operating system
In python i always use:
With open ("file.txt", "a") as f:
If you do it like this the file closes when you're done.
i just started watching this series today
wasn't expecting 3rd ep so soon
btw
Nice PFP bro
@@callumery119 commendable to you too, lol
someone who notices :)
U did it worng it's btw >& this 😂😂
What about the time the process use the file? I mean it do close it but it takes time - users can still read the content during that time or am i missing something?
Epic channel btw
0:39 "Everything is not a file" is wrong and means that everything is something but a file. That would mean that file do not exist.
The correct way would be: "Not everything is a file".
so when you leave a file open, the root permission of that system can be accessed by another program having access to the running program?
I think he's saying the process that opened it while elevated can continue to access it after changing to plain user. Perhaps some system API in OSX did this while starting a new process and didn't close the file, which would give the new process (now running as a user) access to the file.
@@Christobanistan correct. The vulnerability was in dyld, macOS's dynamic linker (a program that adds the code for libraries your program uses to the code for your program). BTW, the equivalent on Linux is usually ld-linux
@@laurinneff4304 Dang.
This is very important and not clearly state in the video. The video can suggest that every file open by a running programm can be accessed
Java actually has some edge cases that keeping a file open helps in, like, for example, temporarily adding a certificate to the certificate store without having permissions to actually write to it, because your CA is relatively recent and has compatibility issues with Java (talking about Let's Encrypt here lol)
this works because Java keeps a copy of the file in memory until you close it that it writes any changes to, before dumping them into the file when you close it. but if that never happens, the file will stay resident in memory, and Java being Java will reuse that copy in memory rather than reloading it into memory when something else in the same vm tries to access that same file, that file being the Java certificate store in this case
I thought buffered IO was a thing in most programming languages?
Heyo, could you share your terminal colorscheme? I've been looking for a contrasty/vibrant colorscheme for quite some time and yours looks absolutely amazing.
It's hard to not subscribe, it's like another LiveOverflow channel.
bro uploaded this content for absolutely free. you are a legend
So you did a fork/exec of a Bourne shell subprocess from a suid program. As soon as you do that you should have a comment # There Be Dragons Here. All code designed to do that needs extra special care, and KISS (no subprocess, no interpreters included, no linking iffy libs). I suggest liberal use of close-on-exec on any files opened up to the point the root euid is dropped. In Python using "with" opened files syntax is also a good safety measure. I think you're being a little click-batey as this will not apply to the vast majority of programs - only suid programs (and sgid ones, but group permission isn't used so often allow critical access); not many people will be running "chmod u+s" or the like of "chmod 4755 " on their programs. Never do this on your bourne shell scripts, and if you do it to your Perl scripts, find out about "taint mode".
Not mentioning close on exec, the specific mitigation for the demonstrated issue, is a serious oversight.
Got worried that your last pinned message was 2 weeks ago saying you got COVID. Had to sort the comments by date to see if you made other replies since then. Saw one from last week and then one from today. Glad you're still with us. I hope you're feeling better.
I'm good now, writing script for the next video :)
Are you from india? And this is just a voice over?
I like the font... What font is it?
Comic Sans
Dank Mono
@@barjo_ Thanks :D
What are the fonts you use? Quite aesthetic!
Wait. What if a program crashes? Do its files close then?
Kernel would take care of freeing the resources the process consumed, so things like file descriptors will be removed.
"Some things are homework"
I think you misunderstood the homework folder
Much awaited ❤ i hope this playlist grows n grows 😍
lmao i keep text files open 24/7
Always set FD_CLOEXEC on descriptors which you don't want to pass to a new process image.
music is 1337
Cool video, but wait a minute, is it means that I able to get access to every file which opened for long read/write operations or opened inside an infinite loop?
Really good videos! It definitively makes me a better developer.
I also like your video style with the hand drawn aestetics. What do you use to record your drawing? Just curious 😇
ok so I've created this text file with vim
now how do I close it
ok esc
then :
and wq
and enter
what why does it ask me to add an !
wait why am I in insert mode again
why did I delete everything
ok no this isn't working
copy everything
:!/bin/sh
tee and ctrl-v
enter
done
now just turn off the system
glad to see my pentest skill come to use
Does this attack also work on non-unix systems?
I am also wondering that.
Amazing video...but how do you achieve that live writing kinda effect?
I was trying to figure it out and was about to conclude that it was not possible on a large scale and then I came past your video. So...what's your secret?
You could just record in paint/Paint.NET and edit the cursor out in post
@Ellie How would you edit the cursor out?
Any language without really easy-to-use RAII should be reconsidered, in my opinion
You were pronouncing etc like Etsy and I was SO CONFUSED. It's et cetera. 😭
excellent video, thanks! btw, how do I setup my linux cli the same style as yours? (:
Tldr anyone?
Great video, maybe boost the volume a bit in your next video.
This channel is amazing. I just love the graphics and how you explain those things. Wish you'd do more videos about linux filesystem, and low level stuff.
Definition of file - named region of memory. If it has name, and some memory associated, then it is file. Note that, there is no requirements for memory in this definition, neither nor requirements for name. As long as it refers to at least bit of any kind of memory, and it is somehow named (and that includes index-names), object is technically file! Even if object is possess properties that can classify it more precisely, it still considered file.
This is basics, undisputed basics! And if video starts with demonstration of ignorance of basics, it ends for me at that point.
use the with statement to ensure files close automatically
[code]
with open ("filepath") as file:
process(file)
[more code]
like so, as soon as execution leaves the "with" block your files will be always closed, even during exceptions.
so... what if someone made a program to just constantly attempt the vulnerability, and try to catch the small window a file is open........
EDIT: Turns out I was wrong, cat is not a shell builtin
5:07 it doesn't work, but not because it's "an external program" (cat is a shell builtin). It's because by using the symlink in /proc/.../fd/ you're trying to open a _new_ descriptor for the symlink, different from the first one opened as root for the actual file.
Using the redirection syntax works because then you're reading from the _existing_ descriptor and not opening a new one.
EDIT: After listening to that bit again I realize you pretty much tried to say the same thing. I think the wording confused me for some reason. Anyway, great video!
I should've said it better. Noted, thanks.
Which shell has cat as a builtin? No shell I tested (bash, sh, dash, zsh) has has it, it's just a regular executable at /bin/cat (in my testing).
@@Gramini Wow you're totally right. I assumed it was a shell builtin because it was such a simple program. I'm sorry, I should have looked into it before spreading misinformation
@@seerlite5256Most implementations of cat are not simple programs as they have flags to symbolically print out non printable characters. The theoretical POSIX cat only requires copying from 1 or more files and/or stdin to standard out.
You might be thinking of the echo command which is built into many shells and is relatively simple.
Pls stop this... We're becoming truly schizophrenic
Wont this also cause an memory leak?
In effect yes. File descriptors are a limited resource both per process and system.
Java actually has some edge cases that keeping a file open helps in, like, for example, temporarily adding a certificate to the certificate store without having permissions to actually write to it, because your CA is relatively recent and has compatibility issues with Java (talking about Let's Encrypt here lol)
this works because Java keeps a copy of the file in memory until you close it that it writes any changes to, before dumping them into the file when you close it. but if that never happens, the file will stay resident in memory, and Java being Java will reuse that copy in memory rather than reloading it into memory when something else in the same vm tries to access that same file, that file being the Java certificate store in this case
I've usually got like three different text files open in the background, felt attacked when I read the title.
It seams to me that not closing the file is not the real issue here but the fact you can read another processes files using
I love it that people call C a bad programming language then go on to write code like this without thoroughly checking.
the explaination is so short and not clear, suddenly you talk about blackhole then you say
Why þ instead of p, it is to annoy us and make us read e.g. oþen as othen?
At least you don't use ſ instead of f, or as I've seen elsewhere f instead of ſ.
i finished this video subscribed to the channel went to check more from your channel then realised that i have watched all your videos already now i feel what crack addicts feel :(
in windows universe, we call them HANDLEs
So after this long time....this channel get recomend in everyone's homepage....I wish, I got this channel before
It doesn't work for me so maybe its already been patched. It didn't even create a file descriptor lol
"Oops my computer crashed BECAUSE I CLOSED IT IDIOT is a valid argument to this" is a valid argument to this
It isn't even a coherent sentence, let alone an argument.
Indeed, a garbage collector will collect abandoned data, but not closed files.... never.
cant wait for the Nvidia RTX Files 4070
Your visualisations are on point! Everything feels smooth. Thank you!
That is not the case when you try doing it yourself!
I am trying just right now and file 3 is not left behind, I think that is a patch of the ubuntu that made this for now but I may return to edit this comm if I figure out what is the wrong
Why do you delete your hack electron apps video??
I've made the video private. Because electron.js has transformed soo much after that video, none of those things apply anymore. So I'd like to redo a video with better research that meet today's reality with the framework.
@@PwnFunction Cool. looking forward to it
This is a hella cool video
Does Windows exibit similar behavior or is this a Linux specific issue?
First the generic Nihon trap and at the end a Trapwolf classic...
what happends when certan programm using file and yet to close that file
this just blow my mind. How a simple mistake can open a backdoor to any system it ran on.
I love how wannabe hackers always find local exploits. Like you already need ssh access, and warn about dumb things like leaving file descriptors open. By that logic, someone could simply have something on a tight loop and they'll get root at some point, even if your program closes the descriptor. Here's a tip, don't let random people from the internet have ssh access to your machine.
Yo, why are you spelling open as othen with that thorn instead of a P, shaking my head.
That intro was really slick. Where and how did you make this?
you are using which font for vscode and terminal ?
🎵 Close Your Files and i'll kiss you, tomorrow i miss you...
Wow, so when exec you have to clean up all of your state. Is there another form of exec that causes your program to completely close first?
There's a close on exec flag (CLOEXEC) you can set using open() or fcntl() to avoid this issue.
Another common bug is leaving the last written data in buffers due to not flushing or closing files, leading to corruption if the program doesn't finish cleanly.
can you please share you vimrc file, thank you
Hacking the government is technically ethical, right?
Sounds like file descriptors aren't so descriptive after all
hi. font name pls
Dank Mono
Where is a machine to exploit this vulnerability?
Oh, that was good, I didn't knew that... THX!
can you show how did you setup your env ? theme and other software. cheers
Respect for mahboiz who use with or using.
@filedescriptor a huge fan of him, since long time.
Still waiting for you to share your dotfiles.
Excellent explanation! 🔥 also, your terminal theme is sick! what theme is it?
If you open it, close it.
If you instantiate it, destroy it.
If you dont care about performance, accuracy or maintainability you choose the language C, otherwise C++ and you let the deconstructor handle stuff like this 🤣
that's lots of things to not care about. no?
This channel is actually amazing. I love it!
Nice video! What does the & do in cat
'< 3' would read from file named '3'.
'
@@PwnFunction right makes sense
Holy audio-levels. This is like 18 dB too quiet.