So basically scream AAAAAAAAAAAAAA\ at sudo and it makes you a sandwich.
@INeedAttentionEXE (3 years ago)
Make me a sandwich AAAAAAAAAAAAAAAAAAA\
@zyansheep (3 years ago)
@@INeedAttentionEXE make it yourself
@Saghetti (3 years ago)
And it makes you a core dump*
@tamilxctf4075 (3 years ago)
YOU'RE here ;-;
@robinhouben4244 (3 years ago)
@@INeedAttentionEXE you forgot the sudoedit
@LaZZeYT (3 years ago)
Friendship ended with sudo! Now doas is my best friend.
@JuliusAlphonso (3 years ago)
😂😂😂
@archie9500 (3 years ago)
Doas is the better one anyway, sudo is full of redundant features that a regular user won't use anyway. You could warrant its use in some server / production environment, with many people having different privileges.
@Synthels (3 years ago)
sudo is pure bloat
@tacokoneko (3 years ago)
I fully switched to doas because of this vulnerability. I use Duncaen's port OpenDoas entirely because he sounds smart and won a flamewar with a different port dev
@anujtomar4234 (3 years ago)
Better you review the "doas" code before drawing a conclusion, who knows what's hidden there. 🤔
@SimoneAonzo1988 (3 years ago)
Man, there's a lot of work behind your *free* videos, thanks so much for sharing!
@YoIntangible (3 years ago)
Does he have paid videos
@LiveOverflow (3 years ago)
No, I don’t have any paid courses right now
@YoIntangible (3 years ago)
@@LiveOverflow cool I didn't think you read comments on old videos
@marcoschincaglia (3 years ago)
glad to see there was one more video you wanted to make
@lllSavitarlll (3 years ago)
sounds like many from what he said at the end :)
@PiotrekR-aka-Szpadel (3 years ago)
This is the kind of content that originally brought my attention to your channel, great job
@arivanhouten6343 (3 years ago)
Finally another masterpiece!
@Scaramouche122 (3 years ago)
Van houten?
@simeondermaats (3 years ago)
@@Scaramouche122 it's a Dutch surname
@arivanhouten6343 (3 years ago)
@@simeondermaats yeah but I'm still German and this is not my real name (apart from Ari which is apparently my 2nd name)
@julian_handpan (3 years ago)
AMEN!
@imamagedude (3 years ago)
Thanks for making this. Code analysis for exploits can seem super impenetrable especially for these old Unix utilities that feel like a fact of life. It's great to have stuff like this showing how you could find an exploit like this on your own. Especially I feel like it's pretty common to get to the point of crashing something and think "OK cool I crashed it, but now what do I do? How do I actually exploit this?", and the segment with GDB really helps with that.
@jwenting (3 years ago)
I've done it, though not on Linux code (was part of a bug analysis for a program I was maintaining). Found a potential massive security hole by accident going through the code looking for something completely different. Luckily that piece of code had not yet been rolled out to any production server, and the patch was small and easy to deploy to the test servers it was already running on. Sometimes that's all it takes to find an exploit, sheer luck.
@TheGrimravager (3 years ago)
ahh yes I remember this one. I was on the toilet reading my google feed, coming across an article mentioning it. Afterwards I'd hit sudo apt update and there was an update ready for the sudo program already. I had only updated about 3-4 hours ago, so I was amazed the patch followed me reading the article so quickly :D
@egoworks5611 (3 years ago)
HAHAHAHAHHAHA that also happened to me, bro... I was reading the google now feed and suddenly the sudo post popped out. Hilarious.
@jwenting (3 years ago)
quite likely they didn't publish the exploit before they had already pushed the code for the patch to the master repository.
@stoinks224 (2 years ago)
@@jwenting That's standard practice as they have time before the exploit is released by the security researcher as well as info of the exploit.
@CarmelleCodes (2 years ago)
This video is amazing, I'm mind-blown both by the exploit and your clear, concise explanation
@hamdyahmed5742 (3 years ago)
Your channel is really a treasure ☺️ Thanks for sharing these videos
@jacoblobo95 (3 years ago)
Kind of got guilt tripped into watching this video but I am SO GLAD I did. There's so much content on CTFs and basic content and I think it's a struggle going from guaranteed exploitable challenges to real world, humongous code bases looking for bugs that could or could not be there. The idea of taking a CVE and trying to go from step 0 to 0 day is perfect, genius even. I can't wait for your new videos and will definitely be looking for a CVE to research myself. You've definitely outdone yourself this time! Thanks so much!!!
@EvilSapphireR (2 years ago)
You made any progress?
@miroslavmajer5155 (3 years ago)
Man, I salute your wisdom, but also your patience to explain it in a very easy-to-understand way. Once I read the motto "be the senior you needed when you were junior". And you, sir, you are just like that!
@GeofreySanders (3 years ago)
I'm happy to hear you haven't run out of ideas anymore.
@pavel9652 (3 years ago)
I suspected this kind of deep-dive takes ages to produce. The two weeks of research on the KNOWN bug, I am not even surprised! ;) I don't even want to know how many decades it would take for me to discover the vulnerability in the first place! ;) Thanks for the great video! 11/10 - will watch it again! (note the integer overflow) ;)
@matthewlandry1352 (3 years ago)
I think he is getting his mojo back. He looks happy and motivated. 🧐
@filda2005 (3 years ago)
still out of focus - lens
@willemme758 (3 years ago)
I really like this type of video, I appreciate the effort you put in to research and explain this. Can't wait for the rest of this series
@pascha4527 (3 years ago)
I love how there are people that learned their subject so much that they get that good. I guess I'm easily impressed. Thank you for sharing that with us!
@ThisIsTheInternet (3 years ago)
This is a genius series idea - I have wanted to see something like this for a long time. The high level stuff is great, but a more in depth version would be good - one where you actually work through the steps, how you're figuring out getting past the various challenges. That might be more work, so maybe a patreon feature? If you want to take it further, maybe try going after allocated but undisclosed CVEs that have been patched. Covering how to attack unknown exploits via source diffing (or binary diffing) would be amazing.
@JoshuaWolfe (3 years ago)
Great walkthrough and analysis!! I really appreciate the care you took in explaining this from discovery and going slowly into the analysis for an infosec noob like myself 👍
@TheCramik (3 years ago)
A buffer overflow in your buffer overflow fuzzer, nice one
@ngzhexuan2 (3 years ago)
Thanks for the detailed explanation!! I first stumbled across this CVE on a Twitter tweet and always wondered how it works
@CraneArmy (3 years ago)
totally unrelated, but I've smashed my head against the wall trying to do setup for a process that would run as its own user and spent hours not getting it to run right only to break down and do it with su. This vid answered so many questions for me that I didn't show up trying to answer.
@ThingEngineer (3 years ago)
Really great video as usual, and I’m glad you found your new path going forward!
@BRORIGIN (3 years ago)
I can't believe this is free content. Incredibly comprehensive and easy to understand video!
@akarshitbatra1754 (3 years ago)
Easy? I didn't understand anything from this video
@p20ph37 (3 years ago)
Thanks. I appreciate your videos, sir. I also look forward to the upcoming series.
@wgm-en2gx (3 years ago)
This was very informative. Consider doing a video like this in a way that it could be presented to a non-C/C++ developer. I'd love to present this video to my coworkers. While I understand C/C++, our development is Java and .NET and I would need to explain ASLR and heaps and the other hard core tech stuff. However, I think they would benefit from knowing the lengths to which hackers can go to exploit something like this and that tools like AFL can be used for good or evil.
@taragnor (3 years ago)
It's hard to explain it because Java doesn't use pointers, so for the most part if you're using Java, buffer overflows won't happen, at least unless there's a bug in the virtual machine code you're running on. Java won't let you read/write past the bounds of a string in your actual code, so bugs like this really can't happen there. Really this stuff is mostly a C/C++ thing, because those languages have very unsafe string implementations.
@chrisjames278 (3 years ago)
Awesome explanation as always. Looking forward to the series!
@felchore (3 years ago)
Awesome video, as usual I love your way of navigating through the discovery of this stuff :)
@mariuskimmina (3 years ago)
Love the idea of this series!
@josepheverhart329 (3 years ago)
You're awesome! Very detailed while comprehensible! Kudos!!
@JoPraveen (3 years ago)
Been waiting for this for so long, boss😍🔥
@monishkumar9650 (3 years ago)
👍
@AbhishekBM (3 years ago)
Ah, exactly
@Bryzey7 (3 years ago)
Damn! Really cool mate👍 Look forward to the series.
@gFamWeb (3 years ago)
This is so interesting! It really doesn't look that complicated tbh.
Step 1: find a vulnerable function for buffer overflow
Step 2: find a way to access that function in a vulnerable state
Step 3: find a place to overwrite that could cause arbitrary code execution
Fascinating!
@EvilSapphireR (2 years ago)
lmao not complicated. Imagine discovering this and then actually making a valid exploit for it.
@TechnicalHeavenSM (3 years ago)
You always make legendary videos with legendary explanations...
@aromeran (3 years ago)
Nice to see you with new ideas!
@timus545 (3 years ago)
Love your videos, great work. Thanks a lot for creating these videos
@lightblue254 (2 years ago)
2:25 this genius acting caught me so off guard and was so hilarious for some reason :) I love it
@alicangul2603 (3 years ago)
Imagine the vulnerabilities in the Kernel and utilities the NSA knows right now.
@bjarnestronstrup9122 (3 years ago)
What's the point of kernel vulnerabilities when your whole CPU is a backdoor for the NSA XD. Meltdown and Spectre are just the tip of the iceberg of what type of vulnerabilities are hidden in our CPUs, south and north bridges, NICs and other hardware.
@gmdzbanwic (3 years ago)
imagine what type of shit you would have on your HDD /SSD if NSA wants it XD
@Perseagatuna (3 years ago)
@@gmdzbanwic Exactly. I don't know what the fear is lmao. NSA won't just randomly select people to investigate. It's a waste of resources. Unless you are doing some really suspicious stuff, NSA shouldn't investigate you. And even then, nothing will happen if you did nothing. "Which owes nothing fears nothing". Or maybe they do idk I don't work at NSA, seems dumb to me though.
@PatrikKron (3 years ago)
@@Perseagatuna yet they did mass surveillance as evidenced by Snowden. Moreover if they save everything, they’ll be able to look through it later to retroactively find something that you might not want to be public.
@Perseagatuna (3 years ago)
@@PatrikKron Didn't know that since I'm not from the US. That type of shit is illegal, damn...
@weinihao3632 (3 years ago)
This episode was just awesome! Thank you very much!
@kevinwydler4405 (3 years ago)
thanks for this video! this really inspired me to start researching exploitation again
@meditationsafespace153 (3 years ago)
Brilliantly explained. Great video!
@x32gx (3 years ago)
Inspiring... I'm just getting started on format1 in protostar lol. So... be right with you! :)
@TheClubPlazma (3 years ago)
Thank you Live Overflow, that's great research.
@javieraguinaga5525 (3 years ago)
Love it, great analysis!!! Keep it like that
@emagotis (3 years ago)
Your new ideas for videos have turned out to be great!
@RandomWitcher (3 years ago)
Man AMAZING video. Insane!
@jauleris (3 years ago)
I have analyzed this bug also... And those "How did they manage to find this?" moments almost exactly match :DDDD
@opiniondiscarded6650 (3 years ago)
That AFL bit is super helpful
@somehow_sane (3 years ago)
I am VERY excited for this series!
@popquizzz (3 years ago)
Not Super Crazy Stuff... This is a Super Awesome Intelligent Analysis and Review!!!! Thank You!!!
@juewue5054 (3 years ago)
Very good Video - super explanation - excellent! Greetings
@alexhirsch889 (3 years ago)
Thank you for this video! It was very easy to follow your thought process, which you clearly laid out. I've used doas under FreeBSD for some time now because of the somewhat ugly (to read) and oversized codebase that sudo has.
@InfiniteQuest86 (3 years ago)
As always, great video. I think you may have overstated the difficulty of setting up afl to fuzz commandline input though. It's a super common thing to do if you fuzz a lot. What I'm partially saying is that it's inexcusable that no one has fuzzed it before. Commandline programs are fuzzed all the time and with afl at that!
@MeriaDuck (3 years ago)
Already well over 20 years ago I aliased please to sudo. Mainly for self-protection: on a university server sudo would notify system administrators that a student (me) 'accidentally' tried sudo. And I was logged into my own linux machine and the uni system in two windows that looked very much the same. At uni, please told me politely that I shouldn't use that. At home, please would do sudo XD
@cemperable (3 years ago)
If you had just renamed the sudo binary to "please" instead, it would have also protected you from this bug!
@robmarks6800 (3 years ago)
Motivating video! Thank you
@tg7943 (3 years ago)
Thank you very much as always! Awesome! :)
@MichaelPassIOWA (3 years ago)
Thank you very much for this explanation! Very well researched, indeed!
@almjhoolGOLD (3 years ago)
Keep this kind of stuff coming. We LOVE binary exploitation ❤️.
@kipchickensout (3 years ago)
I like the lighting you have there - and nice hairdo :)
@dufflepod (3 years ago)
My favourite phrase of the whole video? "...grooming the heap". Nice.
@jos1532 (3 years ago)
OMG This is so high-level, thanks for this, now I reinforced the things I still need to learn :)
@meydanbenmoshe2360 (a year ago)
great series!
@motbus3 (3 years ago)
this new series is neat
@gentoo6003 (2 years ago)
@LiveOverflow what can I use to fuzz source code or binaries themselves (for example Firefox) for RCEs?
@typingcat (2 years ago)
Music volume at around 3:30 too high compared to overall voice volume.
@gruntscrewdriver3261 (3 years ago)
Good vid! I'm still kinda curious how you couldn't know about NSS?
@kosmonautofficial296 (3 years ago)
Awesome video thank you!
@Deniied (3 years ago)
You should make a video about the PHP backdoor.
@naruto73924 (3 years ago)
Liked it very much. Quite a good resource.
@jonmayer (3 years ago)
5:33 I've been pronouncing the channel as live overflow, as in to live a life. oops
@faisalinsider (3 years ago)
what video editor do you use? I want to share a video with a look like that
@eproulx (3 years ago)
Why did the code analyzer tools not find anything?
@vaff69420 (3 years ago)
love the Red Star OS easter egg :D
@ejonesss (3 years ago)
What I find amazing is how this eventually got discovered, because normally I think such vulnerabilities get discovered accidentally. For example, someone tries to head or tail a file, and since head and tail display the first or last part of a file, if the file is a binary maybe the system interprets the head or tail output wrongly and, not realizing it, they have set a memory value, and maybe the next time they do something that requires sudo, maybe sudo does not ask for the password or the command is done as if they did sudo. So the only way I can think of is someone decompiled the sudo binary and looked at the code and saw a piece of assembly code that did not look right, maybe a jump or copy command, and decided to throw stuff at it and got it to work.
@SoulSukkur (3 years ago)
oh dude, I have a parser written in C, and I created that exact same "blind increment over an escape" bug. Do I have to credit you in my capstone now?
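The "blind increment over an escape" pattern this comment refers to is worth seeing side by side with its fix. The following is an added C example written for this page; it is not code from the video, from the commenter's parser, or from the sudo source. It models a generic unescape loop: the naive version skips the backslash and copies whatever byte follows without checking for the terminator, so an input ending in a lone backslash makes it copy the NUL and keep reading into the bytes that happen to sit after the string. The checked version refuses a trailing escape and bounds every write. The input buffer, the "SECRET" bytes placed after the string, and all function names are constructed for the demo so that the over-read stays inside one array and the program itself has defined behaviour.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Naive escape handling (constructed example of the bug pattern). On a
 * backslash the loop skips it and copies the next byte without checking
 * that the next byte is not the terminating NUL. With input ending in a
 * lone backslash the NUL is treated as the escaped character, so the loop
 * runs on into whatever memory follows the string. The dst_cap guard only
 * keeps this demo from overflowing dst; the defect shown is the read past
 * the end of src. Returns the number of bytes written. */
size_t unescape_naive(const char *src, char *dst, size_t dst_cap)
{
    size_t n = 0;
    while (*src != '\0' && n < dst_cap) {
        if (*src == '\\')
            src++;              /* blind increment: may land on the NUL */
        dst[n++] = *src++;      /* copies the NUL and keeps scanning */
    }
    return n;
}

/* Hardened variant: a backslash is only consumed when a real character
 * follows it, a dangling trailing backslash is rejected as malformed, and
 * every write is checked against dst_cap. Returns 0 on success, -1 on
 * malformed input or insufficient room; *out_len receives the length. */
int unescape_checked(const char *src, char *dst, size_t dst_cap, size_t *out_len)
{
    size_t n = 0;
    while (*src != '\0') {
        if (*src == '\\') {
            if (src[1] == '\0')
                return -1;      /* trailing escape: refuse rather than read on */
            src++;
        }
        if (n >= dst_cap)
            return -1;          /* no room for this byte */
        dst[n++] = *src++;
    }
    *out_len = n;
    return 0;
}

/* Constructed input: "AB\" followed by its NUL, then unrelated bytes that
 * happen to sit after the string in memory. Everything lives inside one
 * array so the demo stays within defined behaviour. */
static void build_input(char *buf, size_t cap)
{
    memset(buf, 0, cap);
    memcpy(buf, "AB\\", 4);          /* 'A','B','\\','\0' */
    memcpy(buf + 4, "SECRET", 7);    /* adjacent bytes the naive loop will read */
}

/* How many bytes the naive loop copies from that input: 9, not 2 or 3,
 * because it walks through the NUL and on through "SECRET". */
size_t demo_naive(void)
{
    char in[32], out[32];
    build_input(in, sizeof in);
    return unescape_naive(in, out, sizeof out);
}

/* Status of the checked version on the same input: -1 (rejected). */
int demo_checked(void)
{
    char in[32], out[32];
    size_t len = 0;
    build_input(in, sizeof in);
    return unescape_checked(in, out, sizeof out, &len);
}

/* Well-formed input "A\\B" (an escaped backslash) still decodes to the
 * three bytes "A\B"; returns 3, or -1 if decoding failed or differs. */
long demo_checked_ok(void)
{
    char out[32];
    size_t len = 0;
    if (unescape_checked("A\\\\B", out, sizeof out, &len) != 0)
        return -1;
    return (len == 3 && memcmp(out, "A\\B", 3) == 0) ? (long)len : -1;
}

int main(void)
{
    printf("naive copied %zu bytes from \"AB\\\" (expected 2 or 3)\n", demo_naive());
    printf("checked returns %d on a trailing backslash\n", demo_checked());
    printf("checked decodes \"A\\\\B\" to %ld bytes\n", demo_checked_ok());
    return 0;
}
```

The practical check for any hand-written unescape loop is the one in `unescape_checked`: before stepping over an escape character, look at the byte after it, and treat the terminator there as an error rather than as data. A fuzzer will find the naive version quickly with an input that ends in a backslash, which is also the cheapest regression test to keep around.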
@cpakkala (3 years ago)
Great job, thanks. But I still have one very important question: what is the name of the color scheme used in your editor and/or where can I find a copy of it?
@Lethaltail (2 years ago)
Are subtitles modifiable in any way by community members? It irks me that KZbin removed such a nice feature.
@isiraadithya (3 years ago)
Another interesting video!!!
@PamirTea (3 years ago)
Great explanation.
@DM-qm5sc (3 years ago)
It's samedit because it's a play on Baron Samedi a character in an old James Bond movie.
@archangelsgaming767 (3 years ago)
Great video! Though I kinda miss CTF writeup videos😅
@pereJobs (3 years ago)
Interesting video, the bug is explained very well. I'd be glad to know more about how MacOS seems to randomize heap allocations. Is that a security feature, or a side effect of some other mechanism?
@ariss3304 (3 years ago)
I’m honestly surprised that heap layout on Linux is consistent between different runs. That seems like a major flaw.
@maliusribeiroborges7578 (3 years ago)
Is your binary exploitation playlist still relevant?
@unclejoe8310 (3 years ago)
Yes of course. Until we move to quantum computing, in 200 years.
@Epinardscaramel (3 years ago)
Actually laughed out loud at “Their code was much better than my shitty Python script” 🤣
@WladcaKsomsou (3 years ago)
Cool video! I've tried reproducing it myself but had problems with automating "heap fengshui". Can you share your whole code, including gdb script?
@petrovasyka8 (3 years ago)
Why should you fuzz as root if we are looking for priv esc?
@jndlf3000 (3 years ago)
Could you make a more detailed video about fuzzing in general? How it works / what it actually does? Would love to see that ^-^ Greetings from Darmstadt ^-^
@maray97 (6 months ago)
Thank you for the tutorial, clear as always. I am trying to replicate the CVE in a Docker container, however, when I run sudoedit -s 'AAAAAAAAAAAA\' I get vim opened. I cannot understand why. Could you please help me? I am running Ubuntu 18.04 and sudo 1.9.5p1 (the version before the patch)
@monkemode8128 (3 years ago)
I have no clue what you're talking about but sounds cool 👍
@oldbootz (3 years ago)
ok ok I watched it! I was going to anyway but you guilt tripped me lmao.
@UpgrayeDDDDDD (3 years ago)
So would the hardened heap implementation actually mitigate the exploitation via the service_user struct?
@Dziedzic95 (3 years ago)
Great video!
@OthmanAlikhan (3 years ago)
Thanks for the video =)
@TheKyros79 (3 years ago)
Great vid!
@theproapple9904 (3 years ago)
Would this work on Windows' WSL?
@siquod (3 years ago)
I know a sudo exploit and how to fix it. Where can I report it?
@xodz (3 years ago)
is this a "been around forever" type of exploit? wonder what year it became capable
@jimothyus (3 years ago)
17:02 anyone know why Qualys initialize an integer with (1+0)? Line 6
@Hauketal (3 years ago)
My guess: allocating a variable length buffer is often for strings. String lengths need to be adjusted for the \0 byte at the end, not doing that is a traditional security problem. Here this is not needed, so the programmer used an adjustment of +0 as documentation for 'I thought about adjusting, no error here'.
@chwaee (3 years ago)
For Mac, I don't have "sudoedit" by default, so wouldn't that bypass the whole thought about trying to run this on Mac? I thought we needed sudoedit in order to get in that interesting sudo 'mode' to be exploited? At 18:10 we see the use of "/tmp/sudoedit" meaning the attacker would need to have an already compromised system, and be able to write a file in /tmp/ to attempt privilege escalation. At that point, there are easier ways, like writing a malicious python script in /tmp/ and gaining privileges from that, right? This just doesn't seem to be worth the squeeze on Mac. So feasibility on a Mac: very very improbable. I do see a "/usr/sbin/visudo" Mach-O binary on my Mac. Perhaps that would be a better place to start looking for a more realistic approach.