wow that really is unforgivable. you know what else is unforgivable? not checking out lowlevel.academy (and getting a DISCOUNT?)

It's not a bug, it's a low effort backdoor

This is what happens when you have 2 teams not talking to each other. One team did it right, the other not so much.

"Buy another NAS", definitely won't be a D-Link, I can tell you that for nothing.

The guy who wrote the safe_system code is definitely a different person from the one who wrote account. I can't believe it is any other way

D-Link has been a security liability since the 2000's. :)

New vulnerability found in D-Link NAS devices D-Link : It's not my problem, it's yours

"Fuck you, pay me" is a genius strategy when most of your customers do not have consumer protection laws

As someone who has worked in both residential and corporate IT for over 20 years now, I'll never go near D-Link. Garbage products made by a company that does not care. Nothing about this situation surprises me.

As a person that has programmed for 30+ years, that is absolutely insane. The incompetency is astounding. If D-link can't fix things like this, then don't buy D-link products, it's that simple. They clearly don't care about their customers.

As a Gen-Zer even if I hated the collared shirt, that fire jacket makes up for it.

It's hard to imagine a scenario where this is an isolated incident. At any competent organization, the first time something similar happened, the dev-sec-ops team would've forced all kinds of commit/deploy hooks checking for system calls and requiring the lead/PO to sign off that they weren't doing something stupid. This makes all D-Link hardware sketchy. They're not a new company, and they're not small, and they're not new to making routers.

This is actually a genius level move by D-Link: They not have to fix *past* bugs because they deem their hardware antiquated. Also! They also don't have to fix *future* bugs because they just scared away their entire customer base

So a common, old-school Shell Injection vulnerability. The Bobby Tables of system("command").

D-Link once made a router where the web-server ran in kernel-mode and had debug-commands

Prob a junior tech that was tasked to write the account script. This is why you need THOROUGH PR reviews and things like sonar to check for code smells like system and sprintf calls.

When does incompetence become sabotage?

The team that wrote the "account" program assumed that their program is only going to be used by users that are already authenticated inside the machines shell. The team that wrote the HTTP server thought that the "account" program is safe to execute with parameters controlled by the unauthenticated user.

Imagine how chuffed the guy was finding this bug, like "yeah im definitley getting a payout, they will be so glad i found it!", just to be told to feck off and that the fix was buy their new products XD Poor bloke

But isn't connecting your NAS to the Internet an advertised feature? "Run your own cloud!"

I'm loving the channel name exploration in every video

I've never in 30 years heard of CGI "typically being a bash script or an ELF"

A new form of forced obsolesce? Activate all the security flaws after a specific date and refuse to patch them.

is nobody going to talk about how those sprintfs probably are a buffer overflow vulnerability as well

D-link? You mean the company unable to understand how email works? Whatever they did, I'm not surprised.

First mistake they made was buying a D-link. If I see d-link device on customer’s network it has immediately to go out.

We need software engineers who, like other professional engineers, can be held personally legally liable for their work. The software industry is much too lax with the rigor of their code.

you're one of the most competent coders im watching on youtube if not THe best. Good job breaking this down for all the up and coming wizards

04:58 note for windows users: 7-zip file manager "Open Inside #" can also find squashfs like binwalk

Holy moly, if I can get how bad it is without rewinding, it's a really stupid bug

D-LINK. As in the grade.

I've seen more than once maintainers of very active, open source, self-hosted applications saying "our average user does not need enterprise level security features" when they refuse to implement things like mTLS support in their mobile client. Or sometimes they tell you to use treafik as your reverse proxy when you expose the service to wan, while traefik requires the docker socket in a container that is supposed to be facing internet. Absolutely unforgivable.

At thjs point we need to make cyber security flaws illegal. Theres not really another way to force these companies to actually be responsible

Great breakdown of the vulnerability and the triaging process!

Aaaaaand that is another final nail in the coffin for D-link anything now. I mean, on top of the surprise d-link is even a thing anymore still.... But yeah, that kind of reply, without say....releasing some source so the community can support the products they refuse to....has done exactly what they want but not how they want it. Yeah, Ill replace EVERY d-link device with NOT d-link now. Good job on the PR front d-link....morons....

i mean i hate D-Link as much as the next IT-guy but this isnt really fair. the stuff is EoL since 2017. anybody here blaming any other software publisher for not updating there nearly 10 year old shit? just a good point in time to get rid of anything that has D-Link written on it.

if your worried about not getting views put on a choker it'll work, trust me

this video literally had "no views" as he said "this video is gonna get no views"

Like your attitude here! :) Also the colors are so fresh ;)

I would wear what you're wearing. I'm not a gen z straight boy, though, so mileage varies. Great video. Amazing the exploit was so simple.

Yes, LOVE this kind of video content ! I had, within the last 4 years a consumer D-Link and ASUS router/access point in the house. Both of those were garbage. Too bad since they used to be the ones to get. Both of them broke and even a third. Can't remember which one but one of those did a complete factory reset at < 85 degrees F. I cannot trust Chinese made routers unless it is a verified decent product. Quality Control has gone to crap.

The best real life example that i can give of this case, is like forging a whole metal perimeter fence for your house and then installing it on the neighbors 🤣

That was fun... 😂 I know you know, but I'll pointing out that at 2:34 it is just URL-encoding of plain ASCII, no Base64, so %27 is a single quotation mark and %20 is a space. I would expect the exploit to be a little bit different in the quotation style, by looking at 11:13... is it done on purpose to fool the skids? 🤔Am I blind? 😆Or maybe there was some string replacement along the way...? The stuff is pretty basic nonetheless, LOL 😁

Honestly, whoever was working on the program account probably felt like he did not need to be safe, because it's not exposed to the web, and/or he was a junior, and they just told him "whatever do this trivial stuff", and whoever was working on the CGI felt like he did everything he could, as he was using safe_system. The two developers never talked to each other, and the only staff-level senior engineer who had the chance - if they had one at all - to catch this bug was either pulled in to some important business meeting, or was on a holiday that week. And obviously they had no security testing/review/audit process, where this could have been caught. I see these two points a bigger issue, than the fact this bug happened at all. Of course, this now gets huge feedback because DLink said "just buy another one", but I promise you, most software, especially closed one that runs the world is riddled with this kind of issues, and it's never a single developer's or even the developer team's fault, but more likely the product of the corporate culture around them, and the wrong incentives set by leadership - be it technical or managerial.

8:36 that's what I call a well organized home dir!

LowLevelLearning is still the best name

"- Does this mean that I have flawed the exam?" "- Oh no, oh no! Of course not. We are strictly DEI here. We really don't wanna get sued. You should go get another employer if you wanna do that. Here I have a list of some 'friends' that I can recommend!"

I think this is partially a general Linux problem inherited from Unix, doing user management in straight C with `getpwent`, `fgetspent` and so on is difficult to do correctly (file locking and so on) so majority won't even try.

How is a vendor supposed to support his entire product line for eternity? Also, who's more likely to still work at D-LINK - the one who wrote "safe_system" or the one who wrote "account"? :P

oh you mean that 'computing appliances' aren't like toasters, and are really just computers that need constant updates forever? but I bough this 'appliance' because it is cute and single purpose like a toaster that needs no updates ever

You don't need to have it facing the web right? You could create a site with that has a ton if images or s and spry the ip range to find the router.

I'm on the older side of Gen Z but I absolutely despise *wearing* collared shirts. Though I don't mind you having one. It's not tight too, so it doesn't feel like I'm getting choked just by watching.

There needs to be a law, making these tech companies put expiration dates on their products like our food.

This is so easy to prevent. We use automatic code checks so this will not go into the product. It's also possible to use #define to break the build if some forbidden things are used. This is the real problem here. They don't have processes to prevent that bug so there also will be much more similar bugs.

Are you tempted to fix the vulnerability and release an update?

I could not see the collar on your shirt due to the hoodie. I think it was a cool use of obfuscation

What youre seeing here is someone who understands this vulnerability, then they made the effort to make the code appear like its protected, then blatantly disregarded that and atill allowed it through. I would call ethics into question here. Dlink needs to be audited...

Even with the stupid bug the most basic thing called input sanitation would have stopped it.

I once tested a web application where to change your password you could enter a new one without giving the old one. Even worse it was over a get request. So you could basically inject a custom get request in any website and just lure a logged in user to your website so it would change their password without them knowing.

Great stuff! BTW what font are you using in terminal? I absolutely love it!

What happened to LowLevelLearning btw

Serious question, how long does everyone think a manufacturer should support a product?

That sweatshirt is unforgivable.

Is there an actual way to pass a system call, where rather than having to pass a single string that the shell/OS has to parse the arguments out of, you can pass an array of strings containing the arguments? Seems like that would be the safer way.

It's like some home-brew php websites in 2000s calling eval() on user input 😅

I have a project that scans random ip's and gets all html titles and greps out d-link, along with many other but i have a list of like 3,000 d-link servers in a file somewhere

It is made on purpose.

Request: Bring back Low Level Learning! It just sounds nicer

This will continue until companies are legally and monetarily liable.

you are a person I appreciate. Thank you

These devices were first released 11 years ago, and went end of support in 2021, right? I'm a little confused by your reaction to d-link not offering a firmware update for something. Can you help me understand how long a manufacturer should support firmware that is years past it's EoS/EoL?

Bought a D-Link NAS, got the vulnerability, showed to D-Link to get the "You should have bought a newer system" treatment... And we still say AI will doom us all,... idk what worse than this.

Just because you bought a product once, doesn't mean they have to keep writing updates for it forever. Also, who the hell is making their NAS face public IP space?

don't worry, elder gen z doesnt mind collars, shirts or necklaces!

HOT TAKE: If vendor stops supporting product because if it's out of live even with such security critical cases, we as society should stop supporting copyrights related to it. Granted here not that much is to protect, but if there's any copyright protection on that code, it should vanish, reverse engineering ? Producer orphaned it, we're not gonna prevent people to adopt this child. Re distributing binaries ? If it's not worth for you to fix it it's not worth to us to chase people that copied it.

It's very easy to tell how this bug happened. It's not unexplainable. They used cheap contractors that didn't talk to each other.

Now as someone who work in the secure network world i mit ask... Is that code only in the old versions or is a code no one bother to check since then and it in all the new systems as well?

Exec commands should not accept non-sanitised strings. It should just not support it at the type level.

I think your "I cant even" just entered the memeland.

D-Link: Buy our *new* products or get pwned.

IIRC, they've been doing this to their product for… more than a decade, I guess?

typical D-LINK move... I never bought a D-LINK product ever again, after I found out that the user support to their products back then was done by community members (they told me to fuck off, because of an equally ridiculous hardware issue)

It tells you that not only did one person think this cascade of problems was ok, but either there are no peer reviews or automatic checking there or they were overridden somehow. Both are bad.

D-link security is horrible, one of their routers had a massive hole where the devs seemingly forgot to remove "command.php" in the release firmware. It does exactly what you think it does, and even without needing a password!

How is requiring one to buy a new NAS different than Microsoft insisting one has to buy a new computer in order to keep getting updates on Windows 10? Just curious. Shouldn't one be equally outraged?

Not to be "that guy" but these affected hardware platforms were released between 2011 (the 32x devices) and 2014 (340L) - how long *should* a manufacturer support software for a device that was sold that cheaply? I'm curious because while I understand this vulnerability is bad, the fact that they're not patching it on some hardware models that they shipped 10-13 years ago shouldn't really be a knock against them - only the vulnerability being this simple and destructive. Saying they're saying "f off" because they won't update software on some almost 14 year old NAS devices seems a bit unfair and distracts a bit from the discussion around the vulnerability itself.

So, you can easily fix the bug by calling the safe system instead of system?

I will never again in my life buy D-Link equipment and will encourage all of my clients to do the same.

lmao. don't buy anything Dlink? got it. I just can't believe they would go through the effort of securing it only to fall flat on their faces like that. and it's such a simple fix yet they refuse to fix it. IMO they should have to fix it like how car manufacturers have to do safety recalls, this code should never have shipped in the first place.

me forgetting D-link existed 😂 well d-link thats one way to advertise yourself for free 🤣

To be fair, I understand that at some point you don't have the resources and the will to fix all this. For example, imagine D-Link filled for bankruptcy (which should have happened already but). My point is, open source it! The law should be so that if something goes "out of support" then it must be open-sourced. This whole video would have been more straight forward and the fix would have been released already. Btw, there is such a custom firmware for DNS-xxx and it is named Alt-F.

So... bug resulted from a program/code made to prevent this type of bug. There is a bug in your bug. And such great manufacturer posture, congrats, no more DLink for my future purchases.

And it is going to get worse. We are now entering into the age of deregulation. Want clean water? pay us beech. want security on your devices? pay us beech. you want to live? oh hahahahah! fun fact, Ubuntu, in my native language is a word you use to describe "things" as in "small little things". You could also use it to describe people you consider "small"

Amazing. But C devs will say this is a "skill issue" and that we don't need a modern safe language...

I have only 1 quastions: 1) that a heck is gen z means? we love you Low Level - keep do what u do; thx a lot

Whoever wrote that should have been fired ..

Dollarama Macklemore with the cyber sec news!

So DNS-321 and DNS-323 is in the clear?

So D-Link is the Hertz of computers. Bet they rent from Hertz.

genuinely hilarious lol, peak passing-the-buck monkeys-on-typewriters kinda error