if you view this image, YOU GET HACKED.

  • Published: 19 Dec 2024

Comments •

  • @LowLevelTV 7 months ago +39

    wanna get good at programming? check out lowlevel.academy and use code THREADS20 for 20% off lifetime access. or dont. im not a cop

    • @cerealpeer 7 months ago

      when?

    • @docbrown1157 7 months ago +1

      This is an Ad!!! Why are people "Thumbs UPing" an AD???? Huh, I guess the channel owner is getting a kick back from them...

    • @Serpsss 7 months ago

      @@docbrown1157
      If you're not interested you don't have to click but an upvote on an ad for the Creator's livelihood is a small sign of appreciation of the time & effort that goes into educational videos like this that have been made freely available.
      At least it's relevant and not some annoying sh*te like nordvpn or some sweepstakes scam.

    • @musicneverd_es 7 months ago

      I could offer a cheap tutorial on how to sync your audio and video already during the recording process :)

    • @GEMSofGOD_com 2 months ago

      Was always sus of webp to the level of canceling it completely in my projects.

  • @KazyEXE 7 months ago +1838

    I miss the days of jailbreaking my iPhone by just going to a website, but in hindsight, maybe that wasn't a good idea.

    • @ryangrogan6839 7 months ago +168

      Exploiting webkit has been a pretty popular way to jailbreak things. You can even do it on the PS3. I used to have to use an E3 flasher back in the day. I totally prefer webkit exploits any day over popping open something and attaching random shit to the onboard chips

    • @syrus3k 7 months ago +62

      There's been loads of very scary bugs in software that nobody ever seems to have cared about the potential risks. For example, you have no idea whether you've been hacked or not. Really.

    • @Relkond 7 months ago +32

      It was an ok idea. Buuut it revealed that the phone's security was garbage.

    • @theairacobra 7 months ago

      @@ryangrogan6839 Yeah, I modded my PS3 with HEN all thanks to the browser

    • @potential900 7 months ago +47

      @@syrus3k Ah yes, if only there was a popup on the screen every time the PC got hacked, lol

  • @MrWoodward42 7 months ago +599

    Seem to recall a similar bug in Internet Explorer (IE 5.0.x) from nearly 20 years ago that allowed a carefully crafted JPEG file to exploit a Windows system.

    • @jsrodman 7 months ago +57

      Yeah, similar problems have existed in libjpeg and libpng, both exploitable in practice.
      Shows the value of both memory safe programming environments and simple data formats.

    • @Aplysia 7 months ago +14

      I seem to recall a similar bug in IE 5 once or twice a week, back in the day. 😂

    • @uranoxyd 7 months ago +5

      Yeah, I think the bug was in the GDI or GDI+ library, but maybe this was another bug.

    • @sanicswaghog5278 7 months ago +6

      There was a similar exploit in IE and Firefox involving animated mouse cursors.

    • @Juksemakeren 7 months ago +7

      the first iPhone jailbreak was through an image parsing exploit

  • @mrsvcd 7 months ago +692

    The TIFF image format was used to hack the PSP early on.

    • @ST-actual 7 months ago +38

      Came here to say this!! Haha. The tiff overflow!

    • @mgancarzjr 7 months ago +35

      I still remember even somebody got a PSP back from being serviced with a magic battery in it that was immediately sent to the cracking scene.

    • @danielditlev 7 months ago +3

      It definitely was 😊

    • @memes_gbc674 7 months ago +1

      @@mgancarzjr yeah that was crazy

    • @ColdRacoons 7 months ago +2

      Also the iPhone/iPod Touch. 1.0 - 1.1.1. Was patched in 1.1.2.

  • @KFLawless1412 7 months ago +125

    Exploits that target software used for handling media are so interesting to me because they're such an unintuitive way to hack something. The Car Hacking Village had a case study where a similar vulnerability was exploited against a Tesla

    • @eanredur9920 7 months ago +3

      In this case, it was a bug. But especially with Machine Learning, there can be 100% correct code, but the AI is still vulnerable to image/video/data stream manipulation. Fascinating stuff!
      I don't know about the case with Tesla, but it is (or was) possible to confuse many AIs used for street sign recognition in a way that made them completely useless (Stop signs to 50 signs and similar things).
      Luckily, as far as I know, it is near impossible outside of laboratory circumstances, as it relies on the specific learned topology of the target AI. It is very weakly transferable and near impossible to generate without access to the AI.
      Do you maybe remember the paper? It sounds very interesting, but I could not pin it down with a quick google search. "Hacking Tesla with image" seems too generic.

    • @omegahaxors9-11 6 months ago +1

      The problem with hacking a tesla is that you can never tell if it was you causing it to fail, or if it just failed on its own.

    • @omegahaxors9-11 6 months ago

      @@eanredur9920 Machine Learning turned out to be the biggest crock of shit once it started being rolled out, it can't even hold a conversation without its mind wandering into fucking Narnia, and you expect it to write perfect code??

  • @TheEVEInspiration 7 months ago +280

    So....where is the payload then?
    A double free by itself will not hand over control to desired code; I'd like to see this explained.

    • @Omena0 7 months ago +13

      Fr

    • @MSheepdog 7 months ago +19

      I would assume either in the image data, or the table itself, but I also would have liked the video to cover it.

    • @jnharton 7 months ago +3

      That's an interesting question, yes.
      You have to somehow get the compiled form of the code you want to run into a region of memory that will be executed from.

    • @craigslist6988 7 months ago +7

      He made a previous video explaining exactly how the webp exploit works.

    • @bernard3992 7 months ago +3

      He explained the hardest part.

  • @samiraperi467 7 months ago +109

    3:34 He's trying to say "matryoshka dolls".

    • @illiadenysenko7776 7 months ago +18

      maryastroyka dolls :D

    • @fcantil 7 months ago +8

      Mary Striker Dolls! 🤘

    • @Mackerdaymia 7 months ago +20

      ngl, Perestroika Dolls hit me hard. The idea of the dolls redesigning themselves so they no longer stack.

  • @peel90 7 months ago +59

    thanks for making this awesome content LLL. I used to think cybersecurity and low level programming were really dry but the way you narrate how these major events unfolded makes it so engaging.

    • @LowLevelTV 7 months ago +17

      it's all so magical

    • @BirdsPawsandClaws 7 months ago +3

      I was thinking the same thing. I like the narration as well! Now I have to research more.

  • @darkpixel2k 7 months ago +151

    Decades ago I was told "we use Windows at this company because it's secure and stable. You cannot run Linux". So I sent out an email to the entire company with an urgent sounding headline. It contained an HTML IMG tag with the source set to C:\CON\CON
    There was absolute chaos as nobody could open Outlook after their computers blue-screened and restarted... Because it was the last message in their inbox, and it would display it before it got around to polling the exchange server for new messages. It would even crash if you went in through the web interface.

    • @em7dim9 7 months ago +38

      Ironically this particular exploit also affects Linux. It couldn't run as root of course but it could sure erase your home folder!

    • @squoosh8285 7 months ago +1

      🗣️😭☠️🙏🛐‼️ deserved

    • @ggsap 7 months ago +3

      @@em7dim9 ???

    • @em7dim9 7 months ago +16

      @@ggsap Running Linux wouldn't have protected you from the exploit in the video. The comment was about Linux offering more protection.

    • @ggsap 7 months ago +12

      @@em7dim9 You made "this particular exploit" sound like the exploit OP was referring to

  • @MeriaDuck 7 months ago +50

    I'm so old that I think I remember something like this has also happened to JPEG images; maybe in the exif data. May be all the way back to the very early days of the interwebs. Edit: discovered in 2004 apparently.

  • @OsamaDh-h5k 7 months ago +22

    0:35 Bro's parents named this guy LowLevelLearning

  • @JessicaFEREM 7 months ago +82

    Reminds me of the discord videos that crash discord. also turns out WebM has an infinitely adjustable dynamic resolution that can change on the fly, the speed bottleneck is the player. you can change the resolution of a WebM video 60 times a second even.
    discord didn't put a box limit so users were making videos that would seemingly disappear (turn into 1x1) the second you clicked on it, also videos that look like a game character dancing and it's bouncing the discord chat up and down with it.
    personally I think they should keep it but they removed it.

    • @jsrodman 7 months ago +8

      Meanwhile I would prefer a compile of discord that cannot render user content.

    • @jmvr 7 months ago +9

      I downloaded two videos using that. It was the Rick Roll that slowly shrunk, and a cat meowing where the video would change size when the cat meowed. It's pretty cool, and is even viewable in certain desktop media players.

    • @Fasteroid 7 months ago +6

      Remember that clip of the annoying orange coming through the TV that crashed your discord? I think it also used this tech.

    • @Mr_Yeah 7 months ago +7

      AFAIK, that behavior was not removed in Discord directly, but through a patch in Chromium

    • @henryfleischer404 7 months ago +1

      @@jsrodman What's the point of that? Wouldn't that just be the UI?

  • @voidkid420 7 months ago +109

    Quite a lot of evil has happened with a 1x1 image, over the years.

    • @2Fast4Mellow 7 months ago +8

      True, but you don't know it is a 1x1 pixel image unless you parse the image. Size is also misleading, because many image formats have many meta-data fields that allow me to balloon the image to a point where you no longer consider it suspicious. Browsers might be updated by now, but there is a lot of software that embeds web browser components that might not be updated, like mail and chat applications. Linux users get most of their applications from the distro repository, which will automatically update the applications. Under Windows this is much messier, and we all know that people don't like to upgrade their software because it is often asked when you want to use the application. VLC for example tells me when I want to watch a video that there is a newer version, and I only have a yes or no option; why not an install on exit of the application?

    • @voidkid420 7 months ago

      @@2Fast4Mellow Aye, the webview world is due a massive wake up ... I mentioned the webP thing a while ago, barely got a response ... till I started listing all the things that use it.

    • @JxH 7 months ago

      A company that I know... ...sends out emails that contain 1x1 tracking pixels. The reason I know this is that the same company has MS-Outlook policies that prevent the automatic downloading of images, instead marking the email's missing images with little squares on each corner. At the bottom of each email is a 1x1 pixel collection of four squares, that contains a link to an online (served) image that contains a lengthy and obviously unique identifier in the filename. In summary: 1) Company uses tracking pixels on all Corporate Communication emails, and 2) Company's MS-Outlook reveals this to anyone that knows about the general topic of 1x1 pixel images. SMH...

    • @rnts08 7 months ago

      You can still do a ton of damage with a 1x1, depending on if you host it or not.

    • @omegahaxors9-11 6 months ago +1

      If you think that's bad you should see how Pokemon handles 0x0 images.

  • @Adreadon 7 months ago +78

    It’s kinda neat that after taking a data structures and algorithms class I now understand so much more in a lot of these types of videos.

    • @gangstaberry2496 7 months ago

      I've been feeling the same!! Enjoy, happy learning ♥️

    • @eanredur9920 7 months ago +1

      Did you do Huffman Trees or is it more about understanding trees, compression, and recursion?
      Just asking because I found our Algorithms and Data Structures lecture useless. We did basic stuff, but nothing one could not have learned to a reasonable degree by reading 2-3 hours a day for a week.

    • @Adreadon 7 months ago +1

      @@eanredur9920 we learned both. Had to do Huffman encoding for an exam question actually.

    • @eanredur9920 7 months ago

      @@Adreadon Cool stuff. I wish we did go a bit deeper.

    • @iyeetsecurity922 6 months ago

      Picture go boom. Computer be sad now.

  • @tanopasqua1246 6 months ago +1

    Thanks!

  • @CH32mix 7 months ago +29

    Nice, just in case WebP doesn’t get more hate

  • @cesaraugustomarcelinodossa5138 7 months ago +4

    How is it possible that you make such nice videos, in a very simple arrangement and with good explanations, causing time to fly so fast!!! It never looks like it's an almost 10min video 😊
    Thanks for the good quality material you have been donating to the internet

  • @LeeLikesFrenchFries 7 months ago +2

    at my work, we called these types of attacks compression bombs. that kind of terminology helped put my mind in the right frame of reference when I evaluate useful compression code.

  • @jpsousa4 7 months ago +5

    At "maristroika dolls" I lost it. I think you made a portmanteau of matryoshka (the doll), and perestroika (the 1980s transparency policy used by Gorbachev in the USSR)

  • @blacklistnr1 7 months ago +8

    The sad part is that it doesn't even surprise me, CVE after CVE I see that complexity + interaction => exploit.
    Given the complexity stack of anything today, the only way to avoid exploits is to avoid interactions with untrusted data. i.e. no internet, no file sharing.
    Next best thing is to separate everything, but that is really hard without carrying 3 phones in your pocket.
    I'm going with option 3 which is eat popcorn while reading the news.

    • @erikkonstas 7 months ago

      Guess what, you're not safe even without Internet... and I don't mean your computer, I mean your physical body... the chance a sniper kills you is never zero.

  • @m4rt_ 7 months ago +133

    Technically not the picture will render the picture, the picture will be used to render a picture.

    • @jnharton 7 months ago +4

      The "picture" is a file which contains binary data representing the red, green, and blue (RGB) components of the color to be used for each distinct subunit of a digital image.
      With a large enough set of colored pencils (or an image composed from a limited color palette) and some graph paper you could open up the "picture" in a hex editor and render it on your graph paper in colored pencil.

    • @paulstelian97 7 months ago +3

      @@jnharton That's only true of uncompressed formats.

    • @jnharton 7 months ago

      @@paulstelian97 The first and most important part is technically still true, because unless the compression is lossy, decompression restores the original.
      A different encoding of data doesn't mean you don't have the data.

    • @paulstelian97 7 months ago

      @@jnharton PNG is the only often encountered lossless encoding soooooooo… there’s others like jpg or webp

    • @lyrimetacurl0 5 months ago

      "I used the picture to render the picture"

  • @janm4442 6 months ago

    Great explanation and nice video (no annoying music, no effects and no loud voice). Thanks for it.

  • @owlstock679 7 months ago +75

    New LLL vid == good day => true

    • @swiss_eng 7 months ago +8

      #ifdef newlllvid
      bool goodday = true;
      #endif

    • @electrolyteorb 7 months ago +12

      @@swiss_eng please don't use macros for runtime checks...

    • @owlstock679 7 months ago +3

      @@swiss_eng
      I'll do you one better.
      #ifndef newLLLvid
      *(char*)0 = 0;
      #endif // newLLLvid

    • @Kane0123 7 months ago

      This is some real strange dotnet syntax guys…

    • @Hellbending 7 months ago +1

      fn lllvid(new: Vid) -> Result<bool, Error> {
          match new.is_ok() {
              true => Ok(true),
              false => Err(Error::Nonsensical),
          }
      }

  • @TesserId 7 months ago +1

    The storing of the Huffman table in the file does not occur in all Huffman use cases. I had to think about it for a moment, but unlike text compression, you can't assume a default starting point for images, so taking up space to store the table makes sense.

  • @Ilix42 7 months ago +17

    I think the researcher name was “Misty Mountain Cop”.
    Thanks for the informative video.

    • @Collif 7 months ago +1

      Yep, definitely a play on Misty Mountain Hop by Led Zeppelin

  • @sittingstill3578 7 months ago +1

    This bug sounds well worth a deep dive into. I wonder if it is something that also bypasses other typical security protocols by rendering the image as unrenderable. It reminds me of something that could be easily exploited in captive WiFi login portals where the user has no ability to block the execution image files being loaded and rendered. A bad actor could set up a spoofed WiFi related to their target's activity and just embed the exploited file when they log in out of habit.

  • @trag1czny 7 months ago +3

    "marystroika dolls" killed me 💀

  • @rootdevelopment 7 months ago +15

    Nice video! 🎉

  • @javabeanz8549 7 months ago +3

    When I started to play the video, I was wondering if it was on the UEFI splash image hack. Alas, it was not, but another interesting bug. I remember writing code and then setting up automated testing back on a Pr1me Mini back in the 1980's. Most of the programs were reasonably simple, and testing for invalid input didn't take long, until we got to the final project for the semester. And of course, final project time meant every class was in the lab trying to get their final project done. So, automating my testing was a big speed boost for my team. Rather than twenty minutes of entering something and waiting for our time slice to come around again, the mini took my scripts and gave us back a results file we could browse in about a minute.

  • @potential900 7 months ago +2

    I don't understand what can be done with an RCE bug, how it helps an attacker. What does it do to the attack surface? There must be a lot between "do overflow" and "hijack computer". Another vuln called Cable Haunt was also an RCE vuln but in Docsis modems.
    Anyone willing to help shed some light?
    Thanks.

    • @potential900 7 months ago +1

      Asking because I've seen rce vulns mentioned several times over the years but as a dev not working that low-level, my understanding is lacking.

    • @sapo-san8054 7 months ago

      @@potential900 remote code execution is dangerous because it allows an external agent to run software on your computer. any software.
      from a simple "hello world" program to something that could leak all of your private files to third parties and steal all of your passwords and basically anything stored in your machine.
      An attacker exploiting an RCE bug means it's literally using the bug to run unwanted software on your machine.

    • @stitchfinger7678 7 months ago +1

      As no kind of expert, my understanding at the most basic level is, feeding a program/system/etc the right kind of garbage can make it enter unexpected states (ungraceful crashes, half-executed functions, etc). These unexpected states may leave the system in a place where it is not safeguarded in ways it would normally always be.
      For example, your car's battery died before you got a chance to lock the doors. Sure you can flip the manual locks if your car even has them, but then your alarm still doesn't work, so if someone DOES get in there's nothing left the car can do.
      So the subject of the video is more the vector of harm than the tool of harm; it's the way in. Once you have access to the right things, you can make the infected system do whatever you want.

    • @williamdrum9899 7 months ago +1

      Often it involves overwriting a function's intended return address with the location of a hacker's payload code

  • @S3Kglitches 7 months ago +6

    Too bad you didn't explain Huffman encoding in a simpler way. It can be described as giving the least amount of bits to most occurring repeating sequences of characters/data which gives the maximum possible compression while preserving some special properties in the bit sequences which allow constructing the tree.
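The description in the comment above (frequent symbols get the fewest bits, and the resulting code lengths are what a file carries) as an added example written for this page, not code from the video or from libwebp. The six-symbol frequency table is constructed; the tree is built by repeatedly merging the two lightest subtrees, and a leaf's depth becomes its code length.

```c
/* Added example (constructed for this page, not from the video or libwebp):
 * builds Huffman code lengths from symbol frequencies by merging the two
 * lightest subtrees until one tree remains. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_SYMBOLS 64

/* A tree node: leaves (index < n) are symbols, inner nodes join two subtrees. */
struct hnode {
    uint64_t weight;
    int left, right;            /* child indices, -1 on a leaf */
};

/* Walks the finished tree; a leaf's depth is its code length. */
static void assign_lengths(const struct hnode *t, int idx, int depth, uint8_t *lengths)
{
    if (t[idx].left < 0) {
        lengths[idx] = (uint8_t)depth;
        return;
    }
    assign_lengths(t, t[idx].left, depth + 1, lengths);
    assign_lengths(t, t[idx].right, depth + 1, lengths);
}

/* Fills lengths[0..n) for n symbols with non-zero frequencies.
 * Returns 0 on success, -1 if the input is unusable (n < 2 or a zero frequency). */
int huffman_lengths(const uint32_t *freq, size_t n, uint8_t *lengths)
{
    struct hnode tree[2 * MAX_SYMBOLS];
    int roots[MAX_SYMBOLS];     /* subtrees not merged yet */
    size_t nroots = n, next = n;

    if (n < 2 || n > MAX_SYMBOLS) return -1;
    for (size_t i = 0; i < n; i++) {
        if (freq[i] == 0) return -1;
        tree[i].weight = freq[i];
        tree[i].left = tree[i].right = -1;
        roots[i] = (int)i;
    }
    while (nroots > 1) {
        /* Find the two lightest roots: a is the lightest, b the second. */
        size_t a = 0, b = 1;
        if (tree[roots[1]].weight < tree[roots[0]].weight) { a = 1; b = 0; }
        for (size_t i = 2; i < nroots; i++) {
            uint64_t w = tree[roots[i]].weight;
            if (w < tree[roots[a]].weight) { b = a; a = i; }
            else if (w < tree[roots[b]].weight) { b = i; }
        }
        tree[next].weight = tree[roots[a]].weight + tree[roots[b]].weight;
        tree[next].left = roots[a];
        tree[next].right = roots[b];
        /* The merged node takes slot a; slot b is refilled from the end. */
        roots[a] = (int)next;
        roots[b] = roots[nroots - 1];
        nroots--;
        next++;
    }
    assign_lengths(tree, roots[0], 0, lengths);
    return 0;
}

/* Longest code length the frequencies produce, or -1 on bad input. */
int max_code_length(const uint32_t *freq, size_t n)
{
    uint8_t len[MAX_SYMBOLS];
    int longest = 0;
    if (huffman_lengths(freq, n, len) != 0) return -1;
    for (size_t i = 0; i < n; i++)
        if (len[i] > longest) longest = len[i];
    return longest;
}

/* Constructed samples: a textbook six-symbol table and a flat one. */
static const uint32_t SAMPLE_FREQ[6] = {45, 13, 12, 16, 9, 5};
static const uint32_t UNIFORM_FREQ[4] = {1, 1, 1, 1};

/* Returns 1 when the sample gives 'a' a 1-bit code, b/c/d 3 bits, e/f 4 bits. */
int sample_lengths_ok(void)
{
    uint8_t len[6];
    if (huffman_lengths(SAMPLE_FREQ, 6, len) != 0) return 0;
    return len[0] == 1 && len[1] == 3 && len[2] == 3 &&
           len[3] == 3 && len[4] == 4 && len[5] == 4;
}

int main(void)
{
    uint8_t len[6];
    huffman_lengths(SAMPLE_FREQ, 6, len);
    for (int i = 0; i < 6; i++)
        printf("symbol %c  freq %2u  code length %u\n",
               'a' + i, (unsigned)SAMPLE_FREQ[i], (unsigned)len[i]);
    return 0;
}
```

The code lengths are the only thing a decoder needs to rebuild the same codes (canonical Huffman assigns consecutive code values per length), which is why a format stores lengths rather than the tree; the flat table shows the degenerate case where every symbol gets the same 2-bit code.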

  • @Mehdital89 7 months ago +3

    Tbh you keep hearing about those buffer overflows and how dangerous they are but tbh other than crashing your browser, I haven't heard of any concrete exploit in recent times that managed to do a big intrusion thanks to such a bug

    • @teknixstuff 5 months ago

      Almost anything that can crash the browser, could be used to run arbitrary code before crashing the browser.

  • @ArturStefanczyk-bf5qh 7 months ago +3

    "I won't talk about this very complex algorithm." Proceeds to talk about this very complex algorithm

  • @MuradBeybalaev 7 months ago +3

    0:50 "A picture is a format that renders." Very logic indeed. Much useful not misleading definition.
    3:32 "Merestroyka dolls." Nailed it. Just one letter away… from an irrelevant word.

  • @Amipotsophspond 7 months ago +1

    the people that make and catch these things are geniuses.

  • @MP3-b5w 7 months ago +2

    Interesting timing for the hair overflow condition to occur at 6:30

  • @thatoneguy229OG 7 months ago

    The Darknet Diaries podcast actually talked to one of the folks at Citizen Labs in an episode that is centered around NSO. Highly recommend it, as they go into more of the high-level overview of what NSO (and their clients) were doing.

  • @CastToVoid 7 months ago +1

    Loved the explanation of this, short, sweet. Really interesting

  • @mauriciolee7349 5 months ago

    Thank Low Level Learning for such an EYE-OPENING video.

  • @LaMirah 7 months ago +2

    I remember a remote code execution available in the WMP and EMP image formats that affected Windows from version 3.0 to server 2003; that's twenty years' worth of Windows versions...

    • @aylen7062 7 months ago

      *ten years

    • @LaMirah 7 months ago

      @@aylen7062 True.

    • @AnneJan 5 months ago

      yes !! I created an EPS that exploited it to run regedit to disable the EPS rendering and show an alert stating "you are now safe" ..
      years later this got my website blocked by McAfee corporate firewalls for hosting malicious files 🙂
      It was the easiest way for us to patch a lot of workstations :-)

  • @mp_rho 7 months ago

    literally just learned about Huffman coding in my algorithms class when we went over greedy algorithms a week or so ago. pair that with the operating systems class I'm taking and I'm understanding a lot more in these videos.

    • @vylbird8014 7 months ago

      In your next lesson you learn that Huffman coding has been largely replaced by arithmetic coding, which is more complicated but can achieve better compression.

  • @lerneninverschiedenenforme7513 6 months ago +1

    Reminds me of the time when I wrote to Thunderbird developers "showing image files in mails might be a security issue" and a developer responded: "There's no security issue here. Image libraries are so mature now, that they do not contain any severe bugs anymore".

    • @KopperNeoman 6 months ago

      Never assume that because something's modern, it's secure.

  • @tiagotiagot 7 months ago

    Fuzzing shouldn't be applied just to the final program; individual functions should be tested in order to catch things like this more easily. You shouldn't need to find the external input that would trigger the bug if you tested directly the last step that fails when receiving too big of an input.

  • @skilletpan5674 7 months ago +1

    This reminds me of the old PKZip bug from the 90s that caused PKZip to keep decompressing the same data over and over again. A ZIPBomb. It'd cause pkzip to "bomb" the hard drive and fill it up.
    Mind you the first version of that (that I remember) used pointers to make the pkzip file loop. It wasn't out of bounds as it stayed within bounds.

    • @stitchfinger7678 7 months ago +1

      People still make zipbombs today, if mostly for tinkering and not as much harm
      There's one that has a theoretical decompression size of like more than Google's entire infrastructure lol

  • @abstractrussian5562 7 months ago +11

    This is insane, and what is more insane is that to this day there's no containerization of user apps by default on desktop OS's. Think of docker and careful management of permissions between apps and system stuff like FS. Or like on mobile OS's. This would prevent many security issues. MacOS doesn't even support MacOS inside docker.

    • @mvwouden 7 months ago +4

      Flatpak sort of does this on Linux

    • @jnharton 7 months ago +2

      You don't need containerization to achieve a reasonable degree of security.
      Buffer overflows can only compromise memory that the executing program with the "bug" actually has access to write. If that isn't the case, your program would get a segmentation fault and crash.
      So if you just don't give a program more permissions than it needs to do its job, that reduces the risk considerably.
      This is precisely why you almost never login as root (super user) on a Unix/Linux system and you don't run background processes as root unless absolutely necessary.

    • @capability-snob 7 months ago

      MacOS is a bit of a fun case. It does support isolation, but it's not obvious to the user which apps are running with the capability sandbox and which aren't. Add to that, they added some vulnerabilities to the sandbox configuration of some apps (notably, ms office) that can be exploited to achieve complete and persistent system takeover.
      There are operating systems that can provably isolate applications and safely delegate permissions to them; these are known as object-capability systems. SculptOS and Fuchsia are some attempts to explore this area, although there are a lot of mainframe operating systems that already meet this standard.

  • @Rexvideowow 12 days ago

    Fun fact: LLL also stands for the algorithm you need to wrap your head around for a proper implementation of lattice based encryption like NTRUEncrypt.

  • @sylvainforget2174 1 month ago

    Right off the bat, I will say that I don't understand your videos because I only have a first year college computer education as I quit learning there after heart surgery. The thing that I had never considered is that when I download a useful program off the internet I have no idea if it is dangerous because the code has vulnerabilities or is malicious. When I need to do a task (image manipulation for example), I rely on the Google to show me what is available.

  • @pyropoops139 7 months ago +4

    NSA just lost another one of their favourite toys

  • @tofu_golem 7 months ago +1

    Shouldn't operating systems have elements to prevent buffer overflow in general?

    • @FalcoGer 7 months ago +1

      the operating system is responsible for allocating the memory and giving it to the program. what the program does with the memory is up to it. the operating system only intervenes when the program tries to access memory that doesn't belong to it or that the program itself asked the operating system to be protected.

  • @devindehar8911 7 months ago +1

    amazing
    exploit, subject, and video
    nice dude

  • @__hannibaalbarca__ 7 months ago

    I was very interested in virus programs when I was 20 (1996 - 1999), and I used to use this technique to store some executable or call an executable by using HTML and two BMP images.

  • @em7dim9 7 months ago +1

    Interestingly this exploit supposedly affects Linux. Of course it couldn't elevate, but an exploit like this could sure erase your home directory. I guess everyone saying that Linux is malware-proof aren't really thinking of their browser.

  • @cmoon178D8H-K9 7 months ago +26

    that's just another reason why you never trust a webp user...

    • @csharpcoffee 7 months ago +19

      JPG has had worse exploits years ago.
      Webp is a good format, its biggest flaw is being too young for widespread support yet. Give it 10 years and people might look at JPG like they look at AVI and FLV

    • @vylbird8014 7 months ago

      @@csharpcoffee Not any more. Every web browser supports it now, except the legacy IE that is only left in Windows for compatibility reasons. Given that there are only two rendering engines and they both support WebP, you can safely use WebP on websites. Same for AVIF.
      Application support other than browsers is a bit inconsistent, and strangely so at times. Telegram, for example, won't recognise WebP as an image file - even though it uses WebP internally as the format for sticker images.

    • @ChrisD__
      @ChrisD__ 7 months ago

      *Laughs in AVIF*

    • @kuroilight1676
      @kuroilight1676 6 months ago

      It’s already been around a long time, nobody wants it or it would already be widespread, nothing wrong with png/gif and the other dozen other media formats that work just fine

    • @vylbird8014
      @vylbird8014 6 months ago

      @@kuroilight1676 They work just fine, but it's a matter of resource use. PNG's compression is more capable than GIF, and WebP's lossless mode is in turn more capable than PNG. Substantially so - convert a PNG to WebP and it can be reduced to half the size. That means lower hosting cost and faster loading, especially important for people on lower-bandwidth mobile connections. There's no downside any more, now that all web browsers support PNG and AVIF, so there's no longer a reason not to adopt the new formats.

  • @mjmeans7983
    @mjmeans7983 7 months ago +1

    So, maybe find an initial table that unpacks to include one or more copies of the original table within it so that it results in a fractal unpack that can always be further unpacked into ever larger and larger tables.

  • @rursus8354
    @rursus8354 7 months ago

    Such a bug could easily have been stopped from occurring if the library had a simple bounds check. I can see why some people like the idea of Rust automatically enforcing such a bounds check; languages like Ada provided that a long, long time ago, but people aren't coding rationally. Personally I think bounds checks should be a hardware part of the CPU.

    • @williamdrum9899
      @williamdrum9899 7 months ago

      I agree but that would be one slow CPU.

  • @nicwilson89
    @nicwilson89 5 months ago

    Ask some of my friends...I used to use images to non-maliciously prank them years ago and they quickly learned haha. Then they learned it certainly wasn't just images that might contain some sort of payload...y'know, gotta pass time somehow. This is a rather interesting method, even fascinating.

  • @ManInTheAttic57
    @ManInTheAttic57 7 months ago

    Great video - excellent explanation! Thank you!

  • @xXBlueSheepXx
    @xXBlueSheepXx 7 months ago +57

    Thanks for validating my hatred for WEBP format.

    • @LightTheMars
      @LightTheMars 7 months ago +11

      It's a good format. Very efficient encoding (small file size) and high image quality. A programming error in one implementation has nothing to do with that.

    • @pierrotA
      @pierrotA 7 months ago +12

      @@LightTheMars I think the main reason people hate it is because it's annoying to work with.
      By default it will open in a browser, generally speaking you cannot copy/paste it from a webpage, and a lot of software does not even know the format.
      It's efficient and the gain is obvious for big web companies that want to reduce server costs, but for simple mortals like us it's just an additional step to download/upload/modify an image.

    • @thesenamesaretaken
      @thesenamesaretaken 7 months ago +3

      ​@@pierrotA it's annoying because big tech makes some software that doesn't support their own file format conspiracy? At least back in the day it felt like they didn't support .ogg files out of malice

    • @KordaMachala
      @KordaMachala 7 months ago +1

      It's a PNG with a size of JPEG. I think it's annoying to work with, but useful.

    • @konayasai
      @konayasai 7 months ago +1

      @@pierrotA It's not .webp's fault if the user has failed to install software that can handle a file format that's been around since before I suspect that kind of user must have been born.

  • @darnelwashinton1295
    @darnelwashinton1295 7 months ago

    It's hard to find these issues but not hard to make them. The feds invest in teams to find possibilities like this that are hard to detect, then pay them to put their bugs into open source libraries. Easiest way to get backdoors anywhere you want.

  • @azertyQ
    @azertyQ 7 months ago +20

    lmao, huffman encoding is one of the easiest compression algos, an undergrad came up with it

    • @johnc3403
      @johnc3403 7 months ago +13

      ..and that makes you "laugh my ass off"? OK then. And what have you come up with?

    • @oncetwice6366
      @oncetwice6366 7 months ago +18

      @@johnc3403 it's funny because he constantly refers to it as this incredibly complex algorithm. I don't think he's trying to diminish the achievement in any way.

    • @dagomara8380
      @dagomara8380 7 months ago +12

      @@johnc3403 In azertyq's defense, I did also chuckle when he called Huffman Encoding super complex, because it's taught in undergraduate CS programs. After laughing, though, I did realize that most of LLL's audience likely lacks a degree in the field.

    • @81milliontotallylegitimate10
      @81milliontotallylegitimate10 7 months ago

      @@dagomara8380 just like anything else, it's complicated unless you understand it

    • @vylbird8014
      @vylbird8014 7 months ago +1

      Huffman? WebP uses Huffman? Ugh... I thought we'd move on from that. Huffman was fine in its day, but we can do better now.

  • @Kevin-jb2pv
    @Kevin-jb2pv 6 months ago

    Reminds me of when there was that picture going around that if you set it as your phone's background (on Samsungs only, I think) it would brick your phone because it would get stuck in an endless crash - reboot loop.

  • @AlpineTheHusky
    @AlpineTheHusky 7 months ago +4

    Iphones dont get viruses.
    Iphones cant get hacked.
    Iphones are secure.
    Iphones are safe.
    This is sarcasm.

  • @DonVintaggio
    @DonVintaggio 7 months ago

    2:07 thus picture quality loss, like jpeg format (as opposed to GIF lossless compression)

  • @foufou33g
    @foufou33g 7 months ago

    I don't know about mobile platforms, but, IIRC, Firefox didn't need to be updated as it's linked against whatever libwebp exists in the system.
    The web apps (the Slacks and Discords of this world) that embed libwebp are another story.
    One of the perks of dynamic linking, I guess?
    edit:
    Oh well, maybe a Gentoo-only thing? Firefox has a system-webp USE flag, so *in my case*, I didn't need to update Firefox.

    • @erikkonstas
      @erikkonstas 7 months ago

      Except that most of us use Windows and guess what Windows doesn't have 😂

    • @foufou33g
      @foufou33g 7 months ago

      @@erikkonstas ah man, I totally forgot about that 🤣

  • @StayCHilL24
    @StayCHilL24 7 months ago +6

    If I understand correctly Huffman encoding wasn't causing the overflow but an implementation that converted the tree data structure into a table to get some speed benefits. An interesting reminder that speed comes at a risk. Did this error checking add any extra time cost to the algo?

    • @erikkonstas
      @erikkonstas 7 months ago

      Imagine that you want to load a huge image... most likely you can already see how it loads slowly, row by row or column by column. Now imagine they had bounds checking in there as well, and there's a recipe to make you switch back to dial-up...

    • @TheRadiastral
      @TheRadiastral 7 months ago

      Checking the size of a variable and continuing or not, is literally a few CPU clock cycles, so the speed penalty for this would be expressed in nanoseconds. You could confidently say there would be no extra time added by this check, although if you had to check and re-check multiple times, this could become microseconds, but still an absolutely tiny amount of time. I think the developers simply thought it's not necessary and skipped it.

    • @erikkonstas
      @erikkonstas 7 months ago

      @@TheRadiastral Do you know why Tim Berners-Lee regrets including the "//" part of the URI in the HTTP protocol? It's just 2 keypresses, not that hard right...?

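The check the two threads above (the "simple bounds check" one and the "table instead of a tree, did it cost anything" one) are discussing, as an added example that is not the video's code and not libwebp's: a decoder turns a list of Huffman code lengths into a fixed-size lookup table, and the fill loop is only safe if the lengths describe a complete prefix code, because that is what bounds how many table slots get written. The single-level 8-bit table, DEFLATE-style canonical code assignment and MSB-first indexing are simplifications chosen for illustration, not any real decoder's layout, and the three length arrays are constructed inputs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not libwebp code. The table layout and bit order are
 * assumptions made for illustration. */

#define MAX_BITS   8
#define TABLE_SIZE (1u << MAX_BITS)

typedef struct {
    uint8_t symbol;  /* decoded symbol */
    uint8_t len;     /* number of input bits the symbol consumes */
} entry_t;

/* Constructed sample inputs, not taken from any real file. */
static const uint8_t kGoodLengths[4]  = {1, 2, 3, 3};  /* complete prefix code */
static const uint8_t kOverLengths[3]  = {1, 1, 1};     /* over-subscribed: three 1-bit codes */
static const uint8_t kShortLengths[1] = {1};           /* incomplete: half the table unused */

/* Kraft check: each symbol of length L claims 2^(MAX_BITS-L) table slots.
 * The total must be exactly TABLE_SIZE. More means the fill loop below would
 * run off the end of the table; less means undecodable bit patterns.
 * Returns 1 for a complete code, 0 otherwise. */
int code_lengths_valid(const uint8_t *lengths, size_t n)
{
    uint32_t used = 0;
    for (size_t i = 0; i < n; i++) {
        if (lengths[i] == 0) continue;            /* symbol not in the code */
        if (lengths[i] > MAX_BITS) return 0;      /* cannot fit in the table */
        used += 1u << (MAX_BITS - lengths[i]);
        if (used > TABLE_SIZE) return 0;          /* over-subscribed */
    }
    return used == TABLE_SIZE;
}

/* Canonical code assignment (DEFLATE style), then table fill.
 * Returns 0 on success, -1 if the lengths are rejected. */
int build_table(const uint8_t *lengths, size_t n, entry_t table[TABLE_SIZE])
{
    if (n > 256 || !code_lengths_valid(lengths, n)) return -1;

    uint32_t bl_count[MAX_BITS + 1]  = {0};
    uint32_t next_code[MAX_BITS + 1] = {0};
    for (size_t i = 0; i < n; i++) bl_count[lengths[i]]++;
    bl_count[0] = 0;

    uint32_t code = 0;
    for (int bits = 1; bits <= MAX_BITS; bits++) {
        code = (code + bl_count[bits - 1]) << 1;
        next_code[bits] = code;                   /* first code of this length */
    }

    for (size_t sym = 0; sym < n; sym++) {
        uint8_t len = lengths[sym];
        if (len == 0) continue;
        uint32_t c     = next_code[len]++;
        uint32_t first = c << (MAX_BITS - len);   /* first table index with this prefix */
        uint32_t count = 1u << (MAX_BITS - len);  /* how many indices share it */
        if (first + count > TABLE_SIZE) return -1; /* unreachable after the Kraft check */
        for (uint32_t k = 0; k < count; k++) {
            table[first + k].symbol = (uint8_t)sym;
            table[first + k].len    = len;
        }
    }
    return 0;
}

/* Decode one symbol from the next 8 input bits (MSB first).
 * Returns the symbol, or -1 if the code lengths were rejected. */
int decode_symbol(const uint8_t *lengths, size_t n, uint8_t next8)
{
    entry_t table[TABLE_SIZE];
    memset(table, 0, sizeof table);
    if (build_table(lengths, n, table) != 0) return -1;
    return table[next8].symbol;
}

int main(void)
{
    printf("good=%d over=%d short=%d\n",
           code_lengths_valid(kGoodLengths, 4),
           code_lengths_valid(kOverLengths, 3),
           code_lengths_valid(kShortLengths, 1));
    printf("bits 11100000 -> symbol %d\n", decode_symbol(kGoodLengths, 4, 0xE0));
    return 0;
}
```

On the cost question: the validity pass is one loop over the symbol count, while the fill loop already touches every table slot, so the check is a small fraction of the work the table build does anyway.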
  • @freebyte
    @freebyte 7 months ago +3

    man some people are so smart

  • @wesleybilly8097
    @wesleybilly8097 7 months ago

    You are interesting. I am here to hang out. I understand a fraction of what you are saying but its very interesting the way you tell the story of how stuff happened and how crazy it was that even happened. This is good youtube content.

  • @HaydonRyan
    @HaydonRyan 7 months ago

    These image conversion libraries feel like a great smallish project to begin re-writing (and optimizing) code that is very commonly used into a safe language.

  • @januzi2
    @januzi2 7 months ago

    As for the images that could be used to hack somebody's pc, jpg lib in Windows had a bug like that. If I remember correctly, the lib was created for Windows 3.11 and got patched in Vista (or maybe 7?).

  • @maximusdarja
    @maximusdarja 7 months ago

    Back in the AOL days, we would boot people from chat rooms by sending them an empty jpeg file. You could boot everyone by making your user icon an empty jpeg file. It would cause the renderer to crash the chat program.

  • @Randomynous01
    @Randomynous01 6 months ago +1

    There was a stupid movie where they hacked a terrorist on a plane by sending him an image

  • @memes_gbc674
    @memes_gbc674 7 months ago +1

    it's crazy how google has been pushing webp so hard yet doesn't support the format in their apps (docs, slides, etc)

  • @DeathSugar
    @DeathSugar 7 months ago

    I love how NSO exploited legacy scan compression to create a virtual processor and then evaluate whatever code you do and eventually escape its prison and eventually take over the device. AND it's zero interaction from the user at all.

  • @frognik79
    @frognik79 7 months ago

    Yes I did know about this.
    I mean it's the whole reason you could jailbreak the PSP using a TIFF buffer overflow and downgrade or put custom firmware on it back in 2005 or so.

  • @BirdsPawsandClaws
    @BirdsPawsandClaws 7 months ago

    Very informative! Thanks for the video details!

  • @愛
    @愛 7 months ago +2

    i would like to know if rust would have prevented this bug

  • @duck-in-space-engineers
    @duck-in-space-engineers 7 months ago +6

    Pronounced Matryoshka dolls (/ˌmætriˈɒʃkə/ MAT-ree-OSH-kə; Russian: матрёшка, IPA: [mɐˈtrʲɵʂkə]

  • @piyh3962
    @piyh3962 7 months ago +5

    I'm going through your pico videos now to learn C for the first time, thnx 4 the content bby.

  • @nomore6167
    @nomore6167 7 months ago

    More proof that open source does not automatically mean secure, despite the nearly countless people who propagate that myth (and no, I'm not saying that closed source is any better). It's insane to me that there is no bounds checking/validation on a function which is working with user-supplied data.

  • @KvapuJanjalia
    @KvapuJanjalia 7 months ago +12

    "Maristroka" dolls? Bruh.

    • @DaveBucklin
      @DaveBucklin 7 months ago

      Matroshka was how I learned it.

    • @williamdrum9899
      @williamdrum9899 7 months ago +2

      At least he didn't call it "Perestroika" 😂😂😂

    • @mikedegeofroy
      @mikedegeofroy 6 months ago

      was looking for this comment

  • @Slarti
    @Slarti 7 months ago

    07:54 how can a 1 pixel by 1 pixel image have more than one pixel in it?

    • @RawbLV
      @RawbLV 6 months ago

      It didn't

  • @TheGameIsOverCy
    @TheGameIsOverCy 7 months ago

    Amazing video ! I learned so many things... Thanks!

  • @drtechno-v3e
    @drtechno-v3e 2 months ago

    I don't know if they ever got rid of those 0-day injection bugs with pictures. GIFs and JPEGs in browsers have had them for a long time; if not patched, code injection through pictures is still something that needs addressing.

  • @Bunny99s
    @Bunny99s 7 months ago

    The moral of the story: Write your own image library :D
    I actually wrote some code to parse PNG files without actually extracting the image data but just the chunks. I also wrote my own GIF and BMP loaders. You learn a lot about the formats and can be sure that any bug that may be in there belongs to yourself.

    • @erikkonstas
      @erikkonstas 7 months ago

      That's how you take years off your life... oh and you're not likely to make the code as bug-free OR efficient as the major libraries out there, instead you'd most likely end up with MORE bugs, MORE space and LESS speed!

  • @saumyacow4435
    @saumyacow4435 7 months ago

    Why is run time bounds checking not mandated everywhere? We've had Java for how long?

    • @RawbLV
      @RawbLV 6 months ago

      Performance

  • @nightfox6738
    @nightfox6738 7 months ago

    I'm not sure how I feel about calling the XZ issue a bug. Bugs are generally unintended/unexpected functionality in the code. A buffer overflow exploit found in code that was not intentionally put there can be considered both a bug and (once found and used by potentially malicious parties) an exploit. The XZ backdoor (while not intended by the community) was intentionally injected into the project with full knowledge and intent of its purpose by the contributor. The functionality was fully intended by the one who created it. I may be getting caught up on semantics here but I personally feel like calling that a bug is like someone intentionally and willfully harming someone else and calling it an "accident" even though it was entirely on purpose.

  • @herpederpe4320
    @herpederpe4320 7 months ago

    Huffman coding is one of the simplest (and also provably optimal) universal compression encodings though

  • @rm_steele
    @rm_steele 7 months ago

    i was hearing about the 2017 LNK shortcut rendering RCE exploit recently, how similarly does that one work to this?

  • @mistikalcanavarlarparlamen3265
    @mistikalcanavarlarparlamen3265 7 months ago +1

    Hello, do you know anything about Tlauncher being spyware? I heard so many rumours but there never was concrete evidence. It has been reportedly and allegedly found out that Tlauncher incorporates an altered version of Java and that's why it was able to remain undetected throughout years on end, an explanation which I find palpable yet dubious. I would love to hear an expert's opinion, like yours, on this matter!!!

    • @pootispiker2866
      @pootispiker2866 5 months ago

      TLauncher is probably spyware, yes. Do not use it, there are better version managers.

  • @Sonny_McMacsson
    @Sonny_McMacsson 7 months ago

    Why wouldn't you start with final data larger than the buffer then encode that until it fits (you know, the other way around)?

  • @markustieger
    @markustieger 7 months ago

    How about just adding -fstack-protector-strong to the compile options for gcc? Would it then still be vulnerable?

  • @wal-3732
    @wal-3732 7 months ago

    This video reminds me of Richard describing about middle out to the judges in silicon valley. Pure classic.

  • @nomore6167
    @nomore6167 7 months ago

    Regarding the question, "how did we get here?", the answer is easy -- people don't like to validate data. They assume they will always be handed valid data which will conform to their implementation.

  • @Portablesounds
    @Portablesounds 7 months ago

    Honestly, I think relying on fuzzing for detecting this is overkill. Wouldn't most static analysis tools catch something as simple as unbounded array access? Is it not standard for most open source projects to run some semblance of static analysis checks regularly? I run them at work and it catches all sorts of bugs all the time.

  • @Nasa-cosmonaut
    @Nasa-cosmonaut 7 months ago

    Most of the terms you use are Greek to me, but I watched every second like "yup, that tracks". You've intrigued me into this and learning. Any good places to start? Brilliant?

  • @mikegofton1
    @mikegofton1 7 months ago

    Thanks, it's amazing how ingenious some exploits are.
    I'd be interested to know if you think IoT devices are a significant risk to home networks - many of those devices don't get any attention after initial installation and have control servers located in foreign countries. Even if the vulnerability is unintended it may last for years before the device is updated or replaced

  • @signbear999
    @signbear999 7 months ago

    3:32 Matryoshka dolls + Perestroika = Marastroika dolls

  • @BritishBeachcomber
    @BritishBeachcomber 7 months ago

    Huffman coding was invented in 1952. I implemented a version of it in 1980 in a commercial product.

  • @mojojojo6525
    @mojojojo6525 7 months ago +1

    Well, I can't stop thinking of you

  • @ariseyhun2085
    @ariseyhun2085 7 months ago +1

    You mentioned a few times that a double free leads to remote code execution, but how? You really don't explain it, it's so vague how a simple buffer overflow leads to RCE

    • @juleslondon3088
      @juleslondon3088 7 months ago

      Yeah, this wasn’t at all clear to me either, though I’m no expert in such exploits. It would be interesting to know how the rather unlikely buffer overflow can actually lead to a meaningful exploit.