Any chance you will be offering student discounts in the future? I’ve started doing picoCTF and hackthebox challenges for a school club and think that the courses would be great learning resources for building applications with c but the price feels a bit too prohibitive
bro. you have the style, you have the knowledge, and you have the courage. I liked your talk, your analysis, damn how I love these videos...keep going.
Exactly. The person who wrote safe_system probably got into arguments with the person who wrote account, who told them not to worry about it. Some manager then told them to ship it and move on. Then the manager got their bonus for delivering on time.
@kapstersmusic I would assume the person who wrote safe_system never saw what the one who wrote account did. That would be gross negligence to not replace these 4 lines with their better, ready-made equivalents. Safe string processing is part of the standard, and safe_system is just there. Even without changing the string processing, just using safe_system to make sure the exploitable buffer overflow isn't literally ready to use as-is would be 2 seconds well spent. The security researcher would have maybe spent hours instead of minutes to get a working exploit.
The problem is not one programmer not being up to the task of writing safe code; or people talking to each other... the problem is quality assurance and testing. A company should never assume that a person doesn't make mistakes, it's about validation and testing. And D-Link apparently doesn't care enough about the quality of their products.
@@Exilum I would guess safe_system is from some sort of library, and the call to it was copy-pasted, but the account program was new and written by someone trying to only use the C standard library or sth like that, maybe because they didn't know how the Posix API worked, would be my guess.
@@svaira Or the other way around where the account software was from an older era some 30 years ago where things like this didn't really matter since it was executed from the root prompt.
This is actually a genius-level move by D-Link: they don't have to fix *past* bugs because they deem their hardware antiquated. Also, they don't have to fix *future* bugs because they just scared away their entire customer base.
@@dave7244 The 340L was released in 2015, and according to the dLink website "This product was phased out on: 29/10/2017", so maybe they were available for sale until then (and maybe even after that date from some retailers).
"D-Link US recommends retiring and replacing D-Link devices that have reached EOL/EOS" - To which every owner should say, "No problem, I'll replace it with a different brand".
" replace it with a different brand". Why? To have a bug from a different company? A bug which will be there for a decade, discovered only by hackers? Never buy a 'NAS'. Use your old PC, install TrueNAS on it, put it into its own VLAN and call it a day.
The funny thing for me is the vulnerability means you could recompile the account command to use safe_system and then use the vulnerability to download the patched account binary to the NAS, fixing the hole.
That was my initial thought as well. Seems this could be fixed rather easily, even by "hackers". The guy running this channel could probably make the patch Linksys refuses to do in a matter of minutes.
Imagine how chuffed the guy was finding this bug, like "yeah, I'm definitely getting a payout, they will be so glad I found it!", just to be told to feck off and that the fix was to buy their new products XD. Poor bloke.
@@bmanpura Maybe, it would certainly teach them a lesson, but if you're a genuine pen tester/bug bounty hunter you're risking your career doing shit like that. The amount of attribution and tracking sites these days is insane. One example: I wrote a little article on footprinting IMAP/POP3 mail servers last week. I googled the article the next day to find that I'd been entered into an international cyber threat database. The bot armies are real af bro. They had entire maps and models of endpoints and systems just from my write-up.
Even if they audited the code they wrote, who's to say the unix utilities it calls were audited? The usernames etc. should have been sanitized to remove any non-alphanumeric characters, so their safe_system is anything but safe. Anyway, it was a great video. Even with input sanitation, the fact that it is calling other programs makes it a crapshoot.
@@richcole157 It looks like the vulnerability can be triggered through the `pw` field and it is much harder to sanitize it in the way you suggest for `name`.
Do you really think they have _teams_ working on that? More likely one part of the code was written by one overworked guy at one time, the other part written by another overworked unqualified guy at another time, and all copy-pasted together by an unpaid intern later ...
HOT TAKE: If a vendor stops supporting a product because it's out of life, even with security-critical cases like this, we as a society should stop supporting the copyrights related to it. Granted, here there's probably not that much to protect, but if there's any copyright protection on that code, it should vanish. Reverse engineering? The producer orphaned it; we're not going to prevent people from adopting this child. Redistributing binaries? If it's not worth it for you to fix it, it's not worth it for us to chase people who copied it.
That should not be a hot take at all. If you aren't making money on your copyrighted thing, what are you protecting it for? Kind of the same with games. Your game is not officially available for purchase? People get to crack it and share it freely without consequences.
@@tyrannosaurus_x Yeah, honestly that take developed because of the Stop Killing Games initiative in the first place. And it's not even about "I want to play games that aren't available" (though that's still a valid approach) or that the company isn't making money anyway; I mean questioning how the system works in a much broader way. We as a society agreed to protect data (artwork, code, design and so on), which I'm not against, to be clear; my problem starts and ends with how the system works currently, not with the existence of the system. And at this point we agreed to do so for a ridiculous time frame. Mickey Mouse famously entered the public domain in 2024, an artwork from the period between the world wars. I'm from Poland; in our calendar that's like two invasions ago. Neither of my parents was alive when it came out, and they had me at a ridiculously old age. They grew up in a different world: telephones were rare, cars too, the country was still firmly in the grip of the USSR and the Iron Curtain divided Europe. I grew up in free Poland, with the ability to travel freely across Europe because of Schengen, with internet access since I can remember; YT raised me as much as my parents did, and it gave me the skills to get a job as a programmer. My father was born in 1945, after Mickey was created, and died in 2018, before it entered the public domain. I tell you all this to hammer home the point of how long a time frame we're talking about, and how much commitment society gives to copyrighted work. Even if it was out of print for years, even if the original company hasn't supported it for decades, even if the last entry in the IP was made before my country in its current form was established, it will still be protected. In return (and I'm talking mostly about video games, but it somewhat applies to software in general), they mercifully allow us to rent their software for an unspecified amount of time, for usually not so small sums of money, and usually with the right to take said license away on a whim without a reason. Again, I'm not for abolishing copyright entirely.
But I think in the current situation "the tail is wagging the dog", and either copyright retention should be shortened, new causes for artwork entering the public domain established, or both. (Perhaps it should work a bit like trademark: if you don't use it, you lose it.)
The team that wrote the "account" program assumed that their program is only going to be used by users that are already authenticated inside the machines shell. The team that wrote the HTTP server thought that the "account" program is safe to execute with parameters controlled by the unauthenticated user.
You probably hit the most likely explanation. Unfortunately, the bigger problem is D-Link unwilling to update it or at least send out a crisis report to news agencies to let customers know. I did see someone hint at mandatory open sourcing for deprecated software. I think that would definitely help, because the person who finds the bug could patch it. Maybe we need to promote open source routers now?
Open source radio transmitters have a remarkably hard time getting FCC approval... Qualcomm isn't the _only_ reason Qualcomm radio chips continue to use closed-source code. It's really annoying; the efforts to block true direct mobile-to-mobile LTE, were so coordinated, one could almost be forgiven for mistaking those efforts as good-faith "interference prevention". Open wireless is anathema to regulation; it's been stomped on, one product launch after another, my whole life or more.
@@prophetzarquon That's not an accident. Lobbyists love regulatory capture. It's all by design that OSS firmware cannot be used on RF systems. By design of the companies that have a vested interest in selling us new stuff all the time.
I maintain multiple servers and my go-to rule with even throwaway shell scripts is that all input must be considered unsafe. Always encode data as data regardless of the programming language you use and all injection attacks immediately vanish everywhere.
And the team that wrote the HTTP server, if there were teams, didn't take the time to understand HTTP. And the lead designer of the configuration API, if there was one, didn't push the big red button to stop this and do it right (and more simply).
No consumer protection law protects you from end-of-life products. In fact, in Europe it's only 3 years' warranty for a new product. Some pro or enterprise products get 5 or 10 years' warranty, but then consumer laws don't apply because the buyer acts as a company, not an individual.
Reminds me of a time a car dealership sent me lottery thing in the mail. Said I won a $50 gift card. Had a number to verify. Verified as valid. Walked into the car dealership and it was a "raffle" with the winning numbers already picked. Mine was not one of those numbers. Told them fuck you and that I'm never coming there again. The kind of idiot that looks at and buys a car after that is next level stupid.
Synology has its own security issues, unfortunately. Their security settings page forces you to give a phone number for 2FA setup, but SMS 2FA is easily exploitable.
As a person that has programmed for 30+ years, that is absolutely insane. The incompetency is astounding. If D-link can't fix things like this, then don't buy D-link products, it's that simple. They clearly don't care about their customers.
Yes, it is truly astounding. I've done some PHP programming for myself and some friends, and did some professionally a number of years ago. One of the first things I did was write a shell command to read all PHP files and find all instances of "if X = Y", and I used that shell command during and after each programming session to ensure that I never accidentally assigned a value when I intended to query it. Checking for calls to system() would be similar (I never used system calls, so I never needed to do such checks, but it would have been simple to check for them). If I -- a single individual -- could do some simple checking and validation to prevent problems, then surely a corporation such as D-Link could have done so.
@@nullvoid3545 What? No it's not. D-Link is a subsidiary of the Taiwanese Steel Group. They have no affiliation to Netgear. Why would you post blatantly false information like that?
@@sootikins Right, because manufacturers update their software 14 years after its initial release date. You guys might be some retards or a bit clueless about how things work when producing hardware and software components, but hey, I'm a salesman, you got me.
I once had a D-Link router, and it was losing connection about once a day, so I had to unplug it and plug it in again. I decided to update the firmware, in the hope that it would be fixed. After the update, the connection was dropping every 20-30 mins. Horrible experience. I installed de-wrt (which fixed everything) and never got a D-Link device ever again.
When I realized the vid hit a promo segment, skipped it, then realized it was a Low Level code promo, skipped back to the promo and happily watched it. I'm super interested in security after having some fun and mishaps with that as a teenager and later becoming a developer for 11 professional years ongoing. This inspires me (although it was a trivial vuln) to revisit offensive security again, it is exhilarating 🔥 Also often skills used for offensive security can be helpful in debugging issues and solving problems. Lastly many thanks and my appreciation for putting quality content out and raising awareness ❤
I'd believe it. Like, immediately after some companies want you to upgrade, they say "hey, there's a backdoor, you should stop using the product or your product is gonna be 15% slower". Spectre and Meltdown, Windows XP, Apple battery health, etc. are ideas that come to mind.
Microsoft refusing to patch a critical vulnerability is how Windows 7 got abandoned. The idea has been around... _Activating them is a new level of evil_
Forced obsolescence? They were obsolete before this disclosure. They're 14 year old devices. On top of that, one should NEVER use a consumer branded anything for anything actually sensitive or mission critical. These devices don't have redundant power or controllers. Those interfaces/ports/protocols shouldn't be exposed to the internet anyway. If you actually put one of these open to the internet, that's on you, not D-Link. If it's NOT exposed to the internet, in order to exploit it, you'd need to be on the local network already, in which case, you've already been compromised and you're fucked. This is something that should absolutely be fixed in any still supported devices, but end of life means end of life.
It's hard to imagine a scenario where this is an isolated incident. At any competent organization, the first time something similar happened, the dev-sec-ops team would've forced all kinds of commit/deploy hooks checking for system calls and requiring the lead/PO to sign off that they weren't doing something stupid. This makes all D-Link hardware sketchy. They're not a new company, and they're not small, and they're not new to making routers.
@@BTrain-is8ch I misspoke implying that a "competent organization" was even a thing... But a lot of industries are regulated/audited kinda hard for IT security and SDLC stuff. If 100 CVEs popped up that were caused by D-Link I would expect there to be a lot of places cancelling orders/contracts... But I guess D-Link is 100% discount consumer hardware if they can afford to not care and not fix it. You don't have to worry about what you do to the general public.
As someone who has worked in both residential and corporate IT for over 20 years now, I'll never go near D-Link. Garbage products made by a company that does not care. Nothing about this situation surprises me.
Prob a junior tech that was tasked to write the account script. This is why you need THOROUGH PR reviews and things like sonar to check for code smells like system and sprintf calls.
@speedweasel yup, a junior tech should never be blamed for something like this. If a junior dev is accidentally able to get such a bug into production, then a senior dev with bad intentions DEFINITELY would be capable of doing that as well. It's up to your pipeline engineers to make sure that CAN'T happen.
@@rikschaaf There is no such thing as code review in the Chinese software development world in many places)) Nobody looks at the code; they just make it work, do some stuff to pass manual and automatic tests, and that's all. And because there was no code review for years, they can't start doing it effectively, because everyone is more incompetent and can't spot other people's bugs just by looking at code (this is a separate skill which requires not just technical knowledge but also the ability to quickly understand code and see what can go wrong). Also, code review would kill their productivity and increase cost, so for them there is no reason to introduce such "bad" practices from a financial perspective)
As a Junior, I was terrified of making mistakes like this. As a Lead, I now realise how most of the world runs on software that people go out of their way to make utter s**t. Ask a locksmith and they'd always rather have software locks, ask a software dev and they'd always rather have physical locks. When you know, you know how bad things are lmao
Dude, the physical locks thing is so true. When I found out about lockpicking, I took a thin, flat piece of metal and just raked my apartment lock. In 30 seconds it was unlocked. Most locks are a joke. 😐
I was in disbelief about the "cut off a Bic pen & wobble it around in the keyhole" method for circular keys, so I tried it: Took me ~12 minutes the first time,
I'm honestly astounded at how easy your videos are to understand and follow. My only background in coding was one course that used Python in uni, and a little introductory C++ in high school, but I'm mostly able to keep up with what you're putting down. Good vids, is what I mean to say
I like collar-shirt Ed. He said "You shouldn't have your NAS with its, like, butt, in the ether-net port, facing out into the internet..." omg. I lol too hard at the mental picture that paints.
Oh yeah, D-Link. I'm a dev as well as an IT consultant. Got hired for a project because a company was facing issues where their entire network went down intermittently. Turned out they were using D-Link switches everywhere in their network. These switches had a vulnerability that could trigger a packet storm. There was no firmware update or fix. I replaced every single piece of network equipment that was made by D-Link with its CISCO equivalent. This was 5 years ago and their network has been working reliably ever since. D-Link is a total mess.
Same experience here! Worked for a small aerospace R&D company as a dev & IT consultant. After many random LAN outages I got them off D-Link switches entirely. How garbage are they that they can't even build a 100mbps switch without messing something up?
I was particularly impressed by your mastery to size up the thing and communicate in relevant-human-readable. Coding is a dark art already (which is a compliment).
@@flarebear5346 Yes, I know. But which end user knows this? And now the vendor name is in the press again and they can start their next product. Always remember, "The S in IoT is for security" (Need to find this T-shirt for next week, it must be somewhere.)
You shouldn't have the nas open to the public internet, especially not your admin console. You'd want to have an authentication layer in front of any requests to the applications on your system, or better yet, only allow access to your system through a secure VPN. In the case of this bug, you wouldn't be able to send a request to (target IP)/cgi-bin... if it wasn't already open to the public internet (which again, it shouldn't be), but if it was or say you're connected to the same network, then your whole machine is wide open.
I used to have a shell script to redial the internet set up as a CGI. Anyone on the LAN could reconnect the internet as needed that way. We paid per call back then for local calls, so doing it this way made it convenient, but saved calls at night when no one was using it. There was a 4 hour session limit on our ISP.
I’m glad we have people like you who dig into and white hat this stuff. What the hell… never going with D-Link. They should be held responsible for patching this *regardless* of EOL. I mean, arcane hacks are one thing, but this vulnerability is blatant and moronic; they should have to provide a fix for this… not force people to buy a new router.
Using "safe_system" to just call "system" anyway is awesome. It's like storing the key of the storage that holds your valuables in a bank vault for safety, but the storage with the actual valuables inside is just a cardboard box with a padlock.
I had to pause at 2:11, scream a little, grab a coffee, calm down and resume 5-10min later. ... turns out I was not done screaming. HOW DID THAT GET WORSE
I abandoned using any D-Link devices decades ago (around 2005-6) for exactly these kinds of practices (and bugs). It's almost unbelievable they are still doing these things after all these years and are still part of the market ...
And no mention was made anywhere about requiring authentication to access the CGI... So even if you could not run arbitrary commands, you could likely still create accounts.
I've seen more than once maintainers of very active, open source, self-hosted applications saying "our average user does not need enterprise level security features" when they refuse to implement things like mTLS support in their mobile client. Or sometimes they tell you to use Traefik as your reverse proxy when you expose the service to the WAN, while Traefik requires the docker socket in a container that is supposed to be facing the internet. Absolutely unforgivable.
As primarily a sysadmin with basic programming knowledge, I really appreciate the way you explained the code. Nice and easy to follow and your enthusiasm is very engaging.
To be fair to D-Link, the affected devices are over 12 years old. I would replace internet-facing equipment at 5 years or sooner. There will always be new vulnerabilities around the corner.
I'm an SWE student and I still don't see myself as a good coder/programmer. I don't understand a lot of concepts and I wasn't passionate about computers in general before entering college. I only know the theoretical concepts, but these videos are really making me love the field and want to learn more, and they make me more and more curious!
Some companies one should just never deal with. This is literally the opposite of the kind of support we have been used to from companies like IBM for example.
Dumb switches are one thing. No one should be using D-Link for anything more than that. There's plenty of much better stuff available in the NAS or higher-end consumer networking market for not much more money. I'd rather get a TP-Link setup and a Synology or QNAP NAS, but if you just need an 8 or 16 port gigabit switch? Buy whatever is cheapest because it'll work fine.
According to Wikipedia: "In 2022, D-Link obtained the TRUSTe Privacy seal, certification of ISO/IEC 27001:2013 and BS 10012." Certifications truly mean nothing!
In the early 2000s I used to have a D-Link DSL-504 ADSL router. If you enabled SNMP to e.g. graph traffic statistics, you could walk the device and retrieve the username and password of the attached broadband service, in plain text. Am I really surprised that D-Link equipment still has such egregious errors? They've been at it since the early 2000s. Old habits die hard I guess.
"Sanitize your inputs" is, like, lesson 6 of intro to programming. Sure, the safe_system thing is definitely a good idea, but there's just no need to allow a semicolon in a username (or a colon, dollar sign, octothorpe, parentheses, ampersand, percent sign, at sign, exclamation point, quotation marks, angle brackets, curly brackets, slash, backslash, vertical bar, or equals).
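To make the points in the comments above concrete (the "safe_system that just calls system" one, "encode data as data", the username whitelist, and the remark that the `pw` field cannot be whitelisted the same way), here is an added illustration in C. It is not D-Link's code and not code from the video; `build_command_unsafe`, `username_is_safe`, `run_argv` and the `adduser` command line are assumptions chosen for the example. The unsafe function only builds the string that would be handed to system(); it never runs it.

```c
// Added example: the command-injection pattern discussed in the thread, beside a hardened
// version. Not D-Link's code; the function names, the "adduser" command line and the sample
// password are assumptions for illustration.
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define CMD_MAX 256

// The unsafe pattern: user-controlled fields interpolated into a shell command line.
// Single quotes do not help once the field itself contains a quote.
// Only builds the string; a caller would then hand it to system(). Returns 0 on success.
int build_command_unsafe(char *out, size_t outlen, const char *name, const char *pw)
{
    int n = snprintf(out, outlen, "adduser '%s' '%s'", name, pw);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

// Whitelist for the username field: [A-Za-z0-9_-], 1..31 characters.
// A whitelist beats a blacklist because the shell's special set is larger than one remembers.
bool username_is_safe(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > 31) return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '_' || c == '-')) return false;
    }
    return true;
}

// Does a field contain a byte the shell would interpret? Passwords legitimately do,
// which is why the pw field cannot be "fixed" by whitelisting; it must never reach a shell.
bool field_has_shell_metachar(const char *s)
{
    return strpbrk(s, ";&|`$'\"\\<>(){}\n") != NULL;
}

// "Encode data as data": pass argv straight to the program with fork+execvp, no shell in
// between, so no quoting is needed and no metacharacter is ever parsed.
// Returns the child's exit status, or -1 if it could not be run.
int run_argv(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);               // exec failed
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char cmd[CMD_MAX];
    // Constructed sample: a "password" carrying an injected command.
    const char *pw = "x'; touch /tmp/pwned; echo '";

    build_command_unsafe(cmd, sizeof cmd, "alice", pw);
    printf("what system() would receive: %s\n", cmd);
    printf("username_is_safe(\"alice;id\") = %d\n", username_is_safe("alice;id"));
    printf("pw field has shell metachars: %d\n", field_has_shell_metachar(pw));

    // Hardened path: echo just prints the password back; nothing is executed.
    char *argv[] = { "echo", "adduser", "alice", (char *)pw, NULL };
    printf("run_argv exit status: %d\n", run_argv(argv));
    return 0;
}
```

The `touch /tmp/pwned` in the sample is never executed by this program; it only appears in the string that the unsafe builder produces, which is the point: whatever the builder produces is exactly what a shell would run.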
Dude, it's my first time watching your video and this video just forced me to subscribe to you; just from a single video I got to learn a hell of a lot. Thanks man!!
Great video, really good!! I think an additional (final nail in the coffin) and also good piece of information for the rest of us mortals is the following: How would you fix that issue, to make it safe? What measures could we all take to avoid stupid stuff like this getting out? It seems to me they are avoiding fixing it for some reason, which says to me that some company advocated for this "fix" and they pay big, so they don't want to remove it. That security flaw is a feature for some company, which is the worst case and the scary part, I think.
You don't need a willingly designed malevolent hidden agenda to explain what is just plain stupid greediness. Most likely someone in D-Link's sales department thought it was a good opportunity to sell new devices to ancient customers with no effort and make some easy sales commissions. Really all you need is someone with short-minded KPI drive and no incentive to build a high reputation for the company on the long term.
Since I had issues with a NAS and found out they closed down, I now see the issues with buying manufactured items, and now build my own and use open source NAS software; at least you have more control when you learn a bit.
He did mention that in the video too but the low hanging fruit is the system call. I mean both need to be fixed and are right next to each other. Not sure how people are going to do that though, if at all.
The list of affected devices doesn't include my D-Link NAS model, but I'm concerned that it might be an oversight or because it's a minor version that is also affected but they didn't mention for some reason. It's a DNS-321.
D-Link has a history of doing this. When I was in university, I found a couple of significant bugs in DIR-601 routers that could lead to RCE in many cases. The first bug was a command injection in the router's diagnostics page that let me inject arbitrary shell commands. This page normally requires that the user be authenticated as an administrator to access it. Unfortunately, that authentication was flawed and due to an API endpoint in the router not being properly authenticated, it was possible for a user authenticated as a regular user to generate and download a configuration backup. The administrator password was stored as plain text in this backup. I can imagine most people would not change the default user password, since it isn't privileged. I attempted to report this, but every email I sent bounced with an inbox full error. No idea if it was ever patched.
That's pretty standard for a vendor to not cover a patch, no matter the severity, for end-of-life devices. If you have a NAS that is 10 plus years old, the hardware itself went end of life 3 years ago, and the vendor draws a line in the sand after so many years that they can no longer allocate resources to still patch and create firmware for devices that are so old and probably only have a very small percentage of users still using them. I would be interested in seeing if D-Link has the ability to see how many users are using their NAS, with a phone-home feature or something like that, so they can say that this vulnerability only affects 5% of users utilizing their equipment and most of the other product has been retired, thrown away or trashed to be recycled. Very rarely will a company actually create a patch for an end-of-life device, and it usually comes down to the amount of users still using that device and how bad the vulnerability is. Very few times have I actually seen a vendor cover and patch a vulnerability that is end of life. The last big one that I remember seeing was Microsoft and Intel and AMD when Spectre and Meltdown were announced, and since it affected every CPU created in the last 20 years it made sense for them to create code updates in microcode updates and even OS updates to help patch these issues, even for end-of-life hardware and software.
Oh, you mean that 'computing appliances' aren't like toasters, and are really just computers that need constant updates forever? But I bought this 'appliance' because it is cute and single-purpose like a toaster that needs no updates ever.
IMO this is not a bug but a design flaw. I can't say it's intended, but they definitely never thought of it from a security perspective (or just abandoned the security scope). This is not "fixable"; this just shouldn't exist in the first place. If you say something is EOL so no more security updates, OK. But if you ship something with a known flaw (at least we all know it now), that's not a security update. It's just garbage being advertised as something useful. It should be a RECALL. Can Tesla say their car has a known risk of exploding if you press a certain button before EOL, but now it's EOL so they won't fix it? Elon Musk would be put in jail if so.
You can't say they "never thought of it in security perspective" when they actually have a "safe_system" command to cover this exact security issue that is actively in use in the same firmware and even in the same operation.
That was fun... 😂 I know you know, but I'll point out that at 2:34 it is just URL-encoding of plain ASCII, no Base64, so %27 is a single quotation mark and %20 is a space. I would expect the exploit to be a little bit different in the quotation style, by looking at 11:13... is it done on purpose to fool the skids? 🤔 Am I blind? 😆 Or maybe there was some string replacement along the way...? The stuff is pretty basic nonetheless, LOL 😁
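The comment above is right that %27 and %20 are plain percent-encoding, not Base64. As an added illustration (not code from the video, and not D-Link's CGI), here is a strict form-field decoder in C: `+` becomes a space, `%XX` becomes the byte, and a malformed `%` sequence is rejected instead of passed through. The sample query string is constructed for the example; the point it makes is that a metacharacter filter run on the raw `name=alice%27...` text sees no quote at all, so any check has to run on the decoded value.

```c
// Added example: strict application/x-www-form-urlencoded decoding, to show that
// %27 -> ' and %20 -> ' ' and that filtering must happen after decoding.
// Not the firmware's own parser; the sample input is constructed.
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

// Decode `in` into `out` (NUL-terminated). Returns the decoded length, or -1 if a
// %-sequence is truncated or non-hex, or if `out` is too small. Lenient decoders that
// pass bad sequences through unchanged are a classic way for a downstream filter to be bypassed.
int url_decode(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        int byte;
        if (in[i] == '+') {
            byte = ' ';
        } else if (in[i] == '%') {
            int hi = hexval((unsigned char)in[i + 1]);          // '\0' yields -1, no over-read
            int lo = (hi >= 0) ? hexval((unsigned char)in[i + 2]) : -1;
            if (hi < 0 || lo < 0) return -1;
            byte = (hi << 4) | lo;
            i += 2;
        } else {
            byte = (unsigned char)in[i];
        }
        if (o + 1 >= outlen) return -1;
        out[o++] = (char)byte;
    }
    out[o] = '\0';
    return (int)o;
}

// Shell-relevant bytes present? Run this on the DECODED value, never on the raw query.
bool has_shell_metachar(const char *s)
{
    return strpbrk(s, ";&|`$'\"\\<>(){}\n") != NULL;
}

int main(void)
{
    // Constructed sample: a username field carrying a quote, a semicolon and a comment marker.
    const char *raw = "alice%27%3Bid%20%23";
    char decoded[64];
    int n = url_decode(raw, decoded, sizeof decoded);
    printf("raw:     %s  (metachar check on raw: %d)\n", raw, has_shell_metachar(raw));
    printf("decoded: %s  (len %d, metachar check on decoded: %d)\n",
           decoded, n, has_shell_metachar(decoded));
    printf("truncated %%2 rejected: %d\n", url_decode("%2", decoded, sizeof decoded));
    return 0;
}
```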
This upsets me. A few years back, I had a D-LINK NVR that wouldn't work with our Dahua cameras. Turns out it was pretty much EOL in 8 months. I contacted D-LINK and instead of brushing me off, they put me in contact with the devs, who built us custom firmware for the box to make it work. They used to care.
Back in 2007, I discovered the Backtrack operating system and pen tested all of the wifi networks in my apartment complex. The only one that was unbelievably insecure was the D-Link router. I've never wanted to own anything by them.
@@corvusnocturne Kai Saikota and Fauna are the only vtubers I know that have one, except them, I have never seen anyone with one Eric Parker has kitty headphones, so Low Level could learn from him
I actually have/had one of the affected devices (DNS-320LW). Bought it in 2012, put the community-made and still maintained custom firmware on it in 2019 when it hit EOL that December. AFAIK it hasn't been sold since 2015 so to not bother with updates a decade after going out of sale and 5 years after going EOL seems perfectly reasonable to me.
Considering the patch seems like it's just changing the account stuff to run safesystem instead of system and that would completely prevent people from being able to run code on someone else's device it's still pretty crappy to just not do that very easy fix no matter how long it's been EOL.
@@ericgoodman3510 You sure you wanna go down the rabbit hole of arguing how long past selling what was a bottom-of-the-range NAS its manufacturer should support it? Especially when it's got a community-run alternative firmware/OS that isn't vulnerable to this?
@@LAG09 Sure, why not go down that rabbit hole? Because the literal first question is: should they be responsible for patching it if it had been discovered less than 24 hours after entering EOL? The obvious (unless you are a piece of sh**) answer is yes, a vulnerability of this magnitude should be patched if the product has been in EOL for less than 24 hours. Since that establishes there is clearly some amount of time after entering EOL for which they should be held liable for not patching a bug of this magnitude, the next question is simply for how long after EOL they should be responsible. Well, in my opinion they should be liable for as long as the patent is good. If you think that's too long of a timeframe, let me repeat the point that LLL already made in his video: EOL is determined solely and exclusively by the manufacturer, for a date that is completely arbitrary. If they don't want to be liable for fixing a vulnerability of this magnitude, then they need to publicly announce they are no longer interested in protecting their patent, opening the door for any other manufacturer to step in if they desire, because as long as they are willing to sue someone if they create the same product, they need to be liable when their product contained a bug of this magnitude while it was still being sold and not EOL.
Thank you for the great explanation. I HATE programming. I understand the basic concepts, but I rely on the pros to do their job correctly. Your explanation was simple enough technically; that I could follow the idea. Thanks and keep up the great work. I’ll be going back and watching the things that interest me in regards to security and usability. I’m the guy that breaks software or finds the UI interaction that’s crap. Did XBOX game testing for MS in early 2000’s and testing for Pre windows 7. I want to move my home stuff into Linux and am slowly working that way.
I owned a DNS 320 some time ago, but since it doesn't even support SMB v2 I had to give up and upgrade to something newer, because apparently D-Link doesn't give a s*** about this :) This video made my day, thanks :)
This is the rare occasion I'm actually sort of on D-Link's side. They're not even in the NAS business any more. I'm sure there are lots of 0-days lurking in the mountains of EOL hardware & software out there. At some point using old stuff becomes "use at your own risk".
I don't like D-Link, at all, but I completely agree. For all we know, their engineers discovered this among other things, and that's WHY they killed the product. Corpos would never call an end of life without immense pressure from the engineers, not while there's still any free milk left to squeeze.
It's not an excuse to not inform the public if the info was made known, and not allowing the community to fix the bug on their own. If anything, they should write that on the product box with the warranty: if the product is out of warranty, you are at risk of your devices being hacked and the company will not make any further patches to protect you. This is not apparent to any consumer, because we don't know the End Of Life ahead of time and no public announcements are made. Maybe this is more of a legislative issue regarding packaging, like food expiration dates.
you know what else is unforgivable? not checking out lowlevel.academy (and getting a DISCOUNT?)
I would buy a good ghidra course.
"I can't believe a company isn't held legally responsible" XD
Any chance you will be offering student discounts in the future? I’ve started doing picoCTF and hackthebox challenges for a school club and think that the courses would be great learning resources for building applications with c but the price feels a bit too prohibitive
How long do you expect a company to support their software after EoS/EoL?
bro. you have the style, you have the knowledge, and you have the courage. I liked your talk, your analysis, damn how I love these videos...keep going.
The guy who wrote the safe_system code is definitely a different person from the one who wrote account. I can't believe it is any other way
Exactly. The person who wrote safe_system probably got into arguments with the person who wrote account, who told them to not to worry about it. Some manager then told them to ship it and move on. Then the manager got their bonus for delivering on time.
@kapstersmusic I would assume the person who wrote safe_system never saw what the one who wrote account did. That would be gross negligence to not replace these 4 lines with their better, ready-made equivalents. Safe string processing is part of the standard, and safe_system is just there. Even without changing the string processing, just using safe_system to make sure the exploitable buffer overflow isn't literally ready to use as-is would be 2 seconds well spent. The security researcher would have maybe spent hours instead of minutes to get a working exploit.
The problem is not one programmer not being up to the task of writing safe code; or people talking to each other... the problem is quality assurance and testing. A company should never assume that a person doesn't make mistakes, it's about validation and testing. And D-Link apparently doesn't care enough about the quality of their products.
@@Exilum I would guess safe_system is from some sort of library, and the call to it was copy-pasted, but the account program was new and written by someone trying to only use the C standard library or something like that, maybe because they didn't know how the POSIX API worked, would be my guess.
@@svaira Or the other way around where the account software was from an older era some 30 years ago where things like this didn't really matter since it was executed from the root prompt.
This is actually a genius level move by D-Link:
They don't have to fix *past* bugs because they deem their hardware antiquated.
Also!
They also don't have to fix *future* bugs because they just scared away their entire customer base
they are just playing multi-dimensional chess 😆
XD 200 iq
@@dave7244 but the bug was present on day 1.
@@dave7244 The 340L was released in 2015, and according to the dLink website "This product was phased out on: 29/10/2017", so maybe they were available for sale until then (and maybe even after that date from some retailers).
@@dave7244 Are you using D-Link's suggested NTP server?
en.wikipedia.org/wiki/D-Link#Server_misuse
"D-Link US recommends retiring and replacing D-Link devices that have reached EOL/EOS" - To which every owner should say, "No problem, I'll replace it with a different brand".
//"D-Link US recommends retiring and replacing D-Link devices that have reached EOL/EOS" - To which every owner should say, "No problem, I'll replace it with a different brand".//
I agree.
" replace it with a different brand". Why? To have a bug from a different company? A bug which will be there for a decade, discovered only by hackers?
Never buy a 'NAS'. Use your old PC, install TrueNAS on it, put it into its own VLAN and call it a day.
@@temp50 Most companies do emergency patches when these kinds of bugs pop up. Even microsoft does that.
"Buy another NAS", definitely won't be a D-Link, I can tell you that for nothing.
QNAP or Synology should use this as free advertising for their newest kit
@@FrankEBailey WTF are you?
Buy the stuff and install firmware that can be called that way:
OpenWRT !!!
@@FrankEBailey I think Synology had a zero day like 2 weeks ago
@@adammontgomery7980 was the zero day as stupid as this one?
@@dancom6030 it's not the first...
The funny thing for me is the vulnerability means you could recompile the account command to use safe_system and then use the vulnerability to download the patched account binary to the NAS, fixing the hole.
Now this is bug fixing
lol that is amazing, maliciously fixing bugs, it's like Bethesda game modders.
Might as well install a webshell while you are at it.
Great idea. Shame it's a read-only file system.
Shouldn't be up to the FBI or whitehats to fix easy fixes like this.
That was my initial thought as well.
Seems this could be fixed rather easily, even by "hackers".
The guy running this channel could probably make the patch Linksys refuses to do in a matter of minutes.
It's not a bug, it's a low effort backdoor
The CIA was too busy trying to kill fidel castro...
Semantic arguments are fun, but that's all they are. Backdoors target vulnerabilities. Vulnerabilities are bugs.
I think they’re implying it was intentional
@@himothaniel Condescending responses to comments you don't understand are fun, but that's all they are.
You can read condescension into my comment if you like, but there wasn't any there. A small joke went over my head. I can acknowledge that.
Imagine how chuffed the guy was finding this bug, like "yeah I'm definitely getting a payout, they will be so glad I found it!", just to be told to feck off and that the fix was to buy their new products XD
Poor bloke
Nah, said bloke can scour the internet for eol products to hack. Win win.
@@bmanpura maybe, it would certainly teach them a lesson, but if you're a genuine pen tester/bug bounty hunter you're risking your career doing shit like that. The amount of attribution and tracking sites these days is insane.
One example: I wrote a little article on footprinting IMAP/POP3 mail servers last week.
I googled the article the next day to find that I'd been entered into an international cyber threat database. The bot armies are real af bro. They had entire maps and models of endpoints and systems just from my write-up.
Now he's mining bitcoin on your NAS, so whatever.
😂
I got a free replacement switch after finding a backdoor in D-Link.
This is what happens when you have 2 teams not talking to each other. One team did it right, the other not so much.
Even if they audited the code they wrote, who's to say the unix utilities being called were audited. The usernames etc. should have been sanitized to remove any non-alphanumeric characters, so their safe system is anything but safe. Anyway, it was a great video. Even with input sanitation, the fact it is calling other programs makes it a crapshoot.
@@richcole157 It looks like the vulnerability can be triggered through the `pw` field and it is much harder to sanitize it in the way you suggest for `name`.
Do you really think they have _teams_ working on that? More likely one part of the code was written by one overworked guy at one time, the other part written by another overworked unqualified guy at another time, and all copy-pasted together by an unpaid intern later ...
@@memyshelfandeye318 Well, that's like 2 teams right there! :D
@@IvanToshkov good point.
HOT TAKE:
If a vendor stops supporting a product because it's out of life, even with such security-critical cases, we as a society should stop supporting copyrights related to it.
Granted, here there's probably not that much to protect, but if there's any copyright protection on that code, it should vanish. Reverse engineering? The producer orphaned it, we're not gonna prevent people from adopting this child.
Redistributing binaries? If it's not worth it for you to fix it, it's not worth it to us to chase people that copied it.
That should not be a hot take at all. If you aren't making money on your copyrighted thing, what are you protecting it for? Kind of the same with games. Your game is not officially available for purchase? People get to crack it and share it freely without consequences.
@@tyrannosaurus_x Yea honestly that take developed because of stop killing games initiative in the first place.
And it's not even about the "Me wants to play games that aren't available" thing (though it's still a valid approach) or that the company isn't making money anyway, I mean questioning how the system works in a much broader way.
We as a society agreed to protect data (artwork, code, design and so on) (which I'm not against, to be clear, my problem starts and ends with how the system works currently, not with the existence of the system), and at this point we agreed to do so for a ridiculous time frame. Mickey Mouse famously entered the public domain in 2024, an artwork from the period between the world wars. I'm from Poland; in our calendar that's like two invasions ago. Neither of my parents were alive when it came out, and they had me at a ridiculously old age. They grew up in a different world: telephones were rare, cars too, the country was still firmly in the grip of the USSR and the iron curtain divided Europe. I grew up in free Poland, with the ability to travel freely across Europe because of Schengen, with internet access since I can remember; YT raised me as much as my parents did, it gave me the skills to get a job as a programmer. My father was born in 1945, after Mickey was created, and died in 2018 before it entered the public domain. I tell you all this to hammer the point of how long a time frame we're talking about, and how much commitment society gives to copyrighted work.
Even if it was out of print for years, even if the original company hasn't supported it for decades, even if the last entry in the IP was made before my country in its current form was established, it still will be protected.
In return (and I'm talking mostly about video games, but it somewhat applies to software in general), they mercifully allow us to rent their software for an unspecified amount of time, for usually not so small sums of money, and usually with the right to take said license away at a whim without a reason.
Again, I'm not for abolishing copyright entirely.
But I think in the current situation "the tail is wagging the dog", and either copyright retention should be shortened, new causes for artwork entering the public domain established, or both.
(Perhaps it should work a bit like trademark: if you don't use it, you lose it.)
it's a 14 year old NAS
@veryCreativeName0001-zv1ir and your point is?
This is a great idea! Added to the list of things I'd want to change.
The team that wrote the "account" program assumed that their program is only going to be used by users that are already authenticated inside the machines shell. The team that wrote the HTTP server thought that the "account" program is safe to execute with parameters controlled by the unauthenticated user.
You probably hit the most likely explanation. Unfortunately, the bigger problem is D-Link unwilling to update it or at least send out a crisis report to news agencies to let customers know.
I did see someone hint at mandatory open sourcing for deprecated software. I think that would definitely help, because the person who finds the bug could patch it. Maybe we need to promote open source routers now?
Open source radio transmitters have a remarkably hard time getting FCC approval... Qualcomm isn't the _only_ reason Qualcomm radio chips continue to use closed-source code.
It's really annoying; the efforts to block true direct mobile-to-mobile LTE, were so coordinated, one could almost be forgiven for mistaking those efforts as good-faith "interference prevention".
Open wireless is anathema to regulation; it's been stomped on, one product launch after another, my whole life or more.
@@prophetzarquon That's not an accident. Lobbyists love regulatory capture. It's all by design that OSS firmware cannot be used on RF systems. By design of the companies that have a vested interest in selling us new stuff all the time.
I maintain multiple servers and my go-to rule with even throwaway shell scripts is that all input must be considered unsafe. Always encode data as data regardless of the programming language you use and all injection attacks immediately vanish everywhere.
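The two points made in this thread (the "account" helper being reachable with unauthenticated input, and "always encode data as data") come together in the pattern below. It is an added example, not D-Link's code: the user name is allow-listed, the password travels as data on the helper's stdin (the way chpasswd reads "name:password"), and the helper is exec'd directly so no shell ever parses either field. The function names is_safe_username, run_no_shell and add_account are this example's own; grep stands in for chpasswd so the demo runs unprivileged.

```c
#include <ctype.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Allow-list for a user name: POSIX portable filename characters only,
 * no leading '-' (a child could parse it as an option), length 1..maxlen. */
int is_safe_username(const char *s, size_t maxlen) {
    size_t n = strlen(s);
    if (n == 0 || n > maxlen || s[0] == '-') return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.')) return 0;
    }
    return 1;
}

/* Execute argv directly with execvp (no /bin/sh). If stdin_data is non-NULL
 * it is written to the child's stdin through a pipe. Returns the child's
 * exit status, 127 if the program could not be executed, -1 on fork/pipe/
 * wait failure. Since no shell is involved, metacharacters in any argument
 * or in stdin_data are plain bytes as far as the child is concerned. */
int run_no_shell(char *const argv[], const char *stdin_data) {
    int fds[2] = {-1, -1};
    if (stdin_data != NULL && pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                          /* child */
        if (stdin_data != NULL) {
            dup2(fds[0], STDIN_FILENO);
            close(fds[0]);
            close(fds[1]);
        }
        execvp(argv[0], argv);
        _exit(127);                          /* exec failed */
    }
    if (stdin_data != NULL) {                /* parent: feed the child */
        close(fds[0]);
        signal(SIGPIPE, SIG_IGN);            /* child exiting early must not kill us */
        size_t len = strlen(stdin_data), off = 0;
        while (off < len) {
            ssize_t w = write(fds[1], stdin_data + off, len - off);
            if (w < 0) { if (errno == EINTR) continue; break; }
            off += (size_t)w;
        }
        close(fds[1]);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Hypothetical handler for an "add account" request. helper_argv is the
 * command that consumes "name:password\n" on stdin, e.g. {"chpasswd", NULL}
 * on a real system (needs root). Returns -1 without running anything when
 * the input is rejected, otherwise the helper's exit status. */
int add_account(char *const helper_argv[], const char *name, const char *pw) {
    if (!is_safe_username(name, 32)) return -1;
    if (strchr(pw, '\n') != NULL) return -1; /* a newline would smuggle a 2nd record */
    char line[512];
    int n = snprintf(line, sizeof line, "%s:%s\n", name, pw);
    if (n < 0 || (size_t)n >= sizeof line) return -1;
    return run_no_shell(helper_argv, line);
}

int main(void) {
    /* Constructed sample: grep -F -x checks that the record reached the child
       byte-for-byte, including the ';' in the password. */
    char *const check[] = {"grep", "-q", "-F", "-x", "alice:p@ss;w0rd", NULL};
    printf("valid name, password with ';' -> %d (0 = delivered intact)\n",
           add_account(check, "alice", "p@ss;w0rd"));
    printf("name with shell metacharacters -> %d (-1 = rejected, nothing ran)\n",
           add_account(check, "alice;id", "x"));
    return 0;
}
```

Note that with this structure the password field needs no character sanitization at all, which addresses the point made elsewhere in the thread that the `pw` field is hard to sanitize.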
And the team that wrote the HTTP server, if there were teams, didn't take the time to understand HTTP. And the lead designer of the configuration API, if there was one, didn't push the big red button to stop this and do it right (and more simply).
"Fuck you, pay me" is a genius strategy when most of your customers do not have consumer protection laws
And any attempt to pass consumer protection would be lobbied (read: "bribed") away by the powerful corporations that would be impacted by it.
@afjer this is why people become cyber criminals, stupidity
No consumer protection law protects you from end of life products. In fact, in Europe it's only a 3 year warranty for a new product. Some pro or enterprise products get 5 or 10 years warranty, but then consumer laws don't apply because the buyer acts as a company, not an individual.
Reminds me of a time a car dealership sent me lottery thing in the mail. Said I won a $50 gift card. Had a number to verify. Verified as valid. Walked into the car dealership and it was a "raffle" with the winning numbers already picked. Mine was not one of those numbers. Told them fuck you and that I'm never coming there again. The kind of idiot that looks at and buys a car after that is next level stupid.
Neither does the Mafia - thanks for the Goodfellas quote.
Synology could do the funniest PR thing and give you a 10% discount on buying one of their products when you own one of those exploitable NASes
Synology has its own security issues unfortunately. Their security settings page forces you to give a phone number for 2FA setup, but SMS 2FA is easily exploitable.
Synology give up 10% margin? Who are you kidding?!? 🤔
New vulnerability found in D-Link NAS devices
D-Link : It's not my problem, it's yours
@@play-good "sorry,we sold it to you,so your problem now"
@@92sieghart D-Link, the last big company around that still respects ownership 🤣🤣
.oO( Who did buy that s. in the first place? ... ROTFL )
at least open source this sht
Kind of true, yeah
As a person that has programmed for 30+ years, that is absolutely insane. The incompetency is astounding. If D-link can't fix things like this, then don't buy D-link products, it's that simple. They clearly don't care about their customers.
But D-link is just a subsidiary of Netgear, which owns a good majority of home routers currently distributed.
Yes, it is truly astounding. I've done some PHP programming for myself and some friends, and did some professionally a number of years ago. One of the first things I did was write a shell command to read all PHP files and find all instances of "if X = Y", and I used that shell command during and after each programming session to ensure that I never accidentally assigned a value when I intended to query it. Checking for calls to system() would be similar (I never used system calls, so I never needed to do such checks, but it would have been simple to check for them). If I -- a single individual -- could do some simple checking and validation to prevent problems, then surely a corporation such as D-Link could have done so.
@@nullvoid3545 What? No it's not. D-Link is a subsidiary of the Taiwanese Steel Group. They have no affiliation to Netgear. Why would you post blatantly false information like that?
@@nullvoid3545 this is what happens when a company is a monopoly (or almost one).
@@nullvoid3545 Netgear and D-Link are unrelated companies.
D-Link has been a security liability since the 2000's. :)
As long as you keep using EoL devices, that's on you buddy
@@BotDetector-44 what are you talking about?
@@dynad00d15 Just ignore him - he's a D-Link salesman!
@@dynad00d15 I'm assuming that was sarcasm. I'm _hoping_ that was sarcasm...
@@sootikins Right, because manufacturers update their software after 14 years from their initial release date. You guys might be some retards or a bit clueless how things work when producing hardware and software components but hey, I'm a salesman, you got me
So a common, old-school Shell Injection vulnerability. The Bobby Tables of system("command").
For clueless - xkcd reference. Someone embedded a "Drop table" command in child's name. Deleted main database at school.
Like a day 1 training scenario lol
@xmine08 - That is "Little" Bobby Tables to you. 😂
D-Link once made a router where the web-server ran in kernel-mode and had debug-commands
I once had a D-Link router, and it was losing connection about once a day, so I had to unplug and plug it in again. I decided to update the firmware, in the hope that it would be fixed. After the update, the connection was dropping every 20-30 mins. Horrible experience. I installed DD-WRT (which fixed everything) and never got a D-Link device ever again.
This server is running as root (or the CGI binaries are setuid) if it can add users via a web request.
When I realized the vid hit a promo segment, skipped it, then realized it was a Low Level code promo, skipped back to the promo and happily watched it. I'm super interested in security after having some fun and mishaps with that as a teenager and later becoming a developer for 11 professional years ongoing. This inspires me (although it was a trivial vuln) to revisit offensive security again, it is exhilarating 🔥 Also often skills used for offensive security can be helpful in debugging issues and solving problems. Lastly many thanks and my appreciation for putting quality content out and raising awareness ❤
Don't blame interns.
Don't recall who said it, but "if an intern can break production, you as a company have failed."
1:42 They are right about that, buy another NAS, but NOT FROM D-LINK
A new form of forced obsolescence? Activate all the security flaws after a specific date and refuse to patch them.
I'd believe it. Like immediately after some companies want you to upgrade they say "hey there's a backdoor, you should stop using the product or your product is gonna be 15% slower"
Spectre and meltdown, windows XP, apple battery health, etc are ideas that come to mind.
Microsoft refusing to patch a critical vulnerability is how Windows 7 got abandoned. The idea has been around... _Activating them is a new level of evil_
1. Push a "security patch"
2. The patch actually contains vulnerabilities, on purpose
3. Profit
Ah yes, the μTorrent v≥3.0 approach
Forced obsolescence? They were obsolete before this disclosure. They're 14 year old devices. On top of that, one should NEVER use a consumer branded anything for anything actually sensitive or mission critical. These devices don't have redundant power or controllers. Those interfaces/ports/protocols shouldn't be exposed to the internet anyway. If you actually put one of these open to the internet, that's on you, not D-Link. If it's NOT exposed to the internet, in order to exploit it, you'd need to be on the local network already, in which case, you've already been compromised and you're fucked. This is something that should absolutely be fixed in any still supported devices, but end of life means end of life.
It's hard to imagine a scenario where this is an isolated incident. At any competent organization, the first time something similar happened, the dev-sec-ops team would've forced all kinds of commit/deploy hooks checking for system calls and requiring the lead/PO to sign off that they weren't doing something stupid. This makes all D-Link hardware sketchy. They're not a new company, and they're not small, and they're not new to making routers.
Exactly how many "competent" organizations do you think exist now? Three? Four?
Before the first time, hopefully.
Took their development cues off CrowdStrike.
@@BTrain-is8ch I misspoke implying that a "competent organization" was even a thing... But a lot of industries are regulated/audited kinda hard for IT security and SDLC stuff. If 100 CVEs popped up that were caused by D-Link I would expect there to be a lot of places cancelling orders/contracts... But I guess D-Link is 100% discount consumer hardware if they can afford to not care and not fix it. You don't have to worry about what you do to the general public.
As someone who has worked in both residential and corporate IT for over 20 years now, I'll never go near D-Link. Garbage products made by a company that does not care. Nothing about this situation surprises me.
Prob a junior tech that was tasked to write the account script. This is why you need THOROUGH PR reviews and things like sonar to check for code smells like system and sprintf calls.
@speedweasel yup, a junior tech should never be blamed for something like this. If a junior dev is accidentally able to get such a bug into production, then a senior dev with bad intentions DEFINITELY would be capable of doing that as well. It's up to your pipeline engineers to make sure that CAN'T happen.
@@rikschaaf There is no such thing as code review in the Chinese software development world in many places)) Nobody looks at code, they just make it work, do some stuff to pass manual and automatic tests and that's all. And because there was no code review for years they can't start doing it effectively, because everyone is more incompetent and can't spot other people's bugs just by looking at code (this is a separate skill which requires not just technical knowledge but also being able to quickly understand code and see what can go wrong). Also code review would kill their productivity and increase cost, so for them there is no reason to introduce such "bad" practices from a financial perspective)
When does incompetence become sabotage?
When they refuse to fix it.
As a Junior, I was terrified of making mistakes like this. As a Lead, I now realise how most of the world runs on software that people go out of their way to make utter s**t. Ask a locksmith and they'd always rather have software locks, ask a software dev and they'd always rather have physical locks. When you know, you know how bad things are lmao
Dude, the physical locks thing is so true. When I found out about lockpicking, I took a thin, flat piece of metal and just raked my apartment lock. In 30 seconds it was unlocked. Most locks are a joke. 😐
I do both (locksmith/safesmith and pentesting). None of it works XD
@@capturedflame XD
I was in disbelief about the "cut off a Bic pen & wobble it around in the keyhole" method for circular keys, so I tried it: Took me ~12 minutes the first time,
@@prophetzarquon Haha. This is the funniest example of car security: ruclips.net/video/VNdygguAMQA/видео.html
I'm honestly astounded at how easy your videos are to understand and follow. My only background in coding was one course that used Python in uni, and a little introductory C++ in high school, but I'm mostly able to keep up with what you're putting down.
Good vids, is what I mean to say
I'm loving the channel name exploration in every video
I love watching these kinds of videos, it helps me see deeper into how the devices really work.... and that stupidity really knows no bounds....
I like collar-shirt Ed. He said "You shouldn't have your NAS with its, like, butt, in the ether-net port, facing out into the internet..." omg. I lol too hard at the mental picture that paints.
Holy moly, if I can get how bad it is without rewinding, it's a really stupid bug
Security goes against D-Link's core values. They have a reputation to uphold.
Oh yeah, D-Link. I'm a dev as well as an IT consultant. Got hired for a project because a company was facing issues where their entire network went down intermittently. Turned out they were using D-Link switches everywhere in their network. These switches had a vulnerability that could trigger a packet storm. There was no firmware update or fix. I replaced every single piece of network equipment that was made by D-Link with its CISCO equivalent. This was 5 years ago and their network has been working reliably ever since. D-Link is a total mess.
Same experience here! Worked for a small aerospace R&D company as a dev & IT consultant. After many random LAN outages I got them off D-Link switches entirely. How garbage are they that they can't even build a 100mbps switch without messing something up?
German home router manufacturer AVM handled a security flaw in 2023 completely differently. They even patched a model that had been EOL 7 years earlier.
I was particularly impressed by your mastery to size up the thing and communicate in relevant-human-readable. Coding is a dark art already (which is a compliment).
But isn't connecting your NAS to the Internet an advertised feature? "Run your own cloud!"
Not like this. If you are going to do that then you should have security measures that can authenticate and restrict what can connect to it.
@@flarebear5346 Yes, I know. But which end user knows this? And now the vendor name is in the press again and they can start their next product.
Always remember, "The S in IoT is for security" (Need to find this T-Shirt for next week it must be somewhere. )
lmfao
You shouldn't have the nas open to the public internet, especially not your admin console. You'd want to have an authentication layer in front of any requests to the applications on your system, or better yet, only allow access to your system through a secure VPN. In the case of this bug, you wouldn't be able to send a request to (target IP)/cgi-bin... if it wasn't already open to the public internet (which again, it shouldn't be), but if it was or say you're connected to the same network, then your whole machine is wide open.
Just run everything on the local network and have wireguard to connect to it
I've never in 30 years heard of CGI "typically being a bash script or an ELF"
@@bparker06 well it was. Even PHP worked/works like that.
In your defence, I've seen more Perl scripts as CGI than bash ones :-)
That is probably the case for these sorts of "UI glue for small devices"
C, Bash, and Perl are the typical ones.
I used to have a shell script to redial the internet set up as a CGI. Anyone on the LAN could reconnect the internet as needed that way. We paid per call back then for local calls, so doing it this way made it convenient, but saved calls at night when no one was using it. There was a 4 hour session limit on our ISP.
I’m glad we have people like you who dig into and white hat this stuff. What the hell… never going with D-Link. They should be held responsible for patching this *regardless* of EOL. I mean, arcane hacks are one thing, but this vulnerability is blatant and moronic; they should have to provide a fix for this… not force people to buy a new router.
Using "safe_system" to just call "system" anyway is awesome.
It's like storing the key of the storage that holds your valuables in a bank vault for safety, but the storage with the actual valuables inside is just a cardboard box with a padlock.
you're one of the most competent coders I'm watching on YouTube, if not THE best. Good job breaking this down for all the up and coming wizards
I had to pause at 2:11, scream a little, grab a coffee, calm down and resume 5-10min later. ... turns out I was not done screaming. HOW DID THAT GET WORSE
D-link? You mean the company unable to understand how email works? Whatever they did, I'm not surprised.
they are like hp lol
Bad code is always dangerous, but dangerous code is not always an accident.
I abandoned using any D-LINK devices decades ago (around 2005-6) for exactly these kinds of practices (and bugs). It's almost unbelievable they are still doing these things after all these years and are still part of the market ...
And no mention was made anywhere about requiring authentication to access the CGI... So even if you could not run arbitrary commands, you could likely still create accounts.
This channel is soooo good
You are saving the future of the internet my friend, thanks
I've seen more than once maintainers of very active, open source, self-hosted applications saying "our average user does not need enterprise level security features" when they refuse to implement things like mTLS support in their mobile client. Or sometimes they tell you to use traefik as your reverse proxy when you expose the service to the WAN, while traefik requires the docker socket in a container that is supposed to be facing the internet. Absolutely unforgivable.
As primarily a sysadmin with basic programming knowledge, I really appreciate the way you explained the code. Nice and easy to follow and your enthusiasm is very engaging.
03:25 I appreciate the heads up, but sadly, I failed to contain myself.
Thanks D-Link for your statement on EoL products so we can avoid buying any of your products in the future! Nice one!
8:36 that's what I call a well organized home dir!
Lol!
i like the todo dir
probably more exploits explained right there for one to just try
To be fair to D-Link, the affected devices are over 12 years old. I would replace internet-facing equipment at 5 years or sooner. There will always be new vulnerabilities around the corner.
Like your attitude here! :) Also the colors are so fresh ;)
I'm an SWE student and I still don't see myself as a good coder/programmer. I don't understand a lot of concepts and I wasn't passionate about computers in general before entering college. I only know the theoretical concepts, but these videos are really making me love the field and want to learn more, and make me more and more curious!
Dlink basically "F U pay me *again*!" surely inspires customer confidence in their products.
It's pretty simple why this happens: the developer thought that you could only reach this when you are an authenticated good guy.
Some companies one should just never deal with.
This is literally the opposite of the kind of support we have been used to from companies like IBM for example.
Love this guy immediately when he explains all the details for beginners in such a short time.
As a Gen-Zer even if I hated the collared shirt, that fire jacket makes up for it.
First mistake they made was buying a D-Link. If I see a D-Link device on a customer’s network, it has to go out immediately.
Dumb switches are one thing. No one should be using D-Link for anything more than that. There's plenty of much better stuff available in the NAS or higher end consumer networking market for not much more money. I'd rather get a TP-Link setup and a Synology or QNAP NAS, but if you just need an 8- or 16-port gigabit switch? Buy whatever is cheapest because it'll work fine.
According to Wikipedia: "In 2022, D-Link obtained the TRUSTe Privacy seal, certification of ISO/IEC 27001:2013 and BS 10012."
Certifications truly mean nothing!
This device is way older than 2022 so I'm not sure what your point is.
Well I mean the certification is called "BS xxxxxx" for a reason 😃
In the early 2000s I used to have a D-Link DSL-504 ADSL router. If you enabled SNMP to e.g. graph traffic statistics, you could walk the device and retrieve the username and password of the attached broadband service, in plain text.
Am I really surprised that D-Link equipment still has such egregious errors? They've been at it since the early 2000s. Old habits die hard I guess.
I absolutely lost it when you described an open port facing WAN as the NAS's butt exposed to the internet
Cue penetration joke?
Gives code injection a whole new context innit
I've known people with this train of thought. Where once you do the safe thing everything afterwards is magically safe.
When I saw it calling sprintf and system my jaw hit the floor. I then exclaimed "excuse me?!"
"It's not even snprintf!" I cried. But even that wouldn't have made it better since the quoting is completely unsafe.
"Sanitize your inputs" is, like, lesson 6 of intro to programming. Sure, the safe_system thing is definitely a good idea, but there's just no need to allow a semicolon in a username (or a colon, dollar sign, octothorpe, parentheses, ampersand, percent sign, at sign, exclamation point, quotation marks, angle brackets, curly brackets, slash, backslash, vertical bar, or equals).
This would be incredibly easy for them to patch. It’s a one line fix. They just don’t want to do it.
Always learn a lot from you with this stuff. You explain it so well! Keep it up
Wow thanks. Never buying D-Link (or their parent Netgear), ever. This passed code review?!
You think they did code reviews? Dlink in 2012 probably didn't even use a code repository, let alone agile development.
Dude, it's my first time watching your video and this video just forced me to subscribe to you. Just from a single video I got to learn a hell of a lot. Thanks, man!!
I will never again in my life buy D-Link equipment and will encourage all of my clients to do the same.
Anyone who doesn’t take security seriously has no business being a vendor. Samsung and SONOS I’m looking at you.
Great video, really good!!
I think an additional (final nail in the coffin) and also good piece of information for the rest of us mortals would be the following:
- How would you fix that issue; to make it safe?
- What measures could we all take to avoid stupid stuff like this getting out?
It seems to me they are avoiding fixing it for some reason, which says to me that some company advocated for this fix and they pay big so they don't want to remove it. That security flaw is a feature for some company which is the worst case and the scary part I think.
You don't need a willingly designed malevolent hidden agenda to explain what is just plain stupid greediness.
Most likely someone in D-Link's sales department thought it was a good opportunity to sell new devices to ancient customers with no effort and make some easy sales commissions.
Really all you need is someone with a short-minded KPI drive and no incentive to build a high reputation for the company in the long term.
This is why the best "NAS" is just your last used computer with FreeBSD and ZFS.
Since I had issues with a NAS and found out they closed down, I now see the issues with buying manufactured items, and now build my own and use open source NAS software. At least you have more control when you learn a bit.
Is nobody going to talk about how those sprintfs probably are a buffer overflow vulnerability as well?
He did mention that in the video too but the low hanging fruit is the system call. I mean both need to be fixed and are right next to each other. Not sure how people are going to do that though, if at all.
@@steveftoth by buying a new device - D-Link
Please place your checkmark and then try again.
[ ] I watched the whole video
No one cares. Probably there are a lot more spots to cover in the firmware. Why would you want a buffer overflow if you have system calls at your hand?
The list of affected devices doesn't include my D-Link NAS model, but I'm concerned that it might be an oversight or because it's a minor version that is also affected but they didn't mention for some reason.
It's a DNS-321.
It also doesn't include mine (DNS-327L) but I'm fairly certain that it also is affected by this vulnerability.
I've heard of people getting dismissed for lesser bugs. This is SUCH a rookie mistake.
TY for the content
It's Little Johnny ;DROP TABLES; but it's your NAS 😂
D-Link has a history of doing this. When I was in university, I found a couple of significant bugs in DIR-601 routers that could lead to RCE in many cases. The first bug was a command injection in the router's diagnostics page that let me inject arbitrary shell commands. This page normally requires that the user be authenticated as an administrator to access it. Unfortunately, that authentication was flawed and due to an API endpoint in the router not being properly authenticated, it was possible for a user authenticated as a regular user to generate and download a configuration backup. The administrator password was stored as plain text in this backup. I can imagine most people would not change the default user password, since it isn't privileged.
I attempted to report this, but every email I sent bounced with an inbox full error. No idea if it was ever patched.
That's pretty standard for a vendor to not cover a patch no matter the severity for end of life devices. If you have a NAS that is 10 plus years old, the hardware itself went end of life 3 years ago and the vendor puts a line in the sand after so many years that they can no longer allocate resources to still patch and create firmware for devices that are so old and probably only have a very small percentage of users still using them. I would be interested in seeing if D-Link has the ability to see how many users are using their NAS with a phone home feature or something like that so they can say that this vulnerability only affects 5% of users utilizing their equipment and most of the other product has been retired, thrown away, or trashed to be recycled.
Very rarely will a company actually create a patch for an end of life device. And it usually comes down to the amount of users still using that device and how bad the vulnerability is. Very few times have I actually seen a vendor cover and patch a vulnerability on a device that is end of life. The last big one that I remember seeing was Microsoft and Intel and AMD whenever Spectre and Meltdown were announced, and since it affected every CPU created in the last 20 years it made sense for them to create code updates and microcode updates and even OS updates to help patch these issues even on end of life hardware and software.
Oh, you mean that 'computing appliances' aren't like toasters, and are really just computers that need constant updates forever? But I bought this 'appliance' because it is cute and single purpose like a toaster that needs no updates ever.
Assembly was my favorite CS class. It's so satisfying having specific memory addresses.
IMO this is not a bug but a design flaw.
I can't say it's intended, but they definitely never thought of it from a security perspective (or just abandoned the security scope).
This is not "fixable", this just shouldn't exist in the first place.
If you say something is EOL so there are no more security updates, OK.
But if you put out something with a known flaw (at least we all know it), that's not a security update. It's just garbage advertised as something useful. It should be a RECALL.
Can Tesla say their car has a known risk to explode if you press certain button before EOL but now it's EOL so they won't fix? Elon Musk will be put in jail if so.
You can't say they "never thought of it in security perspective" when they actually have a "safe_system" command to cover this exact security issue that is actively in use in the same firmware and even in the same operation.
I came here expecting the most absurdly complex exploit chain that slipped through the cracks. I was pleasantly surprised.
That was fun... 😂 I know you know, but I'll point out that at 2:34 it is just URL-encoding of plain ASCII, no Base64, so %27 is a single quotation mark and %20 is a space. I would expect the exploit to be a little bit different in the quotation style, by looking at 11:13... is it done on purpose to fool the skids? 🤔 Am I blind? 😆 Or maybe there was some string replacement along the way...? The stuff is pretty basic nonetheless, LOL 😁
Place holder for uname n pass
As a 71 y. o. techie - much respect for good programmers. It really is rocket science!
this video literally had "no views" as he said "this video is gonna get no views"
This upsets me. A few years back, I had a D-LINK NVR that wouldn't work with our Dahua cameras. Turns out it was pretty much EOL in 8 months.
I contacted D-LINK and instead of brushing me off, they put me in contact with the devs, who built us custom firmware for the box to make it work. They used to care.
02:35 where base64?
There is, but you've become so good at reading it in your head that you can't tell anymore 😂😂😂
Go test if it works with assembly as well 😊😂
@@showmeyourcritz321 where does anything related to base64 happen?
Mc0Ca
@@jyothishkumar3098 "McOCa" is 5 characters
base64 encoding length is divisible by 4
5 is not divisible by 4
It’s not base64 encoded, it’s url encoded. He was just wrong.
You do great works man; always appreciated.
D-LINK. As in the grade.
Back in 2007, I discovered the Backtrack operating system and pen tested all of the wifi networks in my apartment complex. The only one that was unbelievably insecure was the D-Link router. I've never wanted to own anything by them.
If you're worried about not getting views, put on a choker; it'll work, trust me.
🤨📸
@@drgabi18 It's a proven fact, that's why so many streamers wear them and why so many vtubers have them on their models.
@@corvusnocturne Kai Saikota and Fauna are the only vtubers I know that have one, except them, I have never seen anyone with one
Eric Parker has kitty headphones, so Low Level could learn from him
Stop it.
Get some help
Great breakdown of the vulnerability and the triaging process!
I actually have/had one of the affected devices (DNS-320LW). Bought it in 2012, put the community-made and still maintained custom firmware on it in 2019 when it hit EOL that December. AFAIK it hasn't been sold since 2015 so to not bother with updates a decade after going out of sale and 5 years after going EOL seems perfectly reasonable to me.
Considering the patch seems like it's just changing the account stuff to run safe_system instead of system, and that would completely prevent people from being able to run code on someone else's device, it's still pretty crappy to just not do that very easy fix no matter how long it's been EOL.
@@ericgoodman3510 You sure you wanna go down the rabbit hole of arguing how long past selling what was a bottom-of-the-range NAS its manufacturer should support it?
Especially when it's got a community run alternative firmware/OS that isn't vulnerable to this?
@@LAG09 Sure, why not go down that rabbit hole? Because the literal first question is: should they be responsible for patching it if it had been discovered less than 24 hours after entering EOL? The obvious (unless you are a piece of sh**) answer is yes, a vulnerability of this magnitude should be patched if the product has been in EOL for less than 24 hours. Since that establishes there is clearly some amount of time after entering EOL they should be held liable for not patching this magnitude of a bug, then the next question is simply for how long after EOL should they be responsible? Well, in my opinion they should be liable for as long as the patent is good. If you think that's too long of a timeframe, let me repeat the point that LLL already made in his video: that EOL is determined solely and exclusively by the manufacturer for a date that is completely arbitrary. If they don't want to be liable for fixing a vulnerability of this magnitude, then they need to publicly announce they are no longer interested in protecting their patent, opening the door for any other manufacturer to step in if they desire, because as long as they are willing to sue someone if they create the same product, then they need to be liable for when their product contained a bug of this magnitude when it was still being sold and not EOL.
Thank you for the great explanation. I HATE programming. I understand the basic concepts, but I rely on the pros to do their job correctly. Your explanation was simple enough technically; that I could follow the idea. Thanks and keep up the great work. I’ll be going back and watching the things that interest me in regards to security and usability. I’m the guy that breaks software or finds the UI interaction that’s crap. Did XBOX game testing for MS in early 2000’s and testing for Pre windows 7. I want to move my home stuff into Linux and am slowly working that way.
0:04 > This video is gonna get no views because I'm wearing a colored shirt and apparently, like, Gen Z hates colors.
What?
Collared
@@Chris-on5bt Yeah but still, the question remains: What? :D
I owned a DNS 320 some time ago, but since it doesn't even support SMB v2 I had to give up and upgrade to something newer, because apparently D-Link doesn't give a s*** about this :) This video made my day, thanks :)
This is the rare occasion I'm actually sort of on D-Link's side. They're not even in the NAS business any more. I'm sure there are lots of 0-days lurking in the mountains of EOL hardware & software out there. At some point using old stuff becomes "use at your own risk".
I don't like D-Link, at all, but I completely agree. For all we know, their engineers discovered this among other things, and that's WHY they killed the product. Corpos would never call an end of life without immense pressure from the engineers, not while there's still any free milk left to squeeze.
It's not an excuse to not inform the public if the info was made known, and to not allow the community to fix the bug on their own.
If anything, they should write that on the product box with the warranty. If the product is out of warranty, you are at risk of your devices being hacked and the company will not make any further patches to protect you. This is not apparent to any consumer, because we don't know the End Of Life ahead of time and no public announcements are made.
Maybe this is more of a legislative issue regarding packaging, like food expiration dates.