this is a warning to anyone using php
- Published on 22 May 2024
- An 8/10 vulnerability has been found in glibc, that could lead to the compromise of PHP around the world. Check it out in this video.
nvd.nist.gov/vuln/detail/CVE-...
learn to code in C correctly so this stops happening lowlevel.academy there's a sale 😥
1:25 “may overflow the output buffer”
Everybody drink!
"...that basically lives on every Linux distribution" and another!
*whiny voice* You guys... drinking this much is how these C programming bugs happen...
@jim0_o vicious circle eh?
php = personal heap overflow program
@monad_tcp more like phop :P
Is it me, YouTube's algorithm, or have there been quite a few big vulnerabilities lately? Don't get me wrong, it's good we're catching them, but they're a good reason for good update/patch management.
Bro the NSA is getting all of their exploits leaked 💀
proot
yes, the NSA and their international ally. In the case of xz, they tried to blame the Chinese.
@eng3d Mossad, aka 'is real'
Proot
They ain't using php anymore, they switched to Asp
sending chills down my spine with "SET THE CHARSET TO RCE" 💀🔥🔥
It sounds like some Star Trek technobabble that some writer came up with
What is charset and what is RCE?
@TheJackal917 Charset: character set, think ASCII or UTF-8
RCE: Remote code execution, where an attacker can execute arbitrary code on a system
@jameslando1 thanks.
that phrase rolls like an epic dis from a nerd rap track
UTF-8 and UTF-16 are NOT just the english character sets. They're literally all character sets, cause it's you know...unicode. English characters would be ASCII which UTF-8 is backwards compatible with.
Came here to say the same thing.
As a php dev, this does not surprise me at all. *Continues to code in php 5.6*
Man, I wish I could upgrade all my clients to 5.6.
@Betacak3 feels good to be the admin too. I switched all that stuff to 7 and then 8 years ago lol
*lol* To be fair: update politics have changed to the better with webspace providers / managed servers. In fact we're making a lot of money atm migrating systems to PHP 8.2/8.3 because many providers are charging extra money for "legacy" 7.4 support.
Rip 😂😂
@prima_ballerina my current projects: upgrade two websites from php 5.6 to 8.3. Easiest money for my boss in the world
Wow, another vulnerability
Someone left the nsa lately? 🤔
Availability bias, YouTubers saw that the XZ vulnerability (yes an actual crucial and scary one) did well among viewers, so now every vulnerability under the sun is being posted about. I would bet on it being a trend in posting, rather than a trend in actual vulnerabilities. Just something I see, I could easily be wrong
@-Ld could also relate to more people being sceptical of the software they use and thus looking for vulnerabilities
@plaintext7288 the most insane vulnerability I've ever seen in my life (look up operation triangulation) came shortly before (what I consider) this recent trend, and it was not well known. The best documentation was by the firm who found it themselves, which had around 1k views. Basically the attacker could send a text to someone (unopened), and instantly get kernel access to their iPhone, so if you have an iPhone, you were 100% compromised unless iMessages were disabled. If this happened a week ago, I would speculate that it would be more well known
@-Ld I don't know why vulnerabilities wouldn't always be posted because a lot of people want to be hackers and the well-paying cybersecurity field is continuing to grow massively.
There could be an uptick in vulnerabilities because people were inspired to look for more of them. The collective power of humanity is wild.
"Update glibc" could use some clarification. If a distribution has an official update available (and many distros will incorporate the patch into their supported versions), then by all means, but be prepared for serious complications when installing a version of glibc your distribution doesn't support.
Hopefully people already know their systems well enough to know how to install updates, but yes, realistically in most cases it'll be a backported fix to whatever glibc version you already had.
If all the dependent packages are not ready for an updated glib and it’s not listed by your package manager when you check for updates AND you force an update on glib, couldn’t that essentially break your distro?
This title is so misleading. The vulnerability is not in PHP and it can only be exploited if you use user supplied inputs when calling the iconv-function and not filtering on allowed values for the conversion.
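The filtering this comment describes, sketched as an added example (not code from the video, PHP or glibc): a wrapper that checks both charset names against an allow-list before they reach `iconv_open()`. The allow-list contents and the names `charset_allowed`, `checked_iconv_open` and `convert_checked` are assumptions made for illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <iconv.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed allow-list: the only encodings this hypothetical application
 * needs. Anything else is refused before the C library parses the name. */
static const char *const ALLOWED_CHARSETS[] = {
    "UTF-8", "WINDOWS-1252", "ISO-8859-1",
};

/* ASCII case-insensitive equality over the whole string. */
static int ascii_ieq(const char *a, const char *b)
{
    while (*a && *b) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
        a++;
        b++;
    }
    return *a == '\0' && *b == '\0';
}

/* Returns 1 if name is exactly one allow-listed charset, else 0.
 * Exact matching also rejects suffixed forms such as "UTF-8//TRANSLIT". */
int charset_allowed(const char *name)
{
    size_t n = sizeof ALLOWED_CHARSETS / sizeof ALLOWED_CHARSETS[0];
    if (name == NULL)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (ascii_ieq(name, ALLOWED_CHARSETS[i]))
            return 1;
    return 0;
}

/* Same contract as iconv_open(), but fails with EINVAL for unlisted names. */
iconv_t checked_iconv_open(const char *to, const char *from)
{
    if (!charset_allowed(to) || !charset_allowed(from)) {
        errno = EINVAL;
        return (iconv_t)-1;
    }
    return iconv_open(to, from);
}

/* Converts inlen bytes of in; returns bytes written to out, or -1. */
long convert_checked(const char *to, const char *from,
                     const char *in, size_t inlen,
                     char *out, size_t outcap)
{
    iconv_t cd = checked_iconv_open(to, from);
    if (cd == (iconv_t)-1)
        return -1;

    char *inp = (char *)in;   /* iconv() takes char ** but only reads the input */
    char *outp = out;
    size_t inleft = inlen, outleft = outcap;
    size_t rc = iconv(cd, &inp, &inleft, &outp, &outleft);
    iconv_close(cd);
    if (rc == (size_t)-1)
        return -1;            /* invalid input, or out too small (E2BIG) */
    return (long)(outcap - outleft);
}

int main(void)
{
    char out[64];
    const char sample[] = "caf\xe9";   /* constructed WINDOWS-1252 input */

    long n = convert_checked("UTF-8", "WINDOWS-1252", sample, 4, out, sizeof out);
    printf("allow-listed pair: %ld bytes written\n", n);

    /* "EXAMPLE-UNLISTED" is a constructed name standing in for any charset
     * a client might request that the application never needs. */
    n = convert_checked("UTF-8", "EXAMPLE-UNLISTED", sample, 4, out, sizeof out);
    printf("unlisted source charset: %ld\n", n);
    return 0;
}
```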
You clearly clicked off early 🙄
3.49
Watch the video. PHP abused the function so poorly that the kernel can be exploited with this bug. So yes you are technically correct that other apps could be vulnerable but few of them have used this function and few of them have made so huge of a blunder calling the function that the technology can be brought to its knees. It’s sort of like saying we shouldn’t single out the Tacoma Narrows Bridge collapse because bridges can be vulnerable to high winds. Yes they could but we don’t see them collapsing everyday like the narrows did
Totally agree. A total clickbait.
not completely unjustified to make it about php as the exploit that is being claimed is said to apply to php servers why and how i still have no idea after trying to find a bit more about it to no avail. However you are right in the sense that this video is indeed being needlessly alarmist and more importantly it does not address the issues that would have been of interest such as is the character set in question installed by default on an out of the box apache? does it affect nginx? does it happen on both phpmod and fpm? updating glibc is not always an option (debian here), it would have been nice to have more practically useful information on the context in which the exploit is available and how to prevent it.
My current understanding is that the exploit can happen when php processes any request that is made using the specific character set. Restricting this on the web server level should be an option and it might not even be needed if this character set has to be manually installed.
Most importantly going from an exploit that will kill one apache process to one that allows an attacker to do something (gain control or run something else) is extremely far fetched and unlikely to be a real threat.
so happy I never really did much complicated stuff with PHP in all projects I still have out there. I essentially just went `php index.php => index.html` and replaced the files on the production server for every project still using PHP and that basically saved me from having to look into 99% of CVEs for php. I mean I am still running PHP on an apache host, but since it's managed by the hosting provider it's their job to fix what's left.
These videos are a great way to be notified of things like this, and appreciate you taking the time to explain the bugs too!
I work for a web hosting company as a developer, not as security - but I alerted our security team to this thanks to you.
brb, writing a middleware that removes the charset header from the requests LOL
Heroes don't always wear capes
A tech talker explaining that UTF-8 is English encoded, is like a car mechanic explaining that oil goes into the inlet for the heating system.
Also utf-8 is not just 8 bits, but 8 to 32.
0:43 you should say "most Linux distributions". for example alpine runs on musl and also gentoo has a musl option.
However, the code for the exploited function is most likely the same in musl.
@tripplefives1402 No, the code in musl isn't most likely the exact same. glibc includes many non-standard optimisations and extensions, while the principles of the musl codebase are simplicity, correctness, standards compliance, and security. musl has had only six CVEs to date, while glibc has had over one hundred. This vulnerability is due to a logic error in glibc's implementation, and it would be unlikely the exact same logic error exists in musl. I would be quite surprised if musl's iconv() implementation was affected by this.
@shrootskyi815 musl has had 8, not 6, CVEs. Check MITRE.
How much of musl's CVE track record is due to its limited visibility and exposure? Younger age? Going simply by the number of CVEs is misleading. I recommend examining the fixes made to address this in glibc commit e1135387deded5d73924f6ca20c72a35dc8e1bda and comparing to musl libc's iconv rather than operating off of assumptions.
@tripplefives1402 Nope. Musl says "The iconv implementation musl is very small and oriented towards being unobtrusive to static link. Its character set/encoding coverage is very strong for its size, but not comprehensive like glibc’s." plus a few more paragraphs with details.
@shrootskyi815 6 cve's in 13 years : 100 cve's in 37 years is pretty damn good. Glibc is almost 5 times worse even taking into account how much older it is.
Why it is reported as php bug?
It is glibc bug, but I get it more now... it is just php bad luck... or unfortunate decision of placing buffer
For the same reason xz was tried to get attributed to systemd: People, rightly or wrongly, dislike PHP and any reason to attack it is valid.
@videocommenter235 And despite their attacks, it ain't going anywhere
No kidding, glibc is used by a lot of other languages too. It’s good to point out that php is impacted, but to say it’s a php bug is weird
It's same as eval in exiftool that lead to an rce in gitlab.
Looks like because it is easier to exploit the bug on PHP.
"Hellow my name is Oliverlearning"
is what my brain heard for some reason xD
i can't unhear it now! 🤣💀
I had to watch this video with closed captions and no sound. The captions printed Oliv Learning, so it heard that too! 😂
Me too. Before reading comments
00:25 Oliver Earning
It's weird name, tbh
this should affect every web request system, not just php that can accept and react to that http header, including node , it uses glibc too , and does accept http headers
That’s my understanding too, this does not seem isolated to PHP whatsoever.
That all depends on how those other systems implement functionality for character sets and HTTP headers. The bug in PHP is specifically related to PHP's use of glibc's iconv() function. While it's possible that other systems use iconv() in a similar manner, and have similar vulnerabilities, it isn't guaranteed that a web request system that depends on glibc is vulnerable. Other systems could be using character encoding conversion mechanisms other than iconv().
This affects every binary that links to the iconv() function. However not all implementations will have an RCE exploit, just a possibility of one. So they fall under the lower rating of 8.8 until one is found.
Also I would guess this exploit makes heavy use of the way PHP makes use of path-variables for passing data. Not all request systems are as liberal nor straightforward in the way they do this.
I think the point is that in the case of PHP the researchers managed to find an exploit chain that started with this bug. Until their research is published we don't know where else they tried or how hard they tried.
Two notes, this isn't a Linux only bug, GCC is used for windows PHP deployments as well.
Chinese uses double or even quad byte characters depending on the encoding. Since it seems to require installation of Chinese support and requires chaining that limits the vulnerability substantially.
In ancient times burned once by external library which theoretically has versioning but forgot about it I started round external structures or buffers with 256 or 512 bytes of "spares", which saved me hours of debugging strange errors or showed very beneficial to stability (additionally I zeroed those spares before and after call)
Fake news, they just want to take our lambos!
😂
😂
🤣🤣🤣🤣🤣🤣
Lol 😂
This impacts basically everything, not just php lol
Only if they use glibc’s iconv implementation. There are at least two functional replacements for iconv if I don’t count wholesale alternatives to glibc.
april be a crazy month
This, putty... was the apple sidechannel key extraction (gofetch) this month? I'm honestly having trouble keeping up. What have I missed? What have I forgotten that I'll still need to act on (or at least discuss with IT) when I go back in to work?
@Relkond the few I can recall off the top of my head are as follows:
linux (networking code?) giving ring 0 access
xz & liblzma backdoor
poorly escaped strings in windows allowing for "script execution" (shouldn't be a 10.0/10 exploit)
firewall having exploit
putty (as you mentioned)
this
and others I've forgotten about
Hi ! I have a few sites in PHP and now I code in Go. Do you think Go is better itself in regards to security and buffer-overflow proof choice or this is rather skill issue? Cheers!
Yes, major vulnerability. Everyone zip your projects hide them and start running.
Anyone else think it's weird when a YouTuber says, "Hi, my name is ..."
A few weeks ago I played a CTF with a challenge that had this kind of bug. It was written in rust, but it was all wrapped in an unsafe block
the glibc website says "The current development version of glibc is 2.40, releasing on or around August 1st, 2024." so it's not something that we can do about upgrading it
Yeah, this part stuck with me too. Most youtubers casually say "just upgrade your glibc or linux distro" but glibc 2.40 is not released and current LTS distros don't have a patch for this. Is there an actual viable fix for this?
A lot of these vulnerabilities require a particular level of access to be exploited which he noted but didn’t really expand upon.
Also a lot of php frameworks probably have expanded or limited access to request methods. Also these vulnerabilities would probably be more in development projects where people are not putting security in front of requests or not whitelist ips, or blacklisting IPs.
Also this would probably only apply to public facing php apps, websites .. with very little security or poorly written code. So your local environment or a docker container is outside of this ..
You most likely won't encounter such vulv anyway if you're not dealing with encoding conversion. Most likely you're using mbstring because of its multibyte-safe character encoding. Even then it's best to check the requirements or soft deps your packages might be using.
So that's how I find good vulv... 😂😂😂
Saying rust would have fixed that bug is kinda misleading since any language that employs bounds checking would have
Yeah, I guess... If you also embed the whole GC just to run that code module. Only Rust could be used to write something that could be embedded without forcing you to run a GC
The reason this is always asked rust and not other memory safe languages is that rust has the right features to replace c, while most others do not.
If you were to rewrite iconv in Rust, no other software would even notice. If you rewrote it in (insert GC language here) a lot of software would have new and interesting performance problems from having GC heaps stuck in them
@antoniong4380 you have bounds checking in C++. if you write an inline function/macro e.g. array_get_checked(), then you also have bounds checking in C
Most other languages that do bounds checking are garbage collected and not suitable for tasks like this as a result. C++ does not do bounds checking, that's a common misconception. I do know that Ada does however. There's also ATS, although that's a research language. I can't really think of anything else, perhaps D-lang might do it?
I wonder if it has been used previously and how many times.
I know I’m asking you for content that the algorithm is not kind to, but could you make some more videos that hit hard in the bare metal embedded world?
I’d love to see you do some stuff with RTOS, sensors, sensor fusion, bootloaders and other nifty. Even just building some neat little project would be great. Cheers!
The feeling when you switched to static html after a wordpress plugin allowed attacker to do their things (for example: delete all on-site backups). Since that there has been at least 10 more plugins that are vulnerable and now this sort of thing pops up.
Could this bug be used as a basis for an SQL injection attack? If you have complex Chinese characters that decompose into quotes, wouldn’t that be bad to put into text fields of a web page that expect western languages? I suppose in the software that I write, I use prepared queries!
Also, could this be used to write and execute code with the same privileges as Apache (depending on how the memory immediately following the buffer is treated)?
I love these kinds of videos! I have hardly any experience or knowledge with security and am unsure how to start. These videos make the concepts more understandable. Thank you!
Go for it!
Seems weird not to comment on php on musl in this context. Is running on musl an effective mitigation?
Yes
He got his hairs cut! Really wanna see you try out Go, just seems like such a good fit for how you operate
If you're running Ubuntu LTS with unattended-upgrades your system was updated last Friday (19th).
It doesn't affect my Lamborghini, won't fix.
It would be great to have an in depth video on why just 4 extra bytes are such a threat. I never dealt with low level code so I have no idea, it’s a complete mystery to me.
I probably don't understand it well enough to explain it but basically a program allocates a very specific amount of bytes for a task, if said task overflows it overwrites memory allocated for something else, even if it's 4 bytes that can do a lot of harm and escalate to arbitrary code execution
Simply put, the compiler doesn't waste memory if it can avoid it. If you have a bunch of variables, it usually puts them right next to each other.
Now imagine that you've got a variable that's supposed to be 20 bytes long. Right after it in memory is another variable - let's say it's the address the code should jump to at the end of the current function. If you write 24 bytes into that first variable, you're really writing 20 bytes into the first variable and 4 bytes into the second. You've just changed where the program jumps to at the end of the function.
Normally that sort of thing would cause a hard-to-debug crash in the best case and memory corruption in the worst. However, if things are arranged just right, you might be able to use something like this to intentionally specify the jump location to something that invokes a shell or otherwise opens the program up to more manipulation.
This sort of thing works because the computer doesn't really understand the concept of a "variable." It just sees memory addresses. It's up to the compiler and the programmer to make sure that the correct memory addresses are used and that you don't write to addresses you aren't supposed to.
Languages like C don't give the compiler enough information to pick up on this sort of thing, so it's up to the programmer to make sure it doesn't happen. They're only concerned with the raw mechanics of what the computer should be doing, so if the programmer wants to copy bytes from one location to another they have to write out exactly how that happens. Programmers make mistakes. Well-written libraries help a lot, but C will happily let you shoot yourself in the foot if you tell it to.
Languages like Rust and Ada require the programmer to provide more information about the intent of the program, so the compiler is able to do more checks to find programmer mistakes. There's a cost though - either in runtime (bounds checking) or loss of flexibility (i.e. sometimes you really do want to shoot yourself in the foot). Good languages offer the programmer usable tools to overcome the loss of flexibility, and bad languages are just a pain to use.
I've never written any Rust or Ada, but from what I hear they're pretty good languages.
4 bytes can easily be a return address...
The operating system gives certain access to memory. When memory is in use, that space is protected from being read and written. When you overflow without crashing the program, you are essentially corrupting this entire model.
Often times, this simply leads to data corruption which usually results in a runtime crash. The way this can be exploited however is somewhat program dependent. If you overflow in just the right place at the right time, you may call a system function or server function with arbitrary arguments. Note that attackers are often smart and patient. They will do this for months and even years to get access to a system and exploit it.
If I don't use ICONV to translate to that character set, should I worry too? I use it specially to convert between and from UTF-8 to WINDOWS-1252.
We don't know yet....
@autohmae how about if I don't use iconv() at all?
@ThomPorter74 We do NOT know YET.
@autohmae ok, I WASN'T sure.
@ThomPorter74 we got to wait till May 10
could this cause a glibc error when attempting a shutdown? Could that be a result of or indicative of an overflowed buffer?
I was under the impression that UTF-16 wasn't English specific, but simply required multiple subsequent 16-bit values for codepoints over a certain value.
Would disabling the iconv extension for php be another way to mitigate the bug?
Maybe, but only if your application doesn't depend on it.
Bro, for PHP this is so specific, that only applies to 3 webpages in the whole world if not -1. For anything else only applies if you mess with that exact specific Chinese character set in HTTP headers a very specific way. OMG quick we f.n need to panic coz another mind blowing huge bug is here... What do you think why does this one was discovered after 24 years? Because it is so frequently used technique? No, because that one person who found it was trying to break a system. This concept was the example he came up with, but in reality nobody is coding like that, if so, then they deserve a good hacking.
Actually, I disagree. This is not exclusive to just websites, blogs, but many people forget forums. Yeah, those exist. Most forum software TODAY are stuck on legacy php. I'm not kidding. And, even if you're an admin that run forums, you might still have 5.6 still installed. Eeek. Fortunately, I keep up with the latest versions of forums every update released.
how can you take over a device with 4 bytes?
What's up with all the kinds of vulnerabilities suddenly appearing this month?
I am forcing UTF8 in headers, and in php itself in my applications so I doubt in my case users can spoof to the Chinese char set on page submissions.
wow.. can't wait to see how the vulnerability works, explained by the researcher
Watching this while running many instances of wordpress on Linux Server🤒 [Edit] is this the same as GHOST vulnerability that came out in 2015?
Another alternative fix would be to run on Alpine Linux, which uses musl instead of glibc. If you're using a container just add -alpine to the base image.
So really dumb question incoming. If I have a fresh install of Linux mint, with nothing extra installed except for steam and discord. Is my system in the clear or do I need to do something? Im sort of new to this whole thing.
thank god void and alpine are safe
We have to be scratching world record territory at this point. How are all of these massive vulnerabilities being found just days apart?
driving and I'm swerving and i violently conv (iconv!)
Should I be concerned about the fact that the YouTube app on my TV has suddenly changed to the Chinese character set?
Please can you do a video on how to use LwIP Stack on Linux for beginners? I'm trying to learn it to write some firmware with it but the documentation isn't explicit on how to use the BSD-like Socket API of LwIP. I would appreciate it if you do it :)
Wow, that's very cool!
Wouldn't the scale on this vulnerability be limited to proper permissioning of applications themselves? glibc can be run without root access, and therefore mitigating total system access. However, still, it could be a means of acquiring data.
C really needs to make every pointer a fat pointer by default...
(fat pointers include the address, as well as a _length_ that can be checked against to prevent out of bounds indexing.)
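An added illustration, not part of any comment here and not glibc or PHP code: the layout from the explanation earlier in this thread (a 20-byte variable with a 4-byte value right after it) next to a copy routine that takes a fat pointer as described just above. The `frame` and `span` types, the field `next` and all function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A 20-byte variable with a 4-byte value directly after it in memory. */
struct frame {
    char     name[20];
    uint32_t next;   /* hypothetical stand-in for "where the code goes next" */
};
_Static_assert(offsetof(struct frame, next) == 20, "next must follow name");

/* Fat pointer: an address plus the number of bytes that may be written there. */
struct span {
    char  *ptr;
    size_t len;
};

/* Unchecked copy: trusts the caller's n. The write goes through the struct's
 * base address so the demonstration stays well defined for
 * n <= sizeof(struct frame); anything past 20 bytes lands in f->next. */
void copy_unchecked(struct frame *f, const void *src, size_t n)
{
    memcpy((unsigned char *)f, src, n);
}

/* Checked copy: the length travels with the pointer, so an oversized write
 * is refused instead of spilling into the neighbouring field. */
int span_write(struct span dst, const void *src, size_t n)
{
    if (n > dst.len)
        return -1;
    memcpy(dst.ptr, src, n);
    return 0;
}

/* Constructed input: 20 filler bytes followed by 4 bytes of 0x42. */
static void make_input(unsigned char in[24])
{
    memset(in, 'A', 20);
    memset(in + 20, 0x42, 4);
}

/* Returns the value of next after a 24-byte unchecked copy. */
uint32_t demo_unchecked(void)
{
    struct frame f = { "", 0x11111111u };
    unsigned char in[24];
    make_input(in);
    copy_unchecked(&f, in, sizeof in);
    return f.next;
}

/* Returns the value of next after the same copy is attempted through a span
 * covering only name; *rc receives span_write's result. */
uint32_t demo_checked(int *rc)
{
    struct frame f = { "", 0x11111111u };
    struct span dst = { f.name, sizeof f.name };
    unsigned char in[24];
    make_input(in);
    *rc = span_write(dst, in, sizeof in);
    return f.next;
}

int main(void)
{
    int rc = 0;
    printf("unchecked: next = 0x%08x\n", (unsigned)demo_unchecked());
    printf("checked:   next = 0x%08x", (unsigned)demo_checked(&rc));
    printf(" (span_write returned %d)\n", rc);
    return 0;
}
```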
For your own PHP project, disable Iconv in the PHP settings (or .htaccess) and run the project again. If it's not throwing any error, I would say, your PHP installation is fine of this particular issue.
wordpress is typing.......
Gonna exploit this right now. Thanks!
@6:16 that's not true, Rust uses glibc internally for those functions of the library. The system level libraries in rust are wrappers around libc.
The idea is that rewriting glibc in Rust would have stopped the buffer overflow and memory corruption. I'm not even sure that writing a libc implementation in Rust is possible though.
@shrootskyi815 f rust, rust is trash
@shrootskyi815 I love the idea of trusting Rust with handling C calling conventions... /s
should static analysis have uncovered something like this?
Sounds like this exploit would need to receive input, the module would need to be enabled, and specific calls to parse characters through incorrect coding practices.
I wish this was more accurate so it was more easy to understand the scope.
Rust would have fixed this, unless you set the compiler to ignore it, because you have a back door in the rust compiler. I can't help but wonder; could this glib escapade have been placed intentionally?
Dawg is feasting this month
5:58 rust does runtime bounds checking by default? this sounds like it would hurt performance quite a bit as well
You can't exactly be memory safe without doing bounds checks. But the performance impact is much less than you think. For starters, the checks can be optimized out a lot of the time if the compiler can prove that the access is safe. For example, in a for loop up to the length of the array, it's clear that the loop variable is in bounds. Or if you have multiple accesses in the same range, you often only need to check the first one. Also, most of the time, you'll be using iterators anyways which don't even have accesses by index that need to be bounds-checked.
But even if the check isn't optimized out, the cost is generally extremely small. It's a single compare and branch that the CPU can predict extremely well. People have tried measuring the performance impact of disabling bounds checks on real applications and it's often not even differentiable from random noise.
And ofc, if you do find bounds checks in a hot loop to be an actual issue, you can always do an unsafe access.
I can't speak for rust, but C# does runtime bounds checking too and yet the performance impact is negligible. I have actually had cases where indexing an array (bounds checked) was faster than dereferencing a pointer offset (not bounds checked) by a few nanoseconds.
It's a good question and I looked into it. As a test I changed the hot path of a fairly optimized program of mine (for data processing) to exclusively use unchecked array access. The results were interesting, with some test data the performance improved by around 2% compared to checked indexing, while with other data the performance got slightly _worse_. An article I found noticed the same and theorized that LLVM can in some cases optimize better with bound checks than without. (You could likely prove this by checking the assembly if you want to spend that time, I didn't.)
Now my test case is extremely heavy on indexing into large arrays, so I assume that 2% is on the higher end of impact. In most cases it should be negligible, and in many cases it's optimized out anyway.
All the gov backed exploits
Which PHP version are we talking about here?
these drums sound great with new heads
Will this affect my InfinityFree website?
How exactly would you create a back door with a 4 bytes buffer overflow?
4 bytes can easily be a return address...
@erikkonstas specific to 32 bit architectures?
I found something weird af on the htb academy last month. (Could be my computer) but haven’t had a serious answer from their team.
Setting up a server listening on port 5555 was expecting a reverse shell but instead got a load of file paths and file names and ip addresses of some Asian dude running from Vietnam.
First on me, dunno wtf happened
Huh, what about php linked with musl libc ?
Is "would Rust have fixed it" the new bar everything gets measured to? lol
These types of bugs (memory related ones caused by the language deficiencies) are the biggest problem with software safety, maybe that's why.
@antagonista8122 I certainly wouldn't mind having strict types and the borrow system in PHP. Would be an insane break with its roots though.
This is actually political, the reason he mentioned it is to stave off the Rustacean vultures from the comments... if you look into it, it won't take long to discover what end of the horseshoe they belong at... (hint: they have "mallocophobia")
its just common question
I think it's just a new meme.
At this point we better start testing all buffers everywhere for overflow 😂
Wouldn’t python Django be vulnerable as well?
do you have to have the chinese char set installed ? would you by default
Only if you use unwrap
php itself or php derivatives (like hack?)
HOW MANY MORE VULNERABILITIES ARE GONNA GET DISCOVERED?
yes
Some of them
Thanks Buddha I've never touched PHP.
jesus christ april is like the month of the critical software vuln
Just wait for May.
Hey man can you do a beginner guide to get into cybersecurity related to web development?
Eek given how popular WordPress is and it uses PHP it sounds like this could be a pretty widespread issue!
good moment to let the ansible update playbook run ^^
No danger that I'll ever trigger this bug.
lmao what a pike matchbox moment
I guess php should CNA this CVE to 10.0, to indicate that in their context it is an unauth’ed RCE for many installs. Rating vulnerabilities on library level always is a bit “garbage” due to “garbage in, garbage out”. If you don’t know the application context, you basically yolo guess all parameters around exposure/likelihood.
If C is under attack, What is the problem of PHP if the developer knows what he is doing
I want to get Mr. glibc wild ride 💀
I've always disliked character sets / encodings that have these kinds of state switches in them.
2024 lore is already going crazy
Rust mentioned?
Looney tunes
ssh
Os injection ( Palo Alto)
Iot hotel door encryption flaws
And now this!! Oh God, 2024 is haywire for cyber security professionals. 😤🔥
What if everything is bugged o.o