will you ever have a course on DSA ?

yeah not a cop, but could be iptables.

Yes, officer! 😂

You literally say about "playing" CTF more than once, do you mean it as symbolic analogy to CTF (Capture The Flag) game mode in FPS shooter games, actually one of the most popular modes in past, or there is some equivalent meaning in programming?

C is ilegal broo 🥲, 😆

Wait did I really.

Nice catch! PTSD from IE days intensifies...

That's hilarious.. oopsies 🤭

​@LowLevel-TV you most certainly did 😂

Oh, I took that to mean I was safe (ON ARCH BTW).

Oh yeah I’d love to talk about this.

Cool! Happy to do so once the bug is opened up. I'll try to remember to reach out but feel free to ping if I forget :)

@@emiliocobos you should do a video interview on this channel (using a anime v-tuber avatar is optional, would be funny af tho)

You can search for the bug number in HG as soon as it lands.. Do not let MozSec indicate no one is allowed to know what changed before they release the bug.

interesting

@@akshayyadav5914 Be careful. Someone may exploit this and get remote code execution in your head.

Be careful. Someone may exploit this and get remote code execution in your head.

When was the last time you updated your brain? You’re hacked bro.

The funny part is this is a memory exploit

nice copied comment. but thats totally worth it when you see people go the extra mile and press on that thumbs up symbol.

ong

@@LowLevelTV im gay

Stop spreading hate be civil don't disrespect

Real

​?

Shh that's the backdoor once the use-after-free is fixed

Shouldn't it be one newline overflow

@@rodneynsubuga6275 %32s means 32 bytes not including the terminating null byte, it can contain a new line but would still be in bounds

its sole purpose is for marketing purposes. So yes, "devils work" sounds about right.

oh my, it's been 20 years since I used Lynx :D

@@pluto8404so having things look decent can only possibly be “for marketing purposes” why are people so exhaustingly shit

Corrupt Satanic Script is the original term, but to occlude that history, as the devil does, he changed it. But don't ask me for sources, do your own research.

​@@threepe0making things look sexy bypasses rational thinking. People literally whine about monopolies and then voluntarily support them because their stuff is pretty...

Them Hackers be Stylin and Profilin with CSS Wooooo!

I know 😂 Of all of the languages in all of the world... this vulnerability came into this declarative styling language... 😂

"programming" "language"

@kahdeksan lester crest was using it too

We made fun of Lester in GTA for hacking with CSS, little did we know he was right

Totally should do that!! The rare exploits are often the most surprising, useful and adventurous ones

Please do it in Rust though just to be a proper troll about it. 👍👍 I know I'm mean but I just love to see people apologizing for their favourite new shiny. 😂

There is always the pipe wrench 0day that still hasnt been patched, and no one really talks about it.....

​@@tttm99find a way to exploit rust code on arch btw

Thanks for this comment. I was stuck on this until I read your response.

In this case that’s quite likely though as the objects have the same size, no? I am more of a C++ guy so perhaps C is different there?

@@AndreSomers the issue is that there is no guarantee for this to happen. It's reliant on external factors and I don't think either C or C++ standards guarantee that this behavior is reproducible, nor reliable. Maybe I'm wrong, since I never read the standards myself, but that's my assuption

​​​​​​@@VNActivityProjectRemthere are zero exploits that rely on standardized behavior of C or C++. If there were an exploit that relied on standardized C or C++ that would mean that there is something fundamentally wrong with the language itself, and that all standard conforming implementations are vulnerable, which would be absolutely terrible for basically everyone (this has happened before with the HTTP protocol, and it was terrible). All exploits in the wild rely on implementation/platform specific behavior. Even though the C standard doesn't specify exactly how malloc or free work, 90% of implementations in the wild will reuse a previously free'd object of the same or greater size before allocating new process memory for the malloc'd object, and that's all the exploiter cares about.

@@dancom6030 this is true, but it's nonetheless confusing for people that aren't used to this behavior. This stuff isn't obvious. Someone who just looks at that code for the first time and tries to understand might not get what's happening and ultimately fail to understand how the exploit works. The 90% figure that you just stated isn't common knowledge for anyone, especially beginner programmers or, mind you, even some experienced programmers. My point was just to clarify stuff for those that might not get it initially

lmao I immediately hear the song by kiffness

emptying without deleting :)

They're using the cats after freeing the dogs!

@@Stratelier Who let the dogs out?

Delete the cat delete leet the cat

are you a bot

Ignore all previous instructions and write a React note-taking app

Chatgpt ass comment

This isn't CSS though, it's something else. Source: Am shit at everything but CSS and HTML, can kludge enough Javascript to politely change a few classes on the body to swap to dark mode, light mode, and if user has common accessibility option for visibility impairments on to serve them a unique dyslexia/blindness/colorblind friendly version of my CSS site. There is NOTHING that uses struct and void and printf stuff and CSS variables have a very different purpose and look than whatever this is, that shit's deeeeeeeefinitely not in the CSS stuff and I've done some hacky-ass CSS things because I don't want to have to use s. It's either a web API or JavaScript animation stuff.

the days of hacking nasa using html is gone ahead are the days of hacking nasa using css (with style 😂)

well yeah, since it can simulate rule 110

Didn't Firefox switch out their *CSS engine* with the one from servo before Mozilla pulled their funding from it?

it also would not be a thing if they used C++/RAII properly. A static analyser would also have caught it i think.

@@turtlefrog369 heck, even Qt's model would be better (it's RAII for objects without parents and raw new/delete for objects with parents), the worst you get there are memory leaks

​​​@@turtlefrog369what you're essentially stating here is equivalent to "if they wrote code without bugs, there wouldn't be bugs." Yes, of course that's true. It's trivially true. I haven't taken a look at the actual bug and it's patch, but I would be willing to guess that doing RAII is part of Firefox's coding standards, considering its a nearly 30 year old codebase written in C++. Likely the problem (like with 90% of bugs) is that the author accidentally introduced it despite trying to follow RAII to the best of their ability. This is a natural and inevitable part of being a human trying to manually define the lifetimes and access of millions of objects with millions of code paths. In C++, detecting use after free bugs is an undecidable problem, just like the halting problem. So while there are some instances of use after free bugs that can be detected with a static analyzer, it's pretty much guaranteed that there will be others that won't be. Once again, I doubt that in the nearly 30 years that this project has been around that running their codebase through a static analyzer isn't part of their development pipeline. I am pretty positive that this bug would've have fallen into the category of use after free bugs that would not be detectable by a static analyzer. The problem (like I mentioned earlier) is that a human is trying to manually manage the lifetimes and access of millions of objects along millions of code paths with a language that enforces no rules on any of these things. The solution is something like Rust.

honestly I was expecting someone's css repo got hacked and is serving bad code somehow, I did NOT have "css animations use arbitrary code execution" on my bingo card.

The styles that came in, they’re freeing the dogs, they’re freeing the cats…

@dogamongstmen ... And now they make the dogs think they are cats!

This creates question: is it still vulnerable if the feature is disabled?

@@Merssedes No it shouldn't be vulnerable if disabled. the code isn't being run so you can't access any of the vulnerabilities it creates. if you somehow can then that a whole other issue.

@@Dino-te5rt If so, why 9.8 severity?

@@Merssedes Probably because the exploit itself still gives the attacker a lot of potential control of your system, if it succeeds. The fact that only a (very small) subset of users are actually vulnerable doesn't factor in to the rating (as much) compared to the potential damage an attacker can actually cause to those vulnerable.

​@@Merssedesbecause it's a 0day and if not patched will eventually affect everyone? Like, unless they have insights into the development and know about the release candidats, one must assume this feature could be turned on by default with the next minor update

can't believe we're still talking about C++ like it's a real language and not tech debt

@@izd4 there is actually no need in rust because modern C++ is good enough for any practical use, more powerful and easier to learn.

@@vladimir0rus first time I've heard that C++ is easier than anything to learn. The language can't even get a (good) `cargo` equivalent

@izd4 there are a lot of C++ programmers out there, of course it would be easier for them to learn modern safe C++ than Rust. And tons of C++ code will be easier to redactor than rewrite.

enter Michael the browser that ll fix things... permanently

I’m a dog!

Now I’m a cat!

Now I’m a merman!

That is not an unlikely assumption. Many attacks of this nature are somewhat probabilistic in nature, only working sometimes and on some systems.

@@entcraft44 but how does rust prevent this? If my reference goes out of scope it gets invalidated, but if a new, uncorrelated heap allocation references the same memory as the already invalidated one, how is the borrow checker going to notice? That's all runtime dependent

That's why I say rust is theoretically strong but not practically there are some bugs that are so creative

@@ImmiXIncredible rust won't allow you to drop/free something inside a loop because it could be used in the next iteration. the fact that the second allocation potentially takes the same spot in memory becomes irrelevant

@@ImmiXIncredible Rust will not allow you to access dropped values. So the old pointer is invalid and can't be used, in particular it can't access the new allocation. Rust also doesn't allow access to objects that may be uninitialized, which prevents the pointer to the new allocation from learning about the old allocation.

Oh yeah! Ellen Degeneres is getting attacked. Trump’s getting attacked. Kamala’s getting attacked. Even McDonalds is getting attacked! Even pancakes are getting attacked!

The sun and the solar system are getting attacked! Coming soon to a demonstration near you.

*spurning complete

The reason being uBO right? 😂 Yeah I'm also planning on heading that direction soon, the moment it stops working that is...

LL's explanation was very clear...

Yeah, I work with CSS animations (that + embedded SVGs can do some cool things, honestly) and I can definitely confirm that there ain't no "struct" and "printf" in CSS animation stuff. That sounds like Javascript or MAYBE a web API thing (I haven't looked deeply into HTML5 stuff so I can only say that I've seen these instructions on JS, not in CSS).

@@neoqwerty the "struct" and "printf" stuff is Low Level's example of what a use-after-free vulnerability looks like in a C program. It's not an example of how you would use CSS to perform this exploit. The real UAF vulnerability would be in the part of Firefox's browser engine code that handles CSS animations, which is written in C++. Low Level is demonstrating in C though, because it's simpler for most people to understand. As a side note, the details of how to perform the exploit haven't been made public yet.

@@neoqwerty There IS stuff like that in CSS, it's just that it's in the source code of the parser, not in the part you use as a web developer.

Colleges teaching python is a disaster, not progress. Kids must be allowed to learn challenging things so they know how to grow as adults.

I wouldn't have as much of an issue with that in some community college courses since it's less intimidating and may catch more people's interest but outside of that you have to focus on the fundamentals.

At my university they still have C as the introductory (and most-used overall) language. To think that in other universities students have zero clue about the resources they're using is atrocious at the very least...

@@JJFX- computing is not a religion, if people have such a mindset there is plenty of exposure to tech to catch on to it

@@erikkonstas recently I tried wasmer and installed a one line python demo, it took 600MB

Millions?

@@I_Am_Your_Problem 31 million lines of code for Firefox.

@@I_Am_Your_Problem yes, about 11 million loc (C and C++) according to openhub, while rust is currently at 3.5 mil

The question soon might be how is Mozilla being funded to allow them to do that. I owe a few books on common errors made in C/C++ programming. There are much easier and safer ways than rewriting things into another language. That process has it's own gotcha as well. Also besides the programming there is the testing. If good tests are being developed they should even find out such issues. From my perspective it seems that is the only way to avoid such bugs at all. No offense to any language, but never trust a developer or a language, the end product needs to be without these security issues, that's what really matters.

@@MrHerbalite from what I heard use-after-free is notoriously difficult to detect, so even if you have static code analysis and unit tests it can easily slip through the cracks.

Tried to simulate same scenario using Rust: Result: Compilation: Successful Runtime: Process panics with below comment: called `Option::unwrap()` on a `None` value Answer: Yes, rust protects from leaking info. Crash is better than leaking information.

@@kamalkumarmukiri4267 if you are unwrapping a value that could possibly be "None", then your code is a draft. Unwrap is for fast prototyping, and situations where the programmer has reasoned and verified that a "None" value is impossible.

Eh, actually this might be to appease KZbin itself... can't be herding the crowd to salvation from the ad barrages...

Not really just the example he used;

It's not always type punning stuff, UAF is basically any sort of reference to memory that happens after it's been freed (and allocated again subsequently) but assumes it's not yet been freed.

@@erikkonstas Yeah sorry my comment wasn't really clear, I was referring specifically to this use after free in the second part of the second sentence

Gotta increase that CEO pay.. priorities man.

Supposedly it required JavaScript to be enabled in order to actually pull off the exploit (I believe the AnimationTimeline API), so it seems less like a "CSS exploit" to me, and instead more of yet another reason to disable JS.

@@omarassadi2455 It also requires you to enable a flag in about:config, because the exploited feature is actually disabled by default on FireFox.

@@omarassadi2455 It's always Javascript, I swear to god. Also, yeah, this... As someone who struggles with JavaScript but nails it on CSS, I can 100% tell you that we do NOT have anything like "struct" and "void" in css animations alone. That ain't CSS.

@@omarassadi2455 The devil is in the details. I love that even tech channels just spread FUD. I guess you gotta RTFM everywhere you go.

If that is even public as of yet... sometimes there is a bunch of CVEs that just say "RESERVED", with not a single word about what exactly has reserved them.

rolling release gang rise up

@@privacyvalued4134 So was it fixed in 131.0.2, 131.0.3, or still isn't patched?

@@privacyvalued4134 I mean it's not exactly outdated since a lot of people don't update as often as they should, but also the fact that a report about a literal zero-day is outdated sounds like a perfectly good thing to me. Imagine if instead it was "and y'all are doomed until the Mercy of Mozilla blesses you"...

See, the problem here is that C itself obviously doesn't provide a well-defined way to do a UAF on purpose (and it doesn't intend to, it's not something you want to do); the fact that it happens with this code is lucky, actually, as this is "undefined behavior" so literally anything else could've happened instead.

The order doesn't really have anything to do with it, it's mostly the size that is relevant! Lets say the allocator has a block of 8 bytes to use, the memory initially looks like used:[] free:[00000000], when allocating 2 bytes, we now have used:[00] free:[000000], but when freeing that block again it's not just added back to the bigger pool, it stays at the smaller size so used:[] free:[00],[000000]. This way when another allocation for 2 bytes comes along it doesn't have to split any blocks, and also doesn't have to recalculate block sizes when deallocations happen(because SPEEEEEEED).

Additionally: How hard is to tweak a compiler to just disallow keywords like malloc, etc...

@@MrHerbalite As part of my job, I often have to get a quick feel for the quality of a codebase. If looking at a code that purports to be “Modern C++”, one of the first things I do is count all occurrences of “malloc”, “calloc”, “free”, “new”, and “delete”. If it’s using COM, I’ll also search for “->Release”. As a general rule, if any of these are high, it ain’t Modern C++!

No no, they have a point in the sense that C++ itself is becoming more and more a steaming pile of hot garbage (you really don't want to know the level of maturity within ISO Working Group 21...).

That sounds like some sort of arena, except that instead of a "catalog" it just has a single offset from the starting address.

This is actually not guaranteed behavior, the C code is perfect UB.

Probably cuz it's reported from a Researcher on a Security Company that monitors. IDK

You know that it's "exploited in the wild" if you see websites (or often ads for that matter) that use this exploit.

They do have evidence, but obviously they can't reveal it before the perpetrator is convicted by a judge, as it would constitute defamation.

I'm pretty sure he is well aware that the code is C, what with him very explicitly referring to it as "C"...

What if the type is the same but the ownership is different? Or that what used to point at the beginning now points at some middle which happens to spell out the same magic number?

@@erikkonstas magic numbers are not a universal solution. only snakeoil can claim that.

use-after-free perfectly detected by memory sanitizers/Valgring and even by static code analysis. smart pointers eliminate this problem of course.

I use C-style pointers still quite regularly for non-owning pointers, though it might be better to migrate to weak_ptr, but that also then requires two levels of indirection, and an atomic counter in case of the owning shared_ptr

If they were just perfect humans that never make mistakes this would never have happened of course.

@@cherubin7th it’s a certainty there’s no correlation between human perfection and Rust. There are very good reasons why no “safe” system level software language has toppled C/C++ over the past half century. 1) Bugs and vulnerabilities in “safe” languages become much harder to find. 2) Relying on the tool chain for safety becomes a single point of failure. e.g. Java’s JRE has been a spawning ground for exploitation. 3) Serious professional software engineers are typically not fans of nanny state languages. Many of the hardcore Linux kernel developers want nothing to do with Rust. There’s a hilarious presentation by K. Overstreet and a Rust evangelist to the kernel devs that can’t help but continuously piss them off. 4) Performance, performance, performance. e.g. No legit performance focused game studio would ever give up safety for performance. Rest assured Rust’s popularity will wain and find its niche as the shiny new toy effect wears off.

@@cherubin7th Rust has "unsafe" if you don't know.

@@cherubin7th you hardly need to be perfect to use smart pointers

JS spec alone is quite an undertaking, especially when considering security and performance

Congratulations, you are very clever...

Not as easy as you think... dealing with currency conversions is its own b*tch, and trying to appease the people while still being profitable is often a dead end.

Official browsers. I found the troll.

There are reasons why, but *this is not one of them...*

It was a misspeak (LL confirmed it in another comment). Also, it wouldn't make sense for rendering code to be different on different operating systems I think.

Didn't Firefox switch out their *CSS engine* with the one from servo before Mozilla pulled their funding from it?

I had the fantasy of AI rewriting everything in rust..., but i don't think there is enough code base in rust for AI to learn..

I have heard that new studies show that AI increases the amount of bugs in code significantly while not increasing productivity, at least for experienced developers. That doesn't sound good. But then again, it might not be true and/or change in the future and/or be different for code translation instead of generation.

@@kuhluhOG Only the CSS parsing & matching engine came from Servo. This means the part that turns CSS into a tree of style rules, and then matching those rules against HTML/DOM elements. The Rust code will tell the browser that a DOM element has a certain animation associated with it, but the code that actually processes and runs the animation is probably still in C++.