My theory on how the webp 0day was discovered (BLASTPASS)

57,588 views

LiveOverflow

1 day ago

Comments: 128
@olivezz · 1 month ago
this video's url contains no lowercase letters. you guys really made this the top comment huh?
@DxBlack · 1 month ago
What in the fu--
@joshuatatum8519 · 1 month ago
Maybe they're running out of namespace lol
@lucidattf · 1 month ago
@joshuatatum8519 I assure you they are not
@pwall · 1 month ago
@joshuatatum8519 Go see the tomscott video on the topic
@luna_rants · 1 month ago
With some quick mafs (((64-26)/64)^11), we get a probability of around 0.323%.
@Hacsev · 1 month ago
Watch how this is going to become a year-long series into fuzzing webp, just like the sudo exploit.
@spicybaguette7706 · 1 month ago
The commit you found could be squashed, that is, many commits merged into one. He might have possibly found this because MSVC complained about some kind of out-of-bound access or something
@t0rg3 · 1 month ago
Does that mean that there is a chance to find the PR to that commit and then maybe unearth the unsquashed commit chain in another branch/repo?
@spicybaguette7706 · 1 month ago
@t0rg3 I found the original PR, but unfortunately it leads to a dead end. The original branch was deleted. It seems like the committer worked at Google at the time. It's PR 118 on the google/brunsli repository
@remiheneault8208 · 1 month ago
Your analysis is very accurate, and your assumptions logical and fair. Great video! I, however, have a hard time believing that - in such a niche space - there is no overlap between open-source contributors and for-profit "security" companies' researchers. Supply chain attacks have become so common, my spider sense "tingled" when I saw that commit with an unassuming title, a huge list of changes and no mention of the table size change. This really looks like an attempt to cover a mistake, or a previously opened backdoor.
@anteshell · 1 month ago
Making baseless assumptions is never good in security. You don't mention at all if you checked the code before the update, whether or not it contained anything exploitable or anything else pointing towards the existence of a backdoor. You simply assume as much and leave it at that. The tingling you have is just the spiky top of the Dunning-Kruger curve. Or if you actually know something more about this, you hide it very well, which I cannot see any point in doing because it just makes you sound like a run-of-the-mill tin foil hatter.
@fizzlefritz9782 · 1 month ago
@anteshell I don't understand how you can hate from outside the club; you can't even get in!
@anteshell · 1 month ago
@fizzlefritz9782 That sounds like a roundabout way to ask for advice on hating. I'm sorry but I can't help you. I'm old enough not to go clubbing anymore and never was the hating type, so I wouldn't know how to advise you.
@kevinwydler7305 · 1 month ago
@fizzlefritz9782 All he is saying is that it's not as simple... While supply chain attacks are a thing of course, the fact that the code is open source also makes it very easy for security researchers to find your backdoor (if you were an "evil" adversary implementing it). So I personally don't think they are practical in the long run (just look up the liblzma attack CVE-2024-3094). If there is a way to exploit the bug... sure, by all means get out the pitchforks. But you have yet to prove that point. And also we must remember that BLASTPASS is not simply a single exploit that will simply let you install malware on iOS. It is in fact an exploit chain which requires multiple bugs within various components which couldn't all have possibly been introduced by a supply chain attack. I think the people behind such vulnerabilities just take the time to study these formats and/or systems in depth and know them better than most developers that just use them. They may even have contributed to such projects at some point, but to say that there are people everywhere infiltrating repos has yet to be proven by more than just some "weird commits".
@remiheneault8208 · 1 month ago
@anteshell The weakest link in security is always people. Assuming everyone is honest would be more dangerous than showing skepticism. You don't need to put a full reverse SSH shell in the code to open a door. You're welcome to challenge my point but please do so with less arrogance.
@_plamp_ · 1 month ago
These types of videos are fun. Would also like to see more fuzzing content
@user-ko7oo2qg1g · 1 month ago
Good to see you after a long time! Excited for more great content on hextree. All the best!
@Debrugger · 1 month ago
6:30 Valley nerds try not to build a LISP for 1 hour challenge (impossible)
@BlackHermit · 1 month ago
The URL of this video is the best thing in the world!
@nero2k619 · 1 month ago
This video made me realise why I'm bad at VR :D So much to learn and so little time.
@dadogwitdabignose · 1 month ago
We're so back
@hariharan6514 · 1 month ago
I fully admired your talk 🙃
@Se7enSoups · 1 month ago
Awesome video as always
@roguesecurity · 1 month ago
This is why I love this channel ❤
@GH-jl2td · 1 month ago
Bro it's so weird, as someone completely removed from coding or cyber security in general, just a random idiot, you keep me so fixated on this stuff. Really love to see more from you on just about anything
@Zizo8182 · 1 month ago
amazing one as usual, thanks for sharing
@jyrk · 1 month ago
very interesting video
@ari_archer · 1 month ago
hey ur back :D
@spicybaguette7706 · 1 month ago
The Return of the King
@3xpl0i79 · 21 days ago
Hey liveoverflow, can you make a video on hunting for CVEs, your methodology and ideas?
@jpphoton · 1 month ago
consistent with my overall assessment but insightful .. and just remember kids you are ALREADY pwned
@almatsumalmaadi8103 · 1 month ago
Will be great if this libwebp series turned out like the sudo vulnerability series, from fuzzing to full working exploit.
@abuhamza2771 · 1 month ago
really missed your videos
@impostorsyndrome1350 · 1 month ago
After seeing Linus' friends hacking his phone, it is scary how much stuff can be hacked.
@togamid · 1 month ago
Yeah, though that attack and the exploit discussed in this video don't have much in common besides both involving a phone
@yourfellowhumanbeing2323 · 1 month ago
SS7 exploits have been in the news and forums on and off for the last couple of years. Last time I had seen them in the wild was in 2018-19
@ceilingfun2182 · 1 month ago
Yes, I did miss you. I will check it out.
@Jango1989 · 1 month ago
Very cool
@alfatech8604 · 1 month ago
Nice, you are smart. I salute the first researcher, he might be laughing 🤣. Please make a video on how to use AFL to find the vulnerability, thanks.
@null-calx · 1 month ago
waited so long for this one
@twistedsim · 1 month ago
that's just a theory, a hacking theory
@balsalmalberto8086 · 1 month ago
He has a concept of a vulnerability.
@jonathanherrera9956 · 1 month ago
Aaaand cut
@kevinnyawakira4600 · 1 month ago
I love how you explain complex vulnerabilities even if 50% of the time I don't get it 😅
@bean_TM · 1 month ago
Love your new glasses! What are they called?
@muzamilshaikh838 · 1 month ago
Big Brain 🔥
@littleblack111 · 1 month ago
ur back!!
@alexanderdell2623 · 1 month ago
Wow, the moment of searching for the same code in other projects felt like "eureka!"
@M0h4mud · 1 month ago
Bro he's back 🗣️🔥
@jtw-r · 1 month ago
BlastDoor. Now THAT is a cool fucking name for a library
@ameer2942 · 1 month ago
Finally you have started ironing your shirt after the google sponsorship ...
@AgentM124 · 1 month ago
And remember guys. That's just a theory. A VULNERABILITY THEORY
@balsalmalberto8086 · 1 month ago
He has a concept of a vulnerability.
@dreicraft2597 · 1 month ago
Nice, hope you'll start your hacked Minecraft series again xD
@metalpachuramon · 1 month ago
Finally! My man got his password back
@kevinwydler7305 · 1 month ago
YESSS
@ameer2942 · 1 month ago
7:09 *Samuel, not saelo. Saelo is your friend.
@logiciananimal · 1 month ago
A. Tornhill nods.
@v255666 · 1 month ago
Is it possible: SMS hack, buffer overflow, Android zero-click?
@tg7943 · 1 month ago
Push!
@stonemannerie · 1 month ago
Why is project zero so concerned with iOS and not solely android/Google projects?
@tylerb6981 · 1 month ago
Mostly because Project Zero was/is less like an arm of Google's security engineering and more like a passion project that was a result of Google's massive counter-surveillance movement after the events of Heartbleed and Edward Snowden. It was more about researching and responsibly disclosing zero days in any and all public facing software than it was about Google protecting/improving their own. Many of the vulns they have discovered range widely from Safari, to Windows 8, to CPUs, to RAM, to Cloudflare, to Apple. Their specialty is not just discovering these zero days but writing about how they could be actively exploited to impact anyone and everyone. It also doesn't hurt that one of their earliest members was geohot... Famous for his iOS jailbreaks.
@rnts08 · 1 month ago
Apple pays better for exploits. Android is OSS as well.
@thewhitefalcon8539 · 1 month ago
They say they want the whole Internet to be secure.
@ムワ-d7n · 1 month ago
i mean if you look at their blog they're concerned about all types of internet application; the iOS one is more of a concern probably because there's not enough source code online and the exploitation method requires one to research the internals on their own, while android/linux/google based projects are open source, so the community can contribute and have different approaches for fuzzing/exploitation, cmiiw
@tylerb6981 · 1 month ago
Since my original comment got deleted for some unknown reason... Project Zero was started as part of Google's huge counter-surveillance movement after the Heartbleed and Edward Snowden leaks. It was less about Google's product security and more about exposing the dangers of the Zero Day market and improving public awareness of how a zero day could be exploited to compromise their sensitive information. Their specialty is in not only discovering but also publicizing the vulns and exploits.
@quakc · 1 month ago
Just in time for xmas
@almatsumalmaadi8103 · 1 month ago
Finally you're back
@ProfessionalBirdWatcher · 1 month ago
If it ain't broke, FIX IT!
@hichemsavastano4430 · 1 month ago
i message ❤
@thuslymars · 1 month ago
I feel like I've seen this 1 year ago
@Cmanorange · 1 month ago
6:30 (display "LISP MENTIONED!!~%")
@HolyAdilokGames · 1 month ago
Liveoverflow is alive! Heart, Pin, First! Watching you since 4 yrs
@VinayKumar-sy3oj · 1 month ago
😀
@Mitsunee_ · 1 month ago
video consistently crashes the player after 19 seconds
@Smokeyyy337 · 1 month ago
why don't they report the vulnerability to Apple? don't they have a bug bounty program?
@garrygarrygarry1 · 1 month ago
apple's bug bounty program payouts are tiny in comparison to the actual value of these exploits.
@Tjkrusinski · 1 month ago
Organizations want the vulnerabilities to do bad things. They don't want the vulnerabilities reported.
@ahmadshami5847 · 1 month ago
@Tjkrusinski spy agencies*
@sasjadevries · 1 month ago
If you find such a zero day, you could either report to apple, and get pennies, or sell it to some govt-funded security firm, such that they can "deal with" some of their enemies.
@mrpopsicle3339 · 1 month ago
not first, it's cringe
@attention_shopping · 1 month ago
oooo
@WalterSamuels · 1 month ago
Here's a discovery path: Vulnerabilities are put into software like this on purpose to be sold to the highest bidder for a few years, by the developers themselves.
@itsdakideli755 · 1 month ago
Early 🎉
@celesian7372 · 1 month ago
first
@ErkiEberg · 1 month ago
First!
@Brawlstriker89 · 1 month ago
Let's make the video as long as possible with filler and bluff. Could've been answered in a minute or 2. Not 15
@LiveOverflow · 1 month ago
Could be answered in 0 seconds if you already knew everything
@pete3897 · 1 month ago
@LiveOverflow it's rewarding comments like that one which keep you coming back to post free content so regularly, isn't it! Oh, wait...
@skibidisj · 1 month ago
Bro fell off, 93 views in 2 mins
@siomek101 · 1 month ago
93/2min = 46.5/1min = 2790/1hour = 66960/1day, still more than you would ever get.
@skibidisj · 1 month ago
@siomek101 actual estimate, you're right
@RVIZX9 · 1 month ago
@pelaajahacks8358 · 1 month ago
_ACCK0AUQ8Q wow no lowercase